npm - @agentlensai/server - Versions diffs - 0.11.0 → 0.13.0 - Mend

@agentlensai/server 0.11.0 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (633) hide show

package/LICENSE +21 -0
package/dist/cloud/auth/rbac.d.ts +1 -1
package/dist/cloud/auth/rbac.d.ts.map +1 -1
package/dist/cloud/auth/rbac.js +2 -2
package/dist/cloud/auth/rbac.js.map +1 -1
package/dist/cloud/billing/stripe-client.d.ts.map +1 -1
package/dist/cloud/billing/stripe-client.js +6 -1
package/dist/cloud/billing/stripe-client.js.map +1 -1
package/dist/cloud/ingestion/gateway.d.ts.map +1 -1
package/dist/cloud/ingestion/gateway.js +0 -1
package/dist/cloud/ingestion/gateway.js.map +1 -1
package/dist/cloud/middleware/validate-org-access.d.ts +14 -0
package/dist/cloud/middleware/validate-org-access.d.ts.map +1 -0
package/dist/cloud/middleware/validate-org-access.js +38 -0
package/dist/cloud/middleware/validate-org-access.js.map +1 -0
package/dist/cloud/routes/index.d.ts +13 -0
package/dist/cloud/routes/index.d.ts.map +1 -0
package/dist/cloud/routes/index.js +98 -0
package/dist/cloud/routes/index.js.map +1 -0
package/dist/config.d.ts +33 -1
package/dist/config.d.ts.map +1 -1
package/dist/config.js +71 -1
package/dist/config.js.map +1 -1
package/dist/db/api-key-lookup.d.ts +25 -0
package/dist/db/api-key-lookup.d.ts.map +1 -0
package/dist/db/api-key-lookup.js +38 -0
package/dist/db/api-key-lookup.js.map +1 -0
package/dist/db/connection.postgres.d.ts +44 -0
package/dist/db/connection.postgres.d.ts.map +1 -0
package/dist/db/connection.postgres.js +79 -0
package/dist/db/connection.postgres.js.map +1 -0
package/dist/db/cost-budget-store.d.ts +30 -0
package/dist/db/cost-budget-store.d.ts.map +1 -0
package/dist/db/cost-budget-store.js +201 -0
package/dist/db/cost-budget-store.js.map +1 -0
package/dist/db/drizzle/0000_initial.sql +336 -0
package/dist/db/drizzle/0001_indexes.sql +20 -0
package/dist/db/drizzle/0002_pgvector.sql +19 -0
package/dist/db/drizzle/drizzle/0000_initial.sql +336 -0
package/dist/db/drizzle/drizzle/0001_indexes.sql +20 -0
package/dist/db/drizzle/drizzle/0002_pgvector.sql +19 -0
package/dist/db/drizzle/drizzle/meta/0000_snapshot.json +2593 -0
package/dist/db/drizzle/drizzle/meta/_journal.json +27 -0
package/dist/db/drizzle/meta/0000_snapshot.json +2593 -0
package/dist/db/drizzle/meta/_journal.json +27 -0
package/dist/db/embedding-store.d.ts +2 -1
package/dist/db/embedding-store.d.ts.map +1 -1
package/dist/db/embedding-store.interface.d.ts +19 -0
package/dist/db/embedding-store.interface.d.ts.map +1 -0
package/dist/db/embedding-store.interface.js +7 -0
package/dist/db/embedding-store.interface.js.map +1 -0
package/dist/db/embedding-store.js +3 -1
package/dist/db/embedding-store.js.map +1 -1
package/dist/db/eval-store.d.ts +88 -0
package/dist/db/eval-store.d.ts.map +1 -0
package/dist/db/eval-store.js +408 -0
package/dist/db/eval-store.js.map +1 -0
package/dist/db/guardrail-store.d.ts +9 -0
package/dist/db/guardrail-store.d.ts.map +1 -1
package/dist/db/guardrail-store.js +57 -3
package/dist/db/guardrail-store.js.map +1 -1
package/dist/db/index.d.ts +7 -0
package/dist/db/index.d.ts.map +1 -1
package/dist/db/index.js +4 -12
package/dist/db/index.js.map +1 -1
package/dist/db/migrate.d.ts +5 -22
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +7 -637
package/dist/db/migrate.js.map +1 -1
package/dist/db/migrate.postgres.d.ts +16 -0
package/dist/db/migrate.postgres.d.ts.map +1 -0
package/dist/db/migrate.postgres.js +23 -0
package/dist/db/migrate.postgres.js.map +1 -0
package/dist/db/migrate.sqlite.d.ts +26 -0
package/dist/db/migrate.sqlite.d.ts.map +1 -0
package/dist/db/migrate.sqlite.js +920 -0
package/dist/db/migrate.sqlite.js.map +1 -0
package/dist/db/postgres-embedding-store.d.ts +23 -0
package/dist/db/postgres-embedding-store.d.ts.map +1 -0
package/dist/db/postgres-embedding-store.js +218 -0
package/dist/db/postgres-embedding-store.js.map +1 -0
package/dist/db/postgres-store.d.ts +80 -0
package/dist/db/postgres-store.d.ts.map +1 -0
package/dist/db/postgres-store.js +910 -0
package/dist/db/postgres-store.js.map +1 -0
package/dist/db/prompt-store.d.ts +57 -0
package/dist/db/prompt-store.d.ts.map +1 -0
package/dist/db/prompt-store.js +300 -0
package/dist/db/prompt-store.js.map +1 -0
package/dist/db/repositories/agent-repository.d.ts +21 -0
package/dist/db/repositories/agent-repository.d.ts.map +1 -0
package/dist/db/repositories/agent-repository.js +142 -0
package/dist/db/repositories/agent-repository.js.map +1 -0
package/dist/db/repositories/alert-repository.d.ts +27 -0
package/dist/db/repositories/alert-repository.d.ts.map +1 -0
package/dist/db/repositories/alert-repository.js +164 -0
package/dist/db/repositories/alert-repository.js.map +1 -0
package/dist/db/repositories/analytics-repository.d.ts +24 -0
package/dist/db/repositories/analytics-repository.d.ts.map +1 -0
package/dist/db/repositories/analytics-repository.js +147 -0
package/dist/db/repositories/analytics-repository.js.map +1 -0
package/dist/db/repositories/event-repository.d.ts +81 -0
package/dist/db/repositories/event-repository.d.ts.map +1 -0
package/dist/db/repositories/event-repository.js +331 -0
package/dist/db/repositories/event-repository.js.map +1 -0
package/dist/db/repositories/notification-channel-repository.d.ts +28 -0
package/dist/db/repositories/notification-channel-repository.d.ts.map +1 -0
package/dist/db/repositories/notification-channel-repository.js +151 -0
package/dist/db/repositories/notification-channel-repository.js.map +1 -0
package/dist/db/repositories/session-repository.d.ts +26 -0
package/dist/db/repositories/session-repository.d.ts.map +1 -0
package/dist/db/repositories/session-repository.js +240 -0
package/dist/db/repositories/session-repository.js.map +1 -0
package/dist/db/schema.postgres.d.ts +4681 -0
package/dist/db/schema.postgres.d.ts.map +1 -0
package/dist/db/schema.postgres.js +458 -0
package/dist/db/schema.postgres.js.map +1 -0
package/dist/db/schema.sqlite.d.ts +2221 -671
package/dist/db/schema.sqlite.d.ts.map +1 -1
package/dist/db/schema.sqlite.js +137 -2
package/dist/db/schema.sqlite.js.map +1 -1
package/dist/db/services/retention-service.d.ts +13 -0
package/dist/db/services/retention-service.d.ts.map +1 -0
package/dist/db/services/retention-service.js +48 -0
package/dist/db/services/retention-service.js.map +1 -0
package/dist/db/shared/query-helpers.d.ts +32 -0
package/dist/db/shared/query-helpers.d.ts.map +1 -0
package/dist/db/shared/query-helpers.js +180 -0
package/dist/db/shared/query-helpers.js.map +1 -0
package/dist/db/sqlite-store.d.ts +48 -55
package/dist/db/sqlite-store.d.ts.map +1 -1
package/dist/db/sqlite-store.js +78 -945
package/dist/db/sqlite-store.js.map +1 -1
package/dist/db/tenant-scoped-store.d.ts +18 -1
package/dist/db/tenant-scoped-store.d.ts.map +1 -1
package/dist/db/tenant-scoped-store.js +6 -0
package/dist/db/tenant-scoped-store.js.map +1 -1
package/dist/index.d.ts +28 -14
package/dist/index.d.ts.map +1 -1
package/dist/index.js +432 -97
package/dist/index.js.map +1 -1
package/dist/lib/alert-engine.d.ts +10 -0
package/dist/lib/alert-engine.d.ts.map +1 -1
package/dist/lib/alert-engine.js +73 -20
package/dist/lib/alert-engine.js.map +1 -1
package/dist/lib/audit-verify.d.ts +40 -0
package/dist/lib/audit-verify.d.ts.map +1 -0
package/dist/lib/audit-verify.js +128 -0
package/dist/lib/audit-verify.js.map +1 -0
package/dist/lib/audit.d.ts +37 -0
package/dist/lib/audit.d.ts.map +1 -0
package/dist/lib/audit.js +59 -0
package/dist/lib/audit.js.map +1 -0
package/dist/lib/budget-engine.d.ts +26 -0
package/dist/lib/budget-engine.d.ts.map +1 -0
package/dist/lib/budget-engine.js +201 -0
package/dist/lib/budget-engine.js.map +1 -0
package/dist/lib/compliance-export.d.ts +41 -0
package/dist/lib/compliance-export.d.ts.map +1 -0
