@executor-js/cli 0.2.1 → 0.2.3

package/dist/index.js

@@ -3,1066 +3,12 @@
 // src/index.ts
 import { Command as Command2 } from "commander";
 
-// src/commands/generate.ts
-import { existsSync as existsSync3 } from "fs";
+// src/commands/schema.ts
+import { existsSync as existsSync2 } from "fs";
 import fs from "fs/promises";
 import path2 from "path";
 import { Command } from "commander";
-
-// ../sdk/src/index.ts
-import { Context as Context2, Effect as Effect18, Layer as Layer5, Schema as Schema19, Data as Data6, Option as Option6 } from "effect";
-import {
-  HttpApi,
-  HttpApiBuilder,
-  HttpApiClient,
-  HttpApiEndpoint,
-  HttpApiGroup,
-  HttpApiMiddleware,
-  HttpApiSchema
-} from "effect/unstable/httpapi";
-
-// ../storage-core/src/factory.ts
-import { Effect, Option, Schema } from "effect";
-
-// ../storage-core/src/errors.ts
-import { Data } from "effect";
-var StorageError = class extends Data.TaggedError("StorageError") {
-};
-var UniqueViolationError = class extends Data.TaggedError("UniqueViolationError") {
-};
-
-// ../storage-core/src/factory.ts
-var decodeJsonFromString = Schema.decodeUnknownOption(Schema.UnknownFromJsonString);
-
-// ../sdk/src/ids.ts
-import { Schema as Schema2 } from "effect";
-var ScopeId = Schema2.String.pipe(Schema2.brand("ScopeId"));
-var ToolId = Schema2.String.pipe(Schema2.brand("ToolId"));
-var SecretId = Schema2.String.pipe(Schema2.brand("SecretId"));
-var PolicyId = Schema2.String.pipe(Schema2.brand("PolicyId"));
-var ConnectionId = Schema2.String.pipe(Schema2.brand("ConnectionId"));
-var CredentialBindingId = Schema2.String.pipe(Schema2.brand("CredentialBindingId"));
-
-// ../sdk/src/scope.ts
-import { Schema as Schema3 } from "effect";
-var Scope = class extends Schema3.Class("Scope")({
-  id: ScopeId,
-  name: Schema3.String,
-  createdAt: Schema3.Date
-}) {
-};
-
-// ../sdk/src/errors.ts
-import { Data as Data2, Schema as Schema4 } from "effect";
-var ToolNotFoundError = class extends Schema4.TaggedErrorClass()(
-  "ToolNotFoundError",
-  { toolId: ToolId }
-) {
-};
-var ToolInvocationError = class extends Data2.TaggedError("ToolInvocationError") {
-};
-var PluginNotLoadedError = class extends Schema4.TaggedErrorClass()(
-  "PluginNotLoadedError",
-  {
-    pluginId: Schema4.String,
-    toolId: ToolId
-  }
-) {
-};
-var NoHandlerError = class extends Schema4.TaggedErrorClass()("NoHandlerError", {
-  toolId: ToolId,
-  pluginId: Schema4.String
-}) {
-};
-var ToolBlockedError = class extends Schema4.TaggedErrorClass()(
-  "ToolBlockedError",
-  {
-    toolId: ToolId,
-    pattern: Schema4.String
-  }
-) {
-};
-var SourceNotFoundError = class extends Schema4.TaggedErrorClass()(
-  "SourceNotFoundError",
-  { sourceId: Schema4.String }
-) {
-};
-var SourceRemovalNotAllowedError = class extends Schema4.TaggedErrorClass()(
-  "SourceRemovalNotAllowedError",
-  { sourceId: Schema4.String }
-) {
-};
-var SecretNotFoundError = class extends Schema4.TaggedErrorClass()(
-  "SecretNotFoundError",
-  { secretId: SecretId }
-) {
-};
-var SecretResolutionError = class extends Schema4.TaggedErrorClass()(
-  "SecretResolutionError",
-  {
-    secretId: SecretId,
-    message: Schema4.String
-  }
-) {
-};
-var SecretOwnedByConnectionError = class extends Schema4.TaggedErrorClass()(
-  "SecretOwnedByConnectionError",
-  {
-    secretId: SecretId,
-    connectionId: ConnectionId
-  }
-) {
-};
-var SecretInUseError = class extends Schema4.TaggedErrorClass()(
-  "SecretInUseError",
-  {
-    secretId: SecretId,
-    usageCount: Schema4.Number
-  }
-) {
-};
-var ConnectionNotFoundError = class extends Schema4.TaggedErrorClass()(
-  "ConnectionNotFoundError",
-  { connectionId: ConnectionId }
-) {
-};
-var ConnectionProviderNotRegisteredError = class extends Schema4.TaggedErrorClass()(
