@elevasis/core 0.39.0 → 0.40.0

package/dist/auth/index.d.ts

@@ -4383,6 +4383,7 @@ type SidebarNode = SidebarSurfaceNode | SidebarGroupNode;
 
 declare const OrganizationModelSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodLiteral<1>>;
+    snapshotHash: z.ZodOptional<z.ZodString>;
     domainMetadata: z.ZodPipe<z.ZodDefault<z.ZodObject<{
         branding: z.ZodOptional<z.ZodObject<{
             version: z.ZodDefault<z.ZodLiteral<1>>;

package/dist/index.d.ts

@@ -4223,6 +4223,7 @@ declare const OrganizationModelDomainMetadataByDomainSchema: z.ZodPipe<z.ZodDefa
 }>>;
 declare const OrganizationModelSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodLiteral<1>>;
+    snapshotHash: z.ZodOptional<z.ZodString>;
     domainMetadata: z.ZodPipe<z.ZodDefault<z.ZodObject<{
         branding: z.ZodOptional<z.ZodObject<{
             version: z.ZodDefault<z.ZodLiteral<1>>;

package/dist/index.js

@@ -2464,6 +2464,18 @@ var OrganizationModelDomainMetadataByDomainSchema = z.object({
 }).partial().default(DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA).transform((metadata) => ({ ...DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA, ...metadata }));
 var OrganizationModelSchemaBase = z.object({
   version: z.literal(1).default(1),
+  /**
+   * Deterministic SHA-256 hex hash of the full resolved model, excluding this
+   * field itself and volatile domainMetadata.lastModified values.
+   *
+   * Stamped at deploy time by the platform OM assembly and persisted alongside
+   * the snapshot in the DB. Compared at API boot to detect stale deployed
+   * snapshots (primary gate: deploy; secondary backstop: boot).
+   *
+   * Optional — absent on models that predate Step 2 versioning or that have
+   * not been stamped (e.g. tenant partial overrides before re-deploy).
+   */
+  snapshotHash: z.string().optional(),
   domainMetadata: OrganizationModelDomainMetadataByDomainSchema,
   branding: OrganizationModelBrandingSchema.default(DEFAULT_ORGANIZATION_MODEL_BRANDING),
   navigation: OrganizationModelNavigationSchema,

package/dist/knowledge/index.d.ts

@@ -374,6 +374,7 @@ type OrganizationModelIconToken = z.infer<typeof OrganizationModelIconTokenSchem
 
 declare const OrganizationModelSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodLiteral<1>>;
+    snapshotHash: z.ZodOptional<z.ZodString>;
     domainMetadata: z.ZodPipe<z.ZodDefault<z.ZodObject<{
         branding: z.ZodOptional<z.ZodObject<{
             version: z.ZodDefault<z.ZodLiteral<1>>;
@@ -1467,19 +1468,22 @@ declare function governs(graph: OrganizationGraph, nodeId: string): string[];
  */
 declare function governedBy(graph: OrganizationGraph, nodeId: string): string[];
 /** The recognized mount axes for Knowledge Map paths. */
-type KnowledgeMount = 'by-system' | 'by-ontology' | 'by-kind' | 'by-owner' | 'graph' | 'node';
+type KnowledgeMount = 'by-system' | 'by-ontology' | 'by-kind' | 'by-owner' | 'graph' | 'node' | 'all-systems' | 'all-resources' | 'all-roles';
 /**
  * The result of parsing a Knowledge Map path string.
  *
  * Shape: `{ mount: KnowledgeMount, args: string[] }`
  *
  * Per-mount arg arrays:
- * - `by-system`:  `[systemId]`   (e.g. `['sales.crm']`)
- * - `by-ontology`:`[ontologyId]` (e.g. `['sales.crm:object/deal']`)
- * - `by-kind`:    `[kind]`       (e.g. `['playbook']`)
- * - `by-owner`:   `[ownerId]`    (e.g. `['role.ops-lead']`)
- * - `graph`:      `[nodeId, verb]` where verb is `'governs'` or `'governed-by'`
- * - `node`:       `[nodeId]`     (single node lookup, no sub-path)
+ * - `by-system`:    `[systemId]`   (e.g. `['sales.crm']`)
+ * - `by-ontology`:  `[ontologyId]` (e.g. `['sales.crm:object/deal']`)
+ * - `by-kind`:      `[kind]`       (e.g. `['playbook']`)
+ * - `by-owner`:     `[ownerId]`    (e.g. `['role.ops-lead']`)
+ * - `graph`:        `[nodeId, verb]` where verb is `'governs'` or `'governed-by'`
+ * - `node`:         `[nodeId]`     (single node lookup, no sub-path)
+ * - `all-systems`:  `[]`           (no args — returns all systems flattened)
+ * - `all-resources`:`[]`           (no args — returns all resources)
+ * - `all-roles`:    `[]`           (no args — returns all roles)
  */
 interface ParsedKnowledgePath {
     mount: KnowledgeMount;
@@ -1489,13 +1493,16 @@ interface ParsedKnowledgePath {
  * Parses a Knowledge Map path string into a `{ mount, args }` descriptor.
  *
  * Supported path patterns:
- *   `/by-system/<systemId>`           -> `{ mount: 'by-system', args: ['<systemId>'] }`
- *   `/by-ontology/<ontologyId>`       -> `{ mount: 'by-ontology', args: ['<ontologyId>'] }`
- *   `/by-kind/<kind>`                 → `{ mount: 'by-kind',    args: ['<kind>'] }`
- *   `/by-owner/<ownerId>`             → `{ mount: 'by-owner',   args: ['<ownerId>'] }`
- *   `/graph/<nodeId>/governs`         → `{ mount: 'graph',      args: ['<nodeId>', 'governs'] }`
- *   `/graph/<nodeId>/governed-by`     → `{ mount: 'graph',      args: ['<nodeId>', 'governed-by'] }`
- *   `/<nodeId>`                       → `{ mount: 'node',       args: ['<nodeId>'] }`
+ *   `/by-system/<systemId>`           -> `{ mount: ‘by-system’,    args: [‘<systemId>’] }`
+ *   `/by-ontology/<ontologyId>`       -> `{ mount: ‘by-ontology’,  args: [‘<ontologyId>’] }`
+ *   `/by-kind/<kind>`                 -> `{ mount: ‘by-kind’,      args: [‘<kind>’] }`
+ *   `/by-owner/<ownerId>`             -> `{ mount: ‘by-owner’,     args: [‘<ownerId>’] }`
+ *   `/graph/<nodeId>/governs`         -> `{ mount: ‘graph’,        args: [‘<nodeId>’, ‘governs’] }`
+ *   `/graph/<nodeId>/governed-by`     -> `{ mount: ‘graph’,        args: [‘<nodeId>’, ‘governed-by’] }`
+ *   `/<nodeId>`                       -> `{ mount: ‘node’,         args: [‘<nodeId>’] }`
+ *   `/all-systems`                    -> `{ mount: ‘all-systems’,  args: [] }`
+ *   `/all-resources`                  -> `{ mount: ‘all-resources’,args: [] }`
+ *   `/all-roles`                      -> `{ mount: ‘all-roles’,    args: [] }`
  *
  * The path MUST start with `/`.  Trailing slashes are stripped before parsing.
  *

