@elevasis/core 0.35.0 → 0.36.0

package/dist/auth/index.d.ts

@@ -349,6 +349,18 @@ declare const UpdateOrganizationSchema: z.ZodObject<{
     }, z.core.$strip>>>>;
     metadata: z.ZodOptional<z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>>;
 }, z.core.$strict>;
+/**
+ * Update organization auth config
+ * PATCH /organizations/:id/config/auth
+ *
+ * Security:
+ * - Narrow config surface: only appOrigin is accepted
+ * - App origin is an origin URL, not a route URL
+ * - Strict mode prevents accidental writes to unrelated config keys
+ */
+declare const UpdateOrganizationAuthConfigSchema: z.ZodObject<{
+    appOrigin: z.ZodString;
+}, z.core.$strict>;
 /**
  * List organizations with filters
  * GET /organizations
@@ -364,6 +376,7 @@ declare const ListOrganizationsQuerySchema: z.ZodObject<{
 }, z.core.$strip>;
 type CreateOrganizationInput = z.infer<typeof CreateOrganizationSchema>;
 type UpdateOrganizationInput = z.infer<typeof UpdateOrganizationSchema>;
+type UpdateOrganizationAuthConfigInput = z.infer<typeof UpdateOrganizationAuthConfigSchema>;
 type ListOrganizationsQuery = z.infer<typeof ListOrganizationsQuerySchema>;
 type OrganizationIdParam = z.infer<typeof OrganizationIdParamSchema>;
 
@@ -3876,6 +3889,17 @@ type Database = {
                 Args: never;
                 Returns: undefined;
             };
+            repair_membership_role_assignments: {
+                Args: never;
+                Returns: {
+                    membership_id: string;
+                    organization_id: string;
+                    repaired: boolean;
+                    role_id: string;
+                    role_slug: string;
+                    user_id: string;
+                }[];
+            };
             sync_all_memberships_with_role: {
                 Args: {
                     p_role_id: string;
@@ -3888,6 +3912,13 @@ type Database = {
                 };
                 Returns: undefined;
             };
+            update_membership_role_assignment: {
+                Args: {
+                    p_role_slug: string;
+                    p_workos_membership_id: string;
+                };
+                Returns: string;
+            };
             upsert_user_profile: {
                 Args: never;
                 Returns: {
@@ -4108,6 +4139,17 @@ declare const SendInvitationSchema: z.ZodObject<{
 declare const AcceptInvitationSchema: z.ZodObject<{
     invitation_token: z.ZodString;
 }, z.core.$strict>;
+/**
+ * Public invitation router query
+ * GET /api/invite
+ *
+ * Security:
+ * - Token validated as present only; service layer performs WorkOS lookup
+ * - Router redirects with only the token needed by tenant AuthKit login
+ */
+declare const InviteRouterQuerySchema: z.ZodObject<{
+    invitation_token: z.ZodString;
+}, z.core.$strict>;
 /**
  * List invitations with filters
  * GET /invitations
@@ -4130,6 +4172,7 @@ declare const ListInvitationsQuerySchema: z.ZodObject<{
 }, z.core.$strict>;
 type SendInvitationInput = z.infer<typeof SendInvitationSchema>;
 type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>;
+type InviteRouterQuery = z.infer<typeof InviteRouterQuerySchema>;
 type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>;
 type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>;
 
@@ -5415,5 +5458,5 @@ interface AccessModel {
 declare function checkAccess(input: AccessKeyInput, ctx: AccessContext): AccessAnswer;
 declare function createAccessModel(organizationModel: OrganizationModel): AccessModel;
 
