4runr-os 2.10.2 → 2.10.3

package/apps/gateway/package-lock.json

@@ -261,9 +261,9 @@
       }
     },
     "node_modules/@aws-sdk/client-kms": {
-      "version": "3.1036.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1036.0.tgz",
-      "integrity": "sha512-tpqED4Wxmwx3gKv4czaMBbptyoYYX/2KuJ/F3+ZUQ5xPimQ448Wrx6Ci0aOfnbBIKek8DIL24LdgYSoApgnHoQ==",
+      "version": "3.1037.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-kms/-/client-kms-3.1037.0.tgz",
+      "integrity": "sha512-kCaCPJVob3ArRGqBougLiHkarRKJx4C5okwX54VJVdSrsKmF/HMXsFXWB7DAS3mfvc5HGaTUstneuaM7VmhO6A==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
@@ -311,9 +311,9 @@
       }
     },
     "node_modules/@aws-sdk/client-secrets-manager": {
-      "version": "3.1036.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1036.0.tgz",
-      "integrity": "sha512-4Q0Rqh1CrNfwmAOrQF9FiuU2QmV51cTSa+rJJNan7/KzYUUlUFmavuWpKH+S3preT8iaTlCT0JyCqO46kg24RA==",
+      "version": "3.1037.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-secrets-manager/-/client-secrets-manager-3.1037.0.tgz",
+      "integrity": "sha512-SBXVNgXdzFeiuUod1AZXJexTDndPcpSTGOrVDe5Ny81Xq7d3r18th7ZTzvnc7BsD9MQa8SckNgOYscvi/fYZhw==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
@@ -361,9 +361,9 @@
       }
     },
     "node_modules/@aws-sdk/client-ssm": {
-      "version": "3.1036.0",
-      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1036.0.tgz",
-      "integrity": "sha512-MGUcW/ITX37ktOQpBI9T2x0bHt1KFi5z8FjkSRC8FrBezxyViMMRbvJcbU3sOojsRvFpZePUgfB4RkcYu7BAbg==",
+      "version": "3.1037.0",
+      "resolved": "https://registry.npmjs.org/@aws-sdk/client-ssm/-/client-ssm-3.1037.0.tgz",
+      "integrity": "sha512-bpOon1QQ+FN1yH7NbjjHnyQ7y5xPvS/3vS2nL3+e2+Iu9sA+WJwgwquk6N+U1EtnAuGPAl9eNzk0GnEHaIwAOQ==",
       "license": "Apache-2.0",
       "dependencies": {
         "@aws-crypto/sha256-browser": "5.2.0",
@@ -1964,9 +1964,9 @@
       }
     },
     "node_modules/@fastify/ajv-compiler/node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz",
+      "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -4102,9 +4102,9 @@
       }
     },
     "node_modules/ajv-formats/node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz",
+      "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",
@@ -5420,9 +5420,9 @@
       }
     },
     "node_modules/fast-json-stringify/node_modules/ajv": {
-      "version": "8.18.0",
-      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
-      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.20.0.tgz",
+      "integrity": "sha512-Thbli+OlOj+iMPYFBVBfJ3OmCAnaSyNn4M1vz9T6Gka5Jt9ba/HIR56joy65tY6kx/FCF5VXNB819Y7/GUrBGA==",
       "license": "MIT",
       "dependencies": {
         "fast-deep-equal": "^3.1.3",