package/dist/lib/compliance-export.js +124 -0
package/dist/lib/compliance-export.js.map +1 -0
package/dist/lib/compliance-report.d.ts +87 -0
package/dist/lib/compliance-report.d.ts.map +1 -0
package/dist/lib/compliance-report.js +148 -0
package/dist/lib/compliance-report.js.map +1 -0
package/dist/lib/context/retrieval.d.ts +5 -3
package/dist/lib/context/retrieval.d.ts.map +1 -1
package/dist/lib/context/retrieval.js +5 -2
package/dist/lib/context/retrieval.js.map +1 -1
package/dist/lib/cost-anomaly-detector.d.ts +23 -0
package/dist/lib/cost-anomaly-detector.d.ts.map +1 -0
package/dist/lib/cost-anomaly-detector.js +108 -0
package/dist/lib/cost-anomaly-detector.js.map +1 -0
package/dist/lib/db-resilience.d.ts +15 -0
package/dist/lib/db-resilience.d.ts.map +1 -0
package/dist/lib/db-resilience.js +49 -0
package/dist/lib/db-resilience.js.map +1 -0
package/dist/lib/diagnostics/cache.d.ts +29 -0
package/dist/lib/diagnostics/cache.d.ts.map +1 -0
package/dist/lib/diagnostics/cache.js +88 -0
package/dist/lib/diagnostics/cache.js.map +1 -0
package/dist/lib/diagnostics/context-builder.d.ts +41 -0
package/dist/lib/diagnostics/context-builder.d.ts.map +1 -0
package/dist/lib/diagnostics/context-builder.js +135 -0
package/dist/lib/diagnostics/context-builder.js.map +1 -0
package/dist/lib/diagnostics/index.d.ts +34 -0
package/dist/lib/diagnostics/index.d.ts.map +1 -0
package/dist/lib/diagnostics/index.js +223 -0
package/dist/lib/diagnostics/index.js.map +1 -0
package/dist/lib/diagnostics/llm-client.d.ts +24 -0
package/dist/lib/diagnostics/llm-client.d.ts.map +1 -0
package/dist/lib/diagnostics/llm-client.js +42 -0
package/dist/lib/diagnostics/llm-client.js.map +1 -0
package/dist/lib/diagnostics/prompt-templates.d.ts +18 -0
package/dist/lib/diagnostics/prompt-templates.d.ts.map +1 -0
package/dist/lib/diagnostics/prompt-templates.js +144 -0
package/dist/lib/diagnostics/prompt-templates.js.map +1 -0
package/dist/lib/diagnostics/providers/anthropic.d.ts +8 -0
package/dist/lib/diagnostics/providers/anthropic.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/anthropic.js +79 -0
package/dist/lib/diagnostics/providers/anthropic.js.map +1 -0
package/dist/lib/diagnostics/providers/openai.d.ts +8 -0
package/dist/lib/diagnostics/providers/openai.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/openai.js +70 -0
package/dist/lib/diagnostics/providers/openai.js.map +1 -0
package/dist/lib/diagnostics/providers/types.d.ts +23 -0
package/dist/lib/diagnostics/providers/types.d.ts.map +1 -0
package/dist/lib/diagnostics/providers/types.js +5 -0
package/dist/lib/diagnostics/providers/types.js.map +1 -0
package/dist/lib/diagnostics/response-parser.d.ts +60 -0
package/dist/lib/diagnostics/response-parser.d.ts.map +1 -0
package/dist/lib/diagnostics/response-parser.js +55 -0
package/dist/lib/diagnostics/response-parser.js.map +1 -0
package/dist/lib/diagnostics/types.d.ts +60 -0
package/dist/lib/diagnostics/types.d.ts.map +1 -0
package/dist/lib/diagnostics/types.js +7 -0
package/dist/lib/diagnostics/types.js.map +1 -0
package/dist/lib/embeddings/index.d.ts +6 -3
package/dist/lib/embeddings/index.d.ts.map +1 -1
package/dist/lib/embeddings/index.js +7 -15
package/dist/lib/embeddings/index.js.map +1 -1
package/dist/lib/embeddings/worker.d.ts +2 -2
package/dist/lib/embeddings/worker.d.ts.map +1 -1
package/dist/lib/embeddings/worker.js +3 -1
package/dist/lib/embeddings/worker.js.map +1 -1
package/dist/lib/error-sanitizer.d.ts +28 -0
package/dist/lib/error-sanitizer.d.ts.map +1 -0
package/dist/lib/error-sanitizer.js +106 -0
package/dist/lib/error-sanitizer.js.map +1 -0
package/dist/lib/eval/index.d.ts +15 -0
package/dist/lib/eval/index.d.ts.map +1 -0
package/dist/lib/eval/index.js +24 -0
package/dist/lib/eval/index.js.map +1 -0
package/dist/lib/eval/runner.d.ts +28 -0
package/dist/lib/eval/runner.d.ts.map +1 -0
package/dist/lib/eval/runner.js +260 -0
package/dist/lib/eval/runner.js.map +1 -0
package/dist/lib/eval/scorers/contains.d.ts +10 -0
package/dist/lib/eval/scorers/contains.d.ts.map +1 -0
package/dist/lib/eval/scorers/contains.js +33 -0
package/dist/lib/eval/scorers/contains.js.map +1 -0
package/dist/lib/eval/scorers/exact-match.d.ts +10 -0
package/dist/lib/eval/scorers/exact-match.d.ts.map +1 -0
package/dist/lib/eval/scorers/exact-match.js +33 -0
package/dist/lib/eval/scorers/exact-match.js.map +1 -0
package/dist/lib/eval/scorers/index.d.ts +20 -0
package/dist/lib/eval/scorers/index.d.ts.map +1 -0
package/dist/lib/eval/scorers/index.js +19 -0
package/dist/lib/eval/scorers/index.js.map +1 -0
package/dist/lib/eval/scorers/llm-judge.d.ts +22 -0
package/dist/lib/eval/scorers/llm-judge.d.ts.map +1 -0
package/dist/lib/eval/scorers/llm-judge.js +79 -0
package/dist/lib/eval/scorers/llm-judge.js.map +1 -0
package/dist/lib/eval/scorers/regex.d.ts +10 -0
package/dist/lib/eval/scorers/regex.d.ts.map +1 -0
package/dist/lib/eval/scorers/regex.js +36 -0
package/dist/lib/eval/scorers/regex.js.map +1 -0
package/dist/lib/guardrails/actions.d.ts +6 -0
package/dist/lib/guardrails/actions.d.ts.map +1 -1
package/dist/lib/guardrails/actions.js +82 -0
package/dist/lib/guardrails/actions.js.map +1 -1
package/dist/lib/guardrails/conditions.d.ts +47 -0
package/dist/lib/guardrails/conditions.d.ts.map +1 -1
package/dist/lib/guardrails/conditions.js +55 -10
package/dist/lib/guardrails/conditions.js.map +1 -1
package/dist/lib/guardrails/content-engine.d.ts +19 -0
package/dist/lib/guardrails/content-engine.d.ts.map +1 -0
package/dist/lib/guardrails/content-engine.js +154 -0
package/dist/lib/guardrails/content-engine.js.map +1 -0
package/dist/lib/guardrails/engine.d.ts +33 -0
package/dist/lib/guardrails/engine.d.ts.map +1 -1
package/dist/lib/guardrails/engine.js +37 -2
package/dist/lib/guardrails/engine.js.map +1 -1
package/dist/lib/guardrails/scanners/base-scanner.d.ts +23 -0
package/dist/lib/guardrails/scanners/base-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/base-scanner.js +7 -0
package/dist/lib/guardrails/scanners/base-scanner.js.map +1 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.d.ts +13 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.js +49 -0
package/dist/lib/guardrails/scanners/patterns/pii-patterns.js.map +1 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.d.ts +6 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.js +69 -0
package/dist/lib/guardrails/scanners/patterns/secret-patterns.js.map +1 -0
package/dist/lib/guardrails/scanners/pii-scanner.d.ts +10 -0
package/dist/lib/guardrails/scanners/pii-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/pii-scanner.js +57 -0
package/dist/lib/guardrails/scanners/pii-scanner.js.map +1 -0
package/dist/lib/guardrails/scanners/scanner-registry.d.ts +14 -0
package/dist/lib/guardrails/scanners/scanner-registry.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/scanner-registry.js +51 -0
package/dist/lib/guardrails/scanners/scanner-registry.js.map +1 -0
package/dist/lib/guardrails/scanners/secrets-scanner.d.ts +9 -0
package/dist/lib/guardrails/scanners/secrets-scanner.d.ts.map +1 -0
package/dist/lib/guardrails/scanners/secrets-scanner.js +47 -0
package/dist/lib/guardrails/scanners/secrets-scanner.js.map +1 -0
package/dist/lib/logger.d.ts +8 -0
package/dist/lib/logger.d.ts.map +1 -0
package/dist/lib/logger.js +31 -0
package/dist/lib/logger.js.map +1 -0
package/dist/lib/lore-client.d.ts +128 -0
package/dist/lib/lore-client.d.ts.map +1 -0
package/dist/lib/lore-client.js +188 -0
package/dist/lib/lore-client.js.map +1 -0
package/dist/lib/mesh-client.d.ts +31 -0
package/dist/lib/mesh-client.d.ts.map +1 -0
package/dist/lib/mesh-client.js +72 -0
package/dist/lib/mesh-client.js.map +1 -0
package/dist/lib/notifications/grouping-buffer.d.ts +25 -0
