@derwinjs/db 0.7.0 → 0.8.0

package/dist/path-tier-resolver.js

@@ -0,0 +1,177 @@
+/**
+ * createPrismaPathTierResolver — Prisma-backed implementation of the SDK
+ * PathTierResolver contract introduced by QAP-080.
+ *
+ * Sprint 8 (Policy Governance, Phase 1). Resolves a list of paths to the
+ * **strictest** RiskTier among all rules that match any of the supplied
+ * paths. "Strictest" follows the RiskTier ladder: NEVER > HIGH > MEDIUM >
+ * LOW. Falls back to the project's `defaultTier` when no rule matches; if
+ * the project itself doesn't exist, falls back to LOW (defense-in-depth
+ * against tenant enumeration — wrong-project lookups must not throw or
+ * leak whether a Project row exists).
+ *
+ * No external glob library — `matchGlob` below is a small in-house helper
+ * that handles the three glob features we need (`**`, `*`, literals). We
+ * deliberately avoid pulling `minimatch` into @derwinjs/db to keep the
+ * dependency surface small for Sprint 8; if the Sprint 9 policy editor
+ * needs feature parity (negation, brace expansion, `?`), revisit then.
+ *
+ * Tenant isolation: every read scopes by projectId. setRules wraps DELETE
+ * + bulk INSERT in an interactive transaction so partial failures don't
+ * leave a half-applied ruleset.
+ */
+import { PathTierResolverError, RiskTierValues, } from '@derwinjs/sdk';
+// ─── Tier ordering ────────────────────────────────────────────────────────
+/**
+ * Strictness ladder. The resolver picks the maximum-strictness tier among
+ * all matching rules. NEVER is strictest (forbidden), LOW is loosest.
+ *
+ * NOTE: the SDK's RiskTier enum currently is `LOW | MEDIUM | HIGH | NEVER`.
+ * The Sprint 8 plan referenced `CRITICAL` in early drafts; we honor the
+ * existing schema enum and treat NEVER as the strictest tier (it means
+ * "auto-fix forbidden — must be human-only"). If a future migration
+ * renames NEVER to CRITICAL, update this ladder accordingly.
+ */
+const TIER_STRICTNESS = {
+    LOW: 0,
+    MEDIUM: 1,
+    HIGH: 2,
+    NEVER: 3,
+};
+function strictest(a, b) {
+    return TIER_STRICTNESS[a] >= TIER_STRICTNESS[b] ? a : b;
+}
+// ─── Glob matcher ─────────────────────────────────────────────────────────
+/**
+ * Minimal glob → path matcher.
+ *
+ *   `**` — matches zero or more path segments (including `/`)
+ *   `*`  — matches zero or more chars within a single segment (no `/`)
+ *   anything else — literal
+ *
+ * Implemented by translating the glob to a RegExp. Anchored at both ends.
+ * This is intentionally a small subset — we don't support brace expansion,
+ * negation, character classes, or `?`. Add them when a real consumer
+ * needs them; YAGNI applies in Sprint 8.
+ *
+ * Throws PathTierResolverError(`invalid_pattern`) on a glob that produces
+ * an unparseable RegExp (extremely rare with the supported subset, but
+ * the guard exists so the contract's error-code surface is honored).
+ */
+export function matchGlob(pattern, path) {
+    // Tokenize so we can distinguish `**` from two consecutive `*`.
+    let regexSrc = '';
+    let i = 0;
+    while (i < pattern.length) {
+        const ch = pattern.charAt(i);
+        if (ch === '*') {
+            if (pattern[i + 1] === '*') {
+                // `**` — match anything including `/`
+                regexSrc += '.*';
+                i += 2;
+                // Skip a trailing `/` in `**/` so the rule matches the empty
+                // prefix case (e.g., `**/foo.ts` should match `foo.ts`).
+                if (pattern[i] === '/') {
+                    regexSrc += '/?';
+                    i += 1;
+                }
+            }
+            else {
+                // single `*` — match within a segment
+                regexSrc += '[^/]*';
+                i += 1;
+            }
+        }
