@undefineds.co/xpod 0.1.7 → 0.2.0

package/dist/identity/drizzle/ServiceTokenRepository.js

@@ -0,0 +1,142 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ServiceTokenRepository = void 0;
+const node_crypto_1 = require("node:crypto");
+const drizzle_orm_1 = require("drizzle-orm");
+const global_logger_factory_1 = require("global-logger-factory");
+const db_1 = require("./db");
+class ServiceTokenRepository {
+    constructor(db) {
+        this.db = db;
+        this.logger = (0, global_logger_factory_1.getLoggerFor)(this);
+        this.schema = (0, db_1.getSchema)(db);
+    }
+    /**
+     * Create a new service token. Returns the plaintext token (only available at creation time).
+     */
+    async createToken(options) {
+        const id = (0, node_crypto_1.randomUUID)();
+        const token = `svc-${(0, node_crypto_1.randomUUID)().replace(/-/g, '')}`;
+        const tokenHash = this.hashToken(token);
+        await this.db.insert(this.schema.serviceTokens).values({
+            id,
+            tokenHash,
+            serviceType: options.serviceType,
+            serviceId: options.serviceId,
+            scopes: JSON.stringify(options.scopes),
+            createdAt: (0, db_1.toDbTimestamp)(this.db, new Date()),
+            expiresAt: options.expiresAt ? (0, db_1.toDbTimestamp)(this.db, options.expiresAt) : null,
+        });
+        this.logger.info(`Created service token ${id} for ${options.serviceType}:${options.serviceId}`);
+        return { id, token };
+    }
+    /**
+     * Register a token from a known plaintext value (e.g. XPOD_BUSINESS_TOKEN env var).
+     * Upserts by serviceType + serviceId to avoid duplicates.
+     */
+    async registerToken(token, options) {
+        const tokenHash = this.hashToken(token);
+        // Check if a token already exists for this service
+        const existing = await this.findByService(options.serviceType, options.serviceId);
+        if (existing) {
+            // Update the hash in case the token changed
+            await this.db.update(this.schema.serviceTokens)
+                .set({
+                tokenHash,
+                scopes: JSON.stringify(options.scopes),
+                expiresAt: options.expiresAt ? (0, db_1.toDbTimestamp)(this.db, options.expiresAt) : null,
+            })
+                .where((0, drizzle_orm_1.eq)(this.schema.serviceTokens.id, existing.id));
+            this.logger.info(`Updated service token ${existing.id} for ${options.serviceType}:${options.serviceId}`);
+            return existing.id;
+        }
+        const id = (0, node_crypto_1.randomUUID)();
+        await this.db.insert(this.schema.serviceTokens).values({
+            id,
+            tokenHash,
+            serviceType: options.serviceType,
+            serviceId: options.serviceId,
+            scopes: JSON.stringify(options.scopes),
+            createdAt: (0, db_1.toDbTimestamp)(this.db, new Date()),
+            expiresAt: options.expiresAt ? (0, db_1.toDbTimestamp)(this.db, options.expiresAt) : null,
+        });
+        this.logger.info(`Registered service token ${id} for ${options.serviceType}:${options.serviceId}`);
+        return id;
+    }
+    /**
+     * Verify a plaintext token and return the matching record if valid.
+     */
+    async verifyToken(token) {
+        const tokenHash = this.hashToken(token);
+        const rows = await this.db.select()
+            .from(this.schema.serviceTokens)
+            .where((0, drizzle_orm_1.eq)(this.schema.serviceTokens.tokenHash, tokenHash));
+        if (!rows || rows.length === 0) {
+            return undefined;
+        }
+        const row = rows[0];
+        // Check expiration (expiresAt is Unix timestamp in seconds)
+        if (row.expiresAt) {
+            const expiresAtValue = (0, db_1.fromDbTimestamp)(row.expiresAt);
+            const expiresAtMs = expiresAtValue?.getTime() ?? Number.NaN;
+            if (expiresAtMs < Date.now()) {
+                this.logger.debug(`Service token ${row.id} has expired`);
+                return undefined;
+            }
+        }
+        return this.toRecord(row);
+    }
+    /**
+     * Find a token record by service type and service ID.
+     */
+    async findByService(serviceType, serviceId) {
+        const rows = await this.db.select()
+            .from(this.schema.serviceTokens)
+            .where((0, drizzle_orm_1.eq)(this.schema.serviceTokens.serviceType, serviceType));
+        const match = rows.find((r) => r.serviceId === serviceId);
+        return match ? this.toRecord(match) : undefined;
+    }
+    /**
+     * Delete a service token by ID.
+     */
+    async deleteToken(id) {
+        await this.db.delete(this.schema.serviceTokens).where((0, drizzle_orm_1.eq)(this.schema.serviceTokens.id, id));
+        this.logger.info(`Deleted service token ${id}`);
+    }
+    /**
+     * List all service tokens (without hashes).
+     */
+    async listTokens() {
+        const rows = await this.db.select({
+            id: this.schema.serviceTokens.id,
+            serviceType: this.schema.serviceTokens.serviceType,
+            serviceId: this.schema.serviceTokens.serviceId,
+            scopes: this.schema.serviceTokens.scopes,
+            createdAt: this.schema.serviceTokens.createdAt,
+            expiresAt: this.schema.serviceTokens.expiresAt,
+        }).from(this.schema.serviceTokens);
+        return rows.map((r) => this.toRecord(r));
+    }
+    hashToken(token) {
+        return (0, node_crypto_1.createHash)('sha256').update(token).digest('hex');
+    }
+    toRecord(row) {
+        let scopes;
+        try {
+            scopes = typeof row.scopes === 'string' ? JSON.parse(row.scopes) : row.scopes;
+        }
+        catch {
+            scopes = [];
+        }
+        return {
+            id: row.id,
+            serviceType: row.serviceType ?? row.service_type,
+            serviceId: row.serviceId ?? row.service_id,
+            scopes,
+            createdAt: (0, db_1.fromDbTimestamp)(row.createdAt ?? row.created_at) ?? new Date(0),
+            expiresAt: (0, db_1.fromDbTimestamp)(row.expiresAt ?? row.expires_at) ?? null,
+        };
+    }
+}
+exports.ServiceTokenRepository = ServiceTokenRepository;
+//# sourceMappingURL=ServiceTokenRepository.js.map

package/dist/identity/drizzle/ServiceTokenRepository.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ServiceTokenRepository.js","sourceRoot":"","sources":["../../../src/identity/drizzle/ServiceTokenRepository.ts"],"names":[],"mappings":";;;AAAA,6CAAqD;AACrD,6CAAiC;AACjC,iEAAqD;AAErD,6BAAiE;AAoBjE,MAAa,sBAAsB;IAIjC,YAAoC,EAAoB;QAApB,OAAE,GAAF,EAAE,CAAkB;QAHvC,WAAM,GAAG,IAAA,oCAAY,EAAC,IAAI,CAAC,CAAC;QAI3C,IAAI,CAAC,MAAM,GAAG,IAAA,cAAS,EAAC,EAAE,CAAC,CAAC;IAC9B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,WAAW,CAAC,OAAkC;QACzD,MAAM,EAAE,GAAG,IAAA,wBAAU,GAAE,CAAC;QACxB,MAAM,KAAK,GAAG,OAAO,IAAA,wBAAU,GAAE,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,EAAE,CAAC;QACtD,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAExC,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;YACrD,EAAE;YACF,SAAS;YACT,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC;YACtC,SAAS,EAAE,IAAA,kBAAa,EAAC,IAAI,CAAC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC;YAC7C,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,kBAAa,EAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI;SAChF,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,QAAQ,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;QAChG,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,CAAC;IACvB,CAAC;IAED;;;OAGG;IACI,KAAK,CAAC,aAAa,CACxB,KAAa,EACb,OAAkC;QAElC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAExC,mDAAmD;QACnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,aAAa,CAAC,OAAO,CAAC,WAAW,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC;QAClF,IAAI,QAAQ,EAAE,CAAC;YACb,4CAA4C;YAC5C,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;iBAC5C,GAAG,CAAC;gBACH,SAAS;gBACT,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC;gBACtC,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,kBAAa,EAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI;aAChF,CAAC;iBACD,KAAK,CAAC,IAAA,gBAAE,EAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YACxD,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,QAAQ,CAAC,EAAE,QAAQ,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;YACzG,OAAO,QAAQ,CAAC,EAAE,CAAC;QACrB,CAAC;QAED,MAAM,EAAE,GAAG,IAAA,wBAAU,GAAE,CAAC;QACxB,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,MAAM,CAAC;YACrD,EAAE;YACF,SAAS;YACT,WAAW,EAAE,OAAO,CAAC,WAAW;YAChC,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,MAAM,CAAC;YACtC,SAAS,EAAE,IAAA,kBAAa,EAAC,IAAI,CAAC,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC;YAC7C,SAAS,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,IAAA,kBAAa,EAAC,IAAI,CAAC,EAAE,EAAE,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI;SAChF,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,4BAA4B,EAAE,QAAQ,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC,CAAC;QACnG,OAAO,EAAE,CAAC;IACZ,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,WAAW,CAAC,KAAa;QACpC,MAAM,SAAS,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAExC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE;aAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;aAC/B,KAAK,CAAC,IAAA,gBAAE,EAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC,CAAC;QAE7D,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YAC/B,OAAO,SAAS,CAAC;QACnB,CAAC;QAED,MAAM,GAAG,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