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "4runr-os",
-  "version": "2.10.2",
+  "version": "2.10.3",
   "type": "module",
-  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.2: Portal Monitoring — auto-refresh, uptime/queue/memory metrics, /api/monitoring/summary; /health includes uptime+memory; TUI text-only (no decorative emoji). v2.10.1+ Docker Postgres+Redis in auto mode. See docs/4RUNR-DB-IMPLEMENTATION-PLAN.md, docs/MONITORING-IMPROVEMENTS-V1.md",
+  "description": "4Runr AI Agent OS - Secure terminal interface for AI agents. v2.10.3: npm global Gateway — ship prisma/ in package, postinstall always runs prisma generate (fixes @prisma/client not initialized). v2.10.2: Portal monitoring metrics. v2.10.1+ Docker Postgres+Redis in auto mode. See docs/4RUNR-DB-IMPLEMENTATION-PLAN.md, docs/MONITORING-IMPROVEMENTS-V1.md",
   "main": "dist/index.js",
   "bin": {
     "4runr": "dist/index.js",
@@ -84,6 +84,7 @@
     "mk3-tui/bin/**/*",
     "mk3-tui/binaries/**/*",
     "apps/gateway/**/*",
+    "prisma/**/*",
     "packages/shared/package.json",
     "packages/shared/dist/**/*",
     "packages/sentinel/package.json",

package/prisma/migrations/20250806234307_add_agent_model/migration.sql

@@ -0,0 +1,23 @@
+-- CreateTable
+CREATE TABLE "Agent" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "name" TEXT NOT NULL,
+    "role" TEXT NOT NULL,
+    "createdBy" TEXT NOT NULL,
+    "publicKey" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'active',
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+-- CreateTable
+CREATE TABLE "Token" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "token" TEXT NOT NULL,
+    "expiresAt" DATETIME NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "Token_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Token_token_key" ON "Token"("token");

package/prisma/migrations/20250806234618_add_token_model/migration.sql

@@ -0,0 +1,24 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `token` on the `Token` table. All the data in the column will be lost.
+  - Added the required column `encrypted` to the `Token` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Token" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "encrypted" TEXT NOT NULL,
+    "expiresAt" DATETIME NOT NULL,
+    "revoked" BOOLEAN NOT NULL DEFAULT false,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "Token_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+INSERT INTO "new_Token" ("agentId", "createdAt", "expiresAt", "id") SELECT "agentId", "createdAt", "expiresAt", "id" FROM "Token";
+DROP TABLE "Token";
+ALTER TABLE "new_Token" RENAME TO "Token";
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

package/prisma/migrations/20250807002545_add_request_log_model/migration.sql

@@ -0,0 +1,12 @@
+-- CreateTable
+CREATE TABLE "RequestLog" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "tool" TEXT NOT NULL,
+    "action" TEXT NOT NULL,
+    "responseTime" INTEGER NOT NULL,
+    "statusCode" INTEGER NOT NULL,
+    "success" BOOLEAN NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "RequestLog_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);

package/prisma/migrations/20250811200143_init/migration.sql

@@ -0,0 +1,75 @@
+-- CreateTable
+CREATE TABLE "Policy" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "name" TEXT NOT NULL,
+    "description" TEXT,
+    "agentId" TEXT,
+    "role" TEXT,
+    "spec" TEXT NOT NULL,
+    "specHash" TEXT NOT NULL,
+    "active" BOOLEAN NOT NULL DEFAULT true,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    CONSTRAINT "Policy_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE SET NULL ON UPDATE CASCADE
+);
+
+-- CreateTable
+CREATE TABLE "PolicyLog" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "policyId" TEXT NOT NULL,
+    "agentId" TEXT NOT NULL,
+    "tool" TEXT NOT NULL,
+    "action" TEXT NOT NULL,
+    "decision" TEXT NOT NULL,
+    "reason" TEXT,
+    "requestData" TEXT,
+    "responseData" TEXT,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "PolicyLog_policyId_fkey" FOREIGN KEY ("policyId") REFERENCES "Policy" ("id") ON DELETE RESTRICT ON UPDATE CASCADE,
+    CONSTRAINT "PolicyLog_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+
+-- CreateTable
+CREATE TABLE "QuotaCounter" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "policyId" TEXT NOT NULL,
+    "quotaKey" TEXT NOT NULL,
+    "current" INTEGER NOT NULL DEFAULT 0,
+    "resetAt" DATETIME NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    CONSTRAINT "QuotaCounter_policyId_fkey" FOREIGN KEY ("policyId") REFERENCES "Policy" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+
+-- CreateTable
+CREATE TABLE "ToolCredential" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "tool" TEXT NOT NULL,
+    "version" TEXT NOT NULL,
+    "isActive" BOOLEAN NOT NULL DEFAULT false,
+    "encryptedCredential" TEXT NOT NULL,
+    "metadata" TEXT,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "activatedAt" DATETIME,
+    "deactivatedAt" DATETIME
+);
+
+-- CreateTable
+CREATE TABLE "TokenRegistry" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "tokenId" TEXT NOT NULL,
+    "agentId" TEXT NOT NULL,
+    "payloadHash" TEXT NOT NULL,
+    "issuedAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "isRevoked" BOOLEAN NOT NULL DEFAULT false,
+    "revokedAt" DATETIME,
+    CONSTRAINT "TokenRegistry_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "Agent" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ToolCredential_tool_version_key" ON "ToolCredential"("tool", "version");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "TokenRegistry_tokenId_key" ON "TokenRegistry"("tokenId");

