@simonsbs/keylore 1.0.0-rc4

package/dist/index.js

@@ -0,0 +1,40 @@
+import { createKeyLoreApp } from "./app.js";
+import { startHttpServer } from "./http/server.js";
+import { runStdioServer } from "./mcp/stdio.js";
+function readTransportArg(argv) {
+    const transportIndex = argv.findIndex((value) => value === "--transport");
+    if (transportIndex >= 0) {
+        const value = argv[transportIndex + 1];
+        if (value === "http" || value === "stdio") {
+            return value;
+        }
+    }
+    const inline = argv.find((value) => value.startsWith("--transport="));
+    if (inline) {
+        const [, value] = inline.split("=", 2);
+        if (value === "http" || value === "stdio") {
+            return value;
+        }
+    }
+    return "http";
+}
+async function main() {
+    const app = await createKeyLoreApp();
+    const transport = readTransportArg(process.argv.slice(2));
+    if (transport === "stdio") {
+        await runStdioServer(app);
+        return;
+    }
+    const server = await startHttpServer(app);
+    const shutdown = async () => {
+        await server.close();
+        await app.close();
+        process.exit(0);
+    };
+    process.on("SIGINT", shutdown);
+    process.on("SIGTERM", shutdown);
+}
+main().catch((error) => {
+    console.error(error);
+    process.exit(1);
+});

