npm - @elevasis/core - Versions diffs - 0.22.0 → 0.24.0 - Mend

@elevasis/core 0.22.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (244) hide show

package/dist/index.d.ts +3214 -2501
package/dist/index.js +3112 -1222
package/dist/knowledge/index.d.ts +1108 -1264
package/dist/knowledge/index.js +112 -9
package/dist/organization-model/index.d.ts +3214 -2501
package/dist/organization-model/index.js +3112 -1222
package/dist/test-utils/index.d.ts +985 -1103
package/dist/test-utils/index.js +2464 -1165
package/package.json +5 -5
package/src/README.md +14 -14
package/src/__tests__/publish.test.ts +24 -24
package/src/__tests__/template-core-compatibility.test.ts +9 -80
package/src/_gen/__tests__/__snapshots__/contracts.md.snap +2389 -2121
package/src/_gen/__tests__/scaffold-contracts.test.ts +30 -30
package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts +217 -217
package/src/auth/multi-tenancy/credentials/server/encryption.ts +69 -69
package/src/auth/multi-tenancy/credentials/server/kek-loader.ts +37 -37
package/src/auth/multi-tenancy/index.ts +26 -26
package/src/auth/multi-tenancy/invitations/api-schemas.ts +104 -104
package/src/auth/multi-tenancy/memberships/api-schemas.ts +143 -143
package/src/auth/multi-tenancy/memberships/index.ts +26 -26
package/src/auth/multi-tenancy/memberships/membership.ts +130 -130
package/src/auth/multi-tenancy/organizations/__tests__/api-schemas.test.ts +194 -194
package/src/auth/multi-tenancy/organizations/api-schemas.ts +136 -136
package/src/auth/multi-tenancy/permissions.test.ts +42 -42
package/src/auth/multi-tenancy/permissions.ts +123 -123
package/src/auth/multi-tenancy/role-management/api-schemas.ts +78 -78
package/src/auth/multi-tenancy/role-management/index.ts +16 -16
package/src/auth/multi-tenancy/theme-presets.ts +45 -45
package/src/auth/multi-tenancy/types.ts +57 -57
package/src/auth/multi-tenancy/users/api-schemas.ts +165 -165
package/src/business/README.md +2 -2
package/src/business/acquisition/activity-events.test.ts +250 -250
package/src/business/acquisition/activity-events.ts +93 -93
package/src/business/acquisition/api-schemas.test.ts +1883 -1843
package/src/business/acquisition/api-schemas.ts +1493 -1500
package/src/business/acquisition/build-templates.test.ts +240 -240
package/src/business/acquisition/build-templates.ts +83 -41
package/src/business/acquisition/crm-next-action.test.ts +262 -262
package/src/business/acquisition/crm-next-action.ts +220 -220
package/src/business/acquisition/crm-priority.test.ts +216 -216
package/src/business/acquisition/crm-priority.ts +349 -349
package/src/business/acquisition/crm-state-actions.test.ts +153 -151
package/src/business/acquisition/deal-ownership.test.ts +351 -351
package/src/business/acquisition/deal-ownership.ts +120 -120
package/src/business/acquisition/derive-actions.test.ts +129 -104
package/src/business/acquisition/derive-actions.ts +74 -84
package/src/business/acquisition/index.ts +171 -170
package/src/business/acquisition/ontology-validation.ts +309 -0
package/src/business/acquisition/stateful.ts +30 -30
package/src/business/acquisition/types.ts +396 -392
package/src/business/clients/api-schemas.test.ts +115 -115
package/src/business/clients/api-schemas.ts +158 -158
package/src/business/clients/index.ts +1 -1
package/src/business/crm/api-schemas.ts +40 -40
package/src/business/crm/index.ts +1 -1
package/src/business/deals/api-schemas.ts +87 -87
package/src/business/deals/index.ts +1 -1
package/src/business/index.ts +5 -5
package/src/business/projects/types.ts +144 -144
package/src/commands/queue/types/task.ts +15 -15
package/src/execution/core/runner-types.ts +61 -61
package/src/execution/core/sse-executions.ts +7 -7
package/src/execution/engine/__tests__/fixtures/test-agents.ts +10 -10
package/src/execution/engine/agent/core/__tests__/agent.test.ts +16 -16
package/src/execution/engine/agent/core/__tests__/error-passthrough.test.ts +4 -4
package/src/execution/engine/agent/core/types.ts +25 -25
package/src/execution/engine/agent/index.ts +6 -6
package/src/execution/engine/agent/reasoning/__tests__/request-builder.test.ts +24 -24
package/src/execution/engine/index.ts +443 -443
package/src/execution/engine/tools/integration/server/adapters/apify/__tests__/apify-run-actor.integration.test.ts +298 -298
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.test.ts +55 -55
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.ts +107 -107
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.test.ts +48 -48
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.ts +99 -99
package/src/execution/engine/tools/integration/server/adapters/apollo/index.ts +1 -1
package/src/execution/engine/tools/integration/server/adapters/attio/__tests__/attio-crud.integration.test.ts +363 -363
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/get-record/index.test.ts +162 -162
