npm - @elevasis/core - Versions diffs - 0.11.2 → 0.13.0 - Mend

@elevasis/core 0.11.2 → 0.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (50) hide show

package/dist/index.d.ts +2 -1
package/dist/index.js +8 -1
package/dist/organization-model/index.d.ts +2 -1
package/dist/organization-model/index.js +8 -1
package/dist/test-utils/index.d.ts +27 -15
package/dist/test-utils/index.js +25 -0
package/package.json +1 -1
package/src/_gen/__tests__/__snapshots__/contracts.md.snap +27 -270
package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts +217 -216
package/src/auth/multi-tenancy/credentials/server/encryption.ts +69 -39
package/src/auth/multi-tenancy/credentials/server/kek-loader.ts +37 -0
package/src/auth/multi-tenancy/index.ts +3 -0
package/src/auth/multi-tenancy/invitations/api-schemas.ts +104 -107
package/src/auth/multi-tenancy/memberships/api-schemas.ts +6 -5
package/src/auth/multi-tenancy/memberships/membership.ts +130 -138
package/src/auth/multi-tenancy/permissions.ts +12 -5
package/src/auth/multi-tenancy/role-management/api-schemas.ts +78 -0
package/src/auth/multi-tenancy/role-management/index.ts +16 -0
package/src/business/acquisition/activity-events.ts +142 -0
package/src/business/acquisition/api-schemas.ts +694 -689
package/src/business/acquisition/derive-actions.ts +90 -0
package/src/business/acquisition/index.ts +111 -109
package/src/execution/engine/index.ts +434 -434
package/src/execution/engine/tools/integration/server/adapters/apify/__tests__/apify-run-actor.integration.test.ts +298 -293
package/src/execution/engine/tools/integration/server/adapters/attio/__tests__/attio-crud.integration.test.ts +0 -1
package/src/execution/engine/tools/integration/service.test.ts +214 -0
package/src/execution/engine/tools/integration/service.ts +169 -161
package/src/execution/engine/tools/lead-service-types.ts +882 -879
package/src/execution/engine/tools/registry.ts +699 -700
package/src/execution/engine/tools/tool-maps.ts +777 -780
package/src/integrations/credentials/__tests__/api-schemas.test.ts +420 -496
package/src/integrations/credentials/api-schemas.ts +127 -143
package/src/integrations/webhook-endpoints/__tests__/api-schemas.test.ts +327 -318
package/src/integrations/webhook-endpoints/api-schemas.ts +103 -102
package/src/integrations/webhook-endpoints/types.ts +58 -51
package/src/operations/activities/api-schemas.ts +80 -79
package/src/operations/activities/types.ts +64 -63
package/src/organization-model/contracts.ts +1 -0
package/src/organization-model/defaults.ts +6 -0
package/src/organization-model/domains/navigation.ts +37 -23
package/src/organization-model/organization-graph.mdx +2 -2
package/src/organization-model/published.ts +2 -1
package/src/platform/constants/versions.ts +1 -1
package/src/reference/_generated/contracts.md +27 -270
package/src/scaffold-registry/__tests__/index.test.ts +72 -7
package/src/scaffold-registry/index.ts +163 -29
package/src/scaffold-registry/schema.ts +68 -62
package/src/server.ts +281 -272
package/src/supabase/database.types.ts +16 -10
package/src/test-utils/rls/RLSTestContext.ts +585 -553

package/src/integrations/credentials/__tests__/api-schemas.test.ts CHANGED Viewed

@@ -1,496 +1,420 @@
-/**
- * Credential API schemas tests
- * Tests all validation schemas for credentials endpoints
- * Focus: Security (path traversal, DoS, mass assignment, type coercion)
- */
-import { describe, it, expect } from 'vitest'
-import {
-  CredentialTypeSchema,
-  CreateCredentialRequestSchema,
-  UpdateCredentialParamsSchema,
-  UpdateCredentialRequestSchema,
-  DeleteCredentialParamsSchema,
-  DecryptCredentialParamsSchema,
-  ListCredentialsResponseSchema
-} from '../api-schemas'
-describe('CredentialTypeSchema', () => {
-  it('accepts valid credential types', () => {
-    // These are the actual types stored in the database
-    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
-    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
-    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
-  })
-  it('rejects invalid credential types', () => {
-    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
-    expect(() => CredentialTypeSchema.parse('')).toThrow()
-  })
-  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
-    // OAuth providers store type='oauth', not their provider name
-    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
-    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
-  })
-})
-describe('CreateCredentialRequestSchema', () => {
-  const validPayload = {
-    name: 'gmail-prod',
-    type: 'api-key' as const,
-    value: { apiKey: 'test-key-123' }
-  }
-  describe('valid requests', () => {
-    it('accepts valid credential creation request', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result).toEqual(validPayload)
-    })
-    it('accepts oauth type credentials', () => {
-      const payload = {
-        name: 'notion-dev',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-    it('accepts webhook-secret type credentials', () => {
-      const payload = {
-        name: 'stripe-webhook',
-        type: 'webhook-secret' as const,
-        value: { signingSecret: 'whsec_abc123' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-  })