package/prisma/migrations/20250820014813_add_agent_runtime_models/migration.sql

@@ -0,0 +1,44 @@
+-- CreateTable
+CREATE TABLE "runtime_agents" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "name" TEXT NOT NULL,
+    "language" TEXT NOT NULL,
+    "sourceType" TEXT NOT NULL DEFAULT 'ZIP',
+    "sourceUri" TEXT,
+    "entrypoint" TEXT NOT NULL,
+    "env" JSONB NOT NULL,
+    "limitsCpu" REAL,
+    "limitsMemMb" INTEGER,
+    "networkMode" TEXT NOT NULL DEFAULT 'NONE',
+    "status" TEXT NOT NULL DEFAULT 'READY',
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "runtime_runs" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'QUEUED',
+    "startedAt" DATETIME,
+    "endedAt" DATETIME,
+    "exitCode" INTEGER,
+    "reason" TEXT,
+    "cpuSeconds" REAL,
+    "maxMemMb" INTEGER,
+    "logsPtr" TEXT,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "runtime_runs_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "runtime_agents" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- CreateTable
+CREATE TABLE "runtime_schedules" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "cronExpr" TEXT NOT NULL,
+    "enabled" BOOLEAN NOT NULL DEFAULT true,
+    "lastRunAt" DATETIME,
+    "nextRunAt" DATETIME,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "runtime_schedules_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "runtime_agents" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);

package/prisma/migrations/20250820024550_task003_monitoring/migration.sql

@@ -0,0 +1,49 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `logsPtr` on the `runtime_runs` table. All the data in the column will be lost.
+
+*/
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_runtime_agents" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "name" TEXT NOT NULL,
+    "language" TEXT NOT NULL,
+    "sourceType" TEXT NOT NULL DEFAULT 'ZIP',
+    "sourceUri" TEXT,
+    "entrypoint" TEXT NOT NULL,
+    "env" JSONB NOT NULL,
+    "limitsCpu" REAL,
+    "limitsMemMb" INTEGER,
+    "networkMode" TEXT NOT NULL DEFAULT 'NONE',
+    "status" TEXT NOT NULL DEFAULT 'READY',
+    "maxRestarts" INTEGER NOT NULL DEFAULT 2,
+    "restartBackoffMs" INTEGER NOT NULL DEFAULT 5000,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL
+);
+INSERT INTO "new_runtime_agents" ("createdAt", "entrypoint", "env", "id", "language", "limitsCpu", "limitsMemMb", "name", "networkMode", "sourceType", "sourceUri", "status", "updatedAt") SELECT "createdAt", "entrypoint", "env", "id", "language", "limitsCpu", "limitsMemMb", "name", "networkMode", "sourceType", "sourceUri", "status", "updatedAt" FROM "runtime_agents";
+DROP TABLE "runtime_agents";
+ALTER TABLE "new_runtime_agents" RENAME TO "runtime_agents";
+CREATE TABLE "new_runtime_runs" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'QUEUED',
+    "startedAt" DATETIME,
+    "endedAt" DATETIME,
+    "exitCode" INTEGER,
+    "reason" TEXT,
+    "cpuSeconds" REAL,
+    "maxMemMb" INTEGER,
+    "restarts" INTEGER NOT NULL DEFAULT 0,
+    "lastSampleAt" DATETIME,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "runtime_runs_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "runtime_agents" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_runtime_runs" ("agentId", "cpuSeconds", "createdAt", "endedAt", "exitCode", "id", "maxMemMb", "reason", "startedAt", "status") SELECT "agentId", "cpuSeconds", "createdAt", "endedAt", "exitCode", "id", "maxMemMb", "reason", "startedAt", "status" FROM "runtime_runs";
+DROP TABLE "runtime_runs";
+ALTER TABLE "new_runtime_runs" RENAME TO "runtime_runs";
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