;QAEpB,4DAA4D;QAC5D,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,MAAM,cAAc,GAAG,IAAA,oBAAe,EAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACtD,MAAM,WAAW,GAAG,cAAc,EAAE,OAAO,EAAE,IAAI,MAAM,CAAC,GAAG,CAAC;YAC5D,IAAI,WAAW,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;gBAC7B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,GAAG,CAAC,EAAE,cAAc,CAAC,CAAC;gBACzD,OAAO,SAAS,CAAC;YACnB,CAAC;QACH,CAAC;QAED,OAAO,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IAC5B,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,aAAa,CAAC,WAAwB,EAAE,SAAiB;QACpE,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE;aAChC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC;aAC/B,KAAK,CAAC,IAAA,gBAAE,EAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,WAAW,EAAE,WAAW,CAAC,CAAC,CAAC;QAEjE,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,SAAS,CAAC,CAAC;QAC/D,OAAO,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAClD,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,WAAW,CAAC,EAAU;QACjC,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,KAAK,CAAC,IAAA,gBAAE,EAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC;QAC5F,IAAI,CAAC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,EAAE,CAAC,CAAC;IAClD,CAAC;IAED;;OAEG;IACI,KAAK,CAAC,UAAU;QACrB,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,EAAE,CAAC,MAAM,CAAC;YAChC,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,EAAE;YAChC,WAAW,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,WAAW;YAClD,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS;YAC9C,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM;YACxC,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS;YAC9C,SAAS,EAAE,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,SAAS;SAC/C,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;QAEnC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;IAChD,CAAC;IAEO,SAAS,CAAC,KAAa;QAC7B,OAAO,IAAA,wBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IAC1D,CAAC;IAEO,QAAQ,CAAC,GAAQ;QACvB,IAAI,MAAgB,CAAC;QACrB,IAAI,CAAC;YACH,MAAM,GAAG,OAAO,GAAG,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC;QAChF,CAAC;QAAC,MAAM,CAAC;YACP,MAAM,GAAG,EAAE,CAAC;QACd,CAAC;QAED,OAAO;YACL,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,WAAW,EAAE,GAAG,CAAC,WAAW,IAAI,GAAG,CAAC,YAAY;YAChD,SAAS,EAAE,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,UAAU;YAC1C,MAAM;YACN,SAAS,EAAE,IAAA,oBAAe,EAAC,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI,IAAI,CAAC,CAAC,CAAC;YAC1E,SAAS,EAAE,IAAA,oBAAe,EAAC,GAAG,CAAC,SAAS,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,IAAI;SACpE,CAAC;IACJ,CAAC;CACF;AA5JD,wDA4JC","sourcesContent":["import { randomUUID, createHash } from 'node:crypto';\nimport { eq } from 'drizzle-orm';\nimport { getLoggerFor } from 'global-logger-factory';\nimport type { IdentityDatabase } from './db';\nimport { getSchema, toDbTimestamp, fromDbTimestamp } from './db';\n\nexport type ServiceType = 'local' | 'business' | 'cloud' | 'compute';\n\nexport interface ServiceTokenRecord {\n  id: string;\n  serviceType: ServiceType;\n  serviceId: string;\n  scopes: string[];\n  createdAt: Date;\n  expiresAt: Date | null;\n}\n\nexport interface CreateServiceTokenOptions {\n  serviceType: ServiceType;\n  serviceId: string;\n  scopes: string[];\n  expiresAt?: Date | null;\n}\n\nexport class ServiceTokenRepository {\n  private readonly logger = getLoggerFor(this);\n  private readonly schema: ReturnType<typeof getSchema>;\n\n  public constructor(private readonly db: IdentityDatabase) {\n    this.schema = getSchema(db);\n  }\n\n  /**\n   * Create a new service token. Returns the plaintext token (only available at creation time).\n   */\n  public async createToken(options: CreateServiceTokenOptions): Promise<{ id: string; token: string }> {\n    const id = randomUUID();\n    const token = `svc-${randomUUID().replace(/-/g, '')}`;\n    const tokenHash = this.hashToken(token);\n\n    await this.db.insert(this.schema.serviceTokens).values({\n      id,\n      tokenHash,\n      serviceType: options.serviceType,\n      serviceId: options.serviceId,\n      scopes: JSON.stringify(options.scopes),\n      createdAt: toDbTimestamp(this.db, new Date()),\n      expiresAt: options.expiresAt ? toDbTimestamp(this.db, options.expiresAt) : null,\n    });\n\n    this.logger.info(`Created service token ${id} for ${options.serviceType}:${options.serviceId}`);\n    return { id, token };\n  }\n\n  /**\n   * Register a token from a known plaintext value (e.g. XPOD_BUSINESS_TOKEN env var).\n   * Upserts by serviceType + serviceId to avoid duplicates.\n   */\n  public async registerToken(\n    token: string,\n    options: CreateServiceTokenOptions,\n  ): Promise<string> {\n    const tokenHash = this.hashToken(token);\n\n    // Check if a token already exists for this service\n    const existing = await this.findByService(options.serviceType, options.serviceId);\n    if (existing) {\n      // Update the hash in case the token changed\n      await this.db.update(this.schema.serviceTokens)\n        .set({\n          tokenHash,\n          scopes: JSON.stringify(options.scopes),\n          expiresAt: options.expiresAt ? toDbTimestamp(this.db, options.expiresAt) : null,\n        })\n        .where(eq(this.schema.serviceTokens.id, existing.id));\n      this.logger.info(`Updated service token ${existing.id} for ${options.serviceType}:${options.serviceId}`);\n      return existing.id;\n    }\n\n    const id = randomUUID();\n    await this.db.insert(this.schema.serviceTokens).values({\n      id,\n      tokenHash,\n      serviceType: options.serviceType,\n      serviceId: options.serviceId,\n      scopes: JSON.stringify(options.scopes),\n      createdAt: toDbTimestamp(this.db, new Date()),\n      expiresAt: options.expiresAt ? toDbTimestamp(this.db, options.expiresAt) : null,\n    });\n\n    this.logger.info(`Registered service token ${id} for ${options.serviceType}:${options.serviceId}`);\n    return id;\n  }\n\n  /**\n   * Verify a plaintext token and return the matching record if valid.\n   */\n  public async verifyToken(token: string): Promise<ServiceTokenRecord | undefined> {\n    const tokenHash = this.hashToken(token);\n\n    const rows = await this.db.select()\n      .from(this.schema.serviceTokens)\n      .where(eq(this.schema.serviceTokens.tokenHash, tokenHash));\n\n    if (!rows || rows.length === 0) {\n      return undefined;\n    }\n\n    const row = rows[0];\n\n    // Check expiration (expiresAt is Unix timestamp in seconds)\n    if (row.expiresAt) {\n      const expiresAtValue = fromDbTimestamp(row.expiresAt);\n      const expiresAtMs = expiresAtValue?.getTime() ?? Number.NaN;\n      if (expiresAtMs < Date.now()) {\n        this.logger.debug(`Service token ${row.id} has expired`);\n        return undefined;\n      }\n    }\n\n    return this.toRecord(row);\n  }\n\n  /**\n   * Find a token record by service type and service ID.\n   */\n  public async findByService(serviceType: ServiceType, serviceId: string): Promise<ServiceTokenRecord | undefined> {\n    const rows = await this.db.select()\n      .from(this.schema.serviceTokens)\n      .where(eq(this.schema.serviceTokens.serviceType, serviceType));\n\n    const match = rows.find((r: any) => r.serviceId === serviceId);\n    return match ? this.toRecord(match) : undefined;\n  }\n\n  /**\n   * Delete a service token by ID.\n   */\n  public async deleteToken(id: string): Promise<void> {\n    await this.db.delete(this.schema.serviceTokens).where(eq(this.schema.serviceTokens.id, id));\n    this.logger.info(`Deleted service token ${id}`);\n  }\n\n  /**\n   * List all service tokens (without hashes).\n   */\n  public async listTokens(): Promise<ServiceTokenRecord[]> {\n    const rows = await this.db.select({\n      id: this.schema.serviceTokens.id,\n      serviceType: this.schema.serviceTokens.serviceType,\n      serviceId: this.schema.serviceTokens.serviceId,\n      scopes: this.schema.serviceTokens.scopes,\n      createdAt: this.schema.serviceTokens.createdAt,\n      expiresAt: this.schema.serviceTokens.expiresAt,\n    }).from(this.schema.serviceTokens);\n\n    return rows.map((r: any) => this.toRecord(r));\n  }\n\n  private hashToken(token: string): string {\n    return createHash('sha256').update(token).digest('hex');\n  }\n\n  private toRecord(row: any): ServiceTokenRecord {\n    let scopes: string[];\n    try {\n      scopes = typeof row.scopes === 'string' ? JSON.parse(row.scopes) : row.scopes;\n    } catch {\n      scopes = [];\n    }\n\n    return {\n      id: row.id,\n      serviceType: row.serviceType ?? row.service_type,\n      serviceId: row.serviceId ?? row.service_id,\n      scopes,\n      createdAt: fromDbTimestamp(row.createdAt ?? row.created_at) ?? new Date(0),\n      expiresAt: fromDbTimestamp(row.expiresAt ?? row.expires_at) ?? null,\n    };\n  }\n}\n"]}

package/dist/identity/drizzle/db.d.ts

@@ -3,6 +3,15 @@ import * as pgSchema from './schema.pg';
 import * as sqliteSchema from './schema.sqlite';
 export type IdentityDatabase = any;
 export type IdentitySchema = typeof pgSchema | typeof sqliteSchema;
+/**
+ * Get the appropriate schema for the given database connection.
+ * This provides a unified abstraction layer over PG and SQLite schemas.
+ *
+ * @example
+ * const schema = getSchema(db);
+ * await db.select().from(schema.accountUsage).where(eq(schema.accountUsage.accountId, id));
+ */
+export declare function getSchema(db: IdentityDatabase): typeof pgSchema | typeof sqliteSchema;
 /**
  * Standardized query result format across databases.
