fix(cloud-shared): biome organizeImports + format across db/crypto + token-redemption + payout-fork test

Auto-fix: `biome check --write`. Sweeps:
- db/crypto/{api-keys,conversations,crypto.test,field-crypto,index,platform-credentials,users}.ts
- db/schemas/{index,secrets,users}.ts
- db/migrations/meta/_journal.json
- lib/services/token-redemption-secure.ts
- lib/services/__tests__/payout-fork.integration.test.ts

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: Shaw

packages/cloud-shared/src/db/crypto/api-keys.ts

@@ -10,7 +10,7 @@
  * after insert — the plaintext never persists outside the encrypted columns.
  */
 
-import { encryptField, decryptField, type EncryptedField, type FieldCoords } from "./field-crypto";
+import { decryptField, type EncryptedField, encryptField, type FieldCoords } from "./field-crypto";
 
 const COORDS = (rowId: string): FieldCoords => ({
   table: "api_keys",
@@ -33,9 +33,6 @@ export async function encryptApiKey(
 /**
  * Decrypt an API-key plaintext from the encrypted columns.
  */
-export async function decryptApiKey(
-  rowId: string,
-  field: EncryptedField,
-): Promise<string> {
+export async function decryptApiKey(rowId: string, field: EncryptedField): Promise<string> {
   return decryptField(field, COORDS(rowId));
 }

packages/cloud-shared/src/db/crypto/conversations.ts

@@ -7,11 +7,7 @@
  * column.
  */
 
-import {
-  decryptField,
-  encryptField,
-  type EncryptedField,
-} from "./field-crypto";
+import { decryptField, type EncryptedField, encryptField } from "./field-crypto";
 
 const TABLE = "conversation_messages";
 const COLUMN = "content";

packages/cloud-shared/src/db/crypto/crypto.test.ts

@@ -52,15 +52,9 @@ describe("field-crypto", () => {
   test("AAD mismatch causes decrypt to fail", async () => {
     const coords = { table: "t1", rowId: ROW, column: "c1" };
     const enc = await encryptField(ORG, "secret", coords);
-    await expect(
-      decryptField(enc, { ...coords, rowId: ROW_B }),
-    ).rejects.toThrow();
-    await expect(
-      decryptField(enc, { ...coords, column: "c2" }),
-    ).rejects.toThrow();
-    await expect(
-      decryptField(enc, { ...coords, table: "other" }),
-    ).rejects.toThrow();
+    await expect(decryptField(enc, { ...coords, rowId: ROW_B })).rejects.toThrow();
+    await expect(decryptField(enc, { ...coords, column: "c2" })).rejects.toThrow();
+    await expect(decryptField(enc, { ...coords, table: "other" })).rejects.toThrow();
   });
 
   test("blindIndex is deterministic for the same input", async () => {

packages/cloud-shared/src/db/crypto/field-crypto.ts

@@ -54,7 +54,11 @@ export async function encryptField(
   const kms = getKmsClient();
   const keyId = orgKey(orgId, "dek");
   await kms.getOrCreateKey(keyId);
-  const result = await kms.encrypt(keyId, enc.encode(plaintext), aadFor(coords.table, coords.rowId, coords.column));
+  const result = await kms.encrypt(
+    keyId,
+    enc.encode(plaintext),
+    aadFor(coords.table, coords.rowId, coords.column),
+  );
   return {
     ciphertext: b64encode(result.ciphertext),
     nonce: b64encode(result.nonce),

packages/cloud-shared/src/db/crypto/index.ts

@@ -1,6 +1,6 @@
+export * as apiKeyCrypto from "./api-keys";
+export * as conversationCrypto from "./conversations";
 export * from "./field-crypto";
 export * from "./kms-client";
-export * as apiKeyCrypto from "./api-keys";
-export * as userCrypto from "./users";
 export * as platformCredentialCrypto from "./platform-credentials";
-export * as conversationCrypto from "./conversations";
+export * as userCrypto from "./users";

packages/cloud-shared/src/db/crypto/platform-credentials.ts

@@ -4,11 +4,7 @@
  * Encrypted columns: platform_user_id, platform_email, platform_display_name.
  */
 
-import {
-  decryptField,
-  encryptField,
-  type EncryptedField,
-} from "./field-crypto";
+import { decryptField, type EncryptedField, encryptField } from "./field-crypto";
 
 const TABLE = "platform_credentials";
 

packages/cloud-shared/src/db/crypto/users.ts

@@ -10,11 +10,11 @@
 import {
   blindIndex,
   decryptField,
+  type EncryptedField,
   encryptField,
   normalizeEmail,
   normalizePhone,
   normalizeWallet,
-  type EncryptedField,
 } from "./field-crypto";
 
 const TABLE = "users";

packages/cloud-shared/src/db/migrations/meta/_journal.json

@@ -920,4 +920,4 @@
       "breakpoints": true
     }
   ]
-}
+}

packages/cloud-shared/src/db/schemas/index.ts

@@ -23,14 +23,14 @@ export * from "./alb-priorities";
 export * from "./analytics-alert-events";
 export * from "./anonymous-sessions";
 export * from "./api-keys";
-export * from "./auth-events";
 export * from "./app-billing";
 export * from "./app-config";
 export * from "./app-credit-balances";
 export * from "./app-databases";
 export * from "./app-domains";
 export * from "./app-earnings";
 export * from "./apps";
+export * from "./auth-events";
 export * from "./cli-auth-sessions";
 export * from "./containers";
 export * from "./conversations";

packages/cloud-shared/src/db/schemas/secrets.ts

@@ -256,9 +256,7 @@ export const secretAuditLog = pgTable(
     // shorter retention (e.g. dev events). Purge job at
     // packages/cloud-api/src/jobs/audit-log-purge.ts removes rows where
     // expires_at < now().
-    expires_at: timestamp("expires_at")
-      .notNull()
-      .default(sql`now() + interval '7 years'`),
+    expires_at: timestamp("expires_at").notNull().default(sql`now() + interval '7 years'`),
   },
   (table) => ({
     secret_idx: index("secret_audit_log_secret_idx").on(table.secret_id),