@elevasis/sdk 1.22.0 → 1.22.1

package/dist/test-utils/index.js

@@ -8075,7 +8075,6 @@ function addLegacyEntityProjections(index2, diagnostics, sourcesById, entities)
           table: entity.table
         }
       } : {},
-      legacyEntityId: entity.id,
       ...entity.rowSchema !== void 0 ? { rowSchema: entity.rowSchema } : {},
       ...entity.stateCatalogId !== void 0 ? { stateCatalogId: entity.stateCatalogId } : {}
     };
@@ -8100,8 +8099,7 @@ function addLegacyEntityProjections(index2, diagnostics, sourcesById, entities)
         from: legacyObjectId(entity),
         to: legacyObjectId(targetEntity),
         cardinality: link.kind,
-        ...link.via !== void 0 ? { via: link.via } : {},
-        legacyEntityId: entity.id
+        ...link.via !== void 0 ? { via: link.via } : {}
       };
       addRecord(index2, diagnostics, sourcesById, "linkTypes", linkType, {
         source: "legacy.entities.links",
@@ -8159,8 +8157,7 @@ function addSystemContentProjections(index2, diagnostics, sourcesById, systemPat
       kind: node.type,
       ...typeof node.data?.["entityId"] === "string" ? { appliesTo: formatOntologyId({ scope: systemPath, kind: "object", localId: node.data["entityId"] }) } : {},
       ...Object.keys(entries).length > 0 ? { entries } : {},
-      ...node.data !== void 0 ? { data: node.data } : {},
-      legacyContentId: `${systemPath}:${localId}`
+      ...node.data !== void 0 ? { data: node.data } : {}
     };
     addRecord(index2, diagnostics, sourcesById, "catalogTypes", catalogType, {
       source: "legacy.system.content",
@@ -8338,11 +8335,20 @@ EventEmissionDescriptorSchema.extend({
   ownerKind: z.enum(["resource", "entity"]).meta({ label: "Owner kind" })
 });
 var ResourceOntologyBindingSchema = z.object({
-  implements: z.array(OntologyIdSchema).optional(),
+  actions: z.array(OntologyIdSchema).optional(),
+  primaryAction: OntologyIdSchema.optional(),
   reads: z.array(OntologyIdSchema).optional(),
   writes: z.array(OntologyIdSchema).optional(),
   usesCatalogs: z.array(OntologyIdSchema).optional(),
   emits: z.array(OntologyIdSchema).optional()
+}).superRefine((binding, ctx) => {
+  if (binding.primaryAction === void 0) return;
+  if (binding.actions?.includes(binding.primaryAction)) return;
+  ctx.addIssue({
+    code: z.ZodIssueCode.custom,
+    path: ["primaryAction"],
+    message: "Resource ontology primaryAction must be included in actions"
+  });
 });
 var CodeReferenceSchema = z.object({
   path: z.string().trim().min(1).max(500).regex(/^[A-Za-z0-9_./$@()[\] -]+$/, "Code reference paths must be repo-relative paths"),
@@ -8357,6 +8363,10 @@ var ResourceEntryBaseSchema = z.object({
   order: z.number().default(0),
   /** Required single System membership — value is a dot-separated system path (e.g. "sales.lead-gen"). */
   systemPath: SystemPathSchema.meta({ ref: "system" }),
+  /** Executable display title owned by the OM Resource descriptor. */
+  title: LabelSchema.optional(),
+  /** Executable display description owned by the OM Resource descriptor. */
+  description: DescriptionSchema.optional(),
   /** Optional role responsible for maintaining this resource. */
   ownerRoleId: ModelIdSchema.meta({ ref: "role" }).optional(),
   status: ResourceGovernanceStatusSchema,
@@ -8371,8 +8381,6 @@ var ResourceEntryBaseSchema = z.object({
 });
 var WorkflowResourceEntrySchema = ResourceEntryBaseSchema.extend({
   kind: z.literal("workflow"),
-  /** Mirrors WorkflowConfig.actionKey when the runtime workflow has one. */
-  actionKey: z.string().trim().min(1).max(255).optional(),
   emits: z.array(EventEmissionDescriptorSchema).optional()
 });
 var AgentResourceEntrySchema = ResourceEntryBaseSchema.extend({
@@ -8514,6 +8522,73 @@ var GoalsDomainSchema = z.record(z.string(), ObjectiveSchema).refine((record) =>
   message: "Each objective entry id must match its map key"
 }).default({});
