deepline 0.1.64 → 0.1.66

package/dist/repo/sdk/src/plays/harness-stub.ts

@@ -168,6 +168,8 @@ export async function harnessReadSheetDatasetRows(
  */
 export async function harnessPrewarmPostgresSessions(input: {
   executorToken: string;
+  orgId: string;
+  playName: string;
   sessions: PreloadedRuntimeDbSessionInput[];
 }): Promise<{ ok: true; sessions: number }> {
   return requireBinding().prewarmPostgresSessions(input);
@@ -180,6 +182,7 @@ export async function harnessPrewarmPostgresSessions(input: {
 export async function harnessStartSheetDataset(input: {
   baseUrl: string;
   executorToken: string;
+  orgId: string;
   preloadedDbSessions?: PreloadedRuntimeDbSessionInput[] | null;
   playName: string;
   tableNamespace: string;
@@ -206,6 +209,7 @@ export async function harnessStartSheetDataset(input: {
 export async function harnessPersistCompletedSheetRows(input: {
   baseUrl: string;
   executorToken: string;
+  orgId: string;
   preloadedDbSessions?: PreloadedRuntimeDbSessionInput[] | null;
   playName: string;
   tableNamespace: string;

package/dist/repo/sdk/src/release.ts

@@ -50,10 +50,10 @@ export type SdkRelease = {
 };
 
 export const SDK_RELEASE = {
-  version: '0.1.64',
+  version: '0.1.66',
   apiContract: '2026-05-play-bootstrap-dataset-summary',
   supportPolicy: {
-    latest: '0.1.64',
+    latest: '0.1.66',
     minimumSupported: '0.1.53',
     deprecatedBelow: '0.1.53',
   },

