@elevasis/core 0.11.1 → 0.12.0

package/src/_gen/__tests__/__snapshots__/contracts.md.snap

@@ -180,7 +180,8 @@ export type OrganizationModelKeyResult = z.infer<typeof KeyResultSchema>
 ### `DeepPartial`
 
 ```typescript
-export type DeepPartial<T> = T extends Array<infer U> ? Array<DeepPartial<U>> : T extends object ? { [K in keyof T]?: DeepPartial<T[K]> } : T
+export type DeepPartial<T> =
+  T extends Array<infer U> ? Array<DeepPartial<U>> : T extends object ? { [K in keyof T]?: DeepPartial<T[K]> } : T
 ```
 
 ## Feature System
@@ -189,13 +190,12 @@ export type DeepPartial<T> = T extends Array<infer U> ? Array<DeepPartial<U>> :
 
 ```typescript
 export type FeatureSidebarComponent = ComponentType
-export type FeatureIconComponent = ComponentType<{ size?: number;
 ```
 
 ### `FeatureIconComponent`
 
 ```typescript
-export type FeatureIconComponent = ComponentType<{ size?: number;
+export type FeatureIconComponent = ComponentType<{ size?: number; stroke?: number }>
 ```
 
 ### `FeatureSidebarWidthResolver`
@@ -361,26 +361,10 @@ export interface ElevasisFeaturesContextValue {
 ### `ResourceStatus`
 
 ```typescript
-/**
- * Resource Registry type definitions
- */
-
-import type { IntegrationType } from '../../execution/engine/tools/integration'
-import type { ResourceCategory, ResourceLink } from './resource-link'
-
-// ============================================================================
-// Core Resource Type Definitions
-// ============================================================================
-
 /**
  * Environment/deployment status for resources
- */
-export type ResourceStatus = 'dev' | 'prod'
-
-/**
- * All resource types in the platform
- * Used as the discriminator field in ResourceDefinition
- */
+ */
+export type ResourceStatus = 'dev' | 'prod'
 ```
 
 ### `ResourceType`
@@ -389,13 +373,8 @@ export type ResourceStatus = 'dev' | 'prod'
 /**
  * All resource types in the platform
  * Used as the discriminator field in ResourceDefinition
- */
-export type ResourceType = 'agent' | 'workflow' | 'trigger' | 'integration' | 'external' | 'human'
-
-/**
- * Executable resource types (subset of ResourceType)
- * These resources can be directly executed by the execution engine
- */
+ */
+export type ResourceType = 'agent' | 'workflow' | 'trigger' | 'integration' | 'external' | 'human'
 ```
 
 ### `ExecutableResourceType`
@@ -404,17 +383,8 @@ export type ResourceType = 'agent' | 'workflow' | 'trigger' | 'integration' | 'e
 /**
  * Executable resource types (subset of ResourceType)
  * These resources can be directly executed by the execution engine
- */
-export type ExecutableResourceType = 'workflow' | 'agent'
-
-// ============================================================================
-// Base Resource Interface
-// ============================================================================
-
-/**
- * Base interface for ALL platform resources
- * Shared by both executable (agents, workflows) and non-executable (triggers, integrations, etc.) resources
- */
+ */
+export type ExecutableResourceType = 'workflow' | 'agent'
 ```
 
