You've already forked agentic-coding-workflow
feat(mcp): sqlc queries for mcp_tokens (CRUD + revoke + reaper + purge)
This commit is contained in:
@@ -0,0 +1,290 @@
|
||||
// Code generated by sqlc. DO NOT EDIT.
|
||||
// versions:
|
||||
// sqlc v1.31.1
|
||||
// source: mcp_tokens.sql
|
||||
|
||||
package mcpsqlc
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"github.com/jackc/pgx/v5/pgtype"
|
||||
)
|
||||
|
||||
const createMcpToken = `-- name: CreateMcpToken :one
|
||||
INSERT INTO mcp_tokens (
|
||||
id, token_hash, user_id, name, issuer, scope,
|
||||
acp_session_id, expires_at, created_by
|
||||
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
|
||||
RETURNING id, token_hash, user_id, name, issuer, scope,
|
||||
acp_session_id, expires_at, last_used_at, revoked_at,
|
||||
created_by, created_at
|
||||
`
|
||||
|
||||
type CreateMcpTokenParams struct {
|
||||
ID pgtype.UUID `json:"id"`
|
||||
TokenHash []byte `json:"token_hash"`
|
||||
UserID pgtype.UUID `json:"user_id"`
|
||||
Name string `json:"name"`
|
||||
Issuer string `json:"issuer"`
|
||||
Scope []byte `json:"scope"`
|
||||
AcpSessionID pgtype.UUID `json:"acp_session_id"`
|
||||
ExpiresAt pgtype.Timestamptz `json:"expires_at"`
|
||||
CreatedBy pgtype.UUID `json:"created_by"`
|
||||
}
|
||||
|
||||
func (q *Queries) CreateMcpToken(ctx context.Context, arg CreateMcpTokenParams) (McpToken, error) {
|
||||
row := q.db.QueryRow(ctx, createMcpToken,
|
||||
arg.ID,
|
||||
arg.TokenHash,
|
||||
arg.UserID,
|
||||
arg.Name,
|
||||
arg.Issuer,
|
||||
arg.Scope,
|
||||
arg.AcpSessionID,
|
||||
arg.ExpiresAt,
|
||||
arg.CreatedBy,
|
||||
)
|
||||
var i McpToken
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.TokenHash,
|
||||
&i.UserID,
|
||||
&i.Name,
|
||||
&i.Issuer,
|
||||
&i.Scope,
|
||||
&i.AcpSessionID,
|
||||
&i.ExpiresAt,
|
||||
&i.LastUsedAt,
|
||||
&i.RevokedAt,
|
||||
&i.CreatedBy,
|
||||
&i.CreatedAt,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const deleteMcpTokenByID = `-- name: DeleteMcpTokenByID :exec
|
||||
DELETE FROM mcp_tokens WHERE id = $1
|
||||
`
|
||||
|
||||
// 仅供测试用(生产不允许直接物理删;走撤销)。
|
||||
func (q *Queries) DeleteMcpTokenByID(ctx context.Context, id pgtype.UUID) error {
|
||||
_, err := q.db.Exec(ctx, deleteMcpTokenByID, id)
|
||||
return err
|
||||
}
|
||||
|
||||
const getMcpTokenByHash = `-- name: GetMcpTokenByHash :one
|
||||
SELECT id, token_hash, user_id, name, issuer, scope,
|
||||
acp_session_id, expires_at, last_used_at, revoked_at,
|
||||
created_by, created_at
|
||||
FROM mcp_tokens
|
||||
WHERE token_hash = $1
|
||||
`
|
||||
|
||||
func (q *Queries) GetMcpTokenByHash(ctx context.Context, tokenHash []byte) (McpToken, error) {
|
||||
row := q.db.QueryRow(ctx, getMcpTokenByHash, tokenHash)
|
||||
var i McpToken
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.TokenHash,
|
||||
&i.UserID,
|
||||
&i.Name,
|
||||
&i.Issuer,
|
||||
&i.Scope,