-export { AcceptInvitationSchema, AccessActionSchema, AccessKeyInputSchema, AccessKeyObjectSchema, AccessKeySchema, AccessKeys, AssignMembershipRoleRequestSchema, CreateMembershipSchema, CreateOrgRoleRequestSchema, CreateOrganizationSchema, DEFAULT_ACCESS_ACTION, DIAGNOSTIC_VIEW_ACCESS_KEYS, ExternalIdParamSchema, InvitationIdParamSchema, ListInvitationsQuerySchema, ListMembershipsQuerySchema, ListOrganizationsQuerySchema, ListUsersQuerySchema, MEMBERSHIP_STATUS_COLORS, MembershipIdParamSchema, MembershipParamsSchema, MembershipRoleParamsSchema, MembershipRoleSchema, MembershipStatusSchema, MyOrgPermissionsResponseSchema, NormalizedAccessKeySchema, OrgIdParamSchema, OrgRoleParamsSchema, OrgRolesParamsSchema, OrganizationDomainSchema, OrganizationIdParamSchema, OrganizationNameSchema, PERMISSIONS, PERMISSION_CATALOG, PLATFORM_ADMIN_ACCESS_KEY, PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND, SendInvitationSchema, THEME_PRESETS, ThemePresetEnum, UpdateMembershipSchema, UpdateMyProfileSchema, UpdateOrgRoleRequestSchema, UpdateOrganizationSchema, UpdateUserSchema, UserIdParamSchema, accessKeyToString, asSupabaseOrgId, asSupabaseOrgIdOrNull, asWorkOsOrgId, asWorkOsOrgIdOrNull, brandSupabaseOrgId, brandWorkOsOrgId, checkAccess, createAccessModel, deriveAccessKeyCatalog, findAccessCatalogEntry, isPermissionKey, isSupabaseOrgId, isWorkOsOrgId, listAccessKeys, normalizeAccessKey, rolePermissionForAccessKey, transformMembershipToTableRow, transformSupabaseToInvitation, transformSupabaseToMembership };
-export type { AcceptInvitationInput, AcceptInvitationRequest, AcceptanceResult, AccessAction, AccessAnswer, AccessCatalogEntry, AccessCatalogEntrySource, AccessContext, AccessContextMembership, AccessContextProfile, AccessKey, AccessKeyCatalog, AccessKeyInput, AccessKeyObject, AccessModel, AccessReason, AccessRestrictedBy, AdminOrgInvitation, AssignMembershipRoleInput, CreateCredentialParams, CreateMembershipInput, CreateMembershipRequest, CreateOrgRoleInput, CreateOrganizationInput, CreateUserRequest, CredentialMetadata, DeriveAccessKeyCatalogOptions, ExternalIdParam, Invitation, InvitationIdParam, InvitationListQuery, InvitationState, InvitationSummaryResponse, InvitationWithDetails, ListInvitationsParams, ListInvitationsQuery, ListMembershipsParams, ListMembershipsQuery, ListMembershipsResponse, ListOrganizationsQuery, ListUsersParams, ListUsersQuery, ListUsersResponse, MembershipIdParam, MembershipParams, MembershipRole, MembershipRoleParams, MembershipStatus, MembershipTableRow, MembershipWithDetails, MyOrgPermissionsResponse, NormalizedAccessKey, OrgIdParam, OrgMetadata, OrgRoleParams, OrgRolesParams, Organization, OrganizationIdParam, OrganizationMembership, OrganizationSummary, PermissionDescriptor, PermissionKey, SendInvitationInput, SendInvitationRequest, SupabaseOrgId, SupabaseOrgInvitation, SupabaseOrgInvitationInsert, SupabaseOrgInvitationUpdate, SupabaseOrgMembership, SupabaseOrgMembershipInsert, SupabaseOrgMembershipUpdate, ThemePresetName, UpdateMembershipInput, UpdateMembershipRequest, UpdateMyProfileInput, UpdateOrgRoleInput, UpdateOrganizationInput, UpdateUserInput, UpdateUserRequest, User, UserConfig, UserIdParam, UserSummary, WorkOsOrgId };
+export { AcceptInvitationSchema, AccessActionSchema, AccessKeyInputSchema, AccessKeyObjectSchema, AccessKeySchema, AccessKeys, AssignMembershipRoleRequestSchema, CreateMembershipSchema, CreateOrgRoleRequestSchema, CreateOrganizationSchema, DEFAULT_ACCESS_ACTION, DIAGNOSTIC_VIEW_ACCESS_KEYS, ExternalIdParamSchema, InvitationIdParamSchema, InviteRouterQuerySchema, ListInvitationsQuerySchema, ListMembershipsQuerySchema, ListOrganizationsQuerySchema, ListUsersQuerySchema, MEMBERSHIP_STATUS_COLORS, MembershipIdParamSchema, MembershipParamsSchema, MembershipRoleParamsSchema, MembershipRoleSchema, MembershipStatusSchema, MyOrgPermissionsResponseSchema, NormalizedAccessKeySchema, OrgIdParamSchema, OrgRoleParamsSchema, OrgRolesParamsSchema, OrganizationDomainSchema, OrganizationIdParamSchema, OrganizationNameSchema, PERMISSIONS, PERMISSION_CATALOG, PLATFORM_ADMIN_ACCESS_KEY, PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND, SendInvitationSchema, THEME_PRESETS, ThemePresetEnum, UpdateMembershipSchema, UpdateMyProfileSchema, UpdateOrgRoleRequestSchema, UpdateOrganizationAuthConfigSchema, UpdateOrganizationSchema, UpdateUserSchema, UserIdParamSchema, accessKeyToString, asSupabaseOrgId, asSupabaseOrgIdOrNull, asWorkOsOrgId, asWorkOsOrgIdOrNull, brandSupabaseOrgId, brandWorkOsOrgId, checkAccess, createAccessModel, deriveAccessKeyCatalog, findAccessCatalogEntry, isPermissionKey, isSupabaseOrgId, isWorkOsOrgId, listAccessKeys, normalizeAccessKey, rolePermissionForAccessKey, transformMembershipToTableRow, transformSupabaseToInvitation, transformSupabaseToMembership };
+export type { AcceptInvitationInput, AcceptInvitationRequest, AcceptanceResult, AccessAction, AccessAnswer, AccessCatalogEntry, AccessCatalogEntrySource, AccessContext, AccessContextMembership, AccessContextProfile, AccessKey, AccessKeyCatalog, AccessKeyInput, AccessKeyObject, AccessModel, AccessReason, AccessRestrictedBy, AdminOrgInvitation, AssignMembershipRoleInput, CreateCredentialParams, CreateMembershipInput, CreateMembershipRequest, CreateOrgRoleInput, CreateOrganizationInput, CreateUserRequest, CredentialMetadata, DeriveAccessKeyCatalogOptions, ExternalIdParam, Invitation, InvitationIdParam, InvitationListQuery, InvitationState, InvitationSummaryResponse, InvitationWithDetails, InviteRouterQuery, ListInvitationsParams, ListInvitationsQuery, ListMembershipsParams, ListMembershipsQuery, ListMembershipsResponse, ListOrganizationsQuery, ListUsersParams, ListUsersQuery, ListUsersResponse, MembershipIdParam, MembershipParams, MembershipRole, MembershipRoleParams, MembershipStatus, MembershipTableRow, MembershipWithDetails, MyOrgPermissionsResponse, NormalizedAccessKey, OrgIdParam, OrgMetadata, OrgRoleParams, OrgRolesParams, Organization, OrganizationIdParam, OrganizationMembership, OrganizationSummary, PermissionDescriptor, PermissionKey, SendInvitationInput, SendInvitationRequest, SupabaseOrgId, SupabaseOrgInvitation, SupabaseOrgInvitationInsert, SupabaseOrgInvitationUpdate, SupabaseOrgMembership, SupabaseOrgMembershipInsert, SupabaseOrgMembershipUpdate, ThemePresetName, UpdateMembershipInput, UpdateMembershipRequest, UpdateMyProfileInput, UpdateOrgRoleInput, UpdateOrganizationAuthConfigInput, UpdateOrganizationInput, UpdateUserInput, UpdateUserRequest, User, UserConfig, UserIdParam, UserSummary, WorkOsOrgId };

