@zincapp/znvault-cli 2.19.0 → 2.19.1

package/dist/lib/db/health.js

@@ -0,0 +1,177 @@
+// Path: src/lib/db/health.ts
+import { REDIS_PING_TIMEOUT_MS, REDIS_SENTINEL_TIMEOUT_MS } from '../constants.js';
+import { BaseDBClient } from './client.js';
+export class HealthOperations extends BaseDBClient {
+    async health() {
+        await this.connect();
+        const dbTime = await this.queryOne('SELECT NOW() as now');
+        const version = await this.getVaultVersion();
+        const haEnabled = process.env.HA_ENABLED === 'true';
+        const nodeId = process.env.HA_NODE_ID ?? 'standalone';
+        const pgStatus = await this.getPostgresStatus();
+        const redisStatus = await this.getRedisStatus();
+        let clusterSize = 1;
+        let isLeader = false;
+        if (haEnabled && redisStatus.status === 'ok') {
+            const clusterInfo = await this.getClusterInfoFromRedis();
+            clusterSize = clusterInfo.nodeCount;
+            isLeader = clusterInfo.leaderNodeId === nodeId;
+        }
+        return {
+            status: 'ok',
+            version,
+            uptime: process.uptime(),
+            timestamp: dbTime?.now.toISOString() ?? new Date().toISOString(),
+            database: pgStatus,
+            redis: redisStatus.status !== 'unavailable' ? redisStatus : undefined,
+            ha: haEnabled ? {
+                enabled: true,
+                nodeId,
+                isLeader,
+                clusterSize,
+            } : undefined,
+        };
+    }
+    async clusterStatus() {
+        await this.connect();
+        const haEnabled = process.env.HA_ENABLED === 'true';
+        const nodeId = process.env.HA_NODE_ID ?? 'unknown';
+        let nodes = [];
+        try {
+            const dbNodes = await this.query(`
+        SELECT node_id, advertised_host, advertised_port, is_leader, last_heartbeat, status
+        FROM ha_nodes
+        ORDER BY node_id
+      `);
+            nodes = dbNodes.map(n => ({
+                nodeId: n.node_id,
+                host: n.advertised_host,
+                port: n.advertised_port,
+                isLeader: n.is_leader,
+                isHealthy: n.status === 'healthy',
+                lastHeartbeat: n.last_heartbeat.toISOString(),
+            }));
+        }
+        catch {
+            // Table might not exist in non-HA setups
+        }
+        const leader = nodes.find(n => n.isLeader);
+        return {
+            enabled: haEnabled,
+            nodeId,
+            isLeader: leader?.nodeId === nodeId,
+            leaderNodeId: leader?.nodeId ?? null,
+            nodes,
+        };
+    }
+    async getVaultVersion() {
+        try {
+            const fs = await import('node:fs');
+            const manifestPaths = [
+                '/opt/znvault/current/MANIFEST.json',
+                '/opt/znvault/current/manifest.json',
+            ];
+            for (const manifestPath of manifestPaths) {
+                if (fs.existsSync(manifestPath)) {
+                    const manifest = JSON.parse(fs.readFileSync(manifestPath, 'utf-8'));
+                    return manifest.version ?? '1.2.9';
+                }
+            }
+        }
+        catch {
+            // Ignore
+        }
+        return process.env.npm_package_version ?? '1.2.9';
+    }
+    async getPostgresStatus() {
+        try {
+            const recovery = await this.queryOne('SELECT pg_is_in_recovery() as in_recovery');
+            if (recovery?.in_recovery) {
+                const lag = await this.queryOne("SELECT pg_wal_lsn_diff(pg_last_wal_receive_lsn(), pg_last_wal_replay_lsn()) as lag_bytes");
+                return {
+                    status: 'ok',
+                    role: 'replica',
+                    replicationLag: lag ? parseInt(lag.lag_bytes, 10) : 0,
+                };
+            }
+            const replicas = await this.query('SELECT client_addr, state FROM pg_stat_replication');
+            return {
+                status: 'ok',
+                role: 'primary',
+                replicationLag: replicas.length > 0 ? 0 : undefined,
+            };
+        }
+        catch {
+            return { status: 'ok' };
+        }
+    }
+    async getRedisStatus() {
+        const sentinelNodes = process.env.REDIS_SENTINEL_NODES;
+        const sentinelMaster = process.env.REDIS_SENTINEL_MASTER ?? 'znvault-master';
+        if (!sentinelNodes) {
+            if (process.env.REDIS_URL) {
+                try {
+                    const result = await this.execAsync(`redis-cli -u "${process.env.REDIS_URL}" PING 2>/dev/null`, REDIS_PING_TIMEOUT_MS);
+                    return { status: result.trim() === 'PONG' ? 'ok' : 'error' };
+                }
+                catch {
+                    return { status: 'error' };
+                }
+            }
+            return { status: 'unavailable' };
+        }
+        try {
+            const nodes = sentinelNodes.split(',');
+            const nodeResults = await Promise.allSettled(nodes.map(async (node) => {
+                const [host, port] = node.split(':');
+                const result = await this.execAsync(`redis-cli -h ${host} -p ${port} SENTINEL get-master-addr-by-name ${sentinelMaster} 2>/dev/null`, REDIS_SENTINEL_TIMEOUT_MS);
+                return result.trim();
+            }));
+            let healthyNodes = 0;
+            let masterHost = '';
+            for (const result of nodeResults) {
+                if (result.status === 'fulfilled' && result.value) {
+                    healthyNodes++;
+                    if (!masterHost) {
+                        const lines = result.value.split('\n');
+                        masterHost = lines[0] ?? '';
+                    }
+                }
+            }
+            return {
+                status: healthyNodes >= 2 ? 'ok' : (healthyNodes > 0 ? 'degraded' : 'error'),
+                sentinelNodes: healthyNodes,
+                master: masterHost || undefined,
+            };
+        }
+        catch {
+            return { status: 'error' };
+        }
+    }
+    async getClusterInfoFromRedis() {
+        const sentinelNodes = process.env.REDIS_SENTINEL_NODES;
+        const sentinelMaster = process.env.REDIS_SENTINEL_MASTER ?? 'znvault-master';
+        if (!sentinelNodes) {
+            return { nodeCount: 1, leaderNodeId: null };
+        }
+        try {
+            const nodes = sentinelNodes.split(',');
+            const [host, port] = nodes[0].split(':');
+            const masterResult = await this.execAsync(`redis-cli -h ${host} -p ${port} SENTINEL get-master-addr-by-name ${sentinelMaster} 2>/dev/null`, 3000);
+            const masterHost = masterResult.trim().split('\n')[0];
+            const masterPort = masterResult.trim().split('\n')[1] ?? '6379';
+            const [nodesResult, leaderResult] = await Promise.all([
+                this.execAsync(`redis-cli -h ${masterHost} -p ${masterPort} HGETALL 'zn-vault:nodes' 2>/dev/null`, 3000),
+                this.execAsync(`redis-cli -h ${masterHost} -p ${masterPort} GET 'zn-vault:leader' 2>/dev/null`, 3000),
+            ]);
+            const lines = nodesResult.trim().split('\n').filter(l => l);
+            const nodeCount = Math.max(Math.floor(lines.length / 2), 1);
+            const leaderNodeId = leaderResult.trim() || null;
+            return { nodeCount, leaderNodeId };
+        }
+        catch {
+            return { nodeCount: 3, leaderNodeId: null };
+        }
+    }
+}
+//# sourceMappingURL=health.js.map