 var DEFAULT_ORGANIZATION_MODEL_GOALS = {};
+var SecretLikeMetadataKeySchema = /(?:secret|password|passwd|token|api[-_]?key|credential|private[-_]?key)/i;
+var SecretLikeMetadataValueSchema = /(?:sk-[A-Za-z0-9_-]{12,}|pk_live_[A-Za-z0-9_-]{12,}|eyJ[A-Za-z0-9_-]{20,}|-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----)/;
+z.enum([
+  "system",
+  "resource",
+  "ontology",
+  "policy",
+  "role",
+  "trigger",
+  "humanCheckpoint",
+  "externalResource"
+]);
+var OmTopologyRelationshipKindSchema = z.enum(["triggers", "uses", "approval"]);
+var OmTopologyNodeRefSchema = z.discriminatedUnion("kind", [
+  z.object({ kind: z.literal("system"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("resource"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("ontology"), id: OntologyIdSchema }),
+  z.object({ kind: z.literal("policy"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("role"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("trigger"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("humanCheckpoint"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("externalResource"), id: ResourceIdSchema })
+]);
+var OmTopologyMetadataSchema = z.record(z.string().trim().min(1).max(120), JsonValueSchema).superRefine((metadata, ctx) => {
+  function visit(value, path) {
+    if (typeof value === "string" && SecretLikeMetadataValueSchema.test(value)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path,
+        message: "Topology metadata must not contain secret-like values"
+      });
+      return;
+    }
+    if (Array.isArray(value)) {
+      value.forEach((entry, index2) => visit(entry, [...path, index2]));
+      return;
+    }
+    if (typeof value !== "object" || value === null) return;
+    Object.entries(value).forEach(([key, entry]) => {
+      if (SecretLikeMetadataKeySchema.test(key)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: [...path, key],
+          message: `Topology metadata key "${key}" looks secret-like`
+        });
+      }
+      visit(entry, [...path, key]);
+    });
+  }
+  visit(metadata, []);
+});
+var OmTopologyRelationshipSchema = z.object({
+  from: OmTopologyNodeRefSchema,
+  kind: OmTopologyRelationshipKindSchema,
+  to: OmTopologyNodeRefSchema,
+  systemPath: SystemPathSchema.optional(),
+  required: z.boolean().optional(),
+  metadata: OmTopologyMetadataSchema.optional()
+});
+var OmTopologyDomainSchema = z.object({
+  version: z.literal(1).default(1),
+  relationships: z.record(z.string().trim().min(1).max(255), OmTopologyRelationshipSchema).default({})
+}).default({ version: 1, relationships: {} });
+var DEFAULT_ORGANIZATION_MODEL_TOPOLOGY = {
+  version: 1,
+  relationships: {}
+};
 var PolicyIdSchema = ModelIdSchema;
 var PolicyApplicabilitySchema = z.object({
   systemIds: z.array(ModelIdSchema.meta({ ref: "system" })).default([]),
@@ -8886,6 +8961,7 @@ z.enum([
   "systems",
   "ontology",
   "resources",
+  "topology",
   "actions",
   "entities",
   "policies",
@@ -8905,6 +8981,7 @@ var DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA = {
   systems: { version: 1, lastModified: "2026-05-10" },
   ontology: { version: 1, lastModified: "2026-05-14" },
   resources: { version: 1, lastModified: "2026-05-10" },
+  topology: { version: 1, lastModified: "2026-05-14" },
   actions: { version: 1, lastModified: "2026-05-10" },
   entities: { version: 1, lastModified: "2026-05-10" },
   policies: { version: 1, lastModified: "2026-05-10" },
@@ -8920,6 +8997,7 @@ var OrganizationModelDomainMetadataByDomainSchema = z.object({
   systems: OrganizationModelDomainMetadataSchema,
   ontology: OrganizationModelDomainMetadataSchema,
   resources: OrganizationModelDomainMetadataSchema,
+  topology: OrganizationModelDomainMetadataSchema,
   actions: OrganizationModelDomainMetadataSchema,
   entities: OrganizationModelDomainMetadataSchema,
   policies: OrganizationModelDomainMetadataSchema,