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/list-records/index.test.ts +316 -316
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.test.ts +18 -18
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.ts +194 -194
package/src/execution/engine/tools/integration/server/adapters/clickup/index.ts +7 -7
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-adapter.ts +204 -204
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-tools.ts +105 -105
package/src/execution/engine/tools/integration/server/adapters/google-calendar/google-calendar-adapter.ts +428 -428
package/src/execution/engine/tools/integration/server/adapters/google-calendar/index.ts +2 -2
package/src/execution/engine/tools/integration/server/adapters/google-sheets/__tests__/google-sheets.integration.test.ts +261 -261
package/src/execution/engine/tools/integration/server/adapters/instantly/instantly-tools.ts +1474 -1474
package/src/execution/engine/tools/integration/server/adapters/millionverifier/millionverifier-tools.ts +103 -103
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.test.ts +88 -88
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.ts +141 -141
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/utils/types.ts +76 -76
package/src/execution/engine/tools/integration/server/adapters/signature-api/signature-api-tools.ts +182 -182
package/src/execution/engine/tools/integration/server/adapters/stripe/stripe-tools.ts +310 -310
package/src/execution/engine/tools/integration/service.test.ts +239 -239
package/src/execution/engine/tools/integration/service.ts +172 -172
package/src/execution/engine/tools/integration/tool.ts +255 -255
package/src/execution/engine/tools/lead-service-types.ts +1005 -1005
package/src/execution/engine/tools/messages.ts +43 -43
package/src/execution/engine/tools/platform/acquisition/company-tools.ts +7 -7
package/src/execution/engine/tools/platform/acquisition/contact-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/list-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/types.ts +280 -280
package/src/execution/engine/tools/platform/email/types.ts +97 -97
package/src/execution/engine/tools/registry.ts +704 -704
package/src/execution/engine/tools/tool-maps.ts +831 -831
package/src/execution/engine/tools/types.ts +234 -234
package/src/execution/engine/workflow/types.ts +202 -202
package/src/execution/external/__tests__/api-schemas.test.ts +127 -127
package/src/execution/external/api-schemas.ts +40 -40
package/src/execution/external/index.ts +1 -1
package/src/index.ts +18 -18
package/src/integrations/credentials/__tests__/api-schemas.test.ts +420 -420
package/src/integrations/credentials/api-schemas.ts +146 -146
package/src/integrations/credentials/schemas.ts +200 -200
package/src/integrations/oauth/__tests__/provider-registry.test.ts +7 -7
package/src/integrations/oauth/provider-registry.ts +74 -74
package/src/integrations/oauth/server/credentials.ts +43 -43
package/src/integrations/webhook-endpoints/__tests__/api-schemas.test.ts +327 -327
package/src/integrations/webhook-endpoints/api-schemas.ts +103 -103
package/src/integrations/webhook-endpoints/types.ts +58 -58
package/src/knowledge/README.md +33 -32
package/src/knowledge/__tests__/queries.test.ts +633 -541
package/src/knowledge/format.ts +100 -99
package/src/knowledge/index.ts +5 -5
package/src/knowledge/published.ts +5 -5
package/src/knowledge/queries.ts +274 -222
package/src/operations/activities/api-schemas.ts +80 -80
package/src/operations/activities/types.ts +64 -64
package/src/organization-model/README.md +149 -109
package/src/organization-model/__tests__/content-kinds-registry.test.ts +210 -0
package/src/organization-model/__tests__/defaults.test.ts +168 -194
package/src/organization-model/__tests__/domains/actions.test.ts +78 -0
package/src/organization-model/__tests__/domains/customers.test.ts +48 -44
package/src/organization-model/__tests__/domains/entities.test.ts +56 -0
package/src/organization-model/__tests__/domains/goals.test.ts +110 -96
package/src/organization-model/__tests__/domains/identity.test.ts +4 -3
package/src/organization-model/__tests__/domains/navigation.test.ts +222 -166
package/src/organization-model/__tests__/domains/offerings.test.ts +83 -88
package/src/organization-model/__tests__/domains/policies.test.ts +323 -0
package/src/organization-model/__tests__/domains/resource-mappings.test.ts +30 -30
package/src/organization-model/__tests__/domains/resources.test.ts +396 -175
package/src/organization-model/__tests__/domains/roles.test.ts +463 -402
package/src/organization-model/__tests__/domains/statuses.test.ts +13 -10
package/src/organization-model/__tests__/domains/systems.test.ts +209 -193
package/src/organization-model/__tests__/flatten-additive-merge.test.ts +362 -0
package/src/organization-model/__tests__/foundation.test.ts +47 -75
package/src/organization-model/__tests__/get-resources-for-system.test.ts +144 -0