-  "ConnectionProviderNotRegisteredError",
-  {
-    provider: Schema4.String,
-    connectionId: Schema4.optional(ConnectionId)
-  }
-) {
-};
-var ConnectionRefreshNotSupportedError = class extends Schema4.TaggedErrorClass()(
-  "ConnectionRefreshNotSupportedError",
-  {
-    connectionId: ConnectionId,
-    provider: Schema4.String
-  }
-) {
-};
-var ConnectionReauthRequiredError = class extends Schema4.TaggedErrorClass()(
-  "ConnectionReauthRequiredError",
-  {
-    connectionId: ConnectionId,
-    provider: Schema4.String,
-    message: Schema4.String
-  }
-) {
-};
-var ConnectionInUseError = class extends Schema4.TaggedErrorClass()(
-  "ConnectionInUseError",
-  {
-    connectionId: ConnectionId,
-    usageCount: Schema4.Number
-  }
-) {
-};
-
-// ../sdk/src/types.ts
-import { Schema as Schema5 } from "effect";
-var ToolSchema = class extends Schema5.Class("ToolSchema")({
-  id: ToolId,
-  name: Schema5.optional(Schema5.String),
-  description: Schema5.optional(Schema5.String),
-  inputSchema: Schema5.optional(Schema5.Unknown),
-  outputSchema: Schema5.optional(Schema5.Unknown),
-  inputTypeScript: Schema5.optional(Schema5.String),
-  outputTypeScript: Schema5.optional(Schema5.String),
-  typeScriptDefinitions: Schema5.optional(Schema5.Record(Schema5.String, Schema5.String))
-}) {
-};
-var SourceDetectionResult = class extends Schema5.Class(
-  "SourceDetectionResult"
-)({
-  /** Plugin id that recognized the URL (e.g. "openapi", "graphql"). */
-  kind: Schema5.String,
-  /** Confidence tier — UI uses this to pick a winner when multiple
-   *  plugins claim a URL. */
-  confidence: Schema5.Literals(["high", "medium", "low"]),
-  /** The (possibly normalized) endpoint the plugin will use. */
-  endpoint: Schema5.String,
-  /** Human-readable name suggestion, typically derived from spec title
-   *  or URL hostname. */
-  name: Schema5.String,
-  /** Namespace suggestion — the plugin's recommendation for the source
-   *  id. UI may override. */
-  namespace: Schema5.String
-}) {
-};
-
-// ../sdk/src/core-schema.ts
-var credentialBindingKinds = ["text", "secret", "connection"];
-var coreSchema = {
-  source: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      plugin_id: { type: "string", required: true, index: true },
-      kind: { type: "string", required: true },
-      name: { type: "string", required: true },
-      url: { type: "string", required: false },
-      can_remove: {
-        type: "boolean",
-        required: true,
-        defaultValue: true
-      },
-      can_refresh: {
-        type: "boolean",
-        required: true,
-        defaultValue: false
-      },
-      can_edit: {
-        type: "boolean",
-        required: true,
-        defaultValue: false
-      },
-      created_at: { type: "date", required: true },
-      updated_at: { type: "date", required: true }
-    }
-  },
-  tool: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      source_id: { type: "string", required: true, index: true },
-      plugin_id: { type: "string", required: true, index: true },
-      name: { type: "string", required: true },
-      description: { type: "string", required: true },
-      input_schema: { type: "json", required: false },
-      output_schema: { type: "json", required: false },
-      // NOTE: tool annotations (requiresApproval, approvalDescription,
-      // mayElicit) are NOT stored on this row. They're derived at read
-      // time from plugin-owned data via `plugin.resolveAnnotations`,
-      // because the source of truth already lives in each plugin's own
-      // storage (openapi's OperationBinding, etc.) and duplicating it
-      // here would just mean bulk-rewriting rows every time the
-      // derivation logic changes.