package/dist/knowledge/index.js

@@ -200,11 +200,20 @@ function parsePath(pathString) {
     }
     return { mount: "graph", args: [graphNodeId, verb] };
   }
+  if (first === "all-systems" && rest.length === 0) {
+    return { mount: "all-systems", args: [] };
+  }
+  if (first === "all-resources" && rest.length === 0) {
+    return { mount: "all-resources", args: [] };
+  }
+  if (first === "all-roles" && rest.length === 0) {
+    return { mount: "all-roles", args: [] };
+  }
   if (segments.length === 1) {
     return { mount: "node", args: [first] };
   }
   throw new Error(
-    `parsePath: unrecognized path pattern "${pathString}". Supported: /by-system/<id>, /by-kind/<kind>, /by-owner/<id>, /graph/<nodeId>/governs, /graph/<nodeId>/governed-by, /<nodeId>`
+    `parsePath: unrecognized path pattern "${pathString}". Supported: /by-system/<id>, /by-kind/<kind>, /by-owner/<id>, /graph/<nodeId>/governs, /graph/<nodeId>/governed-by, /<nodeId>, /all-systems, /all-resources, /all-roles`
   );
 }
 

package/dist/organization-model/index.d.ts

@@ -4223,6 +4223,7 @@ declare const OrganizationModelDomainMetadataByDomainSchema: z.ZodPipe<z.ZodDefa
 }>>;
 declare const OrganizationModelSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodLiteral<1>>;
+    snapshotHash: z.ZodOptional<z.ZodString>;
     domainMetadata: z.ZodPipe<z.ZodDefault<z.ZodObject<{
         branding: z.ZodOptional<z.ZodObject<{
             version: z.ZodDefault<z.ZodLiteral<1>>;

package/dist/organization-model/index.js

@@ -2464,6 +2464,18 @@ var OrganizationModelDomainMetadataByDomainSchema = z.object({
 }).partial().default(DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA).transform((metadata) => ({ ...DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA, ...metadata }));
 var OrganizationModelSchemaBase = z.object({
   version: z.literal(1).default(1),
+  /**
+   * Deterministic SHA-256 hex hash of the full resolved model, excluding this
+   * field itself and volatile domainMetadata.lastModified values.
+   *
+   * Stamped at deploy time by the platform OM assembly and persisted alongside
+   * the snapshot in the DB. Compared at API boot to detect stale deployed
+   * snapshots (primary gate: deploy; secondary backstop: boot).
+   *
+   * Optional — absent on models that predate Step 2 versioning or that have
+   * not been stamped (e.g. tenant partial overrides before re-deploy).
+   */
+  snapshotHash: z.string().optional(),
   domainMetadata: OrganizationModelDomainMetadataByDomainSchema,
   branding: OrganizationModelBrandingSchema.default(DEFAULT_ORGANIZATION_MODEL_BRANDING),
   navigation: OrganizationModelNavigationSchema,

package/dist/test-utils/index.d.ts

@@ -3859,6 +3859,7 @@ type DeepPartial<T> = T extends Array<infer U> ? Array<DeepPartial<U>> : T exten
 
 declare const OrganizationModelSchema: z.ZodObject<{
     version: z.ZodDefault<z.ZodLiteral<1>>;
+    snapshotHash: z.ZodOptional<z.ZodString>;
     domainMetadata: z.ZodPipe<z.ZodDefault<z.ZodObject<{
         branding: z.ZodOptional<z.ZodObject<{
             version: z.ZodDefault<z.ZodLiteral<1>>;

package/dist/test-utils/index.js

@@ -21612,6 +21612,18 @@ var OrganizationModelDomainMetadataByDomainSchema = z.object({
 }).partial().default(DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA).transform((metadata) => ({ ...DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA, ...metadata }));
 var OrganizationModelSchemaBase = z.object({
   version: z.literal(1).default(1),
+  /**
+   * Deterministic SHA-256 hex hash of the full resolved model, excluding this
+   * field itself and volatile domainMetadata.lastModified values.
+   *
+   * Stamped at deploy time by the platform OM assembly and persisted alongside
+   * the snapshot in the DB. Compared at API boot to detect stale deployed
+   * snapshots (primary gate: deploy; secondary backstop: boot).
+   *
+   * Optional — absent on models that predate Step 2 versioning or that have
+   * not been stamped (e.g. tenant partial overrides before re-deploy).
+   */
+  snapshotHash: z.string().optional(),
   domainMetadata: OrganizationModelDomainMetadataByDomainSchema,
   branding: OrganizationModelBrandingSchema.default(DEFAULT_ORGANIZATION_MODEL_BRANDING),
   navigation: OrganizationModelNavigationSchema,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elevasis/core",
-  "version": "0.39.0",
+  "version": "0.40.0",
   "license": "MIT",
   "description": "Minimal shared constants across Elevasis monorepo",
   "sideEffects": false,

package/src/business/acquisition/ontology-validation.ts

@@ -15,10 +15,7 @@ import {
   SYSTEM_INTERFACE_READINESS_PROFILES
 } from '../../organization-model/domains/systems'
 import type { OmTopologyRelationship } from '../../organization-model/domains/topology'
-import {
-  type LeadGenStageCatalogEntry,
-  type StatefulStateDefinition
-} from '../../organization-model/domains/sales'
+import { type LeadGenStageCatalogEntry, type StatefulStateDefinition } from '../../organization-model/domains/sales'
 import { getSystem } from '../../organization-model/helpers'
 import { getLeadGenStageCatalog } from '../../organization-model/migration-helpers'
 
@@ -107,6 +104,11 @@ export type SystemInterfaceReadinessIssueFamily =
   | 'SYSTEM_INTERFACE_INVALID'
   | 'SYSTEM_INTERFACE_NOT_READY'
   | 'SYSTEM_BRIDGE_NOT_READY'
+  /**
+   * The deployed OM snapshot hash does not match the canonical source hash.
+   * Redeploy with `pnpm operations:deploy` to refresh the snapshot.
+   */
+  | 'STALE_OM_SNAPSHOT'
 
 export interface SystemInterfaceReadinessIssue {
   family: SystemInterfaceReadinessIssueFamily
@@ -266,7 +268,10 @@ function getActiveScopedResources(
   return resources
 }
 
-function resourceBindingIds(resources: ResourceEntry[], key: 'reads' | 'writes' | 'usesCatalogs' | 'actions' | 'emits'): Set<string> {
+function resourceBindingIds(
+  resources: ResourceEntry[],
+  key: 'reads' | 'writes' | 'usesCatalogs' | 'actions' | 'emits'
+): Set<string> {
   return new Set(resources.flatMap((resource) => resource.ontology?.[key] ?? []))
 }
 