package/src/organization-model/__tests__/graph.test.ts +1336 -149
package/src/organization-model/__tests__/icons.test.ts +10 -1
package/src/organization-model/__tests__/knowledge.test.ts +418 -61
package/src/organization-model/__tests__/lookup-helpers.test.ts +438 -0
package/src/organization-model/__tests__/migration-helpers.test.ts +591 -0
package/src/organization-model/__tests__/prospecting-ssot.test.ts +103 -94
package/src/organization-model/__tests__/recursive-system-schema.test.ts +549 -0
package/src/organization-model/__tests__/resolve.test.ts +303 -42
package/src/organization-model/__tests__/schema.test.ts +863 -153
package/src/organization-model/__tests__/surface-projection.test.ts +284 -174
package/src/organization-model/catalogs/lead-gen.ts +144 -0
package/src/organization-model/content-kinds/config.ts +36 -0
package/src/organization-model/content-kinds/index.ts +78 -0
package/src/organization-model/content-kinds/pipeline.ts +68 -0
package/src/organization-model/content-kinds/registry.ts +44 -0
package/src/organization-model/content-kinds/status.ts +71 -0
package/src/organization-model/content-kinds/template.ts +83 -0
package/src/organization-model/content-kinds/types.ts +117 -0
package/src/organization-model/contracts.ts +27 -17
package/src/organization-model/defaults.ts +489 -107
package/src/organization-model/domains/actions.ts +333 -0
package/src/organization-model/domains/customers.ts +10 -7
package/src/organization-model/domains/entities.ts +144 -0
package/src/organization-model/domains/goals.ts +9 -6
package/src/organization-model/domains/knowledge.ts +128 -54
package/src/organization-model/domains/navigation.ts +139 -416
package/src/organization-model/domains/offerings.ts +15 -10
package/src/organization-model/domains/policies.ts +102 -0
package/src/organization-model/domains/projects.ts +6 -40
package/src/organization-model/domains/prospecting.ts +395 -514
package/src/organization-model/domains/resources.ts +173 -81
package/src/organization-model/domains/roles.ts +96 -93
package/src/organization-model/domains/sales.test.ts +218 -218
package/src/organization-model/domains/sales.ts +380 -589
package/src/organization-model/domains/shared.ts +8 -8
package/src/organization-model/domains/statuses.ts +298 -89
package/src/organization-model/domains/systems.ts +240 -38
package/src/organization-model/foundation.ts +35 -48
package/src/organization-model/graph/build.ts +1035 -279
package/src/organization-model/graph/index.ts +4 -4
package/src/organization-model/graph/link.ts +10 -10
package/src/organization-model/graph/schema.ts +77 -56
package/src/organization-model/graph/types.ts +75 -56
package/src/organization-model/helpers.ts +312 -59
package/src/organization-model/icons.ts +78 -66
package/src/organization-model/index.ts +129 -16
package/src/organization-model/migration-helpers.ts +252 -0
package/src/organization-model/ontology.ts +661 -0
package/src/organization-model/organization-graph.mdx +110 -89
package/src/organization-model/organization-model.mdx +226 -171
package/src/organization-model/published.ts +295 -139
package/src/organization-model/resolve.ts +139 -21
package/src/organization-model/schema.ts +841 -301
package/src/organization-model/surface-projection.ts +212 -218
package/src/organization-model/types.ts +181 -90
package/src/platform/api/types.ts +38 -38
package/src/platform/constants/versions.ts +3 -3
package/src/platform/index.ts +23 -23
package/src/platform/registry/__tests__/command-view.test.ts +5 -7
package/src/platform/registry/__tests__/resource-link.test.ts +35 -30
package/src/platform/registry/__tests__/resource-registry.integration.test.ts +17 -32
package/src/platform/registry/__tests__/resource-registry.nested-systems.test.ts +245 -0
package/src/platform/registry/__tests__/resource-registry.test.ts +2053 -2051
package/src/platform/registry/__tests__/validation.test.ts +1347 -1343
package/src/platform/registry/command-view.ts +10 -10
package/src/platform/registry/index.ts +103 -103
package/src/platform/registry/resource-link.ts +32 -32
package/src/platform/registry/resource-registry.ts +890 -878
package/src/platform/registry/serialization.ts +295 -295
package/src/platform/registry/serialized-types.ts +166 -166
package/src/platform/registry/stats-types.ts +68 -68
package/src/platform/registry/types.ts +425 -425
package/src/platform/registry/validation.ts +745 -743
package/src/platform/utils/__tests__/validation.test.ts +1084 -1084
package/src/platform/utils/validation.ts +425 -425
package/src/projects/api-schemas.test.ts +39 -39
package/src/projects/api-schemas.ts +291 -291
package/src/reference/_generated/contracts.md +2389 -2121
package/src/reference/glossary.md +76 -76
package/src/scaffold-registry/__tests__/index.test.ts +206 -206
package/src/scaffold-registry/__tests__/schema.test.ts +166 -166
package/src/scaffold-registry/index.ts +392 -392