package/dist/auth/index.js

@@ -226,6 +226,16 @@ var CreateOrganizationSchema = z.object({
 var UpdateOrganizationSchema = CreateOrganizationSchema.partial().strict().refine((data) => Object.keys(data).length > 0, {
   message: "At least one field (name, domainData, or metadata) must be provided"
 });
+var UpdateOrganizationAuthConfigSchema = z.object({
+  appOrigin: z.string().trim().url("App origin must be a valid URL").max(2048, "App origin must be at most 2048 characters").refine((value) => {
+    try {
+      const url = new URL(value);
+      return url.pathname === "/" && url.search === "" && url.hash === "";
+    } catch {
+      return false;
+    }
+  }, "App origin must not include a path, query string, or hash")
+}).strict();
 var ListOrganizationsQuerySchema = z.object({
   limit: z.coerce.number().int().min(1).max(100).default(20),
   before: z.string().optional(),
@@ -394,6 +404,9 @@ var SendInvitationSchema = z.object({
 var AcceptInvitationSchema = z.object({
   invitation_token: z.string().min(1, "Invitation token is required")
 }).strict();
+var InviteRouterQuerySchema = z.object({
+  invitation_token: z.string().min(1, "Invitation token is required")
+}).strict();
 var ListInvitationsQuerySchema = z.object({
   organizationId: z.string().optional(),
   userId: z.string().optional(),
@@ -410,6 +423,8 @@ function childSystemsOf(system) {
   return system.systems ?? system.subsystems ?? {};
 }
 function getSystem(model, path) {
+  const flatMatch = model.systems[path];
+  if (flatMatch !== void 0) return flatMatch;
   const segments = path.split(".");
   let current = model.systems;
   let node;
@@ -634,4 +649,4 @@ function createAccessModel(organizationModel) {
   };
 }
 