package/prisma/migrations/20250820160424_task005_demo_tags/migration.sql

@@ -0,0 +1,26 @@
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_runtime_agents" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "name" TEXT NOT NULL,
+    "language" TEXT NOT NULL,
+    "sourceType" TEXT NOT NULL DEFAULT 'ZIP',
+    "sourceUri" TEXT,
+    "entrypoint" TEXT NOT NULL,
+    "env" JSONB NOT NULL,
+    "limitsCpu" REAL,
+    "limitsMemMb" INTEGER,
+    "networkMode" TEXT NOT NULL DEFAULT 'NONE',
+    "status" TEXT NOT NULL DEFAULT 'READY',
+    "maxRestarts" INTEGER NOT NULL DEFAULT 2,
+    "restartBackoffMs" INTEGER NOT NULL DEFAULT 5000,
+    "tags" JSONB NOT NULL DEFAULT [],
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL
+);
+INSERT INTO "new_runtime_agents" ("createdAt", "entrypoint", "env", "id", "language", "limitsCpu", "limitsMemMb", "maxRestarts", "name", "networkMode", "restartBackoffMs", "sourceType", "sourceUri", "status", "updatedAt") SELECT "createdAt", "entrypoint", "env", "id", "language", "limitsCpu", "limitsMemMb", "maxRestarts", "name", "networkMode", "restartBackoffMs", "sourceType", "sourceUri", "status", "updatedAt" FROM "runtime_agents";
+DROP TABLE "runtime_agents";
+ALTER TABLE "new_runtime_agents" RENAME TO "runtime_agents";
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

package/prisma/migrations/20250820162446_task006_trigger_tracking/migration.sql

@@ -0,0 +1,24 @@
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_runtime_runs" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "agentId" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'QUEUED',
+    "startedAt" DATETIME,
+    "endedAt" DATETIME,
+    "exitCode" INTEGER,
+    "reason" TEXT,
+    "cpuSeconds" REAL,
+    "maxMemMb" INTEGER,
+    "restarts" INTEGER NOT NULL DEFAULT 0,
+    "lastSampleAt" DATETIME,
+    "triggeredBy" TEXT NOT NULL DEFAULT 'MANUAL',
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    CONSTRAINT "runtime_runs_agentId_fkey" FOREIGN KEY ("agentId") REFERENCES "runtime_agents" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_runtime_runs" ("agentId", "cpuSeconds", "createdAt", "endedAt", "exitCode", "id", "lastSampleAt", "maxMemMb", "reason", "restarts", "startedAt", "status") SELECT "agentId", "cpuSeconds", "createdAt", "endedAt", "exitCode", "id", "lastSampleAt", "maxMemMb", "reason", "restarts", "startedAt", "status" FROM "runtime_runs";
+DROP TABLE "runtime_runs";
+ALTER TABLE "new_runtime_runs" RENAME TO "runtime_runs";
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;