package/src/scaffold-registry/schema.ts +243 -243
package/src/server.ts +289 -289
package/src/supabase/database.types.ts +3153 -3093
package/src/test-utils/README.md +37 -37
package/src/test-utils/entities.ts +108 -108
package/src/test-utils/fixtures/memberships.ts +82 -82
package/src/test-utils/index.ts +12 -12
package/src/test-utils/organization-model.ts +65 -65
package/src/test-utils/published.ts +6 -6
package/src/test-utils/rls/RLSTestContext.ts +588 -588
package/src/test-utils/test-utils.test.ts +44 -49
package/src/organization-model/__tests__/domains/operations.test.ts +0 -203
package/src/organization-model/domains/features.ts +0 -31
package/src/organization-model/domains/operations.ts +0 -85

package/src/integrations/credentials/__tests__/api-schemas.test.ts CHANGED Viewed

@@ -1,420 +1,420 @@
-/**
- * Credential API schemas tests
- * Tests all validation schemas for credentials endpoints
- * Focus: Security (path traversal, DoS, mass assignment, type coercion)
- */
-import { describe, it, expect } from 'vitest'
-import {
-  CredentialTypeSchema,
-  CreateCredentialRequestSchema,
-  UpdateCredentialParamsSchema,
-  UpdateCredentialRequestSchema,
-  DeleteCredentialParamsSchema,
-  ListCredentialsResponseSchema
-} from '../api-schemas'
-describe('CredentialTypeSchema', () => {
-  it('accepts valid credential types', () => {
-    // These are the actual types stored in the database
-    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
-    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
-    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
-  })
-  it('rejects invalid credential types', () => {
-    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
-    expect(() => CredentialTypeSchema.parse('')).toThrow()
-  })
-  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
-    // OAuth providers store type='oauth', not their provider name
-    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
-    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
-  })
-})
-describe('CreateCredentialRequestSchema', () => {
-  const validPayload = {
-    name: 'gmail-prod',
-    type: 'api-key' as const,
-    value: { apiKey: 'test-key-123' }
-  }
-  describe('valid requests', () => {
-    it('accepts valid credential creation request', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result).toEqual(validPayload)
-    })
-    it('accepts oauth type credentials', () => {
-      const payload = {
-        name: 'notion-dev',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-    it('accepts webhook-secret type credentials', () => {
-      const payload = {
-        name: 'stripe-webhook',
-        type: 'webhook-secret' as const,
-        value: { signingSecret: 'whsec_abc123' }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result).toEqual(payload)
-    })
-  })
-  describe('SECURITY: mass assignment prevention', () => {
-    it('rejects unknown fields (strict mode)', () => {
-      const payload = {
-        ...validPayload,
-        organizationId: 'attacker-org-id', // Injected field
-        createdBy: null // Override creator
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects extra top-level fields', () => {
-      const payload = {
-        ...validPayload,
-        maliciousField: 'value'
-      }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid credential names', () => {
-      const payload = { ...validPayload, name: 'gmail prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      const payload = { ...validPayload, name: '../admin-cred' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects special characters in name', () => {
-      const payload = { ...validPayload, name: 'gmail@prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects names without hyphens', () => {
-      const payload = { ...validPayload, name: 'gmailprod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('rejects underscores', () => {
-      const payload = { ...validPayload, name: 'gmail_prod' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
-    })
-    it('auto-lowercases uppercase input', () => {
-      const payload = { ...validPayload, name: 'Gmail-Prod' }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.name).toBe('gmail-prod')
-    })
-  })
-  describe('SECURITY: credential type validation', () => {
-    it('rejects invalid credential types', () => {
-      const payload = { ...validPayload, type: 'invalid-type' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null type', () => {
-      const payload = { ...validPayload, type: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as type', () => {
-      const payload = { ...validPayload, type: ['api-key'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty credential value', () => {
-      const payload = { ...validPayload, value: {} }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