package/dist/repo/shared_libs/play-runtime/db-session-crypto.ts

@@ -0,0 +1,312 @@
+import type { CreateDbSessionResponse } from './db-session';
+
+const POSTGRES_URL_ENCRYPTION_ALGORITHM = 'AES-GCM' as const;
+const POSTGRES_URL_ENCRYPTION_KEY_ID =
+  'deepline-runtime-db-session-url:v1' as const;
+const POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_KEY_ID =
+  'deepline-runtime-db-session-url:v2' as const;
+const POSTGRES_URL_ENCRYPTION_LABEL =
+  'deepline:runtime-db-session-postgres-url:v1';
+const POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM =
+  'RSA-OAEP-256+A256GCM' as const;
+const IV_LENGTH_BYTES = 12;
+const AUTH_TAG_LENGTH_BYTES = 16;
+
+export type SharedSecretEncryptedPostgresUrl = {
+  alg: 'A256GCM';
+  kid: typeof POSTGRES_URL_ENCRYPTION_KEY_ID;
+  iv: string;
+  ciphertext: string;
+  tag: string;
+};
+
+export type PublicKeyEncryptedPostgresUrl = {
+  alg: typeof POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM;
+  kid: typeof POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_KEY_ID;
+  wrappedKey: string;
+  iv: string;
+  ciphertext: string;
+  tag: string;
+};
+
+export type EncryptedPostgresUrl =
+  | SharedSecretEncryptedPostgresUrl
+  | PublicKeyEncryptedPostgresUrl;
+
+export type PostgresUrlEncryptionRequest = {
+  alg: typeof POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM;
+  publicKeyJwk: JsonWebKey;
+};
+
+export type PostgresUrlDecryptionKey = {
+  request: PostgresUrlEncryptionRequest;
+  privateKey: CryptoKey;
+};
+
+function encodeBase64Url(bytes: Uint8Array): string {
+  const base64 =
+    typeof Buffer !== 'undefined'
+      ? Buffer.from(bytes).toString('base64')
+      : btoa(String.fromCharCode(...bytes));
+  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/g, '');
+}
+
+function decodeBase64Url(value: string): Uint8Array {
+  const padding =
+    value.length % 4 === 0 ? '' : '='.repeat(4 - (value.length % 4));
+  const normalized = value.replace(/-/g, '+').replace(/_/g, '/') + padding;
+  if (typeof Buffer !== 'undefined') {
+    return new Uint8Array(Buffer.from(normalized, 'base64'));
+  }
+  return Uint8Array.from(atob(normalized), (char) => char.charCodeAt(0));
+}
+
+function toArrayBuffer(bytes: Uint8Array): ArrayBuffer {
+  return bytes.buffer.slice(
+    bytes.byteOffset,
+    bytes.byteOffset + bytes.byteLength,
+  ) as ArrayBuffer;
+}
+
+type RsaOaepKeyGenAlgorithm = {
+  name: 'RSA-OAEP';
+  modulusLength: number;
+  publicExponent: Uint8Array;
+  hash: string;
+};
+
+type RsaOaepImportAlgorithm = {
+  name: 'RSA-OAEP';
+  hash: string;
+};
+
+function rsaOaepAlgorithm(): RsaOaepKeyGenAlgorithm {
+  return {
+    name: 'RSA-OAEP',
+    modulusLength: 2048,
+    publicExponent: new Uint8Array([1, 0, 1]),
+    hash: 'SHA-256',
+  };
+}
+
+function rsaOaepImportAlgorithm(): RsaOaepImportAlgorithm {
+  return {
+    name: 'RSA-OAEP',
+    hash: 'SHA-256',
+  };
+}
+
+async function derivePostgresUrlEncryptionKey(
+  secret: string,
+): Promise<CryptoKey> {
+  const normalizedSecret = secret.trim();
+  if (!normalizedSecret) {
+    throw new Error('Runtime DB session encryption secret is empty.');
+  }
+  const keyBytes = new Uint8Array(
+    await crypto.subtle.digest(
+      'SHA-256',
+      new TextEncoder().encode(
+        `${POSTGRES_URL_ENCRYPTION_LABEL}:${normalizedSecret}`,
+      ),
+    ),
+  );
+  return await crypto.subtle.importKey(
+    'raw',
+    toArrayBuffer(keyBytes),
+    { name: POSTGRES_URL_ENCRYPTION_ALGORITHM },
+    false,
+    ['encrypt', 'decrypt'],
+  );
+}
+
+export function dbSessionPostgresUrlAad(
+  session: Omit<
+    CreateDbSessionResponse,
+    'postgresUrl' | 'encryptedPostgresUrl'
+  >,
+): string {
+  return JSON.stringify({
+    sessionId: session.sessionId,
+    expiresAt: session.expiresAt,
+    playName: session.playName,
+    target: session.target,
+    operations: [...session.operations].sort(),
+    postgres: session.postgres ?? null,
+  });
+}
+
+export async function generateDbSessionPostgresUrlDecryptionKey(): Promise<PostgresUrlDecryptionKey> {
+  const keyPair = (await crypto.subtle.generateKey(rsaOaepAlgorithm(), true, [
+    'encrypt',
+    'decrypt',
+  ])) as CryptoKeyPair;
+  const publicKeyJwk = (await crypto.subtle.exportKey(
+    'jwk',
+    keyPair.publicKey,
+  )) as JsonWebKey;
+  const serializablePublicKeyJwk: JsonWebKey = {
+    kty: publicKeyJwk.kty,
+    n: publicKeyJwk.n,
+    e: publicKeyJwk.e,
+    alg: publicKeyJwk.alg,
+    ext: publicKeyJwk.ext,
+    key_ops: publicKeyJwk.key_ops ? [...publicKeyJwk.key_ops] : undefined,
+  };
+  return {
+    request: {
+      alg: POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM,
+      publicKeyJwk: serializablePublicKeyJwk,
+    },
+    privateKey: keyPair.privateKey,
+  };
+}
+
+export async function encryptDbSessionPostgresUrl(input: {
+  postgresUrl: string;
+  secret: string;
+  aad: string;
+}): Promise<SharedSecretEncryptedPostgresUrl> {
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH_BYTES));