@@ -8938,6 +9016,7 @@ var OrganizationModelSchemaBase = z.object({
   systems: SystemsDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_SYSTEMS),
   ontology: OntologyScopeSchema.default(DEFAULT_ONTOLOGY_SCOPE),
   resources: ResourcesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_RESOURCES),
+  topology: OmTopologyDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_TOPOLOGY),
   actions: ActionsDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ACTIONS),
   entities: EntitiesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ENTITIES),
   policies: PoliciesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_POLICIES),
@@ -9280,6 +9359,25 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
     surface: ontologyCompilation.ontology.surfaces
   };
   const ontologyIds = new Set(Object.values(ontologyIndexByKind).flatMap((index2) => Object.keys(index2)));
+  function topologyTargetExists(ref) {
+    if (ref.kind === "system") return systemsById.has(ref.id);
+    if (ref.kind === "resource") return resourcesById.has(ref.id);
+    if (ref.kind === "ontology") return ontologyIds.has(ref.id);
+    if (ref.kind === "policy") return policiesById.has(ref.id);
+    if (ref.kind === "role") return rolesById.has(ref.id);
+    return true;
+  }
+  Object.entries(model.topology.relationships).forEach(([relationshipId, relationship]) => {
+    ["from", "to"].forEach((side) => {
+      const ref = relationship[side];
+      if (topologyTargetExists(ref)) return;
+      addIssue(
+        ctx,
+        ["topology", "relationships", relationshipId, side],
+        `Topology relationship "${relationshipId}" ${side} references unknown ${ref.kind} "${ref.id}"`
+      );
+    });
+  });
   const ontologyReferenceKeyKinds = {
     valueType: "value-type",
     catalogType: "catalog",
@@ -9418,11 +9516,18 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
     }
   });
   function validateResourceOntologyBinding(resourceId, bindingKey, expectedKind, ids) {
-    ids?.forEach((ontologyId, ontologyIndex) => {
+    const ontologyIds2 = ids === void 0 ? [] : Array.isArray(ids) ? ids : [ids];
+    ontologyIds2.forEach((ontologyId, ontologyIndex) => {
       if (ontologyIndexByKind[expectedKind][ontologyId] === void 0) {
         addIssue(
           ctx,
-          ["resources", resourceId, "ontology", bindingKey, ontologyIndex],
+          [
+            "resources",
+            resourceId,
+            "ontology",
+            bindingKey,
+            ...Array.isArray(ids) ? [ontologyIndex] : []
+          ],
           `Resource "${resourceId}" ontology binding "${bindingKey}" references unknown ${expectedKind} ontology ID "${ontologyId}"`
         );
       }
@@ -9431,7 +9536,8 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
   Object.values(model.resources).forEach((resource) => {
     const binding = resource.ontology;
     if (binding === void 0) return;
-    validateResourceOntologyBinding(resource.id, "implements", "action", binding.implements);
+    validateResourceOntologyBinding(resource.id, "actions", "action", binding.actions);
+    validateResourceOntologyBinding(resource.id, "primaryAction", "action", binding.primaryAction);
     validateResourceOntologyBinding(resource.id, "reads", "object", binding.reads);
     validateResourceOntologyBinding(resource.id, "writes", "object", binding.writes);
     validateResourceOntologyBinding(resource.id, "usesCatalogs", "catalog", binding.usesCatalogs);
@@ -10260,6 +10366,7 @@ var DEFAULT_ORGANIZATION_MODEL = {
   },
   ontology: DEFAULT_ONTOLOGY_SCOPE,
   resources: DEFAULT_ORGANIZATION_MODEL_RESOURCES,
+  topology: DEFAULT_ORGANIZATION_MODEL_TOPOLOGY,
   actions: DEFAULT_ORGANIZATION_MODEL_ACTIONS,
   entities: DEFAULT_ORGANIZATION_MODEL_ENTITIES2,
   policies: DEFAULT_ORGANIZATION_MODEL_POLICIES,
@@ -11731,6 +11838,119 @@ function getRuntimeResources(resources) {