  */

package/dist/identity/drizzle/db.js

@@ -26,6 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.getSchema = getSchema;
 exports.isSqliteUrl = isSqliteUrl;
 exports.getIdentityDatabase = getIdentityDatabase;
 exports.getIdentitySchema = getIdentitySchema;
@@ -39,19 +40,55 @@ exports.fromDbTimestamp = fromDbTimestamp;
 const pg_1 = require("pg");
 const node_postgres_1 = require("drizzle-orm/node-postgres");
 const better_sqlite3_1 = require("drizzle-orm/better-sqlite3");
-const better_sqlite3_2 = __importDefault(require("better-sqlite3"));
 const pgSchema = __importStar(require("./schema.pg"));
 const sqliteSchema = __importStar(require("./schema.sqlite"));
 const node_path_1 = __importDefault(require("node:path"));
 const node_fs_1 = __importDefault(require("node:fs"));
 const PostgresPoolManager_1 = require("../../storage/database/PostgresPoolManager");
+/**
+ * Get the appropriate schema for the given database connection.
+ * This provides a unified abstraction layer over PG and SQLite schemas.
+ *
+ * @example
+ * const schema = getSchema(db);
+ * await db.select().from(schema.accountUsage).where(eq(schema.accountUsage.accountId, id));
+ */
+function getSchema(db) {
+    return isDatabaseSqlite(db) ? sqliteSchema : pgSchema;
+}
 const dbCache = new Map();
+const dbInitPromises = new WeakMap();
 const JSON_OIDS = [114, 3802];
 for (const oid of JSON_OIDS) {
     // Explicitly return raw string to avoid "Type Conflict" with CSS
     // and to satisfy PgQuintStore's parseVector expecting a string.
     pg_1.types.setTypeParser(oid, (value) => value);
 }
+function wrapBetterSqliteError(error) {
+    if (!(error instanceof Error)) {
+        return new Error(String(error));
+    }
+    if (!/NODE_MODULE_VERSION|compiled against a different Node\.js version/i.test(error.message)) {
+        return error;
+    }
+    return new Error([
+        `Failed to load better-sqlite3 under Node ${process.version} (ABI ${process.versions.modules}).`,
+        'This usually means native modules were installed with a different Node.js major version.',
+        'Suggested fix:',
+        '  1. nvm use 22',
+        '  2. yarn install --force --ignore-engines',
+        '',
+        `Original error: ${error.message}`,
+    ].join('\n'));
+}
+function loadBetterSqlite3() {
+    try {
+        return require('better-sqlite3');
+    }
+    catch (error) {
+        throw wrapBetterSqliteError(error);
+    }
+}
 /**
  * Returns true if the connection string is a SQLite URL.
  */
@@ -76,7 +113,8 @@ function getIdentityDatabase(connectionString) {
                 node_fs_1.default.mkdirSync(directory, { recursive: true });
             }
         }
-        const sqlite = new better_sqlite3_2.default(isMemory ? ':memory:' : filename);
+        const BetterSqlite3 = loadBetterSqlite3();
+        const sqlite = new BetterSqlite3(isMemory ? ':memory:' : filename);
         // Apply pragmas for better concurrency (prevents SQLITE_BUSY errors)
         // WAL mode allows concurrent reads during writes
         // busy_timeout waits up to 5 seconds before throwing SQLITE_BUSY
@@ -88,6 +126,7 @@ function getIdentityDatabase(connectionString) {
         const db = (0, better_sqlite3_1.drizzle)(sqlite);
         // Create tables if they don't exist
         ensureSqliteTables(sqlite);
+        dbInitPromises.set(db, Promise.resolve());
         dbCache.set(connectionString, {
             db,
             schema: sqliteSchema,
@@ -99,6 +138,14 @@ function getIdentityDatabase(connectionString) {
     // PostgreSQL: use shared pool to avoid connection exhaustion and deadlocks
     const pool = (0, PostgresPoolManager_1.getSharedPool)({ connectionString });
     const db = (0, node_postgres_1.drizzle)(pool);
+    const initPromise = (async () => {
+        await ensurePostgresTables(pool);
+        await migratePgColumns(pool);
+    })();
+    dbInitPromises.set(db, initPromise);
+    initPromise.catch((err) => {
+        console.error(`[IdentityDB] PG migration failed: ${err}`);
+    });
     dbCache.set(connectionString, {
         db,
         schema: pgSchema,
@@ -147,6 +194,12 @@ function isDatabaseSqlite(db) {
     // SQLite drizzle has `all` method, PostgreSQL drizzle has `execute` method
     return typeof db.all === 'function' && typeof db.execute !== 'function';
 }
+async function ensureDatabaseReady(db) {
+    const initPromise = dbInitPromises.get(db);
+    if (initPromise) {
+        await initPromise;
+    }
+}
 /**
  * Execute a SQL query uniformly across PostgreSQL and SQLite.
  * Returns a standardized result with rows array.
@@ -156,6 +209,7 @@ function isDatabaseSqlite(db) {
  * if (result.rows.length > 0) { ... }
  */
 async function executeQuery(db, query) {
+    await ensureDatabaseReady(db);
     if (isDatabaseSqlite(db)) {
         // SQLite: db.all() returns array directly
         const rows = db.all(query);
@@ -169,6 +223,7 @@ async function executeQuery(db, query) {
  * Works uniformly across PostgreSQL and SQLite.
  */
 async function executeStatement(db, query) {
+    await ensureDatabaseReady(db);
     if (isDatabaseSqlite(db)) {
         // SQLite: db.run() for statements
         db.run(query);
@@ -215,6 +270,11 @@ function ensureSqliteTables(sqlite) {
       egress_bytes INTEGER NOT NULL DEFAULT 0,
       storage_limit_bytes INTEGER,
       bandwidth_limit_bps INTEGER,
+      compute_seconds INTEGER NOT NULL DEFAULT 0,
+      tokens_used INTEGER NOT NULL DEFAULT 0,
+      compute_limit_seconds INTEGER,
+      token_limit_monthly INTEGER,
+      period_start INTEGER,
       updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))
     );
 
@@ -226,6 +286,11 @@ function ensureSqliteTables(sqlite) {
       egress_bytes INTEGER NOT NULL DEFAULT 0,
       storage_limit_bytes INTEGER,
       bandwidth_limit_bps INTEGER,
+      compute_seconds INTEGER NOT NULL DEFAULT 0,
+      tokens_used INTEGER NOT NULL DEFAULT 0,
+      compute_limit_seconds INTEGER,
+      token_limit_monthly INTEGER,
+      period_start INTEGER,
       updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))
     );
 
@@ -238,10 +303,16 @@ function ensureSqliteTables(sqlite) {
       node_type TEXT DEFAULT 'edge',
       subdomain TEXT UNIQUE,
       access_mode TEXT,
-      public_ip TEXT,
+      ipv4 TEXT,
       public_port INTEGER,
+      public_url TEXT,
+      service_token_hash TEXT,
+      provision_code_hash TEXT,
       internal_ip TEXT,
       internal_port INTEGER,
+      hostname TEXT,
+      ipv6 TEXT,
+      version TEXT,
       capabilities TEXT,
       metadata TEXT,
       connectivity_status TEXT DEFAULT 'unknown',
@@ -264,6 +335,167 @@ function ensureSqliteTables(sqlite) {
       display_name TEXT,
       created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))
     );
+
+    CREATE TABLE IF NOT EXISTS identity_service_token (
+      id TEXT PRIMARY KEY,
+      token_hash TEXT NOT NULL UNIQUE,
+      service_type TEXT NOT NULL,
+      service_id TEXT NOT NULL,
+      scopes TEXT NOT NULL,
+      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+      expires_at INTEGER
+    );
+  `);
+    // Migrate existing tables: add new columns if missing
+    migrateSqliteColumns(sqlite);
+}
+/**
+ * Add columns that may be missing from older databases.
+ * SQLite ALTER TABLE ADD COLUMN is idempotent-safe via try/catch.
+ */
+function migrateSqliteColumns(sqlite) {
+    const addColumn = (table, column, type) => {
+        try {
+            sqlite.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${type}`);
+        }
+        catch {
+            // Column already exists — ignore
+        }
+    };
+    addColumn('identity_edge_node', 'public_url', 'TEXT');
+    addColumn('identity_edge_node', 'service_token_hash', 'TEXT');
+    addColumn('identity_edge_node', 'provision_code_hash', 'TEXT');
+    // Usage tables: compute/token columns
+    addColumn('identity_account_usage', 'compute_seconds', 'INTEGER NOT NULL DEFAULT 0');
+    addColumn('identity_account_usage', 'tokens_used', 'INTEGER NOT NULL DEFAULT 0');
+    addColumn('identity_account_usage', 'compute_limit_seconds', 'INTEGER');
+    addColumn('identity_account_usage', 'token_limit_monthly', 'INTEGER');
+    addColumn('identity_account_usage', 'period_start', 'INTEGER');
+    addColumn('identity_pod_usage', 'compute_seconds', 'INTEGER NOT NULL DEFAULT 0');
+    addColumn('identity_pod_usage', 'tokens_used', 'INTEGER NOT NULL DEFAULT 0');
+    addColumn('identity_pod_usage', 'compute_limit_seconds', 'INTEGER');
+    addColumn('identity_pod_usage', 'token_limit_monthly', 'INTEGER');
+    addColumn('identity_pod_usage', 'period_start', 'INTEGER');
+}
+/**
+ * Add columns that may be missing from older PostgreSQL databases.
+ * Uses IF NOT EXISTS via information_schema check + ALTER TABLE.