package/dist/mcp/create-server.js

@@ -0,0 +1,388 @@
+import * as z from "zod/v4";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { accessDecisionSchema, adapterHealthListOutputSchema, auditRecentOutputSchema, breakGlassListOutputSchema, breakGlassRequestInputSchema, breakGlassRequestSchema, breakGlassReviewInputSchema, catalogGetOutputSchema, credentialStatusReportListOutputSchema, catalogSearchInputSchema, catalogSearchOutputSchema, maintenanceStatusOutputSchema, operationSchema, rotationRunListOutputSchema, rotationPlanInputSchema, rotationCreateInputSchema, rotationCompleteInputSchema, runtimeExecutionResultSchema, rotationRunSchema, traceExportStatusOutputSchema, traceListOutputSchema, sensitivitySchema, scopeTierSchema, } from "../domain/types.js";
+import { authContextFromToken, localOperatorContext } from "../services/auth-context.js";
+function makeText(value) {
+    return JSON.stringify(value, null, 2);
+}
+function contextFromExtra(app, extra) {
+    if (!extra?.authInfo) {
+        return localOperatorContext(app.config.defaultPrincipal);
+    }
+    return authContextFromToken({
+        principal: typeof extra.authInfo.extra?.principal === "string"
+            ? extra.authInfo.extra.principal
+            : extra.authInfo.clientId,
+        clientId: extra.authInfo.clientId,
+        tenantId: typeof extra.authInfo.extra?.tenantId === "string" ? extra.authInfo.extra.tenantId : undefined,
+        scopes: extra.authInfo.scopes,
+        roles: (Array.isArray(extra.authInfo.extra?.roles)
+            ? extra.authInfo.extra.roles
+            : []),
+        resource: extra.authInfo.resource?.href,
+    });
+}
+export function createKeyLoreMcpServer(app) {
+    const server = new McpServer({
+        name: "keylore-mcp",
+        version: app.config.version,
+    });
+    server.registerTool("catalog_search", {
+        description: "Search credential metadata without exposing secret values. Use this before attempting access.",
+        inputSchema: {
+            query: z.string().optional(),
+            service: z.string().optional(),
+            owner: z.string().optional(),
+            scopeTier: scopeTierSchema.optional(),
+            sensitivity: sensitivitySchema.optional(),
+            status: z.enum(["active", "disabled"]).optional(),
+            tag: z.string().optional(),
+            limit: z.number().int().min(1).max(50).default(10),
+        },
+        outputSchema: catalogSearchOutputSchema,
+    }, async (input, extra) => {
+        const parsed = catalogSearchInputSchema.parse(input);
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["catalog:read"]);
+        const results = await app.broker.searchCatalog(context, parsed);
+        return {
+            content: [{ type: "text", text: makeText(results) }],
+            structuredContent: {
+                results,
+                count: results.length,
+            },
+        };
+    });
+    server.registerTool("catalog_get", {
+        description: "Return one credential metadata record by identifier, still without secrets.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+        },
+        outputSchema: catalogGetOutputSchema,
+    }, async ({ credentialId }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["catalog:read"]);
+        const result = await app.broker.getCredential(context, credentialId);
+        return {
+            content: [
+                {
+                    type: "text",
+                    text: makeText(result ?? { error: "Credential not found." }),
+                },
+            ],
+            structuredContent: {
+                result: result ?? null,
+            },
+        };
+    });
+    server.registerTool("catalog_report", {
+        description: "Inspect credential rotation and expiry status without exposing secret values.",
+        inputSchema: {
+            credentialId: z.string().min(1).optional(),
+        },
+        outputSchema: credentialStatusReportListOutputSchema,
+    }, async ({ credentialId }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["catalog:read"]);
+        app.auth.requireRoles(context, ["admin", "operator", "auditor"]);
+        const reports = await app.broker.listCredentialReports(context, credentialId);
+        return {
+            content: [{ type: "text", text: makeText(reports) }],
+            structuredContent: {
+                reports,
+            },
+        };
+    });
+    server.registerTool("access_request", {
+        description: "Evaluate policy and, if allowed, execute a constrained authenticated proxy request without returning secret material.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+            operation: operationSchema,
+            targetUrl: z.string().url(),
+            headers: z.record(z.string(), z.string()).optional(),
+            payload: z.string().optional(),
+            approvalId: z.string().uuid().optional(),
+            dryRun: z.boolean().optional(),
+        },
+        outputSchema: accessDecisionSchema,
+    }, async (input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["broker:use"]);
+        const decision = await app.broker.requestAccess(context, input);
+        return {
+            content: [{ type: "text", text: makeText(decision) }],
+            structuredContent: decision,
+        };
+    });
+    server.registerTool("policy_simulate", {
+        description: "Evaluate policy for a proposed access request without executing the outbound call or creating approval side effects.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+            operation: operationSchema,
+            targetUrl: z.string().url(),
+            headers: z.record(z.string(), z.string()).optional(),
+            payload: z.string().optional(),
+            approvalId: z.string().uuid().optional(),
+        },
+        outputSchema: accessDecisionSchema,
