@simonsbs/keylore 1.0.0-rc4

package/migrations/008_v011_auth_tenant_ops.sql

@@ -0,0 +1,95 @@
+CREATE TABLE IF NOT EXISTS tenants (
+  tenant_id TEXT PRIMARY KEY,
+  display_name TEXT NOT NULL,
+  description TEXT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+INSERT INTO tenants (tenant_id, display_name, description, status)
+VALUES ('default', 'Default Tenant', 'Bootstrap default tenant', 'active')
+ON CONFLICT (tenant_id) DO NOTHING;
+
+INSERT INTO tenants (tenant_id, display_name, description, status)
+SELECT tenant_id, tenant_id, NULL, 'active'
+FROM (
+  SELECT tenant_id FROM credentials
+  UNION
+  SELECT tenant_id FROM policy_rules
+  UNION
+  SELECT tenant_id FROM audit_events
+  UNION
+  SELECT tenant_id FROM oauth_clients
+  UNION
+  SELECT tenant_id FROM access_tokens
+  UNION
+  SELECT tenant_id FROM approval_requests
+  UNION
+  SELECT tenant_id FROM break_glass_requests
+  UNION
+  SELECT tenant_id FROM rotation_runs
+) tenant_ids
+WHERE tenant_id IS NOT NULL
+ON CONFLICT (tenant_id) DO NOTHING;
+
+ALTER TABLE oauth_clients
+  ALTER COLUMN secret_hash DROP NOT NULL;
+
+ALTER TABLE oauth_clients
+  ALTER COLUMN secret_salt DROP NOT NULL;
+
+ALTER TABLE oauth_clients
+  ADD COLUMN IF NOT EXISTS grant_types TEXT[] NOT NULL DEFAULT ARRAY['client_credentials']::TEXT[];
+
+ALTER TABLE oauth_clients
+  ADD COLUMN IF NOT EXISTS redirect_uris TEXT[] NOT NULL DEFAULT ARRAY[]::TEXT[];
+
+CREATE TABLE IF NOT EXISTS oauth_authorization_codes (
+  code_id UUID PRIMARY KEY,
+  code_hash TEXT NOT NULL UNIQUE,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  tenant_id TEXT NOT NULL,
+  subject TEXT NOT NULL,
+  scopes TEXT[] NOT NULL,
+  roles TEXT[] NOT NULL,
+  resource TEXT NULL,
+  redirect_uri TEXT NOT NULL,
+  code_challenge TEXT NOT NULL,
+  code_challenge_method TEXT NOT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  consumed_at TIMESTAMPTZ NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_oauth_authorization_codes_client_id
+  ON oauth_authorization_codes(client_id, status);
+
+CREATE INDEX IF NOT EXISTS idx_oauth_authorization_codes_expires_at
+  ON oauth_authorization_codes(expires_at);
+
+CREATE TABLE IF NOT EXISTS refresh_tokens (
+  refresh_token_id UUID PRIMARY KEY,
+  token_hash TEXT NOT NULL UNIQUE,
+  client_id TEXT NOT NULL REFERENCES oauth_clients(client_id) ON DELETE CASCADE,
+  tenant_id TEXT NOT NULL,
+  subject TEXT NOT NULL,
+  scopes TEXT[] NOT NULL,
+  roles TEXT[] NOT NULL,
+  resource TEXT NULL,
+  expires_at TIMESTAMPTZ NOT NULL,
+  status TEXT NOT NULL DEFAULT 'active',
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  last_used_at TIMESTAMPTZ NULL,
+  replaced_by_token_id UUID NULL
+);
+
+CREATE INDEX IF NOT EXISTS idx_refresh_tokens_client_id
+  ON refresh_tokens(client_id, status);
+
+CREATE INDEX IF NOT EXISTS idx_refresh_tokens_tenant_id
+  ON refresh_tokens(tenant_id, status);
+
+CREATE INDEX IF NOT EXISTS idx_refresh_tokens_expires_at
+  ON refresh_tokens(expires_at);

package/package.json

@@ -0,0 +1,78 @@
+{
+  "name": "@simonsbs/keylore",
+  "version": "1.0.0-rc4",
+  "description": "MCP credential broker and searchable credential catalogue for LLM coding tools.",
+  "type": "module",
+  "main": "dist/index.js",
+  "files": [
+    "bin",
+    "dist",
+    "data/auth-clients.json",
+    "data/catalog.json",
+    "data/policies.json",
+    "migrations",
+    ".env.example",
+    "README.md",
+    "LICENSE",
+    "NOTICE"
+  ],
+  "bin": {
+    "keylore": "dist/cli.js",
+    "keylore-http": "bin/keylore-http.js",
+    "keylore-stdio": "bin/keylore-stdio.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Simonsbs/keylore.git"
+  },
+  "keywords": [
+    "mcp",
+    "model-context-protocol",
+    "credentials",
+    "secrets",
+    "broker",
+    "catalogue"
+  ],
+  "author": "Simon",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=20"
+  },
+  "scripts": {
+    "build": "rm -rf dist && tsc -p tsconfig.build.json",
+    "prepack": "npm run build",
+    "typecheck": "tsc --noEmit",
+    "test:contracts": "node --test --import tsx src/test/contract.test.ts",
+    "test:conformance": "node --test --import tsx src/test/conformance.test.ts",
+    "test:hardening": "node --test --import tsx src/test/hardening.test.ts",
+    "db:up": "docker compose up -d postgres",
+    "db:down": "docker compose down",
+    "dev:http": "tsx src/index.ts --transport http",
+    "quickstart": "bash ./scripts/quickstart.sh",
+    "dev:stdio": "tsx src/index.ts --transport stdio",
+    "dev:cli": "tsx src/cli.ts",
+    "ops:container-smoke": "bash ./scripts/container-smoke.sh",
+    "ops:fresh-user-env": "sudo bash ./scripts/fresh-user-env.sh",
+    "ops:fresh-user-env:cleanup": "sudo bash ./scripts/fresh-user-env-cleanup.sh",
+    "ops:helm-validate": "bash ./scripts/helm-validate.sh",
+    "ops:release-verify": "bash ./scripts/release-verify.sh",
+    "ops:restore-drill": "bash ./scripts/restore-drill.sh",
+    "start:http": "node dist/index.js --transport http",
+    "start:stdio": "node dist/index.js --transport stdio",
+    "start:cli": "node dist/cli.js",
+    "test": "node --test --import tsx src/test/**/*.test.ts"
+  },
+  "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.27.1",
+    "pg": "^8.20.0",
+    "pg-mem": "^3.0.14",
+    "pino": "^10.3.1",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@types/node": "^25.5.0",
+    "@types/pg": "^8.18.0",
+    "tsx": "^4.21.0",
+    "typescript": "^5.9.3"
+  }
+}