pikkujs/pikku-kysely
packages/cli/skills/pikku-kysely/SKILL.md
Use when setting up SQL database services with Kysely in a Pikku app. Covers @pikku/kysely (base), @pikku/kysely-postgres, @pikku/kysely-mysql, @pikku/kysely-sqlite — channel stores, workflow services, secret services, AI storage, agent runs, and deployment services. TRIGGER when: code uses Kysely, PikkuKysely, KyselyChannelStore, KyselyWorkflowService, KyselySecretService, or user asks about SQL database setup, Postgres/MySQL/SQLite with Pikku. DO NOT TRIGGER when: user asks about MongoDB (use pikku-mongodb) or Redis (use pikku-redis).
$ install --global
skillsauthnpx skillsauth add pikkujs/pikku pikku-kyselyInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 4, 2026, 6:05 AM147.7s1 file scanned
SKILL.md
- name:
- pikku-kysely
- description:
- Use when setting up SQL database services with Kysely in a Pikku app. Covers @pikku/kysely (base), @pikku/kysely-postgres, @pikku/kysely-mysql, @pikku/kysely-sqlite — channel stores, workflow services, secret services, AI storage, agent runs, and deployment services.
- TRIGGER when:
- code uses Kysely, PikkuKysely, KyselyChannelStore, KyselyWorkflowService, KyselySecretService, or user asks about SQL database setup, Postgres/MySQL/SQLite with Pikku.
- DO NOT TRIGGER when:
- user asks about MongoDB (use pikku-mongodb) or Redis (use pikku-redis).
- installGroups:
- [core]
Pikku Kysely (SQL Database Services)
Agent Operating Procedure
Use this skill as an execution checklist, not reference material.
- Discover before editing. Prefer OpenCode tools such as
pikku-metawhen available; otherwise run the relevantpikku meta ... --jsoncommand and inspect only the focused output you need. - Identify the source files that own the behavior. Do not start by reading generated output,
.pikku,node_modules, vendored packages, or broad build artifacts. - Make the smallest source change that satisfies the task. Keep generated files generated, and avoid hand-editing SDKs, schema output, or typegen.
- Validate with the narrowest relevant command first, then run
pikku-verifyorpikku allwhen functions, wirings, schemas, or generated clients may have changed. - If validation fails, fix the source cause and rerun validation. Do not paper over generated errors by editing generated files.
Pikku provides SQL database services through four packages:
@pikku/kysely— Base service implementations (database-agnostic)@pikku/kysely-postgres— PostgreSQL-specific implementations +PikkuKyselyconnection wrapper@pikku/kysely-mysql— MySQL-specific implementations@pikku/kysely-sqlite— SQLite-specific implementations +createSQLiteKyselyfactory
All implement standard Pikku interfaces from @pikku/core.
Installation
# Pick your database
yarn add @pikku/kysely @pikku/kysely-postgres # PostgreSQL
yarn add @pikku/kysely @pikku/kysely-mysql # MySQL
yarn add @pikku/kysely @pikku/kysely-sqlite # SQLite
API Reference
PostgreSQL Connection — PikkuKysely
import { PikkuKysely } from '@pikku/kysely-postgres'
const db = new PikkuKysely<DB>(
logger: Logger,
connectionOrConfig: postgres.Sql | postgres.Options | string,
defaultSchemaName?: string
)
await db.init()
db.kysely // Kysely<DB> instance for queries
await db.close()
SQLite Factory — createSQLiteKysely
import { createSQLiteKysely } from '@pikku/kysely-sqlite'
const kysely = createSQLiteKysely(database: SqliteDatabase | (() => Promise<SqliteDatabase>))
Available Services
Each database variant exports these services with a prefix (Pg, MySQL, SQLite, or base Kysely):
| Service | Interface | Purpose |
| --------------------- | ------------------------------------- | ---------------------------------------------- |
| *ChannelStore | ChannelStore | WebSocket channel state persistence |
| *EventHubStore | EventHubStore | Event hub state persistence |
| *WorkflowService | PikkuWorkflowService | Workflow definition storage |
| *WorkflowRunService | WorkflowRunService | Workflow execution tracking |
| *DeploymentService | DeploymentService | Deployment state management |
| *AIStorageService | AIStorageService, AIRunStateService | AI conversation/run storage |
| *AgentRunService | AgentRunService | Agent execution tracking |
| *SecretService | SecretService | Encrypted secret storage (envelope encryption) |
All services take a Kysely<KyselyPikkuDB> instance in their constructor and have an init() method that creates tables if needed.
