@desplega.ai/agent-swarm 1.80.2 → 1.81.0

package/src/tests/workflow-triggers-v2.test.ts

@@ -2,7 +2,14 @@ import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import crypto from "node:crypto";
 import { unlink } from "node:fs/promises";
 import { z } from "zod";
-import { closeDb, createWorkflow, getWorkflowRun, initDb, updateWorkflow } from "../be/db";
+import {
+  closeDb,
+  createWorkflow,
+  getWorkflowRun,
+  initDb,
+  updateWorkflow,
+  upsertSwarmConfig,
+} from "../be/db";
 import type { Workflow } from "../types";
 import { startWorkflowExecution } from "../workflows/engine";
 import { BaseExecutor, type ExecutorResult } from "../workflows/executors/base";
@@ -118,7 +125,12 @@ describe("handleWebhookTrigger", () => {
     hmac.update(body);
     const sig = `sha256=${hmac.digest("hex")}`;
 
-    const result = await handleWebhookTrigger(workflow.id, body, sig, sig, registry);
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-hub-signature-256": sig },
+      registry,
+    );
 
     expect(result.runId).toBeDefined();
     expect(typeof result.runId).toBe("string");
@@ -138,8 +150,7 @@ describe("handleWebhookTrigger", () => {
       await handleWebhookTrigger(
         workflow.id,
         '{"test":true}',
-        "sha256=invalid",
-        "sha256=invalid",
+        { "x-hub-signature-256": "sha256=invalid" },
         registry,
       );
       expect(true).toBe(false); // Should not reach here
@@ -155,7 +166,7 @@ describe("handleWebhookTrigger", () => {
     });
 
     try {
-      await handleWebhookTrigger(workflow.id, '{"test":true}', undefined, undefined, registry);
+      await handleWebhookTrigger(workflow.id, '{"test":true}', {}, registry);
       expect(true).toBe(false);
     } catch (err) {
       expect(err).toBeInstanceOf(WebhookError);
@@ -168,13 +179,7 @@ describe("handleWebhookTrigger", () => {
       triggers: [{ type: "webhook" }],
     });
 
-    const result = await handleWebhookTrigger(
-      workflow.id,
-      '{"data":"hello"}',
-      undefined,
-      undefined,
-      registry,
-    );
+    const result = await handleWebhookTrigger(workflow.id, '{"data":"hello"}', {}, registry);
 
     expect(result.runId).toBeDefined();
     const run = getWorkflowRun(result.runId);
@@ -183,13 +188,7 @@ describe("handleWebhookTrigger", () => {
 
   test("workflow not found returns 404", async () => {
     try {
-      await handleWebhookTrigger(
-        "00000000-0000-0000-0000-000000000000",
-        "{}",
-        undefined,
-        undefined,
-        registry,
-      );
+      await handleWebhookTrigger("00000000-0000-0000-0000-000000000000", "{}", {}, registry);
       expect(true).toBe(false);
     } catch (err) {
       expect(err).toBeInstanceOf(WebhookError);
@@ -205,7 +204,7 @@ describe("handleWebhookTrigger", () => {
     updateWorkflow(workflow.id, { enabled: false });
 
     try {
-      await handleWebhookTrigger(workflow.id, "{}", undefined, undefined, registry);
+      await handleWebhookTrigger(workflow.id, "{}", {}, registry);
       expect(true).toBe(false);
     } catch (err) {
       expect(err).toBeInstanceOf(WebhookError);
@@ -214,6 +213,248 @@ describe("handleWebhookTrigger", () => {
   });
 });
 
