npm - @wopr-network/platform-core - Versions diffs - 0.1.0 - Mend

@wopr-network/platform-core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (694) hide show

package/biome.json +61 -0
package/dist/admin/admin-audit-log-repository.d.ts +33 -0
package/dist/admin/admin-audit-log-repository.js +102 -0
package/dist/admin/audit-log.d.ts +49 -0
package/dist/admin/audit-log.js +63 -0
package/dist/admin/index.d.ts +6 -0
package/dist/admin/index.js +3 -0
package/dist/admin/role-store.d.ts +37 -0
package/dist/admin/role-store.js +106 -0
package/dist/auth/api-key-repository.d.ts +11 -0
package/dist/auth/api-key-repository.js +33 -0
package/dist/auth/api-key-repository.test.d.ts +1 -0
package/dist/auth/api-key-repository.test.js +46 -0
package/dist/auth/auth.test.d.ts +1 -0
package/dist/auth/auth.test.js +140 -0
package/dist/auth/better-auth.d.ts +42 -0
package/dist/auth/better-auth.js +196 -0
package/dist/auth/index.d.ts +186 -0
package/dist/auth/index.js +422 -0
package/dist/auth/login-history-repository.d.ts +14 -0
package/dist/auth/login-history-repository.js +15 -0
package/dist/auth/login-history-repository.test.d.ts +1 -0
package/dist/auth/login-history-repository.test.js +47 -0
package/dist/auth/middleware.d.ts +55 -0
package/dist/auth/middleware.js +101 -0
package/dist/auth/middleware.test.d.ts +1 -0
package/dist/auth/middleware.test.js +213 -0
package/dist/auth/scoped-tokens.test.d.ts +1 -0
package/dist/auth/scoped-tokens.test.js +306 -0
package/dist/auth/tenant-access.test.d.ts +1 -0
package/dist/auth/tenant-access.test.js +62 -0
package/dist/auth/user-creator.d.ts +9 -0
package/dist/auth/user-creator.js +47 -0
package/dist/auth/user-creator.test.d.ts +1 -0
package/dist/auth/user-creator.test.js +78 -0
package/dist/auth/user-role-repository.d.ts +31 -0
package/dist/auth/user-role-repository.js +53 -0
package/dist/auth/user-role-repository.test.d.ts +1 -0
package/dist/auth/user-role-repository.test.js +122 -0
package/dist/billing/drizzle-webhook-seen-repository.d.ts +10 -0
package/dist/billing/drizzle-webhook-seen-repository.js +28 -0
package/dist/billing/index.d.ts +7 -0
package/dist/billing/index.js +7 -0
package/dist/billing/payment-processor.d.ts +127 -0
package/dist/billing/payment-processor.js +8 -0
package/dist/billing/payment-processor.test.d.ts +1 -0
package/dist/billing/payment-processor.test.js +71 -0
package/dist/billing/payram/cents-credits-boundary.test.d.ts +1 -0
package/dist/billing/payram/cents-credits-boundary.test.js +75 -0
package/dist/billing/payram/charge-store.d.ts +41 -0
package/dist/billing/payram/charge-store.js +72 -0
package/dist/billing/payram/charge-store.test.d.ts +1 -0
package/dist/billing/payram/charge-store.test.js +64 -0
package/dist/billing/payram/checkout.d.ts +15 -0
package/dist/billing/payram/checkout.js +24 -0
package/dist/billing/payram/checkout.test.d.ts +1 -0
package/dist/billing/payram/checkout.test.js +74 -0
package/dist/billing/payram/client.d.ts +7 -0
package/dist/billing/payram/client.js +15 -0
package/dist/billing/payram/client.test.d.ts +1 -0
package/dist/billing/payram/client.test.js +52 -0
package/dist/billing/payram/index.d.ts +8 -0
package/dist/billing/payram/index.js +4 -0
package/dist/billing/payram/types.d.ts +40 -0
package/dist/billing/payram/types.js +1 -0
package/dist/billing/payram/webhook.d.ts +19 -0
package/dist/billing/payram/webhook.js +67 -0
package/dist/billing/payram/webhook.test.d.ts +7 -0
package/dist/billing/payram/webhook.test.js +248 -0
package/dist/billing/stripe/cents-credits-boundary.test.d.ts +1 -0
package/dist/billing/stripe/cents-credits-boundary.test.js +62 -0
package/dist/billing/stripe/checkout.d.ts +20 -0
package/dist/billing/stripe/checkout.js +63 -0
package/dist/billing/stripe/checkout.test.d.ts +1 -0
package/dist/billing/stripe/checkout.test.js +148 -0
package/dist/billing/stripe/client.d.ts +14 -0
package/dist/billing/stripe/client.js +33 -0
package/dist/billing/stripe/client.test.d.ts +1 -0
package/dist/billing/stripe/client.test.js +58 -0
package/dist/billing/stripe/credit-prices.d.ts +63 -0
package/dist/billing/stripe/credit-prices.js +81 -0
package/dist/billing/stripe/credit-prices.test.d.ts +1 -0
package/dist/billing/stripe/credit-prices.test.js +87 -0
package/dist/billing/stripe/index.d.ts +14 -0
package/dist/billing/stripe/index.js +8 -0
package/dist/billing/stripe/payment-methods-detach-all.test.d.ts +1 -0
package/dist/billing/stripe/payment-methods-detach-all.test.js +40 -0
package/dist/billing/stripe/payment-methods.d.ts +25 -0
package/dist/billing/stripe/payment-methods.js +53 -0
package/dist/billing/stripe/payment-methods.test.d.ts +1 -0
package/dist/billing/stripe/payment-methods.test.js +122 -0
package/dist/billing/stripe/portal.d.ts +10 -0
package/dist/billing/stripe/portal.js +16 -0
package/dist/billing/stripe/portal.test.d.ts +1 -0
package/dist/billing/stripe/portal.test.js +48 -0
package/dist/billing/stripe/setup-intent.d.ts +16 -0
package/dist/billing/stripe/setup-intent.js +22 -0
package/dist/billing/stripe/setup-intent.test.d.ts +1 -0
package/dist/billing/stripe/setup-intent.test.js +58 -0
package/dist/billing/stripe/stripe-payment-processor.d.ts +49 -0
package/dist/billing/stripe/stripe-payment-processor.js +166 -0
package/dist/billing/stripe/stripe-payment-processor.test.d.ts +1 -0
package/dist/billing/stripe/stripe-payment-processor.test.js +413 -0
package/dist/billing/stripe/tenant-store.d.ts +56 -0
package/dist/billing/stripe/tenant-store.js +119 -0
package/dist/billing/stripe/tenant-store.test.d.ts +1 -0
package/dist/billing/stripe/tenant-store.test.js +97 -0
package/dist/billing/stripe/types.d.ts +49 -0
package/dist/billing/stripe/types.js +1 -0
package/dist/billing/webhook-seen-repository.d.ts +14 -0
package/dist/billing/webhook-seen-repository.js +13 -0
package/dist/config/billing-env.test.d.ts +1 -0
package/dist/config/billing-env.test.js +48 -0
package/dist/config/index.d.ts +46 -0
package/dist/config/index.js +38 -0
package/dist/config/logger.d.ts +2 -0
package/dist/config/logger.js +11 -0
package/dist/config/provider-endpoints.d.ts +6 -0
package/dist/config/provider-endpoints.js +12 -0
package/dist/credits/auto-topup-charge.d.ts +27 -0
package/dist/credits/auto-topup-charge.js +139 -0
package/dist/credits/auto-topup-charge.test.d.ts +1 -0
package/dist/credits/auto-topup-charge.test.js +242 -0
package/dist/credits/auto-topup-event-log-repository.d.ts +16 -0
package/dist/credits/auto-topup-event-log-repository.js +18 -0
package/dist/credits/auto-topup-event-log-repository.test.d.ts +1 -0
package/dist/credits/auto-topup-event-log-repository.test.js +83 -0
package/dist/credits/auto-topup-schedule.d.ts +27 -0
package/dist/credits/auto-topup-schedule.js +66 -0
package/dist/credits/auto-topup-schedule.test.d.ts +1 -0
package/dist/credits/auto-topup-schedule.test.js +145 -0
package/dist/credits/auto-topup-settings-repository.d.ts +54 -0
package/dist/credits/auto-topup-settings-repository.js +184 -0
package/dist/credits/auto-topup-settings-repository.test.d.ts +1 -0
package/dist/credits/auto-topup-settings-repository.test.js +104 -0
package/dist/credits/auto-topup-usage.d.ts +22 -0