-export { AcceptInvitationSchema, AccessActionSchema, AccessKeyInputSchema, AccessKeyObjectSchema, AccessKeySchema, AccessKeys, AssignMembershipRoleRequestSchema, CreateMembershipSchema, CreateOrgRoleRequestSchema, CreateOrganizationSchema, DEFAULT_ACCESS_ACTION, DIAGNOSTIC_VIEW_ACCESS_KEYS, ExternalIdParamSchema, InvitationIdParamSchema, ListInvitationsQuerySchema, ListMembershipsQuerySchema, ListOrganizationsQuerySchema, ListUsersQuerySchema, MEMBERSHIP_STATUS_COLORS, MembershipIdParamSchema, MembershipParamsSchema, MembershipRoleParamsSchema, MembershipRoleSchema, MembershipStatusSchema, MyOrgPermissionsResponseSchema, NormalizedAccessKeySchema, OrgIdParamSchema, OrgRoleParamsSchema, OrgRolesParamsSchema, OrganizationDomainSchema, OrganizationIdParamSchema, OrganizationNameSchema, PERMISSIONS, PERMISSION_CATALOG, PLATFORM_ADMIN_ACCESS_KEY, PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND, SendInvitationSchema, THEME_PRESETS, ThemePresetEnum, UpdateMembershipSchema, UpdateMyProfileSchema, UpdateOrgRoleRequestSchema, UpdateOrganizationSchema, UpdateUserSchema, UserIdParamSchema, accessKeyToString, asSupabaseOrgId, asSupabaseOrgIdOrNull, asWorkOsOrgId, asWorkOsOrgIdOrNull, brandSupabaseOrgId, brandWorkOsOrgId, checkAccess, createAccessModel, deriveAccessKeyCatalog, findAccessCatalogEntry, isPermissionKey, isSupabaseOrgId, isWorkOsOrgId, listAccessKeys, normalizeAccessKey, rolePermissionForAccessKey, transformMembershipToTableRow, transformSupabaseToInvitation, transformSupabaseToMembership };
+export { AcceptInvitationSchema, AccessActionSchema, AccessKeyInputSchema, AccessKeyObjectSchema, AccessKeySchema, AccessKeys, AssignMembershipRoleRequestSchema, CreateMembershipSchema, CreateOrgRoleRequestSchema, CreateOrganizationSchema, DEFAULT_ACCESS_ACTION, DIAGNOSTIC_VIEW_ACCESS_KEYS, ExternalIdParamSchema, InvitationIdParamSchema, InviteRouterQuerySchema, ListInvitationsQuerySchema, ListMembershipsQuerySchema, ListOrganizationsQuerySchema, ListUsersQuerySchema, MEMBERSHIP_STATUS_COLORS, MembershipIdParamSchema, MembershipParamsSchema, MembershipRoleParamsSchema, MembershipRoleSchema, MembershipStatusSchema, MyOrgPermissionsResponseSchema, NormalizedAccessKeySchema, OrgIdParamSchema, OrgRoleParamsSchema, OrgRolesParamsSchema, OrganizationDomainSchema, OrganizationIdParamSchema, OrganizationNameSchema, PERMISSIONS, PERMISSION_CATALOG, PLATFORM_ADMIN_ACCESS_KEY, PLATFORM_ADMIN_ACCESS_KEY_SHORTHAND, SendInvitationSchema, THEME_PRESETS, ThemePresetEnum, UpdateMembershipSchema, UpdateMyProfileSchema, UpdateOrgRoleRequestSchema, UpdateOrganizationAuthConfigSchema, UpdateOrganizationSchema, UpdateUserSchema, UserIdParamSchema, accessKeyToString, asSupabaseOrgId, asSupabaseOrgIdOrNull, asWorkOsOrgId, asWorkOsOrgIdOrNull, brandSupabaseOrgId, brandWorkOsOrgId, checkAccess, createAccessModel, deriveAccessKeyCatalog, findAccessCatalogEntry, isPermissionKey, isSupabaseOrgId, isWorkOsOrgId, listAccessKeys, normalizeAccessKey, rolePermissionForAccessKey, transformMembershipToTableRow, transformSupabaseToInvitation, transformSupabaseToMembership };

package/dist/index.js

@@ -726,6 +726,8 @@ function childSystemsOf2(system) {
   return system.systems ?? system.subsystems ?? {};
 }
 function getSystem(model, path) {
+  const flatMatch = model.systems[path];
+  if (flatMatch !== void 0) return flatMatch;
   const segments = path.split(".");
   let current = model.systems;
   let node;

package/dist/organization-model/index.js

@@ -726,6 +726,8 @@ function childSystemsOf2(system) {
   return system.systems ?? system.subsystems ?? {};
 }
 function getSystem(model, path) {
+  const flatMatch = model.systems[path];
+  if (flatMatch !== void 0) return flatMatch;
   const segments = path.split(".");
   let current = model.systems;
   let node;