+ */
+async function migratePgColumns(pool) {
+    const addColumn = async (table, column, type) => {
+        try {
+            await pool.query(`DO $$ BEGIN
+          IF NOT EXISTS (
+            SELECT 1 FROM information_schema.columns
+            WHERE table_name = '${table}' AND column_name = '${column}'
+          ) THEN
+            ALTER TABLE ${table} ADD COLUMN ${column} ${type};
+          END IF;
+        END $$;`);
+        }
+        catch {
+            // Ignore errors (table might not exist yet)
+        }
+    };
+    // Usage tables: compute/token columns
+    await addColumn('identity_account_usage', 'compute_seconds', 'BIGINT NOT NULL DEFAULT 0');
+    await addColumn('identity_account_usage', 'tokens_used', 'BIGINT NOT NULL DEFAULT 0');
+    await addColumn('identity_account_usage', 'compute_limit_seconds', 'BIGINT');
+    await addColumn('identity_account_usage', 'token_limit_monthly', 'BIGINT');
+    await addColumn('identity_account_usage', 'period_start', 'TIMESTAMP WITH TIME ZONE');
+    await addColumn('identity_pod_usage', 'compute_seconds', 'BIGINT NOT NULL DEFAULT 0');
+    await addColumn('identity_pod_usage', 'tokens_used', 'BIGINT NOT NULL DEFAULT 0');
+    await addColumn('identity_pod_usage', 'compute_limit_seconds', 'BIGINT');
+    await addColumn('identity_pod_usage', 'token_limit_monthly', 'BIGINT');
+    await addColumn('identity_pod_usage', 'period_start', 'TIMESTAMP WITH TIME ZONE');
+    // Service token table
+    try {
+        await pool.query(`
+      CREATE TABLE IF NOT EXISTS identity_service_token (
+        id TEXT PRIMARY KEY,
+        token_hash TEXT NOT NULL UNIQUE,
+        service_type TEXT NOT NULL,
+        service_id TEXT NOT NULL,
+        scopes TEXT NOT NULL,
+        created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+        expires_at TIMESTAMP WITH TIME ZONE
+      );
+    `);
+    }
+    catch {
+        // Ignore if already exists
+    }
+}
+async function ensurePostgresTables(pool) {
+    await pool.query(`
+    CREATE TABLE IF NOT EXISTS identity_account_usage (
+      account_id TEXT PRIMARY KEY,
+      storage_bytes BIGINT NOT NULL DEFAULT 0,
+      ingress_bytes BIGINT NOT NULL DEFAULT 0,
+      egress_bytes BIGINT NOT NULL DEFAULT 0,
+      storage_limit_bytes BIGINT,
+      bandwidth_limit_bps BIGINT,
+      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE TABLE IF NOT EXISTS identity_pod_usage (
+      pod_id TEXT PRIMARY KEY,
+      account_id TEXT NOT NULL,
+      storage_bytes BIGINT NOT NULL DEFAULT 0,
+      ingress_bytes BIGINT NOT NULL DEFAULT 0,
+      egress_bytes BIGINT NOT NULL DEFAULT 0,
+      storage_limit_bytes BIGINT,
+      bandwidth_limit_bps BIGINT,
+      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
+
+    CREATE TABLE IF NOT EXISTS identity_edge_node (
+      id TEXT PRIMARY KEY,
+      display_name TEXT,
+      owner_account_id TEXT,
+      token_hash TEXT NOT NULL,
+      account_id TEXT,
+      node_type TEXT DEFAULT 'edge',
+      subdomain TEXT UNIQUE,
+      access_mode TEXT,
+      public_ip TEXT,
+      public_port BIGINT,
+      public_url TEXT,
+      service_token_hash TEXT,
+      provision_code_hash TEXT,
+      internal_ip TEXT,
+      internal_port BIGINT,
+      capabilities JSONB,
+      metadata JSONB,
+      connectivity_status TEXT DEFAULT 'unknown',
+      last_connectivity_check TIMESTAMPTZ,
+      created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+      last_seen TIMESTAMPTZ
+    );
+
+    CREATE TABLE IF NOT EXISTS identity_edge_node_pod (
+      node_id TEXT NOT NULL REFERENCES identity_edge_node(id) ON DELETE CASCADE,
+      base_url TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS api_client_credentials (
+      client_id TEXT PRIMARY KEY,
+      client_secret_encrypted TEXT NOT NULL,
+      web_id TEXT NOT NULL,
+      account_id TEXT NOT NULL,
+      display_name TEXT,
+      created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+    );
   `);
+    await migratePostgresColumns(pool);
+}
+async function migratePostgresColumns(pool) {
+    const addColumn = async (table, column, type) => {
+        await pool.query(`ALTER TABLE ${table} ADD COLUMN IF NOT EXISTS ${column} ${type}`);
+    };
+    await addColumn('identity_edge_node', 'public_url', 'TEXT');
+    await addColumn('identity_edge_node', 'service_token_hash', 'TEXT');
+    await addColumn('identity_edge_node', 'provision_code_hash', 'TEXT');
 }
 //# sourceMappingURL=db.js.map

package/dist/identity/drizzle/db.js.map

@@ -1 +1 @@
-{"version":3,"file":"db.js","sourceRoot":"","sources":["../../../src/identity/drizzle/db.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4CA,kCAEC;AAMD,kDAqDC;AAKD,8CAQC;AAMD,wDAMC;AAED,kEAGC;AAOD,4CAGC;AAUD,oCAWC;AAMD,4CAWC;AAMD,sCAEC;AAMD,0CAcC;AAnND,2BAAiC;AACjC,6DAAiE;AACjE,+DAA6F;AAG7F,oEAAsC;AACtC,sDAAwC;AACxC,8DAAgD;AAChD,0DAA6B;AAC7B,sDAAyB;AACzB,oFAA8F;AAqB9F,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;AAEpD,MAAM,SAAS,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAE9B,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;IAC5B,iEAAiE;IACjE,gEAAgE;IAChE,UAAK,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CAAC,gBAAwB;IAClD,OAAO,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,gBAAwB;IAC1D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,EAAE,CAAC;IACnB,CAAC;IAED,IAAI,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,QAAQ,KAAK,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC5E,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,mBAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,SAAS,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3C,iBAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QACD,MAAM,MAAM,GAAG,IAAI,wBAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE9D,qEAAqE;QACrE,iDAAiD;QACjD,iEAAiE;QACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,EAAE,GAAG,IAAA,wBAAa,EAAC,MAAM,CAAC,CAAC;QAEjC,oCAAoC;QACpC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAE3B,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE;YAC5B,EAAE;YACF,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,KAAK,IAAI,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,2EAA2E;IAC3E,MAAM,IAAI,GAAG,IAAA,mCAAa,EAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACjD,MAAM,EAAE,GAAG,IAAA,uBAAS,EAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE;QAC5B,EAAE;QACF,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,wDAAwD;YACxD,IAAA,uCAAiB,EAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,gBAAwB;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,0CAA0C;IAC1C,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IACtC,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,gBAAwB;IAC7D,IAAI,CAAC;QACH,OAAO,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,gBAAgB,CAAC,EAAoB;IACnD,2EAA2E;IAC3E,OAAO,OAAO,EAAE,CAAC,GAAG,KAAK,UAAU,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,UAAU,CAAC;AAC1E,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,YAAY,CAChC,EAAoB,EACpB,KAAU;IAEV,IAAI,gBAAgB,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,0CAA0C;QAC1C,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAQ,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IACD,mDAAmD;IACnD,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAA4B,CAAC;AACtD,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,KAAU;IAEV,IAAI,gBAAgB,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,kCAAkC;QAClC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACd,OAAO;IACT,CAAC;IACD,oDAAoD;IACpD,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,EAAoB,EAAE,IAAU;IAC5D,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAyB;IACnD,MAAM,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyDX,CAAC,CAAC;AACL,CAAC","sourcesContent":["import { Pool, types } from 'pg';\nimport { drizzle as drizzlePg } from 'drizzle-orm/node-postgres';\nimport { drizzle as drizzleSqlite, BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';\nimport { NodePgDatabase } from 'drizzle-orm/node-postgres';\nimport type { SQL } from 'drizzle-orm/sql';\nimport Database from 'better-sqlite3';\nimport * as pgSchema from './schema.pg';\nimport * as sqliteSchema from './schema.sqlite';\nimport path from 'node:path';\nimport fs from 'node:fs';\nimport { getSharedPool, releaseSharedPool } from '../../storage/database/PostgresPoolManager';\n\n// Use 'any' to allow both PostgreSQL and SQLite database instances\n// The actual type depends on the connection string at runtime\nexport type IdentityDatabase = any;\nexport type IdentitySchema = typeof pgSchema | typeof sqliteSchema;\n\n/**\n * Standardized query result format across databases.