+// ─── Custom HMAC header + secret refs ───────────────────────
+
+describe("handleWebhookTrigger — custom hmacHeader", () => {
+  function signRaw(secret: string, body: string): string {
+    return crypto.createHmac("sha256", secret).update(body).digest("hex");
+  }
+
+  test("custom hmacHeader (X-Webhook-Signature) is picked up and verified", async () => {
+    const secret = "kapso-secret";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret, hmacHeader: "X-Webhook-Signature" }],
+    });
+
+    const body = '{"event":"message"}';
+    // Kapso-style: raw hex, no `sha256=` prefix.
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-webhook-signature": signRaw(secret, body) },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+    expect(getWorkflowRun(result.runId)).not.toBeNull();
+  });
+
+  test("custom hmacHeader lookup is case-insensitive", async () => {
+    const secret = "kapso-secret-ci";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret, hmacHeader: "X-Webhook-Signature" }],
+    });
+
+    const body = '{"event":"ci"}';
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "X-Webhook-Signature": signRaw(secret, body) },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+  });
+
+  test("signature on a non-configured header is rejected as missing", async () => {
+    const secret = "kapso-secret-2";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret, hmacHeader: "X-Webhook-Signature" }],
+    });
+
+    const body = '{"event":"x"}';
+    // Use a header that is neither the configured one nor a known fallback.
+    try {
+      await handleWebhookTrigger(
+        workflow.id,
+        body,
+        { "x-some-other-header": signRaw(secret, body) },
+        registry,
+      );
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(WebhookError);
+      expect((err as WebhookError).statusCode).toBe(401);
+    }
+  });
+
+  test("fallback header (x-signature) still works without explicit hmacHeader", async () => {
+    const secret = "fallback-secret";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret }],
+    });
+
+    const body = '{"event":"fallback"}';
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-signature": signRaw(secret, body) },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+  });
+
+  test("default X-Hub-Signature-256 path still works (no regression)", async () => {
+    const secret = "default-header-secret";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret }],
+    });
+
+    const body = '{"event":"default"}';
+    const sig = `sha256=${signRaw(secret, body)}`;
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-hub-signature-256": sig },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+  });
+});
+
+describe("handleWebhookTrigger — hmacSecret references", () => {
+  function signRaw(secret: string, body: string): string {
+    return crypto.createHmac("sha256", secret).update(body).digest("hex");
+  }
+
+  test("hmacSecret as secret.NAME ref resolves and verifies", async () => {
+    const SECRET_VALUE = "resolved-kapso-hmac-value";
+    upsertSwarmConfig({
+      scope: "global",
+      key: "TEST_KAPSO_WEBHOOK_HMAC_SECRET",
+      value: SECRET_VALUE,
+      isSecret: true,
+    });
+
+    const workflow = makeWorkflow({
+      triggers: [
+        {
+          type: "webhook",
+          hmacSecret: "secret.TEST_KAPSO_WEBHOOK_HMAC_SECRET",
+          hmacHeader: "X-Webhook-Signature",
+        },
+      ],
+    });
+
+    const body = '{"event":"secret-ref"}';
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-webhook-signature": signRaw(SECRET_VALUE, body) },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+    expect(getWorkflowRun(result.runId)).not.toBeNull();