@@ -288,7 +293,11 @@ function requireScopedBinding(
   )
 }
 
-function ontologyOwnerMatches(ontologyId: string, expectedSystemPath: string, catalog: OntologyCatalogType | undefined): boolean {
+function ontologyOwnerMatches(
+  ontologyId: string,
+  expectedSystemPath: string,
+  catalog: OntologyCatalogType | undefined
+): boolean {
   if (catalog?.ownerSystemId !== undefined) return catalog.ownerSystemId === expectedSystemPath
   return parseOntologyId(ontologyId).scope === expectedSystemPath
 }
@@ -579,7 +588,13 @@ export function computeInterfaceReadiness(
       `System "${request.systemPath}" is missing.`,
       { ref: request.systemPath }
     )
-    return { ready: false, systemPath: request.systemPath, interfaceKey: request.interfaceKey, scopedResourceIds, issues }
+    return {
+      ready: false,
+      systemPath: request.systemPath,
+      interfaceKey: request.interfaceKey,
+      scopedResourceIds,
+      issues
+    }
   }
 
   if (systemInterface === undefined) {
@@ -590,7 +605,13 @@ export function computeInterfaceReadiness(
       `System "${request.systemPath}" does not declare interface "${request.interfaceKey}".`,
       { path: readinessMarkerPath(request) }
     )
-    return { ready: false, systemPath: request.systemPath, interfaceKey: request.interfaceKey, scopedResourceIds, issues }
+    return {
+      ready: false,
+      systemPath: request.systemPath,
+      interfaceKey: request.interfaceKey,
+      scopedResourceIds,
+      issues
+    }
   }
 
   if (systemInterface.lifecycle !== 'active') {
@@ -604,7 +625,8 @@ export function computeInterfaceReadiness(
   }
 
   const supportedProfile =
-    readinessProfile !== undefined && SYSTEM_INTERFACE_PROFILES.some((profile) => profile.readinessProfile === readinessProfile)
+    readinessProfile !== undefined &&
+    SYSTEM_INTERFACE_PROFILES.some((profile) => profile.readinessProfile === readinessProfile)
 
   if (!supportedProfile) {
     addReadinessIssue(

package/src/knowledge/index.ts

@@ -1,4 +1,17 @@
-export { bySystem, byOntology, byKind, byOwner, governs, governedBy, parsePath, omSearch, omDescribe } from './queries'
+export {
+  bySystem,
+  byOntology,
+  byKind,
+  byOwner,
+  governs,
+  governedBy,
+  parsePath,
+  omSearch,
+  omDescribe,
+  listAllSystemsFlat,
+  listAllResources,
+  listAllRoles
+} from './queries'
 export type {
   KnowledgeMount,
   ParsedKnowledgePath,

package/src/knowledge/queries.ts

@@ -217,12 +217,54 @@ export function governedBy(graph: OrganizationGraph, nodeId: string): string[] {
   return results
 }
 
+// ---------------------------------------------------------------------------
+// Enumeration helpers (Bucket 4: /all-* mounts)
+// ---------------------------------------------------------------------------
+
+/**
+ * Returns all systems flattened from the recursive OM tree via `listAllSystems`.
+ *
+ * Each entry is `{ path, system }` — the same shape produced by `listAllSystems`.
+ *
+ * @param model - The resolved OrganizationModel.
+ */
+export function listAllSystemsFlat(model: OrganizationModel): ReturnType<typeof listAllSystems> {
+  return listAllSystems(model)
+}
+
+/**
+ * Returns every resource from the model as a flat array, sorted by id.
+ *
+ * @param model - The resolved OrganizationModel.
+ */
+export function listAllResources(model: OrganizationModel): NonNullable<OrganizationModel['resources']>[string][] {
+  return Object.values(model.resources ?? {}).sort((a, b) => a.id.localeCompare(b.id))
+}
+
+/**
+ * Returns every role from the model as a flat array, sorted by id.
+ *
+ * @param model - The resolved OrganizationModel.
+ */
+export function listAllRoles(model: OrganizationModel): NonNullable<OrganizationModel['roles']>[string][] {
+  return Object.values(model.roles ?? {}).sort((a, b) => a.id.localeCompare(b.id))
+}
+
 // ---------------------------------------------------------------------------
 // Path parser
 // ---------------------------------------------------------------------------
 
 /** The recognized mount axes for Knowledge Map paths. */
-export type KnowledgeMount = 'by-system' | 'by-ontology' | 'by-kind' | 'by-owner' | 'graph' | 'node'
+export type KnowledgeMount =
+  | 'by-system'
+  | 'by-ontology'
+  | 'by-kind'
+  | 'by-owner'
+  | 'graph'
+  | 'node'
+  | 'all-systems'
+  | 'all-resources'
+  | 'all-roles'
 
 /**
  * The result of parsing a Knowledge Map path string.
@@ -230,12 +272,15 @@ export type KnowledgeMount = 'by-system' | 'by-ontology' | 'by-kind' | 'by-owner
  * Shape: `{ mount: KnowledgeMount, args: string[] }`
  *
  * Per-mount arg arrays:
- * - `by-system`:  `[systemId]`   (e.g. `['sales.crm']`)
- * - `by-ontology`:`[ontologyId]` (e.g. `['sales.crm:object/deal']`)
- * - `by-kind`:    `[kind]`       (e.g. `['playbook']`)
- * - `by-owner`:   `[ownerId]`    (e.g. `['role.ops-lead']`)
- * - `graph`:      `[nodeId, verb]` where verb is `'governs'` or `'governed-by'`
- * - `node`:       `[nodeId]`     (single node lookup, no sub-path)
+ * - `by-system`:    `[systemId]`   (e.g. `['sales.crm']`)
+ * - `by-ontology`:  `[ontologyId]` (e.g. `['sales.crm:object/deal']`)
+ * - `by-kind`:      `[kind]`       (e.g. `['playbook']`)
+ * - `by-owner`:     `[ownerId]`    (e.g. `['role.ops-lead']`)
+ * - `graph`:        `[nodeId, verb]` where verb is `'governs'` or `'governed-by'`
+ * - `node`:         `[nodeId]`     (single node lookup, no sub-path)
+ * - `all-systems`:  `[]`           (no args — returns all systems flattened)
+ * - `all-resources`:`[]`           (no args — returns all resources)
+ * - `all-roles`:    `[]`           (no args — returns all roles)
  */
 export interface ParsedKnowledgePath {
   mount: KnowledgeMount
@@ -246,13 +291,16 @@ export interface ParsedKnowledgePath {
  * Parses a Knowledge Map path string into a `{ mount, args }` descriptor.
  *
  * Supported path patterns:
- *   `/by-system/<systemId>`           -> `{ mount: 'by-system', args: ['<systemId>'] }`
- *   `/by-ontology/<ontologyId>`       -> `{ mount: 'by-ontology', args: ['<ontologyId>'] }`
- *   `/by-kind/<kind>`                 → `{ mount: 'by-kind',    args: ['<kind>'] }`
- *   `/by-owner/<ownerId>`             → `{ mount: 'by-owner',   args: ['<ownerId>'] }`
- *   `/graph/<nodeId>/governs`         → `{ mount: 'graph',      args: ['<nodeId>', 'governs'] }`
- *   `/graph/<nodeId>/governed-by`     → `{ mount: 'graph',      args: ['<nodeId>', 'governed-by'] }`
- *   `/<nodeId>`                       → `{ mount: 'node',       args: ['<nodeId>'] }`
+ *   `/by-system/<systemId>`           -> `{ mount: ‘by-system’,    args: [‘<systemId>’] }`
+ *   `/by-ontology/<ontologyId>`       -> `{ mount: ‘by-ontology’,  args: [‘<ontologyId>’] }`
+ *   `/by-kind/<kind>`                 -> `{ mount: ‘by-kind’,      args: [‘<kind>’] }`
+ *   `/by-owner/<ownerId>`             -> `{ mount: ‘by-owner’,     args: [‘<ownerId>’] }`
+ *   `/graph/<nodeId>/governs`         -> `{ mount: ‘graph’,        args: [‘<nodeId>’, ‘governs’] }`
+ *   `/graph/<nodeId>/governed-by`     -> `{ mount: ‘graph’,        args: [‘<nodeId>’, ‘governed-by’] }`
+ *   `/<nodeId>`                       -> `{ mount: ‘node’,         args: [‘<nodeId>’] }`
+ *   `/all-systems`                    -> `{ mount: ‘all-systems’,  args: [] }`
+ *   `/all-resources`                  -> `{ mount: ‘all-resources’,args: [] }`
+ *   `/all-roles`                      -> `{ mount: ‘all-roles’,    args: [] }`
  *
  * The path MUST start with `/`.  Trailing slashes are stripped before parsing.
  *
@@ -325,6 +373,17 @@ export function parsePath(pathString: string): ParsedKnowledgePath {
     return { mount: 'graph', args: [graphNodeId, verb] }
   }
 