package/dist/lib/db/health.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.js","sourceRoot":"","sources":["../../../src/lib/db/health.ts"],"names":[],"mappings":"AAAA,6BAA6B;AAO7B,OAAO,EAAE,qBAAqB,EAAE,yBAAyB,EAAE,MAAM,iBAAiB,CAAC;AAEnF,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,OAAO,gBAAiB,SAAQ,YAAY;IAChD,KAAK,CAAC,MAAM;QACV,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAErB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAgB,qBAAqB,CAAC,CAAC;QACzE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC;QAE7C,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,MAAM,CAAC;QACpD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,YAAY,CAAC;QAEtD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,iBAAiB,EAAE,CAAC;QAChD,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAEhD,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,QAAQ,GAAG,KAAK,CAAC;QACrB,IAAI,SAAS,IAAI,WAAW,CAAC,MAAM,KAAK,IAAI,EAAE,CAAC;YAC7C,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,uBAAuB,EAAE,CAAC;YACzD,WAAW,GAAG,WAAW,CAAC,SAAS,CAAC;YACpC,QAAQ,GAAG,WAAW,CAAC,YAAY,KAAK,MAAM,CAAC;QACjD,CAAC;QAED,OAAO;YACL,MAAM,EAAE,IAAI;YACZ,OAAO;YACP,MAAM,EAAE,OAAO,CAAC,MAAM,EAAE;YACxB,SAAS,EAAE,MAAM,EAAE,GAAG,CAAC,WAAW,EAAE,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YAChE,QAAQ,EAAE,QAAQ;YAClB,KAAK,EAAE,WAAW,CAAC,MAAM,KAAK,aAAa,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS;YACrE,EAAE,EAAE,SAAS,CAAC,CAAC,CAAC;gBACd,OAAO,EAAE,IAAI;gBACb,MAAM;gBACN,QAAQ;gBACR,WAAW;aACZ,CAAC,CAAC,CAAC,SAAS;SACd,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,aAAa;QACjB,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC;QAErB,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,KAAK,MAAM,CAAC;QACpD,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,SAAS,CAAC;QAEnD,IAAI,KAAK,GAAkB,EAAE,CAAC;QAC9B,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAY;;;;OAI3C,CAAC,CAAC;YAEH,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACxB,MAAM,EAAE,CAAC,CAAC,OAAO;gBACjB,IAAI,EAAE,CAAC,CAAC,eAAe;gBACvB,IAAI,EAAE,CAAC,CAAC,eAAe;gBACvB,QAAQ,EAAE,CAAC,CAAC,SAAS;gBACrB,SAAS,EAAE,CAAC,CAAC,MAAM,KAAK,SAAS;gBACjC,aAAa,EAAE,CAAC,CAAC,cAAc,CAAC,WAAW,EAAE;aAC9C,CAAC,CAAC,CAAC;QACN,CAAC;QAAC,MAAM,CAAC;YACP,yCAAyC;QAC3C,CAAC;QAED,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QAE3C,OAAO;YACL,OAAO,EAAE,SAAS;YAClB,MAAM;YACN,QAAQ,EAAE,MAAM,EAAE,MAAM,KAAK,MAAM;YACnC,YAAY,EAAE,MAAM,EAAE,MAAM,IAAI,IAAI;YACpC,KAAK;SACN,CAAC;IACJ,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,IAAI,CAAC;YACH,MAAM,EAAE,GAAG,MAAM,MAAM,CAAC,SAAS,CAAC,CAAC;YACnC,MAAM,aAAa,GAAG;gBACpB,oCAAoC;gBACpC,oCAAoC;aACrC,CAAC;YACF,KAAK,MAAM,YAAY,IAAI,aAAa,EAAE,CAAC;gBACzC,IAAI,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;oBAChC,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,EAAE,OAAO,CAAC,CAAiB,CAAC;oBACpF,OAAO,QAAQ,CAAC,OAAO,IAAI,OAAO,CAAC;gBACrC,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,SAAS;QACX,CAAC;QACD,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,IAAI,OAAO,CAAC;IACpD,CAAC;IAEO,KAAK,CAAC,iBAAiB;QAC7B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,QAAQ,CAClC,2CAA2C,CAC5C,CAAC;YAEF,IAAI,QAAQ,EAAE,WAAW,EAAE,CAAC;gBAC1B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC7B,0FAA0F,CAC3F,CAAC;gBACF,OAAO;oBACL,MAAM,EAAE,IAAI;oBACZ,IAAI,EAAE,SAAS;oBACf,cAAc,EAAE,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,SAAS,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;iBACtD,CAAC;YACJ,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAC/B,oDAAoD,CACrD,CAAC;YAEF,OAAO;gBACL,MAAM,EAAE,IAAI;gBACZ,IAAI,EAAE,SAAS;gBACf,cAAc,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS;aACpD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;QAC1B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACvD,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,gBAAgB,CAAC;QAE7E,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,IAAI,OAAO,CAAC,GAAG,CAAC,SAAS,EAAE,CAAC;gBAC1B,IAAI,CAAC;oBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CACjC,iBAAiB,OAAO,CAAC,GAAG,CAAC,SAAS,oBAAoB,EAC1D,qBAAqB,CACtB,CAAC;oBACF,OAAO,EAAE,MAAM,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK,MAAM,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,OAAO,EAAE,CAAC;gBAC/D,CAAC;gBAAC,MAAM,CAAC;oBACP,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;gBAC7B,CAAC;YACH,CAAC;YACD,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,CAAC;QACnC,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAEvC,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,UAAU,CAC1C,KAAK,CAAC,GAAG,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;gBACvB,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;gBACrC,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,SAAS,CACjC,gBAAgB,IAAI,OAAO,IAAI,qCAAqC,cAAc,cAAc,EAChG,yBAAyB,CAC1B,CAAC;gBACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC;YACvB,CAAC,CAAC,CACH,CAAC;YAEF,IAAI,YAAY,GAAG,CAAC,CAAC;YACrB,IAAI,UAAU,GAAG,EAAE,CAAC;YAEpB,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;gBACjC,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;oBAClD,YAAY,EAAE,CAAC;oBACf,IAAI,CAAC,UAAU,EAAE,CAAC;wBAChB,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBACvC,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;oBAC9B,CAAC;gBACH,CAAC;YACH,CAAC;YAED,OAAO;gBACL,MAAM,EAAE,YAAY,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC;gBAC5E,aAAa,EAAE,YAAY;gBAC3B,MAAM,EAAE,UAAU,IAAI,SAAS;aAChC,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;QAC7B,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,uBAAuB;QACnC,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACvD,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,qBAAqB,IAAI,gBAAgB,CAAC;QAE7E,IAAI,CAAC,aAAa,EAAE,CAAC;YACnB,OAAO,EAAE,SAAS,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;QAC9C,CAAC;QAED,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,aAAa,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACvC,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAEzC,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,SAAS,CACvC,gBAAgB,IAAI,OAAO,IAAI,qCAAqC,cAAc,cAAc,EAChG,IAAI,CACL,CAAC;YACF,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;YACtD,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;YAEhE,MAAM,CAAC,WAAW,EAAE,YAAY,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;gBACpD,IAAI,CAAC,SAAS,CACZ,gBAAgB,UAAU,OAAO,UAAU,uCAAuC,EAClF,IAAI,CACL;gBACD,IAAI,CAAC,SAAS,CACZ,gBAAgB,UAAU,OAAO,UAAU,oCAAoC,EAC/E,IAAI,CACL;aACF,CAAC,CAAC;YAEH,MAAM,KAAK,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YAC5D,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YAC5D,MAAM,YAAY,GAAG,YAAY,CAAC,IAAI,EAAE,IAAI,IAAI,CAAC;YAEjD,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,CAAC;QACrC,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,SAAS,EAAE,CAAC,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC;QAC9C,CAAC;IACH,CAAC;CACF"}