+  });
+
+  test("unresolvable secret.NAME ref fails cleanly with a WebhookError", async () => {
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: "secret.NONEXISTENT_HMAC_SECRET_12345" }],
+    });
+
+    const body = '{"event":"missing-secret"}';
+    try {
+      await handleWebhookTrigger(
+        workflow.id,
+        body,
+        { "x-hub-signature-256": "deadbeef" },
+        registry,
+      );
+      expect(true).toBe(false);
+    } catch (err) {
+      expect(err).toBeInstanceOf(WebhookError);
+      expect((err as WebhookError).statusCode).toBe(500);
+    }
+  });
+
+  test("a literal hmacSecret is not treated as a reference", async () => {
+    const secret = "plain.literal-not-a-ref";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret }],
+    });
+
+    const body = '{"event":"literal"}';
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-hub-signature-256": signRaw(secret, body) },
+      registry,
+    );
+
+    expect(result.runId).toBeDefined();
+  });
+});
+
+// ─── Trigger payload JSON parsing ───────────────────────────
+
+describe("handleWebhookTrigger — triggerData JSON parsing", () => {
+  function signRaw(secret: string, body: string): string {
+    return crypto.createHmac("sha256", secret).update(body).digest("hex");
+  }
+
+  test("JSON body is parsed and run.triggerData is a deep-equal object", async () => {
+    const workflow = makeWorkflow({ triggers: [{ type: "webhook" }] });
+    const payload = {
+      message: { from: "+34000111222", text: "hi" },
+      conversation: { id: "conv-abc-123" },
+    };
+    const body = JSON.stringify(payload);
+
+    const result = await handleWebhookTrigger(workflow.id, body, {}, registry);
+
+    const run = getWorkflowRun(result.runId);
+    expect(run).not.toBeNull();
+    expect(run!.triggerData).toEqual(payload);
+    // Deep paths must be reachable (this is what `{{trigger.message.from}}` needs).
+    expect((run!.triggerData as { message: { from: string } }).message.from).toBe("+34000111222");
+  });
+
+  test("signed JSON body: HMAC verified against raw bytes, triggerData parsed to object", async () => {
+    const secret = "kapso-deep-secret";
+    const workflow = makeWorkflow({
+      triggers: [{ type: "webhook", hmacSecret: secret, hmacHeader: "X-Webhook-Signature" }],
+    });
+    // Use whitespace + unsorted keys so any re-serialization would change the bytes.
+    const body = '{ "message": {"from":"+1","text":"hi"},  "id":"x" }';
+    const sig = signRaw(secret, body);
+
+    const result = await handleWebhookTrigger(
+      workflow.id,
+      body,
+      { "x-webhook-signature": sig },
+      registry,
+    );
+
+    const run = getWorkflowRun(result.runId);
+    expect(run).not.toBeNull();
+    expect(run!.triggerData).toEqual({ message: { from: "+1", text: "hi" }, id: "x" });
+  });
+
+  test("non-JSON body falls back to the raw string and does not throw", async () => {
+    const workflow = makeWorkflow({ triggers: [{ type: "webhook" }] });
+    const body = "this is not json at all";
+
+    const result = await handleWebhookTrigger(workflow.id, body, {}, registry);
+
+    const run = getWorkflowRun(result.runId);
+    expect(run).not.toBeNull();
+    expect(run!.triggerData).toBe(body);
+  });
+
+  test("empty body produces a run without throwing", async () => {
+    const workflow = makeWorkflow({ triggers: [{ type: "webhook" }] });
+
+    const result = await handleWebhookTrigger(workflow.id, "", {}, registry);
+
+    expect(result.runId).toBeDefined();
+    const run = getWorkflowRun(result.runId);
+    expect(run).not.toBeNull();
+  });
+});
+
 // ─── Manual Trigger ─────────────────────────────────────────
 
