import crypto from 'node:crypto'; import bcrypt from 'bcrypt'; import { pool } from '../pool.js'; import { recordAudit } from './audit_stub.js'; const FIELDS = ['slug','name','kind','model','persona_path','capabilities','scopes']; export async function create(input, actor) { const cols = [], vals = [], ph = []; let i = 1; for (const f of FIELDS) { if (input[f] !== undefined) { cols.push(f); vals.push(input[f]); ph.push(`$${i++}`); } } const { rows: [r] } = await pool.query( `INSERT INTO agents(${cols.join(',')}) VALUES(${ph.join(',')}) RETURNING *`, vals ); await recordAudit(actor, 'create', 'agent', r.id, null, r); return r; } export async function getById(id) { const { rows: [r] } = await pool.query(`SELECT * FROM agents WHERE id=$1`, [id]); return r; } export async function getBySlug(slug) { const { rows: [r] } = await pool.query(`SELECT * FROM agents WHERE slug=$1`, [slug]); return r; } export async function list() { const { rows } = await pool.query(`SELECT * FROM agents ORDER BY name`); return rows; } export async function setCapabilities(id, capabilities, scopes) { const { rows: [r] } = await pool.query( `UPDATE agents SET capabilities=$1, scopes=$2 WHERE id=$3 RETURNING *`, [capabilities, scopes || {}, id] ); return r; } // Token format: vk_. // selector — non-secret, indexed, locates exactly one row (O(1)) // verifier — the secret; only this is bcrypt-hashed into token_hash // base64url never contains '.', so the delimiter is unambiguous. export async function createToken(agent_id, label) { const selector = crypto.randomBytes(9).toString('base64url'); // ~12 chars const verifier = crypto.randomBytes(32).toString('base64url'); // ~43 chars const plaintext = `vk_${selector}.${verifier}`; const token_hash = await bcrypt.hash(verifier, 12); const { rows: [t] } = await pool.query( `INSERT INTO agent_tokens(agent_id, label, token_hash, selector) VALUES($1,$2,$3,$4) RETURNING id`, [agent_id, label || null, token_hash, selector] ); return { token: plaintext, id: t.id }; } const AGENT_SELECT = `SELECT t.id, t.token_hash, t.agent_id, a.* FROM agent_tokens t JOIN agents a ON a.id = t.agent_id`; async function finalizeVerify(row, secret) { if (await bcrypt.compare(secret, row.token_hash)) { await pool.query(`UPDATE agent_tokens SET last_used=now() WHERE id=$1`, [row.id]); const { token_hash, selector, ...agent } = row; return agent; } return null; } export async function verifyToken(plaintext) { if (!plaintext?.startsWith('vk_')) return null; const rest = plaintext.slice(3); const dot = rest.indexOf('.'); if (dot !== -1) { // New format — single indexed lookup by selector, bcrypt the verifier only. const selector = rest.slice(0, dot); const verifier = rest.slice(dot + 1); const { rows: [row] } = await pool.query( `${AGENT_SELECT} WHERE t.selector = $1 AND t.revoked_at IS NULL`, [selector] ); if (!row) return null; return finalizeVerify(row, verifier); } // Legacy fallback — pre-migration tokens hashed the full plaintext and have // no selector. Scan only the (shrinking) NULL-selector set. const { rows } = await pool.query( `${AGENT_SELECT} WHERE t.selector IS NULL AND t.revoked_at IS NULL` ); for (const row of rows) { const agent = await finalizeVerify(row, plaintext); if (agent) return agent; } return null; } export async function revokeToken(token_id) { await pool.query(`UPDATE agent_tokens SET revoked_at=now() WHERE id=$1`, [token_id]); } // Token metadata for security review — label/usage/revocation joined with the // owning agent. NEVER selects token_hash. export async function listTokenMeta() { const { rows } = await pool.query( `SELECT t.id, t.agent_id, a.slug AS agent_slug, a.name AS agent_name, t.label, t.last_used, t.created_at, t.revoked_at FROM agent_tokens t JOIN agents a ON a.id = t.agent_id ORDER BY t.created_at DESC` ); return rows; }