import { pool } from '../pool.js'; import { recordAudit } from './audit_stub.js'; const FIELDS = ['space_id','slug','name','runtime_type','host','url','version','status','monitoring','metadata','last_check','maintenance_until']; export async function create(input, actor) { const cols = [], vals = [], ph = []; let i = 1; for (const f of FIELDS) { if (input[f] !== undefined) { cols.push(f); vals.push(input[f]); ph.push(`$${i++}`); } } const { rows: [r] } = await pool.query( `INSERT INTO resources(${cols.join(',')}) VALUES(${ph.join(',')}) RETURNING *`, vals ); await recordAudit(actor, 'create', 'resource', r.id, null, r); return r; } export async function getById(id) { const { rows: [r] } = await pool.query(`SELECT * FROM resources WHERE id=$1`, [id]); return r; } export async function listBySpace(space_id) { const { rows } = await pool.query( `SELECT * FROM resources WHERE space_id=$1 ORDER BY name`, [space_id] ); return rows; } // Attack-surface inventory across all spaces. Scalar columns only — never the // monitoring/metadata JSON blobs (which can hold connection hints / vault_path). export async function listExposure() { const { rows } = await pool.query( `SELECT id, space_id, slug, name, runtime_type, host, url, version, status, last_check, maintenance_until FROM resources ORDER BY name` ); return rows; } export async function update(id, patch, actor) { const before = await getById(id); const sets = [], vals = []; let i = 1; for (const f of FIELDS) { if (patch[f] !== undefined) { sets.push(`${f}=$${i++}`); vals.push(patch[f]); } } sets.push(`updated_at=now()`); vals.push(id); const { rows: [r] } = await pool.query( `UPDATE resources SET ${sets.join(', ')} WHERE id=$${i} RETURNING *`, vals ); await recordAudit(actor, 'update', 'resource', id, before, r); return r; } export async function del(id, actor) { const before = await getById(id); await pool.query(`DELETE FROM resources WHERE id=$1`, [id]); await recordAudit(actor, 'delete', 'resource', id, before, null); } export async function addDependency(resource_id, depends_on, kind) { if (resource_id === depends_on) throw new Error('resource cannot depend on itself'); // Derive space_id from the source resource; the composite FK rejects // cross-space links at the DB layer. const { rows: [src] } = await pool.query( `SELECT space_id FROM resources WHERE id=$1`, [resource_id] ); if (!src) throw new Error(`resource ${resource_id} not found`); await pool.query( `INSERT INTO resource_dependencies(resource_id, depends_on, space_id, kind) VALUES($1,$2,$3,$4) ON CONFLICT DO NOTHING`, [resource_id, depends_on, src.space_id, kind || null] ); } export async function removeDependency(resource_id, depends_on) { await pool.query( `DELETE FROM resource_dependencies WHERE resource_id=$1 AND depends_on=$2`, [resource_id, depends_on] ); } export async function listDependencies(resource_id) { const { rows } = await pool.query( `SELECT * FROM resource_dependencies WHERE resource_id=$1`, [resource_id] ); return rows; } export async function addCredential(resource_id, { label, vault_path, kind, notes }) { // Derive space_id from the resource so caller can't fake cross-tenant assignment. const { rows: [src] } = await pool.query( `SELECT space_id FROM resources WHERE id=$1`, [resource_id] ); if (!src) throw new Error(`resource ${resource_id} not found`); const { rows: [r] } = await pool.query( `INSERT INTO resource_credentials(resource_id, space_id, label, vault_path, kind, notes) VALUES($1,$2,$3,$4,$5,$6) RETURNING *`, [resource_id, src.space_id, label, vault_path, kind || null, notes || null] ); return r; } export async function listCredentials(resource_id) { const { rows } = await pool.query( `SELECT id, resource_id, label, vault_path, kind, notes, created_at FROM resource_credentials WHERE resource_id=$1 ORDER BY label`, [resource_id] ); return rows; }