-  describe('SECURITY: mass assignment prevention', () => {
-    it('rejects unknown fields (strict mode)', () => {
-      const payload = {
-        ...validPayload,
-        organizationId: 'attacker-org-id', // Injected field
-        createdBy: null // Override creator
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects extra top-level fields', () => {
-      const payload = {
-        ...validPayload,
-        maliciousField: 'value'
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid credential names', () => {
-      const payload = { ...validPayload, name: 'gmail prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      const payload = { ...validPayload, name: '../admin-cred' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects special characters in name', () => {
-      const payload = { ...validPayload, name: 'gmail@prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects names without hyphens', () => {
-      const payload = { ...validPayload, name: 'gmailprod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects underscores', () => {
-      const payload = { ...validPayload, name: 'gmail_prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('auto-lowercases uppercase input', () => {
-      const payload = { ...validPayload, name: 'Gmail-Prod' }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.name).toBe('gmail-prod')
-    })
-  })
-  describe('SECURITY: credential type validation', () => {
-    it('rejects invalid credential types', () => {
-      const payload = { ...validPayload, type: 'invalid-type' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null type', () => {
-      const payload = { ...validPayload, type: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as type', () => {
-      const payload = { ...validPayload, type: ['api-key'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty credential value', () => {
-      const payload = { ...validPayload, value: {} }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
-    })
-    it('rejects non-object value', () => {
-      const payload = { ...validPayload, value: 'string-instead-of-object' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null value', () => {
-      const payload = { ...validPayload, value: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as value', () => {
-      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: DoS prevention - credential value size', () => {
-    it('rejects credential value with too many keys (over 50)', () => {
-      const largeValue = Object.fromEntries(
-        Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value'])
-      )
-      const payload = { ...validPayload, value: largeValue }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
-    })
-    it('accepts credential value with max keys (50)', () => {
-      const maxValue = Object.fromEntries(
-        Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value'])
-      )
-      const payload = { ...validPayload, value: maxValue }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(Object.keys(result.value).length).toBe(50)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      const payload = { ...validPayload, value: { apiKey: hugeString } }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
-    })
-    it('accepts string values at max size (10KB)', () => {
-      const maxString = 'a'.repeat(10240)
-      const payload = { ...validPayload, value: { apiKey: maxString } }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value.apiKey).toBe(maxString)
-    })
-    it('allows non-string values without size checks', () => {
-      const payload = {
-        ...validPayload,
-        value: {
-          apiKey: 'test',
-          number: 12345,
-          boolean: true,
-          nested: { key: 'value' }
-        }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value).toEqual(payload.value)
-    })
-  })
-  describe('required fields', () => {
-    it('rejects missing name', () => {
-      const { name: _name, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing type', () => {
-      const { type: _type, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing value', () => {
-      const { value: _value, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('provider field (OAuth provider identification)', () => {
-    it('accepts OAuth credential with provider', () => {
-      const payload = {
-        name: 'my-dropbox',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' },
-        provider: 'dropbox'
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.provider).toBe('dropbox')
-    })
-    it('accepts request without provider (optional field)', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result.provider).toBeUndefined()
-    })
-    it('accepts various OAuth provider values', () => {
-      const providers = ['dropbox', 'notion', 'google-sheets']
-      for (const provider of providers) {
-        const payload = {
-          name: `my-${provider}`,
-          type: 'oauth' as const,
-          value: { accessToken: 'token' },
-          provider
-        }
-        const result = CreateCredentialRequestSchema.parse(payload)
-        expect(result.provider).toBe(provider)