 describe("manual trigger (startWorkflowExecution)", () => {

package/src/tools/manage-user.ts

@@ -8,30 +8,81 @@ import {
   getUserById,
   updateUser,
 } from "@/be/db";
+import {
+  getUserIdentities,
+  type IdentityActor,
+  linkIdentity,
+  recordIdentityEvent,
+  unlinkIdentity,
+} from "@/be/users";
 import { createToolRegistrar } from "@/tools/utils";
 
+/**
+ * `manage-user` — Q18 break-and-migrate shape:
+ *   - Identities passed as `identities: [{kind, externalId}, ...]` (was previously
+ *     four denormalised columns: slackUserId / linearUserId / githubUsername /
+ *     gitlabUsername — all dropped).
+ *   - `dailyBudgetUsd`, `status`, `metadata` are new (migration 064).
+ *   - Update path computes a diff against the current `getUserIdentities(userId)`
+ *     so the call is declarative: pass the full desired set, helper emits
+ *     `identity_added` / `identity_removed` events for each delta.
+ *   - Email-alias edits emit `email_added` / `email_removed` events (Q19).
+ */
+const IdentityEntry = z.object({
+  kind: z.string().describe("Identity kind (e.g. 'slack', 'linear', 'github', 'gitlab', 'jira')."),
+  externalId: z.string().describe("Platform-specific identifier for the given kind."),
+});
+
+const InputSchema = z.object({
+  action: z.enum(["create", "update", "delete", "list", "get"]).describe("Action to perform"),
+  userId: z.string().optional().describe("User ID (required for update/delete/get)"),
+  name: z.string().optional().describe("Display name (required for create)"),
+  email: z.string().optional().describe("Primary email address"),
+  role: z.string().optional().describe('Role (e.g., "founder", "engineer")'),
+  notes: z.string().optional().describe("Free-form notes"),
+  identities: z
+    .array(IdentityEntry)
+    .optional()
+    .describe(
+      "List of platform identities to link. On create: every entry is linked. On update: the list is treated as the desired set — entries not currently linked are added (identity_added), entries currently linked but missing are removed (identity_removed).",
+    ),
+  emailAliases: z.array(z.string()).optional().describe("Additional email addresses"),
+  preferredChannel: z.string().optional().describe("Preferred contact channel"),
+  timezone: z.string().optional().describe("Timezone (e.g., America/New_York)"),
+  dailyBudgetUsd: z
+    .number()
+    .nullable()
+    .optional()
+    .describe("Daily budget in USD (null clears the cap)"),
+  status: z
+    .enum(["invited", "active", "suspended"])
+    .optional()
+    .describe("User status — invited / active / suspended"),
+  metadata: z
+    .record(z.string(), z.unknown())
+    .nullable()
+    .optional()
+    .describe("Free-form JSON metadata (null clears the field)"),
+});
+
+function diffAliases(prev: string[], next: string[]): { added: string[]; removed: string[] } {
+  const prevSet = new Set(prev.map((a) => a.toLowerCase()));
+  const nextSet = new Set(next.map((a) => a.toLowerCase()));
+  return {
+    added: next.filter((a) => !prevSet.has(a.toLowerCase())),
+    removed: prev.filter((a) => !nextSet.has(a.toLowerCase())),
+  };
+}
+
 export const registerManageUserTool = (server: McpServer) => {
   createToolRegistrar(server)(
     "manage-user",
     {
       title: "Manage user profiles",
-      description: "Create, update, delete, or list user profiles in the user registry. Lead-only.",
+      description:
+        "Create, update, delete, or list user profiles in the user registry. Identities are managed via an `identities: [{kind, externalId}]` array (declarative — update computes diff). Lead-only.",
       annotations: { readOnlyHint: false },
-      inputSchema: z.object({
-        action: z.enum(["create", "update", "delete", "list", "get"]).describe("Action to perform"),
-        userId: z.string().optional().describe("User ID (required for update/delete/get)"),
-        name: z.string().optional().describe("Display name (required for create)"),
-        email: z.string().optional().describe("Primary email address"),
-        role: z.string().optional().describe('Role (e.g., "founder", "engineer")'),
-        notes: z.string().optional().describe("Free-form notes"),
-        slackUserId: z.string().optional().describe("Slack user ID"),
-        linearUserId: z.string().optional().describe("Linear user UUID"),
-        githubUsername: z.string().optional().describe("GitHub username"),
-        gitlabUsername: z.string().optional().describe("GitLab username"),
-        emailAliases: z.array(z.string()).optional().describe("Additional email addresses"),
-        preferredChannel: z.string().optional().describe("Preferred contact channel"),
-        timezone: z.string().optional().describe("Timezone (e.g., America/New_York)"),
-      }),
+      inputSchema: InputSchema,
     },
     async (input, requestInfo) => {
       const callerAgent = requestInfo.agentId ? getAgentById(requestInfo.agentId) : null;
@@ -43,6 +94,12 @@ export const registerManageUserTool = (server: McpServer) => {
         };
       }
 