 ### `ResourceDefinition`
@@ -423,7 +393,7 @@ export type ExecutableResourceType = 'workflow' | 'agent'
 /**
  * Base interface for ALL platform resources
  * Shared by both executable (agents, workflows) and non-executable (triggers, integrations, etc.) resources
- */
+ */
 export interface ResourceDefinition {
   /** Unique resource identifier */
   resourceId: string
@@ -463,44 +433,10 @@ export interface ResourceDefinition {
 ### `ResourceList`
 
 ```typescript
-/** Unique resource identifier */
-  resourceId: string
-
-  /** Display name */
-  name: string
-
-  /** Purpose and functionality description */
-  description: string
-
-  /** Version for change tracking and evolution */
-  version: string
-
-  /** Resource type discriminator */
-  type: ResourceType
-
-  /** Environment/deployment status */
-  status: ResourceStatus
-
-  /** Graph links to Organization Model nodes */
-  links?: ResourceLink[]
-
-  /** Infrastructure category for filtering */
-  category?: ResourceCategory
-
-  /** Whether the agent supports multi-turn sessions (agents only) */
-  sessionCapable?: boolean
-
-  /** Whether the resource is local (monorepo) or remote (externally deployed) */
-  origin?: 'local' | 'remote'
-
-  /** Whether this resource is archived and should be excluded from registration and deployment */
-  archived?: boolean
-}
-
 /**
  * Resource list for organization
  * Returns ResourceDefinition metadata (not full definitions)
- */
+ */
 export interface ResourceList {
   workflows: ResourceDefinition[]
   agents: ResourceDefinition[]
@@ -513,16 +449,14 @@ export interface ResourceList {
 ### `WebhookProviderType`
 
 ```typescript
-/** Webhook provider identifiers */
-export type WebhookProviderType = 'cal-com' | 'stripe' | 'signature-api' | 'instantly' | 'apify' | 'test'
-
-/** Webhook trigger configuration */
+/** Webhook provider identifiers */
+export type WebhookProviderType = 'cal-com' | 'stripe' | 'signature-api' | 'instantly' | 'apify' | 'test'
 ```
 
 ### `WebhookTriggerConfig`
 
 ```typescript
-/** Webhook trigger configuration */
+/** Webhook trigger configuration */
 export interface WebhookTriggerConfig {
   /** Provider identifier */
   provider: WebhookProviderType
@@ -538,17 +472,7 @@ export interface WebhookTriggerConfig {
 ### `ScheduleTriggerConfig`
 
 ```typescript
-/** Provider identifier */
-  provider: WebhookProviderType
-  /** Event type for documentation (not used for matching - workflow handles routing) */
-  event?: string
-  /** Optional filtering (e.g., specific form ID for Fillout) */
-  filter?: Record<string, string>
-  /** References credential in credentials table for per-org webhook secrets */
-  credentialName?: string
-}
-
-/** Schedule trigger configuration */
+/** Schedule trigger configuration */
 export interface ScheduleTriggerConfig {
   /** Cron expression (e.g., '0 6 * * *') */
   cron: string
@@ -560,13 +484,7 @@ export interface ScheduleTriggerConfig {
 ### `EventTriggerConfig`
 
 ```typescript
-/** Cron expression (e.g., '0 6 * * *') */
-  cron: string
-  /** Optional timezone (default: UTC) */
-  timezone?: string
-}
-
-/** Event trigger configuration */
+/** Event trigger configuration */
 export interface EventTriggerConfig {
   /** Internal event type */
   eventType: string
@@ -578,50 +496,8 @@ export interface EventTriggerConfig {
 ### `TriggerConfig`
 
 ```typescript
-/** Internal event type */
-  eventType: string
-  /** Event source */
-  source?: string
-}
-
-/** Union of all trigger configs */
-export type TriggerConfig = WebhookTriggerConfig | ScheduleTriggerConfig | EventTriggerConfig
-
-// ============================================================================
-// Trigger Definition
-// ============================================================================
-
-/**
- * Trigger metadata - entry points that initiate resource execution
- *
- * Triggers represent how executions start: webhooks from external services,
- * scheduled cron jobs, platform events, or manual user actions.
- *
- * BREAKING CHANGES (2025-11-30):
- * - Now extends ResourceDefinition (inherits: resourceId, name, description, version, type, status, links, category)
- * - Field renames: `id` -> `resourceId` (inherited), `type` -> `triggerType`
- * - Relationship rename: `invokes` -> `triggers` (unified vocabulary)
- * - New required fields: `version` (inherited), `type: 'trigger'` (inherited)
- * - triggers object now includes `externalResources` option
- *
- * @example
- * // TriggerDefinition - metadata only
- * {
- *   resourceId: 'trigger-new-order',
- *   type: 'trigger',
- *   triggerType: 'webhook',
- *   name: 'New Order',
- *   description: 'Webhook from Shopify on new orders',
- *   version: '1.0.0',
- *   status: 'prod',
- *   webhookPath: '/webhooks/shopify/orders'
- * }
- *
- * // Relationships declared in ResourceRelationships (not on TriggerDefinition):
- * // relationships: {
- * //   'trigger-new-order': { triggers: { workflows: ['order-fulfillment-workflow'] } }
- * // }
- */
+/** Union of all trigger configs */
+export type TriggerConfig = WebhookTriggerConfig | ScheduleTriggerConfig | EventTriggerConfig
 ```
 