\n */\nexport interface QueryResult<T = Record<string, unknown>> {\n  rows: T[];\n}\n\ninterface CachedConnection {\n  db: IdentityDatabase;\n  schema: IdentitySchema;\n  isSqlite: boolean;\n  close: () => Promise<void>;\n}\n\nconst dbCache = new Map<string, CachedConnection>();\n\nconst JSON_OIDS = [114, 3802];\n\nfor (const oid of JSON_OIDS) {\n  // Explicitly return raw string to avoid \"Type Conflict\" with CSS\n  // and to satisfy PgQuintStore's parseVector expecting a string.\n  types.setTypeParser(oid, (value) => value);\n}\n\n/**\n * Returns true if the connection string is a SQLite URL.\n */\nexport function isSqliteUrl(connectionString: string): boolean {\n  return connectionString.startsWith('sqlite:');\n}\n\n/**\n * Get or create a Drizzle database connection with the appropriate schema.\n * Supports both PostgreSQL and SQLite.\n */\nexport function getIdentityDatabase(connectionString: string): IdentityDatabase {\n  const cached = dbCache.get(connectionString);\n  if (cached) {\n    return cached.db;\n  }\n\n  if (isSqliteUrl(connectionString)) {\n    const filename = connectionString.replace('sqlite:', '');\n    const isMemory = filename === ':memory:' || filename.startsWith(':memory:');\n    if (!isMemory) {\n      const directory = path.dirname(filename);\n      if (directory && !fs.existsSync(directory)) {\n        fs.mkdirSync(directory, { recursive: true });\n      }\n    }\n    const sqlite = new Database(isMemory ? ':memory:' : filename);\n\n    // Apply pragmas for better concurrency (prevents SQLITE_BUSY errors)\n    // WAL mode allows concurrent reads during writes\n    // busy_timeout waits up to 5 seconds before throwing SQLITE_BUSY\n    if (!isMemory) {\n      sqlite.pragma('journal_mode = WAL');\n      sqlite.pragma('busy_timeout = 5000');\n      sqlite.pragma('synchronous = NORMAL');\n    }\n\n    const db = drizzleSqlite(sqlite);\n\n    // Create tables if they don't exist\n    ensureSqliteTables(sqlite);\n\n    dbCache.set(connectionString, {\n      db,\n      schema: sqliteSchema,\n      isSqlite: true,\n      close: async () => { sqlite.close(); },\n    });\n    return db;\n  }\n\n  // PostgreSQL: use shared pool to avoid connection exhaustion and deadlocks\n  const pool = getSharedPool({ connectionString });\n  const db = drizzlePg(pool);\n  dbCache.set(connectionString, {\n    db,\n    schema: pgSchema,\n    isSqlite: false,\n    close: async () => { \n      // Release reference to shared pool instead of ending it\n      releaseSharedPool({ connectionString }); \n    },\n  });\n  return db;\n}\n\n/**\n * Get the schema for a given connection string.\n */\nexport function getIdentitySchema(connectionString: string): IdentitySchema {\n  const cached = dbCache.get(connectionString);\n  if (cached) {\n    return cached.schema;\n  }\n  // Initialize connection to populate cache\n  getIdentityDatabase(connectionString);\n  return dbCache.get(connectionString)!.schema;\n}\n\n/**\n * Safely get a Drizzle database connection, returning undefined on error.\n * Use this when the identity database is optional (e.g., for usage tracking).\n */\nexport function tryGetIdentityDatabase(connectionString: string): IdentityDatabase | undefined {\n  try {\n    return getIdentityDatabase(connectionString);\n  } catch {\n    return undefined;\n  }\n}\n\nexport async function closeAllIdentityConnections(): Promise<void> {\n  await Promise.all([...dbCache.values()].map(({ close }) => close()));\n  dbCache.clear();\n}\n\n/**\n * Check if a database connection is SQLite.\n * SQLite drizzle has `all()` method but no `execute()` method.\n * PostgreSQL drizzle has `execute()` method but no `all()` method.\n */\nexport function isDatabaseSqlite(db: IdentityDatabase): boolean {\n  // SQLite drizzle has `all` method, PostgreSQL drizzle has `execute` method\n  return typeof db.all === 'function' && typeof db.execute !== 'function';\n}\n\n/**\n * Execute a SQL query uniformly across PostgreSQL and SQLite.\n * Returns a standardized result with rows array.\n *\n * @example\n * const result = await executeQuery(db, sql`SELECT * FROM users WHERE id = ${userId}`);\n * if (result.rows.length > 0) { ... }\n */\nexport async function executeQuery<T = Record<string, unknown>>(\n  db: IdentityDatabase,\n  query: SQL,\n): Promise<QueryResult<T>> {\n  if (isDatabaseSqlite(db)) {\n    // SQLite: db.all() returns array directly\n    const rows = db.all(query) as T[];\n    return { rows };\n  }\n  // PostgreSQL: db.execute() returns { rows: [...] }\n  return db.execute(query) as Promise<QueryResult<T>>;\n}\n\n/**\n * Execute a SQL statement that doesn't return rows (INSERT, UPDATE, DELETE).\n * Works uniformly across PostgreSQL and SQLite.\n */\nexport async function executeStatement(\n  db: IdentityDatabase,\n  query: SQL,\n): Promise<void> {\n  if (isDatabaseSqlite(db)) {\n    // SQLite: db.run() for statements\n    db.run(query);\n    return;\n  }\n  // PostgreSQL: db.execute() works for statements too\n  await db.execute(query);\n}\n\n/**\n * Convert a Date to a value suitable for the database.\n * SQLite uses Unix timestamps (seconds), PostgreSQL uses Date objects.\n */\nexport function toDbTimestamp(db: IdentityDatabase, date: Date): number | Date {\n  return isDatabaseSqlite(db) ? Math.floor(date.getTime() / 1000) : date;\n}\n\n/**\n * Parse a timestamp value from database result to Date.\n * Handles both Unix timestamps (SQLite) and Date objects (PostgreSQL).\n */\nexport function fromDbTimestamp(value: unknown): Date | undefined {\n  if (value === null || value === undefined) {\n    return undefined;\n  }\n  if (value instanceof Date) {\n    return value;\n  }\n  if (typeof value === 'number') {\n    return new Date(value * 1000);\n  }\n  if (typeof value === 'string') {\n    return new Date(value);\n  }\n  return undefined;\n}\n\n/**\n * Ensure SQLite tables exist (simple DDL for local/dev mode).\n */\nfunction ensureSqliteTables(sqlite: Database.Database): void {\n  sqlite.exec(`\n    CREATE TABLE IF NOT EXISTS identity_account_usage (\n      account_id TEXT PRIMARY KEY,\n      storage_bytes INTEGER NOT NULL DEFAULT 0,\n      ingress_bytes INTEGER NOT NULL DEFAULT 0,\n      egress_bytes INTEGER NOT NULL DEFAULT 0,\n      storage_limit_bytes INTEGER,\n      bandwidth_limit_bps INTEGER,\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_pod_usage (\n      pod_id TEXT PRIMARY KEY,\n      account_id TEXT NOT NULL,\n      storage_bytes INTEGER NOT NULL DEFAULT 0,\n      ingress_bytes INTEGER NOT NULL DEFAULT 0,\n      egress_bytes INTEGER NOT NULL DEFAULT 0,\n      storage_limit_bytes INTEGER,\n      bandwidth_limit_bps INTEGER,\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node (\n      id TEXT PRIMARY KEY,\n      display_name TEXT,\n      owner_account_id TEXT,\n      token_hash TEXT NOT NULL,\n      account_id TEXT,\n      node_type TEXT DEFAULT 'edge',\n      subdomain TEXT UNIQUE,\n      access_mode TEXT,\n      public_ip TEXT,\n      public_port INTEGER,\n      internal_ip TEXT,\n      internal_port INTEGER,\n      capabilities TEXT,\n      metadata TEXT,\n      connectivity_status TEXT DEFAULT 'unknown',\n      last_connectivity_check INTEGER,\n      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n      last_seen INTEGER\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node_pod (\n      node_id TEXT NOT NULL REFERENCES identity_edge_node(id) ON DELETE CASCADE,\n      base_url TEXT NOT NULL\n    );\n\n    CREATE TABLE IF NOT EXISTS api_client_credentials (\n      client_id TEXT PRIMARY KEY,\n      client_secret_encrypted TEXT NOT NULL,\n      web_id TEXT NOT NULL,\n      account_id TEXT NOT NULL,\n      display_name TEXT,\n      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n  `);\n}\n"]}
