@derwinjs/db 0.1.0

package/prisma-client/schema.prisma

@@ -0,0 +1,748 @@
+// Derwin platform schema — Postgres + Prisma.
+//
+// 14 models, project-namespaced. Per ADR-0005 (Prisma + Postgres + project-
+// namespaced schema). Reference: technical spec §3.
+//
+// Multi-tenancy convention: every project-scoped table has a `projectId String`
+// FK to Project. Cross-project leakage is the leading regression risk; queries
+// MUST filter on projectId. Per ADR-0005, the trust-mitigation gates are:
+//   1. A lint or static check that flags Prisma queries missing projectId
+//      filters on tables that have one (added in Sprint 8 / risk-tier work).
+//   2. A multi-project broken-fixture E2E that asserts isolation
+//      (added in Sprint 13 / QAP-130).
+//
+// pgvector convention: `embedding Bytes?` on RAGCorpus is the v1 storage type.
+// QAP-076 (Sprint 7 — RAG corpus add) switches it to a pgvector `vector(1536)`
+// column once the extension is enabled in QAP-036.
+
+// Generator output is INSIDE the package so the generated client ships
+// in the published tarball alongside dist/. Consumer code does
+// `import { PrismaClient } from '@derwinjs/db'` (or '@derwinjs/db/client') —
+// see packages/db/src/index.ts re-exports. This is required for
+// multi-tenant correctness: each Derwin consumer (Lifeline, Side Piece,
+// Bolt, ...) already has its own @prisma/client generated against its
+// own schema; @derwinjs/db can't piggyback on the consumer's @prisma/client
+// or types break (Lifeline's PrismaClient doesn't have qAUniformity etc).
+//
+// binaryTargets ships explicit cross-platform binaries so the published
+// tarball works regardless of where the publish workflow ran:
+//   - darwin-arm64: Apple Silicon Mac dev (the Derwin team's primary local)
+//   - rhel-openssl-3.0.x: x86 Linux on OpenSSL 3 (Vercel default, most CI)
+//   - linux-arm64-openssl-3.0.x: ARM Linux (AWS Graviton, etc.)
+// "native" is intentionally omitted — relying on it makes the published
+// tarball platform-dependent (whatever the publisher was running on).
+// Intel Mac users (rare) add `darwin` locally via a re-generate.
+generator client {
+  provider      = "prisma-client-js"
+  output        = "../prisma-client"
+  binaryTargets = ["darwin-arm64", "rhel-openssl-3.0.x", "linux-arm64-openssl-3.0.x"]
+}
+
+datasource db {
+  provider = "postgresql"
+  url      = env("DATABASE_URL")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Multi-tenant root
+// ═══════════════════════════════════════════════════════════════════════════
+
+model Project {
+  id        String      @id @default(cuid())
+  name      String
+  slug      String      @unique
+  type      ProjectType
+  createdAt DateTime    @default(now())
+  updatedAt DateTime    @updatedAt
+
+  // Operating mode (Observe / TicketOnly / Author / Auto) — see product brief §11.2
+  mode          ProjectMode @default(OBSERVE)
+  modeChangedAt DateTime    @default(now())
+  modeChangedBy String?
+
+  // Per-project quotas + budgets
+  monthlyBudgetCents Int @default(10000) // $100 default
+  dailyDispatchLimit Int @default(50)
+
+  // GitHub integration (QAP-019C / Group D-1, 2026-05-04).
+  //
+  // `repoFullName` is the canonical "<owner>/<repo>" identifier (e.g.,
+  // "RoryLYN/derwin"). The github-webhook route uses it to resolve a
+  // payload's `repository.full_name` → projectId. Optional + unique
+  // because: not every Derwin project has a GitHub repo (Sprint 4+ may
+  // onboard products that don't run on GitHub); but a given repo can map
+  // to at most one Derwin project (otherwise webhook payloads would be
+  // ambiguous).
+  //
+  // `webhookSecret` is the per-project HMAC-SHA256 secret GitHub uses to
+  // sign webhook payloads. Optional so projects without GitHub integration
+  // carry no secret. The webhook route passes this to
+  // `QAAuthAdapter.verifyWebhook(headers, body, secret)` to authenticate
+  // payloads before any DB writes.
+  repoFullName  String? @unique
+  webhookSecret String?
+
+  // Relations
+  profile        ProjectProfile?