     }))
   ];
 }
+function hasOntologySources(organizationModel) {
+  return organizationModel.ontology !== void 0 || organizationModel.entities !== void 0 || organizationModel.actions !== void 0 || Object.values(organizationModel.systems ?? {}).some(systemHasOntologySource);
+}
+function systemHasOntologySource(system) {
+  if (system.ontology !== void 0 || system.content !== void 0 && Object.keys(system.content).length > 0) return true;
+  return Object.values(system.systems ?? system.subsystems ?? {}).some(systemHasOntologySource);
+}
+function ontologyIndexForKind(index2, kind) {
+  switch (kind) {
+    case "object":
+      return index2.objectTypes;
+    case "link":
+      return index2.linkTypes;
+    case "action":
+      return index2.actionTypes;
+    case "catalog":
+      return index2.catalogTypes;
+    case "event":
+      return index2.eventTypes;
+    case "interface":
+      return index2.interfaceTypes;
+    case "value-type":
+      return index2.valueTypes;
+    case "property":
+      return index2.sharedProperties;
+    case "group":
+      return index2.groups;
+    case "surface":
+      return index2.surfaces;
+  }
+}
+function sameJson(left, right) {
+  return JSON.stringify(left ?? null) === JSON.stringify(right ?? null);
+}
+function addOntologyBindingIssues(issues, orgName, resource, ontologyIndex) {
+  const binding = resource.ontology;
+  if (binding === void 0) return;
+  if ((resource.kind === "workflow" || resource.kind === "agent") && (binding.actions?.length ?? 0) === 0) {
+    addGovernanceIssue(
+      issues,
+      "missing-ontology-actions",
+      orgName,
+      resource.id,
+      `[${orgName}] Resource '${resource.id}' declares ontology bindings but no ontology actions.`
+    );
+  }
+  if (binding.primaryAction !== void 0 && !binding.actions?.includes(binding.primaryAction)) {
+    addGovernanceIssue(
+      issues,
+      "primary-action-mismatch",
+      orgName,
+      resource.id,
+      `[${orgName}] Resource '${resource.id}' primaryAction '${binding.primaryAction}' must be included in ontology.actions.`
+    );
+  }
+  if (ontologyIndex === void 0) return;
+  const validateRefs = (bindingKey, expectedKind, refs) => {
+    const values = refs === void 0 ? [] : Array.isArray(refs) ? refs : [refs];
+    const index2 = ontologyIndexForKind(ontologyIndex, expectedKind);
+    for (const ref of values) {
+      if (index2[ref] !== void 0) continue;
+      addGovernanceIssue(
+        issues,
+        "ontology-reference-missing",
+        orgName,
+        resource.id,
+        `[${orgName}] Resource '${resource.id}' ontology.${bindingKey} references missing ${expectedKind} ontology record '${ref}'.`
+      );
+    }
+  };
+  validateRefs("actions", "action", binding.actions);
+  validateRefs("primaryAction", "action", binding.primaryAction);
+  validateRefs("reads", "object", binding.reads);
+  validateRefs("writes", "object", binding.writes);
+  validateRefs("usesCatalogs", "catalog", binding.usesCatalogs);
+  validateRefs("emits", "event", binding.emits);
+}
+function addTopologyIssues(issues, orgName, deployment, organizationModel, systemsById, omResourcesById, ontologyIndex) {
+  const relationships = organizationModel.topology?.relationships;
+  if (relationships === void 0) return;
+  const rolesById = new Set(Object.keys(organizationModel.roles ?? {}));
+  const policiesById = new Set(Object.keys(organizationModel.policies ?? {}));
+  const triggerIds = new Set(deployment.triggers?.map((trigger) => trigger.resourceId) ?? []);
+  const humanCheckpointIds = new Set(deployment.humanCheckpoints?.map((checkpoint) => checkpoint.resourceId) ?? []);
+  const externalResourceIds = new Set(deployment.externalResources?.map((external) => external.resourceId) ?? []);
+  const topologyRefExists = (ref) => {
+    if (ref.kind === "system") return systemsById.has(ref.id);