 ### `TriggerDefinition`
@@ -657,7 +533,7 @@ export type TriggerConfig = WebhookTriggerConfig | ScheduleTriggerConfig | Event
  * // relationships: {
  * //   'trigger-new-order': { triggers: { workflows: ['order-fulfillment-workflow'] } }
  * // }
- */
+ */
 export interface TriggerDefinition extends ResourceDefinition {
   /** Resource type discriminator (narrowed from base union) */
   type: 'trigger'
@@ -684,27 +560,6 @@ export interface TriggerDefinition extends ResourceDefinition {
 ### `IntegrationDefinition`
 
 ```typescript
-/** Resource type discriminator (narrowed from base union) */
-  type: 'trigger'
-
-  /** Trigger mechanism type (renamed from 'type' to avoid collision with base type discriminator) */
-  triggerType: 'webhook' | 'schedule' | 'manual' | 'event'
-
-  /** Type-specific configuration */
-  config?: TriggerConfig
-
-  // Legacy fields (deprecated, use config instead)
-  /** For webhook triggers: path like '/webhooks/shopify/orders' */
-  webhookPath?: string
-  /** For schedule triggers: cron expression like '0 6 * * *' */
-  schedule?: string
-  /** For event triggers: event type like 'low-stock-alert' */
-  eventType?: string
-
-  // NOTE: What this trigger starts is declared in ResourceRelationships, not here
-  // This prevents duplication - triggers are forward-declared in relationships
-}
-
 /**
  * Integration metadata - external service connections
  *
@@ -729,7 +584,7 @@ export interface TriggerDefinition extends ResourceDefinition {
  *   version: '1.0.0',
  *   status: 'prod'
  * }
- */
+ */
 export interface IntegrationDefinition extends ResourceDefinition {
   /** Resource type discriminator (narrowed from base union) */
   type: 'integration'
@@ -744,15 +599,6 @@ export interface IntegrationDefinition extends ResourceDefinition {
 ### `RelationshipDeclaration`
 
 ```typescript
-/** Resource type discriminator (narrowed from base union) */
-  type: 'integration'
-
-  /** Integration provider type */
-  provider: IntegrationType
-  /** References credentials table (e.g., 'shopify-prod', 'zendesk-api') */
-  credentialName: string
-}
-
 /**
  * Explicit resource relationship declaration
  *
@@ -764,7 +610,7 @@ export interface IntegrationDefinition extends ResourceDefinition {
  *   triggers: { workflows: ['order-fulfillment-workflow'] },
  *   uses: { integrations: ['integration-shopify-prod', 'integration-postgres'] }
  * }
- */
+ */
 export interface RelationshipDeclaration {
   /** Resources this resource triggers */
   triggers?: {
@@ -784,20 +630,6 @@ export interface RelationshipDeclaration {
 ### `ResourceRelationships`
 
 ```typescript
-/** Resources this resource triggers */
-  triggers?: {
-    /** Agent resourceIds this resource triggers */
-    agents?: string[]
-    /** Workflow resourceIds this resource triggers */
-    workflows?: string[]
-  }
-  /** Integrations this resource uses */
-  uses?: {
-    /** Integration IDs this resource uses */
-    integrations?: string[]
-  }
-}
-
 /**
  * Resource relationships map
  * Maps resourceId to its relationship declarations
@@ -809,17 +641,8 @@ export interface RelationshipDeclaration {
  *     uses: { integrations: ['integration-shopify-prod'] }
  *   }
  * }
- */
-export type ResourceRelationships = Record<string, RelationshipDeclaration>
-
-// ============================================================================
-// External Resource Types
-// ============================================================================
-
-/**
- * External platform type
- * Supported third-party automation platforms
- */
+ */
+export type ResourceRelationships = Record<string, RelationshipDeclaration>
 ```
 
