feat(mcp): sqlc queries for mcp_tokens (CRUD + revoke + reaper + purge)

This commit is contained in:
2026-05-08 07:07:47 +08:00
parent 6e43792bd6
commit 39f57df882
4 changed files with 715 additions and 0 deletions
+290
View File
@@ -0,0 +1,290 @@
// Code generated by sqlc. DO NOT EDIT.
// versions:
// sqlc v1.31.1
// source: mcp_tokens.sql
package mcpsqlc
import (
"context"
"github.com/jackc/pgx/v5/pgtype"
)
const createMcpToken = `-- name: CreateMcpToken :one
INSERT INTO mcp_tokens (
id, token_hash, user_id, name, issuer, scope,
acp_session_id, expires_at, created_by
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
RETURNING id, token_hash, user_id, name, issuer, scope,
acp_session_id, expires_at, last_used_at, revoked_at,
created_by, created_at
`
type CreateMcpTokenParams struct {
ID pgtype.UUID `json:"id"`
TokenHash []byte `json:"token_hash"`
UserID pgtype.UUID `json:"user_id"`
Name string `json:"name"`
Issuer string `json:"issuer"`
Scope []byte `json:"scope"`
AcpSessionID pgtype.UUID `json:"acp_session_id"`
ExpiresAt pgtype.Timestamptz `json:"expires_at"`
CreatedBy pgtype.UUID `json:"created_by"`
}
func (q *Queries) CreateMcpToken(ctx context.Context, arg CreateMcpTokenParams) (McpToken, error) {
row := q.db.QueryRow(ctx, createMcpToken,
arg.ID,
arg.TokenHash,
arg.UserID,
arg.Name,
arg.Issuer,
arg.Scope,
arg.AcpSessionID,
arg.ExpiresAt,
arg.CreatedBy,
)
var i McpToken
err := row.Scan(
&i.ID,
&i.TokenHash,
&i.UserID,
&i.Name,
&i.Issuer,
&i.Scope,
&i.AcpSessionID,
&i.ExpiresAt,
&i.LastUsedAt,
&i.RevokedAt,
&i.CreatedBy,
&i.CreatedAt,
)
return i, err
}
const deleteMcpTokenByID = `-- name: DeleteMcpTokenByID :exec
DELETE FROM mcp_tokens WHERE id = $1
`
// 仅供测试用(生产不允许直接物理删;走撤销)。
func (q *Queries) DeleteMcpTokenByID(ctx context.Context, id pgtype.UUID) error {
_, err := q.db.Exec(ctx, deleteMcpTokenByID, id)
return err
}
const getMcpTokenByHash = `-- name: GetMcpTokenByHash :one
SELECT id, token_hash, user_id, name, issuer, scope,
acp_session_id, expires_at, last_used_at, revoked_at,
created_by, created_at
FROM mcp_tokens
WHERE token_hash = $1
`
func (q *Queries) GetMcpTokenByHash(ctx context.Context, tokenHash []byte) (McpToken, error) {
row := q.db.QueryRow(ctx, getMcpTokenByHash, tokenHash)
var i McpToken
err := row.Scan(
&i.ID,
&i.TokenHash,
&i.UserID,
&i.Name,
&i.Issuer,
&i.Scope,
&i.AcpSessionID,
&i.ExpiresAt,
&i.LastUsedAt,
&i.RevokedAt,
&i.CreatedBy,
&i.CreatedAt,
)
return i, err
}
const getMcpTokenByID = `-- name: GetMcpTokenByID :one
SELECT id, token_hash, user_id, name, issuer, scope,
acp_session_id, expires_at, last_used_at, revoked_at,
created_by, created_at
FROM mcp_tokens
WHERE id = $1
`
func (q *Queries) GetMcpTokenByID(ctx context.Context, id pgtype.UUID) (McpToken, error) {
row := q.db.QueryRow(ctx, getMcpTokenByID, id)
var i McpToken
err := row.Scan(
&i.ID,
&i.TokenHash,
&i.UserID,
&i.Name,
&i.Issuer,
&i.Scope,
&i.AcpSessionID,
&i.ExpiresAt,
&i.LastUsedAt,
&i.RevokedAt,
&i.CreatedBy,
&i.CreatedAt,
)
return i, err
}
const listMcpTokens = `-- name: ListMcpTokens :many
SELECT id, token_hash, user_id, name, issuer, scope,
acp_session_id, expires_at, last_used_at, revoked_at,
created_by, created_at
FROM mcp_tokens
WHERE
($1::uuid IS NULL
OR (user_id = $1::uuid AND issuer = 'admin'))
AND
(NOT $2::boolean
OR (revoked_at IS NULL AND (expires_at IS NULL OR expires_at > now())))
ORDER BY created_at DESC
`
type ListMcpTokensParams struct {
CallerUserID pgtype.UUID `json:"caller_user_id"`
ActiveOnly bool `json:"active_only"`