+    if (ref.kind === "resource") return omResourcesById.has(ref.id);
+    if (ref.kind === "policy") return policiesById.has(ref.id);
+    if (ref.kind === "role") return rolesById.has(ref.id);
+    if (ref.kind === "trigger") return triggerIds.has(ref.id);
+    if (ref.kind === "humanCheckpoint") return humanCheckpointIds.has(ref.id);
+    if (ref.kind === "externalResource") return externalResourceIds.has(ref.id);
+    if (ref.kind === "ontology") {
+      if (ontologyIndex === void 0) return true;
+      return Object.values(ontologyIndex).some((records) => records[ref.id] !== void 0);
+    }
+    return false;
+  };
+  for (const [relationshipId, relationship] of Object.entries(relationships)) {
+    ["from", "to"].forEach((side) => {
+      const ref = relationship[side];
+      if (topologyRefExists(ref)) return;
+      addGovernanceIssue(
+        issues,
+        "topology-reference-missing",
+        orgName,
+        ref.id,
+        `[${orgName}] Topology relationship '${relationshipId}' ${side} references missing ${ref.kind} '${ref.id}'.`
+      );
+    });
+  }
+}
 function validateResourceGovernance(orgName, deployment, organizationModel = deployment.organizationModel, options = {}) {
   const mode = getResourceValidatorMode(options.mode);
   const omResourcesMap = organizationModel?.resources;
@@ -11746,6 +11966,17 @@ function validateResourceGovernance(orgName, deployment, organizationModel = dep
   const omResourcesById = new Map(activeOmResources.map((resource) => [resource.id, resource]));
   const runtimeResources = getRuntimeResources(deployment);
   const runtimeResourcesById = new Map(runtimeResources.map((resource) => [resource.resourceId, resource]));
+  const ontologyCompilation = hasOntologySources(organizationModel) ? compileOrganizationOntology(organizationModel) : void 0;
+  const ontologyIndex = ontologyCompilation?.ontology;
+  for (const diagnostic of ontologyCompilation?.diagnostics ?? []) {
+    addGovernanceIssue(
+      issues,
+      "ontology-reference-missing",
+      orgName,
+      diagnostic.id,
+      `[${orgName}] ${diagnostic.message}`
+    );
+  }
   for (const resource of activeOmResources) {
     if (!systemsById.has(resource.systemPath)) {
       addGovernanceIssue(
@@ -11785,6 +12016,16 @@ function validateResourceGovernance(orgName, deployment, organizationModel = dep
         `[${orgName}] Resource '${resource.id}' system mismatch: code descriptor has '${runtimeResource.descriptor.systemPath}', OM has '${resource.systemPath}'.`
       );
     }
+    if (runtimeResource.descriptor && !sameJson(runtimeResource.descriptor.ontology, resource.ontology)) {
+      addGovernanceIssue(
+        issues,
+        "descriptor-mismatch",
+        orgName,
+        resource.id,
+        `[${orgName}] Resource '${resource.id}' ontology descriptor mismatch between code and OM.`
+      );
+    }
+    addOntologyBindingIssues(issues, orgName, resource, ontologyIndex);
   }
   for (const runtimeResource of runtimeResources) {
     const omResource = omResourcesById.get(runtimeResource.resourceId);
@@ -11826,6 +12067,7 @@ function validateResourceGovernance(orgName, deployment, organizationModel = dep
       );
     }
   }
+  addTopologyIssues(issues, orgName, deployment, organizationModel, systemsById, omResourcesById, ontologyIndex);
   emitGovernanceIssues(issues, mode, options.onWarning);
   return {
     valid: issues.length === 0,

package/dist/worker/index.js

@@ -6167,7 +6167,6 @@ function addLegacyEntityProjections(index, diagnostics, sourcesById, entities) {
           table: entity.table
         }
       } : {},
-      legacyEntityId: entity.id,
       ...entity.rowSchema !== void 0 ? { rowSchema: entity.rowSchema } : {},
       ...entity.stateCatalogId !== void 0 ? { stateCatalogId: entity.stateCatalogId } : {}
     };
@@ -6192,8 +6191,7 @@ function addLegacyEntityProjections(index, diagnostics, sourcesById, entities) {