package/dist/lib/db/index.d.ts

@@ -0,0 +1,56 @@
+import { TenantOperations } from './tenants.js';
+import { UserOperations } from './users.js';
+import { LockdownOperations } from './lockdown.js';
+import { AuditOperations } from './audit.js';
+export * from './types.js';
+/**
+ * Composite database client that combines all operation modules.
+ * Uses composition pattern to delegate to specialized operation classes.
+ */
+export declare class LocalDBClient {
+    private healthOps;
+    private tenantOps;
+    private userOps;
+    private lockdownOps;
+    private auditOps;
+    private emergencyOps;
+    constructor();
+    connect(): Promise<void>;
+    close(): Promise<void>;
+    disconnect(): Promise<void>;
+    health: () => Promise<import("../../types/index.js").HealthResponse>;
+    clusterStatus: () => Promise<import("../../types/index.js").ClusterStatus>;
+    listTenants: (options?: Parameters<TenantOperations["listTenants"]>[0]) => Promise<import("../../types/index.js").TenantWithUsage[]>;
+    getTenant: (id: string, withUsage?: boolean) => Promise<import("../../types/index.js").TenantWithUsage | null>;
+    getTenantUsage: (id: string) => Promise<import("../../types/index.js").TenantUsage>;
+    listUsers: (options?: Parameters<UserOperations["listUsers"]>[0]) => Promise<import("../../types/index.js").User[]>;
+    getUser: (id: string) => Promise<import("../../types/index.js").User | null>;
+    getUserByUsername: (username: string) => Promise<import("../../types/index.js").User | null>;
+    listSuperadmins: () => Promise<import("../../types/index.js").Superadmin[]>;
+    getLockdownStatus: () => Promise<import("../../types/index.js").LockdownStatus>;
+    getLockdownHistory: (limit?: number) => Promise<import("../../types/index.js").LockdownHistoryEntry[]>;
+    getThreats: (options?: Parameters<LockdownOperations["getThreats"]>[0]) => Promise<import("../../types/index.js").ThreatEvent[]>;
+    listAudit: (options?: Parameters<AuditOperations["listAudit"]>[0]) => Promise<import("../../types/index.js").AuditEntry[]>;
+    verifyAuditChain: () => Promise<import("../../types/index.js").AuditVerifyResult>;
+    testConnection: () => Promise<import("./emergency.js").ConnectionTestResult>;
+    getUserStatus: (username: string) => Promise<import("./emergency.js").UserStatusResult>;
+    resetPassword: (username: string, newPassword: string) => Promise<import("./emergency.js").OperationResult>;
+    unlockUser: (username: string) => Promise<import("./emergency.js").OperationResult>;
+    disableTotp: (username: string) => Promise<import("./emergency.js").OperationResult>;
+}
+/**
+ * Legacy EmergencyDBClient class (alias for LocalDBClient)
+ * @deprecated Use LocalDBClient instead
+ */
+export declare class EmergencyDBClient extends LocalDBClient {
+    constructor();
+}
+/**
+ * Check if emergency DB access is available
+ */
+export declare function isEmergencyDbAvailable(): boolean;
+/**
+ * Check if local mode is available (more comprehensive check)
+ */
+export declare function isLocalDbAvailable(): boolean;
+//# sourceMappingURL=index.d.ts.map