+      // Build the operator-actor used for every event emitted in this call.
+      const operatorActor: IdentityActor = {
+        kind: "operator",
+        id: callerAgent.id,
+      };
+
       switch (input.action) {
         case "list": {
           const users = getAllUsers();
@@ -80,14 +137,16 @@ export const registerManageUserTool = (server: McpServer) => {
               email: input.email,
               role: input.role,
               notes: input.notes,
-              slackUserId: input.slackUserId,
-              linearUserId: input.linearUserId,
-              githubUsername: input.githubUsername,
-              gitlabUsername: input.gitlabUsername,
               emailAliases: input.emailAliases,
               preferredChannel: input.preferredChannel,
               timezone: input.timezone,
+              dailyBudgetUsd: input.dailyBudgetUsd ?? undefined,
+              status: input.status,
+              metadata: input.metadata ?? undefined,
             });
+            for (const ident of input.identities ?? []) {
+              linkIdentity(user.id, ident.kind, ident.externalId, operatorActor);
+            }
             return {
               content: [
                 {
@@ -111,24 +170,60 @@ export const registerManageUserTool = (server: McpServer) => {
             };
           }
           try {
+            const before = getUserById(input.userId);
+            if (!before) {
+              return {
+                content: [{ type: "text" as const, text: `User ${input.userId} not found.` }],
+              };
+            }
+
             const user = updateUser(input.userId, {
               name: input.name,
               email: input.email,
               role: input.role,
               notes: input.notes,
-              slackUserId: input.slackUserId,
-              linearUserId: input.linearUserId,
-              githubUsername: input.githubUsername,
-              gitlabUsername: input.gitlabUsername,
               emailAliases: input.emailAliases,
               preferredChannel: input.preferredChannel,
               timezone: input.timezone,
+              dailyBudgetUsd: input.dailyBudgetUsd,
+              status: input.status,
+              metadata: input.metadata,
             });
             if (!user) {
               return {
                 content: [{ type: "text" as const, text: `User ${input.userId} not found.` }],
               };
             }
+
+            // Identity diff — pass the desired set, helper emits the deltas.
+            if (input.identities !== undefined) {
+              const current = getUserIdentities(input.userId);
+              const currentSet = new Set(current.map((i) => `${i.kind}:${i.externalId}`));
+              const desiredSet = new Set(input.identities.map((i) => `${i.kind}:${i.externalId}`));
+
+              for (const ident of input.identities) {
+                if (!currentSet.has(`${ident.kind}:${ident.externalId}`)) {
+                  linkIdentity(input.userId, ident.kind, ident.externalId, operatorActor);
+                }
+              }
+              for (const ident of current) {
+                if (!desiredSet.has(`${ident.kind}:${ident.externalId}`)) {
+                  unlinkIdentity(input.userId, ident.kind, ident.externalId, operatorActor);
+                }
+              }
+            }
+
+            // Email alias diff — emit dedicated email_added / email_removed events (Q19).
+            if (input.emailAliases !== undefined) {
+              const { added, removed } = diffAliases(before.emailAliases, input.emailAliases);
+              for (const alias of added) {
+                recordIdentityEvent(input.userId, "email_added", operatorActor, null, { alias });
+              }
+              for (const alias of removed) {
+                recordIdentityEvent(input.userId, "email_removed", operatorActor, { alias }, null);
+              }
+            }
+
             return {
               content: [
                 {

package/src/tools/resolve-user.ts

@@ -1,46 +1,60 @@
 import type { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import * as z from "zod";
-import { resolveUser } from "@/be/db";
+import { findUserByEmail, findUserByExternalId } from "@/be/users";
 import { createToolRegistrar } from "@/tools/utils";
 
+/**
+ * `resolve-user` — Q18 break-and-migrate shape:
+ *   - `{kind, externalId}` for platform-identity lookups (replaces the old
+ *     `slackUserId` / `linearUserId` / `githubUsername` / `gitlabUsername` fields).
+ *   - `email` for primary-email or alias lookup.
+ *
+ * Validator requires either (kind + externalId) OR email. Old worker payloads
+ * carrying `slackUserId`, `name`, etc. fail Zod validation at runtime — that
+ * is the documented no-soak behaviour for this refactor.
+ *
+ * Exported for tests so the schema can be validated without spinning up an
+ * MCP transport (the SDK only runs Zod at the transport layer).
+ */
+export const resolveUserInputSchema = z
+  .object({
+    kind: z
+      .string()
+      .optional()
+      .describe(
+        "Identity kind — e.g. 'slack', 'linear', 'github', 'gitlab', 'jira', or a custom value. Must be paired with externalId.",
+      ),
+    externalId: z
+      .string()
+      .optional()
+      .describe(
+        "Platform-specific identifier for the given kind (e.g. Slack user ID 'U08NR6QD6CS', Linear user UUID, GitHub login).",
+      ),
+    email: z.string().email().optional().describe("Email address (primary or alias)."),
+  })
+  .strict()
+  .refine((v) => (v.kind !== undefined && v.externalId !== undefined) || v.email !== undefined, {
+    message: "Provide either (kind + externalId) or email",
+  });
+
 export const registerResolveUserTool = (server: McpServer) => {
   createToolRegistrar(server)(
     "resolve-user",
     {
       title: "Resolve user identity",
       description:
-        "Look up a canonical user profile by any platform-specific identifier (Slack ID, Linear ID, GitHub username, email, or name). Returns the full user profile or null.",
+        "Look up a canonical user profile by an `(kind, externalId)` pair (e.g. {kind: 'slack', externalId: 'U_X'}) OR by email (primary or alias). Returns the user profile or 'No user found'.",
       annotations: { readOnlyHint: true },
-      inputSchema: z.object({
-        slackUserId: z.string().optional().describe("Slack user ID (e.g., U08NR6QD6CS)"),
-        linearUserId: z.string().optional().describe("Linear user UUID"),
-        githubUsername: z.string().optional().describe("GitHub username"),
-        gitlabUsername: z.string().optional().describe("GitLab username"),
-        email: z.string().optional().describe("Email address"),
-        name: z.string().optional().describe("Name (fuzzy substring match, lowest priority)"),
-      }),
+      inputSchema: resolveUserInputSchema,
     },
-    async ({ slackUserId, linearUserId, githubUsername, gitlabUsername, email, name }) => {
-      if (!slackUserId && !linearUserId && !githubUsername && !gitlabUsername && !email && !name) {
-        return {
-          content: [
-            {
-              type: "text" as const,
-              text: "At least one search parameter is required.",
-            },
-          ],
-        };
+    async ({ kind, externalId, email }) => {
+      let user = null;
+      if (kind && externalId) {
+        user = findUserByExternalId(kind, externalId);
+      } else if (email) {
+        user = findUserByEmail(email);
       }
 