+{"version":3,"file":"db.js","sourceRoot":"","sources":["../../../src/identity/drizzle/db.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,8BAEC;AA4DD,kCAEC;AAMD,kDA+DC;AAKD,8CAQC;AAMD,wDAMC;AAED,kEAGC;AAOD,4CAGC;AAiBD,oCAYC;AAMD,4CAYC;AAMD,sCAEC;AAMD,0CAcC;AAhRD,2BAAiC;AACjC,6DAAiE;AACjE,+DAA6F;AAG7F,sDAAwC;AACxC,8DAAgD;AAChD,0DAA6B;AAC7B,sDAAyB;AACzB,oFAA8F;AAO9F;;;;;;;GAOG;AACH,SAAgB,SAAS,CAAC,EAAoB;IAC5C,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC;AACxD,CAAC;AAgBD,MAAM,OAAO,GAAG,IAAI,GAAG,EAA4B,CAAC;AACpD,MAAM,cAAc,GAAG,IAAI,OAAO,EAAyB,CAAC;AAE5D,MAAM,SAAS,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;AAI9B,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;IAC5B,iEAAiE;IACjE,gEAAgE;IAChE,UAAK,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,CAAC;AAC7C,CAAC;AAED,SAAS,qBAAqB,CAAC,KAAc;IAC3C,IAAI,CAAC,CAAC,KAAK,YAAY,KAAK,CAAC,EAAE,CAAC;QAC9B,OAAO,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;IAClC,CAAC;IAED,IAAI,CAAC,oEAAoE,CAAC,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC9F,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,KAAK,CAAC;QACf,4CAA4C,OAAO,CAAC,OAAO,SAAS,OAAO,CAAC,QAAQ,CAAC,OAAO,IAAI;QAChG,0FAA0F;QAC1F,gBAAgB;QAChB,iBAAiB;QACjB,4CAA4C;QAC5C,EAAE;QACF,mBAAmB,KAAK,CAAC,OAAO,EAAE;KACnC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AAChB,CAAC;AAED,SAAS,iBAAiB;IACxB,IAAI,CAAC;QACH,OAAO,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACnC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,MAAM,qBAAqB,CAAC,KAAK,CAAC,CAAC;IACrC,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAgB,WAAW,CAAC,gBAAwB;IAClD,OAAO,gBAAgB,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC;AAChD,CAAC;AAED;;;GAGG;AACH,SAAgB,mBAAmB,CAAC,gBAAwB;IAC1D,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,EAAE,CAAC;IACnB,CAAC;IAED,IAAI,WAAW,CAAC,gBAAgB,CAAC,EAAE,CAAC;QAClC,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,QAAQ,KAAK,UAAU,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC;QAC5E,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,SAAS,GAAG,mBAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YACzC,IAAI,SAAS,IAAI,CAAC,iBAAE,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBAC3C,iBAAE,CAAC,SAAS,CAAC,SAAS,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC/C,CAAC;QACH,CAAC;QACD,MAAM,aAAa,GAAG,iBAAiB,EAAE,CAAC;QAC1C,MAAM,MAAM,GAAG,IAAI,aAAa,CAAC,QAAQ,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAEnE,qEAAqE;QACrE,iDAAiD;QACjD,iEAAiE;QACjE,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;YACpC,MAAM,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAAC;YACrC,MAAM,CAAC,MAAM,CAAC,sBAAsB,CAAC,CAAC;QACxC,CAAC;QAED,MAAM,EAAE,GAAG,IAAA,wBAAa,EAAC,MAAM,CAAC,CAAC;QAEjC,oCAAoC;QACpC,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAE3B,cAAc,CAAC,GAAG,CAAC,EAAY,EAAE,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE;YAC5B,EAAE;YACF,MAAM,EAAE,YAAY;YACpB,QAAQ,EAAE,IAAI;YACd,KAAK,EAAE,KAAK,IAAI,EAAE,GAAG,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;SACvC,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,2EAA2E;IAC3E,MAAM,IAAI,GAAG,IAAA,mCAAa,EAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC;IACjD,MAAM,EAAE,GAAG,IAAA,uBAAS,EAAC,IAAI,CAAC,CAAC;IAC3B,MAAM,WAAW,GAAG,CAAC,KAAK,IAAkB,EAAE;QAC5C,MAAM,oBAAoB,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;IAC/B,CAAC,CAAC,EAAE,CAAC;IACL,cAAc,CAAC,GAAG,CAAC,EAAY,EAAE,WAAW,CAAC,CAAC;IAC9C,WAAW,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;QACxB,OAAO,CAAC,KAAK,CAAC,qCAAqC,GAAG,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;IACH,OAAO,CAAC,GAAG,CAAC,gBAAgB,EAAE;QAC5B,EAAE;QACF,MAAM,EAAE,QAAQ;QAChB,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,KAAK,IAAI,EAAE;YAChB,wDAAwD;YACxD,IAAA,uCAAiB,EAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC1C,CAAC;KACF,CAAC,CAAC;IACH,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;GAEG;AACH,SAAgB,iBAAiB,CAAC,gBAAwB;IACxD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC,CAAC;IAC7C,IAAI,MAAM,EAAE,CAAC;QACX,OAAO,MAAM,CAAC,MAAM,CAAC;IACvB,CAAC;IACD,0CAA0C;IAC1C,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IACtC,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAE,CAAC,MAAM,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,SAAgB,sBAAsB,CAAC,gBAAwB;IAC7D,IAAI,CAAC;QACH,OAAO,mBAAmB,CAAC,gBAAgB,CAAC,CAAC;IAC/C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,2BAA2B;IAC/C,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACrE,OAAO,CAAC,KAAK,EAAE,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,gBAAgB,CAAC,EAAoB;IACnD,2EAA2E;IAC3E,OAAO,OAAO,EAAE,CAAC,GAAG,KAAK,UAAU,IAAI,OAAO,EAAE,CAAC,OAAO,KAAK,UAAU,CAAC;AAC1E,CAAC;AAED,KAAK,UAAU,mBAAmB,CAAC,EAAoB;IACrD,MAAM,WAAW,GAAG,cAAc,CAAC,GAAG,CAAC,EAAY,CAAC,CAAC;IACrD,IAAI,WAAW,EAAE,CAAC;QAChB,MAAM,WAAW,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACI,KAAK,UAAU,YAAY,CAChC,EAAoB,EACpB,KAAU;IAEV,MAAM,mBAAmB,CAAC,EAAE,CAAC,CAAC;IAC9B,IAAI,gBAAgB,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,0CAA0C;QAC1C,MAAM,IAAI,GAAG,EAAE,CAAC,GAAG,CAAC,KAAK,CAAQ,CAAC;QAClC,OAAO,EAAE,IAAI,EAAE,CAAC;IAClB,CAAC;IACD,mDAAmD;IACnD,OAAO,EAAE,CAAC,OAAO,CAAC,KAAK,CAA4B,CAAC;AACtD,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,gBAAgB,CACpC,EAAoB,EACpB,KAAU;IAEV,MAAM,mBAAmB,CAAC,EAAE,CAAC,CAAC;IAC9B,IAAI,gBAAgB,CAAC,EAAE,CAAC,EAAE,CAAC;QACzB,kCAAkC;QAClC,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACd,OAAO;IACT,CAAC;IACD,oDAAoD;IACpD,MAAM,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;AAC1B,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,EAAoB,EAAE,IAAU;IAC5D,OAAO,gBAAgB,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;AACzE,CAAC;AAED;;;GAGG;AACH,SAAgB,eAAe,CAAC,KAAc;IAC5C,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK,SAAS,EAAE,CAAC;QAC1C,OAAO,SAAS,CAAC;IACnB,CAAC;IACD,IAAI,KAAK,YAAY,IAAI,EAAE,CAAC;QAC1B,OAAO,KAAK,CAAC;IACf,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC;IACzB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,MAAyB;IACnD,MAAM,CAAC,IAAI,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmFX,CAAC,CAAC;IAEH,sDAAsD;IACtD,oBAAoB,CAAC,MAAM,CAAC,CAAC;AAC/B,CAAC;AAED;;;GAGG;AACH,SAAS,oBAAoB,CAAC,MAAyB;IACrD,MAAM,SAAS,GAAG,CAAC,KAAa,EAAE,MAAc,EAAE,IAAY,EAAQ,EAAE;QACtE,IAAI,CAAC;YACH,MAAM,CAAC,IAAI,CAAC,eAAe,KAAK,eAAe,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;QACnE,CAAC;QAAC,MAAM,CAAC;YACP,iCAAiC;QACnC,CAAC;IACH,CAAC,CAAC;IAEF,SAAS,CAAC,oBAAoB,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IACtD,SAAS,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;IAC9D,SAAS,CAAC,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,CAAC,CAAC;IAE/D,sCAAsC;IACtC,SAAS,CAAC,wBAAwB,EAAE,iBAAiB,EAAE,4BAA4B,CAAC,CAAC;IACrF,SAAS,CAAC,wBAAwB,EAAE,aAAa,EAAE,4BAA4B,CAAC,CAAC;IACjF,SAAS,CAAC,wBAAwB,EAAE,uBAAuB,EAAE,SAAS,CAAC,CAAC;IACxE,SAAS,CAAC,wBAAwB,EAAE,qBAAqB,EAAE,SAAS,CAAC,CAAC;IACtE,SAAS,CAAC,wBAAwB,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;IAC/D,SAAS,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,4BAA4B,CAAC,CAAC;IACjF,SAAS,CAAC,oBAAoB,EAAE,aAAa,EAAE,4BAA4B,CAAC,CAAC;IAC7E,SAAS,CAAC,oBAAoB,EAAE,uBAAuB,EAAE,SAAS,CAAC,CAAC;IACpE,SAAS,CAAC,oBAAoB,EAAE,qBAAqB,EAAE,SAAS,CAAC,CAAC;IAClE,SAAS,CAAC,oBAAoB,EAAE,cAAc,EAAE,SAAS,CAAC,CAAC;AAC7D,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,gBAAgB,CAAC,IAA8C;IAC5E,MAAM,SAAS,GAAG,KAAK,EAAE,KAAa,EAAE,MAAc,EAAE,IAAY,EAAiB,EAAE;QACrF,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,KAAK,CACd;;;kCAG0B,KAAK,wBAAwB,MAAM;;0BAE3C,KAAK,eAAe,MAAM,IAAI,IAAI;;gBAE5C,CACT,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,4CAA4C;QAC9C,CAAC;IACH,CAAC,CAAC;IAEF,sCAAsC;IACtC,MAAM,SAAS,CAAC,wBAAwB,EAAE,iBAAiB,EAAE,2BAA2B,CAAC,CAAC;IAC1F,MAAM,SAAS,CAAC,wBAAwB,EAAE,aAAa,EAAE,2BAA2B,CAAC,CAAC;IACtF,MAAM,SAAS,CAAC,wBAAwB,EAAE,uBAAuB,EAAE,QAAQ,CAAC,CAAC;IAC7E,MAAM,SAAS,CAAC,wBAAwB,EAAE,qBAAqB,EAAE,QAAQ,CAAC,CAAC;IAC3E,MAAM,SAAS,CAAC,wBAAwB,EAAE,cAAc,EAAE,0BAA0B,CAAC,CAAC;IACtF,MAAM,SAAS,CAAC,oBAAoB,EAAE,iBAAiB,EAAE,2BAA2B,CAAC,CAAC;IACtF,MAAM,SAAS,CAAC,oBAAoB,EAAE,aAAa,EAAE,2BAA2B,CAAC,CAAC;IAClF,MAAM,SAAS,CAAC,oBAAoB,EAAE,uBAAuB,EAAE,QAAQ,CAAC,CAAC;IACzE,MAAM,SAAS,CAAC,oBAAoB,EAAE,qBAAqB,EAAE,QAAQ,CAAC,CAAC;IACvE,MAAM,SAAS,CAAC,oBAAoB,EAAE,cAAc,EAAE,0BAA0B,CAAC,CAAC;IAElF,sBAAsB;IACtB,IAAI,CAAC;QACH,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;;;;;KAUhB,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,2BAA2B;IAC7B,CAAC;AACH,CAAC;AAGD,KAAK,UAAU,oBAAoB,CAAC,IAAU;IAC5C,MAAM,IAAI,CAAC,KAAK,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4DhB,CAAC,CAAC;IAEH,MAAM,sBAAsB,CAAC,IAAI,CAAC,CAAC;AACrC,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,IAAU;IAC9C,MAAM,SAAS,GAAG,KAAK,EAAE,KAAa,EAAE,MAAc,EAAE,IAAY,EAAiB,EAAE;QACrF,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,KAAK,6BAA6B,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IACtF,CAAC,CAAC;IAEF,MAAM,SAAS,CAAC,oBAAoB,EAAE,YAAY,EAAE,MAAM,CAAC,CAAC;IAC5D,MAAM,SAAS,CAAC,oBAAoB,EAAE,oBAAoB,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,SAAS,CAAC,oBAAoB,EAAE,qBAAqB,EAAE,MAAM,CAAC,CAAC;AACvE,CAAC","sourcesContent":["import { Pool, types } from 'pg';\nimport { drizzle as drizzlePg } from 'drizzle-orm/node-postgres';\nimport { drizzle as drizzleSqlite, BetterSQLite3Database } from 'drizzle-orm/better-sqlite3';\nimport { NodePgDatabase } from 'drizzle-orm/node-postgres';\nimport type { SQL } from 'drizzle-orm/sql';\nimport * as pgSchema from './schema.pg';\nimport * as sqliteSchema from './schema.sqlite';\nimport path from 'node:path';\nimport fs from 'node:fs';\nimport { getSharedPool, releaseSharedPool } from '../../storage/database/PostgresPoolManager';\n\n// Use 'any' to allow both PostgreSQL and SQLite database instances\n// The actual type depends on the connection string at runtime\nexport type IdentityDatabase = any;\nexport type IdentitySchema = typeof pgSchema | typeof sqliteSchema;\n\n/**\n * Get the appropriate schema for the given database connection.