-      }
-    })
-  })
-})
-describe('UpdateCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-  it('rejects number instead of UUID', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
-  })
-})
-describe('UpdateCredentialRequestSchema', () => {
-  const validValue = { apiKey: 'updated-key' }
-  const validName = 'updated-name'
-  describe('valid requests', () => {
-    it('accepts update with value only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBeUndefined()
-    })
-    it('accepts update with name only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ name: validName })
-      expect(result.name).toBe(validName)
-      expect(result.value).toBeUndefined()
-    })
-    it('accepts update with both value and name', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBe(validName)
-    })
-  })
-  describe('SECURITY: strict mode', () => {
-    it('rejects unknown fields', () => {
-      const payload = { value: validValue, unknownField: 'test' }
-      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('validation: at least one field required', () => {
-    it('rejects empty update (no fields)', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
-    })
-    it('rejects update with undefined fields only', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(/At least one field/)
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty value object', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
-    })
-    it('rejects value with too many keys', () => {
-      const largeValue = Object.fromEntries(
-        Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value'])
-      )
-      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid name format', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
-    })
-  })
-})
-describe('DeleteCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-})
-describe('ListCredentialsResponseSchema - Provider Field', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('validates response with provider set', () => {
-    const response = {
-      credentials: [{
-        id: validUuid,
-        name: 'dropbox-cred',
-        type: 'oauth',
-        provider: 'dropbox',
-        createdAt: '2026-02-02T00:00:00.000Z'
-      }]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-  })
-  it('validates response with null provider (non-OAuth credentials)', () => {
-    const response = {
-      credentials: [{
-        id: validUuid,
-        name: 'api-key',
-        type: 'api-key',
-        provider: null,
-        createdAt: '2026-02-02T00:00:00.000Z'
-      }]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBeNull()
-  })
-  it('validates response with mixed provider values', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'dropbox-cred',
-          type: 'oauth',
-          provider: 'dropbox',
-          createdAt: '2026-02-02T00:00:00.000Z'
-        },
-        {
-          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
-          name: 'api-key',
-          type: 'api-key',
-          provider: null,
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-    expect(result.credentials[1].provider).toBeNull()
-  })
-})
-describe('DecryptCredentialParamsSchema - CRITICAL ENDPOINT', () => {
-  describe('valid credential names', () => {
-    it('accepts valid credential name', () => {
-      const result = DecryptCredentialParamsSchema.parse({ credentialName: 'gmail-prod' })
-      expect(result.credentialName).toBe('gmail-prod')
-    })
-    it('accepts multi-segment names', () => {
-      const result = DecryptCredentialParamsSchema.parse({ credentialName: 'notion-dev-2024' })
-      expect(result.credentialName).toBe('notion-dev-2024')
-    })
-    it('trims whitespace', () => {
-      const result = DecryptCredentialParamsSchema.parse({ credentialName: '  gmail-prod  ' })
-      expect(result.credentialName).toBe('gmail-prod')
-    })
-    it('auto-lowercases input', () => {
-      const result = DecryptCredentialParamsSchema.parse({ credentialName: 'Gmail-Prod' })
-      expect(result.credentialName).toBe('gmail-prod')
-    })
-  })
-  describe('CRITICAL SECURITY: path traversal prevention', () => {
-    it('rejects path traversal attempts', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: '../admin-cred' })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: '../../secrets' })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: './../config' })).toThrow(/must be lowercase/)
-    })
-    it('rejects relative path characters', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: './local-cred' })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: '../parent' })).toThrow(/must be lowercase/)
-    })
-  })
-  describe('CRITICAL SECURITY: SQL injection prevention', () => {
-    it('rejects SQL injection attempts', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: "' OR '1'='1" })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: "admin'; DROP TABLE credentials;--" })).toThrow(/must be lowercase/)
-    })
-  })
-  describe('CRITICAL SECURITY: special character prevention', () => {
-    it('rejects names with spaces', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: 'gmail prod' })).toThrow(/must be lowercase/)
-    })