package/dist/credits/auto-topup-usage.js +56 -0
package/dist/credits/auto-topup-usage.test.d.ts +1 -0
package/dist/credits/auto-topup-usage.test.js +181 -0
package/dist/credits/credit-expiry-cron.d.ts +19 -0
package/dist/credits/credit-expiry-cron.js +50 -0
package/dist/credits/credit-expiry-cron.test.d.ts +1 -0
package/dist/credits/credit-expiry-cron.test.js +67 -0
package/dist/credits/credit-ledger-extra.test.d.ts +1 -0
package/dist/credits/credit-ledger-extra.test.js +40 -0
package/dist/credits/credit-ledger.bench.d.ts +1 -0
package/dist/credits/credit-ledger.bench.js +33 -0
package/dist/credits/credit-ledger.d.ts +130 -0
package/dist/credits/credit-ledger.js +293 -0
package/dist/credits/credit-ledger.test.d.ts +4 -0
package/dist/credits/credit-ledger.test.js +203 -0
package/dist/credits/credit-transaction-repository.d.ts +17 -0
package/dist/credits/credit-transaction-repository.js +35 -0
package/dist/credits/credit-transaction-repository.test.d.ts +1 -0
package/dist/credits/credit-transaction-repository.test.js +232 -0
package/dist/credits/credit.d.ts +75 -0
package/dist/credits/credit.js +139 -0
package/dist/credits/credit.test.d.ts +1 -0
package/dist/credits/credit.test.js +196 -0
package/dist/credits/dividend-cron.d.ts +29 -0
package/dist/credits/dividend-cron.js +88 -0
package/dist/credits/dividend-cron.test.d.ts +1 -0
package/dist/credits/dividend-cron.test.js +128 -0
package/dist/credits/dividend-repository.d.ts +29 -0
package/dist/credits/dividend-repository.js +126 -0
package/dist/credits/dividend-repository.test.d.ts +1 -0
package/dist/credits/dividend-repository.test.js +176 -0
package/dist/credits/index.d.ts +9 -0
package/dist/credits/index.js +5 -0
package/dist/credits/repository-types.d.ts +29 -0
package/dist/credits/repository-types.js +1 -0
package/dist/credits/signup-grant.d.ts +12 -0
package/dist/credits/signup-grant.js +35 -0
package/dist/credits/signup-grant.test.d.ts +1 -0
package/dist/credits/signup-grant.test.js +51 -0
package/dist/credits/tenant-customer-repository.d.ts +30 -0
package/dist/credits/tenant-customer-repository.js +5 -0
package/dist/db/auth-user-repository.d.ts +46 -0
package/dist/db/auth-user-repository.js +90 -0
package/dist/db/credit-column.d.ts +27 -0
package/dist/db/credit-column.js +13 -0
package/dist/db/index.d.ts +14 -0
package/dist/db/index.js +8 -0
package/dist/db/schema/account-deletion-requests.d.ts +203 -0
package/dist/db/schema/account-deletion-requests.js +36 -0
package/dist/db/schema/account-export-requests.d.ts +148 -0
package/dist/db/schema/account-export-requests.js +19 -0
package/dist/db/schema/admin-audit.d.ts +194 -0
package/dist/db/schema/admin-audit.js +21 -0
package/dist/db/schema/admin-users.d.ts +177 -0
package/dist/db/schema/admin-users.js +23 -0
package/dist/db/schema/affiliate-fraud.d.ts +160 -0
package/dist/db/schema/affiliate-fraud.js +18 -0
package/dist/db/schema/affiliate.d.ts +277 -0
package/dist/db/schema/affiliate.js +32 -0
package/dist/db/schema/coupon-codes.d.ts +143 -0
package/dist/db/schema/coupon-codes.js +17 -0
package/dist/db/schema/credit-auto-topup-settings.d.ts +232 -0
package/dist/db/schema/credit-auto-topup-settings.js +27 -0
package/dist/db/schema/credit-auto-topup.d.ts +130 -0
package/dist/db/schema/credit-auto-topup.js +21 -0
package/dist/db/schema/credits.d.ts +283 -0
package/dist/db/schema/credits.js +38 -0
package/dist/db/schema/dividend-distributions.d.ts +130 -0
package/dist/db/schema/dividend-distributions.js +19 -0
package/dist/db/schema/email-notifications.d.ts +99 -0
package/dist/db/schema/email-notifications.js +21 -0
package/dist/db/schema/index.d.ts +33 -0
package/dist/db/schema/index.js +33 -0
package/dist/db/schema/meter-events.d.ts +599 -0
package/dist/db/schema/meter-events.js +55 -0
package/dist/db/schema/notification-preferences.d.ts +165 -0
package/dist/db/schema/notification-preferences.js +18 -0
package/dist/db/schema/notification-queue.d.ts +236 -0
package/dist/db/schema/notification-queue.js +40 -0
package/dist/db/schema/org-memberships.d.ts +63 -0
package/dist/db/schema/org-memberships.js +15 -0
package/dist/db/schema/organization-members.d.ts +235 -0
package/dist/db/schema/organization-members.js +27 -0
package/dist/db/schema/payram.d.ts +164 -0
package/dist/db/schema/payram.js +21 -0
package/dist/db/schema/platform-api-keys.d.ts +143 -0
package/dist/db/schema/platform-api-keys.js +20 -0
package/dist/db/schema/promotion-redemptions.d.ts +143 -0
package/dist/db/schema/promotion-redemptions.js +18 -0
package/dist/db/schema/promotions.d.ts +445 -0
package/dist/db/schema/promotions.js +48 -0
package/dist/db/schema/provider-credentials.d.ts +201 -0
package/dist/db/schema/provider-credentials.js +36 -0
package/dist/db/schema/rate-limit-entries.d.ts +75 -0
package/dist/db/schema/rate-limit-entries.js +7 -0
package/dist/db/schema/secret-audit-log.d.ts +109 -0
package/dist/db/schema/secret-audit-log.js +15 -0
package/dist/db/schema/session-usage.d.ts +194 -0
package/dist/db/schema/session-usage.js +19 -0
package/dist/db/schema/spending-limits.d.ts +92 -0
package/dist/db/schema/spending-limits.js +8 -0
package/dist/db/schema/tenant-addons.d.ts +58 -0
package/dist/db/schema/tenant-addons.js +9 -0
package/dist/db/schema/tenant-api-keys.d.ts +131 -0
package/dist/db/schema/tenant-api-keys.js +21 -0
package/dist/db/schema/tenant-capability-settings.d.ts +79 -0
package/dist/db/schema/tenant-capability-settings.js +12 -0
package/dist/db/schema/tenant-customers.d.ts +303 -0
package/dist/db/schema/tenant-customers.js +25 -0
package/dist/db/schema/tenants.d.ts +126 -0
package/dist/db/schema/tenants.js +18 -0
package/dist/db/schema/user-roles.d.ts +98 -0
package/dist/db/schema/user-roles.js +18 -0
package/dist/db/schema/webhook-seen-events.d.ts +58 -0
package/dist/db/schema/webhook-seen-events.js +9 -0
package/dist/email/billing-emails.d.ts +51 -0
package/dist/email/billing-emails.js +163 -0
package/dist/email/billing-emails.test.d.ts +1 -0
package/dist/email/billing-emails.test.js +162 -0
package/dist/email/client.d.ts +51 -0
package/dist/email/client.js +102 -0
package/dist/email/client.test.d.ts +1 -0
package/dist/email/client.test.js +120 -0
package/dist/email/drizzle-billing-email-repository.d.ts +21 -0
package/dist/email/drizzle-billing-email-repository.js +36 -0
package/dist/email/drizzle-billing-email-repository.test.d.ts +1 -0
package/dist/email/drizzle-billing-email-repository.test.js +42 -0
package/dist/email/index.d.ts +33 -0
package/dist/email/index.js +22 -0
package/dist/email/notification-preferences-store.d.ts +12 -0
package/dist/email/notification-preferences-store.js +82 -0
package/dist/email/notification-preferences-store.test.d.ts +1 -0
package/dist/email/notification-preferences-store.test.js +86 -0
package/dist/email/notification-queue-store.d.ts +25 -0
package/dist/email/notification-queue-store.js +97 -0
package/dist/email/notification-queue-store.test.d.ts +1 -0
package/dist/email/notification-queue-store.test.js +177 -0
package/dist/email/notification-repository-types.d.ts +70 -0
package/dist/email/notification-repository-types.js +6 -0
package/dist/email/notification-service.d.ts +41 -0
package/dist/email/notification-service.js +196 -0
