kavachos 0.1.0 → 0.1.3

package/dist/agent/index.js

@@ -1,6 +1,791 @@
-export { createAgentModule } from '../chunk-IKTOSJ4O.js';
-import '../chunk-KDL6A76K.js';
-import '../chunk-QCRHJMDX.js';
-import '../chunk-NSBPE2FW.js';
+import { and, eq } from 'drizzle-orm';
+import { sqliteTable, integer, text } from 'drizzle-orm/sqlite-core';
+
+// src/agent/agent.ts
+
+// src/crypto/web-crypto.ts
+var HEX_CHARS = "0123456789abcdef";
+function toHex(bytes) {
+  let hex = "";
+  for (let i = 0; i < bytes.length; i++) {
+    const b = bytes[i];
+    hex += HEX_CHARS[b >> 4];
+    hex += HEX_CHARS[b & 15];
+  }
+  return hex;
+}
+function toBase64Url(bytes) {
+  let binary = "";
+  for (let i = 0; i < bytes.length; i++) {
+    binary += String.fromCharCode(bytes[i]);
+  }
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generateId() {
+  return globalThis.crypto.randomUUID();
+}
+function randomBytes(length) {
+  const bytes = new Uint8Array(length);
+  globalThis.crypto.getRandomValues(bytes);
+  return bytes;
+}
+var TEXT_ENCODER = new TextEncoder();
+function toBytes(data) {
+  if (typeof data === "string") {
+    const encoded = TEXT_ENCODER.encode(data);
+    return encoded.buffer.slice(
+      encoded.byteOffset,
+      encoded.byteOffset + encoded.byteLength
+    );
+  }
+  return data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength);
+}
+async function sha256(data) {
+  const digest = await globalThis.crypto.subtle.digest("SHA-256", toBytes(data));
+  return toHex(new Uint8Array(digest));
+}
+var users = sqliteTable("kavach_users", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull().unique(),
+  name: text("name"),
+  username: text("username").unique(),
+  externalId: text("external_id"),
+  // ID from external auth (better-auth, Auth.js, etc.)
+  externalProvider: text("external_provider"),
+  // "better-auth", "authjs", "clerk", etc.
+  metadata: text("metadata", { mode: "json" }).$type(),
+  // Admin ban fields (populated by admin module)
+  banned: integer("banned").notNull().default(0),
+  banReason: text("ban_reason"),
+  banExpiresAt: integer("ban_expires_at", { mode: "timestamp" }),
+  forcePasswordReset: integer("force_password_reset").notNull().default(0),
+  emailVerified: integer("email_verified").notNull().default(0),
+  // Stripe integration fields (populated by kavach-stripe plugin)
+  stripeCustomerId: text("stripe_customer_id").unique(),
+  stripeSubscriptionId: text("stripe_subscription_id"),
+  stripeSubscriptionStatus: text("stripe_subscription_status"),
+  stripePriceId: text("stripe_price_id"),
+  stripeCurrentPeriodEnd: integer("stripe_current_period_end", { mode: "timestamp" }),
+  stripeCancelAtPeriodEnd: integer("stripe_cancel_at_period_end", { mode: "boolean" }).notNull().default(false),
+  // Polar integration fields (populated by kavach-polar plugin)
+  polarCustomerId: text("polar_customer_id").unique(),
+  polarSubscriptionId: text("polar_subscription_id"),
+  polarSubscriptionStatus: text("polar_subscription_status"),
+  polarProductId: text("polar_product_id"),
+  polarCurrentPeriodEnd: integer("polar_current_period_end", { mode: "timestamp" }),
+  polarCancelAtPeriodEnd: integer("polar_cancel_at_period_end", { mode: "boolean" }).notNull().default(false),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var tenants = sqliteTable("kavach_tenants", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  slug: text("slug").notNull().unique(),
+  settings: text("settings", { mode: "json" }).$type(),
+  status: text("status", { enum: ["active", "suspended"] }).notNull().default("active"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var agents = sqliteTable("kavach_agents", {
+  id: text("id").primaryKey(),
+  ownerId: text("owner_id").notNull().references(() => users.id),
+  tenantId: text("tenant_id").references(() => tenants.id),
+  // nullable, for multi-tenant scoping
+  name: text("name").notNull(),
+  type: text("type", { enum: ["autonomous", "delegated", "service"] }).notNull(),
+  status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
+  tokenHash: text("token_hash").notNull(),
+  // hashed agent token
+  tokenPrefix: text("token_prefix").notNull(),
+  // first 8 chars for identification
+  expiresAt: integer("expires_at", { mode: "timestamp" }),
+  lastActiveAt: integer("last_active_at", { mode: "timestamp" }),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var permissions = sqliteTable("kavach_permissions", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  resource: text("resource").notNull(),
