ghcr-manager 0.0.4 → 0.9.0

package/dist/core/_types.d.ts

@@ -1,22 +1,23 @@
+export type ManifestKind = "image_index" | "image_manifest" | "artifact_manifest" | "attestation_manifest" | "signature_manifest";
 export interface PackageVersionRecord {
     versionId: number;
-    digest: string;
     createdAt: string;
     updatedAt: string;
     metadata?: Record<string, unknown>;
 }
 export interface TagRecord {
     tag: string;
-    digest: string;
     versionId: number;
 }
 export interface ManifestRecord {
+    versionId: number;
     digest: string;
     mediaType: string;
     artifactType?: string;
     configMediaType?: string;
     subjectDigest?: string;
     annotations?: Record<string, unknown>;
+    manifestKind?: ManifestKind;
     platform?: {
         architecture?: string;
         os?: string;

package/dist/core/index.d.ts

@@ -1 +1,4 @@
-export type { ManifestEdgeRecord, ManifestDescriptorRecord, ManifestRecord, PackageSnapshot, PackageVersionRecord, TagRecord } from "./_types.js";
+export type { ManifestEdgeRecord, ManifestDescriptorRecord, ManifestKind, ManifestRecord, PackageSnapshot, PackageVersionRecord, TagRecord } from "./_types.js";
+export type { HttpErrorResponse } from "./_http-error.js";
+export { buildHttpErrorMessage } from "./_http-error.js";
+export { getOwnerURIComponent } from "./_github-package-owner.js";

package/dist/core/index.js

@@ -1 +1,2 @@
-export {};
+export { buildHttpErrorMessage } from "./_http-error.js";
+export { getOwnerURIComponent } from "./_github-package-owner.js";

package/dist/db/_cleanup-run-writer.d.ts

@@ -0,0 +1,10 @@
+import type Database from "better-sqlite3";
+import type { DeletePlan } from "./planner/index.js";
+export declare class CleanupRunWriter {
+    #private;
+    constructor(database: Database.Database);
+    persistCleanupRun(scanId: number, plan: DeletePlan, options: {
+        dryRun: boolean;
+        cleanupStartedAt: string;
+    }): number;
+}

package/dist/db/_cleanup-run-writer.js

@@ -0,0 +1,73 @@
+import { randomUUID } from "node:crypto";
+import { resolveGitHubActionsRunUrl } from "./_github-actions-run-url.js";
+export class CleanupRunWriter {
+    #database;
+    constructor(database) {
+        this.#database = database;
+    }
+    persistCleanupRun(scanId, plan, options) {
+        return this.#database.transaction(() => {
+            const cleanupRunId = this.#insertCleanupRun(scanId, plan, options);
+            for (const rootDecision of plan.rootDecisions) {
+                this.#database
+                    .prepare(`
+              INSERT INTO cleanup_root_decisions(
+                cleanup_run_id,
+                scan_id,
+                digest,
+                selection_mode,
+                selection_reason,
+                validation_status,
+                validation_reason_code,
+                validation_reason,
+                blocking_digest,
+                overlap_digest
+              )
+              VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+            `)
+                    .run(cleanupRunId, scanId, rootDecision.digest, rootDecision.selectionMode, rootDecision.selectionReason, rootDecision.validationStatus, rootDecision.validationReasonCode, rootDecision.validationReason, rootDecision.blockingDigest ?? null, rootDecision.overlapDigest ?? null);
+            }
+            for (const protectedRoot of plan.protectedRoots) {
+                for (const block of protectedRoot.blocks) {
+                    this.#database
+                        .prepare(`
+                INSERT INTO cleanup_protected_root_blocks(
+                  cleanup_run_id,
+                  scan_id,
+                  protected_digest,
+                  blocked_digest,
+                  block_reason_code,
+                  overlap_digest
+                )
+                VALUES(?, ?, ?, ?, ?, ?)
+              `)
+                        .run(cleanupRunId, scanId, protectedRoot.digest, block.blockedDigest, block.blockReasonCode, block.overlapDigest);
+                }
+            }
+            return cleanupRunId;
+        })();
+    }
+    #insertCleanupRun(scanId, plan, options) {
+        const result = this.#database
+            .prepare(`
+          INSERT INTO cleanup_runs(
+            scan_id,
+            cleanup_uuid,
+            cleanup_started_at,
+            github_actions_run_url,
+            dry_run,
+            planner_inputs_json,
+            direct_target_tag_count,
+            direct_target_root_count,
+            delete_root_candidate_count,
+            untag_only_root_count,
+            fully_deletable_root_count,
+            blocked_delete_root_count,
+            protected_root_count
+          )
+          VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        `)
+            .run(scanId, randomUUID(), options.cleanupStartedAt, resolveGitHubActionsRunUrl(), options.dryRun ? 1 : 0, JSON.stringify(plan.plannerInputs), plan.validationSummary.directTargetTagCount, plan.validationSummary.directTargetRootCount, plan.validationSummary.deleteRootCandidateCount, plan.validationSummary.untagOnlyRootCount, plan.validationSummary.fullyDeletableRootCount, plan.validationSummary.blockedDeleteRootCount, plan.validationSummary.protectedRootCount);
+        return Number(result.lastInsertRowid);
+    }
+}