+  // /all-systems  /all-resources  /all-roles  (no-arg enumeration mounts)
+  if (first === 'all-systems' && rest.length === 0) {
+    return { mount: 'all-systems', args: [] }
+  }
+  if (first === 'all-resources' && rest.length === 0) {
+    return { mount: 'all-resources', args: [] }
+  }
+  if (first === 'all-roles' && rest.length === 0) {
+    return { mount: 'all-roles', args: [] }
+  }
+
   // /<nodeId>  (single node)
   // first must not be a recognized mount prefix
   if (segments.length === 1) {
@@ -332,7 +391,7 @@ export function parsePath(pathString: string): ParsedKnowledgePath {
   }
 
   throw new Error(
-    `parsePath: unrecognized path pattern "${pathString}". Supported: /by-system/<id>, /by-kind/<kind>, /by-owner/<id>, /graph/<nodeId>/governs, /graph/<nodeId>/governed-by, /<nodeId>`
+    `parsePath: unrecognized path pattern "${pathString}". Supported: /by-system/<id>, /by-kind/<kind>, /by-owner/<id>, /graph/<nodeId>/governs, /graph/<nodeId>/governed-by, /<nodeId>, /all-systems, /all-resources, /all-roles`
   )
 }
 

package/src/organization-model/__tests__/snapshot-hash.test.ts

@@ -0,0 +1,82 @@
+import { describe, expect, it } from 'vitest'
+import { canonicalStringifyOrganizationModel } from '../snapshot-hash'
+import type { OrganizationModel } from '../types'
+import { resolveOrganizationModel } from '../resolve'
+
+// Minimal valid resolved model for hash-stability tests.
+function makeModel(overrides: Partial<OrganizationModel> = {}): OrganizationModel {
+  return resolveOrganizationModel(overrides)
+}
+
+describe('canonicalStringifyOrganizationModel', () => {
+  it('produces the same string regardless of key insertion order', () => {
+    // Two equivalent objects with different key ordering in domainMetadata.
+    const model = makeModel()
+
+    // Produce two copies with the same semantic content but different metadata key order.
+    const a: OrganizationModel = { ...model }
+    const b: OrganizationModel = {
+      ...model,
+      // Re-assign domainMetadata entries in a different key order.
+      domainMetadata: Object.fromEntries(
+        Object.entries(model.domainMetadata).reverse()
+      ) as OrganizationModel['domainMetadata']
+    }
+
+    expect(canonicalStringifyOrganizationModel(a)).toBe(canonicalStringifyOrganizationModel(b))
+  })
+
+  it('excludes the snapshotHash field from the serialized output', () => {
+    const base = makeModel()
+    const withHash: OrganizationModel = { ...base, snapshotHash: 'abc123' }
+    const withOtherHash: OrganizationModel = { ...base, snapshotHash: 'xyz789' }
+    const withoutHash: OrganizationModel = { ...base, snapshotHash: undefined }
+
+    // All three produce the same canonical string — snapshotHash is excluded.
+    expect(canonicalStringifyOrganizationModel(withHash)).toBe(canonicalStringifyOrganizationModel(withoutHash))
+    expect(canonicalStringifyOrganizationModel(withHash)).toBe(canonicalStringifyOrganizationModel(withOtherHash))
+  })
+
+  it('excludes domainMetadata lastModified from the serialized output', () => {
+    const base = makeModel()
+
+    // Two models differing only in lastModified.
+    const earlyDate: OrganizationModel = {
+      ...base,
+      domainMetadata: {
+        ...base.domainMetadata,
+        branding: { version: 1, lastModified: '2026-01-01' }
+      }
+    }
+    const lateDate: OrganizationModel = {
+      ...base,
+      domainMetadata: {
+        ...base.domainMetadata,
+        branding: { version: 1, lastModified: '2026-12-31' }
+      }
+    }
+
+    expect(canonicalStringifyOrganizationModel(earlyDate)).toBe(canonicalStringifyOrganizationModel(lateDate))
+  })
+
+  it('produces different strings for different semantic content', () => {
+    const modelA = makeModel({ version: 1 })
+    const modelB = makeModel({
+      version: 1,
+      branding: { organizationName: 'AlphaOrg', productName: 'AlphaPlatform', shortName: 'Alpha' }
+    })
+
+    // Different semantic content → different canonical strings.
+    expect(canonicalStringifyOrganizationModel(modelA)).not.toBe(canonicalStringifyOrganizationModel(modelB))
+  })
+
+  it('is deterministic across multiple calls with the same input', () => {
+    const model = makeModel()
+    const first = canonicalStringifyOrganizationModel(model)
+    const second = canonicalStringifyOrganizationModel(model)
+    const third = canonicalStringifyOrganizationModel(model)
+
+    expect(first).toBe(second)
+    expect(first).toBe(third)
+  })
+})

package/src/organization-model/index.ts

@@ -1,5 +1,6 @@
 export * from './cross-ref'
 export * from './schema'
+export * from './snapshot-hash'
 export * from './types'
 export * from './ontology'
 export * from './contracts'

package/src/organization-model/schema.ts

@@ -91,6 +91,18 @@ export const OrganizationModelDomainMetadataByDomainSchema = z
 //   Surfaces are derived from navigation.sidebar routeable leaves.
 const OrganizationModelSchemaBase = z.object({
   version: z.literal(1).default(1),
+  /**
+   * Deterministic SHA-256 hex hash of the full resolved model, excluding this
+   * field itself and volatile domainMetadata.lastModified values.
+   *
+   * Stamped at deploy time by the platform OM assembly and persisted alongside
+   * the snapshot in the DB. Compared at API boot to detect stale deployed
+   * snapshots (primary gate: deploy; secondary backstop: boot).
+   *
+   * Optional — absent on models that predate Step 2 versioning or that have
+   * not been stamped (e.g. tenant partial overrides before re-deploy).
+   */
+  snapshotHash: z.string().optional(),
   domainMetadata: OrganizationModelDomainMetadataByDomainSchema,
   branding: OrganizationModelBrandingSchema.default(DEFAULT_ORGANIZATION_MODEL_BRANDING),
   navigation: OrganizationModelNavigationSchema,