+    }, async (input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["broker:use"]);
+        const decision = await app.broker.simulateAccess(context, input);
+        return {
+            content: [{ type: "text", text: makeText(decision) }],
+            structuredContent: decision,
+        };
+    });
+    server.registerTool("audit_recent", {
+        description: "Read recent audit events for search, authorization, and credential use.",
+        inputSchema: {
+            limit: z.number().int().min(1).max(100).default(20),
+        },
+        outputSchema: auditRecentOutputSchema,
+    }, async ({ limit }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["audit:read"]);
+        app.auth.requireRoles(context, ["admin", "auditor"]);
+        const events = await app.broker.listRecentAuditEvents(context, limit);
+        return {
+            content: [{ type: "text", text: makeText(events) }],
+            structuredContent: {
+                events,
+            },
+        };
+    });
+    server.registerTool("system_adapters", {
+        description: "Read adapter availability and health for configured secret backends.",
+        inputSchema: {},
+        outputSchema: adapterHealthListOutputSchema,
+    }, async (_input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:read"]);
+        app.auth.requireRoles(context, ["admin", "maintenance_operator", "auditor"]);
+        const adapters = await app.broker.adapterHealth();
+        return {
+            content: [{ type: "text", text: makeText(adapters) }],
+            structuredContent: {
+                adapters,
+            },
+        };
+    });
+    server.registerTool("system_maintenance_status", {
+        description: "Read background maintenance loop status and last cleanup result.",
+        inputSchema: {},
+        outputSchema: maintenanceStatusOutputSchema,
+    }, async (_input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:read"]);
+        app.auth.requireRoles(context, ["admin", "maintenance_operator", "auditor"]);
+        return {
+            content: [{ type: "text", text: makeText(app.maintenance.status()) }],
+            structuredContent: {
+                maintenance: app.maintenance.status(),
+            },
+        };
+    });
+    server.registerTool("system_recent_traces", {
+        description: "Inspect recent in-memory trace spans for HTTP, review, notification, and operator flows.",
+        inputSchema: {
+            limit: z.number().int().min(1).max(100).default(20),
+            traceId: z.string().optional(),
+        },
+        outputSchema: traceListOutputSchema,
+    }, async ({ limit, traceId }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:read"]);
+        app.auth.requireRoles(context, ["admin", "maintenance_operator", "auditor"]);
+        return {
+            content: [{ type: "text", text: makeText(app.traces.recent(limit, traceId)) }],
+            structuredContent: {
+                traces: app.traces.recent(limit, traceId),
+            },
+        };
+    });
+    server.registerTool("system_trace_exporter_status", {
+        description: "Read external trace-export pipeline status and pending queue depth.",
+        inputSchema: {},
+        outputSchema: traceExportStatusOutputSchema,
+    }, async (_input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:read"]);
+        app.auth.requireRoles(context, ["admin", "maintenance_operator", "auditor"]);
+        return {
+            content: [{ type: "text", text: makeText(app.traceExports.status()) }],
+            structuredContent: {
+                exporter: app.traceExports.status(),
+            },
+        };
+    });
+    server.registerTool("system_rotation_list", {
+        description: "List credential rotation workflow runs and their current status.",
+        inputSchema: {
+            status: z.enum(["pending", "in_progress", "completed", "failed", "cancelled"]).optional(),
+            credentialId: z.string().optional(),
+        },
+        outputSchema: rotationRunListOutputSchema,
+    }, async ({ status, credentialId }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:read"]);
+        app.auth.requireRoles(context, ["admin", "operator", "maintenance_operator", "auditor"]);
+        const rotations = await app.rotations.list({ tenantId: context.tenantId, status, credentialId });
+        return {
+            content: [{ type: "text", text: makeText(rotations) }],
+            structuredContent: {
+                rotations,
+            },
+        };
+    });
+    server.registerTool("system_rotation_plan", {
+        description: "Create pending rotation runs for credentials approaching expiry or backend rotation windows.",
+        inputSchema: {
+            horizonDays: z.number().int().min(1).max(365).default(14),
+            credentialIds: z.array(z.string()).optional(),
+        },
+        outputSchema: rotationRunListOutputSchema,
+    }, async (input, extra) => {
+        const parsed = rotationPlanInputSchema.parse(input);
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:write"]);
+        app.auth.requireRoles(context, ["admin", "operator", "maintenance_operator"]);
+        const rotations = await app.rotations.planDue(context, parsed);
+        return {
+            content: [{ type: "text", text: makeText(rotations) }],
+            structuredContent: {
+                rotations,
+            },
+        };
+    });
+    server.registerTool("system_rotation_create", {
+        description: "Create a manual rotation workflow run for a specific credential.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+            reason: z.string().min(8).max(2000),
+            dueAt: z.string().datetime().optional(),
+            note: z.string().max(2000).optional(),
+        },
+        outputSchema: z.object({ rotation: rotationRunSchema }),
+    }, async (input, extra) => {