package/dist/email/notification-service.test.d.ts +1 -0
package/dist/email/notification-service.test.js +160 -0
package/dist/email/notification-templates.d.ts +18 -0
package/dist/email/notification-templates.js +574 -0
package/dist/email/notification-templates.test.d.ts +1 -0
package/dist/email/notification-templates.test.js +238 -0
package/dist/email/notification-worker.d.ts +24 -0
package/dist/email/notification-worker.js +109 -0
package/dist/email/notification-worker.test.d.ts +1 -0
package/dist/email/notification-worker.test.js +153 -0
package/dist/email/require-verified.d.ts +25 -0
package/dist/email/require-verified.js +52 -0
package/dist/email/require-verified.test.d.ts +1 -0
package/dist/email/require-verified.test.js +62 -0
package/dist/email/resend-adapter.d.ts +47 -0
package/dist/email/resend-adapter.js +137 -0
package/dist/email/resend-adapter.test.d.ts +1 -0
package/dist/email/resend-adapter.test.js +190 -0
package/dist/email/templates.d.ts +22 -0
package/dist/email/templates.js +359 -0
package/dist/email/templates.test.d.ts +1 -0
package/dist/email/templates.test.js +170 -0
package/dist/email/verification.d.ts +42 -0
package/dist/email/verification.js +83 -0
package/dist/email/verification.test.d.ts +1 -0
package/dist/email/verification.test.js +141 -0
package/dist/index.d.ts +13 -0
package/dist/index.js +23 -0
package/dist/metering/aggregator.d.ts +54 -0
package/dist/metering/aggregator.js +123 -0
package/dist/metering/aggregator.test.d.ts +1 -0
package/dist/metering/aggregator.test.js +179 -0
package/dist/metering/dlq.d.ts +31 -0
package/dist/metering/dlq.js +82 -0
package/dist/metering/dlq.test.d.ts +1 -0
package/dist/metering/dlq.test.js +117 -0
package/dist/metering/drizzle-usage-summary-repository.d.ts +67 -0
package/dist/metering/drizzle-usage-summary-repository.js +98 -0
package/dist/metering/emitter.d.ts +66 -0
package/dist/metering/emitter.js +185 -0
package/dist/metering/emitter.test.d.ts +1 -0
package/dist/metering/emitter.test.js +171 -0
package/dist/metering/index.d.ts +11 -0
package/dist/metering/index.js +5 -0
package/dist/metering/load-test.bench.d.ts +1 -0
package/dist/metering/load-test.bench.js +103 -0
package/dist/metering/meter-event-repository.d.ts +33 -0
package/dist/metering/meter-event-repository.js +58 -0
package/dist/metering/meter-repositories.test.d.ts +1 -0
package/dist/metering/meter-repositories.test.js +419 -0
package/dist/metering/metering.test.d.ts +1 -0
package/dist/metering/metering.test.js +1046 -0
package/dist/metering/reconciliation-cron.d.ts +37 -0
package/dist/metering/reconciliation-cron.js +85 -0
package/dist/metering/reconciliation-cron.test.d.ts +1 -0
package/dist/metering/reconciliation-cron.test.js +162 -0
package/dist/metering/reconciliation-repository.d.ts +27 -0
package/dist/metering/reconciliation-repository.js +43 -0
package/dist/metering/reconciliation-repository.test.d.ts +1 -0
package/dist/metering/reconciliation-repository.test.js +160 -0
package/dist/metering/types.d.ts +88 -0
package/dist/metering/types.js +1 -0
package/dist/metering/wal.d.ts +49 -0
package/dist/metering/wal.js +124 -0
package/dist/metering/wal.test.d.ts +1 -0
package/dist/metering/wal.test.js +175 -0
package/dist/middleware/csrf.d.ts +24 -0
package/dist/middleware/csrf.js +80 -0
package/dist/middleware/csrf.test.d.ts +1 -0
package/dist/middleware/csrf.test.js +152 -0
package/dist/middleware/drizzle-rate-limit-repository.d.ts +9 -0
package/dist/middleware/drizzle-rate-limit-repository.js +52 -0
package/dist/middleware/drizzle-rate-limit-repository.test.d.ts +1 -0
package/dist/middleware/drizzle-rate-limit-repository.test.js +74 -0
package/dist/middleware/get-client-ip.d.ts +22 -0
package/dist/middleware/get-client-ip.js +51 -0
package/dist/middleware/get-client-ip.test.d.ts +1 -0
package/dist/middleware/get-client-ip.test.js +40 -0
package/dist/middleware/index.d.ts +5 -0
package/dist/middleware/index.js +4 -0
package/dist/middleware/rate-limit-repository.d.ts +19 -0
package/dist/middleware/rate-limit-repository.js +1 -0
package/dist/middleware/rate-limit.d.ts +57 -0
package/dist/middleware/rate-limit.js +109 -0
package/dist/middleware/rate-limit.test.d.ts +1 -0
package/dist/middleware/rate-limit.test.js +247 -0
package/dist/security/credential-vault/audit-repository.d.ts +27 -0
package/dist/security/credential-vault/audit-repository.js +42 -0
package/dist/security/credential-vault/audit-repository.test.d.ts +1 -0
package/dist/security/credential-vault/audit-repository.test.js +78 -0
package/dist/security/credential-vault/credential-repository.d.ts +94 -0
package/dist/security/credential-vault/credential-repository.js +145 -0
package/dist/security/credential-vault/credential-repository.test.d.ts +1 -0
package/dist/security/credential-vault/credential-repository.test.js +206 -0
package/dist/security/credential-vault/index.d.ts +12 -0
package/dist/security/credential-vault/index.js +6 -0
package/dist/security/credential-vault/key-rotation.d.ts +18 -0
package/dist/security/credential-vault/key-rotation.js +52 -0
package/dist/security/credential-vault/key-rotation.test.d.ts +1 -0
package/dist/security/credential-vault/key-rotation.test.js +95 -0
package/dist/security/credential-vault/migrate-plaintext.d.ts +15 -0
package/dist/security/credential-vault/migrate-plaintext.js +80 -0
package/dist/security/credential-vault/migrate-plaintext.test.d.ts +1 -0
package/dist/security/credential-vault/migrate-plaintext.test.js +111 -0
package/dist/security/credential-vault/migration-check.d.ts +15 -0
package/dist/security/credential-vault/migration-check.js +71 -0
package/dist/security/credential-vault/migration-check.test.d.ts +1 -0
package/dist/security/credential-vault/migration-check.test.js +457 -0
package/dist/security/credential-vault/store.d.ts +106 -0
package/dist/security/credential-vault/store.js +181 -0
package/dist/security/credential-vault/store.test.d.ts +1 -0
package/dist/security/credential-vault/store.test.js +482 -0
package/dist/security/encryption.d.ts +22 -0
package/dist/security/encryption.js +53 -0
package/dist/security/encryption.test.d.ts +1 -0
package/dist/security/encryption.test.js +95 -0
package/dist/security/host-validation.d.ts +11 -0
package/dist/security/host-validation.js +108 -0
package/dist/security/host-validation.test.d.ts +1 -0
package/dist/security/host-validation.test.js +106 -0
package/dist/security/index.d.ts +11 -0
package/dist/security/index.js +11 -0
package/dist/security/key-audit.d.ts +16 -0
package/dist/security/key-audit.js +35 -0
package/dist/security/key-audit.test.d.ts +1 -0
package/dist/security/key-audit.test.js +50 -0
package/dist/security/key-injection.d.ts +28 -0
package/dist/security/key-injection.js +57 -0
package/dist/security/key-injection.test.d.ts +1 -0
package/dist/security/key-injection.test.js +97 -0
package/dist/security/key-validation.d.ts +16 -0
package/dist/security/key-validation.js +78 -0
package/dist/security/key-validation.test.d.ts +1 -0
package/dist/security/key-validation.test.js +87 -0
package/dist/security/redirect-allowlist.d.ts +6 -0
package/dist/security/redirect-allowlist.js +36 -0