+  runs           QARun[]
+  tickets        QATicket[]
+  fixAttempts    QAFixAttempt[]
+  auditArtifacts AuditArtifact[]
+  policies       Policy[]
+  trustScores    ClassificationTrust[]
+  modeLog        ProjectModeLog[]
+  patterns       QAPattern[]
+  reverts        QARevert[]
+  uniformities   QAUniformity[]
+
+  @@map("projects")
+}
+
+enum ProjectType {
+  SAAS
+  ECOMMERCE
+  MARKETING
+  ERP
+  ANALYTICS
+  INFRA
+  CONTENT
+}
+
+enum ProjectMode {
+  OBSERVE // run but write nothing
+  TICKET_ONLY // write tickets, no fix authoring
+  AUTHOR // tickets + fix authoring, all to PR
+  AUTO // full autonomy per risk tier policies
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer A: Project Profile (the Knowledge Base)
+// ═══════════════════════════════════════════════════════════════════════════
+
+model ProjectProfile {
+  id        String      @id @default(cuid())
+  projectId String      @unique
+  type      ProjectType
+
+  domainOntology Json // entities[], actions[], roles[]
+  riskProfile    Json // 8-vector weights across surface categories
+  criticalFlows  Json // named user journeys with steps + assertions
+  glossary       Json // term → definition; disambiguates "ticket"/"tenant"/etc.
+  dependencies   Json // third-party services that need integration testing
+  complianceTags String[] @default([])
+
+  ingestedDocsHash String // hash of (doc, version) tuples for change detection
+
+  lastIngestedAt DateTime
+  lastEvolvedAt  DateTime
+  createdAt      DateTime @default(now())
+  updatedAt      DateTime @updatedAt
+
+  project      Project               @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  evolutionLog ProfileEvolutionLog[]
+
+  @@map("project_profiles")
+}
+
+model IngestedDoc {
+  id            String   @id @default(cuid())
+  projectId     String
+  source        String // "filesystem" | "notion" | "google-docs" | etc.
+  sourcePath    String // canonical path/URL of the doc
+  contentHash   String
+  contentSize   Int
+  ingestedAt    DateTime @default(now())
+  ontologyDelta Json? // what this doc contributed to the Profile
+
+  @@unique([projectId, sourcePath, contentHash])
+  @@index([projectId, sourcePath])
+  @@map("ingested_docs")
+}
+
+model ProfileEvolutionLog {
+  id          String   @id @default(cuid())
+  profileId   String
+  triggerType String // "FIX_OUTCOME" | "SPRINT_INGEST" | "DEPLOY" | "OPERATOR_OVERRIDE"
+  delta       Json // what changed
+  rationale   String   @db.Text
+  appliedAt   DateTime @default(now())
+  appliedBy   String // "agent" | userId
+
+  profile ProjectProfile @relation(fields: [profileId], references: [id], onDelete: Cascade)
+
+  @@index([profileId, appliedAt(sort: Desc)])
+  @@map("profile_evolution_log")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer B/C: Discovery + Execution
+// ═══════════════════════════════════════════════════════════════════════════
+
+model QARun {
+  id          String     @id @default(cuid())
+  projectId   String
+  triggeredBy String // "cron" | "operator:<userId>" | "webhook" | "<routeName>"
+  triggerType RunTrigger
+  scope       Json // what surfaces, which routes, which subset
+  startedAt   DateTime   @default(now())
+  completedAt DateTime?
+  status      RunStatus  @default(IN_PROGRESS)
+
+  // Outcome counts (denormalized for dashboard reads)
+  signalsRaised    Int @default(0)
+  ticketsCreated   Int @default(0)
+  attemptsLaunched Int @default(0)
+
+  project      Project        @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  signals      RawSignal[]
+  tickets      QATicket[]
+  reverts      QARevert[]
+  uniformities QAUniformity[]
+
+  @@index([projectId, startedAt(sort: Desc)])
+  @@map("qa_runs")
+}
+
+enum RunTrigger {
+  CRON
+  OPERATOR_ON_DEMAND
+  WEBHOOK
+  CONTINUOUS // for routes that run as a daemon (telemetry mining etc.)
+  AGENT // QAP-019F (Group D-3): standalone QA agent (browser tool) ingestion
+}
+
+enum RunStatus {
+  IN_PROGRESS
+  COMPLETED
+  FAILED
+  CANCELLED
+}
+
+// A RawSignal is what a Discovery route emits. It hasn't been investigated /
+// classified / ticketed yet — Triage takes signals and produces tickets.