+        else if (/[.+?^${}()|[\]\\]/.test(ch)) {
+            regexSrc += '\\' + ch;
+            i += 1;
+        }
+        else {
+            regexSrc += ch;
+            i += 1;
+        }
+    }
+    let re;
+    try {
+        re = new RegExp('^' + regexSrc + '$');
+    }
+    catch (err) {
+        throw new PathTierResolverError('invalid_pattern', `PathTierResolver: invalid glob pattern ${JSON.stringify(pattern)}`, err);
+    }
+    return re.test(path);
+}
+// ─── Validation ──────────────────────────────────────────────────────────
+function validateRule(rule) {
+    if (typeof rule.pattern !== 'string' || rule.pattern.length === 0) {
+        throw new PathTierResolverError('invalid_pattern', 'PathTierResolver: rule.pattern must be a non-empty string');
+    }
+    if (!RiskTierValues.includes(rule.tier)) {
+        throw new PathTierResolverError('invalid_tier', `PathTierResolver: rule.tier must be one of ${RiskTierValues.join(', ')} (got ${rule.tier})`);
+    }
+}
+// ─── Factory ─────────────────────────────────────────────────────────────
+export function createPrismaPathTierResolver(config) {
+    const { prisma } = config;
+    return {
+        async resolveTier(input) {
+            const { projectId, paths } = input;
+            // Read project row for the fallback tier. findUnique (not findFirst)
+            // because Project.id is the unique key. Wrong-project / unknown-
+            // project returns null → fall back to LOW (no leak that the project
+            // doesn't exist).
+            const project = await prisma.project.findUnique({
+                where: { id: projectId },
+                select: { defaultTier: true },
+            });
+            const fallback = project?.defaultTier ?? 'LOW';
+            if (paths.length === 0) {
+                return fallback;
+            }
+            const rules = await prisma.pathTierRule.findMany({
+                where: { projectId },
+                orderBy: { priority: 'asc' },
+            });
+            let strictestSeen = null;
+            for (const rule of rules) {
+                const matched = paths.some((p) => matchGlob(rule.pattern, p));
+                if (matched) {
+                    strictestSeen = strictestSeen === null ? rule.tier : strictest(strictestSeen, rule.tier);
+                }
+            }
+            return strictestSeen ?? fallback;
+        },
+        async listRules(input) {
+            const rows = await prisma.pathTierRule.findMany({
+                where: { projectId: input.projectId },
+                orderBy: { priority: 'asc' },
+            });
+            return rows.map((row) => ({
+                pattern: row.pattern,
+                tier: row.tier,
+                ...(row.reason !== null ? { reason: row.reason } : {}),
+            }));
+        },
+        async setRules(input) {
+            const { projectId, rules } = input;
+            // Validate up-front so a bad rule fails fast before we touch the DB.
+            for (const rule of rules)
+                validateRule(rule);
+            // Atomic replace: DELETE + bulk INSERT inside one transaction.
+            await prisma.$transaction(async (tx) => {
+                await tx.pathTierRule.deleteMany({ where: { projectId } });
+                if (rules.length === 0)
+                    return;
+                await tx.pathTierRule.createMany({
+                    data: rules.map((rule, idx) => ({
+                        projectId,
+                        pattern: rule.pattern,
+                        tier: rule.tier,
+                        priority: idx,
+                        reason: rule.reason ?? null,
+                    })),
+                });
+            });
+        },
+    };
+}
+//# sourceMappingURL=path-tier-resolver.js.map