         from: legacyObjectId(entity),
         to: legacyObjectId(targetEntity),
         cardinality: link.kind,
-        ...link.via !== void 0 ? { via: link.via } : {},
-        legacyEntityId: entity.id
+        ...link.via !== void 0 ? { via: link.via } : {}
       };
       addRecord(index, diagnostics, sourcesById, "linkTypes", linkType, {
         source: "legacy.entities.links",
@@ -6251,8 +6249,7 @@ function addSystemContentProjections(index, diagnostics, sourcesById, systemPath
       kind: node.type,
       ...typeof node.data?.["entityId"] === "string" ? { appliesTo: formatOntologyId({ scope: systemPath, kind: "object", localId: node.data["entityId"] }) } : {},
       ...Object.keys(entries).length > 0 ? { entries } : {},
-      ...node.data !== void 0 ? { data: node.data } : {},
-      legacyContentId: `${systemPath}:${localId}`
+      ...node.data !== void 0 ? { data: node.data } : {}
     };
     addRecord(index, diagnostics, sourcesById, "catalogTypes", catalogType, {
       source: "legacy.system.content",
@@ -6430,11 +6427,20 @@ EventEmissionDescriptorSchema.extend({
   ownerKind: z.enum(["resource", "entity"]).meta({ label: "Owner kind" })
 });
 var ResourceOntologyBindingSchema = z.object({
-  implements: z.array(OntologyIdSchema).optional(),
+  actions: z.array(OntologyIdSchema).optional(),
+  primaryAction: OntologyIdSchema.optional(),
   reads: z.array(OntologyIdSchema).optional(),
   writes: z.array(OntologyIdSchema).optional(),
   usesCatalogs: z.array(OntologyIdSchema).optional(),
   emits: z.array(OntologyIdSchema).optional()
+}).superRefine((binding, ctx) => {
+  if (binding.primaryAction === void 0) return;
+  if (binding.actions?.includes(binding.primaryAction)) return;
+  ctx.addIssue({
+    code: z.ZodIssueCode.custom,
+    path: ["primaryAction"],
+    message: "Resource ontology primaryAction must be included in actions"
+  });
 });
 var CodeReferenceSchema = z.object({
   path: z.string().trim().min(1).max(500).regex(/^[A-Za-z0-9_./$@()[\] -]+$/, "Code reference paths must be repo-relative paths"),
@@ -6449,6 +6455,10 @@ var ResourceEntryBaseSchema = z.object({
   order: z.number().default(0),
   /** Required single System membership — value is a dot-separated system path (e.g. "sales.lead-gen"). */
   systemPath: SystemPathSchema.meta({ ref: "system" }),
+  /** Executable display title owned by the OM Resource descriptor. */
+  title: LabelSchema.optional(),
+  /** Executable display description owned by the OM Resource descriptor. */
+  description: DescriptionSchema.optional(),
   /** Optional role responsible for maintaining this resource. */
   ownerRoleId: ModelIdSchema.meta({ ref: "role" }).optional(),
   status: ResourceGovernanceStatusSchema,
@@ -6463,8 +6473,6 @@ var ResourceEntryBaseSchema = z.object({
 });
 var WorkflowResourceEntrySchema = ResourceEntryBaseSchema.extend({
   kind: z.literal("workflow"),
-  /** Mirrors WorkflowConfig.actionKey when the runtime workflow has one. */
-  actionKey: z.string().trim().min(1).max(255).optional(),
   emits: z.array(EventEmissionDescriptorSchema).optional()
 });
 var AgentResourceEntrySchema = ResourceEntryBaseSchema.extend({
@@ -6606,6 +6614,73 @@ var GoalsDomainSchema = z.record(z.string(), ObjectiveSchema).refine((record) =>
   message: "Each objective entry id must match its map key"
 }).default({});
 var DEFAULT_ORGANIZATION_MODEL_GOALS = {};
+var SecretLikeMetadataKeySchema = /(?:secret|password|passwd|token|api[-_]?key|credential|private[-_]?key)/i;
+var SecretLikeMetadataValueSchema = /(?:sk-[A-Za-z0-9_-]{12,}|pk_live_[A-Za-z0-9_-]{12,}|eyJ[A-Za-z0-9_-]{20,}|-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----)/;
+z.enum([
+  "system",
+  "resource",
+  "ontology",
+  "policy",
+  "role",
+  "trigger",
+  "humanCheckpoint",
+  "externalResource"
+]);
+var OmTopologyRelationshipKindSchema = z.enum(["triggers", "uses", "approval"]);