-    it('rejects names with special characters', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: 'gmail@prod' })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: 'notion#dev' })).toThrow(/must be lowercase/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: 'slack$prod' })).toThrow(/must be lowercase/)
-    })
-  })
-  describe('CRITICAL SECURITY: DoS prevention', () => {
-    it('rejects empty names', () => {
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: '' })).toThrow(/required/)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: '   ' })).toThrow(/required/)
-    })
-    it('rejects names too long (over 100 chars)', () => {
-      const longName = 'a-' + 'b'.repeat(99)
-      expect(() => DecryptCredentialParamsSchema.parse({ credentialName: longName })).toThrow(/too long/)
-    })
-    it('accepts names at max length (100 chars)', () => {
-      const maxName = 'a'.repeat(49) + '-' + 'b'.repeat(49) + 'c'
-      const result = DecryptCredentialParamsSchema.parse({ credentialName: maxName })
-      expect(result.credentialName).toBe(maxName)
-    })
-  })
-})
+/**
+ * Credential API schemas tests
+ * Tests all validation schemas for credentials endpoints
+ * Focus: Security (path traversal, DoS, mass assignment, type coercion)
+ */
+import { describe, it, expect } from 'vitest'
+import {
+  CredentialTypeSchema,
+  CreateCredentialRequestSchema,
+  UpdateCredentialParamsSchema,
+  UpdateCredentialRequestSchema,
+  DeleteCredentialParamsSchema,
+  ListCredentialsResponseSchema
+} from '../api-schemas'
+describe('CredentialTypeSchema', () => {
+  it('accepts valid credential types', () => {
+    // These are the actual types stored in the database
+    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
+    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
+    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
+  })
+  it('rejects invalid credential types', () => {
+    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
+    expect(() => CredentialTypeSchema.parse('')).toThrow()
+  })
+  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
+    // OAuth providers store type='oauth', not their provider name
+    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
+    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
+  })
+})
+describe('CreateCredentialRequestSchema', () => {
+  const validPayload = {
+    name: 'gmail-prod',
+    type: 'api-key' as const,
+    value: { apiKey: 'test-key-123' }
+  }
+  describe('valid requests', () => {
+    it('accepts valid credential creation request', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result).toEqual(validPayload)
+    })
+    it('accepts oauth type credentials', () => {
+      const payload = {
+        name: 'notion-dev',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+    it('accepts webhook-secret type credentials', () => {
+      const payload = {
+        name: 'stripe-webhook',
+        type: 'webhook-secret' as const,
+        value: { signingSecret: 'whsec_abc123' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+  })
+  describe('SECURITY: mass assignment prevention', () => {
+    it('rejects unknown fields (strict mode)', () => {
+      const payload = {
+        ...validPayload,
+        organizationId: 'attacker-org-id', // Injected field
+        createdBy: null // Override creator
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects extra top-level fields', () => {
+      const payload = {
+        ...validPayload,
+        maliciousField: 'value'
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid credential names', () => {
+      const payload = { ...validPayload, name: 'gmail prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      const payload = { ...validPayload, name: '../admin-cred' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects special characters in name', () => {
+      const payload = { ...validPayload, name: 'gmail@prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects names without hyphens', () => {
+      const payload = { ...validPayload, name: 'gmailprod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects underscores', () => {
+      const payload = { ...validPayload, name: 'gmail_prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('auto-lowercases uppercase input', () => {
+      const payload = { ...validPayload, name: 'Gmail-Prod' }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.name).toBe('gmail-prod')
+    })
+  })
+  describe('SECURITY: credential type validation', () => {
+    it('rejects invalid credential types', () => {
+      const payload = { ...validPayload, type: 'invalid-type' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null type', () => {
+      const payload = { ...validPayload, type: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as type', () => {
+      const payload = { ...validPayload, type: ['api-key'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty credential value', () => {
+      const payload = { ...validPayload, value: {} }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
+    })
+    it('rejects non-object value', () => {
+      const payload = { ...validPayload, value: 'string-instead-of-object' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null value', () => {
