mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests Actions Packages Projects Releases 2 Wiki Activity

feat(#355): Create UserCredential model with RLS and encryption support
Some checks failed
ci/woodpecker/push/woodpecker Pipeline failed
Details

Browse Source 
Implements secure user credential storage with comprehensive RLS policies
and encryption-ready architecture for Phase 3 of M9-CredentialSecurity.

**Features:**
- UserCredential Prisma model with 19 fields
- CredentialType enum (6 values: API_KEY, OAUTH_TOKEN, etc.)
- CredentialScope enum (USER, WORKSPACE, SYSTEM)
- FORCE ROW LEVEL SECURITY with 3 policies
- Encrypted value storage (OpenBao Transit ready)
- Cascade delete on user/workspace deletion
- Activity logging integration (CREDENTIAL_* actions)
- 28 comprehensive test cases

**Security:**
- RLS owner bypass, user access, workspace admin policies
- SQL injection hardening for is_workspace_admin()
- Encryption version tracking ready
- Full down migration for reversibility

**Testing:**
- 100% enum coverage (all CredentialType + CredentialScope values)
- Unique constraint enforcement
- Foreign key cascade deletes
- Timestamp behavior validation
- JSONB metadata storage

**Files:**
- Migration: 20260207_add_user_credentials (184 lines + 76 line down.sql)
- Security: 20260207163740_fix_sql_injection_is_workspace_admin
- Tests: user-credential.model.spec.ts (28 tests, 544 lines)
- Docs: README.md (228 lines), scratchpad

Fixes #355

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Jason Woltje
2026-02-07 16:39:15 -06:00
parent 1f86c36cc1
commit 864c23dc94
8 changed files with 1480 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