+  const key = await derivePostgresUrlEncryptionKey(input.secret);
+  const encrypted = new Uint8Array(
+    await crypto.subtle.encrypt(
+      {
+        name: POSTGRES_URL_ENCRYPTION_ALGORITHM,
+        iv: toArrayBuffer(iv),
+        additionalData: new TextEncoder().encode(input.aad),
+        tagLength: AUTH_TAG_LENGTH_BYTES * 8,
+      },
+      key,
+      new TextEncoder().encode(input.postgresUrl),
+    ),
+  );
+  return {
+    alg: 'A256GCM',
+    kid: POSTGRES_URL_ENCRYPTION_KEY_ID,
+    iv: encodeBase64Url(iv),
+    ciphertext: encodeBase64Url(encrypted.slice(0, -AUTH_TAG_LENGTH_BYTES)),
+    tag: encodeBase64Url(encrypted.slice(-AUTH_TAG_LENGTH_BYTES)),
+  };
+}
+
+export async function encryptDbSessionPostgresUrlWithPublicKey(input: {
+  postgresUrl: string;
+  request: PostgresUrlEncryptionRequest;
+  aad: string;
+}): Promise<PublicKeyEncryptedPostgresUrl> {
+  if (input.request.alg !== POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM) {
+    throw new Error('Unsupported runtime DB session public-key envelope.');
+  }
+  const publicKey = (await crypto.subtle.importKey(
+    'jwk',
+    input.request.publicKeyJwk,
+    rsaOaepImportAlgorithm(),
+    false,
+    ['encrypt'],
+  )) as CryptoKey;
+  const contentKey = (await crypto.subtle.generateKey(
+    { name: POSTGRES_URL_ENCRYPTION_ALGORITHM, length: 256 },
+    true,
+    ['encrypt', 'decrypt'],
+  )) as CryptoKey;
+  const iv = crypto.getRandomValues(new Uint8Array(IV_LENGTH_BYTES));
+  const encrypted = new Uint8Array(
+    await crypto.subtle.encrypt(
+      {
+        name: POSTGRES_URL_ENCRYPTION_ALGORITHM,
+        iv: toArrayBuffer(iv),
+        additionalData: new TextEncoder().encode(input.aad),
+        tagLength: AUTH_TAG_LENGTH_BYTES * 8,
+      },
+      contentKey,
+      new TextEncoder().encode(input.postgresUrl),
+    ),
+  );
+  const rawContentKey = (await crypto.subtle.exportKey(
+    'raw',
+    contentKey,
+  )) as ArrayBuffer;
+  const wrappedKey = new Uint8Array(
+    await crypto.subtle.encrypt({ name: 'RSA-OAEP' }, publicKey, rawContentKey),
+  );
+  return {
+    alg: POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM,
+    kid: POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_KEY_ID,
+    wrappedKey: encodeBase64Url(wrappedKey),
+    iv: encodeBase64Url(iv),
+    ciphertext: encodeBase64Url(encrypted.slice(0, -AUTH_TAG_LENGTH_BYTES)),
+    tag: encodeBase64Url(encrypted.slice(-AUTH_TAG_LENGTH_BYTES)),
+  };
+}
+
+export async function decryptDbSessionPostgresUrl(input: {
+  encrypted: EncryptedPostgresUrl;
+  secret: string;
+  aad: string;
+}): Promise<string> {
+  if (
+    input.encrypted.alg !== 'A256GCM' ||
+    input.encrypted.kid !== POSTGRES_URL_ENCRYPTION_KEY_ID
+  ) {
+    throw new Error('Unsupported runtime DB session URL encryption envelope.');
+  }
+  const ciphertext = decodeBase64Url(input.encrypted.ciphertext);
+  const tag = decodeBase64Url(input.encrypted.tag);
+  const combined = new Uint8Array(ciphertext.byteLength + tag.byteLength);
+  combined.set(ciphertext, 0);
+  combined.set(tag, ciphertext.byteLength);
+  const key = await derivePostgresUrlEncryptionKey(input.secret);
+  const plaintext = await crypto.subtle.decrypt(
+    {
+      name: POSTGRES_URL_ENCRYPTION_ALGORITHM,
+      iv: toArrayBuffer(decodeBase64Url(input.encrypted.iv)),
+      additionalData: new TextEncoder().encode(input.aad),
+      tagLength: AUTH_TAG_LENGTH_BYTES * 8,
+    },
+    key,
+    toArrayBuffer(combined),
+  );
+  return new TextDecoder().decode(plaintext);
+}
+
+export async function decryptDbSessionPostgresUrlWithPrivateKey(input: {
+  encrypted: EncryptedPostgresUrl;
+  privateKey: CryptoKey;
+  aad: string;
+}): Promise<string> {
+  if (
+    input.encrypted.alg !== POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_ALGORITHM ||
+    input.encrypted.kid !== POSTGRES_URL_PUBLIC_KEY_ENCRYPTION_KEY_ID
+  ) {
+    throw new Error('Unsupported runtime DB session URL public-key envelope.');
+  }
+  const rawContentKey = await crypto.subtle.decrypt(
+    { name: 'RSA-OAEP' },
+    input.privateKey,
+    toArrayBuffer(decodeBase64Url(input.encrypted.wrappedKey)),
+  );
+  const contentKey = await crypto.subtle.importKey(
+    'raw',
+    rawContentKey,
+    { name: POSTGRES_URL_ENCRYPTION_ALGORITHM },
+    false,
+    ['decrypt'],
+  );
+  const ciphertext = decodeBase64Url(input.encrypted.ciphertext);
+  const tag = decodeBase64Url(input.encrypted.tag);
+  const combined = new Uint8Array(ciphertext.byteLength + tag.byteLength);
+  combined.set(ciphertext, 0);
+  combined.set(tag, ciphertext.byteLength);
+  const plaintext = await crypto.subtle.decrypt(
+    {
+      name: POSTGRES_URL_ENCRYPTION_ALGORITHM,
+      iv: toArrayBuffer(decodeBase64Url(input.encrypted.iv)),
+      additionalData: new TextEncoder().encode(input.aad),
+      tagLength: AUTH_TAG_LENGTH_BYTES * 8,
+    },
+    contentKey,
+    toArrayBuffer(combined),
+  );
+  return new TextDecoder().decode(plaintext);
+}