+  // e.g. "mcp:github:*", "tool:file_read"
+  actions: text("actions", { mode: "json" }).notNull().$type(),
+  // ["read", "write", "execute"]
+  constraints: text("constraints", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_delegation_chains", {
+  id: text("id").primaryKey(),
+  fromAgentId: text("from_agent_id").notNull().references(() => agents.id),
+  toAgentId: text("to_agent_id").notNull().references(() => agents.id),
+  permissions: text("permissions", { mode: "json" }).notNull().$type(),
+  depth: integer("depth").notNull().default(1),
+  maxDepth: integer("max_depth").notNull().default(3),
+  status: text("status", { enum: ["active", "revoked", "expired"] }).notNull().default("active"),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_audit_logs", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id),
+  userId: text("user_id").notNull().references(() => users.id),
+  action: text("action").notNull(),
+  // "execute", "read", "write", "delete"
+  resource: text("resource").notNull(),
+  // "mcp:github:create_issue"
+  parameters: text("parameters", { mode: "json" }).$type(),
+  result: text("result", { enum: ["allowed", "denied", "rate_limited"] }).notNull(),
+  reason: text("reason"),
+  // why denied/rate_limited
+  durationMs: integer("duration_ms").notNull(),
+  tokensCost: integer("tokens_cost"),
+  ip: text("ip"),
+  userAgent: text("user_agent"),
+  timestamp: integer("timestamp", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_rate_limits", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  resource: text("resource").notNull(),
+  windowStart: integer("window_start", { mode: "timestamp" }).notNull(),
+  count: integer("count").notNull().default(0)
+});
+sqliteTable("kavach_mcp_servers", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  endpoint: text("endpoint").notNull().unique(),
+  tools: text("tools", { mode: "json" }).notNull().$type(),
+  authRequired: integer("auth_required", { mode: "boolean" }).notNull().default(true),
+  rateLimitRpm: integer("rate_limit_rpm"),
+  status: text("status", { enum: ["active", "inactive"] }).notNull().default("active"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_sessions", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+var oauthClients = sqliteTable("kavach_oauth_clients", {
+  id: text("id").primaryKey(),
+  clientId: text("client_id").notNull().unique(),
+  clientSecret: text("client_secret"),
+  // null for public clients
+  clientName: text("client_name"),
+  clientUri: text("client_uri"),
+  redirectUris: text("redirect_uris", { mode: "json" }).notNull().$type(),
+  grantTypes: text("grant_types", { mode: "json" }).notNull().$type().default(["authorization_code"]),
+  responseTypes: text("response_types", { mode: "json" }).notNull().$type().default(["code"]),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method").notNull().default("client_secret_basic"),
+  type: text("type", { enum: ["public", "confidential"] }).notNull().default("confidential"),
+  disabled: integer("disabled", { mode: "boolean" }).notNull().default(false),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_oauth_access_tokens", {
+  id: text("id").primaryKey(),
+  accessToken: text("access_token").notNull().unique(),
+  refreshToken: text("refresh_token").unique(),
+  clientId: text("client_id").notNull().references(() => oauthClients.clientId),
+  userId: text("user_id").notNull().references(() => users.id),
+  scopes: text("scopes").notNull(),
+  // space-separated
+  resource: text("resource"),
+  // RFC 8707 - audience binding
+  accessTokenExpiresAt: integer("access_token_expires_at", { mode: "timestamp" }).notNull(),
+  refreshTokenExpiresAt: integer("refresh_token_expires_at", { mode: "timestamp" }),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_oauth_authorization_codes", {
+  id: text("id").primaryKey(),
+  code: text("code").notNull().unique(),
+  clientId: text("client_id").notNull().references(() => oauthClients.clientId),
+  userId: text("user_id").notNull().references(() => users.id),
+  redirectUri: text("redirect_uri").notNull(),
+  scopes: text("scopes").notNull(),
+  codeChallenge: text("code_challenge"),
+  // PKCE
+  codeChallengeMethod: text("code_challenge_method"),
+  // "S256"
+  resource: text("resource"),
+  // RFC 8707
