@wopr-network/platform-core 0.1.0

package/dist/security/tenant-keys/key-resolution-repository.test.js

@@ -0,0 +1,72 @@
+import { randomUUID } from "node:crypto";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { tenantApiKeys } from "../../db/schema/tenant-api-keys.js";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { DrizzleKeyResolutionRepository } from "./key-resolution-repository.js";
+let db;
+let pool;
+async function insertKey(tenantId, provider, encryptedKey) {
+    const now = Date.now();
+    await db
+        .insert(tenantApiKeys)
+        .values({ id: randomUUID(), tenantId, provider, label: "", encryptedKey, createdAt: now, updatedAt: now });
+}
+beforeAll(async () => {
+    ({ db, pool } = await createTestDb());
+});
+afterAll(async () => {
+    await pool.close();
+});
+describe("DrizzleKeyResolutionRepository", () => {
+    let repo;
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+        repo = new DrizzleKeyResolutionRepository(db);
+    });
+    it("returns the encrypted key for a matching tenant and provider", async () => {
+        const payload = JSON.stringify({ iv: "aaa", authTag: "bbb", ciphertext: "ccc" });
+        await insertKey("tenant-1", "anthropic", payload);
+        const result = await repo.findEncryptedKey("tenant-1", "anthropic");
+        expect(result).not.toBeNull();
+        expect(result?.encryptedKey).toBe(payload);
+    });
+    it("returns null when no key exists for the tenant", async () => {
+        const result = await repo.findEncryptedKey("nonexistent-tenant", "anthropic");
+        expect(result).toBeNull();
+    });
+    it("returns null when no key exists for the provider", async () => {
+        const payload = JSON.stringify({ iv: "aaa", authTag: "bbb", ciphertext: "ccc" });
+        await insertKey("tenant-1", "anthropic", payload);
+        const result = await repo.findEncryptedKey("tenant-1", "openai");
+        expect(result).toBeNull();
+    });
+    it("isolates keys between tenants (cross-tenant isolation)", async () => {
+        const payloadA = JSON.stringify({ iv: "aaa", authTag: "bbb", ciphertext: "tenant-a-secret" });
+        const payloadB = JSON.stringify({ iv: "xxx", authTag: "yyy", ciphertext: "tenant-b-secret" });
+        await insertKey("tenant-a", "anthropic", payloadA);
+        await insertKey("tenant-b", "anthropic", payloadB);
+        const resultA = await repo.findEncryptedKey("tenant-a", "anthropic");
+        const resultB = await repo.findEncryptedKey("tenant-b", "anthropic");
+        expect(resultA).not.toBeNull();
+        expect(resultB).not.toBeNull();
+        expect(resultA?.encryptedKey).toBe(payloadA);
+        expect(resultB?.encryptedKey).toBe(payloadB);
+        expect(resultA?.encryptedKey).not.toBe(resultB?.encryptedKey);
+    });
+    it("tenant A cannot see tenant B keys", async () => {
+        const payload = JSON.stringify({ iv: "aaa", authTag: "bbb", ciphertext: "only-for-b" });
+        await insertKey("tenant-b", "openai", payload);
+        const result = await repo.findEncryptedKey("tenant-a", "openai");
+        expect(result).toBeNull();
+    });
+    it("returns correct key when tenant has multiple providers", async () => {
+        const anthropicPayload = JSON.stringify({ iv: "a1", authTag: "a2", ciphertext: "anthropic-key" });
+        const openaiPayload = JSON.stringify({ iv: "o1", authTag: "o2", ciphertext: "openai-key" });
+        await insertKey("tenant-1", "anthropic", anthropicPayload);
+        await insertKey("tenant-1", "openai", openaiPayload);
+        const anthropicResult = await repo.findEncryptedKey("tenant-1", "anthropic");
+        const openaiResult = await repo.findEncryptedKey("tenant-1", "openai");
+        expect(anthropicResult?.encryptedKey).toBe(anthropicPayload);
+        expect(openaiResult?.encryptedKey).toBe(openaiPayload);
+    });
+});