package/dist/path-tier-resolver.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-tier-resolver.js","sourceRoot":"","sources":["../src/path-tier-resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAGH,OAAO,EACL,qBAAqB,EACrB,cAAc,GAIf,MAAM,eAAe,CAAC;AASvB,6EAA6E;AAE7E;;;;;;;;;GASG;AACH,MAAM,eAAe,GAA6B;IAChD,GAAG,EAAE,CAAC;IACN,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,KAAK,EAAE,CAAC;CACT,CAAC;AAEF,SAAS,SAAS,CAAC,CAAW,EAAE,CAAW;IACzC,OAAO,eAAe,CAAC,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;AAC1D,CAAC;AAED,6EAA6E;AAE7E;;;;;;;;;;;;;;;GAeG;AACH,MAAM,UAAU,SAAS,CAAC,OAAe,EAAE,IAAY;IACrD,gEAAgE;IAChE,IAAI,QAAQ,GAAG,EAAE,CAAC;IAClB,IAAI,CAAC,GAAG,CAAC,CAAC;IACV,OAAO,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;QAC1B,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC;YACf,IAAI,OAAO,CAAC,CAAC,GAAG,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;gBAC3B,sCAAsC;gBACtC,QAAQ,IAAI,IAAI,CAAC;gBACjB,CAAC,IAAI,CAAC,CAAC;gBACP,6DAA6D;gBAC7D,yDAAyD;gBACzD,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;oBACvB,QAAQ,IAAI,IAAI,CAAC;oBACjB,CAAC,IAAI,CAAC,CAAC;gBACT,CAAC;YACH,CAAC;iBAAM,CAAC;gBACN,sCAAsC;gBACtC,QAAQ,IAAI,OAAO,CAAC;gBACpB,CAAC,IAAI,CAAC,CAAC;YACT,CAAC;QACH,CAAC;aAAM,IAAI,mBAAmB,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC;YACxC,QAAQ,IAAI,IAAI,GAAG,EAAE,CAAC;YACtB,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;aAAM,CAAC;YACN,QAAQ,IAAI,EAAE,CAAC;YACf,CAAC,IAAI,CAAC,CAAC;QACT,CAAC;IACH,CAAC;IAED,IAAI,EAAU,CAAC;IACf,IAAI,CAAC;QACH,EAAE,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,QAAQ,GAAG,GAAG,CAAC,CAAC;IACxC,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,IAAI,qBAAqB,CAC7B,iBAAiB,EACjB,0CAA0C,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,EAAE,EACnE,GAAG,CACJ,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACvB,CAAC;AAED,4EAA4E;AAE5E,SAAS,YAAY,CAAC,IAAkB;IACtC,IAAI,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClE,MAAM,IAAI,qBAAqB,CAC7B,iBAAiB,EACjB,2DAA2D,CAC5D,CAAC;IACJ,CAAC;IACD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,qBAAqB,CAC7B,cAAc,EACd,8CAA8C,cAAc,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,IAAI,CAAC,IAAI,GAAG,CAC7F,CAAC;IACJ,CAAC;AACH,CAAC;AAED,4EAA4E;AAE5E,MAAM,UAAU,4BAA4B,CAC1C,MAAoC;IAEpC,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAE1B,OAAO;QACL,KAAK,CAAC,WAAW,CAAC,KAA6C;YAC7D,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;YAEnC,qEAAqE;YACrE,iEAAiE;YACjE,oEAAoE;YACpE,kBAAkB;YAClB,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;gBAC9C,KAAK,EAAE,EAAE,EAAE,EAAE,SAAS,EAAE;gBACxB,MAAM,EAAE,EAAE,WAAW,EAAE,IAAI,EAAE;aAC9B,CAAC,CAAC;YACH,MAAM,QAAQ,GAAa,OAAO,EAAE,WAAW,IAAI,KAAK,CAAC;YAEzD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACvB,OAAO,QAAQ,CAAC;YAClB,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC/C,KAAK,EAAE,EAAE,SAAS,EAAE;gBACpB,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;aAC7B,CAAC,CAAC;YAEH,IAAI,aAAa,GAAoB,IAAI,CAAC;YAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;gBACzB,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC9D,IAAI,OAAO,EAAE,CAAC;oBACZ,aAAa,GAAG,aAAa,KAAK,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC;gBAC3F,CAAC;YACH,CAAC;YAED,OAAO,aAAa,IAAI,QAAQ,CAAC;QACnC,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,KAA4B;YAC1C,MAAM,IAAI,GAAG,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC;gBAC9C,KAAK,EAAE,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,EAAE;gBACrC,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE;aAC7B,CAAC,CAAC;YACH,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC;gBACxB,OAAO,EAAE,GAAG,CAAC,OAAO;gBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,GAAG,CAAC,GAAG,CAAC,MAAM,KAAK,IAAI,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;aACvD,CAAC,CAAC,CAAC;QACN,CAAC;QAED,KAAK,CAAC,QAAQ,CAAC,KAAmD;YAChE,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,KAAK,CAAC;YAEnC,qEAAqE;YACrE,KAAK,MAAM,IAAI,IAAI,KAAK;gBAAE,YAAY,CAAC,IAAI,CAAC,CAAC;YAE7C,+DAA+D;YAC/D,MAAM,MAAM,CAAC,YAAY,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;gBACrC,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC,EAAE,KAAK,EAAE,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;gBAC3D,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;oBAAE,OAAO;gBAC/B,MAAM,EAAE,CAAC,YAAY,CAAC,UAAU,CAAC;oBAC/B,IAAI,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;wBAC9B,SAAS;wBACT,OAAO,EAAE,IAAI,CAAC,OAAO;wBACrB,IAAI,EAAE,IAAI,CAAC,IAAI;wBACf,QAAQ,EAAE,GAAG;wBACb,MAAM,EAAE,IAAI,CAAC,MAAM,IAAI,IAAI;qBAC5B,CAAC,CAAC;iBACJ,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/dist/trust-threshold-config-store.d.ts