+var OmTopologyNodeRefSchema = z.discriminatedUnion("kind", [
+  z.object({ kind: z.literal("system"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("resource"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("ontology"), id: OntologyIdSchema }),
+  z.object({ kind: z.literal("policy"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("role"), id: ModelIdSchema }),
+  z.object({ kind: z.literal("trigger"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("humanCheckpoint"), id: ResourceIdSchema }),
+  z.object({ kind: z.literal("externalResource"), id: ResourceIdSchema })
+]);
+var OmTopologyMetadataSchema = z.record(z.string().trim().min(1).max(120), JsonValueSchema).superRefine((metadata, ctx) => {
+  function visit(value, path) {
+    if (typeof value === "string" && SecretLikeMetadataValueSchema.test(value)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        path,
+        message: "Topology metadata must not contain secret-like values"
+      });
+      return;
+    }
+    if (Array.isArray(value)) {
+      value.forEach((entry, index) => visit(entry, [...path, index]));
+      return;
+    }
+    if (typeof value !== "object" || value === null) return;
+    Object.entries(value).forEach(([key, entry]) => {
+      if (SecretLikeMetadataKeySchema.test(key)) {
+        ctx.addIssue({
+          code: z.ZodIssueCode.custom,
+          path: [...path, key],
+          message: `Topology metadata key "${key}" looks secret-like`
+        });
+      }
+      visit(entry, [...path, key]);
+    });
+  }
+  visit(metadata, []);
+});
+var OmTopologyRelationshipSchema = z.object({
+  from: OmTopologyNodeRefSchema,
+  kind: OmTopologyRelationshipKindSchema,
+  to: OmTopologyNodeRefSchema,
+  systemPath: SystemPathSchema.optional(),
+  required: z.boolean().optional(),
+  metadata: OmTopologyMetadataSchema.optional()
+});
+var OmTopologyDomainSchema = z.object({
+  version: z.literal(1).default(1),
+  relationships: z.record(z.string().trim().min(1).max(255), OmTopologyRelationshipSchema).default({})
+}).default({ version: 1, relationships: {} });
+var DEFAULT_ORGANIZATION_MODEL_TOPOLOGY = {
+  version: 1,
+  relationships: {}
+};
 var PolicyIdSchema = ModelIdSchema;
 var PolicyApplicabilitySchema = z.object({
   systemIds: z.array(ModelIdSchema.meta({ ref: "system" })).default([]),
@@ -6978,6 +7053,7 @@ z.enum([
   "systems",
   "ontology",
   "resources",
+  "topology",
   "actions",
   "entities",
   "policies",
@@ -6997,6 +7073,7 @@ var DEFAULT_ORGANIZATION_MODEL_DOMAIN_METADATA = {
   systems: { version: 1, lastModified: "2026-05-10" },
   ontology: { version: 1, lastModified: "2026-05-14" },
   resources: { version: 1, lastModified: "2026-05-10" },
+  topology: { version: 1, lastModified: "2026-05-14" },
   actions: { version: 1, lastModified: "2026-05-10" },
   entities: { version: 1, lastModified: "2026-05-10" },
   policies: { version: 1, lastModified: "2026-05-10" },
@@ -7012,6 +7089,7 @@ var OrganizationModelDomainMetadataByDomainSchema = z.object({
   systems: OrganizationModelDomainMetadataSchema,
   ontology: OrganizationModelDomainMetadataSchema,
   resources: OrganizationModelDomainMetadataSchema,
+  topology: OrganizationModelDomainMetadataSchema,
   actions: OrganizationModelDomainMetadataSchema,
   entities: OrganizationModelDomainMetadataSchema,
   policies: OrganizationModelDomainMetadataSchema,
@@ -7030,6 +7108,7 @@ var OrganizationModelSchemaBase = z.object({
   systems: SystemsDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_SYSTEMS),
   ontology: OntologyScopeSchema.default(DEFAULT_ONTOLOGY_SCOPE),
   resources: ResourcesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_RESOURCES),
+  topology: OmTopologyDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_TOPOLOGY),
   actions: ActionsDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ACTIONS),