-    })
-    it('rejects non-object value', () => {
-      const payload = { ...validPayload, value: 'string-instead-of-object' }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects null value', () => {
-      const payload = { ...validPayload, value: null }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects array as value', () => {
-      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('SECURITY: DoS prevention - credential value size', () => {
-    it('rejects credential value with too many keys (over 50)', () => {
-      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
-      const payload = { ...validPayload, value: largeValue }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
-    })
-    it('accepts credential value with max keys (50)', () => {
-      const maxValue = Object.fromEntries(Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value']))
-      const payload = { ...validPayload, value: maxValue }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(Object.keys(result.value).length).toBe(50)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      const payload = { ...validPayload, value: { apiKey: hugeString } }
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
-    })
-    it('accepts string values at max size (10KB)', () => {
-      const maxString = 'a'.repeat(10240)
-      const payload = { ...validPayload, value: { apiKey: maxString } }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value.apiKey).toBe(maxString)
-    })
-    it('allows non-string values without size checks', () => {
-      const payload = {
-        ...validPayload,
-        value: {
-          apiKey: 'test',
-          number: 12345,
-          boolean: true,
-          nested: { key: 'value' }
-        }
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.value).toEqual(payload.value)
-    })
-  })
-  describe('required fields', () => {
-    it('rejects missing name', () => {
-      const { name: _name, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing type', () => {
-      const { type: _type, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-    it('rejects missing value', () => {
-      const { value: _value, ...payload } = validPayload
-      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('provider field (OAuth provider identification)', () => {
-    it('accepts OAuth credential with provider', () => {
-      const payload = {
-        name: 'my-dropbox',
-        type: 'oauth' as const,
-        value: { accessToken: 'token', refreshToken: 'refresh' },
-        provider: 'dropbox'
-      }
-      const result = CreateCredentialRequestSchema.parse(payload)
-      expect(result.provider).toBe('dropbox')
-    })
-    it('accepts request without provider (optional field)', () => {
-      const result = CreateCredentialRequestSchema.parse(validPayload)
-      expect(result.provider).toBeUndefined()
-    })
-    it('accepts various OAuth provider values', () => {
-      const providers = ['dropbox', 'notion', 'google-sheets']
-      for (const provider of providers) {
-        const payload = {
-          name: `my-${provider}`,
-          type: 'oauth' as const,
-          value: { accessToken: 'token' },
-          provider
-        }
-        const result = CreateCredentialRequestSchema.parse(payload)
-        expect(result.provider).toBe(provider)
-      }
-    })
-  })
-})
-describe('UpdateCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-  it('rejects number instead of UUID', () => {
-    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
-  })
-})
-describe('UpdateCredentialRequestSchema', () => {
-  const validValue = { apiKey: 'updated-key' }
-  const validName = 'updated-name'
-  describe('valid requests', () => {
-    it('accepts update with value only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBeUndefined()
-    })
-    it('accepts update with name only', () => {
-      const result = UpdateCredentialRequestSchema.parse({ name: validName })
-      expect(result.name).toBe(validName)
-      expect(result.value).toBeUndefined()
-    })
-    it('accepts update with both value and name', () => {
-      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
-      expect(result.value).toEqual(validValue)
-      expect(result.name).toBe(validName)
-    })
-  })
-  describe('SECURITY: strict mode', () => {
-    it('rejects unknown fields', () => {
-      const payload = { value: validValue, unknownField: 'test' }
-      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
-    })
-  })
-  describe('validation: at least one field required', () => {
-    it('rejects empty update (no fields)', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
-    })
-    it('rejects update with undefined fields only', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(
-        /At least one field/
-      )
-    })
-  })
