You've already forked agentic-coding-workflow
295 lines
7.7 KiB
Go
295 lines
7.7 KiB
Go
// Code generated by sqlc. DO NOT EDIT.
|
|
// versions:
|
|
// sqlc v1.31.1
|
|
// source: mcp_tokens.sql
|
|
|
|
package mcpsqlc
|
|
|
|
import (
|
|
"context"
|
|
|
|
"github.com/jackc/pgx/v5/pgtype"
|
|
)
|
|
|
|
const createMcpToken = `-- name: CreateMcpToken :one
|
|
INSERT INTO mcp_tokens (
|
|
id, token_hash, user_id, name, issuer, scope,
|
|
acp_session_id, expires_at, created_by
|
|
) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
|
|
RETURNING id, token_hash, user_id, name, issuer, scope,
|
|
acp_session_id, expires_at, last_used_at, revoked_at,
|
|
created_by, created_at
|
|
`
|
|
|
|
type CreateMcpTokenParams struct {
|
|
ID pgtype.UUID `json:"id"`
|
|
TokenHash []byte `json:"token_hash"`
|
|
UserID pgtype.UUID `json:"user_id"`
|
|
Name string `json:"name"`
|
|
Issuer string `json:"issuer"`
|
|
Scope []byte `json:"scope"`
|
|
AcpSessionID pgtype.UUID `json:"acp_session_id"`
|
|
ExpiresAt pgtype.Timestamptz `json:"expires_at"`
|
|
CreatedBy pgtype.UUID `json:"created_by"`
|
|
}
|
|
|
|
func (q *Queries) CreateMcpToken(ctx context.Context, arg CreateMcpTokenParams) (McpToken, error) {
|
|
row := q.db.QueryRow(ctx, createMcpToken,
|
|
arg.ID,
|
|
arg.TokenHash,
|
|
arg.UserID,
|
|
arg.Name,
|
|
arg.Issuer,
|
|
arg.Scope,
|
|
arg.AcpSessionID,
|
|
arg.ExpiresAt,
|
|
arg.CreatedBy,
|
|
)
|
|
var i McpToken
|
|
err := row.Scan(
|
|
&i.ID,
|
|
&i.TokenHash,
|
|
&i.UserID,
|
|
&i.Name,
|
|
&i.Issuer,
|
|
&i.Scope,
|
|
&i.AcpSessionID,
|
|
&i.ExpiresAt,
|
|
&i.LastUsedAt,
|
|
&i.RevokedAt,
|
|
&i.CreatedBy,
|
|
&i.CreatedAt,
|
|
)
|
|
return i, err
|
|
}
|
|
|
|
const deleteMcpTokenByID = `-- name: DeleteMcpTokenByID :exec
|
|
DELETE FROM mcp_tokens WHERE id = $1
|
|
`
|
|
|
|
// 仅供测试用(生产不允许直接物理删;走撤销)。
|
|
func (q *Queries) DeleteMcpTokenByID(ctx context.Context, id pgtype.UUID) error {
|
|
_, err := q.db.Exec(ctx, deleteMcpTokenByID, id)
|
|
return err
|
|
}
|
|
|
|
const getMcpTokenByHash = `-- name: GetMcpTokenByHash :one
|
|
SELECT t.id, t.token_hash, t.user_id, t.name, t.issuer, t.scope,
|
|
t.acp_session_id, t.expires_at, t.last_used_at, t.revoked_at,
|
|
t.created_by, t.created_at
|
|
FROM mcp_tokens t
|
|
JOIN users u ON u.id = t.user_id
|
|
WHERE t.token_hash = $1
|
|
AND u.enabled = true
|
|
`
|
|
|
|
// 鉴权用:仅返回属于 enabled 用户的 token,禁用用户的 MCP token 立即失效
|
|
// (与 web session 解析 GetSessionByTokenHash 的 enabled=true 约束一致)。
|
|
func (q *Queries) GetMcpTokenByHash(ctx context.Context, tokenHash []byte) (McpToken, error) {
|
|
row := q.db.QueryRow(ctx, getMcpTokenByHash, tokenHash)
|
|
var i McpToken
|
|
err := row.Scan(
|
|
&i.ID,
|
|
&i.TokenHash,
|
|
&i.UserID,
|
|