package/dist/security/tenant-keys/key-resolution.d.ts

@@ -0,0 +1,39 @@
+import type { Provider } from "../types.js";
+import type { IKeyResolutionRepository } from "./key-resolution-repository.js";
+/** Result of resolving which API key to use. */
+export interface ResolvedKey {
+    /** The plaintext API key. */
+    key: string;
+    /** Where the key came from. */
+    source: "tenant" | "pooled";
+    /** The provider the key is for. */
+    provider: Provider;
+}
+/**
+ * Resolve which API key to use for a given tenant and provider.
+ *
+ * Resolution order:
+ * 1. If the tenant has a BYOK key stored, decrypt and return it.
+ * 2. Otherwise, fall back to the pooled (platform-level) key from env vars.
+ * 3. If neither exists, return null.
+ *
+ * SECURITY: The decrypted key is returned to the caller and must be discarded
+ * after use. This function does not log, persist, or cache the plaintext key.
+ *
+ * @param repo - Repository for looking up tenant BYOK keys
+ * @param tenantId - The tenant requesting the key
+ * @param provider - The AI provider (anthropic, openai, google, discord)
+ * @param encryptionKey - The 32-byte key used to decrypt the stored BYOK key
+ * @param pooledKeys - Map of provider -> pooled API key (from env vars)
+ */
+export declare function resolveApiKey(repo: IKeyResolutionRepository, tenantId: string, provider: Provider, encryptionKey: Buffer, pooledKeys: Map<Provider, string>): Promise<ResolvedKey | null>;
+/**
+ * Build a pooled keys map from environment variables.
+ *
+ * Reads:
+ * - ANTHROPIC_API_KEY
+ * - OPENAI_API_KEY
+ * - GOOGLE_API_KEY
+ * - DISCORD_BOT_TOKEN
+ */
+export declare function buildPooledKeysMap(env?: Record<string, string | undefined>): Map<Provider, string>;

package/dist/security/tenant-keys/key-resolution.js

@@ -0,0 +1,59 @@
+import { decrypt } from "../encryption.js";
+/**
+ * Resolve which API key to use for a given tenant and provider.
+ *
+ * Resolution order:
+ * 1. If the tenant has a BYOK key stored, decrypt and return it.
+ * 2. Otherwise, fall back to the pooled (platform-level) key from env vars.
+ * 3. If neither exists, return null.
+ *
+ * SECURITY: The decrypted key is returned to the caller and must be discarded
+ * after use. This function does not log, persist, or cache the plaintext key.
+ *
+ * @param repo - Repository for looking up tenant BYOK keys
+ * @param tenantId - The tenant requesting the key
+ * @param provider - The AI provider (anthropic, openai, google, discord)
+ * @param encryptionKey - The 32-byte key used to decrypt the stored BYOK key
+ * @param pooledKeys - Map of provider -> pooled API key (from env vars)
+ */
+export async function resolveApiKey(repo, tenantId, provider, encryptionKey, pooledKeys) {
+    // 1. Check for tenant BYOK key
+    const row = await repo.findEncryptedKey(tenantId, provider);
+    if (row) {
+        const payload = JSON.parse(row.encryptedKey);
+        const plaintext = decrypt(payload, encryptionKey);
+        return { key: plaintext, source: "tenant", provider };
+    }
+    // 2. Fall back to pooled key
+    const pooledKey = pooledKeys.get(provider);
+    if (pooledKey) {
+        return { key: pooledKey, source: "pooled", provider };
+    }
+    // 3. No key available
+    return null;
+}
+/**
+ * Build a pooled keys map from environment variables.
+ *
+ * Reads:
+ * - ANTHROPIC_API_KEY
+ * - OPENAI_API_KEY
+ * - GOOGLE_API_KEY
+ * - DISCORD_BOT_TOKEN
+ */
+export function buildPooledKeysMap(env = process.env) {
+    const keys = new Map();
+    const mapping = [
+        ["ANTHROPIC_API_KEY", "anthropic"],
+        ["OPENAI_API_KEY", "openai"],
+        ["GOOGLE_API_KEY", "google"],
+        ["DISCORD_BOT_TOKEN", "discord"],
+    ];
+    for (const [envVar, provider] of mapping) {
+        const val = env[envVar]?.trim();
+        if (val) {
+            keys.set(provider, val);
+        }
+    }
+    return keys;
+}

package/dist/security/tenant-keys/key-resolution.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/tenant-keys/key-resolution.test.js