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_budget_policies", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").references(() => agents.id, { onDelete: "cascade" }),
+  // nullable
+  userId: text("user_id").references(() => users.id),
+  // nullable
+  tenantId: text("tenant_id").references(() => tenants.id),
+  // nullable
+  limits: text("limits", { mode: "json" }).notNull().$type(),
+  currentUsage: text("current_usage", { mode: "json" }).notNull().$type(),
+  action: text("action", { enum: ["warn", "throttle", "block", "revoke"] }).notNull().default("warn"),
+  status: text("status", { enum: ["active", "triggered", "disabled"] }).notNull().default("active"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_agent_cards", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  description: text("description"),
+  version: text("version").notNull(),
+  protocols: text("protocols", { mode: "json" }).notNull().$type(),
+  capabilities: text("capabilities", { mode: "json" }).notNull().$type(),
+  authRequirements: text("auth_requirements", { mode: "json" }).notNull().$type(),
+  endpoint: text("endpoint"),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_approval_requests", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  userId: text("user_id").notNull().references(() => users.id),
+  action: text("action").notNull(),
+  resource: text("resource").notNull(),
+  arguments: text("arguments", { mode: "json" }).$type(),
+  status: text("status", { enum: ["pending", "approved", "denied", "expired"] }).notNull().default("pending"),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  respondedAt: integer("responded_at", { mode: "timestamp" }),
+  respondedBy: text("responded_by"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_trust_scores", {
+  agentId: text("agent_id").primaryKey().references(() => agents.id, { onDelete: "cascade" }),
+  score: integer("score").notNull(),
+  level: text("level", {
+    enum: ["untrusted", "limited", "standard", "trusted", "elevated"]
+  }).notNull(),
+  factors: text("factors", { mode: "json" }).notNull().$type(),
+  computedAt: integer("computed_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_magic_links", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull(),
+  token: text("token").notNull().unique(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  used: integer("used", { mode: "boolean" }).notNull().default(false),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_email_otps", {
+  id: text("id").primaryKey(),
+  email: text("email").notNull(),
+  codeHash: text("code_hash").notNull(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  attempts: integer("attempts").notNull().default(0),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_totp", {
+  userId: text("user_id").primaryKey().references(() => users.id),
+  secret: text("secret").notNull(),
+  // base32-encoded TOTP secret
+  enabled: integer("enabled", { mode: "boolean" }).notNull().default(false),
+  backupCodes: text("backup_codes", { mode: "json" }).notNull().$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+var organizations = sqliteTable("kavach_organizations", {
+  id: text("id").primaryKey(),
+  name: text("name").notNull(),
+  slug: text("slug").notNull().unique(),
+  ownerId: text("owner_id").notNull().references(() => users.id),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_org_members", {
+  id: text("id").primaryKey(),
+  orgId: text("org_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+  userId: text("user_id").notNull().references(() => users.id),
+  role: text("role").notNull().default("member"),
+  joinedAt: integer("joined_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_org_invitations", {
+  id: text("id").primaryKey(),
+  orgId: text("org_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+  email: text("email").notNull(),
+  role: text("role").notNull().default("member"),
+  invitedBy: text("invited_by").notNull().references(() => users.id),
+  status: text("status", { enum: ["pending", "accepted", "expired"] }).notNull().default("pending"),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_org_roles", {
+  id: text("id").primaryKey(),
+  orgId: text("org_id").notNull().references(() => organizations.id, { onDelete: "cascade" }),
+  name: text("name").notNull(),
+  permissions: text("permissions", { mode: "json" }).notNull().$type()
+});
+sqliteTable("kavach_passkey_credentials", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id),