+      const payload = { ...validPayload, value: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as value', () => {
+      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: DoS prevention - credential value size', () => {
+    it('rejects credential value with too many keys (over 50)', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: largeValue }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
+    })
+    it('accepts credential value with max keys (50)', () => {
+      const maxValue = Object.fromEntries(Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: maxValue }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(Object.keys(result.value).length).toBe(50)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      const payload = { ...validPayload, value: { apiKey: hugeString } }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
+    })
+    it('accepts string values at max size (10KB)', () => {
+      const maxString = 'a'.repeat(10240)
+      const payload = { ...validPayload, value: { apiKey: maxString } }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value.apiKey).toBe(maxString)
+    })
+    it('allows non-string values without size checks', () => {
+      const payload = {
+        ...validPayload,
+        value: {
+          apiKey: 'test',
+          number: 12345,
+          boolean: true,
+          nested: { key: 'value' }
+        }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value).toEqual(payload.value)
+    })
+  })
+  describe('required fields', () => {
+    it('rejects missing name', () => {
+      const { name: _name, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing type', () => {
+      const { type: _type, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing value', () => {
+      const { value: _value, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('provider field (OAuth provider identification)', () => {
+    it('accepts OAuth credential with provider', () => {
+      const payload = {
+        name: 'my-dropbox',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' },
+        provider: 'dropbox'
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.provider).toBe('dropbox')
+    })
+    it('accepts request without provider (optional field)', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result.provider).toBeUndefined()
+    })
+    it('accepts various OAuth provider values', () => {
+      const providers = ['dropbox', 'notion', 'google-sheets']
+      for (const provider of providers) {
+        const payload = {
+          name: `my-${provider}`,
+          type: 'oauth' as const,
+          value: { accessToken: 'token' },
+          provider
+        }
+        const result = CreateCredentialRequestSchema.parse(payload)
+        expect(result.provider).toBe(provider)
+      }
+    })
+  })
+})
+describe('UpdateCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+  it('rejects number instead of UUID', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
+  })
+})
+describe('UpdateCredentialRequestSchema', () => {
+  const validValue = { apiKey: 'updated-key' }
+  const validName = 'updated-name'
+  describe('valid requests', () => {
+    it('accepts update with value only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBeUndefined()
+    })
+    it('accepts update with name only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ name: validName })
+      expect(result.name).toBe(validName)
+      expect(result.value).toBeUndefined()
+    })
+    it('accepts update with both value and name', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBe(validName)
+    })
+  })
+  describe('SECURITY: strict mode', () => {
+    it('rejects unknown fields', () => {
+      const payload = { value: validValue, unknownField: 'test' }
+      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('validation: at least one field required', () => {
+    it('rejects empty update (no fields)', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
+    })
+    it('rejects update with undefined fields only', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(
+        /At least one field/
+      )
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty value object', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
+    })
+    it('rejects value with too many keys', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid name format', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
+    })
+  })
+})
+describe('DeleteCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+})
+describe('ListCredentialsResponseSchema - Provider Field', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('validates response with provider set', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+  })
+  it('validates response with null provider (non-OAuth credentials)', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBeNull()
+  })
+  it('validates response with mixed provider values', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        },
+        {
+          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+    expect(result.credentials[1].provider).toBeNull()
+  })
+})