@@ -0,0 +1,97 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { encrypt, generateInstanceKey } from "../encryption.js";
+import { buildPooledKeysMap, resolveApiKey } from "./key-resolution.js";
+import { DrizzleKeyResolutionRepository } from "./key-resolution-repository.js";
+async function insertTenantKey(pool, tenantId, provider, encryptedKey) {
+    const { randomUUID } = await import("node:crypto");
+    const now = Date.now();
+    await pool.query("INSERT INTO tenant_api_keys (id, tenant_id, provider, label, encrypted_key, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6, $7)", [randomUUID(), tenantId, provider, "", JSON.stringify(encryptedKey), now, now]);
+}
+let db;
+let pool;
+beforeAll(async () => {
+    ({ db, pool } = await createTestDb());
+});
+afterAll(async () => {
+    await pool.close();
+});
+describe("resolveApiKey", () => {
+    let encryptionKey;
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+        encryptionKey = generateInstanceKey();
+    });
+    it("returns tenant BYOK key when one is stored", async () => {
+        const encrypted = encrypt("sk-ant-tenant-key", encryptionKey);
+        await insertTenantKey(pool, "t1", "anthropic", encrypted);
+        const pooled = new Map([["anthropic", "sk-ant-pooled"]]);
+        const result = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "anthropic", encryptionKey, pooled);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-ant-tenant-key");
+        expect(result?.source).toBe("tenant");
+        expect(result?.provider).toBe("anthropic");
+    });
+    it("falls back to pooled key when no tenant key stored", async () => {
+        const pooled = new Map([["openai", "sk-pooled-openai"]]);
+        const result = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "openai", encryptionKey, pooled);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-pooled-openai");
+        expect(result?.source).toBe("pooled");
+        expect(result?.provider).toBe("openai");
+    });
+    it("returns null when neither tenant nor pooled key exists", async () => {
+        const pooled = new Map();
+        const result = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "anthropic", encryptionKey, pooled);
+        expect(result).toBeNull();
+    });
+    it("resolves different providers independently", async () => {
+        const encrypted = encrypt("my-google-key", encryptionKey);
+        await insertTenantKey(pool, "t1", "google", encrypted);
+        const pooled = new Map([["anthropic", "sk-ant-pooled"]]);
+        const googleResult = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "google", encryptionKey, pooled);
+        expect(googleResult?.source).toBe("tenant");
+        expect(googleResult?.key).toBe("my-google-key");
+        const anthropicResult = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "anthropic", encryptionKey, pooled);
+        expect(anthropicResult?.source).toBe("pooled");
+        expect(anthropicResult?.key).toBe("sk-ant-pooled");
+        const discordResult = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "discord", encryptionKey, pooled);
+        expect(discordResult).toBeNull();
+    });
+    it("isolates keys between tenants", async () => {
+        const encrypted = encrypt("t1-anthropic-key", encryptionKey);
+        await insertTenantKey(pool, "t1", "anthropic", encrypted);
+        const pooled = new Map([["anthropic", "sk-ant-pooled"]]);
+        const t1Result = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t1", "anthropic", encryptionKey, pooled);
+        expect(t1Result?.source).toBe("tenant");
+        const t2Result = await resolveApiKey(new DrizzleKeyResolutionRepository(db), "t2", "anthropic", encryptionKey, pooled);
+        expect(t2Result?.source).toBe("pooled");
+    });
+});
+describe("buildPooledKeysMap", () => {
+    it("reads keys from environment variables", () => {
+        const env = {
+            ANTHROPIC_API_KEY: "sk-ant-test",
+            OPENAI_API_KEY: "sk-openai-test",
+            GOOGLE_API_KEY: "google-test",
+            DISCORD_BOT_TOKEN: "discord-test",
+        };
+        const keys = buildPooledKeysMap(env);
+        expect(keys.get("anthropic")).toBe("sk-ant-test");
+        expect(keys.get("openai")).toBe("sk-openai-test");
+        expect(keys.get("google")).toBe("google-test");
+        expect(keys.get("discord")).toBe("discord-test");
+    });
+    it("ignores missing env vars", () => {
+        const keys = buildPooledKeysMap({});
+        expect(keys.size).toBe(0);
+    });
+    it("trims whitespace from values", () => {
+        const keys = buildPooledKeysMap({ ANTHROPIC_API_KEY: "  sk-ant-test  " });
+        expect(keys.get("anthropic")).toBe("sk-ant-test");
+    });
+    it("ignores empty values", () => {
+        const keys = buildPooledKeysMap({ ANTHROPIC_API_KEY: "  " });
+        expect(keys.size).toBe(0);
+    });
+});