package/dist/lib/db/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/lib/db/index.ts"],"names":[],"mappings":"AASA,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAI7C,cAAc,YAAY,CAAC;AAE3B;;;GAGG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,SAAS,CAAmB;IACpC,OAAO,CAAC,SAAS,CAAmB;IACpC,OAAO,CAAC,OAAO,CAAiB;IAChC,OAAO,CAAC,WAAW,CAAqB;IACxC,OAAO,CAAC,QAAQ,CAAkB;IAClC,OAAO,CAAC,YAAY,CAAsB;;IAapC,OAAO,IAAI,OAAO,CAAC,IAAI,CAAC;IAIxB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAYtB,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC;IAKjC,MAAM,+DAAiC;IACvC,aAAa,8DAAwC;IAGrD,WAAW,GAAI,UAAU,UAAU,CAAC,gBAAgB,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,+DACjC;IACtC,SAAS,GAAI,IAAI,MAAM,EAAE,YAAY,OAAO,oEACF;IAC1C,cAAc,GAAI,IAAI,MAAM,yDACQ;IAGpC,SAAS,GAAI,UAAU,UAAU,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,oDAC/B;IAClC,OAAO,GAAI,IAAI,MAAM,yDACM;IAC3B,iBAAiB,GAAI,UAAU,MAAM,yDACM;IAC3C,eAAe,6DACkB;IAGjC,iBAAiB,+DACsB;IACvC,kBAAkB,GAAI,QAAQ,MAAM,oEACS;IAC7C,UAAU,GAAI,UAAU,UAAU,CAAC,kBAAkB,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,2DAChC;IAGvC,SAAS,GAAI,UAAU,UAAU,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,0DAC/B;IACnC,gBAAgB,kEACmB;IAGnC,cAAc,+DACuB;IACrC,aAAa,GAAI,UAAU,MAAM,wDACW;IAC5C,aAAa,GAAI,UAAU,MAAM,EAAE,aAAa,MAAM,uDACG;IACzD,UAAU,GAAI,UAAU,MAAM,uDACW;IACzC,WAAW,GAAI,UAAU,MAAM,uDACW;CAC3C;AAID;;;GAGG;AACH,qBAAa,iBAAkB,SAAQ,aAAa;;CAWnD;AAED;;GAEG;AACH,wBAAgB,sBAAsB,IAAI,OAAO,CAEhD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,OAAO,CAG5C"}

package/dist/lib/db/index.js

@@ -0,0 +1,107 @@
+// Path: src/lib/db/index.ts
+/**
+ * Modular database client for direct PostgreSQL operations.
+ * Used for local mode (running on vault nodes) and emergency operations.
+ */
+import { getLocalConfig } from '../local.js';
+import { HealthOperations } from './health.js';
+import { TenantOperations } from './tenants.js';
+import { UserOperations } from './users.js';
+import { LockdownOperations } from './lockdown.js';
+import { AuditOperations } from './audit.js';
+import { EmergencyOperations } from './emergency.js';
+// Re-export types
+export * from './types.js';
+/**
+ * Composite database client that combines all operation modules.
+ * Uses composition pattern to delegate to specialized operation classes.
+ */
+export class LocalDBClient {
+    healthOps;
+    tenantOps;
+    userOps;
+    lockdownOps;
+    auditOps;
+    emergencyOps;
+    constructor() {
+        // All operations share the same connection strategy via BaseDBClient
+        this.healthOps = new HealthOperations();
+        this.tenantOps = new TenantOperations();
+        this.userOps = new UserOperations();
+        this.lockdownOps = new LockdownOperations();
+        this.auditOps = new AuditOperations();
+        this.emergencyOps = new EmergencyOperations();
+    }
+    // Connection management - delegate to health ops (or any op, they all have the same base)
+    async connect() {
+        await this.healthOps.connect();
+    }
+    async close() {
+        // Close all connections
+        await Promise.all([
+            this.healthOps.close(),
+            this.tenantOps.close(),
+            this.userOps.close(),
+            this.lockdownOps.close(),
+            this.auditOps.close(),
+            this.emergencyOps.close(),
+        ]);
+    }
+    async disconnect() {
+        return this.close();
+    }
+    // ============ Health ============
+    health = () => this.healthOps.health();
+    clusterStatus = () => this.healthOps.clusterStatus();
+    // ============ Tenants ============
+    listTenants = (options) => this.tenantOps.listTenants(options);
+    getTenant = (id, withUsage) => this.tenantOps.getTenant(id, withUsage);
+    getTenantUsage = (id) => this.tenantOps.getTenantUsage(id);
+    // ============ Users ============
+    listUsers = (options) => this.userOps.listUsers(options);
+    getUser = (id) => this.userOps.getUser(id);
+    getUserByUsername = (username) => this.userOps.getUserByUsername(username);
+    listSuperadmins = () => this.userOps.listSuperadmins();
+    // ============ Lockdown ============
+    getLockdownStatus = () => this.lockdownOps.getLockdownStatus();
+    getLockdownHistory = (limit) => this.lockdownOps.getLockdownHistory(limit);
+    getThreats = (options) => this.lockdownOps.getThreats(options);
+    // ============ Audit ============
+    listAudit = (options) => this.auditOps.listAudit(options);
+    verifyAuditChain = () => this.auditOps.verifyAuditChain();
+    // ============ Emergency Operations ============
+    testConnection = () => this.emergencyOps.testConnection();
+    getUserStatus = (username) => this.emergencyOps.getUserStatus(username);
+    resetPassword = (username, newPassword) => this.emergencyOps.resetPassword(username, newPassword);
+    unlockUser = (username) => this.emergencyOps.unlockUser(username);
+    disableTotp = (username) => this.emergencyOps.disableTotp(username);
+}
+// ============ Legacy exports for backward compatibility ============
+/**
+ * Legacy EmergencyDBClient class (alias for LocalDBClient)
+ * @deprecated Use LocalDBClient instead
+ */
+export class EmergencyDBClient extends LocalDBClient {
+    constructor() {
+        // For emergency operations, DATABASE_URL must be set
+        if (!process.env.DATABASE_URL) {
+            throw new Error('DATABASE_URL environment variable is required for emergency operations.\n' +
+                'This should only be set when running directly on a vault node.');
+        }
+        super();
+    }
+}
+/**
+ * Check if emergency DB access is available
+ */
+export function isEmergencyDbAvailable() {
+    return !!process.env.DATABASE_URL;
+}
+/**
+ * Check if local mode is available (more comprehensive check)
+ */
+export function isLocalDbAvailable() {
+    const config = getLocalConfig();
+    return config !== null;
+}
+//# sourceMappingURL=index.js.map