package/src/organization-model/server/snapshot-hash-server.ts

@@ -0,0 +1,23 @@
+/**
+ * Server-only: compute a deterministic SHA-256 hash for an OrganizationModel snapshot.
+ *
+ * Uses node:crypto — never import this file from browser-reachable code.
+ * For the browser-safe canonical serializer, use `canonicalStringifyOrganizationModel`
+ * from `@repo/core/organization-model`.
+ */
+
+import { createHash } from 'node:crypto'
+import type { OrganizationModel } from '../types'
+import { canonicalStringifyOrganizationModel } from '../snapshot-hash'
+
+/**
+ * Compute a deterministic SHA-256 hex hash for an OrganizationModel.
+ *
+ * Delegates serialization to `canonicalStringifyOrganizationModel` (key-sorted,
+ * excludes `snapshotHash` and `domainMetadata[*].lastModified`) then hashes with SHA-256.
+ *
+ * @returns 64-character lowercase hex string
+ */
+export function computeOrganizationModelSnapshotHash(model: OrganizationModel): string {
+  return createHash('sha256').update(canonicalStringifyOrganizationModel(model)).digest('hex')
+}

package/src/organization-model/snapshot-hash.ts

@@ -0,0 +1,64 @@
+/**
+ * Deterministic canonical serialization helper for OrganizationModel snapshot hashing.
+ *
+ * Provides a stable JSON stringify that produces identical output for equivalent objects
+ * regardless of key insertion order. Used by deploy-time and boot-time snapshot hash
+ * verification to detect stale deployed OM snapshots.
+ *
+ * Only the serialization is here (browser-safe). Callers that need a hash compute it
+ * themselves using their preferred crypto implementation (e.g. node:crypto sha256).
+ */
+
+import type { OrganizationModel } from './types'
+
+/**
+ * Recursively serialize a value to a deterministic JSON string with sorted keys.
+ * Arrays preserve order; objects sort keys lexicographically.
+ */
+function deterministicStringify(value: unknown): string {
+  if (Array.isArray(value)) {
+    return `[${value.map(deterministicStringify).join(',')}]`
+  }
+
+  if (value !== null && typeof value === 'object') {
+    return `{${Object.entries(value as Record<string, unknown>)
+      .sort(([a], [b]) => a.localeCompare(b))
+      .map(([key, entry]) => `${JSON.stringify(key)}:${deterministicStringify(entry)}`)
+      .join(',')}}`
+  }
+
+  return JSON.stringify(value)
+}
+
+/**
+ * Produce a deterministic canonical string for an OrganizationModel suitable for hashing.
+ *
+ * Exclusions (volatile / self-referential fields that must not be part of the hash input):
+ *   - `snapshotHash`   — the field being populated from this hash; must not be circular
+ *   - `domainMetadata[*].lastModified` — wall-clock date string; changes on every edit
+ *     independent of semantic content, causing spurious hash mismatches
+ *
+ * Same model content → same canonical string, regardless of key insertion order.
+ */
+export function canonicalStringifyOrganizationModel(model: OrganizationModel): string {
+  // Shallow-clone to strip snapshotHash without mutating the caller's object.
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  const { snapshotHash: _snapshotHash, domainMetadata, ...rest } = model
+
+  // Strip lastModified from each domain metadata entry so volatile dates do not
+  // pollute the hash. The domain version numbers are still included.
+  const strippedDomainMetadata = domainMetadata
+    ? Object.fromEntries(
+        Object.entries(domainMetadata).map(([domain, meta]) => {
+          if (meta === null || typeof meta !== 'object') return [domain, meta]
+          // eslint-disable-next-line @typescript-eslint/no-unused-vars
+          const { lastModified: _lastModified, ...metaRest } = meta as Record<string, unknown>
+          return [domain, metaRest]
+        })
+      )
+    : undefined
+
+  const forHashing = strippedDomainMetadata !== undefined ? { ...rest, domainMetadata: strippedDomainMetadata } : rest
+
+  return deterministicStringify(forHashing)
+}

package/src/platform/constants/versions.ts

@@ -1,3 +1,3 @@
 export const VERSION = {
-  CURRENT: '1.12.14'
+  CURRENT: '1.12.16'
 }