-      const user = resolveUser({
-        slackUserId,
-        linearUserId,
-        githubUsername,
-        gitlabUsername,
-        email,
-        name,
-      });
-
       if (!user) {
         return {
           content: [{ type: "text" as const, text: "No user found matching the given criteria." }],

package/src/types.ts

@@ -224,19 +224,41 @@ export const UserSchema = z.object({
   email: z.string().optional(),
   role: z.string().optional(),
   notes: z.string().optional(),
-  slackUserId: z.string().optional(),
-  linearUserId: z.string().optional(),
-  githubUsername: z.string().optional(),
-  gitlabUsername: z.string().optional(),
   emailAliases: z.array(z.string()).default([]),
   preferredChannel: z.string().default("slack"),
   timezone: z.string().optional(),
+  // Phase 064: free-form JSON for operator notes + integration hints.
+  metadata: z.record(z.string(), z.unknown()).optional(),
+  // NULL = unlimited (Phase 064).
+  dailyBudgetUsd: z.number().nullable().optional(),
+  // Lifecycle (Phase 064). CHECK constraint enforces these three values.
+  status: z.enum(["invited", "active", "suspended"]).default("active"),
   createdAt: z.iso.datetime(),
   lastUpdatedAt: z.iso.datetime(),
 });
 
 export type User = z.infer<typeof UserSchema>;
 
+/**
+ * Identity event types — mirrored in lockstep with the CHECK constraint on
+ * `user_identity_events.eventType` in migration 064. Drift breaks helper
+ * INSERTs at runtime; update both sides together.
+ */
+export const IdentityEventTypeSchema = z.enum([
+  "auto_merge",
+  "manual_merge",
+  "identity_added",
+  "identity_removed",
+  "email_added",
+  "email_removed",
+  "token_minted",
+  "token_revoked",
+  "budget_changed",
+  "status_changed",
+  "profile_changed",
+]);
+export type IdentityEventType = z.infer<typeof IdentityEventTypeSchema>;
+
 // ============================================================================
 // Inbox Item State (per-user dismiss/snooze/done for action-items inbox)
 // ============================================================================

package/src/utils/secret-scrubber.ts

@@ -124,6 +124,11 @@ const TOKEN_REGEXES: ReadonlyArray<{ name: string; re: RegExp }> = [
     name: "signoz_ingestion_key",
     re: /\bsignoz-ingestion-key=[A-Za-z0-9._~+/-]{20,}={0,2}\b/g,
   },
+  // Agent-swarm MCP user tokens (`aswt_<base62-20+>`). Schema lands in
+  // migration 064; mint/revoke endpoints ship with the MCP-token plan.
+  // Rule lives here now so plaintexts never leak into logs once endpoints
+  // come online.
+  { name: "mcp_token", re: /\baswt_[A-Za-z0-9]{20,}\b/g },
 ];
 
 interface EnvValueEntry {