|
||||
&i.AcpSessionID,
|
||||
&i.ExpiresAt,
|
||||
&i.LastUsedAt,
|
||||
&i.RevokedAt,
|
||||
&i.CreatedBy,
|
||||
&i.CreatedAt,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const getMcpTokenByID = `-- name: GetMcpTokenByID :one
|
||||
SELECT id, token_hash, user_id, name, issuer, scope,
|
||||
acp_session_id, expires_at, last_used_at, revoked_at,
|
||||
created_by, created_at
|
||||
FROM mcp_tokens
|
||||
WHERE id = $1
|
||||
`
|
||||
|
||||
func (q *Queries) GetMcpTokenByID(ctx context.Context, id pgtype.UUID) (McpToken, error) {
|
||||
row := q.db.QueryRow(ctx, getMcpTokenByID, id)
|
||||
var i McpToken
|
||||
err := row.Scan(
|
||||
&i.ID,
|
||||
&i.TokenHash,
|
||||
&i.UserID,
|
||||
&i.Name,
|
||||
&i.Issuer,
|
||||
&i.Scope,
|
||||
&i.AcpSessionID,
|
||||
&i.ExpiresAt,
|
||||
&i.LastUsedAt,
|
||||
&i.RevokedAt,
|
||||
&i.CreatedBy,
|
||||
&i.CreatedAt,
|
||||
)
|
||||
return i, err
|
||||
}
|
||||
|
||||
const listMcpTokens = `-- name: ListMcpTokens :many
|
||||
SELECT id, token_hash, user_id, name, issuer, scope,
|
||||
acp_session_id, expires_at, last_used_at, revoked_at,
|
||||
created_by, created_at
|
||||
FROM mcp_tokens
|
||||
WHERE
|
||||
($1::uuid IS NULL
|
||||
OR (user_id = $1::uuid AND issuer = 'admin'))
|
||||
AND
|
||||
(NOT $2::boolean
|
||||
OR (revoked_at IS NULL AND (expires_at IS NULL OR expires_at > now())))
|
||||
ORDER BY created_at DESC
|
||||
`
|
||||
|
||||
type ListMcpTokensParams struct {
|
||||
CallerUserID pgtype.UUID `json:"caller_user_id"`
|
||||
ActiveOnly bool `json:"active_only"`
|
||||
}
|
||||
|
||||
// ListMcpTokens:admin 看全部;普通 user 看自己持有的 admin-issued。
|
||||
// callerUserID 为 NULL 表示 admin(不过滤);非空表示按 (user_id=$1 AND issuer='admin') 过滤。
|
||||
// activeOnly=true 时排除已撤销 / 已过期。
|
||||
func (q *Queries) ListMcpTokens(ctx context.Context, arg ListMcpTokensParams) ([]McpToken, error) {
|
||||
rows, err := q.db.Query(ctx, listMcpTokens, arg.CallerUserID, arg.ActiveOnly)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []McpToken
|
||||
for rows.Next() {
|
||||
var i McpToken
|
||||
if err := rows.Scan(
|
||||
&i.ID,
|
||||
&i.TokenHash,
|
||||
&i.UserID,
|
||||
&i.Name,
|
||||
&i.Issuer,
|
||||
&i.Scope,
|
||||
&i.AcpSessionID,
|
||||
&i.ExpiresAt,
|
||||
&i.LastUsedAt,
|
||||
&i.RevokedAt,
|
||||
&i.CreatedBy,
|
||||
&i.CreatedAt,
|
||||
); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, i)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
|
||||
const purgeMcpTokensExpired = `-- name: PurgeMcpTokensExpired :execrows
|
||||
DELETE FROM mcp_tokens
|
||||
WHERE (expires_at IS NOT NULL AND expires_at < $1)
|
||||
OR (revoked_at IS NOT NULL AND revoked_at < $1)
|
||||
`
|
||||
|
||||
// 后台 jobs runner 用:删 expires_at + retention 之前 / revoked_at + retention 之前的 row。
|
||||
// 单条 query 用 OR 条件,retention 同一份。
|
||||
func (q *Queries) PurgeMcpTokensExpired(ctx context.Context, expiresAt pgtype.Timestamptz) (int64, error) {