-  describe('SECURITY: credential value validation', () => {
-    it('rejects empty value object', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
-    })
-    it('rejects value with too many keys', () => {
-      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
-      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
-    })
-    it('rejects individual string values over 10KB', () => {
-      const hugeString = 'a'.repeat(10241)
-      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
-    })
-  })
-  describe('SECURITY: credential name validation', () => {
-    it('rejects invalid name format', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
-    })
-    it('rejects path traversal in name', () => {
-      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
-    })
-  })
-})
-describe('DeleteCredentialParamsSchema', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('accepts valid UUID', () => {
-    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
-    expect(result.credentialId).toBe(validUuid)
-  })
-  it('rejects invalid UUID format', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
-  })
-  it('rejects empty string', () => {
-    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
-  })
-})
-describe('ListCredentialsResponseSchema - Provider Field', () => {
-  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
-  it('validates response with provider set', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'dropbox-cred',
-          type: 'oauth',
-          provider: 'dropbox',
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-  })
-  it('validates response with null provider (non-OAuth credentials)', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'api-key',
-          type: 'api-key',
-          provider: null,
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBeNull()
-  })
-  it('validates response with mixed provider values', () => {
-    const response = {
-      credentials: [
-        {
-          id: validUuid,
-          name: 'dropbox-cred',
-          type: 'oauth',
-          provider: 'dropbox',
-          createdAt: '2026-02-02T00:00:00.000Z'
-        },
-        {
-          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
-          name: 'api-key',
-          type: 'api-key',
-          provider: null,
-          createdAt: '2026-02-02T00:00:00.000Z'
-        }
-      ]
-    }
-    const result = ListCredentialsResponseSchema.parse(response)
-    expect(result.credentials[0].provider).toBe('dropbox')
-    expect(result.credentials[1].provider).toBeNull()
-  })
-})
+/**
+ * Credential API schemas tests
+ * Tests all validation schemas for credentials endpoints
+ * Focus: Security (path traversal, DoS, mass assignment, type coercion)
+ */
+import { describe, it, expect } from 'vitest'
+import {
+  CredentialTypeSchema,
+  CreateCredentialRequestSchema,
+  UpdateCredentialParamsSchema,
+  UpdateCredentialRequestSchema,
+  DeleteCredentialParamsSchema,
+  ListCredentialsResponseSchema
+} from '../api-schemas'
+describe('CredentialTypeSchema', () => {
+  it('accepts valid credential types', () => {
+    // These are the actual types stored in the database
+    expect(CredentialTypeSchema.parse('oauth')).toBe('oauth')
+    expect(CredentialTypeSchema.parse('api-key')).toBe('api-key')
+    expect(CredentialTypeSchema.parse('webhook-secret')).toBe('webhook-secret')
+  })
+  it('rejects invalid credential types', () => {
+    expect(() => CredentialTypeSchema.parse('invalid-type')).toThrow()
+    expect(() => CredentialTypeSchema.parse('')).toThrow()
+  })
+  it('rejects provider names (these are CREDENTIAL_SCHEMAS keys, not stored types)', () => {
+    // OAuth providers store type='oauth', not their provider name
+    expect(() => CredentialTypeSchema.parse('notion')).toThrow()
+    expect(() => CredentialTypeSchema.parse('google-sheets')).toThrow()
+  })
+})
+describe('CreateCredentialRequestSchema', () => {
+  const validPayload = {
+    name: 'gmail-prod',
+    type: 'api-key' as const,
+    value: { apiKey: 'test-key-123' }
+  }
+  describe('valid requests', () => {
+    it('accepts valid credential creation request', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result).toEqual(validPayload)
+    })
+    it('accepts oauth type credentials', () => {
+      const payload = {
+        name: 'notion-dev',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+    it('accepts webhook-secret type credentials', () => {
+      const payload = {
+        name: 'stripe-webhook',
+        type: 'webhook-secret' as const,
+        value: { signingSecret: 'whsec_abc123' }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result).toEqual(payload)
+    })
+  })
+  describe('SECURITY: mass assignment prevention', () => {
+    it('rejects unknown fields (strict mode)', () => {
+      const payload = {
+        ...validPayload,