package/dist/security/redirect-allowlist.test.d.ts +1 -0
package/dist/security/redirect-allowlist.test.js +55 -0
package/dist/security/tenant-keys/capability-settings-store.d.ts +22 -0
package/dist/security/tenant-keys/capability-settings-store.js +33 -0
package/dist/security/tenant-keys/capability-settings-store.test.d.ts +1 -0
package/dist/security/tenant-keys/capability-settings-store.test.js +77 -0
package/dist/security/tenant-keys/index.d.ts +10 -0
package/dist/security/tenant-keys/index.js +5 -0
package/dist/security/tenant-keys/key-resolution-repository.d.ts +15 -0
package/dist/security/tenant-keys/key-resolution-repository.js +18 -0
package/dist/security/tenant-keys/key-resolution-repository.test.d.ts +1 -0
package/dist/security/tenant-keys/key-resolution-repository.test.js +72 -0
package/dist/security/tenant-keys/key-resolution.d.ts +39 -0
package/dist/security/tenant-keys/key-resolution.js +59 -0
package/dist/security/tenant-keys/key-resolution.test.d.ts +1 -0
package/dist/security/tenant-keys/key-resolution.test.js +97 -0
package/dist/security/tenant-keys/org-key-resolution.d.ts +30 -0
package/dist/security/tenant-keys/org-key-resolution.js +50 -0
package/dist/security/tenant-keys/org-key-resolution.test.d.ts +1 -0
package/dist/security/tenant-keys/org-key-resolution.test.js +103 -0
package/dist/security/tenant-keys/tenant-key-repository.d.ts +36 -0
package/dist/security/tenant-keys/tenant-key-repository.js +96 -0
package/dist/security/tenant-keys/tenant-key-repository.test.d.ts +1 -0
package/dist/security/tenant-keys/tenant-key-repository.test.js +114 -0
package/dist/security/types.d.ts +35 -0
package/dist/security/types.js +15 -0
package/dist/tenancy/drizzle-org-repository.d.ts +40 -0
package/dist/tenancy/drizzle-org-repository.js +126 -0
package/dist/tenancy/index.d.ts +6 -0
package/dist/tenancy/index.js +3 -0
package/dist/tenancy/org-member-repository.d.ts +57 -0
package/dist/tenancy/org-member-repository.js +99 -0
package/dist/tenancy/org-repository.test.d.ts +1 -0
package/dist/tenancy/org-repository.test.js +143 -0
package/dist/tenancy/org-service.d.ts +70 -0
package/dist/tenancy/org-service.js +223 -0
package/dist/tenancy/org-service.test.d.ts +1 -0
package/dist/tenancy/org-service.test.js +550 -0
package/dist/test/db.d.ts +33 -0
package/dist/test/db.js +65 -0
package/dist/trpc/index.d.ts +1 -0
package/dist/trpc/index.js +1 -0
package/dist/trpc/init.d.ts +49 -0
package/dist/trpc/init.js +108 -0
package/dist/trpc/init.test.d.ts +1 -0
package/dist/trpc/init.test.js +154 -0
package/drizzle/migrations/0000_slippery_mandrill.sql +559 -0
package/drizzle/migrations/meta/0000_snapshot.json +4374 -0
package/drizzle/migrations/meta/_journal.json +13 -0
package/drizzle.config.ts +41 -0
package/package.json +64 -0
package/src/admin/admin-audit-log-repository.ts +135 -0
package/src/admin/audit-log.ts +111 -0
package/src/admin/index.ts +6 -0
package/src/admin/role-store.ts +134 -0
package/src/auth/api-key-repository.test.ts +63 -0
package/src/auth/api-key-repository.ts +46 -0
package/src/auth/auth.test.ts +166 -0
package/src/auth/better-auth.ts +216 -0
package/src/auth/index.ts +520 -0
package/src/auth/login-history-repository.test.ts +54 -0
package/src/auth/login-history-repository.ts +28 -0
package/src/auth/middleware.test.ts +264 -0
package/src/auth/middleware.ts +117 -0
package/src/auth/scoped-tokens.test.ts +362 -0
package/src/auth/tenant-access.test.ts +69 -0
package/src/auth/user-creator.test.ts +98 -0
package/src/auth/user-creator.ts +54 -0
package/src/auth/user-role-repository.test.ts +149 -0
package/src/auth/user-role-repository.ts +67 -0
package/src/billing/drizzle-webhook-seen-repository.ts +34 -0
package/src/billing/index.ts +22 -0
package/src/billing/payment-processor.test.ts +93 -0
package/src/billing/payment-processor.ts +150 -0
package/src/billing/payram/cents-credits-boundary.test.ts +84 -0
package/src/billing/payram/charge-store.test.ts +84 -0
package/src/billing/payram/charge-store.ts +109 -0
package/src/billing/payram/checkout.test.ts +99 -0
package/src/billing/payram/checkout.ts +40 -0
package/src/billing/payram/client.test.ts +62 -0
package/src/billing/payram/client.ts +21 -0
package/src/billing/payram/index.ts +14 -0
package/src/billing/payram/types.ts +44 -0
package/src/billing/payram/webhook.test.ts +318 -0
package/src/billing/payram/webhook.ts +97 -0
package/src/billing/stripe/cents-credits-boundary.test.ts +70 -0
package/src/billing/stripe/checkout.test.ts +186 -0
package/src/billing/stripe/checkout.ts +82 -0
package/src/billing/stripe/client.test.ts +64 -0
package/src/billing/stripe/client.ts +39 -0
package/src/billing/stripe/credit-prices.test.ts +114 -0
package/src/billing/stripe/credit-prices.ts +113 -0
package/src/billing/stripe/index.ts +14 -0
package/src/billing/stripe/payment-methods-detach-all.test.ts +53 -0
package/src/billing/stripe/payment-methods.test.ts +157 -0
package/src/billing/stripe/payment-methods.ts +76 -0
package/src/billing/stripe/portal.test.ts +63 -0
package/src/billing/stripe/portal.ts +25 -0
package/src/billing/stripe/setup-intent.test.ts +78 -0
package/src/billing/stripe/setup-intent.ts +34 -0
package/src/billing/stripe/stripe-payment-processor.test.ts +517 -0
package/src/billing/stripe/stripe-payment-processor.ts +255 -0
package/src/billing/stripe/tenant-store.test.ts +124 -0
package/src/billing/stripe/tenant-store.ts +151 -0
package/src/billing/stripe/types.ts +53 -0
package/src/billing/webhook-seen-repository.ts +24 -0
package/src/config/billing-env.test.ts +54 -0
package/src/config/index.ts +44 -0
package/src/config/logger.ts +12 -0
package/src/config/provider-endpoints.ts +14 -0
package/src/credits/auto-topup-charge.test.ts +292 -0
package/src/credits/auto-topup-charge.ts +171 -0
package/src/credits/auto-topup-event-log-repository.test.ts +99 -0
package/src/credits/auto-topup-event-log-repository.ts +30 -0
package/src/credits/auto-topup-schedule.test.ts +179 -0
package/src/credits/auto-topup-schedule.ts +93 -0
package/src/credits/auto-topup-settings-repository.test.ts +123 -0
package/src/credits/auto-topup-settings-repository.ts +245 -0
package/src/credits/auto-topup-usage.test.ts +220 -0
package/src/credits/auto-topup-usage.ts +68 -0
package/src/credits/credit-expiry-cron.test.ts +125 -0
package/src/credits/credit-expiry-cron.ts +76 -0
package/src/credits/credit-ledger-extra.test.ts +57 -0
package/src/credits/credit-ledger.bench.ts +56 -0
package/src/credits/credit-ledger.test.ts +276 -0
package/src/credits/credit-ledger.ts +450 -0
package/src/credits/credit-transaction-repository.test.ts +274 -0
package/src/credits/credit-transaction-repository.ts +62 -0
package/src/credits/credit.test.ts +234 -0
package/src/credits/credit.ts +160 -0
package/src/credits/dividend-cron.test.ts +158 -0
package/src/credits/dividend-cron.ts +127 -0
package/src/credits/dividend-repository.test.ts +223 -0
package/src/credits/dividend-repository.ts +182 -0
package/src/credits/index.ts +25 -0
package/src/credits/repository-types.ts +33 -0
package/src/credits/signup-grant.test.ts +63 -0
package/src/credits/signup-grant.ts +44 -0
package/src/credits/tenant-customer-repository.ts +28 -0