package/prisma/migrations/migration_lock.toml

@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (e.g., Git)
+provider = "postgresql"

package/prisma/schema.prisma

@@ -0,0 +1,469 @@
+// This is your Prisma schema file,
+// learn more about it in the docs: https://pris.ly/d/prisma-schema
+
+generator client {
+  provider      = "prisma-client-js"
+  binaryTargets = ["native", "linux-musl-openssl-3.0.x", "linux-musl"]
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+model Agent {
+  id         String   @id @default(uuid())
+  name       String
+  role       String
+  createdBy  String
+  publicKey  String
+  status     String   @default("active")
+  createdAt  DateTime @default(now())
+  tokens     Token[]
+  requestLogs RequestLog[]
+  policies   Policy[]
+  policyLogs PolicyLog[]
+  tokenRegistries TokenRegistry[]
+}
+
+model Token {
+  id         String   @id @default(uuid())
+  agentId    String
+  agent      Agent    @relation(fields: [agentId], references: [id])
+  encrypted  String
+  expiresAt  DateTime
+  revoked    Boolean  @default(false)
+  createdAt  DateTime @default(now())
+}
+
+model RequestLog {
+  id           String   @id @default(uuid())
+  agentId      String
+  agent        Agent    @relation(fields: [agentId], references: [id])
+  tool         String
+  action       String
+  responseTime Int      // milliseconds
+  statusCode   Int
+  success      Boolean
+  createdAt    DateTime @default(now())
+}
+
+model Policy {
+  id          String   @id @default(uuid())
+  name        String
+  description String?
+  agentId     String?  // null for role-based policies
+  role        String?  // null for agent-specific policies
+  spec        String   // JSON policy specification
+  specHash    String   // SHA256 hash of spec for change detection
+  active      Boolean  @default(true)
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+  agent       Agent?   @relation(fields: [agentId], references: [id])
+  policyLogs  PolicyLog[]
+  quotaCounters QuotaCounter[]
+}
+
+model PolicyLog {
+  id          String   @id @default(uuid())
+  policyId    String
+  agentId     String
+  tool        String
+  action      String
+  decision    String   // "allow", "deny"
+  reason      String?  // denial reason
+  requestData String?  // JSON request data (truncated)
+  responseData String? // JSON response data (truncated)
+  createdAt   DateTime @default(now())
+  policy      Policy   @relation(fields: [policyId], references: [id])
+  agent       Agent    @relation(fields: [agentId], references: [id])
+}
+
+model QuotaCounter {
+  id          String   @id @default(uuid())
+  policyId    String
+  quotaKey    String   // e.g., "serpapi:search:2024-01-15"
+  current     Int      @default(0)
+  resetAt     DateTime
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+  policy      Policy   @relation(fields: [policyId], references: [id])
+}
+
+model ToolCredential {
+  id          String   @id @default(uuid())
+  tool        String   // e.g., "serpapi", "openai", "gmail_send"
+  version     String   // e.g., "v1", "v2"
+  isActive    Boolean  @default(false)
+  encryptedCredential String // Encrypted credential data
+  metadata    String?  // JSON metadata (encrypted)
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+  activatedAt DateTime?
+  deactivatedAt DateTime?
+  
+  @@unique([tool, version])
+}
+
+model TokenRegistry {
+  id          String   @id @default(uuid())
+  tokenId     String   @unique // The token ID issued to the agent
+  agentId     String
+  payloadHash String   // SHA256 hash of the token payload
+  issuedAt    DateTime @default(now())
+  expiresAt   DateTime
+  isRevoked   Boolean  @default(false)
+  revokedAt   DateTime?
+  agent       Agent    @relation(fields: [agentId], references: [id])
+}
+
+// ====== AI AGENT RUNTIME MODELS (TASK-001) ======
+
+model RuntimeAgent {
+  id           String   @id @default(uuid())
+  name         String
+  language     AgentLanguage
+  sourceType   SourceType   @default(ZIP) // ZIP | GIT (ZIP for MVP)
+  sourceUri    String?      // path to extracted zip in local FS (MVP)
+  entrypoint   String       // index.js | main.py
+  env          Json         // non-secret env vars (secrets via Gateway only)
+  limitsCpu    Float?       // e.g. 0.5
+  limitsMemMb  Int?         // e.g. 256
+  networkMode  NetworkMode  @default(NONE) // NONE | EGRESS (via Gateway proxy only)