 ### `ExternalPlatform`
@@ -828,39 +651,8 @@ export type ResourceRelationships = Record<string, RelationshipDeclaration>
 /**
  * External platform type
  * Supported third-party automation platforms
- */
-export type ExternalPlatform = 'n8n' | 'make' | 'zapier' | 'other'
-
-/**
- * External automation resource metadata
- *
- * Represents workflows/automations running on third-party platforms
- * (n8n, Make, Zapier, etc.) for visualization in Command View.
- *
- * NOTE: This is metadata ONLY for visualization. No execution logic,
- * no API integration with external platforms, no status syncing.
- *
- * BREAKING CHANGES (2025-11-30):
- * - Now extends ResourceDefinition (inherits: resourceId, name, description, version, type, status, links, category)
- * - Field renames: `id` -> `resourceId` (inherited)
- * - New required field: `version` (inherited) - organizations must add version to all external resources
- * - New required field: `type: 'external'` (inherited) - resource type discriminator
- * - REMOVED FIELD: `triggeredBy` - per relationship-consolidation design, all relationships are forward-only declarations
- *
- * @example
- * {
- *   resourceId: 'external-n8n-order-sync',
- *   type: 'external',
- *   version: '1.0.0',
- *   platform: 'n8n',
- *   name: 'Shopify Order Sync',
- *   description: 'Legacy n8n workflow for syncing Shopify orders',
- *   status: 'prod',
- *   platformUrl: 'https://n8n.client.com/workflow/123',
- *   triggers: { workflows: ['order-fulfillment-workflow'] },
- *   uses: { integrations: ['integration-shopify-prod'] }
- * }
- */
+ */
+export type ExternalPlatform = 'n8n' | 'make' | 'zapier' | 'other'
 ```
 
 ### `ExternalResourceDefinition`
@@ -895,7 +687,7 @@ export type ExternalPlatform = 'n8n' | 'make' | 'zapier' | 'other'
  *   triggers: { workflows: ['order-fulfillment-workflow'] },
  *   uses: { integrations: ['integration-shopify-prod'] }
  * }
- */
+ */
 export interface ExternalResourceDefinition extends ResourceDefinition {
   /** Resource type discriminator (narrowed from base union) */
   type: 'external'
@@ -932,37 +724,6 @@ export interface ExternalResourceDefinition extends ResourceDefinition {
 ### `HumanCheckpointDefinition`
 