package/dist/db/_db-merge-cleanup-copy.d.ts

@@ -0,0 +1,7 @@
+import type Database from "better-sqlite3";
+export declare class DbMergeCleanupCopy {
+    #private;
+    constructor(database: Database.Database);
+    copyCleanupRuns(attachName: string, sourceScanId: number, targetScanId: number, existingCleanupUuids: string[]): number;
+    listCleanupUuids(tableName: string, scanId: number): string[];
+}

package/dist/db/_db-merge-cleanup-copy.js

@@ -0,0 +1,122 @@
+export class DbMergeCleanupCopy {
+    #database;
+    constructor(database) {
+        this.#database = database;
+    }
+    copyCleanupRuns(attachName, sourceScanId, targetScanId, existingCleanupUuids) {
+        const rows = this.#database
+            .prepare(`
+          SELECT
+            cleanup_run_id,
+            cleanup_uuid,
+            cleanup_started_at,
+            github_actions_run_url,
+            dry_run,
+            planner_inputs_json,
+            direct_target_tag_count,
+            direct_target_root_count,
+            delete_root_candidate_count,
+            untag_only_root_count,
+            fully_deletable_root_count,
+            blocked_delete_root_count,
+            protected_root_count
+          FROM ${attachName}.cleanup_runs
+          WHERE scan_id = ?
+          ORDER BY cleanup_run_id
+        `)
+            .all(sourceScanId);
+        const knownCleanupUuids = new Set(existingCleanupUuids);
+        let importedCleanupRunCount = 0;
+        for (const row of rows) {
+            if (knownCleanupUuids.has(row.cleanup_uuid)) {
+                continue;
+            }
+            const cleanupRunId = Number(this.#database
+                .prepare(`
+              INSERT INTO cleanup_runs(
+                scan_id,
+                cleanup_uuid,
+                cleanup_started_at,
+                github_actions_run_url,
+                dry_run,
+                planner_inputs_json,
+                direct_target_tag_count,
+                direct_target_root_count,
+                delete_root_candidate_count,
+                untag_only_root_count,
+                fully_deletable_root_count,
+                blocked_delete_root_count,
+                protected_root_count
+              )
+              VALUES(?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+            `)
+                .run(targetScanId, row.cleanup_uuid, row.cleanup_started_at, row.github_actions_run_url, row.dry_run, row.planner_inputs_json, row.direct_target_tag_count, row.direct_target_root_count, row.delete_root_candidate_count, row.untag_only_root_count, row.fully_deletable_root_count, row.blocked_delete_root_count, row.protected_root_count).lastInsertRowid);
+            this.#database
+                .prepare(`
+            INSERT INTO cleanup_root_decisions(
+              cleanup_run_id,
+              scan_id,
+              digest,
+              selection_mode,
+              selection_reason,
+              validation_status,
+              validation_reason_code,
+              validation_reason,
+              blocking_digest,
+              overlap_digest
+            )
+            SELECT
+              ?,
+              ?,
+              digest,
+              selection_mode,
+              selection_reason,
+              validation_status,
+              validation_reason_code,
+              validation_reason,
+              blocking_digest,
+              overlap_digest
+            FROM ${attachName}.cleanup_root_decisions
+            WHERE cleanup_run_id = ?
+              AND scan_id = ?
+          `)
+                .run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
+            this.#database
+                .prepare(`
+            INSERT INTO cleanup_protected_root_blocks(
+              cleanup_run_id,
+              scan_id,
+              protected_digest,
+              blocked_digest,
+              block_reason_code,
+              overlap_digest
+            )
+            SELECT
+              ?,
+              ?,
+              protected_digest,
+              blocked_digest,
+              block_reason_code,
+              overlap_digest
+            FROM ${attachName}.cleanup_protected_root_blocks
+            WHERE cleanup_run_id = ?
+              AND scan_id = ?
+          `)
+                .run(cleanupRunId, targetScanId, row.cleanup_run_id, sourceScanId);
+            knownCleanupUuids.add(row.cleanup_uuid);
+            importedCleanupRunCount += 1;
+        }
+        return importedCleanupRunCount;
+    }
+    listCleanupUuids(tableName, scanId) {
+        const rows = this.#database
+            .prepare(`
+          SELECT cleanup_uuid
+          FROM ${tableName}
+          WHERE scan_id = ?
+          ORDER BY cleanup_run_id
+        `)
+            .all(scanId);
+        return rows.map((row) => row.cleanup_uuid);
+    }
+}