+  status       AgentStatus  @default(READY)
+  // NEW: restart policy & limits
+  maxRestarts  Int      @default(2)  // per run
+  restartBackoffMs Int  @default(5000)
+  // NEW: tags for demo functionality (JSON array for SQLite compatibility)
+  tags         Json     @default("[]")
+  createdAt    DateTime     @default(now())
+  updatedAt    DateTime     @updatedAt
+
+  runs         RuntimeRun[]
+  schedules    RuntimeSchedule[]
+
+  @@map("runtime_agents")
+}
+
+model RuntimeRun {
+  id          String    @id @default(uuid())
+  agentId     String
+  agent       RuntimeAgent @relation(fields: [agentId], references: [id], onDelete: Cascade)
+  status      RunStatus @default(QUEUED)  // QUEUED | RUNNING | SUCCEEDED | FAILED | KILLED
+  startedAt   DateTime?
+  endedAt     DateTime?
+  exitCode    Int?
+  reason      String?        // containerId or failure reason
+  // NEW: restart policy & limits
+  cpuSeconds  Float?         // cumulative seconds
+  maxMemMb    Int?           // peak RSS MB
+  restarts    Int            @default(0)
+  lastSampleAt DateTime?     // last stats collection time
+  // NEW: trigger tracking
+  triggeredBy TriggerType    @default(MANUAL)
+  // (optional) logsPtr for future
+  createdAt   DateTime  @default(now())
+
+  @@map("runtime_runs")
+}
+
+model RuntimeSchedule {
+  id        String   @id @default(uuid())
+  agentId   String
+  agent     RuntimeAgent @relation(fields: [agentId], references: [id], onDelete: Cascade)
+  cronExpr  String
+  enabled   Boolean  @default(true)
+  lastRunAt DateTime?
+  nextRunAt DateTime?
+  createdAt DateTime @default(now())
+
+  @@map("runtime_schedules")
+}
+
+enum AgentLanguage {
+  NODE
+  PYTHON
+}
+
+enum SourceType {
+  ZIP
+  GIT
+}
+
+enum NetworkMode {
+  NONE
+  EGRESS
+}
+
+enum AgentStatus {
+  READY
+  ERROR
+  DISABLED
+}
+
+enum RunStatus {
+  CREATED
+  QUEUED
+  RUNNING
+  COMPLETED
+  FAILED
+  KILLED
+  SUCCEEDED // Alias for COMPLETED (keeping for RuntimeRun compatibility)
+}
+
+enum TriggerType {
+  MANUAL
+  SCHEDULE
+}
+
+// ====== GATEWAY RUNS MODELS ======
+
+model Run {
+  id           String   @id @default(uuid())
+  name         String
+  status       RunStatus @default(CREATED)
+  input        Json?    // JSON input payload
+  output       Json?    // JSON output payload
+  logs         Json     @default("[]") // Array of log entries
+  clientToken  String?  @unique // Idempotency token from client
+  tags         String[] @default([])
+  startedAt    DateTime?
+  completedAt  DateTime?
+  createdAt    DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+
+  @@map("runs")
+  @@index([status])
+  @@index([clientToken])
+  @@index([createdAt])
+}
+
+model ApiKey {
+  id        String   @id @default(cuid())
+  key       String   @unique // Hashed or opaque token
+  label     String?
+  revoked   Boolean  @default(false)
+  userId    String?  // Link to user if applicable
+  user      User?    @relation(fields: [userId], references: [id], onDelete: Cascade)
+  createdAt DateTime @default(now())
+  revokedAt DateTime?
+
+  @@map("api_keys")
+  @@index([key])
+  @@index([userId])
+}
+
+// ====== RBAC MODELS ======
+
+model User {
+  id        String   @id @default(uuid())
+  email     String   @unique
+  username  String   @unique
+  passwordHash String? // Optional - can use external auth
+  status    UserStatus @default(ACTIVE)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  lastLoginAt DateTime?
+
+  // MFA fields
+  mfaEnabled Boolean  @default(false)
+  mfaSecret  String? // TOTP secret (encrypted)
+  mfaBackupCodes String[] @default([]) // Encrypted backup codes
+  mfaVerifiedAt DateTime? // When MFA was last verified
+
+  // Relations
+  roles     UserRole[]
+  apiKeys   ApiKey[]
+  sessions  UserSession[]
+
+  @@map("users")
+  @@index([email])
+  @@index([username])
+  @@index([status])
+}
+
+model Role {
+  id          String   @id @default(uuid())
+  name        String   @unique
+  description String?
+  isSystem    Boolean  @default(false) // System roles cannot be deleted
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+
+  // Relations
+  users       UserRole[]
+  permissions RolePermission[]
+
+  @@map("roles")
+  @@index([name])
+}
+
+model Permission {
+  id          String   @id @default(uuid())
+  resource    String   // e.g., "runs", "agents", "users"
+  action      String   // e.g., "create", "read", "update", "delete", "execute"