+        organizationId: 'attacker-org-id', // Injected field
+        createdBy: null // Override creator
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects extra top-level fields', () => {
+      const payload = {
+        ...validPayload,
+        maliciousField: 'value'
+      }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid credential names', () => {
+      const payload = { ...validPayload, name: 'gmail prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      const payload = { ...validPayload, name: '../admin-cred' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects special characters in name', () => {
+      const payload = { ...validPayload, name: 'gmail@prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects names without hyphens', () => {
+      const payload = { ...validPayload, name: 'gmailprod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('rejects underscores', () => {
+      const payload = { ...validPayload, name: 'gmail_prod' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must be lowercase/)
+    })
+    it('auto-lowercases uppercase input', () => {
+      const payload = { ...validPayload, name: 'Gmail-Prod' }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.name).toBe('gmail-prod')
+    })
+  })
+  describe('SECURITY: credential type validation', () => {
+    it('rejects invalid credential types', () => {
+      const payload = { ...validPayload, type: 'invalid-type' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null type', () => {
+      const payload = { ...validPayload, type: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as type', () => {
+      const payload = { ...validPayload, type: ['api-key'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty credential value', () => {
+      const payload = { ...validPayload, value: {} }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/must not be empty/)
+    })
+    it('rejects non-object value', () => {
+      const payload = { ...validPayload, value: 'string-instead-of-object' }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects null value', () => {
+      const payload = { ...validPayload, value: null }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects array as value', () => {
+      const payload = { ...validPayload, value: ['array', 'as', 'value'] }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('SECURITY: DoS prevention - credential value size', () => {
+    it('rejects credential value with too many keys (over 50)', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: largeValue }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too many keys/)
+    })
+    it('accepts credential value with max keys (50)', () => {
+      const maxValue = Object.fromEntries(Array.from({ length: 50 }, (_, i) => [`key${i}`, 'value']))
+      const payload = { ...validPayload, value: maxValue }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(Object.keys(result.value).length).toBe(50)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      const payload = { ...validPayload, value: { apiKey: hugeString } }
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow(/too large/)
+    })
+    it('accepts string values at max size (10KB)', () => {
+      const maxString = 'a'.repeat(10240)
+      const payload = { ...validPayload, value: { apiKey: maxString } }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value.apiKey).toBe(maxString)
+    })
+    it('allows non-string values without size checks', () => {
+      const payload = {
+        ...validPayload,
+        value: {
+          apiKey: 'test',
+          number: 12345,
+          boolean: true,
+          nested: { key: 'value' }
+        }
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.value).toEqual(payload.value)
+    })
+  })
+  describe('required fields', () => {
+    it('rejects missing name', () => {
+      const { name: _name, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing type', () => {
+      const { type: _type, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+    it('rejects missing value', () => {
+      const { value: _value, ...payload } = validPayload
+      expect(() => CreateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('provider field (OAuth provider identification)', () => {
+    it('accepts OAuth credential with provider', () => {
+      const payload = {
+        name: 'my-dropbox',
+        type: 'oauth' as const,
+        value: { accessToken: 'token', refreshToken: 'refresh' },
+        provider: 'dropbox'
+      }
+      const result = CreateCredentialRequestSchema.parse(payload)
+      expect(result.provider).toBe('dropbox')
+    })
+    it('accepts request without provider (optional field)', () => {
+      const result = CreateCredentialRequestSchema.parse(validPayload)
+      expect(result.provider).toBeUndefined()
+    })
