# Phase 4 - Repository/Service Layer

Status: implemented  
Date: 2026-02-25

## Delivered module

- `src/auth/tokenProfiles.ts`

## Capabilities

- Per-user profile CRUD:
  - `listTokenProfiles`
  - `getTokenProfileById`
  - `createTokenProfile`
  - `updateTokenProfile`
  - `deleteTokenProfile`
  - `setDefaultTokenProfile`
  - `touchTokenProfileLastUsed`
- Runtime execution resolver:
  - `resolveTokenProfileForExecution` (decrypt token only at execution boundary)

## Business rules

- Owner boundary: profile is always scoped by `user_id`.
- One user can have many profiles.
- One profile can have many token sources.
- One profile can have many account presets.
- Default profile is maintained as single active default per user.
- Source key must be unique per profile.
- Account preset must reference existing source key.

## Security behavior

- Token encrypt/decrypt uses Phase 3 security layer.
- Profile read model returns masked token only.
- Execution resolver returns plaintext token only for in-process API call path.

## DB compatibility

- Works with SQLite and MySQL.
- Uses existing Phase 2 schema:
  - `auth_user_api_profiles`
  - `auth_user_api_sources`
  - `auth_user_api_accounts`
  - `auth_user_api_audit` (table ready for Phase 5 logging usage)