136
apps/api/prisma/schema.prisma
View File

@@ -62,6 +62,10 @@ enum ActivityAction {
LOGOUT
PASSWORD_RESET
EMAIL_VERIFIED
CREDENTIAL_CREATED
CREDENTIAL_ACCESSED
CREDENTIAL_ROTATED
CREDENTIAL_REVOKED
}
enum EntityType {
@@ -72,6 +76,7 @@ enum EntityType {
USER
IDEA
DOMAIN
CREDENTIAL
}
enum IdeaStatus {
@@ -186,6 +191,21 @@ enum FederationMessageStatus {
TIMEOUT
}
enum CredentialType {
API_KEY
OAUTH_TOKEN
ACCESS_TOKEN
SECRET
PASSWORD
CUSTOM
}
enum CredentialScope {
USER
WORKSPACE
SYSTEM
}
// ============================================
// MODELS
// ============================================
@@ -222,6 +242,7 @@ model User {
llmProviders LlmProviderInstance[] @relation("UserLlmProviders")
federatedIdentities FederatedIdentity[]
llmUsageLogs LlmUsageLog[] @relation("UserLlmUsageLogs")
userCredentials UserCredential[] @relation("UserCredentials")
@@map("users")
}
@@ -248,32 +269,33 @@ model Workspace {
updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
// Relations
owner User @relation("WorkspaceOwner", fields: [ownerId], references: [id], onDelete: Cascade)
members WorkspaceMember[]
teams Team[]
tasks Task[]
events Event[]
projects Project[]
activityLogs ActivityLog[]
memoryEmbeddings MemoryEmbedding[]
domains Domain[]
ideas Idea[]
relationships Relationship[]
agents Agent[]
agentSessions AgentSession[]
agentTasks AgentTask[]
userLayouts UserLayout[]
knowledgeEntries KnowledgeEntry[]
knowledgeTags KnowledgeTag[]
cronSchedules CronSchedule[]
personalities Personality[]
llmSettings WorkspaceLlmSettings?
qualityGates QualityGate[]
runnerJobs RunnerJob[]
federationConnections FederationConnection[]
federationMessages FederationMessage[]
federationEventSubscriptions FederationEventSubscription[]
llmUsageLogs LlmUsageLog[]
owner User @relation("WorkspaceOwner", fields: [ownerId], references: [id], onDelete: Cascade)
members WorkspaceMember[]
teams Team[]
tasks Task[]
events Event[]
projects Project[]
activityLogs ActivityLog[]
memoryEmbeddings MemoryEmbedding[]
domains Domain[]
ideas Idea[]
relationships Relationship[]
agents Agent[]
agentSessions AgentSession[]
agentTasks AgentTask[]
userLayouts UserLayout[]
knowledgeEntries KnowledgeEntry[]
knowledgeTags KnowledgeTag[]
cronSchedules CronSchedule[]
personalities Personality[]
llmSettings WorkspaceLlmSettings?
qualityGates QualityGate[]
runnerJobs RunnerJob[]
federationConnections FederationConnection[]
federationMessages FederationMessage[]
federationEventSubscriptions FederationEventSubscription[]
llmUsageLogs LlmUsageLog[]
userCredentials UserCredential[]
@@index([ownerId])
@@map("workspaces")
@@ -808,6 +830,52 @@ model Verification {
@@map("verifications")
}
// ============================================
// USER CREDENTIALS MODULE
// ============================================
model UserCredential {
id String @id @default(uuid()) @db.Uuid
userId String @map("user_id") @db.Uuid
workspaceId String? @map("workspace_id") @db.Uuid
// Identity
name String
provider String // "github", "openai", "custom"
type CredentialType
scope CredentialScope @default(USER)
// Encrypted storage
encryptedValue String @map("encrypted_value") @db.Text
maskedValue String? @map("masked_value") @db.VarChar(20)
// Metadata
description String? @db.Text
expiresAt DateTime? @map("expires_at") @db.Timestamptz
lastUsedAt DateTime? @map("last_used_at") @db.Timestamptz
metadata Json @default("{}")
// Status
isActive Boolean @default(true) @map("is_active")
rotatedAt DateTime? @map("rotated_at") @db.Timestamptz
// Audit
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
updatedAt DateTime @updatedAt @map("updated_at") @db.Timestamptz
// Relations
user User @relation("UserCredentials", fields: [userId], references: [id], onDelete: Cascade)
workspace Workspace? @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
@@unique([userId, workspaceId, provider, name])
@@index([userId])
@@index([workspaceId])
@@index([userId, scope])
@@index([workspaceId, scope])
@@index([scope, isActive])
@@map("user_credentials")
}
// ============================================
// KNOWLEDGE MODULE
// ============================================
@@ -1293,8 +1361,8 @@ model FederationConnection {
disconnectedAt DateTime? @map("disconnected_at") @db.Timestamptz
// Relations
workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
messages FederationMessage[]
workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
messages FederationMessage[]
eventSubscriptions FederationEventSubscription[]
@@unique([workspaceId, remoteInstanceId])
@@ -1399,9 +1467,9 @@ model LlmUsageLog {
userId String @map("user_id") @db.Uuid
// LLM provider and model info
provider String @db.VarChar(50)
model String @db.VarChar(100)
providerInstanceId String? @map("provider_instance_id") @db.Uuid
provider String @db.VarChar(50)
model String @db.VarChar(100)
providerInstanceId String? @map("provider_instance_id") @db.Uuid
// Token usage
promptTokens Int @default(0) @map("prompt_tokens")
@@ -1424,9 +1492,9 @@ model LlmUsageLog {
createdAt DateTime @default(now()) @map("created_at") @db.Timestamptz
// Relations
workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
user User @relation("UserLlmUsageLogs", fields: [userId], references: [id], onDelete: Cascade)
llmProviderInstance LlmProviderInstance? @relation("LlmUsageLogs", fields: [providerInstanceId], references: [id], onDelete: SetNull)
workspace Workspace @relation(fields: [workspaceId], references: [id], onDelete: Cascade)
user User @relation("UserLlmUsageLogs", fields: [userId], references: [id], onDelete: Cascade)
llmProviderInstance LlmProviderInstance? @relation("LlmUsageLogs", fields: [providerInstanceId], references: [id], onDelete: SetNull)
@@index([workspaceId])
@@index([workspaceId, createdAt])