|
||||
result, err := q.db.Exec(ctx, purgeMcpTokensExpired, expiresAt)
|
||||
if err != nil {
|
||||
return 0, err
|
||||
}
|
||||
return result.RowsAffected(), nil
|
||||
}
|
||||
|
||||
const reapStaleSystemTokens = `-- name: ReapStaleSystemTokens :many
|
||||
UPDATE mcp_tokens t
|
||||
SET revoked_at = now()
|
||||
FROM acp_sessions s
|
||||
WHERE t.acp_session_id = s.id
|
||||
AND t.issuer = 'system'
|
||||
AND t.revoked_at IS NULL
|
||||
AND s.status IN ('crashed','exited')
|
||||
RETURNING t.id
|
||||
`
|
||||
|
||||
// 启动期 reaper:所有 system token 中,关联的 acp_sessions 已经是 crashed/exited 的,全部撤销。
|
||||
// ACP 自身的 reaper 必须先把 starting/running 残留转为 crashed,本 query 才能命中。
|
||||
func (q *Queries) ReapStaleSystemTokens(ctx context.Context) ([]pgtype.UUID, error) {
|
||||
rows, err := q.db.Query(ctx, reapStaleSystemTokens)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []pgtype.UUID
|
||||
for rows.Next() {
|
||||
var id pgtype.UUID
|
||||
if err := rows.Scan(&id); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, id)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
|
||||
const revokeMcpToken = `-- name: RevokeMcpToken :one
|
||||
UPDATE mcp_tokens
|
||||
SET revoked_at = now()
|
||||
WHERE id = $1 AND revoked_at IS NULL
|
||||
RETURNING id
|
||||
`
|
||||
|
||||
func (q *Queries) RevokeMcpToken(ctx context.Context, id pgtype.UUID) (pgtype.UUID, error) {
|
||||
row := q.db.QueryRow(ctx, revokeMcpToken, id)
|
||||
var id_2 pgtype.UUID
|
||||
err := row.Scan(&id_2)
|
||||
return id_2, err
|
||||
}
|
||||
|
||||
const revokeMcpTokensBySession = `-- name: RevokeMcpTokensBySession :many
|
||||
UPDATE mcp_tokens
|
||||
SET revoked_at = now()
|
||||
WHERE acp_session_id = $1
|
||||
AND issuer = 'system'
|
||||
AND revoked_at IS NULL
|
||||
RETURNING id
|
||||
`
|
||||
|
||||
// 给定一个 ACP session 的 ID,把所有引用该 session 的 system token 一次性撤销。
|
||||
// 返回已撤销的 token id 列表(用于 audit 写入逐条)。
|
||||
func (q *Queries) RevokeMcpTokensBySession(ctx context.Context, acpSessionID pgtype.UUID) ([]pgtype.UUID, error) {
|
||||
rows, err := q.db.Query(ctx, revokeMcpTokensBySession, acpSessionID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
defer rows.Close()
|
||||
var items []pgtype.UUID
|
||||
for rows.Next() {
|
||||
var id pgtype.UUID
|
||||
if err := rows.Scan(&id); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
items = append(items, id)
|
||||
}
|
||||
if err := rows.Err(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return items, nil
|
||||
}
|
||||
|
||||
const updateMcpTokenLastUsed = `-- name: UpdateMcpTokenLastUsed :exec
|
||||
UPDATE mcp_tokens
|
||||
SET last_used_at = now()
|
||||
WHERE id = $1
|
||||
`
|
||||
|
||||
func (q *Queries) UpdateMcpTokenLastUsed(ctx context.Context, id pgtype.UUID) error {
|
||||
_, err := q.db.Exec(ctx, updateMcpTokenLastUsed, id)
|
||||
return err
|
||||
}
|
||||
Reference in New Issue
Block a user