+        const parsed = rotationCreateInputSchema.parse(input);
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:write"]);
+        app.auth.requireRoles(context, ["admin", "operator", "maintenance_operator"]);
+        const rotation = await app.rotations.createManual(context, parsed);
+        return {
+            content: [{ type: "text", text: makeText(rotation) }],
+            structuredContent: {
+                rotation,
+            },
+        };
+    });
+    server.registerTool("system_rotation_complete", {
+        description: "Mark a rotation workflow run completed and optionally update the credential binding reference.",
+        inputSchema: {
+            rotationId: z.string().uuid(),
+            note: z.string().max(2000).optional(),
+            targetRef: z.string().optional(),
+            expiresAt: z.string().datetime().nullable().optional(),
+            lastValidatedAt: z.string().datetime().optional(),
+        },
+        outputSchema: z.object({ rotation: rotationRunSchema.nullable() }),
+    }, async ({ rotationId, ...input }, extra) => {
+        const parsed = rotationCompleteInputSchema.parse(input);
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["system:write"]);
+        app.auth.requireRoles(context, ["admin", "operator", "maintenance_operator"]);
+        const rotation = await app.rotations.complete(rotationId, context, parsed);
+        return {
+            content: [{ type: "text", text: makeText(rotation ?? { error: "Rotation not found." }) }],
+            structuredContent: {
+                rotation: rotation ?? null,
+            },
+        };
+    });
+    server.registerTool("break_glass_request", {
+        description: "Create an audited emergency-access request for a specific credential and target.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+            operation: operationSchema,
+            targetUrl: z.string().url(),
+            justification: z.string().min(12).max(2000),
+            requestedDurationSeconds: z.number().int().min(60).max(86400).optional(),
+        },
+        outputSchema: z.object({ request: breakGlassRequestSchema }),
+    }, async (input, extra) => {
+        const parsed = breakGlassRequestInputSchema.parse(input);
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["breakglass:request"]);
+        app.auth.requireRoles(context, ["admin", "breakglass_operator"]);
+        const request = await app.broker.createBreakGlassRequest(context, parsed);
+        return {
+            content: [{ type: "text", text: makeText(request) }],
+            structuredContent: { request },
+        };
+    });
+    server.registerTool("break_glass_list", {
+        description: "List emergency-access requests and their review status.",
+        inputSchema: {
+            status: z.enum(["pending", "active", "denied", "expired", "revoked"]).optional(),
+            requestedBy: z.string().optional(),
+        },
+        outputSchema: breakGlassListOutputSchema,
+    }, async ({ status, requestedBy }, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["breakglass:read"]);
+        app.auth.requireRoles(context, ["admin", "approver", "auditor", "breakglass_operator"]);
+        const requests = await app.broker.listBreakGlassRequests(context, { status, requestedBy });
+        return {
+            content: [{ type: "text", text: makeText(requests) }],
+            structuredContent: {
+                requests,
+            },
+        };
+    });
+    server.registerTool("break_glass_review", {
+        description: "Approve, deny, or revoke an emergency-access request.",
+        inputSchema: {
+            requestId: z.string().uuid(),
+            action: z.enum(["approve", "deny", "revoke"]),
+            note: z.string().max(1000).optional(),
+        },
+        outputSchema: z.object({ request: breakGlassRequestSchema.nullable() }),
+    }, async ({ requestId, action, note }, extra) => {
+        const parsedNote = breakGlassReviewInputSchema.parse({ note }).note;
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["breakglass:review"]);
+        app.auth.requireRoles(context, action === "revoke" ? ["admin", "approver", "breakglass_operator"] : ["admin", "approver"]);
+        const request = action === "approve"
+            ? await app.broker.reviewBreakGlassRequest(context, requestId, "active", parsedNote)
+            : action === "deny"
+                ? await app.broker.reviewBreakGlassRequest(context, requestId, "denied", parsedNote)
+                : await app.broker.revokeBreakGlassRequest(context, requestId, parsedNote);
+        return {
+            content: [{ type: "text", text: makeText(request ?? { error: "Request not found." }) }],
+            structuredContent: { request: request ?? null },
+        };
+    });
+    server.registerTool("runtime_run_sandboxed", {
+        description: "Run a tightly allowlisted command with a credential injected into a temporary process environment, with output scrubbing.",
+        inputSchema: {
+            credentialId: z.string().min(1),
+            command: z.string().min(1),
+            args: z.array(z.string()).max(32).default([]),
+            secretEnvName: z.string().regex(/^[A-Z_][A-Z0-9_]*$/).optional(),
+            env: z.record(z.string().regex(/^[A-Z_][A-Z0-9_]*$/), z.string()).optional(),
+            timeoutMs: z.number().int().min(100).max(60000).optional(),
+        },
+        outputSchema: runtimeExecutionResultSchema,
+    }, async (input, extra) => {
+        const context = contextFromExtra(app, extra);
+        app.auth.requireScopes(context, ["sandbox:run"]);
+        app.auth.requireRoles(context, ["admin", "operator"]);
+        const result = await app.broker.runSandboxed(context, input);
+        return {
+            content: [{ type: "text", text: makeText(result) }],
+            structuredContent: result,
+        };
+    });
+    return server;
+}