package/src/server.ts

@@ -1,289 +1,292 @@
-/**
- * Server-only exports for @repo/core
- *
- * WARNING: DO NOT import in browser/frontend code
- * This module uses Node.js APIs (crypto, process.env) and server-side libraries
- *
- * For browser-safe imports, use '@repo/core' instead
- */
-
-// Credential management (uses Node.js crypto)
-export {
-  encryptCredential,
-  decryptCredential,
-  setKek,
-  clearKeks,
-  CURRENT_KEY_ID,
-  LEGACY_KEY_ID
-} from './auth/multi-tenancy/credentials/server/encryption'
-
-export { loadCredentialKEKs } from './auth/multi-tenancy/credentials/server/kek-loader'
-
-export {
-  prepareCredentialForInsert,
-  decryptCredentialValue,
-  transformToMetadata,
-  type CreateCredentialParams,
-  type CredentialMetadata
-} from './auth/multi-tenancy/credentials/server/service'
-
-// Session management (uses Supabase service client)
-export { SessionManager } from './operations/sessions/server/manager'
-export { Session } from './operations/sessions/server/session'
-export type {
-  SessionTurnResult,
-  CreateSessionParams,
-  ListSessionsFilters,
-  SessionRow,
-  SessionInsert
-} from './operations/sessions/types'
-
-// Multi-tenancy WorkOS types and transforms (server-only)
-export * from './auth/multi-tenancy/organizations/server'
-export * from './auth/multi-tenancy/users/server'
-export * from './auth/multi-tenancy/memberships/server'
-export * from './auth/multi-tenancy/invitations/server'
-
-// Note: Browser-safe and Supabase types are re-exported from /server subdirectories
-// No additional re-exports needed here to avoid conflicts
-
-// Supabase client (service role with process.env credentials - lazy initialization)
-export { getSupabaseClient, supabaseClient } from './supabase/server/client'
-export type { SupabaseClient, Database, Tables, TablesInsert, TablesUpdate, Json } from './supabase'
-
-// OAuth credentials and token refresh (uses process.env for client credentials)
-export { getOAuthCredentials } from './integrations/oauth/server/credentials'
-export { refreshOAuthTokenIfExpired, forceRefreshOAuthToken } from './integrations/oauth/server/refresh'
-
-// Integration adapters (uses Node.js SDKs - googleapis, @slack/web-api)
-export { GmailAdapter } from './execution/engine/tools/integration/server/adapters/gmail/gmail-adapter'
-export { AttioAdapter } from './execution/engine/tools/integration/server/adapters/attio'
-export { GoogleSheetsAdapter } from './execution/engine/tools/integration/server/adapters/google-sheets'
-export { ApifyAdapter } from './execution/engine/tools/integration/server/adapters/apify'
-export { ApolloAdapter } from './execution/engine/tools/integration/server/adapters/apollo'
-export { InstantlyAdapter } from './execution/engine/tools/integration/server/adapters/instantly'
-export { ResendAdapter } from './execution/engine/tools/integration/server/adapters/resend'
-export { AnymailfinderAdapter } from './execution/engine/tools/integration/server/adapters/anymailfinder'
-export { TombaAdapter } from './execution/engine/tools/integration/server/adapters/tomba'
-export { MillionVerifierAdapter } from './execution/engine/tools/integration/server/adapters/millionverifier'
-export { StripeAdapter } from './execution/engine/tools/integration/server/adapters/stripe'
-export { SignatureApiAdapter } from './execution/engine/tools/integration/server/adapters/signature-api'
-export { DropboxAdapter } from './execution/engine/tools/integration/server/adapters/dropbox'
-export { ClickUpAdapter } from './execution/engine/tools/integration/server/adapters/clickup'
-export {
-  GoogleCalendarAdapter,
-  type CalendarEvent,
-  type CalendarDateTime,
-  type ListEventsResult
-} from './execution/engine/tools/integration/server/adapters/google-calendar'
-
-// Integration Tool Factories (server-only - uses adapters above)
-export {
-  createGmailSendEmailTool,
-  createGmailSendEmailToolNamed
-} from './execution/engine/tools/integration/server/adapters/gmail/gmail-tools'
-export {
-  createAttioCreateRecordTool,
-  createAttioUpdateRecordTool,
-  createAttioListRecordsTool,
-  createAttioGetRecordTool,
-  createAttioDeleteRecordTool,
-  createAttioToolNamed,
-  // Schema operations
-  createAttioListObjectsTool,
-  createAttioListAttributesTool,
-  createAttioCreateAttributeTool,
-  createAttioUpdateAttributeTool,
-  // Note operations
-  createAttioCreateNoteTool
-} from './execution/engine/tools/integration/server/adapters/attio'
-export {
-  // Core methods
-  createGoogleSheetsReadTool,
-  createGoogleSheetsWriteTool,
-  createGoogleSheetsAppendTool,
-  createGoogleSheetsClearTool,
-  createGoogleSheetsMetadataTool,
-  createGoogleSheetsBatchUpdateTool,
-  // Workflow-friendly methods
-  createGoogleSheetsGetHeadersTool,
-  createGoogleSheetsGetLastRowTool,
-  createGoogleSheetsFindRowTool,
-  createGoogleSheetsUpdateRowTool,
-  createGoogleSheetsUpsertRowTool,
-  createGoogleSheetsFilterRowsTool,
-  createGoogleSheetsDeleteRowTool
-} from './execution/engine/tools/integration/server/adapters/google-sheets'
-export { createApifyRunActorTool } from './execution/engine/tools/integration/server/adapters/apify'
-export {
-  createInstantlySendReplyTool,
-  createInstantlyRemoveFromSubsequenceTool,
-  createInstantlyGetEmailsTool,
-  createInstantlyUpdateInterestStatusTool,
-  createInstantlyAddToCampaignTool
-} from './execution/engine/tools/integration/server/adapters/instantly'
-export {
-  createResendSendEmailTool,
-  createResendGetEmailTool,
-  createResendSendEmailToolNamed
-} from './execution/engine/tools/integration/server/adapters/resend'
-export {
-  createAnymailfinderFindCompanyEmailTool,
-  createAnymailfinderFindPersonEmailTool,
-  createAnymailfinderFindDecisionMakerEmailTool,
-  createAnymailfinderVerifyEmailTool
-} from './execution/engine/tools/integration/server/adapters/anymailfinder'
-export {
-  createTombaEmailFinderTool,
-  createTombaDomainSearchTool,
-  createTombaEmailVerifierTool
-} from './execution/engine/tools/integration/server/adapters/tomba'
-export {
-  createMillionVerifierVerifyEmailTool,
-  createMillionVerifierCheckCreditsTool
-} from './execution/engine/tools/integration/server/adapters/millionverifier'
-export {
-  createDropboxUploadTool,
-  createDropboxCreateFolderTool
-} from './execution/engine/tools/integration/server/adapters/dropbox'
-export {
-  createStripeCreatePaymentLinkTool,
-  createStripeGetPaymentLinkTool,
-  createStripeUpdatePaymentLinkTool,
-  createStripeListPaymentLinksTool,
-  createStripeCheckoutSessionTool,
-  createStripeAutoPaymentLinkTool
-} from './execution/engine/tools/integration/server/adapters/stripe'
-
-// Resend fetch functions (low-level API for platform email service)
-export { sendEmail as sendResendEmail } from './execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index'
-export type {
-  ResendCredentials,
-  SendEmailParams as ResendSendEmailParams,
-  SendEmailResult as ResendSendEmailResult
-} from './execution/engine/tools/integration/server/adapters/resend/fetch/utils/types'
-
-// Resend email configuration (high-level sender config for workflows)
-export type { ResendEmailConfig } from './execution/engine/tools/integration/server/adapters/resend/types'
-
-// SignatureAPI types (for eSignature envelope operations)
-export type {
-  SignatureApiCredentials,
-  CreateEnvelopeParams,
-  CreateEnvelopeResult,
-  VoidEnvelopeParams,
-  VoidEnvelopeResult,
-  DownloadDocumentParams,
-  DownloadDocumentResult,
-  EnvelopeDocument,
-  Recipient,
-  SigningPlace
-} from './execution/engine/tools/integration/server/adapters/signature-api'