 ```typescript
-/** Resource type discriminator (narrowed from base union) */
-  type: 'external'
-
-  /** Platform type */
-  platform: ExternalPlatform
-
-  // Optional platform-specific metadata
-  /** Link to external platform (e.g., n8n workflow editor URL) */
-  platformUrl?: string
-  /** Platform's internal ID/reference */
-  externalId?: string
-
-  /** What this external resource triggers (external -> internal) */
-  triggers?: {
-    /** Elevasis workflow resourceIds this external automation triggers */
-    workflows?: string[]
-    /** Elevasis agent resourceIds this external automation triggers */
-    agents?: string[]
-  }
-
-  /** Integrations this external resource uses (shared credentials) */
-  uses?: {
-    /** Integration IDs this external automation uses */
-    integrations?: string[]
-  }
-
-  // NOTE: triggeredBy field removed - per relationship-consolidation design,
-  // all relationships are forward-only declarations. Graph edges are built
-  // from forward declarations only.
-}
-
 /**
  * Human Checkpoint definition - human decision points in automation
  *
@@ -987,7 +748,7 @@ export interface ExternalResourceDefinition extends ResourceDefinition {
  *   requestedBy: { agents: ['order-processor-agent'] },
  *   routesTo: { agents: ['order-fulfillment-agent'] }
  * }
- */
+ */
 export interface HumanCheckpointDefinition extends ResourceDefinition {
   /** Resource type discriminator (narrowed from base union) */
   type: 'human'
@@ -1015,10 +776,6 @@ export interface HumanCheckpointDefinition extends ResourceDefinition {
 ### `DeploymentSpec`
 
 ```typescript
-/** Always undefined for system resources; present for API compatibility with RemoteOrgConfig consumers */
-  sdkVersion?: never
-}
-
 /**
  * Organization-specific resource collection
  *

package/src/auth/multi-tenancy/credentials/server/encryption.ts

@@ -1,39 +1,83 @@
-import crypto from 'crypto'
-
-const MASTER_KEY = process.env.SECRETS_ENCRYPTION_KEY
-const ALGORITHM = 'aes-256-gcm'
-
-interface EncryptedData {
-  iv: string
-  authTag: string
-  data: string
-}
-
-export function encryptCredential(plaintext: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const iv = crypto.randomBytes(16)
-  const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), iv)
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
-  const authTag = cipher.getAuthTag()
-
-  return JSON.stringify({
-    iv: iv.toString('base64'),
-    authTag: authTag.toString('base64'),
-    data: encrypted.toString('base64')
-  })
-}
-
-export function decryptCredential(encrypted: string): string {
-  if (!MASTER_KEY) {
-    throw new Error('SECRETS_ENCRYPTION_KEY not configured')
-  }
-
-  const { iv, authTag, data } = JSON.parse(encrypted) as EncryptedData
-  const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(MASTER_KEY, 'hex'), Buffer.from(iv, 'base64'))
-  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
-
-  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
-}
+import crypto from 'crypto'
+
+const ALGORITHM = 'aes-256-gcm'
+
+// keyId stamped on all newly encrypted ciphertexts.
+export const CURRENT_KEY_ID = 'platform-v1'
+
+// Implicit keyId for pre-Vault ciphertext rows that were encrypted before this
+// field existed. The kek-loader registers the legacy SECRETS_ENCRYPTION_KEY env
+// value under this id during the migration window so existing rows decrypt
+// until the re-encryption script (B4) restamps them with CURRENT_KEY_ID.
+export const LEGACY_KEY_ID = 'platform-v0-legacy'
+
+interface EncryptedData {
+  iv: string
+  authTag: string
+  data: string
+  keyId?: string
+}
+
+const kekMap = new Map<string, Buffer>()
+
+export function setKek(keyId: string, key: Buffer): void {
+  if (key.length !== 32) {
+    throw new Error(`KEK must be 32 bytes (256 bits); got ${key.length}`)
+  }
+  kekMap.set(keyId, key)
+}
+
+export function clearKeks(): void {
+  kekMap.clear()
+}
+
+function resolveKek(keyId: string): Buffer | undefined {