package/src/db/auth-user-repository.ts +124 -0
package/src/db/credit-column.ts +17 -0
package/src/db/index.ts +21 -0
package/src/db/schema/account-deletion-requests.ts +41 -0
package/src/db/schema/account-export-requests.ts +24 -0
package/src/db/schema/admin-audit.ts +26 -0
package/src/db/schema/admin-users.ts +31 -0
package/src/db/schema/affiliate-fraud.ts +23 -0
package/src/db/schema/affiliate.ts +38 -0
package/src/db/schema/coupon-codes.ts +22 -0
package/src/db/schema/credit-auto-topup-settings.ts +32 -0
package/src/db/schema/credit-auto-topup.ts +26 -0
package/src/db/schema/credits.ts +44 -0
package/src/db/schema/dividend-distributions.ts +24 -0
package/src/db/schema/email-notifications.ts +26 -0
package/src/db/schema/index.ts +33 -0
package/src/db/schema/meter-events.ts +70 -0
package/src/db/schema/notification-preferences.ts +19 -0
package/src/db/schema/notification-queue.ts +45 -0
package/src/db/schema/org-memberships.ts +20 -0
package/src/db/schema/organization-members.ts +37 -0
package/src/db/schema/payram.ts +26 -0
package/src/db/schema/platform-api-keys.ts +25 -0
package/src/db/schema/promotion-redemptions.ts +23 -0
package/src/db/schema/promotions.ts +57 -0
package/src/db/schema/provider-credentials.ts +41 -0
package/src/db/schema/rate-limit-entries.ts +12 -0
package/src/db/schema/secret-audit-log.ts +20 -0
package/src/db/schema/session-usage.ts +24 -0
package/src/db/schema/spending-limits.ts +9 -0
package/src/db/schema/tenant-addons.ts +14 -0
package/src/db/schema/tenant-api-keys.ts +26 -0
package/src/db/schema/tenant-capability-settings.ts +17 -0
package/src/db/schema/tenant-customers.ts +35 -0
package/src/db/schema/tenants.ts +23 -0
package/src/db/schema/user-roles.ts +23 -0
package/src/db/schema/webhook-seen-events.ts +14 -0
package/src/email/billing-emails.test.ts +198 -0
package/src/email/billing-emails.ts +211 -0
package/src/email/client.test.ts +149 -0
package/src/email/client.ts +137 -0
package/src/email/drizzle-billing-email-repository.test.ts +52 -0
package/src/email/drizzle-billing-email-repository.ts +59 -0
package/src/email/index.ts +57 -0
package/src/email/notification-preferences-store.test.ts +102 -0
package/src/email/notification-preferences-store.ts +90 -0
package/src/email/notification-queue-store.test.ts +215 -0
package/src/email/notification-queue-store.ts +127 -0
package/src/email/notification-repository-types.ts +101 -0
package/src/email/notification-service.test.ts +178 -0
package/src/email/notification-service.ts +265 -0
package/src/email/notification-templates.test.ts +261 -0
package/src/email/notification-templates.ts +727 -0
package/src/email/notification-worker.test.ts +189 -0
package/src/email/notification-worker.ts +133 -0
package/src/email/require-verified.ts +65 -0
package/src/email/resend-adapter.test.ts +253 -0
package/src/email/resend-adapter.ts +157 -0
package/src/email/templates.test.ts +217 -0
package/src/email/templates.ts +469 -0
package/src/email/verification.test.ts +185 -0
package/src/email/verification.ts +110 -0
package/src/index.ts +51 -0
package/src/metering/aggregator.test.ts +239 -0
package/src/metering/aggregator.ts +160 -0
package/src/metering/dlq.test.ts +134 -0
package/src/metering/dlq.ts +102 -0
package/src/metering/drizzle-usage-summary-repository.ts +167 -0
package/src/metering/emitter.test.ts +202 -0
package/src/metering/emitter.ts +227 -0
package/src/metering/index.ts +21 -0
package/src/metering/load-test.bench.ts +130 -0
package/src/metering/meter-event-repository.ts +87 -0
package/src/metering/meter-repositories.test.ts +491 -0
package/src/metering/metering.test.ts +1317 -0
package/src/metering/reconciliation-cron.test.ts +202 -0
package/src/metering/reconciliation-cron.ts +134 -0
package/src/metering/reconciliation-repository.test.ts +196 -0
package/src/metering/reconciliation-repository.ts +83 -0
package/src/metering/types.ts +93 -0
package/src/metering/wal.test.ts +222 -0
package/src/metering/wal.ts +139 -0
package/src/middleware/csrf.test.ts +178 -0
package/src/middleware/csrf.ts +101 -0
package/src/middleware/drizzle-rate-limit-repository.test.ts +97 -0
package/src/middleware/drizzle-rate-limit-repository.ts +57 -0
package/src/middleware/get-client-ip.test.ts +49 -0
package/src/middleware/get-client-ip.ts +62 -0
package/src/middleware/index.ts +12 -0
package/src/middleware/rate-limit-repository.ts +22 -0
package/src/middleware/rate-limit.test.ts +338 -0
package/src/middleware/rate-limit.ts +169 -0
package/src/security/credential-vault/audit-repository.test.ts +91 -0
package/src/security/credential-vault/audit-repository.ts +64 -0
package/src/security/credential-vault/credential-repository.test.ts +264 -0
package/src/security/credential-vault/credential-repository.ts +233 -0
package/src/security/credential-vault/index.ts +26 -0
package/src/security/credential-vault/key-rotation.test.ts +139 -0
package/src/security/credential-vault/key-rotation.ts +70 -0
package/src/security/credential-vault/migrate-plaintext.test.ts +138 -0
package/src/security/credential-vault/migrate-plaintext.ts +101 -0
package/src/security/credential-vault/migration-check.test.ts +533 -0
package/src/security/credential-vault/migration-check.ts +88 -0
package/src/security/credential-vault/store.test.ts +569 -0
package/src/security/credential-vault/store.ts +284 -0
package/src/security/encryption.test.ts +114 -0
package/src/security/encryption.ts +65 -0
package/src/security/host-validation.test.ts +136 -0
package/src/security/host-validation.ts +116 -0
package/src/security/index.ts +59 -0
package/src/security/key-audit.test.ts +57 -0
package/src/security/key-audit.ts +45 -0
package/src/security/key-injection.test.ts +131 -0
package/src/security/key-injection.ts +71 -0
package/src/security/key-validation.test.ts +111 -0
package/src/security/key-validation.ts +84 -0
package/src/security/redirect-allowlist.test.ts +70 -0
package/src/security/redirect-allowlist.ts +35 -0
package/src/security/tenant-keys/capability-settings-store.test.ts +98 -0
package/src/security/tenant-keys/capability-settings-store.ts +53 -0
package/src/security/tenant-keys/index.ts +10 -0
package/src/security/tenant-keys/key-resolution-repository.test.ts +95 -0
package/src/security/tenant-keys/key-resolution-repository.ts +31 -0
package/src/security/tenant-keys/key-resolution.test.ts +173 -0
package/src/security/tenant-keys/key-resolution.ts +87 -0
package/src/security/tenant-keys/org-key-resolution.test.ts +217 -0
package/src/security/tenant-keys/org-key-resolution.ts +76 -0
package/src/security/tenant-keys/tenant-key-repository.test.ts +143 -0
package/src/security/tenant-keys/tenant-key-repository.ts +130 -0
package/src/security/types.ts +43 -0
package/src/tenancy/drizzle-org-repository.ts +169 -0
package/src/tenancy/index.ts +6 -0
package/src/tenancy/org-member-repository.ts +159 -0
package/src/tenancy/org-repository.test.ts +172 -0
package/src/tenancy/org-service.test.ts +634 -0
package/src/tenancy/org-service.ts +290 -0
package/src/test/db.ts +97 -0
package/src/trpc/index.ts +11 -0
package/src/trpc/init.test.ts +196 -0
package/src/trpc/init.ts +138 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +8 -0

