"""add_registration_tokens_and_agent_secret_hash Revision ID: add_registration_tokens Revises: add_agent_fields Create Date: 2025-12-06 10:00:00.000000 This migration adds: 1. registration_tokens table for secure agent registration 2. secret_hash column to agents for new auth scheme 3. registration_token_id FK in agents to track token usage """ from typing import Sequence, Union import hashlib from alembic import op import sqlalchemy as sa from sqlalchemy.dialects import postgresql # revision identifiers, used by Alembic. revision: str = 'add_registration_tokens' down_revision: Union[str, None] = 'add_agent_fields' branch_labels: Union[str, Sequence[str], None] = None depends_on: Union[str, Sequence[str], None] = None def upgrade() -> None: # 1. Create registration_tokens table op.create_table( 'registration_tokens', sa.Column('id', sa.UUID(), nullable=False), sa.Column('tenant_id', sa.UUID(), nullable=False), sa.Column('token_hash', sa.String(length=64), nullable=False, comment='SHA-256 hash of the registration token'), sa.Column('description', sa.String(length=255), nullable=True, comment='Human-readable description for the token'), sa.Column('max_uses', sa.Integer(), nullable=False, server_default='1', comment='Maximum number of uses (0 = unlimited)'), sa.Column('use_count', sa.Integer(), nullable=False, server_default='0', comment='Current number of times this token has been used'), sa.Column('expires_at', sa.DateTime(timezone=True), nullable=True, comment='Optional expiration timestamp'), sa.Column('revoked', sa.Boolean(), nullable=False, server_default='false', comment='Whether this token has been manually revoked'), sa.Column('created_by', sa.String(length=255), nullable=True, comment='Identifier of who created this token (for audit)'), sa.Column('created_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()), sa.Column('updated_at', sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()), sa.PrimaryKeyConstraint('id'), sa.ForeignKeyConstraint(['tenant_id'], ['tenants.id'], ondelete='CASCADE'), ) op.create_index(op.f('ix_registration_tokens_tenant_id'), 'registration_tokens', ['tenant_id'], unique=False) op.create_index(op.f('ix_registration_tokens_token_hash'), 'registration_tokens', ['token_hash'], unique=False) # 2. Add secret_hash column to agents (for new auth scheme) # Initialize with empty string, will be populated during agent migration op.add_column( 'agents', sa.Column('secret_hash', sa.String(length=64), nullable=False, server_default='', comment='SHA-256 hash of the agent secret') ) # 3. Add registration_token_id FK to agents op.add_column( 'agents', sa.Column('registration_token_id', sa.UUID(), nullable=True) ) op.create_foreign_key( 'fk_agents_registration_token_id', 'agents', 'registration_tokens', ['registration_token_id'], ['id'], ondelete='SET NULL' ) op.create_index(op.f('ix_agents_registration_token_id'), 'agents', ['registration_token_id'], unique=False) # 4. Migrate existing agent tokens to secret_hash # For existing agents, we'll hash their current token and store it as secret_hash # This allows backward compatibility during the transition period connection = op.get_bind() agents = connection.execute(sa.text("SELECT id, token FROM agents WHERE token != ''")) for agent in agents: if agent.token: hashed = hashlib.sha256(agent.token.encode()).hexdigest() connection.execute( sa.text("UPDATE agents SET secret_hash = :hash WHERE id = :id"), {"hash": hashed, "id": agent.id} ) def downgrade() -> None: # Drop registration_token_id FK and index from agents op.drop_index(op.f('ix_agents_registration_token_id'), table_name='agents') op.drop_constraint('fk_agents_registration_token_id', 'agents', type_='foreignkey') op.drop_column('agents', 'registration_token_id') # Drop secret_hash column from agents op.drop_column('agents', 'secret_hash') # Drop registration_tokens table op.drop_index(op.f('ix_registration_tokens_token_hash'), table_name='registration_tokens') op.drop_index(op.f('ix_registration_tokens_tenant_id'), table_name='registration_tokens') op.drop_table('registration_tokens')