package/dist/test-utils/index.d.ts

@@ -3126,6 +3126,17 @@ type Database = {
                 Args: never;
                 Returns: undefined;
             };
+            repair_membership_role_assignments: {
+                Args: never;
+                Returns: {
+                    membership_id: string;
+                    organization_id: string;
+                    repaired: boolean;
+                    role_id: string;
+                    role_slug: string;
+                    user_id: string;
+                }[];
+            };
             sync_all_memberships_with_role: {
                 Args: {
                     p_role_id: string;
@@ -3138,6 +3149,13 @@ type Database = {
                 };
                 Returns: undefined;
             };
+            update_membership_role_assignment: {
+                Args: {
+                    p_role_slug: string;
+                    p_workos_membership_id: string;
+                };
+                Returns: string;
+            };
             upsert_user_profile: {
                 Args: never;
                 Returns: {

package/dist/test-utils/index.js

@@ -2011,7 +2011,7 @@ var RLSTestContext = class {
     if (roleErr || !roleDef) {
       throw new Error(`Failed to look up system role '${slug}': ${roleErr?.message ?? "not found"}`);
     }
-    const { error: assignErr } = await this.adminClient.from("org_rol_assignments").insert({ membership_id: membershipId, role_id: roleDef.id });
+    const { error: assignErr } = await this.adminClient.from("org_rol_assignments").upsert({ membership_id: membershipId, role_id: roleDef.id }, { onConflict: "membership_id,role_id" });
     if (assignErr) {
       throw new Error(`Failed to assign system role '${slug}' to membership: ${assignErr.message}`);
     }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elevasis/core",
-  "version": "0.35.0",
+  "version": "0.36.0",
   "license": "MIT",
   "description": "Minimal shared constants across Elevasis monorepo",
   "sideEffects": false,

package/src/auth/multi-tenancy/invitations/api-schemas.ts

@@ -59,11 +59,25 @@ export const SendInvitationSchema = z
  * Security:
  * - Token validated (non-empty string)
  */
-export const AcceptInvitationSchema = z
-  .object({
-    invitation_token: z.string().min(1, 'Invitation token is required')
-  })
-  .strict()
+export const AcceptInvitationSchema = z
+  .object({
+    invitation_token: z.string().min(1, 'Invitation token is required')
+  })
+  .strict()
+
+/**
+ * Public invitation router query
+ * GET /api/invite
+ *
+ * Security:
+ * - Token validated as present only; service layer performs WorkOS lookup
+ * - Router redirects with only the token needed by tenant AuthKit login
+ */
+export const InviteRouterQuerySchema = z
+  .object({
+    invitation_token: z.string().min(1, 'Invitation token is required')
+  })
+  .strict()
 
 // ============================================================================
 // Query Parameters
@@ -98,7 +112,8 @@ export const ListInvitationsQuerySchema = z
 // ============================================================================
 
 // Export inferred types for use in route handlers
-export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
-export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
-export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
-export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>
+export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
+export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
+export type InviteRouterQuery = z.infer<typeof InviteRouterQuerySchema>
+export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
+export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>

package/src/auth/multi-tenancy/invitations/index.ts

@@ -27,12 +27,14 @@ export { transformSupabaseToInvitation } from './supabase'
 
 // Validation schemas
 export {
-  SendInvitationSchema,
-  AcceptInvitationSchema,
-  ListInvitationsQuerySchema,
-  InvitationIdParamSchema,
-  type SendInvitationInput,
-  type AcceptInvitationInput,
-  type ListInvitationsQuery,
-  type InvitationIdParam
-} from './api-schemas'
+  SendInvitationSchema,
+  AcceptInvitationSchema,
+  InviteRouterQuerySchema,
+  ListInvitationsQuerySchema,
+  InvitationIdParamSchema,
+  type SendInvitationInput,
+  type AcceptInvitationInput,
+  type InviteRouterQuery,
+  type ListInvitationsQuery,
+  type InvitationIdParam
+} from './api-schemas'

package/src/auth/multi-tenancy/organizations/__tests__/api-schemas.test.ts

@@ -1,5 +1,10 @@
 import { describe, expect, it } from 'vitest'
-import { CreateOrganizationSchema, ListOrganizationsQuerySchema, UpdateOrganizationSchema } from '../api-schemas'
+import {
+  CreateOrganizationSchema,
+  ListOrganizationsQuerySchema,
+  UpdateOrganizationAuthConfigSchema,
+  UpdateOrganizationSchema
+} from '../api-schemas'
 
 // ---------------------------------------------------------------------------
 // CreateOrganizationSchema
@@ -87,7 +92,7 @@ describe('CreateOrganizationSchema', () => {
 // UpdateOrganizationSchema
 // ---------------------------------------------------------------------------
 