package/dist/security/credential-vault/audit-repository.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import type { PlatformDb } from "../../db/index.js";
+export interface SecretAuditEvent {
+    id: string;
+    credentialId: string;
+    accessedAt: number;
+    accessedBy: string;
+    action: "read" | "write" | "delete";
+    ip: string | null;
+}
+export interface ISecretAuditRepository {
+    insert(event: SecretAuditEvent): Promise<void>;
+    listByCredentialId(credentialId: string, opts: {
+        limit: number;
+        offset: number;
+    }): Promise<SecretAuditEvent[]>;
+    countByCredentialId(credentialId: string): Promise<number>;
+}
+export declare class DrizzleSecretAuditRepository implements ISecretAuditRepository {
+    private readonly db;
+    constructor(db: PlatformDb);
+    insert(event: SecretAuditEvent): Promise<void>;
+    listByCredentialId(credentialId: string, opts: {
+        limit: number;
+        offset: number;
+    }): Promise<SecretAuditEvent[]>;
+    countByCredentialId(credentialId: string): Promise<number>;
+}

package/dist/security/credential-vault/audit-repository.js ADDED Viewed

@@ -0,0 +1,42 @@
+import { count, desc, eq } from "drizzle-orm";
+import { secretAuditLog } from "../../db/schema/index.js";
+const MAX_LIMIT = 250;
+export class DrizzleSecretAuditRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async insert(event) {
+        await this.db.insert(secretAuditLog).values({
+            id: event.id,
+            credentialId: event.credentialId,
+            accessedAt: event.accessedAt,
+            accessedBy: event.accessedBy,
+            action: event.action,
+            ip: event.ip,
+        });
+    }
+    async listByCredentialId(credentialId, opts) {
+        const limit = Math.min(Math.max(1, opts.limit), MAX_LIMIT);
+        const offset = Math.max(0, opts.offset);
+        const rows = await this.db
+            .select()
+            .from(secretAuditLog)
+            .where(eq(secretAuditLog.credentialId, credentialId))
+            .orderBy(desc(secretAuditLog.accessedAt))
+            .limit(limit)
+            .offset(offset);
+        return rows.map((r) => ({
+            id: r.id,
+            credentialId: r.credentialId,
+            accessedAt: r.accessedAt,
+            accessedBy: r.accessedBy,
+            action: r.action,
+            ip: r.ip,
+        }));
+    }
+    async countByCredentialId(credentialId) {
+        const result = (await this.db.select({ count: count() }).from(secretAuditLog).where(eq(secretAuditLog.credentialId, credentialId)))[0];
+        return result?.count ?? 0;
+    }
+}

package/dist/security/credential-vault/audit-repository.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/security/credential-vault/audit-repository.test.js ADDED Viewed

@@ -0,0 +1,78 @@
+import { randomUUID } from "node:crypto";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { DrizzleSecretAuditRepository } from "./audit-repository.js";
+let db;
+let pool;
+let repo;
+beforeAll(async () => {
+    ({ db, pool } = await createTestDb());
+});
+afterAll(async () => {
+    await pool.close();
+});
+beforeEach(async () => {
+    await truncateAllTables(pool);
+    repo = new DrizzleSecretAuditRepository(db);
+});
+describe("DrizzleSecretAuditRepository", () => {
+    const credentialId = "cred-1";
+    it("inserts and retrieves audit events", async () => {
+        const event = {
+            id: randomUUID(),
+            credentialId,
+            accessedAt: Date.now(),
+            accessedBy: "user-1",
+            action: "read",
+            ip: "127.0.0.1",
+        };
+        await repo.insert(event);
+        const events = await repo.listByCredentialId(credentialId, { limit: 50, offset: 0 });
+        expect(events).toHaveLength(1);
+        expect(events[0]).toMatchObject({
+            id: event.id,
+            credentialId,
+            accessedBy: "user-1",
+            action: "read",
+            ip: "127.0.0.1",
+        });
+    });
+    it("counts events by credential ID", async () => {
+        for (let i = 0; i < 3; i++) {
+            await repo.insert({
+                id: randomUUID(),
+                credentialId,
+                accessedAt: Date.now() + i,
+                accessedBy: "user-1",
+                action: "read",
+                ip: null,
+            });
+        }
+        const count = await repo.countByCredentialId(credentialId);
+        expect(count).toBe(3);
+    });
+    it("paginates results ordered by accessedAt desc", async () => {
+        for (let i = 0; i < 5; i++) {
+            await repo.insert({
+                id: randomUUID(),
+                credentialId,
+                accessedAt: 1000 + i,
+                accessedBy: "user-1",
+                action: "read",
+                ip: null,
+            });
+        }
+        const page1 = await repo.listByCredentialId(credentialId, { limit: 2, offset: 0 });
+        expect(page1).toHaveLength(2);
+        expect(page1[0]?.accessedAt).toBe(1004); // newest first
+        const page2 = await repo.listByCredentialId(credentialId, { limit: 2, offset: 2 });
+        expect(page2).toHaveLength(2);
+        expect(page2[0]?.accessedAt).toBe(1002);
+    });
+    it("returns empty for unknown credential", async () => {
+        const events = await repo.listByCredentialId("nonexistent", { limit: 50, offset: 0 });
+        expect(events).toHaveLength(0);
+        const count = await repo.countByCredentialId("nonexistent");
+        expect(count).toBe(0);
+    });
+});

package/dist/security/credential-vault/credential-repository.d.ts ADDED Viewed

@@ -0,0 +1,94 @@
+import type { PlatformDb } from "../../db/index.js";
+/** A full credential row from the database — includes encrypted value. */
+export interface CredentialRow {
+    id: string;
+    provider: string;
+    keyName: string;
+    encryptedValue: string;
+    authType: string;
+    authHeader: string | null;
+    isActive: boolean;
+    lastValidated: string | null;
+    createdAt: string;
+    rotatedAt: string | null;
+    createdBy: string;
+}
+/** A credential row without the encrypted value — for listing. */
+export interface CredentialSummaryRow {
+    id: string;
+    provider: string;
+    keyName: string;
+    authType: string;
+    authHeader: string | null;
+    isActive: boolean;
+    lastValidated: string | null;
+    createdAt: string;
+    rotatedAt: string | null;
+    createdBy: string;
+}
+export interface InsertCredentialRow {
+    id: string;
+    provider: string;
+    keyName: string;
+    encryptedValue: string;
+    authType: string;
+    authHeader: string | null;
+    createdBy: string;
+}
+/** Pure storage repository for provider credentials. No encryption logic. */
+export interface ICredentialRepository {
+    insert(data: InsertCredentialRow): Promise<void>;
+    getFullById(id: string): Promise<CredentialRow | null>;
+    getSummaryById(id: string): Promise<CredentialSummaryRow | null>;
+    list(provider?: string): Promise<CredentialSummaryRow[]>;
+    listActiveForProvider(provider: string): Promise<CredentialRow[]>;
+    updateEncryptedValue(id: string, encryptedValue: string): Promise<boolean>;
+    setActive(id: string, isActive: boolean): Promise<boolean>;
+    markValidated(id: string): Promise<boolean>;
+    deleteById(id: string): Promise<boolean>;
+}
+/** Narrow interface for migration-only access to provider_credentials encrypted values. */
+export interface ICredentialMigrationAccess {
+    listAllWithEncryptedValue(): Promise<Array<{
+        id: string;
+        encryptedValue: string;
+    }>>;
+    updateEncryptedValueOnly(id: string, encryptedValue: string): Promise<void>;
+}
+/** Narrow interface for tenant_api_keys migration access. */
+export interface IMigrationTenantKeyAccess {
+    listAll(): Promise<Array<{
+        id: string;
+        tenantId: string;
+        encryptedKey: string;
+    }>>;
+    updateEncryptedKey(id: string, encryptedKey: string): Promise<void>;
+}
+export declare class DrizzleCredentialRepository implements ICredentialRepository, ICredentialMigrationAccess {
+    private readonly db;
+    constructor(db: PlatformDb);
+    insert(data: InsertCredentialRow): Promise<void>;
+    getFullById(id: string): Promise<CredentialRow | null>;
+    getSummaryById(id: string): Promise<CredentialSummaryRow | null>;
+    list(provider?: string): Promise<CredentialSummaryRow[]>;
+    listActiveForProvider(provider: string): Promise<CredentialRow[]>;
+    updateEncryptedValue(id: string, encryptedValue: string): Promise<boolean>;
+    setActive(id: string, isActive: boolean): Promise<boolean>;
+    markValidated(id: string): Promise<boolean>;
+    deleteById(id: string): Promise<boolean>;
+    listAllWithEncryptedValue(): Promise<Array<{
+        id: string;
+        encryptedValue: string;
+    }>>;
+    updateEncryptedValueOnly(id: string, encryptedValue: string): Promise<void>;
+}
+export declare class DrizzleMigrationTenantKeyAccess implements IMigrationTenantKeyAccess {
+    private readonly db;
+    constructor(db: PlatformDb);
+    listAll(): Promise<Array<{
+        id: string;
+        tenantId: string;
+        encryptedKey: string;
+    }>>;
+    updateEncryptedKey(id: string, encryptedKey: string): Promise<void>;
+}