-
-// Execution validators (uses process.env for environment detection)
-export { detectEnvironment, canExecuteResource, type Environment } from './execution/core/server/environment'
-
-// HMAC token utilities (uses Node.js crypto - server-only)
-export { generateHmacToken, verifyHmacToken, generateBrochureUrl } from './platform/utils/server/hmac'
-export {
-  generateUnsubscribeToken,
-  verifyUnsubscribeToken,
-  generateUnsubscribeUrl,
-  generateUnsubscribeHeaders
-} from './platform/utils/server/unsubscribe'
-
-// Better Stack error logging (uses @sentry/node - server-only)
-export {
-  bslogExternalServiceError,
-  bslogExecutionFailure,
-  isSystemError
-} from './platform/utils/server/betterstack-logger'
-
-// LLM Adapters (uses betterstack-logger - server-only)
-export { OpenAIAdapter, isOpenAIModel, type OpenAIAdapterConfig } from './execution/engine/llm/adapters/server/openai'
-export {
-  OpenRouterAdapter,
-  isOpenRouterModel,
-  type OpenRouterAdapterConfig
-} from './execution/engine/llm/adapters/server/openrouter'
-export { createLLMAdapter } from './execution/engine/llm/adapters/server/adapter-factory'
-
-// Browser-safe adapters (also exported from server for convenience)
-export { UniversalLLMAdapter } from './execution/engine/llm/adapters/universal-adapter'
-export { MockAdapter, isMockModel } from './execution/engine/llm/adapters/mock-adapter'
-export { configureCircuitBreakerAlerts } from './execution/engine/llm/adapters/circuit-breaker'
-
-// LLM Tool factory (uses server-only adapters)
-export { createLLMCallTool, type LLMCallToolConfig } from './execution/engine/tools/llm/server'
-
-// Workflow step helper (uses server-only adapters)
-export { llmCall, type LLMCallOptions } from './execution/engine/workflow/helpers/server'
-
-// Retained server-side resource invocation service types live under @repo/core/execution.
-// Deployed SDK workers use platform.call() -> dispatcher for nested execution.
-
-// Resilience utilities (timeout, circuit breaker, infrastructure errors)
-export {
-  // Existing
-  withTimeout,
-  SERVICE_TIMEOUTS,
-  createCircuitBreaker,
-  CircuitState,
-  ServiceTimeoutError,
-  ServiceUnavailableError,
-  isInfrastructureError,
-  type CircuitBreaker,
-  type CircuitBreakerConfig,
-  // Rate limiting
-  InMemoryRateLimiter,
-  createRateLimiter,
-  // Retry logic
-  withRetry,
-  calculateRetryDelay,
-  sleep,
-  DEFAULT_RETRY_POLICY,
-  // HTTP error mapping
-  createHttpError,
-  mapHttpStatusToErrorType,
-  type RateLimiter,
-  type RetryPolicy,
-  type HttpErrorContext,
-  type ErrorParser
-} from './platform/resilience'
-
-// Acquisition Platform Tools (lead database)
-export {
-  // List tools
-  createAcqListCreateTool,
-  createAcqListUpdateTool,
-  createAcqListDeleteTool,
-  createAcqListListTool,
-  // Company tools
-  createAcqCompanyCreateTool,
-  createAcqCompanyUpdateTool,
-  createAcqCompanyUpsertTool,
-  createAcqCompanyGetTool,
-  createAcqCompanyListTool,
-  createAcqCompanyDeleteTool,
-  // Contact tools
-  createAcqContactCreateTool,
-  createAcqContactUpdateTool,
-  createAcqContactUpsertTool,
-  createAcqContactGetTool,
-  createAcqContactListTool,
-  createAcqContactDeleteTool,
-  createAcqContactBulkImportTool
-} from './execution/engine/tools/platform/acquisition'
-
-// PDF Tool (server-only - uses React-PDF renderToBuffer)
-export {
-  createPdfRenderTool,
-  type PdfRenderInput,
-  type PdfRenderOutput,
-  type PdfToolConfig,
-  PdfRenderInputSchema,
-  PdfRenderOutputSchema
-} from './execution/engine/tools/platform/pdf'
-
-// PDF Document types (for constructing documents programmatically)
-export type { PDFDocument, ContentBlock, Page as PDFPage } from './business/pdf/types'
+/**
+ * Server-only exports for @repo/core
+ *
+ * WARNING: DO NOT import in browser/frontend code
+ * This module uses Node.js APIs (crypto, process.env) and server-side libraries
+ *
+ * For browser-safe imports, use '@repo/core' instead
+ */
+
+// Credential management (uses Node.js crypto)
+export {
+  encryptCredential,
+  decryptCredential,
+  setKek,
+  clearKeks,
+  CURRENT_KEY_ID,
+  LEGACY_KEY_ID
+} from './auth/multi-tenancy/credentials/server/encryption'
+
+export { loadCredentialKEKs } from './auth/multi-tenancy/credentials/server/kek-loader'
+
+export {
+  prepareCredentialForInsert,
+  decryptCredentialValue,
+  transformToMetadata,
+  type CreateCredentialParams,
+  type CredentialMetadata
+} from './auth/multi-tenancy/credentials/server/service'
+
+// Session management (uses Supabase service client)
+export { SessionManager } from './operations/sessions/server/manager'
+export { Session } from './operations/sessions/server/session'
+export type {
+  SessionTurnResult,
+  CreateSessionParams,
+  ListSessionsFilters,
+  SessionRow,
+  SessionInsert
+} from './operations/sessions/types'
+
+// Multi-tenancy WorkOS types and transforms (server-only)
+export * from './auth/multi-tenancy/organizations/server'
+export * from './auth/multi-tenancy/users/server'
+export * from './auth/multi-tenancy/memberships/server'
+export * from './auth/multi-tenancy/invitations/server'
+
+// Note: Browser-safe and Supabase types are re-exported from /server subdirectories
+// No additional re-exports needed here to avoid conflicts
+
+// Supabase client (service role with process.env credentials - lazy initialization)
+export { getSupabaseClient, supabaseClient } from './supabase/server/client'
+export type { SupabaseClient, Database, Tables, TablesInsert, TablesUpdate, Json } from './supabase'
+
+// OAuth credentials and token refresh (uses process.env for client credentials)
+export { getOAuthCredentials } from './integrations/oauth/server/credentials'
+export { refreshOAuthTokenIfExpired, forceRefreshOAuthToken } from './integrations/oauth/server/refresh'
+
+// Integration adapters (uses Node.js SDKs - googleapis, @slack/web-api)
+export { GmailAdapter } from './execution/engine/tools/integration/server/adapters/gmail/gmail-adapter'
+export { AttioAdapter } from './execution/engine/tools/integration/server/adapters/attio'
+export { GoogleSheetsAdapter } from './execution/engine/tools/integration/server/adapters/google-sheets'
+export { ApifyAdapter } from './execution/engine/tools/integration/server/adapters/apify'
+export { ApolloAdapter } from './execution/engine/tools/integration/server/adapters/apollo'
+export { InstantlyAdapter } from './execution/engine/tools/integration/server/adapters/instantly'
+export { ResendAdapter } from './execution/engine/tools/integration/server/adapters/resend'
+export { AnymailfinderAdapter } from './execution/engine/tools/integration/server/adapters/anymailfinder'
+export { TombaAdapter } from './execution/engine/tools/integration/server/adapters/tomba'
+export { MillionVerifierAdapter } from './execution/engine/tools/integration/server/adapters/millionverifier'
+export { StripeAdapter } from './execution/engine/tools/integration/server/adapters/stripe'
+export { SignatureApiAdapter } from './execution/engine/tools/integration/server/adapters/signature-api'
+export { DropboxAdapter } from './execution/engine/tools/integration/server/adapters/dropbox'
+export { ClickUpAdapter } from './execution/engine/tools/integration/server/adapters/clickup'
+export {
+  GoogleCalendarAdapter,
+  type CalendarEvent,
+  type CalendarDateTime,
+  type ListEventsResult
+} from './execution/engine/tools/integration/server/adapters/google-calendar'
+
+// Integration Tool Factories (server-only - uses adapters above)
+export {
+  createGmailSendEmailTool,
+  createGmailSendEmailToolNamed