package/dist/lib/db/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/lib/db/index.ts"],"names":[],"mappings":"AAAA,4BAA4B;AAE5B;;;GAGG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,aAAa,CAAC;AAC/C,OAAO,EAAE,gBAAgB,EAAE,MAAM,cAAc,CAAC;AAChD,OAAO,EAAE,cAAc,EAAE,MAAM,YAAY,CAAC;AAC5C,OAAO,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AACnD,OAAO,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAC7C,OAAO,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAErD,kBAAkB;AAClB,cAAc,YAAY,CAAC;AAE3B;;;GAGG;AACH,MAAM,OAAO,aAAa;IAChB,SAAS,CAAmB;IAC5B,SAAS,CAAmB;IAC5B,OAAO,CAAiB;IACxB,WAAW,CAAqB;IAChC,QAAQ,CAAkB;IAC1B,YAAY,CAAsB;IAE1C;QACE,qEAAqE;QACrE,IAAI,CAAC,SAAS,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACxC,IAAI,CAAC,SAAS,GAAG,IAAI,gBAAgB,EAAE,CAAC;QACxC,IAAI,CAAC,OAAO,GAAG,IAAI,cAAc,EAAE,CAAC;QACpC,IAAI,CAAC,WAAW,GAAG,IAAI,kBAAkB,EAAE,CAAC;QAC5C,IAAI,CAAC,QAAQ,GAAG,IAAI,eAAe,EAAE,CAAC;QACtC,IAAI,CAAC,YAAY,GAAG,IAAI,mBAAmB,EAAE,CAAC;IAChD,CAAC;IAED,0FAA0F;IAC1F,KAAK,CAAC,OAAO;QACX,MAAM,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,KAAK;QACT,wBAAwB;QACxB,MAAM,OAAO,CAAC,GAAG,CAAC;YAChB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACtB,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE;YACtB,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE;YACpB,IAAI,CAAC,WAAW,CAAC,KAAK,EAAE;YACxB,IAAI,CAAC,QAAQ,CAAC,KAAK,EAAE;YACrB,IAAI,CAAC,YAAY,CAAC,KAAK,EAAE;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,UAAU;QACd,OAAO,IAAI,CAAC,KAAK,EAAE,CAAC;IACtB,CAAC;IAED,mCAAmC;IACnC,MAAM,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,CAAC;IACvC,aAAa,GAAG,GAAG,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC;IAErD,oCAAoC;IACpC,WAAW,GAAG,CAAC,OAAwD,EAAE,EAAE,CACzE,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACtC,SAAS,GAAG,CAAC,EAAU,EAAE,SAAmB,EAAE,EAAE,CAC9C,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,CAAC,CAAC;IAC1C,cAAc,GAAG,CAAC,EAAU,EAAE,EAAE,CAC9B,IAAI,CAAC,SAAS,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;IAEpC,kCAAkC;IAClC,SAAS,GAAG,CAAC,OAAoD,EAAE,EAAE,CACnE,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IAClC,OAAO,GAAG,CAAC,EAAU,EAAE,EAAE,CACvB,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC;IAC3B,iBAAiB,GAAG,CAAC,QAAgB,EAAE,EAAE,CACvC,IAAI,CAAC,OAAO,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAC3C,eAAe,GAAG,GAAG,EAAE,CACrB,IAAI,CAAC,OAAO,CAAC,eAAe,EAAE,CAAC;IAEjC,qCAAqC;IACrC,iBAAiB,GAAG,GAAG,EAAE,CACvB,IAAI,CAAC,WAAW,CAAC,iBAAiB,EAAE,CAAC;IACvC,kBAAkB,GAAG,CAAC,KAAc,EAAE,EAAE,CACtC,IAAI,CAAC,WAAW,CAAC,kBAAkB,CAAC,KAAK,CAAC,CAAC;IAC7C,UAAU,GAAG,CAAC,OAAyD,EAAE,EAAE,CACzE,IAAI,CAAC,WAAW,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;IAEvC,kCAAkC;IAClC,SAAS,GAAG,CAAC,OAAqD,EAAE,EAAE,CACpE,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC;IACnC,gBAAgB,GAAG,GAAG,EAAE,CACtB,IAAI,CAAC,QAAQ,CAAC,gBAAgB,EAAE,CAAC;IAEnC,iDAAiD;IACjD,cAAc,GAAG,GAAG,EAAE,CACpB,IAAI,CAAC,YAAY,CAAC,cAAc,EAAE,CAAC;IACrC,aAAa,GAAG,CAAC,QAAgB,EAAE,EAAE,CACnC,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,QAAQ,CAAC,CAAC;IAC5C,aAAa,GAAG,CAAC,QAAgB,EAAE,WAAmB,EAAE,EAAE,CACxD,IAAI,CAAC,YAAY,CAAC,aAAa,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IACzD,UAAU,GAAG,CAAC,QAAgB,EAAE,EAAE,CAChC,IAAI,CAAC,YAAY,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC;IACzC,WAAW,GAAG,CAAC,QAAgB,EAAE,EAAE,CACjC,IAAI,CAAC,YAAY,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;CAC3C;AAED,sEAAsE;AAEtE;;;GAGG;AACH,MAAM,OAAO,iBAAkB,SAAQ,aAAa;IAClD;QACE,qDAAqD;QACrD,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,2EAA2E;gBAC3E,gEAAgE,CACjE,CAAC;QACJ,CAAC;QACD,KAAK,EAAE,CAAC;IACV,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB;IACpC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AACpC,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,MAAM,GAAG,cAAc,EAAE,CAAC;IAChC,OAAO,MAAM,KAAK,IAAI,CAAC;AACzB,CAAC"}