@@ -0,0 +1,20 @@
+/**
+ * createPrismaTrustThresholdConfigStore — Prisma-backed implementation of
+ * the SDK TrustThresholdConfigStore contract introduced by QAP-082.
+ *
+ * Sprint 8 Phase 2 (Policy Governance). The config is stored as a JSON
+ * column on Project.trustThresholds. Null in storage means "use defaults".
+ *
+ * Tenant isolation: every method scopes by projectId. Pattern D applies —
+ * unknown / wrong-project lookups return DEFAULT_TRUST_THRESHOLDS rather
+ * than throwing or leaking existence (defense-in-depth against tenant
+ * enumeration).
+ */
+import type { PrismaClient } from './prisma.js';
+import { type TrustThresholdConfigStore } from '@derwinjs/sdk';
+export interface PrismaTrustThresholdConfigStoreConfig {
+    /** Generated Prisma client. Pass an instance per process. */
+    prisma: PrismaClient;
+}
+export declare function createPrismaTrustThresholdConfigStore(config: PrismaTrustThresholdConfigStoreConfig): TrustThresholdConfigStore;
+//# sourceMappingURL=trust-threshold-config-store.d.ts.map

package/dist/trust-threshold-config-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-threshold-config-store.d.ts","sourceRoot":"","sources":["../src/trust-threshold-config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAChD,OAAO,EAIL,KAAK,yBAAyB,EAC/B,MAAM,eAAe,CAAC;AAIvB,MAAM,WAAW,qCAAqC;IACpD,6DAA6D;IAC7D,MAAM,EAAE,YAAY,CAAC;CACtB;AA8DD,wBAAgB,qCAAqC,CACnD,MAAM,EAAE,qCAAqC,GAC5C,yBAAyB,CA4B3B"}