+model RawSignal {
+  id              String @id @default(cuid())
+  qaRunId         String
+  routeName       String // which Discovery route fired
+  signalType      String // "test_failure" | "telemetry_anomaly" | "rage_click_cluster" | etc.
+  rawData         Json // route-specific payload (test results, metric snapshot, etc.)
+  rawArtifactRefs Json // pointers to S3 artifacts (videos, screenshots)
+
+  // Investigation + classification happen later; null until Triage processes.
+  qaTicketId     String?   @unique
+  investigatedAt DateTime?
+
+  capturedAt DateTime @default(now())
+
+  qaRun  QARun     @relation(fields: [qaRunId], references: [id], onDelete: Cascade)
+  ticket QATicket? @relation(fields: [qaTicketId], references: [id])
+
+  @@index([qaRunId])
+  @@index([routeName, capturedAt(sort: Desc)])
+  @@map("raw_signals")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer D: Triage — the structured QA ticket
+// ═══════════════════════════════════════════════════════════════════════════
+
+model QATicket {
+  id        String @id @default(cuid())
+  projectId String
+  qaRunId   String
+
+  // Identity / linkage
+  externalRef          String? // if mirrored to Linear/Jira/Lifeline-native, the ID there (single primary cross-system ref; legacy from v0.4)
+  externalSystem       String? // "linear" | "jira" | "github-issues" | "lifeline-native"
+  originatingTicketRef String? // the FEATURE ticket that introduced the affected code, if known
+
+  // Cross-link stubs posted to consumer ticket systems per ADR-0008 (architecture
+  // pivot 2026-05-01). Array of { system: 'github', repo: string, issueNumber: number,
+  // url: string, state: 'open' | 'closed' }. Multiple stubs supported (e.g., post
+  // to both GitHub Issues and Linear). QAP-018 (Sprint 2) populates this on
+  // createQATicket via the LifelineTicketAdapter.
+  crossLinkRefs Json @default("[]")
+
+  // Canonical deep-link URL for this ticket in the Derwin-owned dashboard per
+  // ADR-0008. Populated by QAP-018B's createQATicket from DERWIN_DASHBOARD_URL
+  // env + ticket id. The cross-link stubs in crossLinkRefs[] embed this URL in
+  // their bodies so operators triaging in the consumer ticket system can click
+  // through to the rich Derwin record.
+  dashboardUrl String?
+
+  // Classification
+  surface        SurfaceCategory
+  classification String // SELECTOR | PRODUCT_BUG | TIMING | etc., extensible
+  severity       Severity
+  riskTier       RiskTier
+  status         TicketStatus    @default(OPEN)
+
+  // Content (from the structured ticket format in product brief §6.3)
+  title              String
+  reproSteps         Json // array of step objects
+  suspectedRootCause String @db.Text
+  blastRadius        Json // affected files / tests / pages
+
+  // Author/dispatch decision
+  proposedFixApproach String  @db.Text
+  autoMergeEligible   Boolean @default(false)
+  autoMergeRationale  String? @db.Text
+
+  // Final bucket assignment (populated after lifecycle completes)
+  finalBucket  ReviewBucket?
+  bucketReason String?       @db.Text
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  // Optional audit field — operator userId or system actor name (e.g.,
+  // "qa-auto-fix-webhook") that resolved this ticket. Set on status
+  // transitions to RESOLVED, REJECTED, or REGRESSED_REVERTED. QAP-019C
+  // (Group D-1, 2026-05-04). Mirrors Lifeline's QARecommendation.resolvedBy
+  // column. Optional because not every status transition carries a
+  // resolution actor.
+  resolvedBy String?
+  closedAt   DateTime?
