@simonsbs/keylore 1.0.0-rc4

package/dist/services/trace-export-service.js

@@ -0,0 +1,126 @@
+import { traceExportStatusSchema } from "../domain/types.js";
+export class TraceExportService {
+    endpoint;
+    authHeader;
+    batchSize;
+    intervalMs;
+    timeoutMs;
+    telemetry;
+    queue = [];
+    timer;
+    flushing = false;
+    snapshot;
+    constructor(endpoint, authHeader, batchSize, intervalMs, timeoutMs, telemetry) {
+        this.endpoint = endpoint;
+        this.authHeader = authHeader;
+        this.batchSize = batchSize;
+        this.intervalMs = intervalMs;
+        this.timeoutMs = timeoutMs;
+        this.telemetry = telemetry;
+        this.snapshot = traceExportStatusSchema.parse({
+            enabled: Boolean(endpoint),
+            endpoint,
+            pendingSpans: 0,
+            consecutiveFailures: 0,
+            running: false,
+        });
+    }
+    start() {
+        if (!this.endpoint || this.timer) {
+            return;
+        }
+        this.timer = setInterval(() => {
+            void this.flushNow();
+        }, this.intervalMs);
+        this.timer.unref();
+    }
+    async stop() {
+        if (this.timer) {
+            clearInterval(this.timer);
+            this.timer = undefined;
+        }
+        await this.flushNow();
+    }
+    enqueue(span) {
+        if (!this.endpoint) {
+            return;
+        }
+        this.queue.push(span);
+        this.snapshot.pendingSpans = this.queue.length;
+        if (this.queue.length >= this.batchSize) {
+            void this.flushNow();
+        }
+    }
+    status() {
+        return traceExportStatusSchema.parse({
+            ...this.snapshot,
+            pendingSpans: this.queue.length,
+            running: this.flushing,
+        });
+    }
+    async flushNow() {
+        if (!this.endpoint) {
+            this.telemetry.recordTraceExport("disabled", 0);
+            return this.status();
+        }
+        if (this.flushing || this.queue.length === 0) {
+            return this.status();
+        }
+        this.flushing = true;
+        this.snapshot.running = true;
+        const batch = this.queue.splice(0, this.batchSize);
+        this.snapshot.pendingSpans = this.queue.length;
+        try {
+            const headers = {
+                "content-type": "application/json",
+            };
+            if (this.authHeader) {
+                headers.authorization = this.authHeader;
+            }
+            const response = await fetch(this.endpoint, {
+                method: "POST",
+                headers,
+                body: JSON.stringify({
+                    exportedAt: new Date().toISOString(),
+                    spans: batch,
+                }),
+                signal: AbortSignal.timeout(this.timeoutMs),
+            });
+            if (!response.ok) {
+                throw new Error(`Trace export endpoint responded with ${response.status}.`);
+            }
+            this.snapshot = traceExportStatusSchema.parse({
+                ...this.snapshot,
+                endpoint: this.endpoint,
+                enabled: true,
+                pendingSpans: this.queue.length,
+                lastFlushAt: new Date().toISOString(),
+                lastBatchSize: batch.length,
+                lastError: undefined,
+                consecutiveFailures: 0,
+                running: false,
+            });
+            this.telemetry.recordTraceExport("success", batch.length);
+            return this.status();
+        }
+        catch (error) {
+            this.queue.unshift(...batch);
+            this.snapshot = traceExportStatusSchema.parse({
+                ...this.snapshot,
+                endpoint: this.endpoint,
+                enabled: true,
+                pendingSpans: this.queue.length,
+                lastBatchSize: batch.length,
+                lastError: error instanceof Error ? error.message : "Trace export failed.",
+                consecutiveFailures: this.snapshot.consecutiveFailures + 1,
+                running: false,
+            });
+            this.telemetry.recordTraceExport("error", batch.length);
+            return this.status();
+        }
+        finally {
+            this.flushing = false;
+            this.snapshot.running = false;
+        }
+    }
+}

