d26b67ebc3
Introduce company_secrets and company_secret_versions tables for encrypted secret storage. Add EnvBinding discriminated union (plain vs secret_ref) to replace raw string env values in adapter configs. Add hiddenAt column to issues for soft-hiding. Improve migration system with journal-ordered application and manual fallback when Drizzle migrator can't reconcile history. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
24 lines
1.2 KiB
TypeScript
24 lines
1.2 KiB
TypeScript
import { pgTable, uuid, text, timestamp, integer, jsonb, index, uniqueIndex } from "drizzle-orm/pg-core";
|
|
import { agents } from "./agents.js";
|
|
import { companySecrets } from "./company_secrets.js";
|
|
|
|
export const companySecretVersions = pgTable(
|
|
"company_secret_versions",
|
|
{
|
|
id: uuid("id").primaryKey().defaultRandom(),
|
|
secretId: uuid("secret_id").notNull().references(() => companySecrets.id, { onDelete: "cascade" }),
|
|
version: integer("version").notNull(),
|
|
material: jsonb("material").$type<Record<string, unknown>>().notNull(),
|
|
valueSha256: text("value_sha256").notNull(),
|
|
createdByAgentId: uuid("created_by_agent_id").references(() => agents.id, { onDelete: "set null" }),
|
|
createdByUserId: text("created_by_user_id"),
|
|
createdAt: timestamp("created_at", { withTimezone: true }).notNull().defaultNow(),
|
|
revokedAt: timestamp("revoked_at", { withTimezone: true }),
|
|
},
|
|
(table) => ({
|
|
secretIdx: index("company_secret_versions_secret_idx").on(table.secretId, table.createdAt),
|
|
valueHashIdx: index("company_secret_versions_value_sha256_idx").on(table.valueSha256),
|
|
secretVersionUq: uniqueIndex("company_secret_versions_secret_version_uq").on(table.secretId, table.version),
|
|
}),
|
|
);
|