+
+  project   Project         @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  qaRun     QARun           @relation(fields: [qaRunId], references: [id], onDelete: Cascade)
+  signals   RawSignal[]
+  attempts  QAFixAttempt[]
+  artifacts AuditArtifact[]
+  reverts   QARevert[]
+
+  @@index([projectId, status])
+  @@index([projectId, finalBucket])
+  @@index([projectId, createdAt(sort: Desc)])
+  @@map("qa_tickets")
+}
+
+enum SurfaceCategory {
+  CODE_HEALTH
+  FUNCTIONAL_CORRECTNESS
+  UI_UX_INTEGRITY
+  PERF_RESILIENCE
+  SECURITY
+  COMPLIANCE_AUDIT
+  MULTI_TENANT_SAFETY
+  OPERATIONAL_HEALTH
+}
+
+enum Severity {
+  CRITICAL
+  HIGH
+  MEDIUM
+  LOW
+}
+
+enum RiskTier {
+  LOW
+  MEDIUM
+  HIGH
+  NEVER
+}
+
+enum TicketStatus {
+  OPEN
+  INVESTIGATING
+  AUTHORING
+  PR_OPEN
+  MERGED
+  REGRESSED_REVERTED
+  CLOSED_WONTFIX
+  CLOSED_RESOLVED
+  ESCALATED
+}
+
+enum ReviewBucket {
+  PASS
+  FAIL
+  ESCALATION
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer E: Auto-fix attempts
+// ═══════════════════════════════════════════════════════════════════════════
+
+model QAFixAttempt {
+  id            String @id @default(cuid())
+  qaTicketId    String
+  projectId     String
+  attemptNumber Int // 1..N for iterative retry
+
+  // Prompt + diff
+  promptText    String  @db.Text
+  diff          String? @db.Text
+  diffSizeBytes Int?
+  modelName     String?
+  modelVersion  String?
+  inputTokens   Int?
+  outputTokens  Int?
+  costCents     Int?
+
+  // Pre-merge verification
+  preVerifyResult Json? // sandbox run results
+  preVerifyPassed Boolean?
+
+  // Dispatch outcome
+  branchName     String?
+  prUrl          String?
+  prNumber       Int?
+  dispatchStatus AttemptStatus @default(AUTHORING)
+
+  // Post-merge verification (set after merge)
+  mergedAt           DateTime?
+  postVerifyResult   Json?
+  regressionDetected Boolean   @default(false)
+  autoRevertedAt     DateTime?
+  humanEditLines     Int?
+  fixSuccessScore    Float? // -1.0 to 1.0
+
+  attemptedAt DateTime  @default(now())
+  closedAt    DateTime?
+
+  ticket    QATicket        @relation(fields: [qaTicketId], references: [id], onDelete: Cascade)
+  project   Project         @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  artifacts AuditArtifact[]
+
+  @@index([qaTicketId, attemptNumber])
+  @@index([projectId, attemptedAt(sort: Desc)])
+  @@map("qa_fix_attempts")
+}
+
+enum AttemptStatus {
+  AUTHORING
+  PRE_VERIFY_FAILED
+  PRE_VERIFY_PASSED
+  PR_OPENED
+  AUTO_MERGED
+  HUMAN_MERGED
+  REJECTED
+  REGRESSED_REVERTED
+  FAILED
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer F: Trust scores + drift + RAG corpus
+// ═══════════════════════════════════════════════════════════════════════════
+
+model ClassificationTrust {
+  id             String          @id @default(cuid())
+  projectId      String
+  classification String // matches QATicket.classification
+  surface        SurfaceCategory
+
+  // Rolling stats (30-day window)
+  attemptsLast30d Int @default(0)
+  mergedClean     Int @default(0)
+  mergedWithEdits Int @default(0)
+  regressed       Int @default(0)
+  reverted        Int @default(0)
+
+  // Computed
+  successScore      Float   @default(0) // -1.0 to 1.0
+  trustPercent      Int     @default(0) // 0 to 100, operator-facing
+  autoMergeEligible Boolean @default(false)
+
+  lastComputedAt DateTime @default(now())
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@unique([projectId, classification, surface])
+  @@map("classification_trust")
+}
+
+// Successful past fixes used as in-context examples for new dispatches.
+// Embedding column is Bytes for v1; QAP-076 (Sprint 7) switches to pgvector.
+model RAGCorpus {
+  id             String          @id @default(cuid())
+  projectId      String
+  classification String
+  surface        SurfaceCategory
+
+  promptText String @db.Text // the prompt that produced the fix
+  diff       String @db.Text // the unified diff that worked
+  embedding  Bytes? // for semantic search
+
+  fixAttemptId   String // back-reference to the source attempt
+  outcomeQuality Float // priority weight; declines if later usage shows problems
+  addedAt        DateTime @default(now())
+
+  @@index([projectId, classification, surface])
+  @@map("rag_corpus")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Audit artifacts — proof-of-work, not "trust me"
+// ═══════════════════════════════════════════════════════════════════════════
+
+model AuditArtifact {
+  id             String  @id @default(cuid())
+  projectId      String
+  qaTicketId     String?
+  qaFixAttemptId String?