package/dist/services/trace-service.js

@@ -0,0 +1,87 @@
+import { AsyncLocalStorage } from "node:async_hooks";
+import { randomUUID } from "node:crypto";
+import { traceSpanSchema } from "../domain/types.js";
+export class TraceService {
+    enabled;
+    recentSpanLimit;
+    storage = new AsyncLocalStorage();
+    spans = [];
+    exporter;
+    constructor(enabled, recentSpanLimit) {
+        this.enabled = enabled;
+        this.recentSpanLimit = recentSpanLimit;
+    }
+    runWithTrace(traceId, fn) {
+        if (!this.enabled) {
+            return Promise.resolve(fn());
+        }
+        return Promise.resolve(this.storage.run({ traceId, spanStack: [] }, fn));
+    }
+    currentTraceId() {
+        return this.storage.getStore()?.traceId;
+    }
+    async withSpan(name, attributes, fn) {
+        if (!this.enabled) {
+            return Promise.resolve(fn());
+        }
+        const current = this.storage.getStore();
+        const traceId = current?.traceId ?? randomUUID();
+        const spanId = randomUUID();
+        const parentSpanId = current?.spanStack.at(-1);
+        const startedAt = new Date();
+        const context = {
+            traceId,
+            spanStack: [...(current?.spanStack ?? []), spanId],
+        };
+        const execute = async () => {
+            try {
+                const result = await fn();
+                this.record({
+                    spanId,
+                    traceId,
+                    parentSpanId,
+                    name,
+                    startedAt: startedAt.toISOString(),
+                    endedAt: new Date().toISOString(),
+                    durationMs: Math.max(0, Date.now() - startedAt.getTime()),
+                    status: "ok",
+                    attributes,
+                });
+                return result;
+            }
+            catch (error) {
+                this.record({
+                    spanId,
+                    traceId,
+                    parentSpanId,
+                    name,
+                    startedAt: startedAt.toISOString(),
+                    endedAt: new Date().toISOString(),
+                    durationMs: Math.max(0, Date.now() - startedAt.getTime()),
+                    status: "error",
+                    attributes: {
+                        ...attributes,
+                        error: error instanceof Error ? error.message : "Unknown error",
+                    },
+                });
+                throw error;
+            }
+        };
+        return this.storage.run(context, execute);
+    }
+    recent(limit = 20, traceId) {
+        const filtered = traceId ? this.spans.filter((span) => span.traceId === traceId) : this.spans;
+        return filtered.slice(Math.max(0, filtered.length - limit)).reverse();
+    }
+    attachExporter(exporter) {
+        this.exporter = exporter;
+    }
+    record(span) {
+        const parsed = traceSpanSchema.parse(span);
+        this.spans.push(parsed);
+        if (this.spans.length > this.recentSpanLimit) {
+            this.spans.splice(0, this.spans.length - this.recentSpanLimit);
+        }
+        this.exporter?.enqueue(parsed);
+    }
+}

package/dist/storage/bootstrap.js

@@ -0,0 +1,68 @@
+import { authClientSeedFileSchema, catalogFileSchema, policyFileSchema } from "../domain/types.js";
+import { readTextFile } from "../repositories/json-file.js";
+import { hashSecret } from "../services/auth-secrets.js";
+export async function bootstrapFromFiles(credentialRepository, policyRepository, authClientRepository, tenantRepository, catalogPath, policyPath, authClientsPath) {
+    const ensureTenant = async (tenantId) => {
+        const existing = await tenantRepository.getById(tenantId);
+        if (!existing) {
+            await tenantRepository.create({
+                tenantId,
+                displayName: tenantId,
+                status: "active",
+            });
+        }
+    };
+    if ((await credentialRepository.count()) === 0) {
+        const catalogText = await readTextFile(catalogPath);
+        if (catalogText) {
+            const catalog = catalogFileSchema.parse(JSON.parse(catalogText));
+            for (const credential of catalog.credentials) {
+                await ensureTenant(credential.tenantId);
+                await credentialRepository.create(credential);
+            }
+        }
+    }
+    if ((await policyRepository.count()) === 0) {
+        const policyText = await readTextFile(policyPath);
+        if (policyText) {
+            const policyFile = policyFileSchema.parse(JSON.parse(policyText));
+            for (const rule of policyFile.rules) {
+                await ensureTenant(rule.tenantId);
+            }
+            await policyRepository.replaceAll(policyFile);
+        }
+    }
+    if ((await authClientRepository.count()) === 0) {
+        const authClientText = await readTextFile(authClientsPath);
+        if (authClientText) {
+            const authClients = authClientSeedFileSchema.parse(JSON.parse(authClientText));
+            const missingSecrets = [];
+            for (const client of authClients.clients) {
+                const secret = client.secretRef ? process.env[client.secretRef] : undefined;
+                if (!["private_key_jwt", "none"].includes(client.tokenEndpointAuthMethod) && !secret) {
+                    missingSecrets.push(`${client.clientId}:${client.secretRef}`);
+                    continue;
+                }
+                const hashed = secret ? hashSecret(secret) : undefined;
+                await ensureTenant(client.tenantId);
+                await authClientRepository.upsert({
+                    clientId: client.clientId,
+                    tenantId: client.tenantId,
+                    displayName: client.displayName,
+                    secretHash: hashed?.hash,
+                    secretSalt: hashed?.salt,
+                    roles: client.roles,
+                    allowedScopes: client.allowedScopes,
+                    status: client.status,
+                    tokenEndpointAuthMethod: client.tokenEndpointAuthMethod,
+                    grantTypes: client.grantTypes,
+                    redirectUris: client.redirectUris,
+                    jwks: client.jwks ?? [],
+                });
+            }
+            if (missingSecrets.length > 0) {
+                throw new Error(`Missing bootstrap auth client secrets for: ${missingSecrets.join(", ")}`);
+            }
+        }
+    }
+}