-describe('UpdateOrganizationSchema', () => {
+describe('UpdateOrganizationSchema', () => {
   it('rejects an empty object (at least one field required)', () => {
     // UpdateOrganizationSchema is CreateOrganizationSchema.partial().strict().refine(...)
     // The .refine() enforces the documented "at least one field" convention
@@ -135,7 +140,38 @@ describe('UpdateOrganizationSchema', () => {
   it('rejects unknown top-level fields (.strict() mode)', () => {
     expect(UpdateOrganizationSchema.safeParse({ name: 'Valid Name', unknownField: 'bad' }).success).toBe(false)
   })
-})
+})
+
+// ---------------------------------------------------------------------------
+// UpdateOrganizationAuthConfigSchema
+// ---------------------------------------------------------------------------
+
+describe('UpdateOrganizationAuthConfigSchema', () => {
+  it('accepts an HTTPS app origin', () => {
+    expect(UpdateOrganizationAuthConfigSchema.safeParse({ appOrigin: 'https://app.example.com' }).success).toBe(true)
+  })
+
+  it('rejects app origins with paths, query strings, or hashes', () => {
+    expect(UpdateOrganizationAuthConfigSchema.safeParse({ appOrigin: 'https://app.example.com/login' }).success).toBe(
+      false
+    )
+    expect(UpdateOrganizationAuthConfigSchema.safeParse({ appOrigin: 'https://app.example.com?x=1' }).success).toBe(
+      false
+    )
+    expect(UpdateOrganizationAuthConfigSchema.safeParse({ appOrigin: 'https://app.example.com#hash' }).success).toBe(
+      false
+    )
+  })
+
+  it('rejects unknown config fields', () => {
+    expect(
+      UpdateOrganizationAuthConfigSchema.safeParse({
+        appOrigin: 'https://app.example.com',
+        other: true
+      }).success
+    ).toBe(false)
+  })
+})
 
 // ---------------------------------------------------------------------------
 // ListOrganizationsQuerySchema

package/src/auth/multi-tenancy/organizations/api-schemas.ts

@@ -101,11 +101,38 @@ export const CreateOrganizationSchema = z
  * - At least one field required (matches documented Update schema convention,
  *   see .claude/rules/core-package.md → "api-schemas.ts Pattern")
  */
-export const UpdateOrganizationSchema = CreateOrganizationSchema.partial()
-  .strict()
-  .refine((data) => Object.keys(data).length > 0, {
-    message: 'At least one field (name, domainData, or metadata) must be provided'
-  })
+export const UpdateOrganizationSchema = CreateOrganizationSchema.partial()
+  .strict()
+  .refine((data) => Object.keys(data).length > 0, {
+    message: 'At least one field (name, domainData, or metadata) must be provided'
+  })
+
+/**
+ * Update organization auth config
+ * PATCH /organizations/:id/config/auth
+ *
+ * Security:
+ * - Narrow config surface: only appOrigin is accepted
+ * - App origin is an origin URL, not a route URL
+ * - Strict mode prevents accidental writes to unrelated config keys
+ */
+export const UpdateOrganizationAuthConfigSchema = z
+  .object({
+    appOrigin: z
+      .string()
+      .trim()
+      .url('App origin must be a valid URL')
+      .max(2048, 'App origin must be at most 2048 characters')
+      .refine((value) => {
+        try {
+          const url = new URL(value)
+          return url.pathname === '/' && url.search === '' && url.hash === ''
+        } catch {
+          return false
+        }
+      }, 'App origin must not include a path, query string, or hash')
+  })
+  .strict()
 
 // ============================================================================
 // Query Parameters
@@ -131,6 +158,7 @@ export const ListOrganizationsQuerySchema = z.object({
 
 // Export inferred types for use in route handlers
 export type CreateOrganizationInput = z.infer<typeof CreateOrganizationSchema>
-export type UpdateOrganizationInput = z.infer<typeof UpdateOrganizationSchema>
-export type ListOrganizationsQuery = z.infer<typeof ListOrganizationsQuerySchema>
-export type OrganizationIdParam = z.infer<typeof OrganizationIdParamSchema>
+export type UpdateOrganizationInput = z.infer<typeof UpdateOrganizationSchema>
+export type UpdateOrganizationAuthConfigInput = z.infer<typeof UpdateOrganizationAuthConfigSchema>
+export type ListOrganizationsQuery = z.infer<typeof ListOrganizationsQuerySchema>
+export type OrganizationIdParam = z.infer<typeof OrganizationIdParamSchema>

package/src/auth/multi-tenancy/organizations/index.ts

@@ -8,16 +8,18 @@ export type { Organization, OrganizationSummary } from './organization'
 