package/dist/security/credential-vault/credential-repository.js ADDED Viewed

@@ -0,0 +1,145 @@
+import { and, desc, eq } from "drizzle-orm";
+import { providerCredentials, tenantApiKeys } from "../../db/schema/index.js";
+// ---------------------------------------------------------------------------
+// Implementation
+// ---------------------------------------------------------------------------
+export class DrizzleCredentialRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async insert(data) {
+        await this.db.insert(providerCredentials).values({
+            id: data.id,
+            provider: data.provider,
+            keyName: data.keyName,
+            encryptedValue: data.encryptedValue,
+            authType: data.authType,
+            authHeader: data.authHeader,
+            isActive: true,
+            createdBy: data.createdBy,
+        });
+    }
+    async getFullById(id) {
+        const row = (await this.db.select().from(providerCredentials).where(eq(providerCredentials.id, id)))[0];
+        return row ? toFullRow(row) : null;
+    }
+    async getSummaryById(id) {
+        const row = (await this.db
+            .select({
+            id: providerCredentials.id,
+            provider: providerCredentials.provider,
+            keyName: providerCredentials.keyName,
+            authType: providerCredentials.authType,
+            authHeader: providerCredentials.authHeader,
+            isActive: providerCredentials.isActive,
+            lastValidated: providerCredentials.lastValidated,
+            createdAt: providerCredentials.createdAt,
+            rotatedAt: providerCredentials.rotatedAt,
+            createdBy: providerCredentials.createdBy,
+        })
+            .from(providerCredentials)
+            .where(eq(providerCredentials.id, id)))[0];
+        return row ?? null;
+    }
+    async list(provider) {
+        const where = provider ? eq(providerCredentials.provider, provider) : undefined;
+        return this.db
+            .select({
+            id: providerCredentials.id,
+            provider: providerCredentials.provider,
+            keyName: providerCredentials.keyName,
+            authType: providerCredentials.authType,
+            authHeader: providerCredentials.authHeader,
+            isActive: providerCredentials.isActive,
+            lastValidated: providerCredentials.lastValidated,
+            createdAt: providerCredentials.createdAt,
+            rotatedAt: providerCredentials.rotatedAt,
+            createdBy: providerCredentials.createdBy,
+        })
+            .from(providerCredentials)
+            .where(where)
+            .orderBy(desc(providerCredentials.createdAt));
+    }
+    async listActiveForProvider(provider) {
+        const rows = await this.db
+            .select()
+            .from(providerCredentials)
+            .where(and(eq(providerCredentials.provider, provider), eq(providerCredentials.isActive, true)));
+        return rows.map(toFullRow);
+    }
+    async updateEncryptedValue(id, encryptedValue) {
+        const result = await this.db
+            .update(providerCredentials)
+            .set({ encryptedValue, rotatedAt: new Date().toISOString() })
+            .where(eq(providerCredentials.id, id))
+            .returning({ id: providerCredentials.id });
+        return result.length > 0;
+    }
+    async setActive(id, isActive) {
+        const result = await this.db
+            .update(providerCredentials)
+            .set({ isActive })
+            .where(eq(providerCredentials.id, id))
+            .returning({ id: providerCredentials.id });
+        return result.length > 0;
+    }
+    async markValidated(id) {
+        const result = await this.db
+            .update(providerCredentials)
+            .set({ lastValidated: new Date().toISOString() })
+            .where(eq(providerCredentials.id, id))
+            .returning({ id: providerCredentials.id });
+        return result.length > 0;
+    }
+    async deleteById(id) {
+        const result = await this.db
+            .delete(providerCredentials)
+            .where(eq(providerCredentials.id, id))
+            .returning({ id: providerCredentials.id });
+        return result.length > 0;
+    }
+    async listAllWithEncryptedValue() {
+        return this.db
+            .select({ id: providerCredentials.id, encryptedValue: providerCredentials.encryptedValue })
+            .from(providerCredentials);
+    }
+    async updateEncryptedValueOnly(id, encryptedValue) {
+        await this.db.update(providerCredentials).set({ encryptedValue }).where(eq(providerCredentials.id, id));
+    }
+}
+// ---------------------------------------------------------------------------
+// Tenant key migration access (for migrate-plaintext.ts)
+// ---------------------------------------------------------------------------
+export class DrizzleMigrationTenantKeyAccess {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async listAll() {
+        return this.db
+            .select({ id: tenantApiKeys.id, tenantId: tenantApiKeys.tenantId, encryptedKey: tenantApiKeys.encryptedKey })
+            .from(tenantApiKeys);
+    }
+    async updateEncryptedKey(id, encryptedKey) {
+        await this.db.update(tenantApiKeys).set({ encryptedKey }).where(eq(tenantApiKeys.id, id));
+    }
+}
+// ---------------------------------------------------------------------------
+// Row -> Domain mapper
+// ---------------------------------------------------------------------------
+function toFullRow(row) {
+    return {
+        id: row.id,
+        provider: row.provider,
+        keyName: row.keyName,
+        encryptedValue: row.encryptedValue,
+        authType: row.authType,
+        authHeader: row.authHeader,
+        isActive: row.isActive,
+        lastValidated: row.lastValidated,
+        createdAt: row.createdAt,
+        rotatedAt: row.rotatedAt,
+        createdBy: row.createdBy,
+    };
+}

package/dist/security/credential-vault/credential-repository.test.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export {};

package/dist/security/credential-vault/credential-repository.test.js ADDED Viewed