package/dist/lib/db/lockdown.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Lockdown and security operations
+ */
+import type { LockdownStatus, ThreatEvent, LockdownHistoryEntry } from '../../types/index.js';
+import { BaseDBClient } from './client.js';
+export declare class LockdownOperations extends BaseDBClient {
+    getLockdownStatus(): Promise<LockdownStatus>;
+    getLockdownHistory(limit?: number): Promise<LockdownHistoryEntry[]>;
+    getThreats(options?: {
+        category?: string;
+        since?: string;
+        limit?: number;
+    }): Promise<ThreatEvent[]>;
+}
+//# sourceMappingURL=lockdown.d.ts.map

package/dist/lib/db/lockdown.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"lockdown.d.ts","sourceRoot":"","sources":["../../../src/lib/db/lockdown.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,WAAW,EAAE,oBAAoB,EAAE,MAAM,sBAAsB,CAAC;AAE9F,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,qBAAa,kBAAmB,SAAQ,YAAY;IAC5C,iBAAiB,IAAI,OAAO,CAAC,cAAc,CAAC;IAwB5C,kBAAkB,CAAC,KAAK,GAAE,MAAW,GAAG,OAAO,CAAC,oBAAoB,EAAE,CAAC;IAiBvE,UAAU,CAAC,OAAO,CAAC,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;CAoC1G"}

package/dist/lib/db/lockdown.js

@@ -0,0 +1,67 @@
+// Path: src/lib/db/lockdown.ts
+import { BaseDBClient } from './client.js';
+export class LockdownOperations extends BaseDBClient {
+    async getLockdownStatus() {
+        const row = await this.queryOne('SELECT * FROM lockdown_state ORDER BY updated_at DESC LIMIT 1');
+        if (!row) {
+            return {
+                scope: 'SYSTEM',
+                status: 'NORMAL',
+                escalationCount: 0,
+            };
+        }
+        return {
+            scope: row.scope,
+            tenantId: row.tenant_id ?? undefined,
+            status: row.status,
+            reason: row.reason ?? undefined,
+            triggeredAt: row.triggered_at?.toISOString(),
+            triggeredBy: row.triggered_by ?? undefined,
+            escalationCount: row.escalation_count,
+        };
+    }
+    async getLockdownHistory(limit = 50) {
+        const rows = await this.query('SELECT * FROM lockdown_history ORDER BY created_at DESC LIMIT $1', [limit]);
+        return rows.map(r => ({
+            id: r.id,
+            previousStatus: r.previous_status,
+            newStatus: r.new_status,
+            transitionReason: r.transition_reason,
+            changedByUserId: r.changed_by_user_id ?? undefined,
+            changedBySystem: r.changed_by_system,
+            ts: r.created_at.toISOString(),
+        }));
+    }
+    async getThreats(options) {
+        let sql = 'SELECT * FROM threat_events WHERE 1=1';
+        const params = [];
+        let paramIndex = 1;
+        if (options?.category) {
+            sql += ` AND category = $${paramIndex++}`;
+            params.push(options.category);
+        }
+        if (options?.since) {
+            sql += ` AND created_at >= $${paramIndex++}`;
+            params.push(new Date(options.since));
+        }
+        sql += ` ORDER BY created_at DESC LIMIT $${paramIndex}`;
+        params.push(options?.limit ?? 100);
+        const rows = await this.query(sql, params);
+        return rows.map(r => ({
+            id: r.id,
+            ts: r.created_at.toISOString(),
+            tenantId: r.tenant_id ?? undefined,
+            userId: r.user_id ?? undefined,
+            ip: r.ip,
+            userAgent: r.user_agent ?? undefined,
+            category: r.category,
+            signal: r.signal,
+            suggestedLevel: r.suggested_level,
+            endpoint: r.endpoint,
+            method: r.method,
+            statusCode: r.status_code,
+            escalated: r.escalated,
+        }));
+    }
+}
+//# sourceMappingURL=lockdown.js.map