 // Validation schemas
 export {
-  CreateOrganizationSchema,
-  UpdateOrganizationSchema,
-  ListOrganizationsQuerySchema,
-  OrganizationIdParamSchema,
-  OrganizationNameSchema,
-  OrganizationDomainSchema,
-  type CreateOrganizationInput,
-  type UpdateOrganizationInput,
-  type ListOrganizationsQuery,
-  type OrganizationIdParam
-} from './api-schemas'
+  CreateOrganizationSchema,
+  UpdateOrganizationSchema,
+  UpdateOrganizationAuthConfigSchema,
+  ListOrganizationsQuerySchema,
+  OrganizationIdParamSchema,
+  OrganizationNameSchema,
+  OrganizationDomainSchema,
+  type CreateOrganizationInput,
+  type UpdateOrganizationInput,
+  type UpdateOrganizationAuthConfigInput,
+  type ListOrganizationsQuery,
+  type OrganizationIdParam
+} from './api-schemas'
 
 // Note: WorkOS types and transforms available via @repo/core/server

package/src/business/acquisition/build-templates.test.ts

@@ -170,6 +170,40 @@ describe('createBuildPlanSnapshotFromTemplate', () => {
       ]
     })
   })
+
+  it('normalizes stage-key dependencies to step ids for snapshots', () => {
+    const snapshot = createBuildPlanSnapshotFromTemplate({
+      id: 'stage-key-dependency',
+      label: 'Stage Key Dependency',
+      steps: [
+        {
+          id: 'source-companies',
+          label: 'Companies found',
+          primaryEntity: 'company',
+          outputs: ['company'],
+          stageKey: 'populated',
+          dependencyMode: 'per-record-eligibility',
+          actionKey: 'lead-gen.company.source',
+          defaultBatchSize: 100,
+          maxBatchSize: 250
+        },
+        {
+          id: 'qualify-companies',
+          label: 'Companies qualified',
+          primaryEntity: 'company',
+          outputs: ['company'],
+          stageKey: 'qualified',
+          dependsOn: ['populated'],
+          dependencyMode: 'per-record-eligibility',
+          actionKey: 'lead-gen.company.qualify',
+          defaultBatchSize: 50,
+          maxBatchSize: 100
+        }
+      ]
+    })
+
+    expect(snapshot.steps[1]?.dependsOn).toEqual(['source-companies'])
+  })
 })
 
 describe('createBuildPlanSnapshotFromTemplateId', () => {

package/src/business/acquisition/build-templates.ts

@@ -30,6 +30,9 @@ export function isProspectingBuildTemplateId(
 }
 
 export function createBuildPlanSnapshotFromTemplate(template: ProspectingBuildTemplate): BuildPlanSnapshot {
+  const stepIdByStageKey = new Map(template.steps.map((step) => [step.stageKey, step.id]))
+  const stepIds = new Set(template.steps.map((step) => step.id))
+
   return {
     templateId: template.id,
     templateLabel: template.label,
@@ -50,7 +53,11 @@ export function createBuildPlanSnapshotFromTemplate(template: ProspectingBuildTe
 
       if (step.description) snapshotStep.description = step.description
       if (step.recordEntity) snapshotStep.recordEntity = step.recordEntity
-      if (step.dependsOn?.length) snapshotStep.dependsOn = [...step.dependsOn]
+      if (step.dependsOn?.length) {
+        snapshotStep.dependsOn = step.dependsOn.map((dependency) =>
+          stepIds.has(dependency) ? dependency : (stepIdByStageKey.get(dependency) ?? dependency)
+        )
+      }
       if (step.credentialRequirements?.length) {
         snapshotStep.credentialRequirements = step.credentialRequirements.map((requirement: CredentialRequirement) => ({
           ...requirement

package/src/organization-model/__tests__/lookup-helpers.test.ts

@@ -64,6 +64,23 @@ describe('getSystem', () => {
     expect(sys?.label).toBe('Leaf')
   })
 
+  it('returns a flat system whose id contains dots', () => {
+    const model = resolveOrganizationModel({
+      systems: {
+        sales: { id: 'sales', order: 10, label: 'Sales', enabled: true, path: '/sales' },
+        'sales.lead-gen': {
+          id: 'sales.lead-gen',
+          order: 20,
+          label: 'Lead Gen',
+          enabled: true,
+          path: '/lead-gen'
+        }
+      }
+    })
+
+    expect(getSystem(model, 'sales.lead-gen')?.label).toBe('Lead Gen')
+  })
+
   it('returns undefined for unresolved paths', () => {
     const model = makeNestedModel()
     expect(getSystem(model, 'nonexistent')).toBeUndefined()
@@ -90,6 +107,23 @@ describe('getSystemAncestors', () => {
     ])
   })
 