+  credentialId: text("credential_id").notNull().unique(),
+  publicKey: text("public_key").notNull(),
+  // base64url-encoded COSE key
+  counter: integer("counter").notNull().default(0),
+  deviceName: text("device_name"),
+  transports: text("transports"),
+  // JSON array, e.g. '["internal","usb"]'
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  lastUsedAt: integer("last_used_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_sso_connections", {
+  id: text("id").primaryKey(),
+  orgId: text("org_id").notNull(),
+  providerId: text("provider_id").notNull(),
+  type: text("type", { enum: ["saml", "oidc"] }).notNull(),
+  domain: text("domain").notNull().unique(),
+  enabled: integer("enabled").notNull().default(1),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_api_keys", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id),
+  name: text("name").notNull(),
+  keyHash: text("key_hash").notNull(),
+  keyPrefix: text("key_prefix").notNull(),
+  permissions: text("permissions", { mode: "json" }).notNull().$type(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }),
+  lastUsedAt: integer("last_used_at", { mode: "timestamp" }),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_passkey_challenges", {
+  id: text("id").primaryKey(),
+  challenge: text("challenge").notNull().unique(),
+  userId: text("user_id"),
+  // null for discoverable credential flows
+  type: text("type", { enum: ["registration", "authentication"] }).notNull(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_username_accounts", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  username: text("username").notNull().unique(),
+  passwordHash: text("password_hash").notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_phone_verifications", {
+  id: text("id").primaryKey(),
+  phoneNumber: text("phone_number").notNull(),
+  codeHash: text("code_hash").notNull(),
+  attempts: integer("attempts").notNull().default(0),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_trusted_devices", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  fingerprint: text("fingerprint").notNull(),
+  // HMAC-SHA256 of stable request headers
+  label: text("label").notNull(),
+  // human-readable, e.g. "Mac", "iPhone"
+  trustedAt: integer("trusted_at", { mode: "timestamp" }).notNull(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_one_time_tokens", {
+  id: text("id").primaryKey(),
+  tokenHash: text("token_hash").notNull().unique(),
+  // SHA-256 hex of the raw token
+  purpose: text("purpose", {
+    enum: ["email-verify", "password-reset", "invitation", "custom"]
+  }).notNull(),
+  identifier: text("identifier").notNull(),
+  // email, userId, or any caller-supplied key
+  metadata: text("metadata", { mode: "json" }).$type(),
+  used: integer("used", { mode: "boolean" }).notNull().default(false),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_login_history", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  method: text("method").notNull(),
+  // LoginMethod — kept as text to support oauth:{provider} variants
+  ip: text("ip"),
+  userAgent: text("user_agent"),
+  timestamp: integer("timestamp", { mode: "timestamp_ms" }).notNull()
+});
+sqliteTable("kavach_agent_dids", {
+  agentId: text("agent_id").primaryKey().references(() => agents.id, { onDelete: "cascade" }),
+  did: text("did").notNull().unique(),
+  method: text("method", { enum: ["key", "web"] }).notNull(),
+  publicKeyJwk: text("public_key_jwk").notNull(),
+  // JSON-serialised JWK (public key only)
+  didDocument: text("did_document").notNull(),
+  // JSON-serialised DID Document
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_oidc_clients", {
+  id: text("id").primaryKey(),
+  clientId: text("client_id").notNull().unique(),
+  clientSecretHash: text("client_secret_hash").notNull(),
+  // SHA-256 hex of the raw secret
+  clientName: text("client_name").notNull(),
+  redirectUris: text("redirect_uris", { mode: "json" }).notNull().$type(),
+  grantTypes: text("grant_types", { mode: "json" }).notNull().$type(),
+  responseTypes: text("response_types", { mode: "json" }).notNull().$type(),
+  scopes: text("scopes", { mode: "json" }).notNull().$type(),
+  tokenEndpointAuthMethod: text("token_endpoint_auth_method").notNull().default("client_secret_post"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_oidc_auth_codes", {
+  id: text("id").primaryKey(),
+  codeHash: text("code_hash").notNull().unique(),
+  // SHA-256 hex of the raw code