package/dist/storage/database.js

@@ -0,0 +1,39 @@
+import { Pool } from "pg";
+class PostgresDatabase {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async query(text, params) {
+        return this.pool.query(text, params);
+    }
+    async withTransaction(fn) {
+        const client = await this.pool.connect();
+        try {
+            await client.query("BEGIN");
+            const result = await fn(client);
+            await client.query("COMMIT");
+            return result;
+        }
+        catch (error) {
+            await client.query("ROLLBACK");
+            throw error;
+        }
+        finally {
+            client.release();
+        }
+    }
+    async healthcheck() {
+        await this.pool.query("SELECT 1");
+    }
+    async close() {
+        await this.pool.end();
+    }
+}
+export function createPostgresDatabase(config) {
+    const pool = new Pool({
+        connectionString: config.databaseUrl,
+        max: config.databasePoolMax,
+    });
+    return new PostgresDatabase(pool);
+}

package/dist/storage/in-memory-database.js

@@ -0,0 +1,40 @@
+import { newDb } from "pg-mem";
+class InMemoryDatabase {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    async query(text, params) {
+        return this.pool.query(text, params);
+    }
+    async withTransaction(fn) {
+        const client = await this.pool.connect();
+        try {
+            await client.query("BEGIN");
+            const result = await fn(client);
+            await client.query("COMMIT");
+            return result;
+        }
+        catch (error) {
+            await client.query("ROLLBACK");
+            throw error;
+        }
+        finally {
+            client.release();
+        }
+    }
+    async healthcheck() {
+        await this.pool.query("SELECT 1");
+    }
+    async close() {
+        await this.pool.end();
+    }
+}
+export function createInMemoryDatabase() {
+    const db = newDb({
+        autoCreateForeignKeyIndices: true,
+    });
+    const adapter = db.adapters.createPg();
+    const pool = new adapter.Pool();
+    return new InMemoryDatabase(pool);
+}

package/dist/storage/migrations.js

@@ -0,0 +1,27 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+export async function runMigrations(database, migrationsDir) {
+    await database.query(`
+    CREATE TABLE IF NOT EXISTS schema_migrations (
+      version TEXT PRIMARY KEY,
+      applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    )
+  `);
+    const dirEntries = await fs.readdir(migrationsDir, { withFileTypes: true });
+    const migrationFiles = dirEntries
+        .filter((entry) => entry.isFile() && entry.name.endsWith(".sql"))
+        .map((entry) => entry.name)
+        .sort();
+    for (const fileName of migrationFiles) {
+        const version = path.basename(fileName, ".sql");
+        const existing = await database.query("SELECT version FROM schema_migrations WHERE version = $1", [version]);
+        if ((existing.rowCount ?? 0) > 0) {
+            continue;
+        }
+        const sql = await fs.readFile(path.join(migrationsDir, fileName), "utf8");
+        await database.withTransaction(async (client) => {
+            await client.query(sql);
+            await client.query("INSERT INTO schema_migrations(version) VALUES ($1)", [version]);
+        });
+    }
+}

