feat(relay): add resource identity auth for relays

backend/src/db/migrations/20260521025807_relay-resource-auth.ts

@@ -0,0 +1,55 @@
+import { Knex } from "knex";
+
+import { TableName } from "../schemas";
+
+export async function up(knex: Knex): Promise<void> {
+  // 1. Add relayId FK to resource_auth_methods — same nullable-FK-per-resource-type
+  // pattern used for gatewayId (see 20260430143000_resource-auth-methods.ts).
+  if (await knex.schema.hasTable(TableName.ResourceAuthMethod)) {
+    const hasRelayId = await knex.schema.hasColumn(TableName.ResourceAuthMethod, "relayId");
+    if (!hasRelayId) {
+      await knex.schema.alterTable(TableName.ResourceAuthMethod, (t) => {
+        t.uuid("relayId").nullable();
+        t.foreign("relayId").references("id").inTable(TableName.Relay).onDelete("CASCADE");
+      });
+
+      await knex.schema.raw(`
+        CREATE UNIQUE INDEX one_method_per_relay
+        ON ${TableName.ResourceAuthMethod} ("relayId")
+        WHERE "relayId" IS NOT NULL
+      `);
+    }
+  }
+
+  // 2. Add tokenVersion to relays — used for stateless JWT revocation,
+  // same pattern as gateways_v2.tokenVersion.
+  if (await knex.schema.hasTable(TableName.Relay)) {
+    const hasTokenVersion = await knex.schema.hasColumn(TableName.Relay, "tokenVersion");
+    if (!hasTokenVersion) {
+      await knex.schema.alterTable(TableName.Relay, (t) => {
+        t.integer("tokenVersion").notNullable().defaultTo(0);
+      });
+    }
+  }
+}
+
+export async function down(knex: Knex): Promise<void> {
+  if (await knex.schema.hasTable(TableName.Relay)) {
+    const hasTokenVersion = await knex.schema.hasColumn(TableName.Relay, "tokenVersion");
+    if (hasTokenVersion) {
+      await knex.schema.alterTable(TableName.Relay, (t) => {
+        t.dropColumn("tokenVersion");
+      });
+    }
+  }
+
+  if (await knex.schema.hasTable(TableName.ResourceAuthMethod)) {
+    const hasRelayId = await knex.schema.hasColumn(TableName.ResourceAuthMethod, "relayId");
+    if (hasRelayId) {
+      await knex.schema.raw(`DROP INDEX IF EXISTS one_method_per_relay`);
+      await knex.schema.alterTable(TableName.ResourceAuthMethod, (t) => {
+        t.dropColumn("relayId");
+      });
+    }
+  }
+}

backend/src/db/schemas/relays.ts

@@ -16,7 +16,8 @@ export const RelaysSchema = z.object({
   name: z.string(),
   host: z.string(),
   heartbeat: z.date().nullable().optional(),
-  healthAlertedAt: z.date().nullable().optional()
+  healthAlertedAt: z.date().nullable().optional(),
+  tokenVersion: z.number().default(0)
 });
 
 export type TRelays = z.infer<typeof RelaysSchema>;

backend/src/db/schemas/resource-auth-methods.ts

@@ -12,7 +12,8 @@ export const ResourceAuthMethodsSchema = z.object({
   gatewayId: z.string().uuid().nullable().optional(),
   method: z.string(),
   createdAt: z.date(),
-  updatedAt: z.date()
+  updatedAt: z.date(),
+  relayId: z.string().uuid().nullable().optional()
 });
 
 export type TResourceAuthMethods = z.infer<typeof ResourceAuthMethodsSchema>;

backend/src/ee/routes/v1/relay-router.ts

@@ -1,6 +1,7 @@
 import { z } from "zod";
 
 import { RelaysSchema } from "@app/db/schemas";
+import { EventType } from "@app/ee/services/audit-log/audit-log-types";
 import { getConfig } from "@app/lib/config/env";
 import { crypto } from "@app/lib/crypto/cryptography";
 import { UnauthorizedError } from "@app/lib/errors";
@@ -70,6 +71,7 @@ export const registerRelayRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: true,
       operationId: "registerOrgRelay",
       body: z.object({
         host: z.string(),
@@ -142,13 +144,24 @@ export const registerRelayRouter = async (server: FastifyZodProvider) => {
     },
     onRequest: verifyAuth([AuthMode.JWT, AuthMode.IDENTITY_ACCESS_TOKEN]),
     handler: async (req) => {
-      return server.services.relay.deleteRelay({
+      const relay = await server.services.relay.deleteRelay({
         id: req.params.id,
         actorId: req.permission.id,
         actor: req.permission.type,
         actorAuthMethod: req.permission.authMethod,
         actorOrgId: req.permission.orgId
       });
+
+      await server.services.auditLog.createAuditLog({
+        ...req.auditLogInfo,
+        orgId: req.permission.orgId,
+        event: {
+          type: EventType.RELAY_DELETE,
+          metadata: { relayId: relay.id, name: relay.name }
+        }
+      });
+
+      return relay;
     }
   });
 
@@ -212,6 +225,7 @@ export const registerRelayRouter = async (server: FastifyZodProvider) => {
       rateLimit: writeLimit
     },
     schema: {
+      hide: true,
       operationId: "heartbeatOrgRelay",
       body: z.object({
         name: slugSchema({ min: 1, max: 32, field: "name" })

backend/src/ee/routes/v2/index.ts

@@ -10,6 +10,7 @@ import {
 import { registerDeprecatedProjectRoleRouter } from "./deprecated-project-role-router";
 import { registerGatewayV2Router } from "./gateway-router";
 import { registerIdentityProjectAdditionalPrivilegeRouter } from "./identity-project-additional-privilege-router";
+import { registerRelayV2Router } from "./relay-router";
 import { registerSecretApprovalPolicyRouter } from "./secret-approval-policy-router";
 import { registerSecretVersionRouter } from "./secret-version-router";
 
@@ -57,4 +58,6 @@ export const registerV2EERoutes = async (server: FastifyZodProvider) => {
   );
 
   await server.register(registerSecretVersionRouter, { prefix: "/secret-versions" });
+
+  await server.register(registerRelayV2Router, { prefix: "/relays" });
 };