package/dist/db/_db-merge-history.d.ts

@@ -0,0 +1,2 @@
+export type CleanupHistoryRelation = "source-ahead" | "target-ahead" | "diverged";
+export declare function resolveCleanupHistoryRelation(sourceCleanupUuids: string[], targetCleanupUuids: string[]): CleanupHistoryRelation;

package/dist/db/_db-merge-history.js

@@ -0,0 +1,15 @@
+export function resolveCleanupHistoryRelation(sourceCleanupUuids, targetCleanupUuids) {
+    if (_isPrefix(targetCleanupUuids, sourceCleanupUuids)) {
+        return "source-ahead";
+    }
+    if (_isPrefix(sourceCleanupUuids, targetCleanupUuids)) {
+        return "target-ahead";
+    }
+    return "diverged";
+}
+function _isPrefix(prefixCandidate, history) {
+    if (prefixCandidate.length > history.length) {
+        return false;
+    }
+    return prefixCandidate.every((cleanupUuid, index) => cleanupUuid === history[index]);
+}

package/dist/db/_db-merge-repository.d.ts

@@ -0,0 +1,8 @@
+import type Database from "better-sqlite3";
+import type { DbMergeSourceSummary } from "./_db-merge-types.js";
+export type { DbMergeSourceSummary } from "./_db-merge-types.js";
+export declare class DbMergeRepository {
+    #private;
+    constructor(database: Database.Database);
+    mergeSourceDatabase(sourceDatabasePath: string): DbMergeSourceSummary;
+}