Secret Service
import { PgKyselySecretService } from '@pikku/kysely-postgres'
const secrets = new PgKyselySecretService(db.kysely, {
kekSecret: 'your-key-encryption-key',
salt: 'your-salt',
})
await secrets.init()
await secrets.setSecretJSON('api-key', { key: 'sk-...' })
const value = await secrets.getSecretJSON<{ key: string }>('api-key')
await secrets.rotateKEK() // Re-encrypt all secrets with new KEK
Usage Patterns
PostgreSQL Setup
import {
PikkuKysely,
PgKyselyChannelStore,
PgKyselyWorkflowService,
} from '@pikku/kysely-postgres'
const createSingletonServices = pikkuServices(async (config) => {
const logger = new PinoLogger()
const db = new PikkuKysely(logger, config.databaseUrl)
await db.init()
const channelStore = new PgKyselyChannelStore(db.kysely)
await channelStore.init()
const workflowService = new PgKyselyWorkflowService(db.kysely)
await workflowService.init()
return { config, logger, database: db, channelStore, workflowService }
})
SQLite Setup
import {
createSQLiteKysely,
SQLiteKyselyChannelStore,
} from '@pikku/kysely-sqlite'
import Database from 'better-sqlite3'
const kysely = createSQLiteKysely(new Database('app.db'))
const channelStore = new SQLiteKyselyChannelStore(kysely)
await channelStore.init()
MySQL Setup
import { MySQLKyselyWorkflowService } from '@pikku/kysely-mysql'
const workflowService = new MySQLKyselyWorkflowService(kyselyInstance)
await workflowService.init()
Related Skills
pikkujs/pikku-tag-middleware
documentation
VerifiedTrustedCommunity
Deprecated — use pikku-middleware instead. Tag middleware (addTagMiddleware) is now documented as a section within the pikku-middleware skill, alongside global HTTP middleware, execution order, and the service-to-service bearer auth pattern.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-permissions
testing
VerifiedTrustedCommunity
Use when adding authorization checks to Pikku functions or routes — pikkuPermission, pikkuAuth, per-function permissions, pattern-based permissions, or understanding OR/AND permission logic. TRIGGER when: user wants to restrict who can call a function, check resource ownership, add role-based access, or understand where permission checks belong. DO NOT TRIGGER when: user asks about middleware or request interception (use pikku-middleware), authentication strategies (use pikku-security), or session management.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-middleware
testing
VerifiedTrustedCommunity
Use when adding any middleware to a Pikku app — global HTTP middleware, tag-scoped middleware (including service-to-service bearer auth), per-route middleware, session-setting middleware, or understanding middleware execution order and priority. TRIGGER when: user wants middleware on some or all routes, machine-to-machine auth, tag-scoped cross-cutting concerns, global interceptors, or middleware priority/order questions. DO NOT TRIGGER when: user asks about permissions/authorization checks (use pikku-permissions), auth strategies like authBearer/authCookie (use pikku-security), or deployment.
56SKILL.mdUpdated Jun 10, 2026
pikkujs/pikku-template-clone
documentation
VerifiedTrustedCommunity
Standard cleanup to run right after a Pikku template is cloned or scaffolded into a new project. TRIGGER when: a Pikku template was just cloned/scaffolded (via `pikku create`, `git clone <template>`, or the user says "I cloned the kanban template / starter / template"), or the working tree still looks like an untouched template (template README, placeholder `@project/*` name in package.json). DO NOT TRIGGER when: working in an established project mid-feature, or editing the template repo itself.
56SKILL.mdUpdated Jun 4, 2026