+  it('returns available ancestors for flat dotted system ids', () => {
+    const model = resolveOrganizationModel({
+      systems: {
+        sales: { id: 'sales', order: 10, label: 'Sales', enabled: true, path: '/sales' },
+        'sales.lead-gen': {
+          id: 'sales.lead-gen',
+          order: 20,
+          label: 'Lead Gen',
+          enabled: true,
+          path: '/lead-gen'
+        }
+      }
+    })
+
+    expect(getSystemAncestors(model, 'sales.lead-gen').map((system) => system.label)).toEqual(['Sales', 'Lead Gen'])
+  })
+
   it('returns empty arrays for unresolved paths', () => {
     const model = makeNestedModel()
     expect(getSystemAncestors(model, 'does.not.exist')).toEqual([])

package/src/organization-model/__tests__/migration-helpers.test.ts

@@ -114,17 +114,6 @@ function modelWithBuildTemplate(): OrganizationModel {
               kind: 'template-step',
               appliesTo: 'sales.lead-gen:object/list',
               entries: {
-                'source-companies': {
-                  label: 'Source Companies',
-                  order: 10,
-                  primaryEntity: 'company',
-                  outputs: ['company'],
-                  stageKey: 'populated',
-                  dependencyMode: 'per-record-eligibility',
-                  actionKey: 'lead-gen.company.source',
-                  defaultBatchSize: 100,
-                  maxBatchSize: 500
-                },
                 'qualify-companies': {
                   label: 'Qualify Companies',
                   order: 20,
@@ -136,6 +125,17 @@ function modelWithBuildTemplate(): OrganizationModel {
                   actionKey: 'lead-gen.company.qualify',
                   defaultBatchSize: 100,
                   maxBatchSize: 500
+                },
+                'source-companies': {
+                  label: 'Source Companies',
+                  order: 10,
+                  primaryEntity: 'company',
+                  outputs: ['company'],
+                  stageKey: 'populated',
+                  dependencyMode: 'per-record-eligibility',
+                  actionKey: 'lead-gen.company.source',
+                  defaultBatchSize: 100,
+                  maxBatchSize: 500
                 }
               }
             }

package/src/organization-model/helpers.ts

@@ -149,6 +149,9 @@ export function devOnlyFor(systems: Record<string, OrganizationModelSystemEntry>
  * Returns `undefined` if any segment is missing.
  */
 export function getSystem(model: OrganizationModel, path: string): SystemEntryWithTree | undefined {
+  const flatMatch = (model.systems as Record<string, SystemEntryWithTree>)[path]
+  if (flatMatch !== undefined) return flatMatch
+
   const segments = path.split('.')
   // model.systems is typed as Record<string, OrganizationModelSystemEntry>; cast
   // to SystemEntryWithTree (which extends it with optional content + subsystems).
@@ -171,6 +174,21 @@ export function getSystem(model: OrganizationModel, path: string): SystemEntryWi
  * Returns an empty array if the path cannot be resolved.
  */
 export function getSystemAncestors(model: OrganizationModel, path: string): SystemEntryWithTree[] {
+  const flatMatch = (model.systems as Record<string, SystemEntryWithTree>)[path]
+  if (flatMatch !== undefined) {
+    const ancestorIds = path
+      .split('.')
+      .map((_, index, segments) => segments.slice(0, index + 1).join('.'))
+      .slice(0, -1)
+
+    return [
+      ...ancestorIds
+        .map((ancestorId) => (model.systems as Record<string, SystemEntryWithTree>)[ancestorId])
+        .filter((system): system is SystemEntryWithTree => system !== undefined),
+      flatMatch
+    ]
+  }
+
   const segments = path.split('.')
   const result: SystemEntryWithTree[] = []
   let current: Record<string, SystemEntryWithTree> = model.systems as Record<string, SystemEntryWithTree>

package/src/organization-model/migration-helpers.ts

@@ -124,7 +124,14 @@ export function getAllBuildTemplates(model: OrganizationModel): BuildTemplate[]
       entriesOf(catalog).map(([templateId, templateEntry]) => {
         const stepCatalogId = stringValue(templateEntry.stepCatalog) as OntologyId | undefined
         const stepCatalog = stepCatalogId !== undefined ? stepCatalogs.get(stepCatalogId) : undefined
-        const steps = stepCatalog === undefined ? [] : entriesOf(stepCatalog)
+        const steps =
+          stepCatalog === undefined
+            ? []
+            : entriesOf(stepCatalog).sort(
+                ([leftId, left], [rightId, right]) =>
+                  numberValue(left.order, Number.MAX_SAFE_INTEGER) -
+                    numberValue(right.order, Number.MAX_SAFE_INTEGER) || leftId.localeCompare(rightId)
+              )
 
         return {
           order: numberValue(templateEntry.order, Number.MAX_SAFE_INTEGER),

package/src/platform/constants/versions.ts

@@ -1,3 +1,3 @@
-export const VERSION = {
-  CURRENT: '1.12.7'
-}
+export const VERSION = {
+  CURRENT: '1.12.12'
+}