package/dist/db/_db-merge-repository.js

@@ -0,0 +1,95 @@
+import { realpathSync } from "node:fs";
+import { DbMergeCleanupCopy } from "./_db-merge-cleanup-copy.js";
+import { resolveCleanupHistoryRelation } from "./_db-merge-history.js";
+import { DbMergeScanCopy } from "./_db-merge-scan-copy.js";
+export class DbMergeRepository {
+    #database;
+    #cleanupCopy;
+    #scanCopy;
+    constructor(database) {
+        this.#database = database;
+        this.#cleanupCopy = new DbMergeCleanupCopy(database);
+        this.#scanCopy = new DbMergeScanCopy(database);
+    }
+    mergeSourceDatabase(sourceDatabasePath) {
+        const targetPath = realpathSync(this.#database.name);
+        const sourcePath = realpathSync(sourceDatabasePath);
+        if (targetPath === sourcePath) {
+            throw new Error(`source DB matches target DB: ${sourceDatabasePath}`);
+        }
+        const attachName = "merge_source";
+        const quotedAttachName = `"${attachName}"`;
+        this.#database.exec(`ATTACH DATABASE ${this.#scanCopy.quoteDatabasePath(sourcePath)} AS ${quotedAttachName}`);
+        try {
+            return this.#database.transaction(() => this.#mergeAttachedSource(attachName, sourceDatabasePath))();
+        }
+        finally {
+            this.#database.exec(`DETACH DATABASE ${quotedAttachName}`);
+        }
+    }
+    #mergeAttachedSource(attachName, sourceDatabasePath) {
+        const sourceScans = this.#database
+            .prepare(`
+          SELECT
+            scan_id,
+            scan_uuid,
+            owner,
+            package_name,
+            package_metadata_json,
+            github_actions_run_url,
+            scan_started_at,
+            scan_completed_at,
+            status
+          FROM ${attachName}.package_scans
+          ORDER BY scan_started_at, scan_uuid
+        `)
+            .all();
+        const summary = {
+            sourceDatabasePath,
+            importedScanCount: 0,
+            skippedScanCount: 0,
+            importedCleanupRunCount: 0,
+            skippedCleanupRunCount: 0
+        };
+        for (const sourceScan of sourceScans) {
+            const targetScan = this.#database
+                .prepare(`
+            SELECT
+              scan_id,
+              scan_uuid,
+              owner,
+              package_name,
+              package_metadata_json,
+              github_actions_run_url,
+              scan_started_at,
+              scan_completed_at,
+              status
+            FROM package_scans
+            WHERE scan_uuid = ?
+          `)
+                .get(sourceScan.scan_uuid);
+            if (!targetScan) {
+                const targetScanId = this.#scanCopy.insertScan(sourceScan);
+                this.#scanCopy.copyScanRows(attachName, sourceScan.scan_id, targetScanId);
+                summary.importedScanCount += 1;
+                summary.importedCleanupRunCount += this.#cleanupCopy.copyCleanupRuns(attachName, sourceScan.scan_id, targetScanId, []);
+                continue;
+            }
+            this.#scanCopy.assertMatchingScanMetadata(sourceScan, targetScan, sourceDatabasePath);
+            const sourceCleanupUuids = this.#cleanupCopy.listCleanupUuids(`${attachName}.cleanup_runs`, sourceScan.scan_id);
+            const targetCleanupUuids = this.#cleanupCopy.listCleanupUuids("cleanup_runs", targetScan.scan_id);
+            const historyRelation = resolveCleanupHistoryRelation(sourceCleanupUuids, targetCleanupUuids);
+            if (historyRelation === "source-ahead") {
+                summary.importedCleanupRunCount += this.#cleanupCopy.copyCleanupRuns(attachName, sourceScan.scan_id, targetScan.scan_id, targetCleanupUuids);
+            }
+            else if (historyRelation === "target-ahead") {
+                summary.skippedCleanupRunCount += sourceCleanupUuids.length;
+            }
+            else {
+                throw new Error(`cleanup history diverged for scan_uuid ${sourceScan.scan_uuid} while merging ${sourceDatabasePath}`);
+            }
+            summary.skippedScanCount += 1;
+        }
+        return summary;
+    }
+}

package/dist/db/_db-merge-scan-copy.d.ts

@@ -0,0 +1,10 @@
+import type Database from "better-sqlite3";
+import type { SourceScanRow, TargetScanRow } from "./_db-merge-types.js";
+export declare class DbMergeScanCopy {
+    #private;
+    constructor(database: Database.Database);
+    insertScan(sourceScan: SourceScanRow): number;
+    copyScanRows(attachName: string, sourceScanId: number, targetScanId: number): void;
+    assertMatchingScanMetadata(sourceScan: SourceScanRow, targetScan: TargetScanRow, sourceDatabasePath: string): void;
+    quoteDatabasePath(value: string): string;
+}

package/dist/db/_db-merge-scan-copy.js

@@ -0,0 +1,69 @@
+export class DbMergeScanCopy {
+    #database;
+    constructor(database) {
+        this.#database = database;
+    }
+    insertScan(sourceScan) {
+        const result = this.#database
+            .prepare(`
+          INSERT INTO package_scans(
+            scan_uuid,
+            owner,
+            package_name,
+            package_metadata_json,
+            github_actions_run_url,
+            scan_started_at,
+            scan_completed_at,
+            status
+          )
+          VALUES(?, ?, ?, ?, ?, ?, ?, ?)
+        `)
+            .run(sourceScan.scan_uuid, sourceScan.owner, sourceScan.package_name, sourceScan.package_metadata_json, sourceScan.github_actions_run_url, sourceScan.scan_started_at, sourceScan.scan_completed_at, sourceScan.status);
+        return Number(result.lastInsertRowid);
+    }
+    copyScanRows(attachName, sourceScanId, targetScanId) {
+        const copySpecs = [
+            "package_versions(scan_id, version_id, created_at, updated_at)",
+            "package_version_payloads(scan_id, version_id, raw_json)",
+            "tags(scan_id, tag, version_id)",
+            "manifests(scan_id, version_id, digest, media_type, artifact_type, config_media_type, subject_digest, annotations_json, platform_os, platform_architecture, platform_variant, manifest_kind)",
+            "manifest_descriptors(scan_id, parent_digest, child_digest, media_type, artifact_type, platform_os, platform_architecture, platform_variant)",
+            "manifest_payloads(scan_id, digest, raw_json)",
+            "manifest_edges(scan_id, parent_digest, child_digest, edge_kind)",
+            "manifest_reachability(scan_id, ancestor_digest, descendant_digest, min_distance)"
+        ];
+        for (const spec of copySpecs) {
+            const [tableName, columnList] = spec.split("(");
+            const trimmedColumnList = columnList.slice(0, -1);
+            const columns = trimmedColumnList.split(", ").slice(1);
+            this.#database
+                .prepare(`
+            INSERT INTO ${tableName}(${trimmedColumnList})
+            SELECT ?, ${columns.join(", ")}
+            FROM ${attachName}.${tableName}
+            WHERE scan_id = ?
+          `)
+                .run(targetScanId, sourceScanId);
+        }
+    }
+    assertMatchingScanMetadata(sourceScan, targetScan, sourceDatabasePath) {
+        const scanFields = [
+            "scan_uuid",
+            "owner",
+            "package_name",
+            "package_metadata_json",
+            "github_actions_run_url",
+            "scan_started_at",
+            "scan_completed_at",
+            "status"
+        ];
+        for (const field of scanFields) {
+            if (sourceScan[field] !== targetScan[field]) {
+                throw new Error(`scan metadata mismatch for scan_uuid ${sourceScan.scan_uuid} while merging ${sourceDatabasePath}`);
+            }
+        }
+    }
+    quoteDatabasePath(value) {
+        return `'${value.replaceAll("'", "''")}'`;
+    }
+}