package/dist/repo/shared_libs/play-runtime/db-session-plan.ts

@@ -0,0 +1,69 @@
+import {
+  flattenStaticPipeline,
+  resolveSheetContractForTableNamespace,
+  type PlaySheetContract,
+  type PlayStaticPipeline,
+} from '../plays/static-pipeline';
+import {
+  RUNTIME_SHEET_ROWS_LOGICAL_TABLE,
+  RUNTIME_WORK_RECEIPT_LOGICAL_TABLE,
+  RUNTIME_WORK_RECEIPT_TABLE_NAMESPACE,
+  type DbLogicalTable,
+  type DbSessionLimits,
+  type DbSessionOperation,
+} from './db-session';
+
+export type RuntimeDbSessionRequirement = {
+  tableNamespace: string;
+  logicalTable: DbLogicalTable;
+  operations: DbSessionOperation[];
+  limits?: DbSessionLimits;
+  sheetContract?: PlaySheetContract | null;
+};
+
+export function planRuntimeSheetDbSessionRequirements(
+  pipeline: PlayStaticPipeline | null,
+): RuntimeDbSessionRequirement[] {
+  if (!pipeline) {
+    return [];
+  }
+  const byNamespace = new Map<string, PlaySheetContract>();
+  for (const substep of flattenStaticPipeline(pipeline)) {
+    if (substep.type !== 'map') continue;
+    const tableNamespace = (
+      substep.tableNamespace ??
+      substep.field ??
+      ''
+    ).trim();
+    if (!tableNamespace) continue;
+    const sheetContract =
+      resolveSheetContractForTableNamespace(pipeline, tableNamespace) ??
+      substep.sheetContract ??
+      null;
+    if (!sheetContract) continue;
+    byNamespace.set(tableNamespace, sheetContract);
+  }
+  return [...byNamespace.entries()].map(([tableNamespace, sheetContract]) => ({
+    tableNamespace,
+    logicalTable: RUNTIME_SHEET_ROWS_LOGICAL_TABLE,
+    operations: ['rows.read', 'rows.upsert'],
+    sheetContract,
+  }));
+}
+
+export function runtimeWorkReceiptDbSessionRequirement(): RuntimeDbSessionRequirement {
+  return {
+    tableNamespace: RUNTIME_WORK_RECEIPT_TABLE_NAMESPACE,
+    logicalTable: RUNTIME_WORK_RECEIPT_LOGICAL_TABLE,
+    operations: ['rows.read', 'rows.upsert'],
+  };
+}
+
+export function planRuntimeDbSessionRequirements(
+  pipeline: PlayStaticPipeline | null,
+): RuntimeDbSessionRequirement[] {
+  return [
+    ...planRuntimeSheetDbSessionRequirements(pipeline),
+    runtimeWorkReceiptDbSessionRequirement(),
+  ];
+}