package/dist/security/tenant-keys/org-key-resolution.d.ts

@@ -0,0 +1,30 @@
+import type { PlatformDb } from "../../db/index.js";
+import type { Provider } from "../types.js";
+/** Minimal interface for org membership lookup (provided by consumer). */
+export interface IOrgMembershipRepository {
+    getOrgTenantIdForMember(memberTenantId: string): Promise<string | null>;
+}
+export declare class DrizzleOrgMembershipRepository implements IOrgMembershipRepository {
+    private readonly db;
+    constructor(db: PlatformDb);
+    getOrgTenantIdForMember(memberTenantId: string): Promise<string | null>;
+}
+/** Extended resolution result that includes "org" as a source. */
+export interface OrgResolvedKey {
+    key: string;
+    source: "tenant" | "org" | "pooled";
+    provider: Provider;
+}
+/**
+ * Resolve API key with org fallback.
+ *
+ * Resolution order:
+ * 1. Personal tenant BYOK key
+ * 2. Org tenant BYOK key (if member belongs to an org)
+ * 3. Pooled platform key
+ * 4. null
+ *
+ * @param lookupKey - Callback to look up a decrypted key for a given tenantId, provider, and encryption key
+ * @param deriveKey - Function to derive encryption key for a given tenantId
+ */
+export declare function resolveApiKeyWithOrgFallback(lookupKey: (tenantId: string, provider: Provider, encKey: Buffer) => Promise<string | null>, tenantId: string, provider: Provider, encryptionKey: Buffer, pooledKeys: Map<Provider, string>, deriveKey: (tenantId: string) => Buffer, orgMembershipRepo: IOrgMembershipRepository): Promise<OrgResolvedKey | null>;

package/dist/security/tenant-keys/org-key-resolution.js

@@ -0,0 +1,50 @@
+import { eq } from "drizzle-orm";
+import { orgMemberships } from "../../db/schema/index.js";
+export class DrizzleOrgMembershipRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    async getOrgTenantIdForMember(memberTenantId) {
+        const rows = await this.db
+            .select({ orgTenantId: orgMemberships.orgTenantId })
+            .from(orgMemberships)
+            .where(eq(orgMemberships.memberTenantId, memberTenantId));
+        return rows[0]?.orgTenantId ?? null;
+    }
+}
+/**
+ * Resolve API key with org fallback.
+ *
+ * Resolution order:
+ * 1. Personal tenant BYOK key
+ * 2. Org tenant BYOK key (if member belongs to an org)
+ * 3. Pooled platform key
+ * 4. null
+ *
+ * @param lookupKey - Callback to look up a decrypted key for a given tenantId, provider, and encryption key
+ * @param deriveKey - Function to derive encryption key for a given tenantId
+ */
+export async function resolveApiKeyWithOrgFallback(lookupKey, tenantId, provider, encryptionKey, pooledKeys, deriveKey, orgMembershipRepo) {
+    // 1. Check personal tenant key
+    const personal = await lookupKey(tenantId, provider, encryptionKey);
+    if (personal) {
+        return { key: personal, source: "tenant", provider };
+    }
+    // 2. Check org membership and org key
+    const orgTenantId = await orgMembershipRepo.getOrgTenantIdForMember(tenantId);
+    if (orgTenantId) {
+        const orgEncKey = deriveKey(orgTenantId);
+        const orgResult = await lookupKey(orgTenantId, provider, orgEncKey);
+        if (orgResult) {
+            return { key: orgResult, source: "org", provider };
+        }
+    }
+    // 3. Pooled key
+    const pooledKey = pooledKeys.get(provider);
+    if (pooledKey) {
+        return { key: pooledKey, source: "pooled", provider };
+    }
+    // 4. None
+    return null;
+}

package/dist/security/tenant-keys/org-key-resolution.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/security/tenant-keys/org-key-resolution.test.js