package/migrations/001_init.sql

@@ -0,0 +1,49 @@
+CREATE TABLE IF NOT EXISTS credentials (
+  id TEXT PRIMARY KEY,
+  display_name TEXT NOT NULL,
+  service TEXT NOT NULL,
+  owner TEXT NOT NULL,
+  scope_tier TEXT NOT NULL,
+  sensitivity TEXT NOT NULL,
+  allowed_domains TEXT[] NOT NULL,
+  permitted_operations TEXT[] NOT NULL,
+  expires_at TIMESTAMPTZ NULL,
+  rotation_policy TEXT NOT NULL,
+  last_validated_at TIMESTAMPTZ NULL,
+  selection_notes TEXT NOT NULL,
+  binding JSONB NOT NULL,
+  tags TEXT[] NOT NULL DEFAULT '{}',
+  status TEXT NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE IF NOT EXISTS policy_rules (
+  id TEXT PRIMARY KEY,
+  effect TEXT NOT NULL,
+  description TEXT NOT NULL,
+  principals TEXT[] NOT NULL,
+  credential_ids TEXT[] NULL,
+  services TEXT[] NULL,
+  operations TEXT[] NOT NULL,
+  domain_patterns TEXT[] NOT NULL,
+  environments TEXT[] NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE IF NOT EXISTS audit_events (
+  event_id UUID PRIMARY KEY,
+  occurred_at TIMESTAMPTZ NOT NULL,
+  type TEXT NOT NULL,
+  action TEXT NOT NULL,
+  outcome TEXT NOT NULL,
+  principal TEXT NOT NULL,
+  correlation_id UUID NOT NULL,
+  metadata JSONB NOT NULL DEFAULT '{}'::jsonb
+);
+
+CREATE INDEX IF NOT EXISTS idx_credentials_service ON credentials(service);
+CREATE INDEX IF NOT EXISTS idx_credentials_owner ON credentials(owner);
+CREATE INDEX IF NOT EXISTS idx_credentials_status ON credentials(status);
+CREATE INDEX IF NOT EXISTS idx_audit_events_occurred_at ON audit_events(occurred_at DESC);

package/migrations/002_phase2_auth.sql

@@ -0,0 +1,53 @@
+ALTER TABLE policy_rules
+  ADD COLUMN IF NOT EXISTS principal_roles TEXT[] NULL;
+
+CREATE TABLE IF NOT EXISTS oauth_clients (
+  client_id TEXT PRIMARY KEY,
+  display_name TEXT NOT NULL,
+  secret_hash TEXT NOT NULL,
+  secret_salt TEXT NOT NULL,
+  roles TEXT[] NOT NULL,
+  allowed_scopes TEXT[] NOT NULL,
+  status TEXT NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE IF NOT EXISTS access_tokens (
+  token_id UUID PRIMARY KEY,
+  token_hash TEXT NOT NULL UNIQUE,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  subject TEXT NOT NULL,
+  scopes TEXT[] NOT NULL,
+  roles TEXT[] NOT NULL,
+  resource TEXT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  status TEXT NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  last_used_at TIMESTAMPTZ NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_access_tokens_expires_at ON access_tokens(expires_at);
+
+CREATE TABLE IF NOT EXISTS approval_requests (
+  id UUID PRIMARY KEY,
+  created_at TIMESTAMPTZ NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  status TEXT NOT NULL,
+  requested_by TEXT NOT NULL,
+  requested_roles TEXT[] NOT NULL,
+  credential_id TEXT NOT NULL,
+  operation TEXT NOT NULL,
+  target_url TEXT NOT NULL,
+  target_host TEXT NOT NULL,
+  reason TEXT NOT NULL,
+  rule_id TEXT NULL,
+  correlation_id UUID NOT NULL,
+  fingerprint TEXT NOT NULL,
+  reviewed_by TEXT NULL,
+  reviewed_at TIMESTAMPTZ NULL,
+  review_note TEXT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_approval_requests_status ON approval_requests(status);
+CREATE INDEX IF NOT EXISTS idx_approval_requests_fingerprint ON approval_requests(fingerprint);

package/migrations/003_v05_operations.sql

@@ -0,0 +1,9 @@
+CREATE TABLE IF NOT EXISTS request_rate_limits (
+  bucket_key TEXT PRIMARY KEY,
+  window_started_at TIMESTAMPTZ NOT NULL,
+  request_count INTEGER NOT NULL,
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_request_rate_limits_window_started_at
+  ON request_rate_limits(window_started_at);

package/migrations/004_v07_security.sql

@@ -0,0 +1,28 @@
+CREATE TABLE IF NOT EXISTS break_glass_requests (
+  id UUID PRIMARY KEY,
+  created_at TIMESTAMPTZ NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  status TEXT NOT NULL,
+  requested_by TEXT NOT NULL,
+  requested_roles TEXT[] NOT NULL,
+  credential_id TEXT NOT NULL,
+  operation TEXT NOT NULL,
+  target_url TEXT NOT NULL,
+  target_host TEXT NOT NULL,
+  justification TEXT NOT NULL,
+  requested_duration_seconds INTEGER NOT NULL,
+  correlation_id UUID NOT NULL,
+  fingerprint TEXT NOT NULL,
+  reviewed_by TEXT NULL,
+  reviewed_at TIMESTAMPTZ NULL,
+  review_note TEXT NULL,
+  revoked_by TEXT NULL,
+  revoked_at TIMESTAMPTZ NULL,
+  revoke_note TEXT NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_break_glass_requests_status
+  ON break_glass_requests(status);
+
+CREATE INDEX IF NOT EXISTS idx_break_glass_requests_fingerprint
+  ON break_glass_requests(fingerprint);