package/dist/lib/notifications/grouping-buffer.d.ts.map +1 -0
package/dist/lib/notifications/grouping-buffer.js +73 -0
package/dist/lib/notifications/grouping-buffer.js.map +1 -0
package/dist/lib/notifications/provider.d.ts +10 -0
package/dist/lib/notifications/provider.d.ts.map +1 -0
package/dist/lib/notifications/provider.js +5 -0
package/dist/lib/notifications/provider.js.map +1 -0
package/dist/lib/notifications/providers/email.d.ts +14 -0
package/dist/lib/notifications/providers/email.d.ts.map +1 -0
package/dist/lib/notifications/providers/email.js +88 -0
package/dist/lib/notifications/providers/email.js.map +1 -0
package/dist/lib/notifications/providers/pagerduty.d.ts +16 -0
package/dist/lib/notifications/providers/pagerduty.d.ts.map +1 -0
package/dist/lib/notifications/providers/pagerduty.js +94 -0
package/dist/lib/notifications/providers/pagerduty.js.map +1 -0
package/dist/lib/notifications/providers/slack.d.ts +14 -0
package/dist/lib/notifications/providers/slack.d.ts.map +1 -0
package/dist/lib/notifications/providers/slack.js +106 -0
package/dist/lib/notifications/providers/slack.js.map +1 -0
package/dist/lib/notifications/providers/webhook.d.ts +16 -0
package/dist/lib/notifications/providers/webhook.d.ts.map +1 -0
package/dist/lib/notifications/providers/webhook.js +78 -0
package/dist/lib/notifications/providers/webhook.js.map +1 -0
package/dist/lib/notifications/router.d.ts +30 -0
package/dist/lib/notifications/router.d.ts.map +1 -0
package/dist/lib/notifications/router.js +137 -0
package/dist/lib/notifications/router.js.map +1 -0
package/dist/lib/notifications/ssrf.d.ts +13 -0
package/dist/lib/notifications/ssrf.d.ts.map +1 -0
package/dist/lib/notifications/ssrf.js +37 -0
package/dist/lib/notifications/ssrf.js.map +1 -0
package/dist/lib/optimization/analyzers/model-downgrade.d.ts +15 -0
package/dist/lib/optimization/analyzers/model-downgrade.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/model-downgrade.js +58 -0
package/dist/lib/optimization/analyzers/model-downgrade.js.map +1 -0
package/dist/lib/optimization/analyzers/prompt-optimization.d.ts +17 -0
package/dist/lib/optimization/analyzers/prompt-optimization.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/prompt-optimization.js +160 -0
package/dist/lib/optimization/analyzers/prompt-optimization.js.map +1 -0
package/dist/lib/optimization/analyzers/types.d.ts +23 -0
package/dist/lib/optimization/analyzers/types.d.ts.map +1 -0
package/dist/lib/optimization/analyzers/types.js +5 -0
package/dist/lib/optimization/analyzers/types.js.map +1 -0
package/dist/lib/optimization/classifier.d.ts +4 -3
package/dist/lib/optimization/classifier.d.ts.map +1 -1
package/dist/lib/optimization/classifier.js +15 -9
package/dist/lib/optimization/classifier.js.map +1 -1
package/dist/lib/optimization/cost-optimizer.d.ts +21 -0
package/dist/lib/optimization/cost-optimizer.d.ts.map +1 -0
package/dist/lib/optimization/cost-optimizer.js +114 -0
package/dist/lib/optimization/cost-optimizer.js.map +1 -0
package/dist/lib/optimization/engine.d.ts.map +1 -1
package/dist/lib/optimization/engine.js +45 -6
package/dist/lib/optimization/engine.js.map +1 -1
package/dist/lib/optimization/forecast.d.ts +39 -0
package/dist/lib/optimization/forecast.d.ts.map +1 -0
package/dist/lib/optimization/forecast.js +128 -0
package/dist/lib/optimization/forecast.js.map +1 -0
package/dist/lib/secrets.d.ts +30 -0
package/dist/lib/secrets.d.ts.map +1 -0
package/dist/lib/secrets.js +103 -0
package/dist/lib/secrets.js.map +1 -0
package/dist/lib/threshold-monitor.d.ts +53 -0
package/dist/lib/threshold-monitor.d.ts.map +1 -0
package/dist/lib/threshold-monitor.js +112 -0
package/dist/lib/threshold-monitor.js.map +1 -0
package/dist/middleware/audit.d.ts +16 -0
package/dist/middleware/audit.d.ts.map +1 -0
package/dist/middleware/audit.js +16 -0
package/dist/middleware/audit.js.map +1 -0
package/dist/middleware/auth-errors.d.ts +67 -0
package/dist/middleware/auth-errors.d.ts.map +1 -0
package/dist/middleware/auth-errors.js +84 -0
package/dist/middleware/auth-errors.js.map +1 -0
package/dist/middleware/auth.d.ts +5 -2
package/dist/middleware/auth.d.ts.map +1 -1
package/dist/middleware/auth.js +44 -17
package/dist/middleware/auth.js.map +1 -1
package/dist/middleware/body-limit.d.ts +9 -0
package/dist/middleware/body-limit.d.ts.map +1 -0
package/dist/middleware/body-limit.js +15 -0
package/dist/middleware/body-limit.js.map +1 -0
package/dist/middleware/cors-config.d.ts +30 -0
package/dist/middleware/cors-config.d.ts.map +1 -0
package/dist/middleware/cors-config.js +55 -0
package/dist/middleware/cors-config.js.map +1 -0
package/dist/middleware/rate-limit.d.ts +9 -0
package/dist/middleware/rate-limit.d.ts.map +1 -0
package/dist/middleware/rate-limit.js +56 -0
package/dist/middleware/rate-limit.js.map +1 -0
package/dist/middleware/rbac.d.ts +30 -0
package/dist/middleware/rbac.d.ts.map +1 -0
package/dist/middleware/rbac.js +87 -0
package/dist/middleware/rbac.js.map +1 -0
package/dist/middleware/security-headers.d.ts +12 -0
package/dist/middleware/security-headers.d.ts.map +1 -0
package/dist/middleware/security-headers.js +57 -0
package/dist/middleware/security-headers.js.map +1 -0
package/dist/middleware/unified-auth.d.ts +49 -0
package/dist/middleware/unified-auth.d.ts.map +1 -0
package/dist/middleware/unified-auth.js +246 -0
package/dist/middleware/unified-auth.js.map +1 -0
package/dist/middleware/validation.d.ts +31 -0
package/dist/middleware/validation.d.ts.map +1 -0
package/dist/middleware/validation.js +45 -0
package/dist/middleware/validation.js.map +1 -0
package/dist/routes/alerts.d.ts.map +1 -1
package/dist/routes/alerts.js +4 -3
package/dist/routes/alerts.js.map +1 -1
package/dist/routes/analytics.d.ts +2 -1
package/dist/routes/analytics.d.ts.map +1 -1
package/dist/routes/analytics.js +175 -95
package/dist/routes/analytics.js.map +1 -1
package/dist/routes/api-keys.d.ts +5 -0
package/dist/routes/api-keys.d.ts.map +1 -1
package/dist/routes/api-keys.js +89 -8
package/dist/routes/api-keys.js.map +1 -1
package/dist/routes/audit-verify.d.ts +12 -0
package/dist/routes/audit-verify.d.ts.map +1 -0
package/dist/routes/audit-verify.js +73 -0
package/dist/routes/audit-verify.js.map +1 -0
package/dist/routes/audit.d.ts +4 -6
package/dist/routes/audit.d.ts.map +1 -1
package/dist/routes/audit.js +54 -157
package/dist/routes/audit.js.map +1 -1
package/dist/routes/auth.d.ts +21 -0
package/dist/routes/auth.d.ts.map +1 -0
package/dist/routes/auth.js +235 -0
package/dist/routes/auth.js.map +1 -0
package/dist/routes/benchmarks.d.ts.map +1 -1
package/dist/routes/benchmarks.js +63 -11
package/dist/routes/benchmarks.js.map +1 -1
package/dist/routes/capabilities-top.d.ts.map +1 -1
package/dist/routes/capabilities-top.js +1 -4
package/dist/routes/capabilities-top.js.map +1 -1
package/dist/routes/capabilities.d.ts.map +1 -1
package/dist/routes/capabilities.js +1 -7
package/dist/routes/capabilities.js.map +1 -1
package/dist/routes/compliance.d.ts +17 -0
package/dist/routes/compliance.d.ts.map +1 -0
package/dist/routes/compliance.js +151 -0
package/dist/routes/compliance.js.map +1 -0
package/dist/routes/config.d.ts +1 -13
package/dist/routes/config.d.ts.map +1 -1
package/dist/routes/context.d.ts.map +1 -1
package/dist/routes/context.js +6 -5
package/dist/routes/context.js.map +1 -1
package/dist/routes/cost-budgets.d.ts +20 -0
package/dist/routes/cost-budgets.d.ts.map +1 -0
package/dist/routes/cost-budgets.js +194 -0
package/dist/routes/cost-budgets.js.map +1 -0
package/dist/routes/delegation.d.ts.map +1 -1
package/dist/routes/delegation.js +67 -41
package/dist/routes/delegation.js.map +1 -1
package/dist/routes/delegations-top.d.ts.map +1 -1
package/dist/routes/delegations-top.js +1 -3
package/dist/routes/delegations-top.js.map +1 -1