package/dist/db/_db-merge-types.d.ts

@@ -0,0 +1,44 @@
+export interface SourceScanRow {
+    scan_id: number;
+    scan_uuid: string;
+    owner: string;
+    package_name: string;
+    package_metadata_json: string | null;
+    github_actions_run_url: string | null;
+    scan_started_at: string;
+    scan_completed_at: string | null;
+    status: string;
+}
+export interface TargetScanRow {
+    scan_id: number;
+    scan_uuid: string;
+    owner: string;
+    package_name: string;
+    package_metadata_json: string | null;
+    github_actions_run_url: string | null;
+    scan_started_at: string;
+    scan_completed_at: string | null;
+    status: string;
+}
+export interface CleanupRunRow {
+    cleanup_run_id: number;
+    cleanup_uuid: string;
+    cleanup_started_at: string;
+    github_actions_run_url: string | null;
+    dry_run: number;
+    planner_inputs_json: string;
+    direct_target_tag_count: number;
+    direct_target_root_count: number;
+    delete_root_candidate_count: number;
+    untag_only_root_count: number;
+    fully_deletable_root_count: number;
+    blocked_delete_root_count: number;
+    protected_root_count: number;
+}
+export interface DbMergeSourceSummary {
+    sourceDatabasePath: string;
+    importedScanCount: number;
+    skippedScanCount: number;
+    importedCleanupRunCount: number;
+    skippedCleanupRunCount: number;
+}

package/dist/db/_db-merge-types.js

@@ -0,0 +1 @@
+export {};

package/dist/db/_github-actions-run-url.d.ts

@@ -0,0 +1 @@
+export declare function resolveGitHubActionsRunUrl(env?: NodeJS.ProcessEnv): string | null;

package/dist/db/_github-actions-run-url.js

@@ -0,0 +1,9 @@
+export function resolveGitHubActionsRunUrl(env = process.env) {
+    const serverUrl = env.GITHUB_SERVER_URL;
+    const repository = env.GITHUB_REPOSITORY;
+    const runId = env.GITHUB_RUN_ID;
+    if (!serverUrl || !repository || !runId) {
+        return null;
+    }
+    return `${serverUrl}/${repository}/actions/runs/${runId}`;
+}

package/dist/db/_scan-writer.d.ts

@@ -3,7 +3,9 @@ import type { ManifestDescriptorRecord, ManifestEdgeRecord, ManifestRecord, Pack
 export declare class ScanWriter {
     #private;
     constructor(database: Database.Database);
-    resetScan(owner: string, packageName: string, scanStartedAt: string): void;
+    startScan(owner: string, packageName: string, scanStartedAt: string, packageMetadata: {
+        rawJson: string;
+    }): void;
     markScanCompleted(scanCompletedAt: string): void;
     markScanFailed(scanCompletedAt: string): void;
     insertPackageVersion(version: PackageVersionRecord): void;