   entities: EntitiesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_ENTITIES),
   policies: PoliciesDomainSchema.default(DEFAULT_ORGANIZATION_MODEL_POLICIES),
@@ -7372,6 +7451,25 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
     surface: ontologyCompilation.ontology.surfaces
   };
   const ontologyIds = new Set(Object.values(ontologyIndexByKind).flatMap((index) => Object.keys(index)));
+  function topologyTargetExists(ref) {
+    if (ref.kind === "system") return systemsById.has(ref.id);
+    if (ref.kind === "resource") return resourcesById.has(ref.id);
+    if (ref.kind === "ontology") return ontologyIds.has(ref.id);
+    if (ref.kind === "policy") return policiesById.has(ref.id);
+    if (ref.kind === "role") return rolesById.has(ref.id);
+    return true;
+  }
+  Object.entries(model.topology.relationships).forEach(([relationshipId, relationship]) => {
+    ["from", "to"].forEach((side) => {
+      const ref = relationship[side];
+      if (topologyTargetExists(ref)) return;
+      addIssue(
+        ctx,
+        ["topology", "relationships", relationshipId, side],
+        `Topology relationship "${relationshipId}" ${side} references unknown ${ref.kind} "${ref.id}"`
+      );
+    });
+  });
   const ontologyReferenceKeyKinds = {
     valueType: "value-type",
     catalogType: "catalog",
@@ -7510,11 +7608,18 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
     }
   });
   function validateResourceOntologyBinding(resourceId, bindingKey, expectedKind, ids) {
-    ids?.forEach((ontologyId, ontologyIndex) => {
+    const ontologyIds2 = ids === void 0 ? [] : Array.isArray(ids) ? ids : [ids];
+    ontologyIds2.forEach((ontologyId, ontologyIndex) => {
       if (ontologyIndexByKind[expectedKind][ontologyId] === void 0) {
         addIssue(
           ctx,
-          ["resources", resourceId, "ontology", bindingKey, ontologyIndex],
+          [
+            "resources",
+            resourceId,
+            "ontology",
+            bindingKey,
+            ...Array.isArray(ids) ? [ontologyIndex] : []
+          ],
           `Resource "${resourceId}" ontology binding "${bindingKey}" references unknown ${expectedKind} ontology ID "${ontologyId}"`
         );
       }
@@ -7523,7 +7628,8 @@ OrganizationModelSchemaBase.superRefine((model, ctx) => {
   Object.values(model.resources).forEach((resource) => {
     const binding = resource.ontology;
     if (binding === void 0) return;
-    validateResourceOntologyBinding(resource.id, "implements", "action", binding.implements);
+    validateResourceOntologyBinding(resource.id, "actions", "action", binding.actions);
+    validateResourceOntologyBinding(resource.id, "primaryAction", "action", binding.primaryAction);
     validateResourceOntologyBinding(resource.id, "reads", "object", binding.reads);
     validateResourceOntologyBinding(resource.id, "writes", "object", binding.writes);
     validateResourceOntologyBinding(resource.id, "usesCatalogs", "catalog", binding.usesCatalogs);
@@ -8352,6 +8458,7 @@ var DEFAULT_ORGANIZATION_MODEL = {
   },
   ontology: DEFAULT_ONTOLOGY_SCOPE,
   resources: DEFAULT_ORGANIZATION_MODEL_RESOURCES,
+  topology: DEFAULT_ORGANIZATION_MODEL_TOPOLOGY,
   actions: DEFAULT_ORGANIZATION_MODEL_ACTIONS,
   entities: DEFAULT_ORGANIZATION_MODEL_ENTITIES2,
   policies: DEFAULT_ORGANIZATION_MODEL_POLICIES,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elevasis/sdk",
-  "version": "1.22.0",
+  "version": "1.22.1",
   "description": "SDK for building Elevasis organization resources",
   "type": "module",
   "bin": {
@@ -57,9 +57,9 @@
     "tsup": "^8.0.0",
     "typescript": "5.9.2",
     "zod": "^4.1.0",
-    "@repo/eslint-config": "0.0.0",
+    "@repo/core": "0.24.1",
     "@repo/typescript-config": "0.0.0",
-    "@repo/core": "0.24.0"
+    "@repo/eslint-config": "0.0.0"
   },
   "scripts": {
     "lint": "eslint src --max-warnings 0",