package/dist/lib/db/lockdown.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"lockdown.js","sourceRoot":"","sources":["../../../src/lib/db/lockdown.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAQ/B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,OAAO,kBAAmB,SAAQ,YAAY;IAClD,KAAK,CAAC,iBAAiB;QACrB,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC7B,+DAA+D,CAChE,CAAC;QAEF,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO;gBACL,KAAK,EAAE,QAAQ;gBACf,MAAM,EAAE,QAAQ;gBAChB,eAAe,EAAE,CAAC;aACnB,CAAC;QACJ,CAAC;QAED,OAAO;YACL,KAAK,EAAE,GAAG,CAAC,KAA4B;YACvC,QAAQ,EAAE,GAAG,CAAC,SAAS,IAAI,SAAS;YACpC,MAAM,EAAE,GAAG,CAAC,MAAgE;YAC5E,MAAM,EAAE,GAAG,CAAC,MAAM,IAAI,SAAS;YAC/B,WAAW,EAAE,GAAG,CAAC,YAAY,EAAE,WAAW,EAAE;YAC5C,WAAW,EAAE,GAAG,CAAC,YAAY,IAAI,SAAS;YAC1C,eAAe,EAAE,GAAG,CAAC,gBAAgB;SACtC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,kBAAkB,CAAC,QAAgB,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAC3B,kEAAkE,EAClE,CAAC,KAAK,CAAC,CACR,CAAC;QAEF,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpB,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,cAAc,EAAE,CAAC,CAAC,eAAe;YACjC,SAAS,EAAE,CAAC,CAAC,UAAU;YACvB,gBAAgB,EAAE,CAAC,CAAC,iBAAiB;YACrC,eAAe,EAAE,CAAC,CAAC,kBAAkB,IAAI,SAAS;YAClD,eAAe,EAAE,CAAC,CAAC,iBAAiB;YACpC,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;SAC/B,CAAC,CAAC,CAAC;IACN,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAA+D;QAC9E,IAAI,GAAG,GAAG,uCAAuC,CAAC;QAClD,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,IAAI,UAAU,GAAG,CAAC,CAAC;QAEnB,IAAI,OAAO,EAAE,QAAQ,EAAE,CAAC;YACtB,GAAG,IAAI,oBAAoB,UAAU,EAAE,EAAE,CAAC;YAC1C,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAChC,CAAC;QAED,IAAI,OAAO,EAAE,KAAK,EAAE,CAAC;YACnB,GAAG,IAAI,uBAAuB,UAAU,EAAE,EAAE,CAAC;YAC7C,MAAM,CAAC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;QACvC,CAAC;QAED,GAAG,IAAI,oCAAoC,UAAU,EAAE,CAAC;QACxD,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,CAAC,CAAC;QAEnC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAiB,GAAG,EAAE,MAAM,CAAC,CAAC;QAE3D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YACpB,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,EAAE,EAAE,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;YAC9B,QAAQ,EAAE,CAAC,CAAC,SAAS,IAAI,SAAS;YAClC,MAAM,EAAE,CAAC,CAAC,OAAO,IAAI,SAAS;YAC9B,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,SAAS,EAAE,CAAC,CAAC,UAAU,IAAI,SAAS;YACpC,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,cAAc,EAAE,CAAC,CAAC,eAAe;YACjC,QAAQ,EAAE,CAAC,CAAC,QAAQ;YACpB,MAAM,EAAE,CAAC,CAAC,MAAM;YAChB,UAAU,EAAE,CAAC,CAAC,WAAW;YACzB,SAAS,EAAE,CAAC,CAAC,SAAS;SACvB,CAAC,CAAC,CAAC;IACN,CAAC;CACF"}

package/dist/lib/db/tenants.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Tenant database operations
+ */
+import type { TenantWithUsage, TenantUsage } from '../../types/index.js';
+import { BaseDBClient } from './client.js';
+export declare class TenantOperations extends BaseDBClient {
+    listTenants(options?: {
+        status?: string;
+        withUsage?: boolean;
+    }): Promise<TenantWithUsage[]>;
+    getTenant(id: string, withUsage?: boolean): Promise<TenantWithUsage | null>;
+    getTenantUsage(id: string): Promise<TenantUsage>;
+}
+//# sourceMappingURL=tenants.d.ts.map

package/dist/lib/db/tenants.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenants.d.ts","sourceRoot":"","sources":["../../../src/lib/db/tenants.ts"],"names":[],"mappings":"AAEA;;GAEG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAEzE,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,qBAAa,gBAAiB,SAAQ,YAAY;IAC1C,WAAW,CAAC,OAAO,CAAC,EAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,SAAS,CAAC,EAAE,OAAO,CAAA;KAAE,GAAG,OAAO,CAAC,eAAe,EAAE,CAAC;IA2D3F,SAAS,CAAC,EAAE,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;IAgC3E,cAAc,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,CAAC;CA0BvD"}

package/dist/lib/db/tenants.js

@@ -0,0 +1,88 @@
+// Path: src/lib/db/tenants.ts
+import { BaseDBClient } from './client.js';
+export class TenantOperations extends BaseDBClient {
+    async listTenants(options) {
+        const withUsage = options?.withUsage ?? false;
+        let sql;
+        if (withUsage) {
+            sql = `
+        SELECT t.id, t.name, t.status, t.max_secrets, t.max_kms_keys, t.contact_email,
+               t.created_at, t.updated_at,
+               (SELECT COUNT(*) FROM secrets WHERE tenant = t.id) as secrets_count,
+               (SELECT COUNT(*) FROM kms_keys WHERE tenant_id = t.id) as kms_keys_count,
+               (SELECT COUNT(*) FROM users WHERE tenant_id = t.id) as users_count,
+               (SELECT COUNT(*) FROM api_keys WHERE tenant_id = t.id) as api_keys_count
+        FROM tenants t
+      `;
+        }
+        else {
+            sql = `
+        SELECT t.id, t.name, t.status, t.max_secrets, t.max_kms_keys, t.contact_email,
+               t.created_at, t.updated_at
+        FROM tenants t
+      `;
+        }
+        const params = [];
+        if (options?.status) {
+            sql += ' WHERE t.status = $1';
+            params.push(options.status);
+        }
+        sql += ' ORDER BY t.name';
+        const rows = await this.query(sql, params);
+        return rows.map(r => {
+            const tenant = {
+                id: r.id,
+                name: r.name,
+                status: r.status,
+                maxSecrets: r.max_secrets ?? undefined,
+                maxKmsKeys: r.max_kms_keys ?? undefined,
+                contactEmail: r.contact_email ?? undefined,
+                createdAt: r.created_at.toISOString(),
+                updatedAt: r.updated_at.toISOString(),
+            };
+            if (withUsage) {
+                tenant.usage = {
+                    secretsCount: parseInt(r.secrets_count ?? '0', 10),
+                    kmsKeysCount: parseInt(r.kms_keys_count ?? '0', 10),
+                    storageUsedMb: 0,
+                    usersCount: parseInt(r.users_count ?? '0', 10),
+                    apiKeysCount: parseInt(r.api_keys_count ?? '0', 10),
+                };
+            }
+            return tenant;
+        });
+    }
+    async getTenant(id, withUsage) {
+        const row = await this.queryOne('SELECT * FROM tenants WHERE id = $1', [id]);
+        if (!row)
+            return null;
+        const tenant = {
+            id: row.id,
+            name: row.name,
+            status: row.status,
+            maxSecrets: row.max_secrets ?? undefined,
+            maxKmsKeys: row.max_kms_keys ?? undefined,
+            contactEmail: row.contact_email ?? undefined,
+            createdAt: row.created_at.toISOString(),
+            updatedAt: row.updated_at.toISOString(),
+        };
+        if (withUsage) {
+            tenant.usage = await this.getTenantUsage(id);
+        }
+        return tenant;
+    }
+    async getTenantUsage(id) {
+        const secrets = await this.queryOne('SELECT COUNT(*) as count FROM secrets WHERE tenant = $1', [id]);
+        const kmsKeys = await this.queryOne('SELECT COUNT(*) as count FROM kms_keys WHERE tenant_id = $1', [id]);
+        const users = await this.queryOne('SELECT COUNT(*) as count FROM users WHERE tenant_id = $1', [id]);
+        const apiKeys = await this.queryOne('SELECT COUNT(*) as count FROM api_keys WHERE tenant_id = $1', [id]);
+        return {
+            secretsCount: parseInt(secrets?.count ?? '0', 10),
+            kmsKeysCount: parseInt(kmsKeys?.count ?? '0', 10),
+            storageUsedMb: 0,
+            usersCount: parseInt(users?.count ?? '0', 10),
+            apiKeysCount: parseInt(apiKeys?.count ?? '0', 10),
+        };
+    }
+}
+//# sourceMappingURL=tenants.js.map