package/dist/routes/diagnose.d.ts +16 -0
package/dist/routes/diagnose.d.ts.map +1 -0
package/dist/routes/diagnose.js +82 -0
package/dist/routes/diagnose.js.map +1 -0
package/dist/routes/discovery.d.ts.map +1 -1
package/dist/routes/discovery.js +50 -38
package/dist/routes/discovery.js.map +1 -1
package/dist/routes/eval.d.ts +24 -0
package/dist/routes/eval.d.ts.map +1 -0
package/dist/routes/eval.js +281 -0
package/dist/routes/eval.js.map +1 -0
package/dist/routes/events.d.ts.map +1 -1
package/dist/routes/events.js +11 -6
package/dist/routes/events.js.map +1 -1
package/dist/routes/guardrails.d.ts +2 -1
package/dist/routes/guardrails.d.ts.map +1 -1
package/dist/routes/guardrails.js +85 -14
package/dist/routes/guardrails.js.map +1 -1
package/dist/routes/health.d.ts +14 -11
package/dist/routes/health.d.ts.map +1 -1
package/dist/routes/health.js +181 -61
package/dist/routes/health.js.map +1 -1
package/dist/routes/lore-proxy.d.ts +13 -0
package/dist/routes/lore-proxy.d.ts.map +1 -0
package/dist/routes/lore-proxy.js +229 -0
package/dist/routes/lore-proxy.js.map +1 -0
package/dist/routes/mesh-proxy.d.ts +7 -0
package/dist/routes/mesh-proxy.d.ts.map +1 -0
package/dist/routes/mesh-proxy.js +94 -0
package/dist/routes/mesh-proxy.js.map +1 -0
package/dist/routes/notifications.d.ts +19 -0
package/dist/routes/notifications.d.ts.map +1 -0
package/dist/routes/notifications.js +129 -0
package/dist/routes/notifications.js.map +1 -0
package/dist/routes/optimize.d.ts.map +1 -1
package/dist/routes/optimize.js +44 -0
package/dist/routes/optimize.js.map +1 -1
package/dist/routes/otlp.d.ts +17 -0
package/dist/routes/otlp.d.ts.map +1 -0
package/dist/routes/otlp.js +544 -0
package/dist/routes/otlp.js.map +1 -0
package/dist/routes/prompts.d.ts +21 -0
package/dist/routes/prompts.d.ts.map +1 -0
package/dist/routes/prompts.js +173 -0
package/dist/routes/prompts.js.map +1 -0
package/dist/routes/recall.d.ts.map +1 -1
package/dist/routes/recall.js +6 -4
package/dist/routes/recall.js.map +1 -1
package/dist/routes/replay.d.ts.map +1 -1
package/dist/routes/replay.js +2 -1
package/dist/routes/replay.js.map +1 -1
package/dist/routes/server-info.d.ts +9 -0
package/dist/routes/server-info.d.ts.map +1 -0
package/dist/routes/server-info.js +18 -0
package/dist/routes/server-info.js.map +1 -0
package/dist/routes/sessions.d.ts +7 -7
package/dist/routes/sessions.d.ts.map +1 -1
package/dist/routes/sessions.js +112 -35
package/dist/routes/sessions.js.map +1 -1
package/dist/routes/stats.d.ts.map +1 -1
package/dist/routes/stats.js +40 -0
package/dist/routes/stats.js.map +1 -1
package/dist/routes/stream.d.ts +2 -2
package/dist/routes/stream.d.ts.map +1 -1
package/dist/routes/stream.js +7 -11
package/dist/routes/stream.js.map +1 -1
package/dist/routes/tenant-helper.d.ts +15 -10
package/dist/routes/tenant-helper.d.ts.map +1 -1
package/dist/routes/tenant-helper.js +36 -22
package/dist/routes/tenant-helper.js.map +1 -1
package/dist/routes/trust.d.ts.map +1 -1
package/dist/routes/trust.js +1 -3
package/dist/routes/trust.js.map +1 -1
package/dist/schemas/api-keys.d.ts +11 -0
package/dist/schemas/api-keys.d.ts.map +1 -0
package/dist/schemas/api-keys.js +10 -0
package/dist/schemas/api-keys.js.map +1 -0
package/dist/schemas/common.d.ts +34 -0
package/dist/schemas/common.d.ts.map +1 -0
package/dist/schemas/common.js +43 -0
package/dist/schemas/common.js.map +1 -0
package/dist/schemas/delegation.d.ts +23 -0
package/dist/schemas/delegation.d.ts.map +1 -0
package/dist/schemas/delegation.js +22 -0
package/dist/schemas/delegation.js.map +1 -0
package/dist/schemas/discovery.d.ts +17 -0
package/dist/schemas/discovery.d.ts.map +1 -0
package/dist/schemas/discovery.js +15 -0
package/dist/schemas/discovery.js.map +1 -0
package/dist/schemas/health.d.ts +75 -0
package/dist/schemas/health.d.ts.map +1 -0
package/dist/schemas/health.js +55 -0
package/dist/schemas/health.js.map +1 -0
package/dist/schemas/index.d.ts +6 -0
package/dist/schemas/index.d.ts.map +1 -0
package/dist/schemas/index.js +6 -0
package/dist/schemas/index.js.map +1 -0
package/dist/schemas/sessions.d.ts +67 -0
package/dist/schemas/sessions.d.ts.map +1 -0
package/dist/schemas/sessions.js +58 -0
package/dist/schemas/sessions.js.map +1 -0
package/dist/services/delegation-service.d.ts +1 -4
package/dist/services/delegation-service.d.ts.map +1 -1
package/dist/services/delegation-service.js +5 -31
package/dist/services/delegation-service.js.map +1 -1
package/package.json +29 -19
package/dist/db/lesson-store.d.ts +0 -57
package/dist/db/lesson-store.d.ts.map +0 -1
package/dist/db/lesson-store.js +0 -217
package/dist/db/lesson-store.js.map +0 -1
package/dist/lib/embeddings/local.d.ts +0 -15
package/dist/lib/embeddings/local.d.ts.map +0 -1
package/dist/lib/embeddings/local.js +0 -65
package/dist/lib/embeddings/local.js.map +0 -1
package/dist/lib/redaction/human-review-layer.d.ts +0 -37
package/dist/lib/redaction/human-review-layer.d.ts.map +0 -1
package/dist/lib/redaction/human-review-layer.js +0 -62
package/dist/lib/redaction/human-review-layer.js.map +0 -1
package/dist/lib/redaction/index.d.ts +0 -12
package/dist/lib/redaction/index.d.ts.map +0 -1
package/dist/lib/redaction/index.js +0 -12
package/dist/lib/redaction/index.js.map +0 -1
package/dist/lib/redaction/pii-detection-layer.d.ts +0 -30
package/dist/lib/redaction/pii-detection-layer.d.ts.map +0 -1
package/dist/lib/redaction/pii-detection-layer.js +0 -183
package/dist/lib/redaction/pii-detection-layer.js.map +0 -1
package/dist/lib/redaction/pipeline.d.ts +0 -26
package/dist/lib/redaction/pipeline.d.ts.map +0 -1
package/dist/lib/redaction/pipeline.js +0 -91
package/dist/lib/redaction/pipeline.js.map +0 -1
package/dist/lib/redaction/secret-detection-layer.d.ts +0 -10
package/dist/lib/redaction/secret-detection-layer.d.ts.map +0 -1
package/dist/lib/redaction/secret-detection-layer.js +0 -79
package/dist/lib/redaction/secret-detection-layer.js.map +0 -1
package/dist/lib/redaction/secret-patterns.d.ts +0 -29
package/dist/lib/redaction/secret-patterns.d.ts.map +0 -1
package/dist/lib/redaction/secret-patterns.js +0 -133
package/dist/lib/redaction/secret-patterns.js.map +0 -1
package/dist/lib/redaction/semantic-denylist-layer.d.ts +0 -10
package/dist/lib/redaction/semantic-denylist-layer.d.ts.map +0 -1
package/dist/lib/redaction/semantic-denylist-layer.js +0 -64
package/dist/lib/redaction/semantic-denylist-layer.js.map +0 -1
package/dist/lib/redaction/tenant-deidentification-layer.d.ts +0 -10
package/dist/lib/redaction/tenant-deidentification-layer.d.ts.map +0 -1
package/dist/lib/redaction/tenant-deidentification-layer.js +0 -64
package/dist/lib/redaction/tenant-deidentification-layer.js.map +0 -1
package/dist/lib/redaction/url-path-scrubbing-layer.d.ts +0 -14
package/dist/lib/redaction/url-path-scrubbing-layer.d.ts.map +0 -1
package/dist/lib/redaction/url-path-scrubbing-layer.js +0 -156
package/dist/lib/redaction/url-path-scrubbing-layer.js.map +0 -1
package/dist/routes/community.d.ts +0 -24
package/dist/routes/community.d.ts.map +0 -1
package/dist/routes/community.js +0 -272
package/dist/routes/community.js.map +0 -1
package/dist/routes/lessons.d.ts +0 -19
package/dist/routes/lessons.d.ts.map +0 -1
package/dist/routes/lessons.js +0 -164
package/dist/routes/lessons.js.map +0 -1
package/dist/routes/redaction-test.d.ts +0 -14
package/dist/routes/redaction-test.d.ts.map +0 -1
package/dist/routes/redaction-test.js +0 -33
package/dist/routes/redaction-test.js.map +0 -1
package/dist/services/community-service.d.ts +0 -283
package/dist/services/community-service.d.ts.map +0 -1
package/dist/services/community-service.js +0 -816
package/dist/services/community-service.js.map +0 -1

package/dist/db/migrate.sqlite.js ADDED Viewed

@@ -0,0 +1,920 @@
+/**
+ * Database migration runner.