@@ -0,0 +1,103 @@
+import { randomUUID } from "node:crypto";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { createTestDb, truncateAllTables } from "../../test/db.js";
+import { encrypt, generateInstanceKey } from "../encryption.js";
+import { resolveApiKey } from "./key-resolution.js";
+import { DrizzleKeyResolutionRepository } from "./key-resolution-repository.js";
+import { DrizzleOrgMembershipRepository, resolveApiKeyWithOrgFallback } from "./org-key-resolution.js";
+async function insertTenantKey(pool, tenantId, provider, encryptedKey) {
+    const now = Date.now();
+    await pool.query("INSERT INTO tenant_api_keys (id, tenant_id, provider, label, encrypted_key, created_at, updated_at) VALUES ($1, $2, $3, $4, $5, $6, $7)", [randomUUID(), tenantId, provider, "", JSON.stringify(encryptedKey), now, now]);
+}
+async function insertOrgMembership(pool, orgTenantId, memberTenantId) {
+    await pool.query("INSERT INTO org_memberships (org_tenant_id, member_tenant_id, created_at) VALUES ($1, $2, $3)", [
+        orgTenantId,
+        memberTenantId,
+        Date.now(),
+    ]);
+}
+describe("resolveApiKeyWithOrgFallback", () => {
+    let db;
+    let pool;
+    let membershipRepo;
+    let encryptionKey;
+    let orgEncryptionKey;
+    const pooled = new Map();
+    beforeAll(async () => {
+        ({ db, pool } = await createTestDb());
+    });
+    afterAll(async () => {
+        await pool.close();
+    });
+    beforeEach(async () => {
+        await truncateAllTables(pool);
+        membershipRepo = new DrizzleOrgMembershipRepository(db);
+        encryptionKey = generateInstanceKey();
+        orgEncryptionKey = generateInstanceKey();
+    });
+    it("returns personal key when member has one (no org fallback)", async () => {
+        const encrypted = encrypt("sk-personal", encryptionKey);
+        await insertTenantKey(pool, "member-1", "anthropic", encrypted);
+        await insertOrgMembership(pool, "org-1", "member-1");
+        const orgEncrypted = encrypt("sk-org", orgEncryptionKey);
+        await insertTenantKey(pool, "org-1", "anthropic", orgEncrypted);
+        const result = await resolveApiKeyWithOrgFallback((tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null), "member-1", "anthropic", encryptionKey, pooled, (tenantId) => (tenantId === "org-1" ? orgEncryptionKey : encryptionKey), membershipRepo);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-personal");
+        expect(result?.source).toBe("tenant");
+    });
+    it("falls back to org key when member has no personal key", async () => {
+        await insertOrgMembership(pool, "org-1", "member-1");
+        const orgEncrypted = encrypt("sk-org-key", orgEncryptionKey);
+        await insertTenantKey(pool, "org-1", "anthropic", orgEncrypted);
+        const result = await resolveApiKeyWithOrgFallback((tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null), "member-1", "anthropic", encryptionKey, pooled, (tenantId) => (tenantId === "org-1" ? orgEncryptionKey : encryptionKey), membershipRepo);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-org-key");
+        expect(result?.source).toBe("org");
+    });
+    it("falls back to pooled when neither member nor org has a key", async () => {
+        await insertOrgMembership(pool, "org-1", "member-1");
+        const pooledKeys = new Map([["anthropic", "sk-pooled"]]);
+        const result = await resolveApiKeyWithOrgFallback((tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null), "member-1", "anthropic", encryptionKey, pooledKeys, () => encryptionKey, membershipRepo);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-pooled");
+        expect(result?.source).toBe("pooled");
+    });
+    it("returns null when no key exists anywhere", async () => {
+        const result = await resolveApiKeyWithOrgFallback((tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null), "member-1", "anthropic", encryptionKey, pooled, () => encryptionKey, membershipRepo);
+        expect(result).toBeNull();
+    });
+    it("works for tenants not in any org (same as resolveApiKey)", async () => {
+        const encrypted = encrypt("sk-solo", encryptionKey);
+        await insertTenantKey(pool, "solo-tenant", "openai", encrypted);
+        const result = await resolveApiKeyWithOrgFallback((tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null), "solo-tenant", "openai", encryptionKey, pooled, () => encryptionKey, membershipRepo);
+        expect(result).not.toBeNull();
+        expect(result?.key).toBe("sk-solo");
+        expect(result?.source).toBe("tenant");
+    });
+    it("full chain: personal > org > pooled > null", async () => {
+        const memberKey = generateInstanceKey();
+        const orgKey = generateInstanceKey();
+        const pooledKeys = new Map([["discord", "pooled-discord"]]);
+        const deriveKey = (tid) => (tid === "org-1" ? orgKey : memberKey);
+        await insertOrgMembership(pool, "org-1", "m1");
+        await insertTenantKey(pool, "m1", "anthropic", encrypt("personal-anthropic", memberKey));
+        await insertTenantKey(pool, "org-1", "openai", encrypt("org-openai", orgKey));
+        const lookupKey = (tid, prov, encKey) => resolveApiKey(new DrizzleKeyResolutionRepository(db), tid, prov, encKey, new Map()).then((r) => r?.key ?? null);
+        // anthropic: personal wins
+        const r1 = await resolveApiKeyWithOrgFallback(lookupKey, "m1", "anthropic", memberKey, pooledKeys, deriveKey, membershipRepo);
+        expect(r1?.source).toBe("tenant");
+        expect(r1?.key).toBe("personal-anthropic");
+        // openai: org fallback
+        const r2 = await resolveApiKeyWithOrgFallback(lookupKey, "m1", "openai", memberKey, pooledKeys, deriveKey, membershipRepo);
+        expect(r2?.source).toBe("org");
+        expect(r2?.key).toBe("org-openai");
+        // discord: pooled fallback
+        const r3 = await resolveApiKeyWithOrgFallback(lookupKey, "m1", "discord", memberKey, pooledKeys, deriveKey, membershipRepo);
+        expect(r3?.source).toBe("pooled");
+        expect(r3?.key).toBe("pooled-discord");
+        // google: null
+        const r4 = await resolveApiKeyWithOrgFallback(lookupKey, "m1", "google", memberKey, new Map(), deriveKey, membershipRepo);
+        expect(r4).toBeNull();
+    });
+});