package/dist/trust-threshold-config-store.js

@@ -0,0 +1,88 @@
+/**
+ * createPrismaTrustThresholdConfigStore — Prisma-backed implementation of
+ * the SDK TrustThresholdConfigStore contract introduced by QAP-082.
+ *
+ * Sprint 8 Phase 2 (Policy Governance). The config is stored as a JSON
+ * column on Project.trustThresholds. Null in storage means "use defaults".
+ *
+ * Tenant isolation: every method scopes by projectId. Pattern D applies —
+ * unknown / wrong-project lookups return DEFAULT_TRUST_THRESHOLDS rather
+ * than throwing or leaking existence (defense-in-depth against tenant
+ * enumeration).
+ */
+import { DEFAULT_TRUST_THRESHOLDS, TrustThresholdConfigError, } from '@derwinjs/sdk';
+// ─── Validation ──────────────────────────────────────────────────────────
+/**
+ * Each threshold must be a finite integer in [0, 100]. We accept floats
+ * because the JSON column can store them, but the dispatcher's comparison
+ * is integer-percent semantically; reject NaN / Infinity / out-of-range.
+ */
+function validateConfig(config) {
+    for (const [key, value] of [
+        ['low', config.low],
+        ['medium', config.medium],
+        ['high', config.high],
+    ]) {
+        if (typeof value !== 'number' || !Number.isFinite(value)) {
+            throw new TrustThresholdConfigError('invalid_input', `TrustThresholdConfig: ${key} must be a finite number (got ${String(value)})`);
+        }
+        if (value < 0 || value > 100) {
+            throw new TrustThresholdConfigError('invalid_input', `TrustThresholdConfig: ${key} must be in [0, 100] (got ${String(value)})`);
+        }
+    }
+}
+/**
+ * Best-effort coercion of an unknown JSON value into a TrustThresholdConfig.
+ * Returns null if the shape is wrong — caller falls back to defaults. We
+ * intentionally do not throw here: defense-in-depth so a corrupted row
+ * doesn't cascade into a runtime error.
+ */
+function tryParseConfig(value) {
+    if (value !== null &&
+        typeof value === 'object' &&
+        !Array.isArray(value) &&
+        'low' in value &&
+        'medium' in value &&
+        'high' in value) {
+        const v = value;
+        if (typeof v.low === 'number' &&
+            typeof v.medium === 'number' &&
+            typeof v.high === 'number' &&
+            Number.isFinite(v.low) &&
+            Number.isFinite(v.medium) &&
+            Number.isFinite(v.high)) {
+            return { low: v.low, medium: v.medium, high: v.high };
+        }
+    }
+    return null;
+}
+// ─── Factory ─────────────────────────────────────────────────────────────
+export function createPrismaTrustThresholdConfigStore(config) {
+    const { prisma } = config;
+    return {
+        async getConfig(input) {
+            const project = await prisma.project.findUnique({
+                where: { id: input.projectId },
+                select: { trustThresholds: true },
+            });
+            if (project === null)
+                return { ...DEFAULT_TRUST_THRESHOLDS };
+            const parsed = tryParseConfig(project.trustThresholds);
+            return parsed ?? { ...DEFAULT_TRUST_THRESHOLDS };
+        },
+        async setConfig(input) {
+            validateConfig(input.config);
+            await prisma.project.update({
+                where: { id: input.projectId },
+                data: {
+                    trustThresholds: {
+                        low: input.config.low,
+                        medium: input.config.medium,
+                        high: input.config.high,
+                    },
+                },
+            });
+        },
+    };
+}
+//# sourceMappingURL=trust-threshold-config-store.js.map