+  clientId: text("client_id").notNull(),
+  userId: text("user_id").notNull(),
+  redirectUri: text("redirect_uri").notNull(),
+  scopes: text("scopes").notNull(),
+  // space-separated
+  nonce: text("nonce"),
+  codeChallenge: text("code_challenge"),
+  // PKCE S256
+  codeChallengeMethod: text("code_challenge_method"),
+  used: integer("used", { mode: "boolean" }).notNull().default(false),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_oidc_refresh_tokens", {
+  id: text("id").primaryKey(),
+  tokenHash: text("token_hash").notNull().unique(),
+  // SHA-256 hex of the raw token
+  clientId: text("client_id").notNull(),
+  userId: text("user_id").notNull(),
+  scopes: text("scopes").notNull(),
+  // space-separated
+  revoked: integer("revoked", { mode: "boolean" }).notNull().default(false),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_cost_events", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  tool: text("tool").notNull(),
+  // e.g. 'openai:gpt-4o', 'anthropic:claude-3-5-sonnet', 'mcp:github'
+  inputTokens: integer("input_tokens"),
+  outputTokens: integer("output_tokens"),
+  /** Cost stored as integer microdollars (costUsd × 1_000_000) to avoid float drift */
+  costMicros: integer("cost_micros").notNull(),
+  currency: text("currency").notNull().default("USD"),
+  metadata: text("metadata", { mode: "json" }).$type(),
+  delegationChainId: text("delegation_chain_id"),
+  // null when not part of a chain
+  recordedAt: integer("recorded_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_ephemeral_sessions", {
+  id: text("id").primaryKey(),
+  agentId: text("agent_id").notNull().references(() => agents.id, { onDelete: "cascade" }),
+  ownerId: text("owner_id").notNull().references(() => users.id),
+  tokenHash: text("token_hash").notNull().unique(),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  maxActions: integer("max_actions"),
+  // null = unlimited
+  actionsUsed: integer("actions_used").notNull().default(0),
+  status: text("status", { enum: ["active", "expired", "exhausted", "revoked"] }).notNull().default("active"),
+  auditGroupId: text("audit_group_id").notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_stream_events", {
+  id: text("id").primaryKey(),
+  type: text("type").notNull(),
+  timestamp: integer("timestamp", { mode: "timestamp" }).notNull(),
+  data: text("data", { mode: "json" }).notNull().$type(),
+  agentId: text("agent_id"),
+  userId: text("user_id")
+});
+sqliteTable("kavach_jwt_refresh_tokens", {
+  id: text("id").primaryKey(),
+  /** SHA-256 hex of the raw refresh token. The raw token is never stored. */
+  tokenHash: text("token_hash").notNull().unique(),
+  /** The user who owns this session. */
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  /** True once the token has been used in a refresh or explicit revocation. */
+  used: integer("used", { mode: "boolean" }).notNull().default(false),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_rebac_resources", {
+  id: text("id").notNull().primaryKey(),
+  type: text("type").notNull(),
+  // 'org', 'workspace', 'project', 'document', etc.
+  parentId: text("parent_id"),
+  parentType: text("parent_type"),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_rebac_relationships", {
+  id: text("id").primaryKey(),
+  subjectType: text("subject_type").notNull(),
+  // 'user', 'agent', 'team', 'role'
+  subjectId: text("subject_id").notNull(),
+  relation: text("relation").notNull(),
+  // 'owner', 'editor', 'viewer', 'member', 'parent'
+  objectType: text("object_type").notNull(),
+  objectId: text("object_id").notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_federation_instances", {
+  id: text("id").primaryKey(),
+  instanceId: text("instance_id").notNull().unique(),
+  instanceUrl: text("instance_url").notNull(),
+  publicKeyJwk: text("public_key_jwk"),
+  // JSON-serialised JWK (public key only)
+  trustLevel: text("trust_level", { enum: ["full", "limited", "verify-only"] }).notNull().default("verify-only"),
+  discoveredAt: integer("discovered_at", { mode: "timestamp" }),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull(),
+  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_federation_tokens", {
+  id: text("id").primaryKey(),
+  tokenJti: text("token_jti").notNull().unique(),
+  // JWT ID for dedup
+  agentId: text("agent_id").notNull(),
+  sourceInstanceId: text("source_instance_id").notNull(),
+  targetInstanceId: text("target_instance_id"),
