kavachos 0.2.1 → 0.3.0

package/dist/index.js CHANGED
@@ -15430,6 +15430,70 @@ function createDatabaseSync(config) {
15430
15430
  }
15431
15431
 
15432
15432
  // src/db/migrations.ts
15433
+ var ALL_FEATURES_ENABLED = {
15434
+ core: true,
15435
+ session: true,
15436
+ agent: true,
15437
+ audit: true,
15438
+ oauth: true,
15439
+ tenant: true,
15440
+ mcp: true,
15441
+ org: true,
15442
+ rateLimit: true,
15443
+ budget: true,
15444
+ magicLink: true,
15445
+ emailOtp: true,
15446
+ totp: true,
15447
+ passkey: true,
15448
+ sso: true,
15449
+ apiKey: true,
15450
+ username: true,
15451
+ phone: true,
15452
+ device: true,
15453
+ oneTimeToken: true,
15454
+ loginHistory: true,
15455
+ oidcProvider: true,
15456
+ jwt: true,
15457
+ rebac: true,
15458
+ federation: true
15459
+ };
15460
+ function resolveEnabledFeatures(config) {
15461
+ if (!config) {
15462
+ return ALL_FEATURES_ENABLED;
15463
+ }
15464
+ const hasAgents = !!config.agents || !!config.did;
15465
+ const hasSession = !!config.auth?.session;
15466
+ const hasOAuth = config.plugins?.some((p2) => p2.id === "kavach-oauth") ?? false;
15467
+ const hasOidc = config.plugins?.some((p2) => p2.id === "kavach-oidc-provider") ?? false;
15468
+ return {
15469
+ core: true,
15470
+ session: hasSession,
15471
+ agent: hasAgents,
15472
+ audit: hasAgents,
15473
+ oauth: hasOAuth,
15474
+ tenant: hasAgents,
15475
+ mcp: !!config.mcp,
15476
+ org: !!config.org,
15477
+ rateLimit: hasAgents,
15478
+ budget: hasAgents,
15479
+ magicLink: !!config.magicLink,
15480
+ emailOtp: !!config.emailOtp,
15481
+ totp: !!config.totp,
15482
+ passkey: !!config.passkey,
15483
+ sso: !!config.sso,
15484
+ apiKey: !!config.apiKeys,
15485
+ username: !!config.username,
15486
+ phone: !!config.phone,
15487
+ device: hasSession,
15488
+ oneTimeToken: !!config.magicLink || !!config.emailOtp || !!config.passwordReset,
15489
+ loginHistory: hasSession,
15490
+ oidcProvider: hasOidc,
15491
+ jwt: hasSession,
15492
+ rebac: hasAgents,
15493
+ federation: false
15494
+ // only when explicitly configured (no config key yet)
15495
+ };
15496
+ }
15433
15497
  function buildStatements(provider) {
15434
15498
  const isPostgres = provider === "postgres";
15435
15499
  const isMysql = provider === "mysql";
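Review bot: Several flags in `resolveEnabledFeatures` are inferred from unrelated keys rather than from the feature they gate: `audit`, `rateLimit` and `budget` follow `hasAgents`, and `jwt`, `device` and `loginHistory` follow `config.auth?.session`, so a deployment that omits those keys gets no audit-log, rate-limit or login-history tables. Whether the runtime paths that write to those tables fail closed or swallow a missing-table error is not visible in this hunk and should be confirmed. `oneTimeToken` also looks too narrow: the `kavach_one_time_tokens` comment later in the file lists email verification and invitations as purposes, yet the flag only checks `magicLink`, `emailOtp` and `passwordReset`. The `!config` branch hands out the shared `ALL_FEATURES_ENABLED` object by reference; `return { ...ALL_FEATURES_ENABLED };` would keep a caller's mutation from leaking into later calls.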
@@ -15442,7 +15506,9 @@ function buildStatements(provider) {
15442
15506
  // ------------------------------------------------------------------
15443
15507
  // kavach_users
15444
15508
  // ------------------------------------------------------------------
15445
- `CREATE TABLE ${ifne} kavach_users (
15509
+ {
15510
+ feature: "core",
15511
+ sql: `CREATE TABLE ${ifne} kavach_users (
15446
15512
  id TEXT NOT NULL PRIMARY KEY,
15447
15513
  email TEXT NOT NULL UNIQUE,
15448
15514
  username TEXT UNIQUE,
@@ -15469,11 +15535,14 @@ function buildStatements(provider) {
15469
15535
  polar_cancel_at_period_end ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15470
15536
  created_at ${ts} NOT NULL,
15471
15537
  updated_at ${ts} NOT NULL
15472
- )`,
15538
+ )`
15539
+ },
15473
15540
  // ------------------------------------------------------------------
15474
15541
  // kavach_tenants (must come before kavach_agents – agents FK to tenants)
15475
15542
  // ------------------------------------------------------------------
15476
- `CREATE TABLE ${ifne} kavach_tenants (
15543
+ {
15544
+ feature: "tenant",
15545
+ sql: `CREATE TABLE ${ifne} kavach_tenants (
15477
15546
  id TEXT NOT NULL PRIMARY KEY,
15478
15547
  name TEXT NOT NULL,
15479
15548
  slug TEXT NOT NULL UNIQUE,
@@ -15481,11 +15550,14 @@ function buildStatements(provider) {
15481
15550
  status TEXT NOT NULL DEFAULT 'active',
15482
15551
  created_at ${ts} NOT NULL,
15483
15552
  updated_at ${ts} NOT NULL
15484
- )`,
15553
+ )`
15554
+ },
15485
15555
  // ------------------------------------------------------------------
15486
15556
  // kavach_agents
15487
15557
  // ------------------------------------------------------------------
15488
- `CREATE TABLE ${ifne} kavach_agents (
15558
+ {
15559
+ feature: "agent",
15560
+ sql: `CREATE TABLE ${ifne} kavach_agents (
15489
15561
  id TEXT NOT NULL PRIMARY KEY,
15490
15562
  owner_id TEXT NOT NULL REFERENCES kavach_users(id),
15491
15563
  tenant_id TEXT REFERENCES kavach_tenants(id),
@@ -15499,22 +15571,28 @@ function buildStatements(provider) {
15499
15571
  metadata ${json2},
15500
15572
  created_at ${ts} NOT NULL,
15501
15573
  updated_at ${ts} NOT NULL
15502
- )`,
15574
+ )`
15575
+ },
15503
15576
  // ------------------------------------------------------------------
15504
15577
  // kavach_permissions
15505
15578
  // ------------------------------------------------------------------
15506
- `CREATE TABLE ${ifne} kavach_permissions (
15579
+ {
15580
+ feature: "agent",
15581
+ sql: `CREATE TABLE ${ifne} kavach_permissions (
15507
15582
  id TEXT NOT NULL PRIMARY KEY,
15508
15583
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15509
15584
  resource TEXT NOT NULL,
15510
15585
  actions ${json2} NOT NULL,
15511
15586
  constraints ${json2},
15512
15587
  created_at ${ts} NOT NULL
15513
- )`,
15588
+ )`
15589
+ },
15514
15590
  // ------------------------------------------------------------------
15515
15591
  // kavach_delegation_chains
15516
15592
  // ------------------------------------------------------------------
15517
- `CREATE TABLE ${ifne} kavach_delegation_chains (
15593
+ {
15594
+ feature: "agent",
15595
+ sql: `CREATE TABLE ${ifne} kavach_delegation_chains (
15518
15596
  id TEXT NOT NULL PRIMARY KEY,
15519
15597
  from_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),
15520
15598
  to_agent_id TEXT NOT NULL REFERENCES kavach_agents(id),
@@ -15524,11 +15602,14 @@ function buildStatements(provider) {
15524
15602
  status TEXT NOT NULL DEFAULT 'active',
15525
15603
  expires_at ${ts} NOT NULL,
15526
15604
  created_at ${ts} NOT NULL
15527
- )`,
15605
+ )`
15606
+ },
15528
15607
  // ------------------------------------------------------------------
15529
15608
  // kavach_audit_logs
15530
15609
  // ------------------------------------------------------------------
15531
- `CREATE TABLE ${ifne} kavach_audit_logs (
15610
+ {
15611
+ feature: "audit",
15612
+ sql: `CREATE TABLE ${ifne} kavach_audit_logs (
15532
15613
  id TEXT NOT NULL PRIMARY KEY,
15533
15614
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id),
15534
15615
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
@@ -15542,21 +15623,27 @@ function buildStatements(provider) {
15542
15623
  ip TEXT,
15543
15624
  user_agent TEXT,
15544
15625
  timestamp ${ts} NOT NULL
15545
- )`,
15626
+ )`
15627
+ },
15546
15628
  // ------------------------------------------------------------------
15547
15629
  // kavach_rate_limits
15548
15630
  // ------------------------------------------------------------------
15549
- `CREATE TABLE ${ifne} kavach_rate_limits (
15631
+ {
15632
+ feature: "rateLimit",
15633
+ sql: `CREATE TABLE ${ifne} kavach_rate_limits (
15550
15634
  id TEXT NOT NULL PRIMARY KEY,
15551
15635
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15552
15636
  resource TEXT NOT NULL,
15553
15637
  window_start ${ts} NOT NULL,
15554
15638
  count INTEGER NOT NULL DEFAULT 0
15555
- )`,
15639
+ )`
15640
+ },
15556
15641
  // ------------------------------------------------------------------
15557
15642
  // kavach_mcp_servers
15558
15643
  // ------------------------------------------------------------------
15559
- `CREATE TABLE ${ifne} kavach_mcp_servers (
15644
+ {
15645
+ feature: "mcp",
15646
+ sql: `CREATE TABLE ${ifne} kavach_mcp_servers (
15560
15647
  id TEXT NOT NULL PRIMARY KEY,
15561
15648
  name TEXT NOT NULL,
15562
15649
  endpoint TEXT NOT NULL UNIQUE,
@@ -15566,21 +15653,27 @@ function buildStatements(provider) {
15566
15653
  status TEXT NOT NULL DEFAULT 'active',
15567
15654
  created_at ${ts} NOT NULL,
15568
15655
  updated_at ${ts} NOT NULL
15569
- )`,
15656
+ )`
15657
+ },
15570
15658
  // ------------------------------------------------------------------
15571
15659
  // kavach_sessions
15572
15660
  // ------------------------------------------------------------------
15573
- `CREATE TABLE ${ifne} kavach_sessions (
15661
+ {
15662
+ feature: "session",
15663
+ sql: `CREATE TABLE ${ifne} kavach_sessions (
15574
15664
  id TEXT NOT NULL PRIMARY KEY,
15575
15665
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
15576
15666
  expires_at ${ts} NOT NULL,
15577
15667
  metadata ${json2},
15578
15668
  created_at ${ts} NOT NULL
15579
- )`,
15669
+ )`
15670
+ },
15580
15671
  // ------------------------------------------------------------------
15581
15672
  // kavach_oauth_clients
15582
15673
  // ------------------------------------------------------------------
15583
- `CREATE TABLE ${ifne} kavach_oauth_clients (
15674
+ {
15675
+ feature: "oauth",
15676
+ sql: `CREATE TABLE ${ifne} kavach_oauth_clients (
15584
15677
  id TEXT NOT NULL PRIMARY KEY,
15585
15678
  client_id TEXT NOT NULL UNIQUE,
15586
15679
  client_secret TEXT,
@@ -15595,11 +15688,14 @@ function buildStatements(provider) {
15595
15688
  metadata ${json2},
15596
15689
  created_at ${ts} NOT NULL,
15597
15690
  updated_at ${ts} NOT NULL
15598
- )`,
15691
+ )`
15692
+ },
15599
15693
  // ------------------------------------------------------------------
15600
15694
  // kavach_oauth_access_tokens
15601
15695
  // ------------------------------------------------------------------
15602
- `CREATE TABLE ${ifne} kavach_oauth_access_tokens (
15696
+ {
15697
+ feature: "oauth",
15698
+ sql: `CREATE TABLE ${ifne} kavach_oauth_access_tokens (
15603
15699
  id TEXT NOT NULL PRIMARY KEY,
15604
15700
  access_token TEXT NOT NULL UNIQUE,
15605
15701
  refresh_token TEXT UNIQUE,
@@ -15610,11 +15706,14 @@ function buildStatements(provider) {
15610
15706
  access_token_expires_at ${ts} NOT NULL,
15611
15707
  refresh_token_expires_at ${tsNull},
15612
15708
  created_at ${ts} NOT NULL
15613
- )`,
15709
+ )`
15710
+ },
15614
15711
  // ------------------------------------------------------------------
15615
15712
  // kavach_oauth_authorization_codes
15616
15713
  // ------------------------------------------------------------------
15617
- `CREATE TABLE ${ifne} kavach_oauth_authorization_codes (
15714
+ {
15715
+ feature: "oauth",
15716
+ sql: `CREATE TABLE ${ifne} kavach_oauth_authorization_codes (
15618
15717
  id TEXT NOT NULL PRIMARY KEY,
15619
15718
  code TEXT NOT NULL UNIQUE,
15620
15719
  client_id TEXT NOT NULL REFERENCES kavach_oauth_clients(client_id),
@@ -15626,11 +15725,14 @@ function buildStatements(provider) {
15626
15725
  resource TEXT,
15627
15726
  expires_at ${ts} NOT NULL,
15628
15727
  created_at ${ts} NOT NULL
15629
- )`,
15728
+ )`
15729
+ },
15630
15730
  // ------------------------------------------------------------------
15631
15731
  // kavach_oauth_accounts (provider account linking)
15632
15732
  // ------------------------------------------------------------------
15633
- `CREATE TABLE ${ifne} kavach_oauth_accounts (
15733
+ {
15734
+ feature: "oauth",
15735
+ sql: `CREATE TABLE ${ifne} kavach_oauth_accounts (
15634
15736
  id TEXT NOT NULL PRIMARY KEY,
15635
15737
  user_id TEXT NOT NULL,
15636
15738
  provider TEXT NOT NULL,
@@ -15640,22 +15742,28 @@ function buildStatements(provider) {
15640
15742
  expires_at ${tsNull},
15641
15743
  created_at ${ts} NOT NULL,
15642
15744
  updated_at ${ts} NOT NULL
15643
- )`,
15745
+ )`
15746
+ },
15644
15747
  // ------------------------------------------------------------------
15645
15748
  // kavach_oauth_states (PKCE state for CSRF protection)
15646
15749
  // ------------------------------------------------------------------
15647
- `CREATE TABLE ${ifne} kavach_oauth_states (
15750
+ {
15751
+ feature: "oauth",
15752
+ sql: `CREATE TABLE ${ifne} kavach_oauth_states (
15648
15753
  state TEXT NOT NULL PRIMARY KEY,
15649
15754
  code_verifier TEXT NOT NULL,
15650
15755
  redirect_uri TEXT NOT NULL,
15651
15756
  provider TEXT NOT NULL,
15652
15757
  expires_at ${ts} NOT NULL,
15653
15758
  created_at ${ts} NOT NULL
15654
- )`,
15759
+ )`
15760
+ },
15655
15761
  // ------------------------------------------------------------------
15656
15762
  // kavach_budget_policies
15657
15763
  // ------------------------------------------------------------------
15658
- `CREATE TABLE ${ifne} kavach_budget_policies (
15764
+ {
15765
+ feature: "budget",
15766
+ sql: `CREATE TABLE ${ifne} kavach_budget_policies (
15659
15767
  id TEXT NOT NULL PRIMARY KEY,
15660
15768
  agent_id TEXT REFERENCES kavach_agents(id) ON DELETE CASCADE,
15661
15769
  user_id TEXT REFERENCES kavach_users(id),
@@ -15665,11 +15773,14 @@ function buildStatements(provider) {
15665
15773
  action TEXT NOT NULL DEFAULT 'warn',
15666
15774
  status TEXT NOT NULL DEFAULT 'active',
15667
15775
  created_at ${ts} NOT NULL
15668
- )`,
15776
+ )`
15777
+ },
15669
15778
  // ------------------------------------------------------------------
15670
15779
  // kavach_agent_cards (A2A discovery)
15671
15780
  // ------------------------------------------------------------------
15672
- `CREATE TABLE ${ifne} kavach_agent_cards (
15781
+ {
15782
+ feature: "agent",
15783
+ sql: `CREATE TABLE ${ifne} kavach_agent_cards (
15673
15784
  id TEXT NOT NULL PRIMARY KEY,
15674
15785
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15675
15786
  name TEXT NOT NULL,
@@ -15682,11 +15793,14 @@ function buildStatements(provider) {
15682
15793
  metadata ${json2},
15683
15794
  created_at ${ts} NOT NULL,
15684
15795
  updated_at ${ts} NOT NULL
15685
- )`,
15796
+ )`
15797
+ },
15686
15798
  // ------------------------------------------------------------------
15687
15799
  // kavach_approval_requests (CIBA async approval flows)
15688
15800
  // ------------------------------------------------------------------
15689
- `CREATE TABLE ${ifne} kavach_approval_requests (
15801
+ {
15802
+ feature: "agent",
15803
+ sql: `CREATE TABLE ${ifne} kavach_approval_requests (
15690
15804
  id TEXT NOT NULL PRIMARY KEY,
15691
15805
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15692
15806
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
@@ -15698,21 +15812,27 @@ function buildStatements(provider) {
15698
15812
  responded_at ${tsNull},
15699
15813
  responded_by TEXT,
15700
15814
  created_at ${ts} NOT NULL
15701
- )`,
15815
+ )`
15816
+ },
15702
15817
  // ------------------------------------------------------------------
15703
15818
  // kavach_trust_scores (graduated autonomy scoring)
15704
15819
  // ------------------------------------------------------------------
15705
- `CREATE TABLE ${ifne} kavach_trust_scores (
15820
+ {
15821
+ feature: "agent",
15822
+ sql: `CREATE TABLE ${ifne} kavach_trust_scores (
15706
15823
  agent_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,
15707
15824
  score INTEGER NOT NULL,
15708
15825
  level TEXT NOT NULL,
15709
15826
  factors ${json2} NOT NULL,
15710
15827
  computed_at ${ts} NOT NULL
15711
- )`,
15828
+ )`
15829
+ },
15712
15830
  // ------------------------------------------------------------------
15713
15831
  // kavach_organizations
15714
15832
  // ------------------------------------------------------------------
15715
- `CREATE TABLE ${ifne} kavach_organizations (
15833
+ {
15834
+ feature: "org",
15835
+ sql: `CREATE TABLE ${ifne} kavach_organizations (
15716
15836
  id TEXT NOT NULL PRIMARY KEY,
15717
15837
  name TEXT NOT NULL,
15718
15838
  slug TEXT NOT NULL UNIQUE,
@@ -15720,22 +15840,28 @@ function buildStatements(provider) {
15720
15840
  metadata ${json2},
15721
15841
  created_at ${ts} NOT NULL,
15722
15842
  updated_at ${ts} NOT NULL
15723
- )`,
15843
+ )`
15844
+ },
15724
15845
  // ------------------------------------------------------------------
15725
15846
  // kavach_org_members
15726
15847
  // ------------------------------------------------------------------
15727
- `CREATE TABLE ${ifne} kavach_org_members (
15848
+ {
15849
+ feature: "org",
15850
+ sql: `CREATE TABLE ${ifne} kavach_org_members (
15728
15851
  id TEXT NOT NULL PRIMARY KEY,
15729
15852
  org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
15730
15853
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
15731
15854
  role TEXT NOT NULL DEFAULT 'member',
15732
15855
  joined_at ${ts} NOT NULL,
15733
15856
  UNIQUE(org_id, user_id)
15734
- )`,
15857
+ )`
15858
+ },
15735
15859
  // ------------------------------------------------------------------
15736
15860
  // kavach_org_invitations
15737
15861
  // ------------------------------------------------------------------
15738
- `CREATE TABLE ${ifne} kavach_org_invitations (
15862
+ {
15863
+ feature: "org",
15864
+ sql: `CREATE TABLE ${ifne} kavach_org_invitations (
15739
15865
  id TEXT NOT NULL PRIMARY KEY,
15740
15866
  org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
15741
15867
  email TEXT NOT NULL,
@@ -15744,21 +15870,27 @@ function buildStatements(provider) {
15744
15870
  status TEXT NOT NULL DEFAULT 'pending',
15745
15871
  expires_at ${ts} NOT NULL,
15746
15872
  created_at ${ts} NOT NULL
15747
- )`,
15873
+ )`
15874
+ },
15748
15875
  // ------------------------------------------------------------------
15749
15876
  // kavach_org_roles
15750
15877
  // ------------------------------------------------------------------
15751
- `CREATE TABLE ${ifne} kavach_org_roles (
15878
+ {
15879
+ feature: "org",
15880
+ sql: `CREATE TABLE ${ifne} kavach_org_roles (
15752
15881
  id TEXT NOT NULL PRIMARY KEY,
15753
15882
  org_id TEXT NOT NULL REFERENCES kavach_organizations(id) ON DELETE CASCADE,
15754
15883
  name TEXT NOT NULL,
15755
15884
  permissions ${json2} NOT NULL,
15756
15885
  UNIQUE(org_id, name)
15757
- )`,
15886
+ )`
15887
+ },
15758
15888
  // ------------------------------------------------------------------
15759
15889
  // kavach_passkey_credentials (WebAuthn / FIDO2 passkeys)
15760
15890
  // ------------------------------------------------------------------
15761
- `CREATE TABLE ${ifne} kavach_passkey_credentials (
15891
+ {
15892
+ feature: "passkey",
15893
+ sql: `CREATE TABLE ${ifne} kavach_passkey_credentials (
15762
15894
  id TEXT NOT NULL PRIMARY KEY,
15763
15895
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
15764
15896
  credential_id TEXT NOT NULL UNIQUE,
@@ -15768,22 +15900,28 @@ function buildStatements(provider) {
15768
15900
  transports TEXT,
15769
15901
  created_at ${ts} NOT NULL,
15770
15902
  last_used_at ${ts} NOT NULL
15771
- )`,
15903
+ )`
15904
+ },
15772
15905
  // ------------------------------------------------------------------
15773
15906
  // kavach_passkey_challenges (short-lived WebAuthn challenges)
15774
15907
  // ------------------------------------------------------------------
15775
- `CREATE TABLE ${ifne} kavach_passkey_challenges (
15908
+ {
15909
+ feature: "passkey",
15910
+ sql: `CREATE TABLE ${ifne} kavach_passkey_challenges (
15776
15911
  id TEXT NOT NULL PRIMARY KEY,
15777
15912
  challenge TEXT NOT NULL UNIQUE,
15778
15913
  user_id TEXT,
15779
15914
  type TEXT NOT NULL,
15780
15915
  expires_at ${ts} NOT NULL,
15781
15916
  created_at ${ts} NOT NULL
15782
- )`,
15917
+ )`
15918
+ },
15783
15919
  // ------------------------------------------------------------------
15784
15920
  // kavach_one_time_tokens (email verify, password reset, invitation)
15785
15921
  // ------------------------------------------------------------------
15786
- `CREATE TABLE ${ifne} kavach_one_time_tokens (
15922
+ {
15923
+ feature: "oneTimeToken",
15924
+ sql: `CREATE TABLE ${ifne} kavach_one_time_tokens (
15787
15925
  id TEXT NOT NULL PRIMARY KEY,
15788
15926
  token_hash TEXT NOT NULL UNIQUE,
15789
15927
  purpose TEXT NOT NULL,
@@ -15792,55 +15930,70 @@ function buildStatements(provider) {
15792
15930
  used ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15793
15931
  expires_at ${ts} NOT NULL,
15794
15932
  created_at ${ts} NOT NULL
15795
- )`,
15933
+ )`
15934
+ },
15796
15935
  // ------------------------------------------------------------------
15797
15936
  // kavach_agent_dids (W3C Decentralized Identifiers per agent)
15798
15937
  // ------------------------------------------------------------------
15799
- `CREATE TABLE ${ifne} kavach_agent_dids (
15938
+ {
15939
+ feature: "agent",
15940
+ sql: `CREATE TABLE ${ifne} kavach_agent_dids (
15800
15941
  agent_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_agents(id) ON DELETE CASCADE,
15801
15942
  did TEXT NOT NULL UNIQUE,
15802
15943
  method TEXT NOT NULL,
15803
15944
  public_key_jwk TEXT NOT NULL,
15804
15945
  did_document TEXT NOT NULL,
15805
15946
  created_at ${ts} NOT NULL
15806
- )`,
15947
+ )`
15948
+ },
15807
15949
  // ------------------------------------------------------------------
15808
15950
  // kavach_magic_links (passwordless email login)
15809
15951
  // ------------------------------------------------------------------
15810
- `CREATE TABLE ${ifne} kavach_magic_links (
15952
+ {
15953
+ feature: "magicLink",
15954
+ sql: `CREATE TABLE ${ifne} kavach_magic_links (
15811
15955
  id TEXT NOT NULL PRIMARY KEY,
15812
15956
  email TEXT NOT NULL,
15813
15957
  token TEXT NOT NULL UNIQUE,
15814
15958
  expires_at ${ts} NOT NULL,
15815
15959
  used ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15816
15960
  created_at ${ts} NOT NULL
15817
- )`,
15961
+ )`
15962
+ },
15818
15963
  // ------------------------------------------------------------------
15819
15964
  // kavach_email_otps (one-time password login)
15820
15965
  // ------------------------------------------------------------------
15821
- `CREATE TABLE ${ifne} kavach_email_otps (
15966
+ {
15967
+ feature: "emailOtp",
15968
+ sql: `CREATE TABLE ${ifne} kavach_email_otps (
15822
15969
  id TEXT NOT NULL PRIMARY KEY,
15823
15970
  email TEXT NOT NULL,
15824
15971
  code_hash TEXT NOT NULL,
15825
15972
  expires_at ${ts} NOT NULL,
15826
15973
  attempts INTEGER NOT NULL DEFAULT 0,
15827
15974
  created_at ${ts} NOT NULL
15828
- )`,
15975
+ )`
15976
+ },
15829
15977
  // ------------------------------------------------------------------
15830
15978
  // kavach_totp (TOTP two-factor authentication)
15831
15979
  // ------------------------------------------------------------------
15832
- `CREATE TABLE ${ifne} kavach_totp (
15980
+ {
15981
+ feature: "totp",
15982
+ sql: `CREATE TABLE ${ifne} kavach_totp (
15833
15983
  user_id TEXT NOT NULL PRIMARY KEY REFERENCES kavach_users(id),
15834
15984
  secret TEXT NOT NULL,
15835
15985
  enabled ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15836
15986
  backup_codes ${json2} NOT NULL,
15837
15987
  created_at ${ts} NOT NULL,
15838
15988
  updated_at ${ts} NOT NULL
15839
- )`,
15989
+ )`
15990
+ },
15840
15991
  // ------------------------------------------------------------------
15841
15992
  // kavach_sso_connections (SAML 2.0 / OIDC enterprise SSO)
15842
15993
  // ------------------------------------------------------------------
15843
- `CREATE TABLE ${ifne} kavach_sso_connections (
15994
+ {
15995
+ feature: "sso",
15996
+ sql: `CREATE TABLE ${ifne} kavach_sso_connections (
15844
15997
  id TEXT NOT NULL PRIMARY KEY,
15845
15998
  org_id TEXT NOT NULL,
15846
15999
  provider_id TEXT NOT NULL,
@@ -15848,11 +16001,14 @@ function buildStatements(provider) {
15848
16001
  domain TEXT NOT NULL UNIQUE,
15849
16002
  enabled INTEGER NOT NULL DEFAULT 1,
15850
16003
  created_at ${ts} NOT NULL
15851
- )`,
16004
+ )`
16005
+ },
15852
16006
  // ------------------------------------------------------------------
15853
16007
  // kavach_api_keys (static bearer tokens with permission scopes)
15854
16008
  // ------------------------------------------------------------------
15855
- `CREATE TABLE ${ifne} kavach_api_keys (
16009
+ {
16010
+ feature: "apiKey",
16011
+ sql: `CREATE TABLE ${ifne} kavach_api_keys (
15856
16012
  id TEXT NOT NULL PRIMARY KEY,
15857
16013
  user_id TEXT NOT NULL REFERENCES kavach_users(id),
15858
16014
  name TEXT NOT NULL,
@@ -15862,57 +16018,75 @@ function buildStatements(provider) {
15862
16018
  expires_at ${tsNull},
15863
16019
  last_used_at ${tsNull},
15864
16020
  created_at ${ts} NOT NULL
15865
- )`,
16021
+ )`
16022
+ },
15866
16023
  // ------------------------------------------------------------------
15867
16024
  // kavach_username_accounts (username + password auth)
15868
16025
  // ------------------------------------------------------------------
15869
- `CREATE TABLE ${ifne} kavach_username_accounts (
16026
+ {
16027
+ feature: "username",
16028
+ sql: `CREATE TABLE ${ifne} kavach_username_accounts (
15870
16029
  id TEXT NOT NULL PRIMARY KEY,
15871
16030
  user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
15872
16031
  username TEXT NOT NULL UNIQUE,
15873
16032
  password_hash TEXT NOT NULL,
15874
16033
  created_at ${ts} NOT NULL,
15875
16034
  updated_at ${ts} NOT NULL
15876
- )`,
16035
+ )`
16036
+ },
15877
16037
  // ------------------------------------------------------------------
15878
16038
  // kavach_phone_verifications (SMS OTP)
15879
16039
  // ------------------------------------------------------------------
15880
- `CREATE TABLE ${ifne} kavach_phone_verifications (
16040
+ {
16041
+ feature: "phone",
16042
+ sql: `CREATE TABLE ${ifne} kavach_phone_verifications (
15881
16043
  id TEXT NOT NULL PRIMARY KEY,
15882
16044
  phone_number TEXT NOT NULL,
15883
16045
  code_hash TEXT NOT NULL,
15884
16046
  attempts INTEGER NOT NULL DEFAULT 0,
15885
16047
  expires_at ${ts} NOT NULL,
15886
16048
  created_at ${ts} NOT NULL
15887
- )`,
16049
+ )`
16050
+ },
15888
16051
  // ------------------------------------------------------------------
15889
16052
  // kavach_trusted_devices (skip 2FA on trusted devices for a window)
15890
16053
  // ------------------------------------------------------------------
15891
- `CREATE TABLE ${ifne} kavach_trusted_devices (
16054
+ {
16055
+ feature: "device",
16056
+ sql: `CREATE TABLE ${ifne} kavach_trusted_devices (
15892
16057
  id TEXT NOT NULL PRIMARY KEY,
15893
16058
  user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
15894
16059
  fingerprint TEXT NOT NULL,
15895
16060
  label TEXT NOT NULL,
15896
16061
  trusted_at ${ts} NOT NULL,
15897
16062
  expires_at ${ts} NOT NULL
15898
- )`,
16063
+ )`
16064
+ },
15899
16065
  // ------------------------------------------------------------------
15900
16066
  // kavach_login_history (last-login method tracking per user)
15901
16067
  // ------------------------------------------------------------------
15902
- `CREATE TABLE ${ifne} kavach_login_history (
16068
+ {
16069
+ feature: "loginHistory",
16070
+ sql: `CREATE TABLE ${ifne} kavach_login_history (
15903
16071
  id TEXT NOT NULL PRIMARY KEY,
15904
16072
  user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
15905
16073
  method TEXT NOT NULL,
15906
16074
  ip TEXT,
15907
16075
  user_agent TEXT,
15908
16076
  timestamp ${ts} NOT NULL
15909
- )`,
15910
- `CREATE INDEX ${ifne} kavach_login_history_user_ts
15911
- ON kavach_login_history (user_id, timestamp DESC)`,
16077
+ )`
16078
+ },
16079
+ {
16080
+ feature: "loginHistory",
16081
+ sql: `CREATE INDEX ${ifne} kavach_login_history_user_ts
16082
+ ON kavach_login_history (user_id, timestamp DESC)`
16083
+ },
15912
16084
  // ------------------------------------------------------------------
15913
16085
  // kavach_oidc_clients (OIDC Provider — registered relying parties)
15914
16086
  // ------------------------------------------------------------------
15915
- `CREATE TABLE ${ifne} kavach_oidc_clients (
16087
+ {
16088
+ feature: "oidcProvider",
16089
+ sql: `CREATE TABLE ${ifne} kavach_oidc_clients (
15916
16090
  id TEXT NOT NULL PRIMARY KEY,
15917
16091
  client_id TEXT NOT NULL UNIQUE,
15918
16092
  client_secret_hash TEXT NOT NULL,
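Review bot: The `kavach_login_history_user_ts` index is now its own entry with a second `feature: "loginHistory"` tag, so the index and its table are gated independently; if the two tags ever drift, `CREATE INDEX` would run against a table that was skipped. The same split appears for the `kavach_cost_events`, `kavach_ephemeral_sessions` and `kavach_jwt_refresh_tokens` indexes in the later hunks. A short comment on each index entry, e.g. `// index: must carry the same feature as its table entry above`, or letting one entry hold the table together with its indexes, would make the coupling explicit. `buildStatements` starts and ends outside this hunk, so how the entries are filtered is not visible here.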
@@ -15924,11 +16098,14 @@ function buildStatements(provider) {
15924
16098
  token_endpoint_auth_method TEXT NOT NULL DEFAULT 'client_secret_post',
15925
16099
  created_at ${ts} NOT NULL,
15926
16100
  updated_at ${ts} NOT NULL
15927
- )`,
16101
+ )`
16102
+ },
15928
16103
  // ------------------------------------------------------------------
15929
16104
  // kavach_oidc_auth_codes (OIDC Provider — authorization codes)
15930
16105
  // ------------------------------------------------------------------
15931
- `CREATE TABLE ${ifne} kavach_oidc_auth_codes (
16106
+ {
16107
+ feature: "oidcProvider",
16108
+ sql: `CREATE TABLE ${ifne} kavach_oidc_auth_codes (
15932
16109
  id TEXT NOT NULL PRIMARY KEY,
15933
16110
  code_hash TEXT NOT NULL UNIQUE,
15934
16111
  client_id TEXT NOT NULL,
@@ -15941,11 +16118,14 @@ function buildStatements(provider) {
15941
16118
  used ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15942
16119
  expires_at ${ts} NOT NULL,
15943
16120
  created_at ${ts} NOT NULL
15944
- )`,
16121
+ )`
16122
+ },
15945
16123
  // ------------------------------------------------------------------
15946
16124
  // kavach_oidc_refresh_tokens (OIDC Provider — refresh tokens)
15947
16125
  // ------------------------------------------------------------------
15948
- `CREATE TABLE ${ifne} kavach_oidc_refresh_tokens (
16126
+ {
16127
+ feature: "oidcProvider",
16128
+ sql: `CREATE TABLE ${ifne} kavach_oidc_refresh_tokens (
15949
16129
  id TEXT NOT NULL PRIMARY KEY,
15950
16130
  token_hash TEXT NOT NULL UNIQUE,
15951
16131
  client_id TEXT NOT NULL,
@@ -15954,11 +16134,14 @@ function buildStatements(provider) {
15954
16134
  revoked ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
15955
16135
  expires_at ${ts} NOT NULL,
15956
16136
  created_at ${ts} NOT NULL
15957
- )`,
16137
+ )`
16138
+ },
15958
16139
  // ------------------------------------------------------------------
15959
16140
  // kavach_cost_events (per-agent cost attribution)
15960
16141
  // ------------------------------------------------------------------
15961
- `CREATE TABLE ${ifne} kavach_cost_events (
16142
+ {
16143
+ feature: "audit",
16144
+ sql: `CREATE TABLE ${ifne} kavach_cost_events (
15962
16145
  id TEXT NOT NULL PRIMARY KEY,
15963
16146
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15964
16147
  tool TEXT NOT NULL,
@@ -15969,15 +16152,24 @@ function buildStatements(provider) {
15969
16152
  metadata ${json2},
15970
16153
  delegation_chain_id TEXT,
15971
16154
  recorded_at ${ts} NOT NULL
15972
- )`,
15973
- `CREATE INDEX ${ifne} kavach_cost_events_agent_recorded
15974
- ON kavach_cost_events (agent_id, recorded_at DESC)`,
15975
- `CREATE INDEX ${ifne} kavach_cost_events_chain_id
15976
- ON kavach_cost_events (delegation_chain_id)`,
16155
+ )`
16156
+ },
16157
+ {
16158
+ feature: "audit",
16159
+ sql: `CREATE INDEX ${ifne} kavach_cost_events_agent_recorded
16160
+ ON kavach_cost_events (agent_id, recorded_at DESC)`
16161
+ },
16162
+ {
16163
+ feature: "audit",
16164
+ sql: `CREATE INDEX ${ifne} kavach_cost_events_chain_id
16165
+ ON kavach_cost_events (delegation_chain_id)`
16166
+ },
15977
16167
  // ------------------------------------------------------------------
15978
16168
  // kavach_ephemeral_sessions (short-lived agent credentials)
15979
16169
  // ------------------------------------------------------------------
15980
- `CREATE TABLE ${ifne} kavach_ephemeral_sessions (
16170
+ {
16171
+ feature: "agent",
16172
+ sql: `CREATE TABLE ${ifne} kavach_ephemeral_sessions (
15981
16173
  id TEXT NOT NULL PRIMARY KEY,
15982
16174
  agent_id TEXT NOT NULL REFERENCES kavach_agents(id) ON DELETE CASCADE,
15983
16175
  owner_id TEXT NOT NULL REFERENCES kavach_users(id),
@@ -15989,55 +16181,85 @@ function buildStatements(provider) {
15989
16181
  audit_group_id TEXT NOT NULL,
15990
16182
  created_at ${ts} NOT NULL,
15991
16183
  updated_at ${ts} NOT NULL
15992
- )`,
15993
- `CREATE INDEX ${ifne} kavach_ephemeral_sessions_owner_status
15994
- ON kavach_ephemeral_sessions (owner_id, status)`,
15995
- `CREATE INDEX ${ifne} kavach_ephemeral_sessions_expires_at
15996
- ON kavach_ephemeral_sessions (expires_at)`,
16184
+ )`
16185
+ },
16186
+ {
16187
+ feature: "agent",
16188
+ sql: `CREATE INDEX ${ifne} kavach_ephemeral_sessions_owner_status
16189
+ ON kavach_ephemeral_sessions (owner_id, status)`
16190
+ },
16191
+ {
16192
+ feature: "agent",
16193
+ sql: `CREATE INDEX ${ifne} kavach_ephemeral_sessions_expires_at
16194
+ ON kavach_ephemeral_sessions (expires_at)`
16195
+ },
15997
16196
  // ------------------------------------------------------------------
15998
16197
  // kavach_jwt_refresh_tokens (JWT session plugin — general purpose)
15999
16198
  // ------------------------------------------------------------------
16000
- `CREATE TABLE ${ifne} kavach_jwt_refresh_tokens (
16199
+ {
16200
+ feature: "jwt",
16201
+ sql: `CREATE TABLE ${ifne} kavach_jwt_refresh_tokens (
16001
16202
  id TEXT NOT NULL PRIMARY KEY,
16002
16203
  token_hash TEXT NOT NULL UNIQUE,
16003
16204
  user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
16004
16205
  used ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
16005
16206
  expires_at ${ts} NOT NULL,
16006
16207
  created_at ${ts} NOT NULL
16007
- )`,
16008
- `CREATE INDEX ${ifne} kavach_jwt_refresh_tokens_user_id
16009
- ON kavach_jwt_refresh_tokens (user_id)`,
16208
+ )`
16209
+ },
16210
+ {
16211
+ feature: "jwt",
16212
+ sql: `CREATE INDEX ${ifne} kavach_jwt_refresh_tokens_user_id
16213
+ ON kavach_jwt_refresh_tokens (user_id)`
16214
+ },
16010
16215
  // ------------------------------------------------------------------
16011
16216
  // kavach_stream_events (persisted SSE events for replay)
16012
16217
  // ------------------------------------------------------------------
16013
- `CREATE TABLE ${ifne} kavach_stream_events (
16218
+ {
16219
+ feature: "audit",
16220
+ sql: `CREATE TABLE ${ifne} kavach_stream_events (
16014
16221
  id TEXT NOT NULL PRIMARY KEY,
16015
16222
  type TEXT NOT NULL,
16016
16223
  timestamp ${ts} NOT NULL,
16017
16224
  data ${json2} NOT NULL,
16018
16225
  agent_id TEXT,
16019
16226
  user_id TEXT
16020
- )`,
16021
- `CREATE INDEX ${ifne} kavach_stream_events_timestamp
16022
- ON kavach_stream_events (timestamp DESC)`,
16023
- `CREATE INDEX ${ifne} kavach_stream_events_type_timestamp
16024
- ON kavach_stream_events (type, timestamp DESC)`,
16227
+ )`
16228
+ },
16229
+ {
16230
+ feature: "audit",
16231
+ sql: `CREATE INDEX ${ifne} kavach_stream_events_timestamp
16232
+ ON kavach_stream_events (timestamp DESC)`
16233
+ },
16234
+ {
16235
+ feature: "audit",
16236
+ sql: `CREATE INDEX ${ifne} kavach_stream_events_type_timestamp
16237
+ ON kavach_stream_events (type, timestamp DESC)`
16238
+ },
16025
16239
  // ------------------------------------------------------------------
16026
16240
  // kavach_rebac_resources (ReBAC resource hierarchy)
16027
16241
  // ------------------------------------------------------------------
16028
- `CREATE TABLE ${ifne} kavach_rebac_resources (
16242
+ {
16243
+ feature: "rebac",
16244
+ sql: `CREATE TABLE ${ifne} kavach_rebac_resources (
16029
16245
  id TEXT NOT NULL PRIMARY KEY,
16030
16246
  type TEXT NOT NULL,
16031
16247
  parent_id TEXT,
16032
16248
  parent_type TEXT,
16033
16249
  created_at ${ts} NOT NULL
16034
- )`,
16035
- `CREATE INDEX ${ifne} kavach_rebac_resources_parent
16036
- ON kavach_rebac_resources (parent_id, parent_type)`,
16250
+ )`
16251
+ },
16252
+ {
16253
+ feature: "rebac",
16254
+ sql: `CREATE INDEX ${ifne} kavach_rebac_resources_parent
16255
+ ON kavach_rebac_resources (parent_id, parent_type)`
16256
+ },
16037
16257
  // ------------------------------------------------------------------
16038
16258
  // kavach_rebac_relationships (Zanzibar-style subject-relation-object tuples)
16039
16259
  // ------------------------------------------------------------------
16040
- `CREATE TABLE ${ifne} kavach_rebac_relationships (
16260
+ {
16261
+ feature: "rebac",
16262
+ sql: `CREATE TABLE ${ifne} kavach_rebac_relationships (
16041
16263
  id TEXT NOT NULL PRIMARY KEY,
16042
16264
  subject_type TEXT NOT NULL,
16043
16265
  subject_id TEXT NOT NULL,
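Review bot: `kavach_stream_events` and its two indexes are tagged `feature: "audit"`, yet the table's `agent_id` and `user_id` columns are both nullable and its header comment describes SSE replay in general, which suggests the table is not agent-only. In the `resolveEnabledFeatures` added earlier in this diff, `audit` is derived from the agents/did configuration, so a deployment configured without agents would presumably start without this table. If the coupling is intended, a comment above the entry would make it explicit, e.g. `// created only when the audit feature is on (agents or did configured)`; otherwise a dedicated feature tag would decouple it. The statement array in `buildStatements` begins and ends outside this hunk.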
@@ -16045,17 +16267,29 @@ function buildStatements(provider) {
16045
16267
  object_type TEXT NOT NULL,
16046
16268
  object_id TEXT NOT NULL,
16047
16269
  created_at ${ts} NOT NULL
16048
- )`,
16049
- `CREATE INDEX ${ifne} kavach_rebac_relationships_subject
16050
- ON kavach_rebac_relationships (subject_type, subject_id)`,
16051
- `CREATE INDEX ${ifne} kavach_rebac_relationships_object
16052
- ON kavach_rebac_relationships (object_type, object_id)`,
16053
- `CREATE UNIQUE INDEX ${ifne} kavach_rebac_relationships_tuple
16054
- ON kavach_rebac_relationships (subject_type, subject_id, relation, object_type, object_id)`,
16270
+ )`
16271
+ },
16272
+ {
16273
+ feature: "rebac",
16274
+ sql: `CREATE INDEX ${ifne} kavach_rebac_relationships_subject
16275
+ ON kavach_rebac_relationships (subject_type, subject_id)`
16276
+ },
16277
+ {
16278
+ feature: "rebac",
16279
+ sql: `CREATE INDEX ${ifne} kavach_rebac_relationships_object
16280
+ ON kavach_rebac_relationships (object_type, object_id)`
16281
+ },
16282
+ {
16283
+ feature: "rebac",
16284
+ sql: `CREATE UNIQUE INDEX ${ifne} kavach_rebac_relationships_tuple
16285
+ ON kavach_rebac_relationships (subject_type, subject_id, relation, object_type, object_id)`
16286
+ },
16055
16287
  // ------------------------------------------------------------------
16056
16288
  // kavach_federation_instances (trusted remote KavachOS instances)
16057
16289
  // ------------------------------------------------------------------
16058
- `CREATE TABLE ${ifne} kavach_federation_instances (
16290
+ {
16291
+ feature: "federation",
16292
+ sql: `CREATE TABLE ${ifne} kavach_federation_instances (
16059
16293
  id TEXT NOT NULL PRIMARY KEY,
16060
16294
  instance_id TEXT NOT NULL UNIQUE,
16061
16295
  instance_url TEXT NOT NULL,
@@ -16064,11 +16298,14 @@ function buildStatements(provider) {
16064
16298
  discovered_at ${tsNull},
16065
16299
  created_at ${ts} NOT NULL,
16066
16300
  updated_at ${ts} NOT NULL
16067
- )`,
16301
+ )`
16302
+ },
16068
16303
  // ------------------------------------------------------------------
16069
16304
  // kavach_federation_tokens (issued/received federation tokens)
16070
16305
  // ------------------------------------------------------------------
16071
- `CREATE TABLE ${ifne} kavach_federation_tokens (
16306
+ {
16307
+ feature: "federation",
16308
+ sql: `CREATE TABLE ${ifne} kavach_federation_tokens (
16072
16309
  id TEXT NOT NULL PRIMARY KEY,
16073
16310
  token_jti TEXT NOT NULL UNIQUE,
16074
16311
  agent_id TEXT NOT NULL,
@@ -16079,45 +16316,61 @@ function buildStatements(provider) {
16079
16316
  trust_score INTEGER,
16080
16317
  expires_at ${ts} NOT NULL,
16081
16318
  created_at ${ts} NOT NULL
16082
- )`,
16083
- `CREATE INDEX ${ifne} kavach_federation_tokens_agent
16084
- ON kavach_federation_tokens (agent_id)`,
16085
- `CREATE INDEX ${ifne} kavach_federation_tokens_source
16086
- ON kavach_federation_tokens (source_instance_id)`,
16319
+ )`
16320
+ },
16321
+ {
16322
+ feature: "federation",
16323
+ sql: `CREATE INDEX ${ifne} kavach_federation_tokens_agent
16324
+ ON kavach_federation_tokens (agent_id)`
16325
+ },
16326
+ {
16327
+ feature: "federation",
16328
+ sql: `CREATE INDEX ${ifne} kavach_federation_tokens_source
16329
+ ON kavach_federation_tokens (source_instance_id)`
16330
+ },
16087
16331
  // ------------------------------------------------------------------
16088
16332
  // kavach_refresh_token_families (token rotation / reuse detection)
16089
16333
  // ------------------------------------------------------------------
16090
- `CREATE TABLE ${ifne} kavach_refresh_token_families (
16334
+ {
16335
+ feature: "jwt",
16336
+ sql: `CREATE TABLE ${ifne} kavach_refresh_token_families (
16091
16337
  id TEXT NOT NULL PRIMARY KEY,
16092
16338
  user_id TEXT NOT NULL REFERENCES kavach_users(id) ON DELETE CASCADE,
16093
16339
  absolute_expires_at ${ts} NOT NULL,
16094
16340
  revoked ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
16095
16341
  created_at ${ts} NOT NULL
16096
- )`,
16097
- `CREATE INDEX ${ifne} kavach_refresh_token_families_user_id
16098
- ON kavach_refresh_token_families (user_id)`,
16342
+ )`
16343
+ },
16344
+ {
16345
+ feature: "jwt",
16346
+ sql: `CREATE INDEX ${ifne} kavach_refresh_token_families_user_id
16347
+ ON kavach_refresh_token_families (user_id)`
16348
+ },
16099
16349
  // ------------------------------------------------------------------
16100
16350
  // kavach_refresh_tokens (individual one-time-use tokens per family)
16101
16351
  // ------------------------------------------------------------------
16102
- `CREATE TABLE ${ifne} kavach_refresh_tokens (
16352
+ {
16353
+ feature: "jwt",
16354
+ sql: `CREATE TABLE ${ifne} kavach_refresh_tokens (
16103
16355
  id TEXT NOT NULL PRIMARY KEY,
16104
16356
  family_id TEXT NOT NULL REFERENCES kavach_refresh_token_families(id) ON DELETE CASCADE,
16105
16357
  token_hash TEXT NOT NULL UNIQUE,
16106
16358
  used ${bool} NOT NULL DEFAULT ${isPostgres ? "FALSE" : "0"},
16107
16359
  expires_at ${ts} NOT NULL,
16108
16360
  created_at ${ts} NOT NULL
16109
- )`,
16110
- `CREATE INDEX ${ifne} kavach_refresh_tokens_family_id
16361
+ )`
16362
+ },
16363
+ {
16364
+ feature: "jwt",
16365
+ sql: `CREATE INDEX ${ifne} kavach_refresh_tokens_family_id
16111
16366
  ON kavach_refresh_tokens (family_id)`
16112
- // ------------------------------------------------------------------
16113
- // kavach_users ban columns (ALTER TABLE IF NOT EXISTS — safe no-ops)
16114
- // These are appended as separate ALTER statements for existing DBs.
16115
- // For SQLite we use a separate migration path since SQLite ALTER is limited.
16116
- // ------------------------------------------------------------------
16367
+ }
16117
16368
  ];
16118
16369
  }
16119
- async function createTables(db, provider) {
16120
- const statements = buildStatements(provider);
16370
+ async function createTables(db, provider, config) {
16371
+ const allStatements = buildStatements(provider);
16372
+ const features = resolveEnabledFeatures(config);
16373
+ const statements = allStatements.filter((s) => features[s.feature]).map((s) => s.sql);
16121
16374
  if (provider === "sqlite" || provider === "sqlite-native") {
16122
16375
  const session = db.session;
16123
16376
  if (session?.client?.exec) {
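Review bot: The new filter in `createTables`, `allStatements.filter((s) => features[s.feature])`, silently drops any statement whose `feature` tag is misspelled or missing from the resolved map, because `undefined` is treated the same as `false`. The statements gated this way include `kavach_refresh_token_families` and `kavach_refresh_tokens`, which the comments describe as backing token rotation and reuse detection, so a skipped statement would presumably surface only as a query error at first use rather than at startup. I would fail fast inside the filter callback with `if (!(s.feature in features)) throw new Error("unknown migration feature: " + s.feature);` before returning `features[s.feature]`. `buildStatements` starts above this hunk and `createTables` continues below it, and the mapping for the `jwt` flag is not visible here.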
@@ -18299,7 +18552,7 @@ async function createKavach(config) {
18299
18552
  const authAdapter = config.auth?.adapter ?? null;
18300
18553
  const db = await createDatabase(config.database);
18301
18554
  if (!config.database.skipMigrations) {
18302
- await createTables(db, config.database.provider);
18555
+ await createTables(db, config.database.provider, config);
18303
18556
  }
18304
18557
  const agentConfig = {
18305
18558
  db,