+} from './execution/engine/tools/integration/server/adapters/gmail/gmail-tools'
+export {
+  createAttioCreateRecordTool,
+  createAttioUpdateRecordTool,
+  createAttioListRecordsTool,
+  createAttioGetRecordTool,
+  createAttioDeleteRecordTool,
+  createAttioToolNamed,
+  // Schema operations
+  createAttioListObjectsTool,
+  createAttioListAttributesTool,
+  createAttioCreateAttributeTool,
+  createAttioUpdateAttributeTool,
+  // Note operations
+  createAttioCreateNoteTool
+} from './execution/engine/tools/integration/server/adapters/attio'
+export {
+  // Core methods
+  createGoogleSheetsReadTool,
+  createGoogleSheetsWriteTool,
+  createGoogleSheetsAppendTool,
+  createGoogleSheetsClearTool,
+  createGoogleSheetsMetadataTool,
+  createGoogleSheetsBatchUpdateTool,
+  // Workflow-friendly methods
+  createGoogleSheetsGetHeadersTool,
+  createGoogleSheetsGetLastRowTool,
+  createGoogleSheetsFindRowTool,
+  createGoogleSheetsUpdateRowTool,
+  createGoogleSheetsUpsertRowTool,
+  createGoogleSheetsFilterRowsTool,
+  createGoogleSheetsDeleteRowTool
+} from './execution/engine/tools/integration/server/adapters/google-sheets'
+export { createApifyRunActorTool } from './execution/engine/tools/integration/server/adapters/apify'
+export {
+  createInstantlySendReplyTool,
+  createInstantlyRemoveFromSubsequenceTool,
+  createInstantlyGetEmailsTool,
+  createInstantlyUpdateInterestStatusTool,
+  createInstantlyAddToCampaignTool
+} from './execution/engine/tools/integration/server/adapters/instantly'
+export {
+  createResendSendEmailTool,
+  createResendGetEmailTool,
+  createResendSendEmailToolNamed
+} from './execution/engine/tools/integration/server/adapters/resend'
+export {
+  createAnymailfinderFindCompanyEmailTool,
+  createAnymailfinderFindPersonEmailTool,
+  createAnymailfinderFindDecisionMakerEmailTool,
+  createAnymailfinderVerifyEmailTool
+} from './execution/engine/tools/integration/server/adapters/anymailfinder'
+export {
+  createTombaEmailFinderTool,
+  createTombaDomainSearchTool,
+  createTombaEmailVerifierTool
+} from './execution/engine/tools/integration/server/adapters/tomba'
+export {
+  createMillionVerifierVerifyEmailTool,
+  createMillionVerifierCheckCreditsTool
+} from './execution/engine/tools/integration/server/adapters/millionverifier'
+export {
+  createDropboxUploadTool,
+  createDropboxCreateFolderTool
+} from './execution/engine/tools/integration/server/adapters/dropbox'
+export {
+  createStripeCreatePaymentLinkTool,
+  createStripeGetPaymentLinkTool,
+  createStripeUpdatePaymentLinkTool,
+  createStripeListPaymentLinksTool,
+  createStripeCheckoutSessionTool,
+  createStripeAutoPaymentLinkTool
+} from './execution/engine/tools/integration/server/adapters/stripe'
+
+// Resend fetch functions (low-level API for platform email service)
+export { sendEmail as sendResendEmail } from './execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index'
+export type {
+  ResendCredentials,
+  SendEmailParams as ResendSendEmailParams,
+  SendEmailResult as ResendSendEmailResult
+} from './execution/engine/tools/integration/server/adapters/resend/fetch/utils/types'
+
+// Resend email configuration (high-level sender config for workflows)
+export type { ResendEmailConfig } from './execution/engine/tools/integration/server/adapters/resend/types'
+
+// SignatureAPI types (for eSignature envelope operations)
+export type {
+  SignatureApiCredentials,
+  CreateEnvelopeParams,
+  CreateEnvelopeResult,
+  VoidEnvelopeParams,
+  VoidEnvelopeResult,
+  DownloadDocumentParams,
+  DownloadDocumentResult,
+  EnvelopeDocument,
+  Recipient,
+  SigningPlace
+} from './execution/engine/tools/integration/server/adapters/signature-api'
+
+// Execution validators (uses process.env for environment detection)
+export { detectEnvironment, canExecuteResource, type Environment } from './execution/core/server/environment'
+
+// Organization Model hash (uses Node.js crypto - server-only)
+export { computeOrganizationModelSnapshotHash } from './organization-model/server/snapshot-hash-server'
+
+// HMAC token utilities (uses Node.js crypto - server-only)
+export { generateHmacToken, verifyHmacToken, generateBrochureUrl } from './platform/utils/server/hmac'
+export {
+  generateUnsubscribeToken,
+  verifyUnsubscribeToken,
+  generateUnsubscribeUrl,
+  generateUnsubscribeHeaders
+} from './platform/utils/server/unsubscribe'
+
+// Better Stack error logging (uses @sentry/node - server-only)
+export {
+  bslogExternalServiceError,
+  bslogExecutionFailure,
+  isSystemError
+} from './platform/utils/server/betterstack-logger'
+
+// LLM Adapters (uses betterstack-logger - server-only)
+export { OpenAIAdapter, isOpenAIModel, type OpenAIAdapterConfig } from './execution/engine/llm/adapters/server/openai'
+export {
+  OpenRouterAdapter,
+  isOpenRouterModel,
+  type OpenRouterAdapterConfig
+} from './execution/engine/llm/adapters/server/openrouter'
+export { createLLMAdapter } from './execution/engine/llm/adapters/server/adapter-factory'
+
+// Browser-safe adapters (also exported from server for convenience)
+export { UniversalLLMAdapter } from './execution/engine/llm/adapters/universal-adapter'
+export { MockAdapter, isMockModel } from './execution/engine/llm/adapters/mock-adapter'
+export { configureCircuitBreakerAlerts } from './execution/engine/llm/adapters/circuit-breaker'
+
+// LLM Tool factory (uses server-only adapters)
+export { createLLMCallTool, type LLMCallToolConfig } from './execution/engine/tools/llm/server'
+
+// Workflow step helper (uses server-only adapters)
+export { llmCall, type LLMCallOptions } from './execution/engine/workflow/helpers/server'
+
+// Retained server-side resource invocation service types live under @repo/core/execution.
+// Deployed SDK workers use platform.call() -> dispatcher for nested execution.
+
+// Resilience utilities (timeout, circuit breaker, infrastructure errors)
+export {
+  // Existing
+  withTimeout,
+  SERVICE_TIMEOUTS,
+  createCircuitBreaker,
+  CircuitState,
+  ServiceTimeoutError,
+  ServiceUnavailableError,
+  isInfrastructureError,
+  type CircuitBreaker,
+  type CircuitBreakerConfig,
+  // Rate limiting
+  InMemoryRateLimiter,
+  createRateLimiter,
+  // Retry logic
+  withRetry,
+  calculateRetryDelay,
+  sleep,
+  DEFAULT_RETRY_POLICY,
+  // HTTP error mapping
+  createHttpError,
+  mapHttpStatusToErrorType,
+  type RateLimiter,
+  type RetryPolicy,
+  type HttpErrorContext,
+  type ErrorParser
+} from './platform/resilience'
+
+// Acquisition Platform Tools (lead database)
+export {
+  // List tools
+  createAcqListCreateTool,
+  createAcqListUpdateTool,
+  createAcqListDeleteTool,
+  createAcqListListTool,
+  // Company tools
+  createAcqCompanyCreateTool,
+  createAcqCompanyUpdateTool,
+  createAcqCompanyUpsertTool,
+  createAcqCompanyGetTool,
+  createAcqCompanyListTool,
+  createAcqCompanyDeleteTool,
+  // Contact tools
+  createAcqContactCreateTool,
+  createAcqContactUpdateTool,
+  createAcqContactUpsertTool,
+  createAcqContactGetTool,
+  createAcqContactListTool,
+  createAcqContactDeleteTool,
+  createAcqContactBulkImportTool
+} from './execution/engine/tools/platform/acquisition'
+
+// PDF Tool (server-only - uses React-PDF renderToBuffer)
+export {
+  createPdfRenderTool,
+  type PdfRenderInput,
+  type PdfRenderOutput,
+  type PdfToolConfig,
+  PdfRenderInputSchema,
+  PdfRenderOutputSchema
+} from './execution/engine/tools/platform/pdf'
+
+// PDF Document types (for constructing documents programmatically)
+export type { PDFDocument, ContentBlock, Page as PDFPage } from './business/pdf/types'