&i.Name,
|
|
&i.Issuer,
|
|
&i.Scope,
|
|
&i.AcpSessionID,
|
|
&i.ExpiresAt,
|
|
&i.LastUsedAt,
|
|
&i.RevokedAt,
|
|
&i.CreatedBy,
|
|
&i.CreatedAt,
|
|
)
|
|
return i, err
|
|
}
|
|
|
|
const getMcpTokenByID = `-- name: GetMcpTokenByID :one
|
|
SELECT id, token_hash, user_id, name, issuer, scope,
|
|
acp_session_id, expires_at, last_used_at, revoked_at,
|
|
created_by, created_at
|
|
FROM mcp_tokens
|
|
WHERE id = $1
|
|
`
|
|
|
|
func (q *Queries) GetMcpTokenByID(ctx context.Context, id pgtype.UUID) (McpToken, error) {
|
|
row := q.db.QueryRow(ctx, getMcpTokenByID, id)
|
|
var i McpToken
|
|
err := row.Scan(
|
|
&i.ID,
|
|
&i.TokenHash,
|
|
&i.UserID,
|
|
&i.Name,
|
|
&i.Issuer,
|
|
&i.Scope,
|
|
&i.AcpSessionID,
|
|
&i.ExpiresAt,
|
|
&i.LastUsedAt,
|
|
&i.RevokedAt,
|
|
&i.CreatedBy,
|
|
&i.CreatedAt,
|
|
)
|
|
return i, err
|
|
}
|
|
|
|
const listMcpTokens = `-- name: ListMcpTokens :many
|
|
SELECT id, token_hash, user_id, name, issuer, scope,
|
|
acp_session_id, expires_at, last_used_at, revoked_at,
|
|
created_by, created_at
|
|
FROM mcp_tokens
|
|
WHERE
|
|
($1::uuid IS NULL
|
|
OR (user_id = $1::uuid AND issuer = 'admin'))
|
|
AND
|
|
(NOT $2::boolean
|
|
OR (revoked_at IS NULL AND (expires_at IS NULL OR expires_at > now())))
|
|
ORDER BY created_at DESC
|
|
`
|
|
|
|
type ListMcpTokensParams struct {
|
|
CallerUserID pgtype.UUID `json:"caller_user_id"`
|
|
ActiveOnly bool `json:"active_only"`
|
|
}
|
|
|
|
// ListMcpTokens:admin 看全部;普通 user 看自己持有的 admin-issued。
|
|
// callerUserID 为 NULL 表示 admin(不过滤);非空表示按 (user_id=$1 AND issuer='admin') 过滤。
|
|
// activeOnly=true 时排除已撤销 / 已过期。
|
|
func (q *Queries) ListMcpTokens(ctx context.Context, arg ListMcpTokensParams) ([]McpToken, error) {
|
|
rows, err := q.db.Query(ctx, listMcpTokens, arg.CallerUserID, arg.ActiveOnly)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
var items []McpToken
|
|
for rows.Next() {
|
|
var i McpToken
|
|
if err := rows.Scan(
|
|
&i.ID,
|
|
&i.TokenHash,
|
|
&i.UserID,
|
|
&i.Name,
|
|
&i.Issuer,
|
|
&i.Scope,
|
|
&i.AcpSessionID,
|
|
&i.ExpiresAt,
|
|
&i.LastUsedAt,
|
|
&i.RevokedAt,
|
|
&i.CreatedBy,
|
|
&i.CreatedAt,
|
|
); err != nil {
|
|
return nil, err
|
|
}
|
|
items = append(items, i)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
return items, nil
|
|
}
|
|
|
|
const purgeMcpTokensExpired = `-- name: PurgeMcpTokensExpired :execrows
|
|
DELETE FROM mcp_tokens
|
|
WHERE (expires_at IS NOT NULL AND expires_at < $1)
|
|
OR (revoked_at IS NOT NULL AND revoked_at < $1)
|
|
`
|
|
|
|
// 后台 jobs runner 用:删 expires_at + retention 之前 / revoked_at + retention 之前的 row。
|
|
// 单条 query 用 OR 条件,retention 同一份。
|
|
func (q *Queries) PurgeMcpTokensExpired(ctx context.Context, expiresAt pgtype.Timestamptz) (int64, error) {