+ *
+ * For SQLite, uses Drizzle's push-based approach to create/update tables
+ * on first start. For production, Drizzle Kit migrations can be used.
+ */
+import { sql } from 'drizzle-orm';
+/**
+ * Run migrations: create all tables and indexes if they don't exist.
+ *
+ * Uses CREATE TABLE IF NOT EXISTS for idempotent startup.
+ * This approach is simpler than file-based migrations for an
+ * embedded SQLite database that auto-creates on first start.
+ */
+export function runMigrations(db) {
+    // Create all tables using raw SQL for CREATE IF NOT EXISTS
+    // Drizzle doesn't have a built-in "push" that works at runtime,
+    // so we use the schema definitions to generate DDL.
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS events (
+      id TEXT PRIMARY KEY,
+      timestamp TEXT NOT NULL,
+      session_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      event_type TEXT NOT NULL,
+      severity TEXT NOT NULL DEFAULT 'info',
+      payload TEXT NOT NULL,
+      metadata TEXT NOT NULL DEFAULT '{}',
+      prev_hash TEXT,
+      hash TEXT NOT NULL
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS sessions (
+      id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      agent_name TEXT,
+      started_at TEXT NOT NULL,
+      ended_at TEXT,
+      status TEXT NOT NULL DEFAULT 'active',
+      event_count INTEGER NOT NULL DEFAULT 0,
+      tool_call_count INTEGER NOT NULL DEFAULT 0,
+      error_count INTEGER NOT NULL DEFAULT 0,
+      total_cost_usd REAL NOT NULL DEFAULT 0,
+      llm_call_count INTEGER NOT NULL DEFAULT 0,
+      total_input_tokens INTEGER NOT NULL DEFAULT 0,
+      total_output_tokens INTEGER NOT NULL DEFAULT 0,
+      tags TEXT NOT NULL DEFAULT '[]',
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      PRIMARY KEY (id, tenant_id)
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS agents (
+      id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      description TEXT,
+      first_seen_at TEXT NOT NULL,
+      last_seen_at TEXT NOT NULL,
+      session_count INTEGER NOT NULL DEFAULT 0,
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      PRIMARY KEY (id, tenant_id)
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS alert_rules (
+      id TEXT PRIMARY KEY,
+      name TEXT NOT NULL,
+      enabled INTEGER NOT NULL DEFAULT 1,
+      condition TEXT NOT NULL,
+      threshold REAL NOT NULL,
+      window_minutes INTEGER NOT NULL,
+      scope TEXT NOT NULL DEFAULT '{}',
+      notify_channels TEXT NOT NULL DEFAULT '[]',
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS alert_history (
+      id TEXT PRIMARY KEY,
+      rule_id TEXT NOT NULL REFERENCES alert_rules(id),
+      triggered_at TEXT NOT NULL,
+      resolved_at TEXT,
+      current_value REAL NOT NULL,
+      threshold REAL NOT NULL,
+      message TEXT NOT NULL
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS api_keys (
+      id TEXT PRIMARY KEY,
+      key_hash TEXT NOT NULL,
+      name TEXT NOT NULL,
+      scopes TEXT NOT NULL,
+      created_at INTEGER NOT NULL,
+      last_used_at INTEGER,
+      revoked_at INTEGER,
+      rate_limit INTEGER
+    )
+  `);
+    // Create indexes (IF NOT EXISTS)
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_timestamp ON events(timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_session_id ON events(session_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_agent_id ON events(agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_type ON events(event_type)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_session_ts ON events(session_id, timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_agent_type_ts ON events(agent_id, event_type, timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_agent_id ON sessions(agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_started_at ON sessions(started_at)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_status ON sessions(status)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_api_keys_hash ON api_keys(key_hash)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_alert_history_rule_id ON alert_history(rule_id)`);
+    // ─── Migrations for existing databases ──────────────────
+    // Add LLM tracking columns to sessions (v0.3.0)
+    // SQLite doesn't support ADD COLUMN IF NOT EXISTS, so we check first
+    const sessionColumns = db.all(sql `PRAGMA table_info(sessions)`);
+    const sessionColumnNames = new Set(sessionColumns.map((c) => c.name));
+    if (!sessionColumnNames.has('llm_call_count')) {
+        db.run(sql `ALTER TABLE sessions ADD COLUMN llm_call_count INTEGER NOT NULL DEFAULT 0`);
+    }
+    if (!sessionColumnNames.has('total_input_tokens')) {
+        db.run(sql `ALTER TABLE sessions ADD COLUMN total_input_tokens INTEGER NOT NULL DEFAULT 0`);
+    }
+    if (!sessionColumnNames.has('total_output_tokens')) {
+        db.run(sql `ALTER TABLE sessions ADD COLUMN total_output_tokens INTEGER NOT NULL DEFAULT 0`);
+    }
+    // ─── Tenant isolation migration (Epic 1) ──────────────────
+    // Add tenant_id to all data tables for multi-tenant support
+    // api_keys.tenant_id
+    const apiKeyColumns = db.all(sql `PRAGMA table_info(api_keys)`);
+    const apiKeyColumnNames = new Set(apiKeyColumns.map((c) => c.name));
+    if (!apiKeyColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE api_keys ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    if (!apiKeyColumnNames.has('created_by')) {
+        db.run(sql `ALTER TABLE api_keys ADD COLUMN created_by TEXT REFERENCES users(id)`);
+    }
+    if (!apiKeyColumnNames.has('role')) {
+        db.run(sql `ALTER TABLE api_keys ADD COLUMN role TEXT NOT NULL DEFAULT 'editor'`);
+    }
+    // events.tenant_id
+    const eventColumns = db.all(sql `PRAGMA table_info(events)`);
+    const eventColumnNames = new Set(eventColumns.map((c) => c.name));
+    if (!eventColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE events ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    // sessions.tenant_id
+    if (!sessionColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE sessions ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    // agents.tenant_id
+    const agentColumns = db.all(sql `PRAGMA table_info(agents)`);
+    const agentColumnNames = new Set(agentColumns.map((c) => c.name));
+    if (!agentColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE agents ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    // alert_rules.tenant_id
+    const alertRuleColumns = db.all(sql `PRAGMA table_info(alert_rules)`);
+    const alertRuleColumnNames = new Set(alertRuleColumns.map((c) => c.name));
+    if (!alertRuleColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE alert_rules ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    // alert_history.tenant_id
+    const alertHistoryColumns = db.all(sql `PRAGMA table_info(alert_history)`);
+    const alertHistoryColumnNames = new Set(alertHistoryColumns.map((c) => c.name));
+    if (!alertHistoryColumnNames.has('tenant_id')) {
+        db.run(sql `ALTER TABLE alert_history ADD COLUMN tenant_id TEXT NOT NULL DEFAULT 'default'`);
+    }
+    // Tenant isolation indexes
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_tenant_id ON events(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_tenant_session ON events(tenant_id, session_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_events_tenant_agent_ts ON events(tenant_id, agent_id, timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_tenant_id ON sessions(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_tenant_agent ON sessions(tenant_id, agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sessions_tenant_started ON sessions(tenant_id, started_at)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_agents_tenant_id ON agents(tenant_id)`);
+    // ─── Embeddings table (Epic 2 — Story 2.2) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS embeddings (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      source_type TEXT NOT NULL,
+      source_id TEXT NOT NULL,
+      content_hash TEXT NOT NULL,
+      text_content TEXT NOT NULL,
+      embedding BLOB NOT NULL,
+      embedding_model TEXT NOT NULL,
+      dimensions INTEGER NOT NULL,
+      created_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_embeddings_tenant ON embeddings(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_embeddings_source ON embeddings(source_type, source_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_embeddings_content_hash ON embeddings(tenant_id, content_hash)`);
+    // ─── Session Summaries table (Epic 2 — Story 2.2) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS session_summaries (
+      session_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      summary TEXT NOT NULL,
+      topics TEXT NOT NULL DEFAULT '[]',
+      tool_sequence TEXT NOT NULL DEFAULT '[]',
+      error_summary TEXT,
+      outcome TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      PRIMARY KEY (session_id, tenant_id)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_session_summaries_tenant ON session_summaries(tenant_id)`);
+    // ─── Composite PK migration (CRITICAL-2) ──────────────────
+    // SQLite doesn't support ALTER TABLE to change PKs, so we recreate
+    // tables with composite PKs (id, tenant_id) for tenant isolation.