package/dist/trust-threshold-config-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trust-threshold-config-store.js","sourceRoot":"","sources":["../src/trust-threshold-config-store.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EACL,wBAAwB,EACxB,yBAAyB,GAG1B,MAAM,eAAe,CAAC;AASvB,4EAA4E;AAE5E;;;;GAIG;AACH,SAAS,cAAc,CAAC,MAA4B;IAClD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI;QACzB,CAAC,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC;QACnB,CAAC,QAAQ,EAAE,MAAM,CAAC,MAAM,CAAC;QACzB,CAAC,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC;KACb,EAAE,CAAC;QACX,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACzD,MAAM,IAAI,yBAAyB,CACjC,eAAe,EACf,yBAAyB,GAAG,iCAAiC,MAAM,CAAC,KAAK,CAAC,GAAG,CAC9E,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,GAAG,CAAC,IAAI,KAAK,GAAG,GAAG,EAAE,CAAC;YAC7B,MAAM,IAAI,yBAAyB,CACjC,eAAe,EACf,yBAAyB,GAAG,6BAA6B,MAAM,CAAC,KAAK,CAAC,GAAG,CAC1E,CAAC;QACJ,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;GAKG;AACH,SAAS,cAAc,CAAC,KAAc;IACpC,IACE,KAAK,KAAK,IAAI;QACd,OAAO,KAAK,KAAK,QAAQ;QACzB,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QACrB,KAAK,IAAI,KAAK;QACd,QAAQ,IAAI,KAAK;QACjB,MAAM,IAAI,KAAK,EACf,CAAC;QACD,MAAM,CAAC,GAAG,KAAgC,CAAC;QAC3C,IACE,OAAO,CAAC,CAAC,GAAG,KAAK,QAAQ;YACzB,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ;YAC5B,OAAO,CAAC,CAAC,IAAI,KAAK,QAAQ;YAC1B,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC;YACtB,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC;YACzB,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,EACvB,CAAC;YACD,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;QACxD,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,4EAA4E;AAE5E,MAAM,UAAU,qCAAqC,CACnD,MAA6C;IAE7C,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,CAAC;IAE1B,OAAO;QACL,KAAK,CAAC,SAAS,CAAC,KAA4B;YAC1C,MAAM,OAAO,GAAG,MAAM,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;gBAC9C,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;gBAC9B,MAAM,EAAE,EAAE,eAAe,EAAE,IAAI,EAAE;aAClC,CAAC,CAAC;YACH,IAAI,OAAO,KAAK,IAAI;gBAAE,OAAO,EAAE,GAAG,wBAAwB,EAAE,CAAC;YAC7D,MAAM,MAAM,GAAG,cAAc,CAAC,OAAO,CAAC,eAAe,CAAC,CAAC;YACvD,OAAO,MAAM,IAAI,EAAE,GAAG,wBAAwB,EAAE,CAAC;QACnD,CAAC;QAED,KAAK,CAAC,SAAS,CAAC,KAA0D;YACxE,cAAc,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAC7B,MAAM,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC;gBAC1B,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,SAAS,EAAE;gBAC9B,IAAI,EAAE;oBACJ,eAAe,EAAE;wBACf,GAAG,EAAE,KAAK,CAAC,MAAM,CAAC,GAAG;wBACrB,MAAM,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM;wBAC3B,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,IAAI;qBACxB;iBACF;aACF,CAAC,CAAC;QACL,CAAC;KACF,CAAC;AACJ,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@derwinjs/db",
-  "version": "0.7.0",
+  "version": "0.8.0",
   "description": "Prisma schema + migrations for Derwin's own Postgres. 14 models, project-namespaced. Per ADR-0005. Ships its own generated Prisma client (multi-platform binaries) for cross-consumer compatibility.",
   "license": "SEE LICENSE IN LICENSE",
   "type": "module",
@@ -33,8 +33,8 @@
   },
   "dependencies": {
     "@prisma/client": "^5.22.0",
-    "@derwinjs/core": "0.7.0",
-    "@derwinjs/sdk": "0.7.0"
+    "@derwinjs/core": "0.8.0",
+    "@derwinjs/sdk": "0.8.0"
   },
   "devDependencies": {
     "@vitest/coverage-v8": "^2.1.9",

package/prisma/migrations/20260507120000_sprint8_policy_governance/migration.sql

@@ -0,0 +1,58 @@
+-- Sprint 8 (QAP-080..081) — Policy governance: path-tier rules + classification override table.
+--
+-- Promotes Policy.pathRules / Policy.classificationOverrides JSON columns to
+-- first-class tables so the policy-editor UI (Sprint 9 / QAP-088) can render,
+-- reorder, and audit them as discrete rows. The legacy JSON fields on Policy
+-- stay for back-compat with QAP-013's createPrismaFixPolicy until Sprint 9
+-- migrates the read path.
+--
+-- Idempotent (IF NOT EXISTS) — safe to re-run on environments where the
+-- enum or tables already exist.
+
+-- 1. Project.defaultTier — fallback tier when no PathTierRule matches.
+ALTER TABLE "derwin"."projects"
+  ADD COLUMN IF NOT EXISTS "defaultTier" "derwin"."RiskTier" NOT NULL DEFAULT 'LOW';
+
+-- 2. OverrideMode enum.
+DO $$ BEGIN
+  CREATE TYPE "derwin"."OverrideMode" AS ENUM ('BLOCK_AUTO_FIX', 'FORCE_ESCALATION', 'DOWNGRADE_TIER');
+EXCEPTION
+  WHEN duplicate_object THEN NULL;
+END $$;
+
+-- 3. PathTierRule.
+CREATE TABLE IF NOT EXISTS "derwin"."path_tier_rules" (
+  "id"        TEXT PRIMARY KEY,
+  "projectId" TEXT NOT NULL,
+  "pattern"   TEXT NOT NULL,
+  "tier"      "derwin"."RiskTier" NOT NULL,
+  "priority"  INTEGER NOT NULL,
+  "reason"    TEXT,
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  "updatedAt" TIMESTAMP(3) NOT NULL,
+  CONSTRAINT "path_tier_rules_projectId_fkey"
+    FOREIGN KEY ("projectId") REFERENCES "derwin"."projects"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS "path_tier_rules_projectId_priority_idx"
+  ON "derwin"."path_tier_rules" ("projectId", "priority");
+
+-- 4. ClassificationOverride.
+CREATE TABLE IF NOT EXISTS "derwin"."classification_overrides" (
+  "id"             TEXT PRIMARY KEY,
+  "projectId"      TEXT NOT NULL,
+  "classification" TEXT NOT NULL,
+  "surface"        TEXT,
+  "overrideMode"   "derwin"."OverrideMode" NOT NULL,
+  "downgradeTier"  "derwin"."RiskTier",
+  "reason"         TEXT NOT NULL,
+  "createdBy"      TEXT NOT NULL,
+  "createdAt"      TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "classification_overrides_projectId_fkey"
+    FOREIGN KEY ("projectId") REFERENCES "derwin"."projects"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS "classification_overrides_projectId_classification_surface_idx"
+  ON "derwin"."classification_overrides" ("projectId", "classification", "surface");