package/dist/mcp/stdio.js

@@ -0,0 +1,7 @@
+import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
+import { createKeyLoreMcpServer } from "./create-server.js";
+export async function runStdioServer(app) {
+    const server = createKeyLoreMcpServer(app);
+    const transport = new StdioServerTransport();
+    await server.connect(transport);
+}

package/dist/repositories/credential-repository.js

@@ -0,0 +1,109 @@
+import { randomUUID } from "node:crypto";
+import { catalogFileSchema, createCredentialInputSchema, updateCredentialInputSchema, } from "../domain/types.js";
+import { readTextFile, writeTextFile } from "./json-file.js";
+function normalizeText(value) {
+    return value.trim().toLowerCase();
+}
+function matchesQuery(credential, query) {
+    if (!query) {
+        return true;
+    }
+    const haystack = [
+        credential.id,
+        credential.displayName,
+        credential.service,
+        credential.owner,
+        credential.selectionNotes,
+        ...credential.tags,
+    ]
+        .join(" ")
+        .toLowerCase();
+    return normalizeText(query)
+        .split(/\s+/)
+        .every((token) => haystack.includes(token));
+}
+export class JsonCredentialRepository {
+    filePath;
+    constructor(filePath) {
+        this.filePath = filePath;
+    }
+    async ensureInitialized() {
+        const file = await readTextFile(this.filePath);
+        if (file) {
+            catalogFileSchema.parse(JSON.parse(file));
+            return;
+        }
+        const emptyCatalog = { version: 1, credentials: [] };
+        await writeTextFile(this.filePath, `${JSON.stringify(emptyCatalog, null, 2)}\n`);
+    }
+    async list() {
+        return (await this.readCatalog()).credentials;
+    }
+    async getById(id) {
+        return (await this.list()).find((credential) => credential.id === id);
+    }
+    async search(input) {
+        const credentials = await this.list();
+        return credentials
+            .filter((credential) => matchesQuery(credential, input.query))
+            .filter((credential) => (input.service ? credential.service === input.service : true))
+            .filter((credential) => (input.owner ? credential.owner === input.owner : true))
+            .filter((credential) => (input.scopeTier ? credential.scopeTier === input.scopeTier : true))
+            .filter((credential) => (input.sensitivity ? credential.sensitivity === input.sensitivity : true))
+            .filter((credential) => (input.status ? credential.status === input.status : true))
+            .filter((credential) => (input.tag ? credential.tags.includes(input.tag) : true))
+            .slice(0, input.limit);
+    }
+    async create(record) {
+        const parsed = createCredentialInputSchema.parse(record);
+        const catalog = await this.readCatalog();
+        if (catalog.credentials.some((credential) => credential.id === parsed.id)) {
+            throw new Error(`Credential ${parsed.id} already exists.`);
+        }
+        catalog.credentials.push(parsed);
+        await this.writeCatalog(catalog);
+        return parsed;
+    }
+    async createWithDefaults(record) {
+        return this.create({
+            id: record.id ?? randomUUID(),
+            ...record,
+        });
+    }
+    async update(id, patch) {
+        const parsedPatch = updateCredentialInputSchema.parse(patch);
+        const catalog = await this.readCatalog();
+        const index = catalog.credentials.findIndex((credential) => credential.id === id);
+        if (index === -1) {
+            throw new Error(`Credential ${id} was not found.`);
+        }
+        const merged = createCredentialInputSchema.parse({
+            ...catalog.credentials[index],
+            ...parsedPatch,
+            id,
+        });
+        catalog.credentials[index] = merged;
+        await this.writeCatalog(catalog);
+        return merged;
+    }
+    async delete(id) {
+        const catalog = await this.readCatalog();
+        const initialLength = catalog.credentials.length;
+        catalog.credentials = catalog.credentials.filter((credential) => credential.id !== id);
+        if (catalog.credentials.length === initialLength) {
+            return false;
+        }
+        await this.writeCatalog(catalog);
+        return true;
+    }
+    async readCatalog() {
+        const text = await readTextFile(this.filePath);
+        if (!text) {
+            return { version: 1, credentials: [] };
+        }
+        return catalogFileSchema.parse(JSON.parse(text));
+    }
+    async writeCatalog(catalog) {
+        await writeTextFile(this.filePath, `${JSON.stringify(catalog, null, 2)}\n`);
+    }
+}

package/dist/repositories/interfaces.js

@@ -0,0 +1 @@
+export {};

package/dist/repositories/json-file.js

@@ -0,0 +1,20 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+export async function ensureParentDirectory(filePath) {
+    await fs.mkdir(path.dirname(filePath), { recursive: true });
+}
+export async function readTextFile(filePath) {
+    try {
+        return await fs.readFile(filePath, "utf8");
+    }
+    catch (error) {
+        if (error.code === "ENOENT") {
+            return undefined;
+        }
+        throw error;
+    }
+}
+export async function writeTextFile(filePath, text) {
+    await ensureParentDirectory(filePath);
+    await fs.writeFile(filePath, text, "utf8");
+}