+  direction: text("direction", { enum: ["issued", "received"] }).notNull(),
+  permissions: text("permissions", { mode: "json" }).notNull().$type(),
+  trustScore: integer("trust_score"),
+  // stored as integer 0-100
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+var refreshTokenFamilies = sqliteTable("kavach_refresh_token_families", {
+  id: text("id").primaryKey(),
+  userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+  /** Absolute session expiry — no rotation can extend beyond this date. */
+  absoluteExpiresAt: integer("absolute_expires_at", { mode: "timestamp" }).notNull(),
+  /** 0 = active, 1 = revoked (reuse detection or explicit logout). */
+  revoked: integer("revoked").notNull().default(0),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+sqliteTable("kavach_refresh_tokens", {
+  id: text("id").primaryKey(),
+  familyId: text("family_id").notNull().references(() => refreshTokenFamilies.id, { onDelete: "cascade" }),
+  /** SHA-256 hash of the opaque token — never store the raw token. */
+  tokenHash: text("token_hash").notNull().unique(),
+  /** 0 = unused, 1 = already consumed (one-time use). */
+  used: integer("used").notNull().default(0),
+  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+  createdAt: integer("created_at", { mode: "timestamp" }).notNull()
+});
+
+// src/agent/agent.ts
+async function generateAgentToken() {
+  const tokenBytes = randomBytes(32);
+  const token = `kv_${toBase64Url(tokenBytes)}`;
+  const hash = await sha256(token);
+  const prefix = token.slice(0, 11);
+  return { token, hash, prefix };
+}
+function parseTokenExpiry(expiry) {
+  const now = Date.now();
+  const match = expiry.match(/^(\d+)([smhd])$/);
+  if (!match) {
+    throw new Error(`Invalid token expiry format: ${expiry}. Use format like "24h", "7d", "30m".`);
+  }
+  const value = Number.parseInt(match[1], 10);
+  const unit = match[2];
+  const multipliers = {
+    s: 1e3,
+    m: 60 * 1e3,
+    h: 60 * 60 * 1e3,
+    d: 24 * 60 * 60 * 1e3
+  };
+  return new Date(now + value * (multipliers[unit] ?? 0));
+}
+function createAgentModule(config) {
+  const { db, maxPerUser, tokenExpiry } = config;
+  async function create(input) {
+    const existing = await db.select().from(agents).where(and(eq(agents.ownerId, input.ownerId), eq(agents.status, "active")));
+    if (existing.length >= maxPerUser) {
+      throw new Error(
+        `User ${input.ownerId} has reached the maximum of ${maxPerUser} active agents.`
+      );
+    }
+    const id = generateId();
+    const { token, hash, prefix } = await generateAgentToken();
+    const now = /* @__PURE__ */ new Date();
+    const expires = input.expiresAt ?? parseTokenExpiry(tokenExpiry);
+    await db.insert(agents).values({
+      id,
+      ownerId: input.ownerId,
+      tenantId: input.tenantId ?? null,
+      name: input.name,
+      type: input.type,
+      status: "active",
+      tokenHash: hash,
+      tokenPrefix: prefix,
+      expiresAt: expires,
+      metadata: input.metadata ?? {},
+      createdAt: now,
+      updatedAt: now
+    });
+    if (input.permissions.length > 0) {
+      await db.insert(permissions).values(
+        input.permissions.map((p) => ({
+          id: generateId(),
+          agentId: id,
+          resource: p.resource,
+          actions: p.actions,
+          constraints: p.constraints ?? null,
+          createdAt: now
+        }))
+      );
+    }
+    return {
+      id,
+      ownerId: input.ownerId,
+      tenantId: input.tenantId,
+      name: input.name,
+      type: input.type,
+      token,
+      permissions: input.permissions,
+      status: "active",
+      expiresAt: expires,
+      createdAt: now,
+      updatedAt: now
+    };
+  }
+  async function get(agentId) {
+    const rows = await db.select().from(agents).where(eq(agents.id, agentId)).limit(1);
+    const agent = rows[0];
+    if (!agent) return null;
+    const perms = await db.select().from(permissions).where(eq(permissions.agentId, agentId));
+    return {
+      id: agent.id,
+      ownerId: agent.ownerId,
+      tenantId: agent.tenantId ?? void 0,
+      name: agent.name,
+      type: agent.type,
+      token: "",
+      // never return token after creation
+      permissions: perms.map(toPermission),
+      status: agent.status,
+      expiresAt: agent.expiresAt,
+      createdAt: agent.createdAt,
+      updatedAt: agent.updatedAt
+    };
+  }
+  async function list(filter) {