\n * This provides a unified abstraction layer over PG and SQLite schemas.\n *\n * @example\n * const schema = getSchema(db);\n * await db.select().from(schema.accountUsage).where(eq(schema.accountUsage.accountId, id));\n */\nexport function getSchema(db: IdentityDatabase): typeof pgSchema | typeof sqliteSchema {\n  return isDatabaseSqlite(db) ? sqliteSchema : pgSchema;\n}\n\n/**\n * Standardized query result format across databases.\n */\nexport interface QueryResult<T = Record<string, unknown>> {\n  rows: T[];\n}\n\ninterface CachedConnection {\n  db: IdentityDatabase;\n  schema: IdentitySchema;\n  isSqlite: boolean;\n  close: () => Promise<void>;\n}\n\nconst dbCache = new Map<string, CachedConnection>();\nconst dbInitPromises = new WeakMap<object, Promise<void>>();\n\nconst JSON_OIDS = [114, 3802];\n\ntype SqliteDdlExecutor = { exec: (sql: string) => unknown };\n\nfor (const oid of JSON_OIDS) {\n  // Explicitly return raw string to avoid \"Type Conflict\" with CSS\n  // and to satisfy PgQuintStore's parseVector expecting a string.\n  types.setTypeParser(oid, (value) => value);\n}\n\nfunction wrapBetterSqliteError(error: unknown): Error {\n  if (!(error instanceof Error)) {\n    return new Error(String(error));\n  }\n\n  if (!/NODE_MODULE_VERSION|compiled against a different Node\\.js version/i.test(error.message)) {\n    return error;\n  }\n\n  return new Error([\n    `Failed to load better-sqlite3 under Node ${process.version} (ABI ${process.versions.modules}).`,\n    'This usually means native modules were installed with a different Node.js major version.',\n    'Suggested fix:',\n    '  1. nvm use 22',\n    '  2. yarn install --force --ignore-engines',\n    '',\n    `Original error: ${error.message}`,\n  ].join('\\n'));\n}\n\nfunction loadBetterSqlite3(): any {\n  try {\n    return require('better-sqlite3');\n  } catch (error) {\n    throw wrapBetterSqliteError(error);\n  }\n}\n\n/**\n * Returns true if the connection string is a SQLite URL.\n */\nexport function isSqliteUrl(connectionString: string): boolean {\n  return connectionString.startsWith('sqlite:');\n}\n\n/**\n * Get or create a Drizzle database connection with the appropriate schema.\n * Supports both PostgreSQL and SQLite.\n */\nexport function getIdentityDatabase(connectionString: string): IdentityDatabase {\n  const cached = dbCache.get(connectionString);\n  if (cached) {\n    return cached.db;\n  }\n\n  if (isSqliteUrl(connectionString)) {\n    const filename = connectionString.replace('sqlite:', '');\n    const isMemory = filename === ':memory:' || filename.startsWith(':memory:');\n    if (!isMemory) {\n      const directory = path.dirname(filename);\n      if (directory && !fs.existsSync(directory)) {\n        fs.mkdirSync(directory, { recursive: true });\n      }\n    }\n    const BetterSqlite3 = loadBetterSqlite3();\n    const sqlite = new BetterSqlite3(isMemory ? ':memory:' : filename);\n\n    // Apply pragmas for better concurrency (prevents SQLITE_BUSY errors)\n    // WAL mode allows concurrent reads during writes\n    // busy_timeout waits up to 5 seconds before throwing SQLITE_BUSY\n    if (!isMemory) {\n      sqlite.pragma('journal_mode = WAL');\n      sqlite.pragma('busy_timeout = 5000');\n      sqlite.pragma('synchronous = NORMAL');\n    }\n\n    const db = drizzleSqlite(sqlite);\n\n    // Create tables if they don't exist\n    ensureSqliteTables(sqlite);\n\n    dbInitPromises.set(db as object, Promise.resolve());\n    dbCache.set(connectionString, {\n      db,\n      schema: sqliteSchema,\n      isSqlite: true,\n      close: async () => { sqlite.close(); },\n    });\n    return db;\n  }\n\n  // PostgreSQL: use shared pool to avoid connection exhaustion and deadlocks\n  const pool = getSharedPool({ connectionString });\n  const db = drizzlePg(pool);\n  const initPromise = (async(): Promise<void> => {\n    await ensurePostgresTables(pool);\n    await migratePgColumns(pool);\n  })();\n  dbInitPromises.set(db as object, initPromise);\n  initPromise.catch((err) => {\n    console.error(`[IdentityDB] PG migration failed: ${err}`);\n  });\n  dbCache.set(connectionString, {\n    db,\n    schema: pgSchema,\n    isSqlite: false,\n    close: async () => { \n      // Release reference to shared pool instead of ending it\n      releaseSharedPool({ connectionString }); \n    },\n  });\n  return db;\n}\n\n/**\n * Get the schema for a given connection string.\n */\nexport function getIdentitySchema(connectionString: string): IdentitySchema {\n  const cached = dbCache.get(connectionString);\n  if (cached) {\n    return cached.schema;\n  }\n  // Initialize connection to populate cache\n  getIdentityDatabase(connectionString);\n  return dbCache.get(connectionString)!.schema;\n}\n\n/**\n * Safely get a Drizzle database connection, returning undefined on error.\n * Use this when the identity database is optional (e.g., for usage tracking).\n */\nexport function tryGetIdentityDatabase(connectionString: string): IdentityDatabase | undefined {\n  try {\n    return getIdentityDatabase(connectionString);\n  } catch {\n    return undefined;\n  }\n}\n\nexport async function closeAllIdentityConnections(): Promise<void> {\n  await Promise.all([...dbCache.values()].map(({ close }) => close()));\n  dbCache.clear();\n}\n\n/**\n * Check if a database connection is SQLite.\n * SQLite drizzle has `all()` method but no `execute()` method.\n * PostgreSQL drizzle has `execute()` method but no `all()` method.\n */\nexport function isDatabaseSqlite(db: IdentityDatabase): boolean {\n  // SQLite drizzle has `all` method, PostgreSQL drizzle has `execute` method\n  return typeof db.all === 'function' && typeof db.execute !== 'function';\n}\n\nasync function ensureDatabaseReady(db: IdentityDatabase): Promise<void> {\n  const initPromise = dbInitPromises.get(db as object);\n  if (initPromise) {\n    await initPromise;\n  }\n}\n\n/**\n * Execute a SQL query uniformly across PostgreSQL and SQLite.\n * Returns a standardized result with rows array.\n *\n * @example\n * const result = await executeQuery(db, sql`SELECT * FROM users WHERE id = ${userId}`);\n * if (result.rows.length > 0) { ... }\n */\nexport async function executeQuery<T = Record<string, unknown>>(\n  db: IdentityDatabase,\n  query: SQL,\n): Promise<QueryResult<T>> {\n  await ensureDatabaseReady(db);\n  if (isDatabaseSqlite(db)) {\n    // SQLite: db.all() returns array directly\n    const rows = db.all(query) as T[];\n    return { rows };\n  }\n  // PostgreSQL: db.execute() returns { rows: [...] }\n  return db.execute(query) as Promise<QueryResult<T>>;\n}\n\n/**\n * Execute a SQL statement that doesn't return rows (INSERT, UPDATE, DELETE).\n * Works uniformly across PostgreSQL and SQLite.\n */\nexport async function executeStatement(\n  db: IdentityDatabase,\n  query: SQL,\n): Promise<void> {\n  await ensureDatabaseReady(db);\n  if (isDatabaseSqlite(db)) {\n    // SQLite: db.run() for statements\n    db.run(query);\n    return;\n  }\n  // PostgreSQL: db.execute() works for statements too\n  await db.execute(query);\n}\n\n/**\n * Convert a Date to a value suitable for the database.\n * SQLite uses Unix timestamps (seconds), PostgreSQL uses Date objects.\n */\nexport function toDbTimestamp(db: IdentityDatabase, date: Date): number | Date {\n  return isDatabaseSqlite(db) ? Math.floor(date.getTime() / 1000) : date;\n}\n\n/**\n * Parse a timestamp value from database result to Date.\n * Handles both Unix timestamps (SQLite) and Date objects (PostgreSQL).\n */\nexport function fromDbTimestamp(value: unknown): Date | undefined {\n  if (value === null || value === undefined) {\n    return undefined;\n  }\n  if (value instanceof Date) {\n    return value;\n  }\n  if (typeof value === 'number') {\n    return new Date(value * 1000);\n  }\n  if (typeof value === 'string') {\n    return new Date(value);\n  }\n  return undefined;\n}\n\n/**\n * Ensure SQLite tables exist (simple DDL for local/dev mode).