+  description String?
+  createdAt   DateTime @default(now())
+
+  // Relations
+  roles       RolePermission[]
+
+  @@unique([resource, action])
+  @@map("permissions")
+  @@index([resource])
+  @@index([action])
+}
+
+model UserRole {
+  id        String   @id @default(uuid())
+  userId    String
+  roleId    String
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  role      Role     @relation(fields: [roleId], references: [id], onDelete: Cascade)
+  assignedAt DateTime @default(now())
+  assignedBy String? // User ID who assigned this role
+
+  @@unique([userId, roleId])
+  @@map("user_roles")
+  @@index([userId])
+  @@index([roleId])
+}
+
+model RolePermission {
+  id          String   @id @default(uuid())
+  roleId      String
+  permissionId String
+  role        Role     @relation(fields: [roleId], references: [id], onDelete: Cascade)
+  permission  Permission @relation(fields: [permissionId], references: [id], onDelete: Cascade)
+  grantedAt   DateTime @default(now())
+  grantedBy   String? // User ID who granted this permission
+
+  @@unique([roleId, permissionId])
+  @@map("role_permissions")
+  @@index([roleId])
+  @@index([permissionId])
+}
+
+model UserSession {
+  id        String   @id @default(uuid())
+  userId    String
+  user      User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  token     String   @unique // JWT or session token
+  ipAddress String?
+  userAgent String?
+  expiresAt DateTime
+  createdAt DateTime @default(now())
+  lastActivityAt DateTime @default(now())
+
+  @@map("user_sessions")
+  @@index([userId])
+  @@index([token])
+  @@index([expiresAt])
+}
+
+enum UserStatus {
+  ACTIVE
+  INACTIVE
+  SUSPENDED
+  DELETED
+}
+
+// ====== IDEMPOTENCY & CACHE MODELS ======
+
+model IdempotencyToken {
+  id        String   @id @default(uuid())
+  token     String   @unique
+  runId     String?  // Reference to Run if applicable
+  response  Json?    // Cached response
+  expiresAt DateTime
+  createdAt DateTime @default(now())
+
+  @@map("idempotency_tokens")
+  @@index([token])
+  @@index([expiresAt])
+}
+
+model CacheEntry {
+  id        String   @id @default(uuid())
+  key       String   @unique
+  value     Json
+  expiresAt DateTime?
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  @@map("cache_entries")
+  @@index([key])
+  @@index([expiresAt])
+}
+
+// ====== CHAT HISTORY MODELS ======
+
+model ChatHistory {
+  id              String   @id @default(uuid())
+  clientId        String   // Client identifier (e.g., machine ID, user ID)
+  agentName       String
+  agentDescription String?
+  messages        Json     // Array of { role: 'user' | 'assistant', content: string }
+  createdAt       DateTime @default(now())
+  lastMessageAt   DateTime @default(now())
+  updatedAt       DateTime @updatedAt
+
+  @@map("chat_history")
+  @@index([clientId])
+  @@index([clientId, lastMessageAt])
+}
+
+// ====== DEVKIT AGENT & TOOL MANAGEMENT ======
+
+model DevKitAgent {
+  id          String   @id @default(uuid())
+  name        String
+  slug        String   @unique
+  description String?
+  type        String   // lead_agent, education_agent, custom, etc.
+  model       String   // gpt-4, claude-3, etc.
+  config      Json     @default("{}") // { prompt, temperature, maxTokens, etc. }
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+
+  // Relations
+  tools       DevKitAgentTool[]
+
+  @@map("devkit_agents")
+  @@index([slug])
+  @@index([type])
+}
+
+model DevKitTool {
+  id        String   @id @default(uuid())
+  name      String
+  kind      String   // http, email, vector, database, etc.
+  config    Json     @default("{}") // Flexible config per kind
+  enabled   Boolean  @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Relations
+  agents    DevKitAgentTool[]
+
+  @@map("devkit_tools")
+  @@index([kind])
+  @@index([enabled])
+}
+
+model DevKitAgentTool {
+  id             String   @id @default(uuid())
+  agentId        String
+  toolId         String
+  configOverride Json?    // Optional per-agent tool configuration
+  createdAt      DateTime @default(now())
+
+  // Relations
+  agent          DevKitAgent @relation(fields: [agentId], references: [id], onDelete: Cascade)
+  tool           DevKitTool  @relation(fields: [toolId], references: [id], onDelete: Cascade)
+
+  @@unique([agentId, toolId])
+  @@map("devkit_agent_tools")
+  @@index([agentId])
+  @@index([toolId])
+}