+    let query = db.select().from(agents).$dynamic();
+    const conditions = [];
+    if (filter?.userId) conditions.push(eq(agents.ownerId, filter.userId));
+    if (filter?.tenantId) conditions.push(eq(agents.tenantId, filter.tenantId));
+    if (filter?.status) conditions.push(eq(agents.status, filter.status));
+    if (filter?.type) conditions.push(eq(agents.type, filter.type));
+    if (conditions.length > 0) {
+      query = query.where(and(...conditions));
+    }
+    const rows = await query;
+    const agentIds = rows.map((r) => r.id);
+    const permsByAgent = /* @__PURE__ */ new Map();
+    for (const id of agentIds) {
+      const perms = await db.select().from(permissions).where(eq(permissions.agentId, id));
+      permsByAgent.set(id, perms.map(toPermission));
+    }
+    return rows.map((agent) => ({
+      id: agent.id,
+      ownerId: agent.ownerId,
+      tenantId: agent.tenantId ?? void 0,
+      name: agent.name,
+      type: agent.type,
+      token: "",
+      permissions: permsByAgent.get(agent.id) ?? [],
+      status: agent.status,
+      expiresAt: agent.expiresAt,
+      createdAt: agent.createdAt,
+      updatedAt: agent.updatedAt
+    }));
+  }
+  async function update(agentId, input) {
+    const existing = await get(agentId);
+    if (!existing) throw new Error(`Agent ${agentId} not found.`);
+    const now = /* @__PURE__ */ new Date();
+    await db.update(agents).set({
+      name: input.name ?? existing.name,
+      expiresAt: input.expiresAt ?? existing.expiresAt,
+      metadata: input.metadata,
+      updatedAt: now
+    }).where(eq(agents.id, agentId));
+    if (input.permissions) {
+      await db.delete(permissions).where(eq(permissions.agentId, agentId));
+      if (input.permissions.length > 0) {
+        await db.insert(permissions).values(
+          input.permissions.map((p) => ({
+            id: generateId(),
+            agentId,
+            resource: p.resource,
+            actions: p.actions,
+            constraints: p.constraints ?? null,
+            createdAt: now
+          }))
+        );
+      }
+    }
+    const updated = await get(agentId);
+    if (!updated) throw new Error(`Agent ${agentId} disappeared after update.`);
+    return updated;
+  }
+  async function revoke(agentId) {
+    const existing = await get(agentId);
+    if (!existing) throw new Error(`Agent ${agentId} not found.`);
+    await db.update(agents).set({ status: "revoked", updatedAt: /* @__PURE__ */ new Date() }).where(eq(agents.id, agentId));
+  }
+  async function rotate(agentId) {
+    const existing = await get(agentId);
+    if (!existing) throw new Error(`Agent ${agentId} not found.`);
+    if (existing.status !== "active")
+      throw new Error(`Cannot rotate token for ${existing.status} agent.`);
+    const { token, hash, prefix } = await generateAgentToken();
+    const now = /* @__PURE__ */ new Date();
+    await db.update(agents).set({ tokenHash: hash, tokenPrefix: prefix, updatedAt: now }).where(eq(agents.id, agentId));
+    return { ...existing, token, updatedAt: now };
+  }
+  async function validateToken(token) {
+    const hash = await sha256(token);
+    const rows = await db.select().from(agents).where(eq(agents.tokenHash, hash)).limit(1);
+    const agent = rows[0];
+    if (!agent) return null;
+    if (agent.status !== "active") return null;
+    if (agent.expiresAt && agent.expiresAt < /* @__PURE__ */ new Date()) {
+      await db.update(agents).set({ status: "expired", updatedAt: /* @__PURE__ */ new Date() }).where(eq(agents.id, agent.id));
+      return null;
+    }
+    await db.update(agents).set({ lastActiveAt: /* @__PURE__ */ new Date() }).where(eq(agents.id, agent.id));
+    const perms = await db.select().from(permissions).where(eq(permissions.agentId, agent.id));
+    return {
+      id: agent.id,
+      ownerId: agent.ownerId,
+      tenantId: agent.tenantId ?? void 0,
+      name: agent.name,
+      type: agent.type,
+      token: "",
+      permissions: perms.map(toPermission),
+      status: "active",
+      expiresAt: agent.expiresAt,
+      createdAt: agent.createdAt,
+      updatedAt: agent.updatedAt
+    };
+  }
+  return { create, get, list, update, revoke, rotate, validateToken };
+}
+function toPermission(row) {
+  return {
+    resource: row.resource,
+    actions: row.actions,
+    constraints: row.constraints ?? void 0
+  };
+}
+
+export { createAgentModule };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map