|
|
result, err := q.db.Exec(ctx, purgeMcpTokensExpired, expiresAt)
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
return result.RowsAffected(), nil
|
|
}
|
|
|
|
const reapStaleSystemTokens = `-- name: ReapStaleSystemTokens :many
|
|
UPDATE mcp_tokens t
|
|
SET revoked_at = now()
|
|
FROM acp_sessions s
|
|
WHERE t.acp_session_id = s.id
|
|
AND t.issuer = 'system'
|
|
AND t.revoked_at IS NULL
|
|
AND s.status IN ('crashed','exited')
|
|
RETURNING t.id
|
|
`
|
|
|
|
// 启动期 reaper:所有 system token 中,关联的 acp_sessions 已经是 crashed/exited 的,全部撤销。
|
|
// ACP 自身的 reaper 必须先把 starting/running 残留转为 crashed,本 query 才能命中。
|
|
func (q *Queries) ReapStaleSystemTokens(ctx context.Context) ([]pgtype.UUID, error) {
|
|
rows, err := q.db.Query(ctx, reapStaleSystemTokens)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
var items []pgtype.UUID
|
|
for rows.Next() {
|
|
var id pgtype.UUID
|
|
if err := rows.Scan(&id); err != nil {
|
|
return nil, err
|
|
}
|
|
items = append(items, id)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
return items, nil
|
|
}
|
|
|
|
const revokeMcpToken = `-- name: RevokeMcpToken :one
|
|
UPDATE mcp_tokens
|
|
SET revoked_at = now()
|
|
WHERE id = $1 AND revoked_at IS NULL
|
|
RETURNING id
|
|
`
|
|
|
|
func (q *Queries) RevokeMcpToken(ctx context.Context, id pgtype.UUID) (pgtype.UUID, error) {
|
|
row := q.db.QueryRow(ctx, revokeMcpToken, id)
|
|
var id_2 pgtype.UUID
|
|
err := row.Scan(&id_2)
|
|
return id_2, err
|
|
}
|
|
|
|
const revokeMcpTokensBySession = `-- name: RevokeMcpTokensBySession :many
|
|
UPDATE mcp_tokens
|
|
SET revoked_at = now()
|
|
WHERE acp_session_id = $1
|
|
AND issuer = 'system'
|
|
AND revoked_at IS NULL
|
|
RETURNING id
|
|
`
|
|
|
|
// 给定一个 ACP session 的 ID,把所有引用该 session 的 system token 一次性撤销。
|
|
// 返回已撤销的 token id 列表(用于 audit 写入逐条)。
|
|
func (q *Queries) RevokeMcpTokensBySession(ctx context.Context, acpSessionID pgtype.UUID) ([]pgtype.UUID, error) {
|
|
rows, err := q.db.Query(ctx, revokeMcpTokensBySession, acpSessionID)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer rows.Close()
|
|
var items []pgtype.UUID
|
|
for rows.Next() {
|
|
var id pgtype.UUID
|
|
if err := rows.Scan(&id); err != nil {
|
|
return nil, err
|
|
}
|
|
items = append(items, id)
|
|
}
|
|
if err := rows.Err(); err != nil {
|
|
return nil, err
|
|
}
|
|
return items, nil
|
|
}
|
|
|
|
const updateMcpTokenLastUsed = `-- name: UpdateMcpTokenLastUsed :exec
|
|
UPDATE mcp_tokens
|
|
SET last_used_at = now()
|
|
WHERE id = $1
|
|
`
|
|
|
|
func (q *Queries) UpdateMcpTokenLastUsed(ctx context.Context, id pgtype.UUID) error {
|
|
_, err := q.db.Exec(ctx, updateMcpTokenLastUsed, id)
|
|
return err
|
|
}
|