+    // Check if sessions table still has single-column PK
+    // by looking at the CREATE TABLE statement
+    const sessionsSchema = db.get(sql `SELECT sql FROM sqlite_master WHERE type='table' AND name='sessions'`);
+    if (sessionsSchema && sessionsSchema.sql.includes('id TEXT PRIMARY KEY')) {
+        // Drop old indexes that reference sessions (they'll be recreated)
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_agent_id`);
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_started_at`);
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_status`);
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_tenant_id`);
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_tenant_agent`);
+        db.run(sql `DROP INDEX IF EXISTS idx_sessions_tenant_started`);
+        db.run(sql `
+      CREATE TABLE sessions_new (
+        id TEXT NOT NULL,
+        agent_id TEXT NOT NULL,
+        agent_name TEXT,
+        started_at TEXT NOT NULL,
+        ended_at TEXT,
+        status TEXT NOT NULL DEFAULT 'active',
+        event_count INTEGER NOT NULL DEFAULT 0,
+        tool_call_count INTEGER NOT NULL DEFAULT 0,
+        error_count INTEGER NOT NULL DEFAULT 0,
+        total_cost_usd REAL NOT NULL DEFAULT 0,
+        llm_call_count INTEGER NOT NULL DEFAULT 0,
+        total_input_tokens INTEGER NOT NULL DEFAULT 0,
+        total_output_tokens INTEGER NOT NULL DEFAULT 0,
+        tags TEXT NOT NULL DEFAULT '[]',
+        tenant_id TEXT NOT NULL DEFAULT 'default',
+        PRIMARY KEY (id, tenant_id)
+      )
+    `);
+        db.run(sql `
+      INSERT INTO sessions_new
+        SELECT id, agent_id, agent_name, started_at, ended_at, status,
+               event_count, tool_call_count, error_count, total_cost_usd,
+               llm_call_count, total_input_tokens, total_output_tokens,
+               tags, tenant_id
+        FROM sessions
+    `);
+        db.run(sql `DROP TABLE sessions`);
+        db.run(sql `ALTER TABLE sessions_new RENAME TO sessions`);
+        // Recreate indexes
+        db.run(sql `CREATE INDEX idx_sessions_agent_id ON sessions(agent_id)`);
+        db.run(sql `CREATE INDEX idx_sessions_started_at ON sessions(started_at)`);
+        db.run(sql `CREATE INDEX idx_sessions_status ON sessions(status)`);
+        db.run(sql `CREATE INDEX idx_sessions_tenant_id ON sessions(tenant_id)`);
+        db.run(sql `CREATE INDEX idx_sessions_tenant_agent ON sessions(tenant_id, agent_id)`);
+        db.run(sql `CREATE INDEX idx_sessions_tenant_started ON sessions(tenant_id, started_at)`);
+    }
+    // Check if agents table still has single-column PK
+    const agentsSchema = db.get(sql `SELECT sql FROM sqlite_master WHERE type='table' AND name='agents'`);
+    if (agentsSchema && agentsSchema.sql.includes('id TEXT PRIMARY KEY')) {
+        db.run(sql `DROP INDEX IF EXISTS idx_agents_tenant_id`);
+        db.run(sql `
+      CREATE TABLE agents_new (
+        id TEXT NOT NULL,
+        name TEXT NOT NULL,
+        description TEXT,
+        first_seen_at TEXT NOT NULL,
+        last_seen_at TEXT NOT NULL,
+        session_count INTEGER NOT NULL DEFAULT 0,
+        tenant_id TEXT NOT NULL DEFAULT 'default',
+        PRIMARY KEY (id, tenant_id)
+      )
+    `);
+        db.run(sql `
+      INSERT INTO agents_new
+        SELECT id, name, description, first_seen_at, last_seen_at,
+               session_count, tenant_id
+        FROM agents
+    `);
+        db.run(sql `DROP TABLE agents`);
+        db.run(sql `ALTER TABLE agents_new RENAME TO agents`);
+        db.run(sql `CREATE INDEX idx_agents_tenant_id ON agents(tenant_id)`);
+    }
+    // ─── Lessons table (Epic 3) ──────────────────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS lessons (
+      id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT,
+      category TEXT NOT NULL DEFAULT 'general',
+      title TEXT NOT NULL,
+      content TEXT NOT NULL,
+      context TEXT NOT NULL DEFAULT '{}',
+      importance TEXT NOT NULL DEFAULT 'normal',
+      source_session_id TEXT,
+      source_event_id TEXT,
+      access_count INTEGER NOT NULL DEFAULT 0,
+      last_accessed_at TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      archived_at TEXT,
+      PRIMARY KEY (id, tenant_id)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_lessons_tenant ON lessons(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_lessons_tenant_agent ON lessons(tenant_id, agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_lessons_tenant_category ON lessons(tenant_id, category)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_lessons_tenant_importance ON lessons(tenant_id, importance)`);
+    // ─── Lessons PK migration (H5) ──────────────────────────
+    // Migrate existing lessons tables from single-column PK to composite PK
+    const lessonsSchema = db.get(sql `SELECT sql FROM sqlite_master WHERE type='table' AND name='lessons'`);
+    if (lessonsSchema && lessonsSchema.sql.includes('id TEXT PRIMARY KEY')) {
+        db.run(sql `DROP INDEX IF EXISTS idx_lessons_tenant`);
+        db.run(sql `DROP INDEX IF EXISTS idx_lessons_tenant_agent`);
+        db.run(sql `DROP INDEX IF EXISTS idx_lessons_tenant_category`);
+        db.run(sql `DROP INDEX IF EXISTS idx_lessons_tenant_importance`);
+        db.run(sql `
+      CREATE TABLE lessons_new (
+        id TEXT NOT NULL,
+        tenant_id TEXT NOT NULL,
+        agent_id TEXT,
+        category TEXT NOT NULL DEFAULT 'general',
+        title TEXT NOT NULL,
+        content TEXT NOT NULL,
+        context TEXT NOT NULL DEFAULT '{}',
+        importance TEXT NOT NULL DEFAULT 'normal',
+        source_session_id TEXT,
+        source_event_id TEXT,
+        access_count INTEGER NOT NULL DEFAULT 0,
+        last_accessed_at TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL,
+        archived_at TEXT,
+        PRIMARY KEY (id, tenant_id)
+      )
+    `);
+        db.run(sql `
+      INSERT INTO lessons_new
+        SELECT id, tenant_id, agent_id, category, title, content, context,
+               importance, source_session_id, source_event_id, access_count,
+               last_accessed_at, created_at, updated_at, archived_at
+        FROM lessons
+    `);
+        db.run(sql `DROP TABLE lessons`);
+        db.run(sql `ALTER TABLE lessons_new RENAME TO lessons`);
+        db.run(sql `CREATE INDEX idx_lessons_tenant ON lessons(tenant_id)`);
+        db.run(sql `CREATE INDEX idx_lessons_tenant_agent ON lessons(tenant_id, agent_id)`);
+        db.run(sql `CREATE INDEX idx_lessons_tenant_category ON lessons(tenant_id, category)`);
+        db.run(sql `CREATE INDEX idx_lessons_tenant_importance ON lessons(tenant_id, importance)`);
+    }
+    // ─── Composite index for similarity search (M6) ──────────────────
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_embeddings_tenant_source_time ON embeddings(tenant_id, source_type, created_at)`);
+    // ─── Health Snapshots table (Epic 6 — Story 1.3) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS health_snapshots (
+      id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      date TEXT NOT NULL,
+      overall_score REAL NOT NULL,
+      error_rate_score REAL NOT NULL,
+      cost_efficiency_score REAL NOT NULL,
+      tool_success_score REAL NOT NULL,
+      latency_score REAL NOT NULL,
+      completion_rate_score REAL NOT NULL,
+      session_count INTEGER NOT NULL,
+      created_at TEXT NOT NULL,
+      PRIMARY KEY (tenant_id, agent_id, date)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_health_snapshots_agent ON health_snapshots(tenant_id, agent_id, date DESC)`);
+    // ─── Benchmark tables (v0.7.0 — Story 1.3) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS benchmarks (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      description TEXT,
+      status TEXT NOT NULL DEFAULT 'draft',
+      agent_id TEXT,
+      metrics TEXT NOT NULL DEFAULT '[]',
+      min_sessions_per_variant INTEGER NOT NULL DEFAULT 10,
+      time_range_from TEXT,
+      time_range_to TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      completed_at TEXT
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS benchmark_variants (
+      id TEXT PRIMARY KEY,
+      benchmark_id TEXT NOT NULL REFERENCES benchmarks(id) ON DELETE CASCADE,
+      tenant_id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      description TEXT,
+      tag TEXT NOT NULL,
+      agent_id TEXT,
+      sort_order INTEGER NOT NULL DEFAULT 0
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS benchmark_results (
+      id TEXT PRIMARY KEY,
+      benchmark_id TEXT NOT NULL REFERENCES benchmarks(id) ON DELETE CASCADE,
+      tenant_id TEXT NOT NULL,
+      variant_metrics TEXT NOT NULL DEFAULT '[]',
+      comparisons TEXT NOT NULL DEFAULT '[]',
+      summary TEXT,
+      computed_at TEXT NOT NULL
+    )
+  `);
+    // Benchmark indexes
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmarks_tenant_id ON benchmarks(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmarks_tenant_status ON benchmarks(tenant_id, status)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmark_variants_benchmark_id ON benchmark_variants(benchmark_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmark_variants_tenant_tag ON benchmark_variants(tenant_id, tag)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmark_results_benchmark_id ON benchmark_results(benchmark_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_benchmark_results_tenant_id ON benchmark_results(tenant_id)`);