package/prisma/migrations/20260507120100_sprint8_phase2_thresholds_and_freeze/migration.sql

@@ -0,0 +1,33 @@
+-- Sprint 8 Phase 2 (QAP-082..083) — Trust threshold config + freeze windows.
+--
+-- Phase 1 (20260507120000_sprint8_policy_governance) added PathTierRule,
+-- ClassificationOverride, and Project.defaultTier. Phase 2 layers on:
+--   1. Project.trustThresholds JSONB — per-tier minimum trustPercent for
+--      auto-fix dispatch. Null → use SDK defaults ({low:60, medium:80, high:95}).
+--   2. freeze_windows table — operator-defined recurring dispatch freeze
+--      windows. Cron-driven, 5-field, no seconds.
+--
+-- Idempotent (IF NOT EXISTS). Safe to re-run on environments where Phase 1
+-- already landed but Phase 2 didn't.
+
+-- 1. Project.trustThresholds — JSONB, nullable.
+ALTER TABLE "derwin"."projects"
+  ADD COLUMN IF NOT EXISTS "trustThresholds" JSONB;
+
+-- 2. FreezeWindow.
+CREATE TABLE IF NOT EXISTS "derwin"."freeze_windows" (
+  "id"              TEXT PRIMARY KEY,
+  "projectId"       TEXT NOT NULL,
+  "cronExpression"  TEXT NOT NULL,
+  "durationMinutes" INTEGER NOT NULL,
+  "label"           TEXT NOT NULL,
+  "blocksDispatch"  BOOLEAN NOT NULL DEFAULT TRUE,
+  "enabled"         BOOLEAN NOT NULL DEFAULT TRUE,
+  "createdAt"       TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "freeze_windows_projectId_fkey"
+    FOREIGN KEY ("projectId") REFERENCES "derwin"."projects"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS "freeze_windows_projectId_enabled_idx"
+  ON "derwin"."freeze_windows" ("projectId", "enabled");

package/prisma/migrations/20260507120200_sprint8_phase3_budget_cap/migration.sql

@@ -0,0 +1,21 @@
+-- Sprint 8 Phase 3 (QAP-084) — Per-project budget cap + soft-warn pct.
+--
+-- Adds the budget-gate columns the BudgetGate contract reads:
+--   1. Project.monthlyBudgetUsd  — DOUBLE PRECISION, nullable. Null = NO_CAP.
+--   2. Project.budgetSoftWarnPct — DOUBLE PRECISION, default 0.8 (80%).
+--
+-- The dispatcher consults a BudgetGate before runFixCycle and refuses new
+-- auto-fix dispatches when month-to-date spend / monthlyBudgetUsd >= 1.0.
+-- Soft-warn (>= budgetSoftWarnPct, < 1.0) is observable but non-blocking;
+-- hard-stop (>= 1.0) blocks. NO_CAP (monthlyBudgetUsd IS NULL) is the
+-- pre-Phase-3 default and preserves legacy behavior for projects that have
+-- not opted into explicit USD caps.
+--
+-- Idempotent (IF NOT EXISTS). Safe to re-run on environments where Phase 1
+-- and Phase 2 have already landed but Phase 3 has not.
+
+ALTER TABLE "derwin"."projects"
+  ADD COLUMN IF NOT EXISTS "monthlyBudgetUsd" DOUBLE PRECISION;
+
+ALTER TABLE "derwin"."projects"
+  ADD COLUMN IF NOT EXISTS "budgetSoftWarnPct" DOUBLE PRECISION NOT NULL DEFAULT 0.8;