}
// ListMcpTokens:admin 看全部;普通 user 看自己持有的 admin-issued。
// callerUserID 为 NULL 表示 admin(不过滤);非空表示按 (user_id=$1 AND issuer='admin') 过滤。
// activeOnly=true 时排除已撤销 / 已过期。
func (q *Queries) ListMcpTokens(ctx context.Context, arg ListMcpTokensParams) ([]McpToken, error) {
rows, err := q.db.Query(ctx, listMcpTokens, arg.CallerUserID, arg.ActiveOnly)
if err != nil {
return nil, err
}
defer rows.Close()
var items []McpToken
for rows.Next() {
var i McpToken
if err := rows.Scan(
&i.ID,
&i.TokenHash,
&i.UserID,
&i.Name,
&i.Issuer,
&i.Scope,
&i.AcpSessionID,
&i.ExpiresAt,
&i.LastUsedAt,
&i.RevokedAt,
&i.CreatedBy,
&i.CreatedAt,
); err != nil {
return nil, err
}
items = append(items, i)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const purgeMcpTokensExpired = `-- name: PurgeMcpTokensExpired :execrows
DELETE FROM mcp_tokens
WHERE (expires_at IS NOT NULL AND expires_at < $1)
OR (revoked_at IS NOT NULL AND revoked_at < $1)
`
// 后台 jobs runner 用:删 expires_at + retention 之前 / revoked_at + retention 之前的 row。
// 单条 query 用 OR 条件,retention 同一份。
func (q *Queries) PurgeMcpTokensExpired(ctx context.Context, expiresAt pgtype.Timestamptz) (int64, error) {
result, err := q.db.Exec(ctx, purgeMcpTokensExpired, expiresAt)
if err != nil {
return 0, err
}
return result.RowsAffected(), nil
}
const reapStaleSystemTokens = `-- name: ReapStaleSystemTokens :many
UPDATE mcp_tokens t
SET revoked_at = now()
FROM acp_sessions s
WHERE t.acp_session_id = s.id
AND t.issuer = 'system'
AND t.revoked_at IS NULL
AND s.status IN ('crashed','exited')
RETURNING t.id
`
// 启动期 reaper:所有 system token 中,关联的 acp_sessions 已经是 crashed/exited 的,全部撤销。
// ACP 自身的 reaper 必须先把 starting/running 残留转为 crashed,本 query 才能命中。
func (q *Queries) ReapStaleSystemTokens(ctx context.Context) ([]pgtype.UUID, error) {
rows, err := q.db.Query(ctx, reapStaleSystemTokens)
if err != nil {
return nil, err
}
defer rows.Close()
var items []pgtype.UUID
for rows.Next() {
var id pgtype.UUID
if err := rows.Scan(&id); err != nil {
return nil, err
}
items = append(items, id)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const revokeMcpToken = `-- name: RevokeMcpToken :one
UPDATE mcp_tokens
SET revoked_at = now()
WHERE id = $1 AND revoked_at IS NULL
RETURNING id
`
func (q *Queries) RevokeMcpToken(ctx context.Context, id pgtype.UUID) (pgtype.UUID, error) {
row := q.db.QueryRow(ctx, revokeMcpToken, id)
var id_2 pgtype.UUID
err := row.Scan(&id_2)
return id_2, err
}
const revokeMcpTokensBySession = `-- name: RevokeMcpTokensBySession :many
UPDATE mcp_tokens
SET revoked_at = now()
WHERE acp_session_id = $1
AND issuer = 'system'
AND revoked_at IS NULL
RETURNING id
`
// 给定一个 ACP session 的 ID,把所有引用该 session 的 system token 一次性撤销。
// 返回已撤销的 token id 列表(用于 audit 写入逐条)。
func (q *Queries) RevokeMcpTokensBySession(ctx context.Context, acpSessionID pgtype.UUID) ([]pgtype.UUID, error) {
rows, err := q.db.Query(ctx, revokeMcpTokensBySession, acpSessionID)
if err != nil {
return nil, err
}
defer rows.Close()
var items []pgtype.UUID
for rows.Next() {
var id pgtype.UUID
if err := rows.Scan(&id); err != nil {
return nil, err
}
items = append(items, id)
}
if err := rows.Err(); err != nil {
return nil, err
}
return items, nil
}
const updateMcpTokenLastUsed = `-- name: UpdateMcpTokenLastUsed :exec
UPDATE mcp_tokens
SET last_used_at = now()
WHERE id = $1
`
func (q *Queries) UpdateMcpTokenLastUsed(ctx context.Context, id pgtype.UUID) error {
_, err := q.db.Exec(ctx, updateMcpTokenLastUsed, id)
return err
}