package/dist/repositories/pg-access-token-repository.js

@@ -0,0 +1,118 @@
+import { randomUUID } from "node:crypto";
+import { accessTokenRecordSchema, } from "../domain/types.js";
+function toIso(value) {
+    if (value === null) {
+        return undefined;
+    }
+    return value instanceof Date ? value.toISOString() : value;
+}
+function mapRow(row) {
+    const record = accessTokenRecordSchema.parse({
+        tokenId: row.token_id,
+        clientId: row.client_id,
+        tenantId: row.tenant_id,
+        subject: row.subject,
+        scopes: row.scopes,
+        roles: row.roles,
+        resource: row.resource ?? undefined,
+        expiresAt: toIso(row.expires_at),
+        status: row.status,
+        createdAt: toIso(row.created_at),
+        lastUsedAt: toIso(row.last_used_at),
+    });
+    return {
+        ...record,
+        tokenHash: row.token_hash,
+    };
+}
+export class PgAccessTokenRepository {
+    database;
+    constructor(database) {
+        this.database = database;
+    }
+    async issue(input) {
+        await this.database.query(`INSERT INTO access_tokens (
+        token_id, token_hash, client_id, tenant_id, subject, scopes, roles, resource, expires_at, status
+      ) VALUES (
+        $1, $2, $3, $4, $5, $6, $7, $8, $9, 'active'
+      )`, [
+            randomUUID(),
+            input.tokenHash,
+            input.clientId,
+            input.tenantId,
+            input.subject,
+            input.scopes,
+            input.roles,
+            input.resource ?? null,
+            input.expiresAt,
+        ]);
+    }
+    async getByHash(tokenHash) {
+        const result = await this.database.query("SELECT * FROM access_tokens WHERE token_hash = $1", [tokenHash]);
+        return result.rows[0] ? mapRow(result.rows[0]) : undefined;
+    }
+    async getById(tokenId) {
+        const result = await this.database.query("SELECT * FROM access_tokens WHERE token_id = $1", [tokenId]);
+        if (!result.rows[0]) {
+            return undefined;
+        }
+        const { tokenHash: _tokenHash, ...record } = mapRow(result.rows[0]);
+        return record;
+    }
+    async touch(tokenHash) {
+        await this.database.query("UPDATE access_tokens SET last_used_at = NOW() WHERE token_hash = $1", [tokenHash]);
+    }
+    async list(filter) {
+        const clauses = [];
+        const values = [];
+        if (filter?.clientId) {
+            values.push(filter.clientId);
+            clauses.push(`client_id = $${values.length}`);
+        }
+        if (filter?.status) {
+            values.push(filter.status);
+            clauses.push(`status = $${values.length}`);
+        }
+        if (filter?.tenantId) {
+            values.push(filter.tenantId);
+            clauses.push(`tenant_id = $${values.length}`);
+        }
+        const where = clauses.length > 0 ? `WHERE ${clauses.join(" AND ")}` : "";
+        const result = await this.database.query(`SELECT * FROM access_tokens ${where} ORDER BY created_at DESC`, values);
+        return result.rows.map((row) => {
+            const { tokenHash: _tokenHash, ...record } = mapRow(row);
+            return record;
+        });
+    }
+    async expireStale() {
+        const result = await this.database.query(`WITH expired AS (
+         UPDATE access_tokens
+         SET status = 'revoked'
+         WHERE status = 'active' AND expires_at <= NOW()
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM expired`);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+    async revokeById(tokenId) {
+        const result = await this.database.query(`UPDATE access_tokens
+       SET status = 'revoked'
+       WHERE token_id = $1 AND status = 'active'
+       RETURNING *`, [tokenId]);
+        if (!result.rows[0]) {
+            return undefined;
+        }
+        const { tokenHash: _tokenHash, ...record } = mapRow(result.rows[0]);
+        return record;
+    }
+    async revokeByClientId(clientId) {
+        const result = await this.database.query(`WITH revoked AS (
+         UPDATE access_tokens
+         SET status = 'revoked'
+         WHERE client_id = $1 AND status = 'active'
+         RETURNING 1
+       )
+       SELECT COUNT(*)::text AS count FROM revoked`, [clientId]);
+        return Number.parseInt(result.rows[0]?.count ?? "0", 10);
+    }
+}