+    // ─── Guardrail tables (v0.8.0 — Phase 3) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS guardrail_rules (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      description TEXT,
+      enabled INTEGER NOT NULL DEFAULT 1,
+      condition_type TEXT NOT NULL,
+      condition_config TEXT NOT NULL DEFAULT '{}',
+      action_type TEXT NOT NULL,
+      action_config TEXT NOT NULL DEFAULT '{}',
+      agent_id TEXT,
+      cooldown_minutes INTEGER NOT NULL DEFAULT 15,
+      dry_run INTEGER NOT NULL DEFAULT 0,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS guardrail_state (
+      rule_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      last_triggered_at TEXT,
+      trigger_count INTEGER NOT NULL DEFAULT 0,
+      last_evaluated_at TEXT,
+      current_value REAL,
+      PRIMARY KEY (rule_id, tenant_id)
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS guardrail_trigger_history (
+      id TEXT PRIMARY KEY,
+      rule_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      triggered_at TEXT NOT NULL,
+      condition_value REAL NOT NULL,
+      condition_threshold REAL NOT NULL,
+      action_executed INTEGER NOT NULL DEFAULT 0,
+      action_result TEXT,
+      metadata TEXT NOT NULL DEFAULT '{}'
+    )
+  `);
+    // Guardrail indexes
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_guardrail_rules_tenant ON guardrail_rules(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_guardrail_rules_tenant_enabled ON guardrail_rules(tenant_id, enabled)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_guardrail_state_tenant ON guardrail_state(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_guardrail_trigger_history_tenant ON guardrail_trigger_history(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_guardrail_trigger_history_rule ON guardrail_trigger_history(rule_id, triggered_at)`);
+    // ─── Feature 8: Content guardrail columns ──────────────────
+    const grColsF8 = db.all(sql `PRAGMA table_info(guardrail_rules)`);
+    const grColNamesF8 = new Set(grColsF8.map((c) => c.name));
+    if (!grColNamesF8.has('direction')) {
+        db.run(sql `ALTER TABLE guardrail_rules ADD COLUMN direction TEXT DEFAULT 'both'`);
+    }
+    if (!grColNamesF8.has('tool_names')) {
+        db.run(sql `ALTER TABLE guardrail_rules ADD COLUMN tool_names TEXT`);
+    }
+    if (!grColNamesF8.has('priority')) {
+        db.run(sql `ALTER TABLE guardrail_rules ADD COLUMN priority INTEGER DEFAULT 0`);
+    }
+    // ─── Agent model override & pause columns (B1 — Story 1.2) ──────
+    // Idempotent: only adds columns if they don't already exist
+    const agentColsB1 = db.all(sql `PRAGMA table_info(agents)`);
+    const agentColNamesB1 = new Set(agentColsB1.map((c) => c.name));
+    if (!agentColNamesB1.has('model_override')) {
+        db.run(sql `ALTER TABLE agents ADD COLUMN model_override TEXT`);
+    }
+    if (!agentColNamesB1.has('paused_at')) {
+        db.run(sql `ALTER TABLE agents ADD COLUMN paused_at TEXT`);
+    }
+    if (!agentColNamesB1.has('pause_reason')) {
+        db.run(sql `ALTER TABLE agents ADD COLUMN pause_reason TEXT`);
+    }
+    // Partial index for finding paused agents efficiently
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_agents_paused ON agents(tenant_id, paused_at) WHERE paused_at IS NOT NULL`);
+    // ─── Phase 4: Sharing & Discovery tables (Stories 1.3) ──────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS sharing_config (
+      tenant_id TEXT PRIMARY KEY,
+      enabled INTEGER NOT NULL DEFAULT 0,
+      human_review_enabled INTEGER NOT NULL DEFAULT 0,
+      pool_endpoint TEXT,
+      anonymous_contributor_id TEXT,
+      purge_token TEXT,
+      rate_limit_per_hour INTEGER NOT NULL DEFAULT 50,
+      volume_alert_threshold INTEGER NOT NULL DEFAULT 100,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS agent_sharing_config (
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      enabled INTEGER NOT NULL DEFAULT 0,
+      categories TEXT NOT NULL DEFAULT '[]',
+      updated_at TEXT NOT NULL,
+      PRIMARY KEY (tenant_id, agent_id)
+    )
+  `);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS deny_list_rules (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      pattern TEXT NOT NULL,
+      is_regex INTEGER NOT NULL DEFAULT 0,
+      reason TEXT NOT NULL,
+      created_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_deny_list_rules_tenant ON deny_list_rules(tenant_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS sharing_audit_log (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      event_type TEXT NOT NULL,
+      lesson_id TEXT,
+      anonymous_lesson_id TEXT,
+      lesson_hash TEXT,
+      redaction_findings TEXT,
+      query_text TEXT,
+      result_ids TEXT,
+      pool_endpoint TEXT,
+      initiated_by TEXT,
+      timestamp TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sharing_audit_tenant_ts ON sharing_audit_log(tenant_id, timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_sharing_audit_type ON sharing_audit_log(tenant_id, event_type)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS sharing_review_queue (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      lesson_id TEXT NOT NULL,
+      original_title TEXT NOT NULL,
+      original_content TEXT NOT NULL,
+      redacted_title TEXT NOT NULL,
+      redacted_content TEXT NOT NULL,
+      redaction_findings TEXT NOT NULL,
+      status TEXT NOT NULL DEFAULT 'pending',
+      reviewed_by TEXT,
+      reviewed_at TEXT,
+      created_at TEXT NOT NULL,
+      expires_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_review_queue_tenant_status ON sharing_review_queue(tenant_id, status)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS anonymous_id_map (
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      anonymous_agent_id TEXT NOT NULL,
+      valid_from TEXT NOT NULL,
+      valid_until TEXT NOT NULL,
+      PRIMARY KEY (tenant_id, agent_id, valid_from)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_anon_map_anon_id ON anonymous_id_map(anonymous_agent_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS capability_registry (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      task_type TEXT NOT NULL,
+      custom_type TEXT,
+      input_schema TEXT NOT NULL,
+      output_schema TEXT NOT NULL,
+      quality_metrics TEXT NOT NULL DEFAULT '{}',
+      estimated_latency_ms INTEGER,
+      estimated_cost_usd REAL,
+      max_input_bytes INTEGER,
+      scope TEXT NOT NULL DEFAULT 'internal',
+      enabled INTEGER NOT NULL DEFAULT 1,
+      accept_delegations INTEGER NOT NULL DEFAULT 0,
+      inbound_rate_limit INTEGER NOT NULL DEFAULT 10,
+      outbound_rate_limit INTEGER NOT NULL DEFAULT 20,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_capability_tenant_agent ON capability_registry(tenant_id, agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_capability_task_type ON capability_registry(tenant_id, task_type)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS delegation_log (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      direction TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      anonymous_target_id TEXT,
+      anonymous_source_id TEXT,
+      task_type TEXT NOT NULL,
+      status TEXT NOT NULL,
+      request_size_bytes INTEGER,
+      response_size_bytes INTEGER,
+      execution_time_ms INTEGER,
+      cost_usd REAL,
+      created_at TEXT NOT NULL,
+      completed_at TEXT
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_delegation_tenant_ts ON delegation_log(tenant_id, created_at)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_delegation_agent ON delegation_log(tenant_id, agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_delegation_status ON delegation_log(tenant_id, status)`);
+    // ─── Users Table (Enterprise Auth — S3) ─────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS users (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      email TEXT NOT NULL,
+      display_name TEXT,
+      oidc_subject TEXT,
+      oidc_issuer TEXT,
+      role TEXT NOT NULL DEFAULT 'viewer',
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL,
+      last_login_at INTEGER,
+      disabled_at INTEGER
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_users_tenant ON users(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_users_email ON users(email)`);
+    db.run(sql `CREATE UNIQUE INDEX IF NOT EXISTS idx_users_tenant_email ON users(tenant_id, email)`);
+    db.run(sql `CREATE UNIQUE INDEX IF NOT EXISTS idx_users_oidc ON users(oidc_issuer, oidc_subject)`);
+    // ─── Refresh Tokens Table (Enterprise Auth — S3) ───────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS refresh_tokens (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL REFERENCES users(id),
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      token_hash TEXT NOT NULL,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      revoked_at INTEGER,
+      user_agent TEXT,
+      ip_address TEXT
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens(user_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_refresh_tokens_hash ON refresh_tokens(token_hash)`);
+    // ─── Audit Log table (SH-2) ──────────────────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS audit_log (
+      id TEXT PRIMARY KEY,
+      timestamp TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      actor_type TEXT NOT NULL,
+      actor_id TEXT NOT NULL,
+      action TEXT NOT NULL,
+      resource_type TEXT,
+      resource_id TEXT,
+      details TEXT NOT NULL DEFAULT '{}',
+      ip_address TEXT,
+      user_agent TEXT