+
+  artifactType ArtifactType
+  stage        ArtifactStage // which lifecycle stage produced this
+
+  // Storage references (S3-style)
+  storageBackend String // "s3" | "supabase-storage" | "filesystem"
+  storageKey     String // canonical key/path
+  contentType    String
+  sizeBytes      Int
+  contentHash    String
+
+  // Metadata
+  meta           Json // route-specific (e.g., screenshot timestamp, video duration)
+  retentionUntil DateTime? // computed from project compliance mode
+
+  capturedAt DateTime @default(now())
+
+  project    Project       @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  ticket     QATicket?     @relation(fields: [qaTicketId], references: [id])
+  fixAttempt QAFixAttempt? @relation(fields: [qaFixAttemptId], references: [id])
+
+  @@index([qaTicketId])
+  @@index([projectId, capturedAt(sort: Desc)])
+  @@map("audit_artifacts")
+}
+
+enum ArtifactType {
+  SCREENSHOT
+  VIDEO
+  DOM_SNAPSHOT
+  CONSOLE_LOG
+  NETWORK_LOG
+  TELEMETRY_SLICE
+  CODE_SNAPSHOT
+  PROMPT_TEXT
+  DIFF
+  REASONING_TRACE
+  REVIEWER_OUTPUT
+  REPLAY_BUNDLE
+}
+
+enum ArtifactStage {
+  DETECTION
+  INVESTIGATION
+  TICKET_CREATION
+  AUTHORING
+  PRE_MERGE_VERIFICATION
+  POST_MERGE_VERIFICATION
+  ARCHIVAL
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Policies + safety (Sprint 8 — QAP-080..089 — fills these out)
+// ═══════════════════════════════════════════════════════════════════════════
+
+model Policy {
+  id         String     @id @default(cuid())
+  projectId  String
+  policyType PolicyType
+
+  // Path tier rules: globs → tier
+  pathRules               Json // [{ glob: "src/auth/**", tier: "HIGH" }, …]
+  classificationOverrides Json // { "PRODUCT_BUG": "MEDIUM", … }
+
+  // Trust thresholds
+  autoMergeTrustThreshold  Int @default(70)
+  autoMergeMediumThreshold Int @default(85)
+
+  // Concurrency
+  dailyDispatchLimit    Int @default(50)
+  // Fix-attempt retry limit per ticket. Default 1 per ADR-0006 — try once,
+  // route to FAIL on failure (conservative trust posture). Configurable per
+  // project; recommended range 1–4. Higher values raise auto-fix throughput
+  // on iterative-success classifications at the cost of Anthropic spend and
+  // delayed operator awareness of classifier weakness.
+  perTicketAttemptLimit Int @default(1)
+
+  // Time-of-day
+  freezeWindowsCron String[] @default([])
+
+  // Escalation triggers
+  escalationTriggers Json
+
+  updatedAt DateTime @updatedAt
+  updatedBy String
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@index([projectId])
+  @@map("policies")
+}
+
+enum PolicyType {
+  RISK_TIER
+  CONCURRENCY
+  TRUST_THRESHOLD
+  ESCALATION
+}
+
+model ProjectModeLog {
+  id        String      @id @default(cuid())
+  projectId String
+  fromMode  ProjectMode
+  toMode    ProjectMode
+  reason    String      @db.Text
+  changedBy String // "auto-promotion" | userId
+  changedAt DateTime    @default(now())
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@index([projectId, changedAt(sort: Desc)])
+  @@map("project_mode_log")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Cost + telemetry
+// ═══════════════════════════════════════════════════════════════════════════
+
+model SpendLedger {
+  id             String  @id @default(cuid())
+  projectId      String
+  qaFixAttemptId String?
+
+  // Per-event spend
+  vendor    String // "anthropic" | "openai" | "github-actions" | "supabase-storage"
+  eventType String // "claude_dispatch" | "claude_review" | "embedding" | "storage_write"
+  costCents Int // signed; can be credit
+  meta      Json
+
+  occurredAt DateTime @default(now())
+
+  @@index([projectId, occurredAt(sort: Desc)])
+  @@index([projectId, vendor, occurredAt])
+  @@map("spend_ledger")
+}
+
+// ═══════════════════════════════════════════════════════════════════════════
+// Layer F: Learning — patterns + reverts (QAP-019D + QAP-019E, Group D-2)
+// ═══════════════════════════════════════════════════════════════════════════
+
+// QAPattern is a learned failure signature — the orchestrator's Triage stage
+// (Sprint 6) bumps occurrenceCount + lastSeenAt when a new RawSignal matches
+// a known signature. Lifeline-shape preserved verbatim per Group D-2 plan
+// decision #1: re-ranker fields (fixSuccessScore / fixOutcomeSampleSize /
+// lastWeightedAt) stay even though Derwin's re-ranker today reads
+// classification-trust-store. Preserves optionality for Sprint 4+ consumers
+// and removes shim translation work in QAP-019G.