+    it('accepts various OAuth provider values', () => {
+      const providers = ['dropbox', 'notion', 'google-sheets']
+      for (const provider of providers) {
+        const payload = {
+          name: `my-${provider}`,
+          type: 'oauth' as const,
+          value: { accessToken: 'token' },
+          provider
+        }
+        const result = CreateCredentialRequestSchema.parse(payload)
+        expect(result.provider).toBe(provider)
+      }
+    })
+  })
+})
+describe('UpdateCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = UpdateCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+  it('rejects number instead of UUID', () => {
+    expect(() => UpdateCredentialParamsSchema.parse({ credentialId: 12345 })).toThrow()
+  })
+})
+describe('UpdateCredentialRequestSchema', () => {
+  const validValue = { apiKey: 'updated-key' }
+  const validName = 'updated-name'
+  describe('valid requests', () => {
+    it('accepts update with value only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBeUndefined()
+    })
+    it('accepts update with name only', () => {
+      const result = UpdateCredentialRequestSchema.parse({ name: validName })
+      expect(result.name).toBe(validName)
+      expect(result.value).toBeUndefined()
+    })
+    it('accepts update with both value and name', () => {
+      const result = UpdateCredentialRequestSchema.parse({ value: validValue, name: validName })
+      expect(result.value).toEqual(validValue)
+      expect(result.name).toBe(validName)
+    })
+  })
+  describe('SECURITY: strict mode', () => {
+    it('rejects unknown fields', () => {
+      const payload = { value: validValue, unknownField: 'test' }
+      expect(() => UpdateCredentialRequestSchema.parse(payload)).toThrow()
+    })
+  })
+  describe('validation: at least one field required', () => {
+    it('rejects empty update (no fields)', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({})).toThrow(/At least one field/)
+    })
+    it('rejects update with undefined fields only', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: undefined, name: undefined })).toThrow(
+        /At least one field/
+      )
+    })
+  })
+  describe('SECURITY: credential value validation', () => {
+    it('rejects empty value object', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ value: {} })).toThrow(/must not be empty/)
+    })
+    it('rejects value with too many keys', () => {
+      const largeValue = Object.fromEntries(Array.from({ length: 51 }, (_, i) => [`key${i}`, 'value']))
+      expect(() => UpdateCredentialRequestSchema.parse({ value: largeValue })).toThrow(/too many keys/)
+    })
+    it('rejects individual string values over 10KB', () => {
+      const hugeString = 'a'.repeat(10241)
+      expect(() => UpdateCredentialRequestSchema.parse({ value: { apiKey: hugeString } })).toThrow(/too large/)
+    })
+  })
+  describe('SECURITY: credential name validation', () => {
+    it('rejects invalid name format', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: 'gmail prod' })).toThrow(/must be lowercase/)
+    })
+    it('rejects path traversal in name', () => {
+      expect(() => UpdateCredentialRequestSchema.parse({ name: '../admin' })).toThrow(/must be lowercase/)
+    })
+  })
+})
+describe('DeleteCredentialParamsSchema', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('accepts valid UUID', () => {
+    const result = DeleteCredentialParamsSchema.parse({ credentialId: validUuid })
+    expect(result.credentialId).toBe(validUuid)
+  })
+  it('rejects invalid UUID format', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: 'not-a-uuid' })).toThrow()
+  })
+  it('rejects empty string', () => {
+    expect(() => DeleteCredentialParamsSchema.parse({ credentialId: '' })).toThrow()
+  })
+})
+describe('ListCredentialsResponseSchema - Provider Field', () => {
+  const validUuid = 'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
+  it('validates response with provider set', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+  })
+  it('validates response with null provider (non-OAuth credentials)', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBeNull()
+  })
+  it('validates response with mixed provider values', () => {
+    const response = {
+      credentials: [
+        {
+          id: validUuid,
+          name: 'dropbox-cred',
+          type: 'oauth',
+          provider: 'dropbox',
+          createdAt: '2026-02-02T00:00:00.000Z'
+        },
+        {
+          id: 'b0eebc99-9c0b-4ef8-bb6d-6bb9bd380a22',
+          name: 'api-key',
+          type: 'api-key',
+          provider: null,
+          createdAt: '2026-02-02T00:00:00.000Z'
+        }
+      ]
+    }
+    const result = ListCredentialsResponseSchema.parse(response)
+    expect(result.credentials[0].provider).toBe('dropbox')
+    expect(result.credentials[1].provider).toBeNull()
+  })
+})