package/migrations/005_v08_reviews.sql

@@ -0,0 +1,11 @@
+ALTER TABLE approval_requests
+  ADD COLUMN IF NOT EXISTS required_approvals INTEGER NOT NULL DEFAULT 1,
+  ADD COLUMN IF NOT EXISTS approval_count INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS denial_count INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS reviews JSONB NOT NULL DEFAULT '[]'::jsonb;
+
+ALTER TABLE break_glass_requests
+  ADD COLUMN IF NOT EXISTS required_approvals INTEGER NOT NULL DEFAULT 1,
+  ADD COLUMN IF NOT EXISTS approval_count INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS denial_count INTEGER NOT NULL DEFAULT 0,
+  ADD COLUMN IF NOT EXISTS reviews JSONB NOT NULL DEFAULT '[]'::jsonb;

package/migrations/006_v09_auth_trace_rotation.sql

@@ -0,0 +1,51 @@
+ALTER TABLE oauth_clients
+  ADD COLUMN IF NOT EXISTS token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_basic';
+
+ALTER TABLE oauth_clients
+  ADD COLUMN IF NOT EXISTS jwks JSONB NULL;
+
+ALTER TABLE oauth_clients
+  ALTER COLUMN secret_hash DROP NOT NULL;
+
+ALTER TABLE oauth_clients
+  ALTER COLUMN secret_salt DROP NOT NULL;
+
+CREATE TABLE IF NOT EXISTS oauth_client_assertion_jtis (
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  jti TEXT NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (client_id, jti)
+);
+
+CREATE INDEX IF NOT EXISTS idx_oauth_client_assertion_jtis_expires_at
+  ON oauth_client_assertion_jtis(expires_at);
+
+CREATE TABLE IF NOT EXISTS rotation_runs (
+  id UUID PRIMARY KEY,
+  credential_id TEXT NOT NULL REFERENCES credentials(id) ON DELETE CASCADE,
+  status TEXT NOT NULL,
+  source TEXT NOT NULL,
+  reason TEXT NOT NULL,
+  due_at TIMESTAMPTZ NULL,
+  planned_at TIMESTAMPTZ NOT NULL,
+  started_at TIMESTAMPTZ NULL,
+  completed_at TIMESTAMPTZ NULL,
+  planned_by TEXT NOT NULL,
+  updated_by TEXT NOT NULL,
+  note TEXT NULL,
+  target_ref TEXT NULL,
+  result_note TEXT NULL,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_rotation_runs_status_due_at
+  ON rotation_runs(status, due_at);
+
+CREATE INDEX IF NOT EXISTS idx_rotation_runs_credential_id
+  ON rotation_runs(credential_id);
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_rotation_runs_open_by_credential
+  ON rotation_runs(credential_id)
+  WHERE status IN ('pending', 'in_progress');

package/migrations/007_v010_multi_tenant.sql

@@ -0,0 +1,32 @@
+ALTER TABLE credentials
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE policy_rules
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE audit_events
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE oauth_clients
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE access_tokens
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE approval_requests
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE break_glass_requests
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+ALTER TABLE rotation_runs
+  ADD COLUMN IF NOT EXISTS tenant_id TEXT NOT NULL DEFAULT 'default';
+
+CREATE INDEX IF NOT EXISTS idx_credentials_tenant_id ON credentials(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_policy_rules_tenant_id ON policy_rules(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_audit_events_tenant_id_occurred_at ON audit_events(tenant_id, occurred_at DESC);
+CREATE INDEX IF NOT EXISTS idx_oauth_clients_tenant_id ON oauth_clients(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_access_tokens_tenant_id ON access_tokens(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_approval_requests_tenant_id_status ON approval_requests(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_break_glass_requests_tenant_id_status ON break_glass_requests(tenant_id, status);
+CREATE INDEX IF NOT EXISTS idx_rotation_runs_tenant_id_status ON rotation_runs(tenant_id, status);