+//
+// (signature, projectId) is unique — the same failure signature in different
+// projects is two distinct rows. Lifeline-style.
+model QAPattern {
+  id               String          @id @default(cuid())
+  projectId        String
+  signature        String
+  classification   QAFailureClass
+  firstSeenAt      DateTime        @default(now())
+  lastSeenAt       DateTime        @default(now())
+  occurrenceCount  Int             @default(1)
+  affectedTickets  String[]        @default([])
+  trendDirection   String          @default("stable") // improving | stable | degrading
+  status           QAPatternStatus @default(OPEN)
+  resolvedAt       DateTime?
+  promotedToLintAt DateTime?
+  promotedLintPR   String?
+  archivedAt       DateTime?
+
+  // Re-ranker fields (Lifeline-shape preserved, Decision 1).
+  fixSuccessScore      Float?
+  fixOutcomeSampleSize Int       @default(0)
+  lastWeightedAt       DateTime?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@unique([projectId, signature])
+  @@index([projectId, lastSeenAt(sort: Desc)])
+  @@index([status])
+  @@map("qa_patterns")
+}
+
+enum QAPatternStatus {
+  OPEN
+  RESOLVED
+  ARCHIVED
+}
+
+enum QAFailureClass {
+  SELECTOR
+  TIMING
+  TEST_DATA
+  PRODUCT_BUG
+  SCHEMA_DRIFT
+  UNKNOWN
+}
+
+// QARevert logs a manual or auto-revert of a fix-forward commit. The route
+// handler does NOT execute `git revert` — it only records the operator's
+// action. Restore is the inverse: a fix-forward commit lands and the operator
+// flips restoredAt + restoredBy + restoredBySha.
+//
+// Decision 2: keep qaRunId FK only. Lifeline's qaResultId pointed at the
+// QARunResult table, which Derwin doesn't have under Option β (results are
+// RawSignal records). Reverts are at the ticket+commit level, not the
+// per-test-result level.
+model QARevert {
+  id              String   @id @default(cuid())
+  projectId       String
+  ticketId        String
+  revertedFromSha String
+  revertedToSha   String?
+  revertedAt      DateTime @default(now())
+  revertedBy      String
+  reason          String   @db.Text
+  qaRunId         String?
+
+  // Restore audit trail — set when the fix-forward commit ships.
+  restoredAt    DateTime?
+  restoredBy    String?
+  restoredBySha String?
+
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  project Project  @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  ticket  QATicket @relation(fields: [ticketId], references: [id], onDelete: Cascade)
+  run     QARun?   @relation(fields: [qaRunId], references: [id], onDelete: SetNull)
+
+  @@index([projectId, revertedAt(sort: Desc)])
+  @@index([ticketId])
+  @@map("qa_reverts")
+}
+
+// QAUniformity stores per-page rule outcomes from the invariant crawler
+// (uniformity audit). Lifeline calls this `QAUniformityAudit`; renamed to
+// `QAUniformity` per Group D-3 plan Decision 5 (drop `Audit` suffix to match
+// other Derwin model names). Bulk-inserted by /api/qa/uniformity POST and
+// aggregated by GET. Optionally tied to a QARun (most ingestions are run-
+// scoped; manual operator runs may not have a qaRunId).
+model QAUniformity {
+  id              String             @id @default(cuid())
+  projectId       String
+  qaRunId         String?
+  pagePath        String
+  ruleName        String
+  ruleCategory    String
+  status          QAUniformityStatus
+  violationDetail String?            @db.Text
+  createdAt       DateTime           @default(now())
+
+  project Project @relation(fields: [projectId], references: [id], onDelete: Cascade)
+  run     QARun?  @relation(fields: [qaRunId], references: [id], onDelete: SetNull)
+
+  @@index([projectId, createdAt(sort: Desc)])
+  @@index([projectId, ruleName, status])
+  @@index([projectId, pagePath])
+  @@map("qa_uniformities")
+}
+
+enum QAUniformityStatus {
+  PASSED
+  FAILED
+  SKIPPED
+}