\n */\nfunction ensureSqliteTables(sqlite: SqliteDdlExecutor): void {\n  sqlite.exec(`\n    CREATE TABLE IF NOT EXISTS identity_account_usage (\n      account_id TEXT PRIMARY KEY,\n      storage_bytes INTEGER NOT NULL DEFAULT 0,\n      ingress_bytes INTEGER NOT NULL DEFAULT 0,\n      egress_bytes INTEGER NOT NULL DEFAULT 0,\n      storage_limit_bytes INTEGER,\n      bandwidth_limit_bps INTEGER,\n      compute_seconds INTEGER NOT NULL DEFAULT 0,\n      tokens_used INTEGER NOT NULL DEFAULT 0,\n      compute_limit_seconds INTEGER,\n      token_limit_monthly INTEGER,\n      period_start INTEGER,\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_pod_usage (\n      pod_id TEXT PRIMARY KEY,\n      account_id TEXT NOT NULL,\n      storage_bytes INTEGER NOT NULL DEFAULT 0,\n      ingress_bytes INTEGER NOT NULL DEFAULT 0,\n      egress_bytes INTEGER NOT NULL DEFAULT 0,\n      storage_limit_bytes INTEGER,\n      bandwidth_limit_bps INTEGER,\n      compute_seconds INTEGER NOT NULL DEFAULT 0,\n      tokens_used INTEGER NOT NULL DEFAULT 0,\n      compute_limit_seconds INTEGER,\n      token_limit_monthly INTEGER,\n      period_start INTEGER,\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node (\n      id TEXT PRIMARY KEY,\n      display_name TEXT,\n      owner_account_id TEXT,\n      token_hash TEXT NOT NULL,\n      account_id TEXT,\n      node_type TEXT DEFAULT 'edge',\n      subdomain TEXT UNIQUE,\n      access_mode TEXT,\n      ipv4 TEXT,\n      public_port INTEGER,\n      public_url TEXT,\n      service_token_hash TEXT,\n      provision_code_hash TEXT,\n      internal_ip TEXT,\n      internal_port INTEGER,\n      hostname TEXT,\n      ipv6 TEXT,\n      version TEXT,\n      capabilities TEXT,\n      metadata TEXT,\n      connectivity_status TEXT DEFAULT 'unknown',\n      last_connectivity_check INTEGER,\n      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n      updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n      last_seen INTEGER\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node_pod (\n      node_id TEXT NOT NULL REFERENCES identity_edge_node(id) ON DELETE CASCADE,\n      base_url TEXT NOT NULL\n    );\n\n    CREATE TABLE IF NOT EXISTS api_client_credentials (\n      client_id TEXT PRIMARY KEY,\n      client_secret_encrypted TEXT NOT NULL,\n      web_id TEXT NOT NULL,\n      account_id TEXT NOT NULL,\n      display_name TEXT,\n      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_service_token (\n      id TEXT PRIMARY KEY,\n      token_hash TEXT NOT NULL UNIQUE,\n      service_type TEXT NOT NULL,\n      service_id TEXT NOT NULL,\n      scopes TEXT NOT NULL,\n      created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),\n      expires_at INTEGER\n    );\n  `);\n\n  // Migrate existing tables: add new columns if missing\n  migrateSqliteColumns(sqlite);\n}\n\n/**\n * Add columns that may be missing from older databases.\n * SQLite ALTER TABLE ADD COLUMN is idempotent-safe via try/catch.\n */\nfunction migrateSqliteColumns(sqlite: SqliteDdlExecutor): void {\n  const addColumn = (table: string, column: string, type: string): void => {\n    try {\n      sqlite.exec(`ALTER TABLE ${table} ADD COLUMN ${column} ${type}`);\n    } catch {\n      // Column already exists — ignore\n    }\n  };\n\n  addColumn('identity_edge_node', 'public_url', 'TEXT');\n  addColumn('identity_edge_node', 'service_token_hash', 'TEXT');\n  addColumn('identity_edge_node', 'provision_code_hash', 'TEXT');\n\n  // Usage tables: compute/token columns\n  addColumn('identity_account_usage', 'compute_seconds', 'INTEGER NOT NULL DEFAULT 0');\n  addColumn('identity_account_usage', 'tokens_used', 'INTEGER NOT NULL DEFAULT 0');\n  addColumn('identity_account_usage', 'compute_limit_seconds', 'INTEGER');\n  addColumn('identity_account_usage', 'token_limit_monthly', 'INTEGER');\n  addColumn('identity_account_usage', 'period_start', 'INTEGER');\n  addColumn('identity_pod_usage', 'compute_seconds', 'INTEGER NOT NULL DEFAULT 0');\n  addColumn('identity_pod_usage', 'tokens_used', 'INTEGER NOT NULL DEFAULT 0');\n  addColumn('identity_pod_usage', 'compute_limit_seconds', 'INTEGER');\n  addColumn('identity_pod_usage', 'token_limit_monthly', 'INTEGER');\n  addColumn('identity_pod_usage', 'period_start', 'INTEGER');\n}\n\n/**\n * Add columns that may be missing from older PostgreSQL databases.\n * Uses IF NOT EXISTS via information_schema check + ALTER TABLE.\n */\nasync function migratePgColumns(pool: { query: (sql: string) => Promise<any> }): Promise<void> {\n  const addColumn = async (table: string, column: string, type: string): Promise<void> => {\n    try {\n      await pool.query(\n        `DO $$ BEGIN\n          IF NOT EXISTS (\n            SELECT 1 FROM information_schema.columns\n            WHERE table_name = '${table}' AND column_name = '${column}'\n          ) THEN\n            ALTER TABLE ${table} ADD COLUMN ${column} ${type};\n          END IF;\n        END $$;`,\n      );\n    } catch {\n      // Ignore errors (table might not exist yet)\n    }\n  };\n\n  // Usage tables: compute/token columns\n  await addColumn('identity_account_usage', 'compute_seconds', 'BIGINT NOT NULL DEFAULT 0');\n  await addColumn('identity_account_usage', 'tokens_used', 'BIGINT NOT NULL DEFAULT 0');\n  await addColumn('identity_account_usage', 'compute_limit_seconds', 'BIGINT');\n  await addColumn('identity_account_usage', 'token_limit_monthly', 'BIGINT');\n  await addColumn('identity_account_usage', 'period_start', 'TIMESTAMP WITH TIME ZONE');\n  await addColumn('identity_pod_usage', 'compute_seconds', 'BIGINT NOT NULL DEFAULT 0');\n  await addColumn('identity_pod_usage', 'tokens_used', 'BIGINT NOT NULL DEFAULT 0');\n  await addColumn('identity_pod_usage', 'compute_limit_seconds', 'BIGINT');\n  await addColumn('identity_pod_usage', 'token_limit_monthly', 'BIGINT');\n  await addColumn('identity_pod_usage', 'period_start', 'TIMESTAMP WITH TIME ZONE');\n\n  // Service token table\n  try {\n    await pool.query(`\n      CREATE TABLE IF NOT EXISTS identity_service_token (\n        id TEXT PRIMARY KEY,\n        token_hash TEXT NOT NULL UNIQUE,\n        service_type TEXT NOT NULL,\n        service_id TEXT NOT NULL,\n        scopes TEXT NOT NULL,\n        created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),\n        expires_at TIMESTAMP WITH TIME ZONE\n      );\n    `);\n  } catch {\n    // Ignore if already exists\n  }\n}\n\n\nasync function ensurePostgresTables(pool: Pool): Promise<void> {\n  await pool.query(`\n    CREATE TABLE IF NOT EXISTS identity_account_usage (\n      account_id TEXT PRIMARY KEY,\n      storage_bytes BIGINT NOT NULL DEFAULT 0,\n      ingress_bytes BIGINT NOT NULL DEFAULT 0,\n      egress_bytes BIGINT NOT NULL DEFAULT 0,\n      storage_limit_bytes BIGINT,\n      bandwidth_limit_bps BIGINT,\n      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_pod_usage (\n      pod_id TEXT PRIMARY KEY,\n      account_id TEXT NOT NULL,\n      storage_bytes BIGINT NOT NULL DEFAULT 0,\n      ingress_bytes BIGINT NOT NULL DEFAULT 0,\n      egress_bytes BIGINT NOT NULL DEFAULT 0,\n      storage_limit_bytes BIGINT,\n      bandwidth_limit_bps BIGINT,\n      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node (\n      id TEXT PRIMARY KEY,\n      display_name TEXT,\n      owner_account_id TEXT,\n      token_hash TEXT NOT NULL,\n      account_id TEXT,\n      node_type TEXT DEFAULT 'edge',\n      subdomain TEXT UNIQUE,\n      access_mode TEXT,\n      public_ip TEXT,\n      public_port BIGINT,\n      public_url TEXT,\n      service_token_hash TEXT,\n      provision_code_hash TEXT,\n      internal_ip TEXT,\n      internal_port BIGINT,\n      capabilities JSONB,\n      metadata JSONB,\n      connectivity_status TEXT DEFAULT 'unknown',\n      last_connectivity_check TIMESTAMPTZ,\n      created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n      updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n      last_seen TIMESTAMPTZ\n    );\n\n    CREATE TABLE IF NOT EXISTS identity_edge_node_pod (\n      node_id TEXT NOT NULL REFERENCES identity_edge_node(id) ON DELETE CASCADE,\n      base_url TEXT NOT NULL\n    );\n\n    CREATE TABLE IF NOT EXISTS api_client_credentials (\n      client_id TEXT PRIMARY KEY,\n      client_secret_encrypted TEXT NOT NULL,\n      web_id TEXT NOT NULL,\n      account_id TEXT NOT NULL,\n      display_name TEXT,\n      created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n    );\n  `);\n\n  await migratePostgresColumns(pool);\n}\n\nasync function migratePostgresColumns(pool: Pool): Promise<void> {\n  const addColumn = async (table: string, column: string, type: string): Promise<void> => {\n    await pool.query(`ALTER TABLE ${table} ADD COLUMN IF NOT EXISTS ${column} ${type}`);\n  };\n\n  await addColumn('identity_edge_node', 'public_url', 'TEXT');\n  await addColumn('identity_edge_node', 'service_token_hash', 'TEXT');\n  await addColumn('identity_edge_node', 'provision_code_hash', 'TEXT');\n}\n"]}

package/dist/identity/drizzle/schema.pg.d.ts

@@ -18,3 +18,8 @@ export declare const ddnsRecords: any;
 export declare const edgeNodes: any;
 export declare const edgeNodePods: any;
 export declare const apiClientCredentials: any;
+/**
+ * Service Token 表
+ * 用于服务间认证 (Business, Local SP, Cloud, Compute)
+ */
+export declare const serviceTokens: any;