@@ -0,0 +1,206 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { DrizzleCredentialRepository } from "./credential-repository.js";
+function makeRow(overrides = {}) {
+    return {
+        id: overrides.id ?? "cred-001",
+        provider: overrides.provider ?? "anthropic",
+        keyName: overrides.keyName ?? "Production Key",
+        encryptedValue: overrides.encryptedValue ?? "enc::cipher::abc123",
+        authType: overrides.authType ?? "header",
+        authHeader: overrides.authHeader ?? "x-api-key",
+        createdBy: overrides.createdBy ?? "admin-1",
+        ...overrides,
+    };
+}
+describe("DrizzleCredentialRepository", () => {
+    let pool;
+    let db;
+    let repo;
+    beforeAll(async () => {
+        ({ db, pool } = await createTestDb());
+    });
+    afterAll(async () => {
+        await pool.close();
+    });
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+        repo = new DrizzleCredentialRepository(db);
+    });
+    // --- CRUD: insert + getFullById ---
+    describe("insert + getFullById", () => {
+        it("inserts a credential and reads it back", async () => {
+            const row = makeRow();
+            await repo.insert(row);
+            const result = await repo.getFullById("cred-001");
+            expect(result).not.toBeNull();
+            expect(result?.id).toBe("cred-001");
+            expect(result?.provider).toBe("anthropic");
+            expect(result?.keyName).toBe("Production Key");
+            expect(result?.encryptedValue).toBe("enc::cipher::abc123");
+            expect(result?.authType).toBe("header");
+            expect(result?.authHeader).toBe("x-api-key");
+            expect(result?.isActive).toBe(true);
+            expect(result?.createdBy).toBe("admin-1");
+            expect(result?.createdAt).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+        });
+        it("returns null for non-existent ID", async () => {
+            const result = await repo.getFullById("no-such-id");
+            expect(result).toBeNull();
+        });
+    });
+    // --- getSummaryById ---
+    describe("getSummaryById", () => {
+        it("returns summary without encryptedValue", async () => {
+            await repo.insert(makeRow());
+            const summary = await repo.getSummaryById("cred-001");
+            expect(summary).not.toBeNull();
+            expect(summary?.id).toBe("cred-001");
+            expect(summary?.provider).toBe("anthropic");
+            expect(summary !== null && "encryptedValue" in summary).toBe(false);
+        });
+        it("returns null for non-existent ID", async () => {
+            expect(await repo.getSummaryById("missing")).toBeNull();
+        });
+    });
+    // --- list ---
+    describe("list", () => {
+        it("lists all credentials as summaries", async () => {
+            await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+            await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+            const all = await repo.list();
+            expect(all).toHaveLength(2);
+            for (const s of all) {
+                expect("encryptedValue" in s).toBe(false);
+            }
+        });
+        it("filters by provider", async () => {
+            await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+            await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+            const filtered = await repo.list("openai");
+            expect(filtered).toHaveLength(1);
+            expect(filtered[0].provider).toBe("openai");
+        });
+        it("returns empty array when no credentials exist", async () => {
+            expect(await repo.list()).toEqual([]);
+        });
+    });
+    // --- listActiveForProvider ---
+    describe("listActiveForProvider", () => {
+        it("returns only active credentials for a provider", async () => {
+            await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+            await repo.insert(makeRow({ id: "c2", provider: "anthropic" }));
+            await repo.setActive("c2", false);
+            const active = await repo.listActiveForProvider("anthropic");
+            expect(active).toHaveLength(1);
+            expect(active[0].id).toBe("c1");
+            expect(active[0].encryptedValue).toBe("enc::cipher::abc123");
+        });
+        it("does not return credentials from other providers", async () => {
+            await repo.insert(makeRow({ id: "c1", provider: "anthropic" }));
+            await repo.insert(makeRow({ id: "c2", provider: "openai" }));
+            const active = await repo.listActiveForProvider("anthropic");
+            expect(active).toHaveLength(1);
+            expect(active[0].id).toBe("c1");
+        });
+    });
+    // --- Encryption-at-rest verification ---
+    describe("encryption-at-rest", () => {
+        it("stores encryptedValue verbatim (round-trip fidelity)", async () => {
+            const encryptedValue = "ENCRYPTED::v1::abc123xyz";
+            await repo.insert(makeRow({ id: "enc-test", encryptedValue }));
+            const result = await repo.getFullById("enc-test");
+            expect(result?.encryptedValue).toBe(encryptedValue);
+        });
+        it("updateEncryptedValue changes the stored ciphertext", async () => {
+            await repo.insert(makeRow({ id: "rot-test", encryptedValue: "cipher-v1" }));
+            const updated = await repo.updateEncryptedValue("rot-test", "cipher-v2");
+            expect(updated).toBe(true);
+            const row = await repo.getFullById("rot-test");
+            expect(row?.encryptedValue).toBe("cipher-v2");
+            expect(row?.rotatedAt).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+        });
+    });
+    // --- Provider isolation (closest analog to tenant isolation) ---
+    describe("provider/creator isolation", () => {
+        it("list() with provider filter isolates results", async () => {
+            await repo.insert(makeRow({ id: "a1", provider: "anthropic", createdBy: "admin-A" }));
+            await repo.insert(makeRow({ id: "o1", provider: "openai", createdBy: "admin-B" }));
+            const anthropicCreds = await repo.list("anthropic");
+            expect(anthropicCreds).toHaveLength(1);
+            expect(anthropicCreds[0].id).toBe("a1");
+            const openaiCreds = await repo.list("openai");
+            expect(openaiCreds).toHaveLength(1);
+            expect(openaiCreds[0].id).toBe("o1");
+        });
+        it("getFullById only returns exact ID match", async () => {
+            await repo.insert(makeRow({ id: "a1", provider: "anthropic" }));
+            await repo.insert(makeRow({ id: "o1", provider: "openai" }));
+            expect(await repo.getFullById("a1")).not.toBeNull();
+            expect(await repo.getFullById("o1")).not.toBeNull();
+            expect(await repo.getFullById("a2")).toBeNull();
+        });
+    });
+    // --- deleteById ---
+    describe("deleteById", () => {
+        it("deletes an existing credential and returns true", async () => {
+            await repo.insert(makeRow({ id: "del-1" }));
+            expect(await repo.deleteById("del-1")).toBe(true);
+            expect(await repo.getFullById("del-1")).toBeNull();
+        });
+        it("returns false for non-existent ID", async () => {
+            expect(await repo.deleteById("no-such")).toBe(false);
+        });
+    });
+    // --- setActive ---
+    describe("setActive", () => {
+        it("deactivates an active credential", async () => {
+            await repo.insert(makeRow({ id: "sa-1" }));
+            expect(await repo.setActive("sa-1", false)).toBe(true);
+            const row = await repo.getFullById("sa-1");
+            expect(row?.isActive).toBe(false);
+        });
+        it("reactivates a deactivated credential", async () => {
+            await repo.insert(makeRow({ id: "sa-2" }));
+            await repo.setActive("sa-2", false);
+            expect(await repo.setActive("sa-2", true)).toBe(true);
+            const row = await repo.getFullById("sa-2");
+            expect(row?.isActive).toBe(true);
+        });
+        it("returns false for non-existent ID", async () => {
+            expect(await repo.setActive("missing", false)).toBe(false);
+        });
+    });
+    // --- markValidated ---
+    describe("markValidated", () => {
+        it("sets lastValidated timestamp", async () => {
+            await repo.insert(makeRow({ id: "mv-1" }));
+            expect(await repo.markValidated("mv-1")).toBe(true);
+            const row = await repo.getFullById("mv-1");
+            expect(row?.lastValidated).toMatch(/^\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}/);
+        });
+        it("returns false for non-existent ID", async () => {
+            expect(await repo.markValidated("missing")).toBe(false);
+        });
+    });
+    // --- Migration access ---
+    describe("listAllWithEncryptedValue", () => {
+        it("returns all IDs and encrypted values", async () => {
+            await repo.insert(makeRow({ id: "m1", encryptedValue: "ev1" }));
+            await repo.insert(makeRow({ id: "m2", encryptedValue: "ev2" }));
+            const rows = await repo.listAllWithEncryptedValue();
+            expect(rows).toHaveLength(2);
+            expect(rows.map((r) => r.id).sort()).toEqual(["m1", "m2"]);
+            expect(rows.find((r) => r.id === "m1")?.encryptedValue).toBe("ev1");
+        });
+    });
+    describe("updateEncryptedValueOnly", () => {
+        it("updates encrypted value without touching rotatedAt", async () => {
+            await repo.insert(makeRow({ id: "uev-1", encryptedValue: "old" }));
+            await repo.updateEncryptedValueOnly("uev-1", "new");
+            const row = await repo.getFullById("uev-1");
+            expect(row?.encryptedValue).toBe("new");
+            expect(row?.rotatedAt).toBeNull();
+        });
+    });
+});

package/dist/security/credential-vault/index.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+export type { SecretAuditEvent, ISecretAuditRepository } from "./audit-repository.js";
+export { DrizzleSecretAuditRepository } from "./audit-repository.js";
+export type { CredentialRow, CredentialSummaryRow, InsertCredentialRow, ICredentialMigrationAccess, ICredentialRepository, IMigrationTenantKeyAccess, } from "./credential-repository.js";
+export { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
+export type { RotationResult } from "./key-rotation.js";
+export { reEncryptAllCredentials } from "./key-rotation.js";
+export type { MigrationResult } from "./migrate-plaintext.js";
+export { migratePlaintextCredentials } from "./migrate-plaintext.js";
+export type { PlaintextFinding } from "./migration-check.js";
+export { auditCredentialEncryption } from "./migration-check.js";
+export type { AuthType, CreateCredentialInput, CredentialSummary, DecryptedCredential, ICredentialVaultStore, RotateCredentialInput, } from "./store.js";
+export { CredentialVaultStore, getVaultEncryptionKey } from "./store.js";

package/dist/security/credential-vault/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+export { DrizzleSecretAuditRepository } from "./audit-repository.js";
+export { DrizzleCredentialRepository, DrizzleMigrationTenantKeyAccess } from "./credential-repository.js";
+export { reEncryptAllCredentials } from "./key-rotation.js";
+export { migratePlaintextCredentials } from "./migrate-plaintext.js";
+export { auditCredentialEncryption } from "./migration-check.js";
+export { CredentialVaultStore, getVaultEncryptionKey } from "./store.js";

package/dist/security/credential-vault/key-rotation.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+import type { ICredentialMigrationAccess, IMigrationTenantKeyAccess } from "./credential-repository.js";
+export interface RotationResult {
+    providerCredentials: {
+        migrated: number;
+        errors: string[];
+    };
+    tenantKeys: {
+        migrated: number;
+        errors: string[];
+    };
+}
+/**
+ * Re-encrypt all credentials from oldSecret to newSecret.
+ *
+ * MUST be run inside a transaction by the caller.
+ * Back up the database before running this.
+ */
+export declare function reEncryptAllCredentials(credentialAccess: ICredentialMigrationAccess, tenantKeyAccess: IMigrationTenantKeyAccess, oldSecret: string, newSecret: string): Promise<RotationResult>;