+  const cached = kekMap.get(keyId)
+  if (cached) return cached
+
+  // Non-production fallback: bootstrap from SECRETS_ENCRYPTION_KEY so tests and
+  // local dev keep working without an explicit setKek() boot step. Production
+  // must register KEKs via the kek-loader; the env var is removed in Wave B5.
+  if (process.env.NODE_ENV !== 'production' && process.env.SECRETS_ENCRYPTION_KEY) {
+    const envKey = Buffer.from(process.env.SECRETS_ENCRYPTION_KEY, 'hex')
+    if (envKey.length === 32) {
+      kekMap.set(keyId, envKey)
+      return envKey
+    }
+  }
+
+  return undefined
+}
+
+export function encryptCredential(plaintext: string): string {
+  const key = resolveKek(CURRENT_KEY_ID)
+  if (!key) {
+    throw new Error(`Encryption KEK '${CURRENT_KEY_ID}' not loaded; call setKek() at boot`)
+  }
+
+  const iv = crypto.randomBytes(16)
+  const cipher = crypto.createCipheriv(ALGORITHM, key, iv)
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()])
+  const authTag = cipher.getAuthTag()
+
+  return JSON.stringify({
+    iv: iv.toString('base64'),
+    authTag: authTag.toString('base64'),
+    data: encrypted.toString('base64'),
+    keyId: CURRENT_KEY_ID
+  })
+}
+
+export function decryptCredential(encrypted: string): string {
+  const { iv, authTag, data, keyId } = JSON.parse(encrypted) as EncryptedData
+  const resolvedKeyId = keyId ?? LEGACY_KEY_ID
+  const key = resolveKek(resolvedKeyId)
+  if (!key) {
+    throw new Error(`Decryption KEK '${resolvedKeyId}' not loaded`)
+  }
+
+  const decipher = crypto.createDecipheriv(ALGORITHM, key, Buffer.from(iv, 'base64'))
+  decipher.setAuthTag(Buffer.from(authTag, 'base64'))
+
+  return Buffer.concat([decipher.update(Buffer.from(data, 'base64')), decipher.final()]).toString('utf8')
+}

package/src/auth/multi-tenancy/credentials/server/kek-loader.ts

@@ -0,0 +1,47 @@
+import { getSupabaseClient } from '../../../../supabase/server/client'
+import { setKek, CURRENT_KEY_ID, LEGACY_KEY_ID } from './encryption'
+
+let loaded = false
+
+/**
+ * Loads the platform credential KEK from Supabase Vault and registers it under
+ * `CURRENT_KEY_ID` ('platform-v1'). During the migration window, also registers
+ * the legacy `SECRETS_ENCRYPTION_KEY` env var under `LEGACY_KEY_ID` so existing
+ * ciphertext rows (no `keyId` field) can still be decrypted.
+ *
+ * Idempotent: subsequent calls are no-ops.
+ *
+ * Fails fast on missing / malformed Vault KEK so misconfigured deploys do not
+ * silently fall through to env-only encryption.
+ */
+export async function loadCredentialKEKs(): Promise<void> {
+  if (loaded) return
+
+  const supabase = await getSupabaseClient()
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- RPC isn't in generated types yet (run `supabase gen types` post-merge)
+  const { data, error } = await (supabase.rpc as any)('get_platform_credential_kek')
+  if (error) {
+    throw new Error(
+      `Failed to load platform credential KEK from Vault: ${error.message}. ` +
+        `Did you run provision-credential-kek.sql against this environment?`
+    )
+  }
+  if (typeof data !== 'string' || data.length === 0) {
+    throw new Error('Vault returned null/empty platform credential KEK')
+  }
+  const vaultKek = Buffer.from(data, 'hex')
+  if (vaultKek.length !== 32) {
+    throw new Error(`Vault KEK is ${vaultKek.length} bytes, expected 32`)
+  }
+  setKek(CURRENT_KEY_ID, vaultKek)
+
+  const legacyHex = process.env.SECRETS_ENCRYPTION_KEY
+  if (legacyHex) {
+    const legacyKey = Buffer.from(legacyHex, 'hex')
+    if (legacyKey.length === 32) {
+      setKek(LEGACY_KEY_ID, legacyKey)
+    }
+  }
+
+  loaded = true
+}

package/src/auth/multi-tenancy/index.ts

@@ -4,6 +4,9 @@ export * from './types'
 // Permission catalog (canonical PERMISSIONS constant + types)
 export * from './permissions'
 
+// Role management schemas
+export * from './role-management/index'
+
 // Organization types
 export * from './organizations/index'