package/prisma/migrations/20260507120300_sprint8_phase4_kill_switches/migration.sql

@@ -0,0 +1,74 @@
+-- Sprint 8 Phase 4 (QAP-085 / QAP-086 / QAP-087) — Three kill switches.
+--
+-- Adds the schema the KillSwitchEvaluator contract reads/writes:
+--   1. Project.killSwitchConfig — JSONB, nullable. Per-project threshold
+--      overrides; null → use SDK defaults.
+--   2. KillSwitchType enum — three trigger discriminators.
+--   3. KillSwitchScope enum — three granularity discriminators.
+--   4. kill_switch_states table — history-preserving log of every trip.
+--
+-- The dispatcher consults a KillSwitchEvaluator before runFixCycle and
+-- refuses to dispatch when any matching engaged switch is present:
+--   - PROJECT or PLATFORM-scope switches block before ticket fetch.
+--   - CLASSIFICATION-scope switches block after ticket fetch when the
+--     ticket's classification + surface match the engaged switch's tuple.
+--
+-- History semantics: a new trip inserts a new row; an unblock flips
+-- engaged → false on the existing row; subsequent re-trips on the same
+-- tuple insert another row. This preserves the audit trail.
+--
+-- Idempotent (IF NOT EXISTS / DO ... EXCEPTION). Safe to re-run on
+-- environments where Phase 1 / Phase 2 / Phase 3 already landed but
+-- Phase 4 has not.
+
+-- 1. Project.killSwitchConfig — JSONB, nullable.
+ALTER TABLE "derwin"."projects"
+  ADD COLUMN IF NOT EXISTS "killSwitchConfig" JSONB;
+
+-- 2. KillSwitchType enum.
+DO $$ BEGIN
+  CREATE TYPE "derwin"."KillSwitchType" AS ENUM (
+    'SUCCESS_RATE_DROP',
+    'CONSECUTIVE_FAILURE',
+    'REGRESSION_CASCADE'
+  );
+EXCEPTION
+  WHEN duplicate_object THEN NULL;
+END $$;
+
+-- 3. KillSwitchScope enum.
+DO $$ BEGIN
+  CREATE TYPE "derwin"."KillSwitchScope" AS ENUM (
+    'CLASSIFICATION',
+    'PROJECT',
+    'PLATFORM'
+  );
+EXCEPTION
+  WHEN duplicate_object THEN NULL;
+END $$;
+
+-- 4. KillSwitchState table.
+CREATE TABLE IF NOT EXISTS "derwin"."kill_switch_states" (
+  "id"             TEXT PRIMARY KEY,
+  "projectId"      TEXT,
+  "classification" TEXT,
+  "surface"        TEXT,
+  "type"           "derwin"."KillSwitchType" NOT NULL,
+  "scope"          "derwin"."KillSwitchScope" NOT NULL,
+  "engaged"        BOOLEAN NOT NULL DEFAULT TRUE,
+  "engagedAt"      TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  "unblockedAt"    TIMESTAMP(3),
+  "unblockedBy"    TEXT,
+  "reason"         TEXT NOT NULL,
+  "triggerMetrics" JSONB NOT NULL,
+  "createdAt"      TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "kill_switch_states_projectId_fkey"
+    FOREIGN KEY ("projectId") REFERENCES "derwin"."projects"("id")
+    ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS "kill_switch_states_projectId_engaged_idx"
+  ON "derwin"."kill_switch_states" ("projectId", "engaged");
+
+CREATE INDEX IF NOT EXISTS "kill_switch_states_type_scope_engaged_idx"
+  ON "derwin"."kill_switch_states" ("type", "scope", "engaged");