package/scripts/postinstall-gateway.js

@@ -20,8 +20,31 @@ if (!fs.existsSync(packageJson)) {
   process.exit(0); // No gateway in this install
 }
 
+const prismaSchema = path.join(__dirname, '..', 'prisma', 'schema.prisma');
+
+function ensurePrismaClient() {
+  if (!fs.existsSync(prismaSchema)) {
+    return;
+  }
+  try {
+    console.log('🔧 Prisma: generating client for Gateway (global 4runr-os install)...');
+    execSync('npx prisma generate --schema=../../prisma/schema.prisma', {
+      cwd: gatewayDir,
+      stdio: 'inherit',
+      shell: process.platform === 'win32',
+    });
+    console.log('✓ Prisma client ready for Gateway');
+  } catch (err) {
+    console.warn(
+      '⚠️  prisma generate failed. OS auto-start Gateway may fail until you run:\n' +
+        '  cd apps/gateway && npx prisma generate --schema=../../prisma/schema.prisma',
+    );
+  }
+}
+
 if (fs.existsSync(nodeModules) && fs.readdirSync(nodeModules).length > 0) {
-  process.exit(0); // Already has deps (e.g. from prepublish)
+  ensurePrismaClient();
+  process.exit(0); // Deps already present (e.g. from prepublish) — still (re)generate Prisma
 }
 
 try {
@@ -36,3 +59,5 @@ try {
   console.warn('⚠️  Gateway dependency install failed. Start gateway from repo with: cd apps/gateway && npm start');
   // Don't fail the main install
 }
+
+ensurePrismaClient();