package/dist/lib/db/tenants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tenants.js","sourceRoot":"","sources":["../../../src/lib/db/tenants.ts"],"names":[],"mappings":"AAAA,8BAA8B;AAQ9B,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,MAAM,OAAO,gBAAiB,SAAQ,YAAY;IAChD,KAAK,CAAC,WAAW,CAAC,OAAkD;QAClE,MAAM,SAAS,GAAG,OAAO,EAAE,SAAS,IAAI,KAAK,CAAC;QAE9C,IAAI,GAAW,CAAC;QAChB,IAAI,SAAS,EAAE,CAAC;YACd,GAAG,GAAG;;;;;;;;OAQL,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,GAAG,GAAG;;;;OAIL,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAc,EAAE,CAAC;QAE7B,IAAI,OAAO,EAAE,MAAM,EAAE,CAAC;YACpB,GAAG,IAAI,sBAAsB,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC9B,CAAC;QAED,GAAG,IAAI,kBAAkB,CAAC;QAE1B,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,KAAK,CAAY,GAAG,EAAE,MAAM,CAAC,CAAC;QAEtD,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAClB,MAAM,MAAM,GAAoB;gBAC9B,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,MAAM,EAAE,CAAC,CAAC,MAA6C;gBACvD,UAAU,EAAE,CAAC,CAAC,WAAW,IAAI,SAAS;gBACtC,UAAU,EAAE,CAAC,CAAC,YAAY,IAAI,SAAS;gBACvC,YAAY,EAAE,CAAC,CAAC,aAAa,IAAI,SAAS;gBAC1C,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;gBACrC,SAAS,EAAE,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE;aACtC,CAAC;YAEF,IAAI,SAAS,EAAE,CAAC;gBACd,MAAM,CAAC,KAAK,GAAG;oBACb,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,aAAa,IAAI,GAAG,EAAE,EAAE,CAAC;oBAClD,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,cAAc,IAAI,GAAG,EAAE,EAAE,CAAC;oBACnD,aAAa,EAAE,CAAC;oBAChB,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC,WAAW,IAAI,GAAG,EAAE,EAAE,CAAC;oBAC9C,YAAY,EAAE,QAAQ,CAAC,CAAC,CAAC,cAAc,IAAI,GAAG,EAAE,EAAE,CAAC;iBACpD,CAAC;YACJ,CAAC;YAED,OAAO,MAAM,CAAC;QAChB,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,CAAC,SAAS,CAAC,EAAU,EAAE,SAAmB;QAC7C,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,QAAQ,CAS5B,qCAAqC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAEhD,IAAI,CAAC,GAAG;YAAE,OAAO,IAAI,CAAC;QAEtB,MAAM,MAAM,GAAoB;YAC9B,EAAE,EAAE,GAAG,CAAC,EAAE;YACV,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAA6C;YACzD,UAAU,EAAE,GAAG,CAAC,WAAW,IAAI,SAAS;YACxC,UAAU,EAAE,GAAG,CAAC,YAAY,IAAI,SAAS;YACzC,YAAY,EAAE,GAAG,CAAC,aAAa,IAAI,SAAS;YAC5C,SAAS,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;YACvC,SAAS,EAAE,GAAG,CAAC,UAAU,CAAC,WAAW,EAAE;SACxC,CAAC;QAEF,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,KAAK,GAAG,MAAM,IAAI,CAAC,cAAc,CAAC,EAAE,CAAC,CAAC;QAC/C,CAAC;QAED,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,CAAC,cAAc,CAAC,EAAU;QAC7B,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CACjC,yDAAyD,EACzD,CAAC,EAAE,CAAC,CACL,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CACjC,6DAA6D,EAC7D,CAAC,EAAE,CAAC,CACL,CAAC;QACF,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,QAAQ,CAC/B,0DAA0D,EAC1D,CAAC,EAAE,CAAC,CACL,CAAC;QACF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CACjC,6DAA6D,EAC7D,CAAC,EAAE,CAAC,CACL,CAAC;QAEF,OAAO;YACL,YAAY,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC;YACjD,YAAY,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC;YACjD,aAAa,EAAE,CAAC;YAChB,UAAU,EAAE,QAAQ,CAAC,KAAK,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC;YAC7C,YAAY,EAAE,QAAQ,CAAC,OAAO,EAAE,KAAK,IAAI,GAAG,EAAE,EAAE,CAAC;SAClD,CAAC;IACJ,CAAC;CACF"}