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_audit_log_tenant_ts ON audit_log(tenant_id, timestamp)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_audit_log_action ON audit_log(action)`);
+    // ─── API Key Rotation columns (SH-6) ──────────────────
+    const apiKeyColsSH6 = db.all(sql `PRAGMA table_info(api_keys)`);
+    const apiKeyColNamesSH6 = new Set(apiKeyColsSH6.map((c) => c.name));
+    if (!apiKeyColNamesSH6.has('rotated_at')) {
+        db.run(sql `ALTER TABLE api_keys ADD COLUMN rotated_at INTEGER`);
+    }
+    if (!apiKeyColNamesSH6.has('expires_at')) {
+        db.run(sql `ALTER TABLE api_keys ADD COLUMN expires_at INTEGER`);
+    }
+    // ─── Discovery Config (Story 5.4) ──────────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS discovery_config (
+      tenant_id TEXT PRIMARY KEY,
+      min_trust_threshold INTEGER NOT NULL DEFAULT 60,
+      delegation_enabled INTEGER NOT NULL DEFAULT 0,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    // ─── Cost Budget tables (Feature 5) ──────────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS cost_budgets (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      scope TEXT NOT NULL,
+      agent_id TEXT,
+      period TEXT NOT NULL,
+      limit_usd REAL NOT NULL,
+      on_breach TEXT NOT NULL DEFAULT 'alert',
+      downgrade_target_model TEXT,
+      enabled INTEGER NOT NULL DEFAULT 1,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_cost_budgets_tenant ON cost_budgets(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_cost_budgets_tenant_enabled ON cost_budgets(tenant_id, enabled)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_cost_budgets_tenant_agent ON cost_budgets(tenant_id, agent_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS cost_budget_state (
+      budget_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      last_breach_at TEXT,
+      breach_count INTEGER NOT NULL DEFAULT 0,
+      current_spend REAL,
+      period_start TEXT,
+      PRIMARY KEY (budget_id, tenant_id)
+    )
+  `);
+    // ─── Notification Channels (Feature 12) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS notification_channels (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      type TEXT NOT NULL,
+      name TEXT NOT NULL,
+      config TEXT NOT NULL,
+      enabled INTEGER NOT NULL DEFAULT 1,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_notification_channels_tenant ON notification_channels(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_notification_channels_type ON notification_channels(tenant_id, type)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS notification_log (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL DEFAULT 'default',
+      channel_id TEXT NOT NULL,
+      rule_id TEXT,
+      rule_type TEXT,
+      status TEXT NOT NULL,
+      attempt INTEGER NOT NULL DEFAULT 1,
+      error_message TEXT,
+      payload_summary TEXT,
+      created_at TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_notification_log_tenant ON notification_log(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_notification_log_channel ON notification_log(channel_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_notification_log_created ON notification_log(tenant_id, created_at)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS cost_anomaly_config (
+      tenant_id TEXT PRIMARY KEY,
+      multiplier REAL NOT NULL DEFAULT 3.0,
+      min_sessions INTEGER NOT NULL DEFAULT 5,
+      enabled INTEGER NOT NULL DEFAULT 1,
+      updated_at TEXT NOT NULL
+    )
+  `);
+    // ─── Eval Framework tables (Feature 15) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS eval_datasets (
+      id            TEXT PRIMARY KEY,
+      tenant_id     TEXT NOT NULL,
+      agent_id      TEXT,
+      name          TEXT NOT NULL,
+      description   TEXT,
+      version       INTEGER NOT NULL DEFAULT 1,
+      parent_id     TEXT,
+      immutable     INTEGER NOT NULL DEFAULT 0,
+      created_at    TEXT NOT NULL,
+      updated_at    TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_datasets_tenant ON eval_datasets(tenant_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS eval_test_cases (
+      id                TEXT PRIMARY KEY,
+      dataset_id        TEXT NOT NULL REFERENCES eval_datasets(id) ON DELETE CASCADE,
+      tenant_id         TEXT NOT NULL,
+      input             TEXT NOT NULL,
+      expected_output   TEXT,
+      tags              TEXT NOT NULL DEFAULT '[]',
+      metadata          TEXT NOT NULL DEFAULT '{}',
+      scoring_criteria  TEXT,
+      sort_order        INTEGER NOT NULL DEFAULT 0,
+      created_at        TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_test_cases_dataset ON eval_test_cases(dataset_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS eval_runs (
+      id              TEXT PRIMARY KEY,
+      tenant_id       TEXT NOT NULL,
+      dataset_id      TEXT NOT NULL REFERENCES eval_datasets(id),
+      dataset_version INTEGER NOT NULL,
+      agent_id        TEXT NOT NULL,
+      webhook_url     TEXT NOT NULL,
+      status          TEXT NOT NULL DEFAULT 'pending',
+      config          TEXT NOT NULL DEFAULT '{}',
+      baseline_run_id TEXT,
+      total_cases     INTEGER NOT NULL DEFAULT 0,
+      passed_cases    INTEGER NOT NULL DEFAULT 0,
+      failed_cases    INTEGER NOT NULL DEFAULT 0,
+      avg_score       REAL,
+      total_cost_usd  REAL,
+      total_duration_ms INTEGER,
+      started_at      TEXT,
+      completed_at    TEXT,
+      created_at      TEXT NOT NULL,
+      error           TEXT
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_runs_tenant ON eval_runs(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_runs_dataset ON eval_runs(dataset_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_runs_agent ON eval_runs(tenant_id, agent_id)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS eval_results (
+      id              TEXT PRIMARY KEY,
+      run_id          TEXT NOT NULL REFERENCES eval_runs(id) ON DELETE CASCADE,
+      test_case_id    TEXT NOT NULL REFERENCES eval_test_cases(id),
+      tenant_id       TEXT NOT NULL,
+      session_id      TEXT,
+      actual_output   TEXT,
+      score           REAL NOT NULL,
+      passed          INTEGER NOT NULL,
+      scorer_type     TEXT NOT NULL,
+      scorer_details  TEXT NOT NULL DEFAULT '{}',
+      latency_ms      INTEGER,
+      cost_usd        REAL,
+      token_count     INTEGER,
+      error           TEXT,
+      created_at      TEXT NOT NULL
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_eval_results_run ON eval_results(run_id)`);
+    // ─── Prompt Management tables (Feature 19) ──────────────────
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS prompt_templates (
+      id TEXT PRIMARY KEY,
+      tenant_id TEXT NOT NULL,
+      name TEXT NOT NULL,
+      description TEXT,
+      category TEXT NOT NULL DEFAULT 'general',
+      current_version_id TEXT,
+      created_at TEXT NOT NULL,
+      updated_at TEXT NOT NULL,
+      deleted_at TEXT
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_templates_tenant ON prompt_templates(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_templates_tenant_cat ON prompt_templates(tenant_id, category)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_templates_tenant_name ON prompt_templates(tenant_id, name)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS prompt_versions (
+      id TEXT PRIMARY KEY,
+      template_id TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      version_number INTEGER NOT NULL,
+      content TEXT NOT NULL,
+      variables TEXT,
+      content_hash TEXT NOT NULL,
+      changelog TEXT,
+      created_by TEXT,
+      created_at TEXT NOT NULL,
+      UNIQUE(template_id, version_number)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_versions_tenant ON prompt_versions(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_versions_hash ON prompt_versions(content_hash)`);
+    db.run(sql `
+    CREATE TABLE IF NOT EXISTS prompt_fingerprints (
+      content_hash TEXT NOT NULL,
+      tenant_id TEXT NOT NULL,
+      agent_id TEXT NOT NULL,
+      first_seen_at TEXT NOT NULL,
+      last_seen_at TEXT NOT NULL,
+      call_count INTEGER NOT NULL DEFAULT 0,
+      template_id TEXT,
+      sample_content TEXT,
+      PRIMARY KEY (content_hash, tenant_id, agent_id)
+    )
+  `);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_fp_tenant ON prompt_fingerprints(tenant_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_fp_agent ON prompt_fingerprints(tenant_id, agent_id)`);
+    db.run(sql `CREATE INDEX IF NOT EXISTS idx_prompt_fp_template ON prompt_fingerprints(template_id)`);
+}
+/**
+ * Verify that WAL mode is enabled.
+ */
+export function verifyPragmas(db) {
+    const journalMode = db.get(sql `PRAGMA journal_mode`)?.journal_mode ?? '';
+    const synchronous = db.get(sql `PRAGMA synchronous`)?.synchronous ?? -1;
+    const cacheSize = db.get(sql `PRAGMA cache_size`)?.cache_size ?? 0;
+    // SQLite returns { timeout: N } for PRAGMA busy_timeout
+    const busyTimeout = db.get(sql `PRAGMA busy_timeout`)?.timeout ?? 0;
+    const foreignKeys = db.get(sql `PRAGMA foreign_keys`)?.foreign_keys === 1;
+    // synchronous: 0=OFF, 1=NORMAL, 2=FULL, 3=EXTRA
+    const syncNames = { 0: 'OFF', 1: 'NORMAL', 2: 'FULL', 3: 'EXTRA' };
+    return {
+        journalMode,
+        synchronous: syncNames[synchronous] ?? String(synchronous),
+        cacheSize,
+        busyTimeout,
+        foreignKeys,
+    };
+}
+//# sourceMappingURL=migrate.sqlite.js.map