package/dist/security/tenant-keys/tenant-key-repository.d.ts

@@ -0,0 +1,36 @@
+import type { PlatformDb } from "../../db/index.js";
+import type { EncryptedPayload } from "../types.js";
+/** A stored tenant API key record. */
+export interface TenantApiKey {
+    id: string;
+    tenant_id: string;
+    provider: string;
+    /** Label for display (e.g. "My Anthropic key"). Never contains the key itself. */
+    label: string;
+    /** AES-256-GCM encrypted key payload (JSON-serialized EncryptedPayload). */
+    encrypted_key: string;
+    created_at: number;
+    updated_at: number;
+}
+export interface ITenantKeyRepository {
+    upsert(tenantId: string, provider: string, encryptedKey: EncryptedPayload, label?: string): Promise<string>;
+    get(tenantId: string, provider: string): Promise<TenantApiKey | undefined>;
+    listForTenant(tenantId: string): Promise<Omit<TenantApiKey, "encrypted_key">[]>;
+    delete(tenantId: string, provider: string): Promise<boolean>;
+    deleteAllForTenant(tenantId: string): Promise<number>;
+}
+/** CRUD store for tenant API keys using Drizzle ORM. */
+export declare class TenantKeyRepository implements ITenantKeyRepository {
+    private readonly db;
+    constructor(db: PlatformDb);
+    /** Store or replace a tenant's key for a provider. Returns the record ID. */
+    upsert(tenantId: string, provider: string, encryptedKey: EncryptedPayload, label?: string): Promise<string>;
+    /** Get a tenant's key record for a provider. Returns undefined if none stored. */
+    get(tenantId: string, provider: string): Promise<TenantApiKey | undefined>;
+    /** List all key records for a tenant. Never returns plaintext keys. */
+    listForTenant(tenantId: string): Promise<Omit<TenantApiKey, "encrypted_key">[]>;
+    /** Delete a tenant's key for a provider. Returns true if a row was deleted. */
+    delete(tenantId: string, provider: string): Promise<boolean>;
+    /** Delete all keys for a tenant. Returns the number of rows deleted. */
+    deleteAllForTenant(tenantId: string): Promise<number>;
+}