package/dist/db/_scan-writer.js

@@ -1,4 +1,5 @@
 import { randomUUID } from "node:crypto";
+import { resolveGitHubActionsRunUrl } from "./_github-actions-run-url.js";
 import { rebuildManifestReachability } from "./_manifest-reachability.js";
 export class ScanWriter {
     #database;
@@ -6,13 +7,22 @@ export class ScanWriter {
     constructor(database) {
         this.#database = database;
     }
-    resetScan(owner, packageName, scanStartedAt) {
+    startScan(owner, packageName, scanStartedAt, packageMetadata) {
         const result = this.#database
             .prepare(`
-        INSERT INTO package_scans(scan_uuid, owner, package_name, scan_started_at, scan_completed_at, status)
-        VALUES(?, ?, ?, ?, NULL, 'running')
+        INSERT INTO package_scans(
+          scan_uuid,
+          owner,
+          package_name,
+          package_metadata_json,
+          github_actions_run_url,
+          scan_started_at,
+          scan_completed_at,
+          status
+        )
+        VALUES(?, ?, ?, ?, ?, ?, NULL, 'running')
       `)
-            .run(randomUUID(), owner, packageName, scanStartedAt);
+            .run(randomUUID(), owner, packageName, packageMetadata.rawJson, resolveGitHubActionsRunUrl(), scanStartedAt);
         this.#activeScanId = Number(result.lastInsertRowid);
     }
     markScanCompleted(scanCompletedAt) {
@@ -36,13 +46,12 @@ export class ScanWriter {
     insertPackageVersion(version) {
         this.#database
             .prepare(`
-        INSERT OR REPLACE INTO package_versions(scan_id, version_id, digest, created_at, updated_at)
-        VALUES(@scanId, @versionId, @digest, @createdAt, @updatedAt)
+        INSERT OR REPLACE INTO package_versions(scan_id, version_id, created_at, updated_at)
+        VALUES(@scanId, @versionId, @createdAt, @updatedAt)
       `)
             .run({
             scanId: this.#requireScanId(),
             versionId: version.versionId,
-            digest: version.digest,
             createdAt: version.createdAt,
             updatedAt: version.updatedAt
         });
@@ -58,8 +67,8 @@ export class ScanWriter {
     insertTag(tag) {
         this.#database
             .prepare(`
-        INSERT OR REPLACE INTO tags(scan_id, tag, digest, version_id)
-        VALUES(@scanId, @tag, @digest, @versionId)
+        INSERT OR REPLACE INTO tags(scan_id, tag, version_id)
+        VALUES(@scanId, @tag, @versionId)
       `)
             .run({
             scanId: this.#requireScanId(),
@@ -71,6 +80,7 @@ export class ScanWriter {
             .prepare(`
         INSERT OR REPLACE INTO manifests(
           scan_id,
+          version_id,
           digest,
           media_type,
           artifact_type,
@@ -79,10 +89,12 @@ export class ScanWriter {
           annotations_json,
           platform_os,
           platform_architecture,
-          platform_variant
+          platform_variant,
+          manifest_kind
         )
         VALUES(
           @scanId,
+          @versionId,
           @digest,
           @mediaType,
           @artifactType,
@@ -91,11 +103,13 @@ export class ScanWriter {
           @annotationsJson,
           @platformOs,
           @platformArchitecture,
-          @platformVariant
+          @platformVariant,
+          @manifestKind
         )
       `)
             .run({
             scanId: this.#requireScanId(),
+            versionId: manifest.versionId,
             digest: manifest.digest,
             mediaType: manifest.mediaType,
             artifactType: manifest.artifactType ?? null,
@@ -104,7 +118,8 @@ export class ScanWriter {
             annotationsJson: manifest.annotations ? JSON.stringify(manifest.annotations) : null,
             platformOs: manifest.platform?.os ?? null,
             platformArchitecture: manifest.platform?.architecture ?? null,
-            platformVariant: manifest.platform?.variant ?? null
+            platformVariant: manifest.platform?.variant ?? null,
+            manifestKind: manifest.manifestKind ?? null
         });
     }
     insertManifestPayload(digest, rawJson) {
@@ -169,7 +184,7 @@ export class ScanWriter {
     }
     #requireScanId() {
         if (this.#activeScanId === null) {
-            throw new Error("package not initialized; call resetScan(owner, packageName, scanStartedAt) first");
+            throw new Error("package not initialized; call startScan(owner, packageName, scanStartedAt, packageMetadata) first");
         }
         return this.#activeScanId;
     }