package/dist/security/tenant-keys/tenant-key-repository.js

@@ -0,0 +1,96 @@
+import { randomUUID } from "node:crypto";
+import { and, eq } from "drizzle-orm";
+import { tenantApiKeys } from "../../db/schema/index.js";
+/** CRUD store for tenant API keys using Drizzle ORM. */
+export class TenantKeyRepository {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /** Store or replace a tenant's key for a provider. Returns the record ID. */
+    async upsert(tenantId, provider, encryptedKey, label = "") {
+        const now = Date.now();
+        const serialized = JSON.stringify(encryptedKey);
+        const existing = await this.db
+            .select({ id: tenantApiKeys.id })
+            .from(tenantApiKeys)
+            .where(and(eq(tenantApiKeys.tenantId, tenantId), eq(tenantApiKeys.provider, provider)))
+            .limit(1);
+        if (existing.length > 0) {
+            await this.db
+                .update(tenantApiKeys)
+                .set({ encryptedKey: serialized, label, updatedAt: now })
+                .where(eq(tenantApiKeys.id, existing[0].id));
+            return existing[0].id;
+        }
+        const id = randomUUID();
+        await this.db.insert(tenantApiKeys).values({
+            id,
+            tenantId,
+            provider,
+            label,
+            encryptedKey: serialized,
+            createdAt: now,
+            updatedAt: now,
+        });
+        return id;
+    }
+    /** Get a tenant's key record for a provider. Returns undefined if none stored. */
+    async get(tenantId, provider) {
+        const rows = await this.db
+            .select()
+            .from(tenantApiKeys)
+            .where(and(eq(tenantApiKeys.tenantId, tenantId), eq(tenantApiKeys.provider, provider)))
+            .limit(1);
+        if (rows.length === 0)
+            return undefined;
+        const r = rows[0];
+        return {
+            id: r.id,
+            tenant_id: r.tenantId,
+            provider: r.provider,
+            label: r.label,
+            encrypted_key: r.encryptedKey,
+            created_at: r.createdAt,
+            updated_at: r.updatedAt,
+        };
+    }
+    /** List all key records for a tenant. Never returns plaintext keys. */
+    async listForTenant(tenantId) {
+        const rows = await this.db
+            .select({
+            id: tenantApiKeys.id,
+            tenantId: tenantApiKeys.tenantId,
+            provider: tenantApiKeys.provider,
+            label: tenantApiKeys.label,
+            createdAt: tenantApiKeys.createdAt,
+            updatedAt: tenantApiKeys.updatedAt,
+        })
+            .from(tenantApiKeys)
+            .where(eq(tenantApiKeys.tenantId, tenantId));
+        return rows.map((r) => ({
+            id: r.id,
+            tenant_id: r.tenantId,
+            provider: r.provider,
+            label: r.label,
+            created_at: r.createdAt,
+            updated_at: r.updatedAt,
+        }));
+    }
+    /** Delete a tenant's key for a provider. Returns true if a row was deleted. */
+    async delete(tenantId, provider) {
+        const result = await this.db
+            .delete(tenantApiKeys)
+            .where(and(eq(tenantApiKeys.tenantId, tenantId), eq(tenantApiKeys.provider, provider)))
+            .returning({ id: tenantApiKeys.id });
+        return result.length > 0;
+    }
+    /** Delete all keys for a tenant. Returns the number of rows deleted. */
+    async deleteAllForTenant(tenantId) {
+        const result = await this.db
+            .delete(tenantApiKeys)
+            .where(eq(tenantApiKeys.tenantId, tenantId))
+            .returning({ id: tenantApiKeys.id });
+        return result.length;
+    }
+}

package/dist/security/tenant-keys/tenant-key-repository.test.d.ts

@@ -0,0 +1 @@
+export {};