-      created_at: { type: "date", required: true },
-      updated_at: { type: "date", required: true }
-    }
-  },
-  // Shared JSON-schema `$defs` stored once per source. Tool input/output
-  // schemas carry `$ref: "#/$defs/X"` pointers; the read path attaches
-  // matching defs under `$defs` before returning. Keyed by synthetic id
-  // `${source_id}.${name}` so cleanup on source removal is a single
-  // deleteMany by source_id.
-  definition: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      source_id: { type: "string", required: true, index: true },
-      plugin_id: { type: "string", required: true, index: true },
-      name: { type: "string", required: true },
-      schema: { type: "json", required: true },
-      created_at: { type: "date", required: true }
-    }
-  },
-  // Secrets live in the core surface as metadata (id, display name,
-  // provider key). Actual values never touch this table — they live in
-  // the secret provider (keychain, 1password, file, etc.) and are
-  // resolved on demand via `ctx.secrets.get(id)`.
-  //
-  // `owned_by_connection_id` ties the row to a connection. Connection-
-  // owned secrets are plumbing, not user-facing values: `ctx.secrets.list`
-  // filters them out (the user sees the Connection instead), and
-  // `ctx.secrets.remove` refuses to delete them (Connection.remove is
-  // the single owner of the lifecycle). The FK is nullable so existing
-  // "bare" secrets (API keys entered by the user, pre-connection OAuth
-  // rows during migration) remain visible and removable unchanged.
-  secret: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      name: { type: "string", required: true },
-      provider: { type: "string", required: true, index: true },
-      owned_by_connection_id: {
-        type: "string",
-        required: false,
-        index: true
-      },
-      created_at: { type: "date", required: true }
-    }
-  },
-  // Connections — sign-in state for one identity against one remote
-  // provider. A Connection owns one or more `secret` rows (access +
-  // refresh tokens, etc.) via `secret.owned_by_connection_id`, and the
-  // SDK exposes `ctx.connections.accessToken(id)` which transparently
-  // refreshes the backing secrets when they're near expiry. Plugins
-  // contribute refresh behavior via `plugin.connectionProviders[].refresh`
-  // keyed by `provider`, same pattern as `secretProviders`.
-  //
-  // `provider_state` is plugin-owned opaque JSON — token endpoint URL,
-  // scopes, issuer, auth-server metadata — whatever the provider's
-  // refresh handler needs to re-hit the token endpoint. It's NOT
-  // sensitive (all secrets go through the provider-backed secret rows);
-  // it's just enough metadata to drive a refresh without re-running
-  // discovery.
-  connection: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      /** Routing key into `plugin.connectionProviders`. OAuth2 connections
-       *  use the shared `oauth2` provider. Mirrors `secret.provider`. */
-      provider: { type: "string", required: true, index: true },
-      /** Display label shown in the Connections UI. Usually the account
-       *  email / handle / org name the user signed in as. */
-      identity_label: { type: "string", required: false },
-      /** Stable id of the access-token secret. Always present. */
-      access_token_secret_id: { type: "string", required: true },
-      /** Stable id of the refresh-token secret. Null for flows that
-       *  don't mint a refresh token (client_credentials, etc.). */
-      refresh_token_secret_id: { type: "string", required: false },
-      /** Epoch ms when the access token expires. Null if the provider
-       *  didn't declare an expiry. Used as the refresh trigger. Stored as
-       *  `bigint` because `Date.now()` overflows int32. */
-      expires_at: { type: "number", required: false, bigint: true },
-      /** Scope string as returned by the token endpoint. */
-      scope: { type: "string", required: false },
-      /** Opaque plugin-owned JSON — token endpoint URL, scopes list,
-       *  discovery hints, etc. Never sensitive. */
-      provider_state: { type: "json", required: false },
-      created_at: { type: "date", required: true },
-      updated_at: { type: "date", required: true }
-    }
-  },
-  // Pending OAuth authorization rows shared by every OAuth-capable plugin.
-  // Rows are short-lived and deleted after completion/cancel; the resulting
-  // `connection` row is the durable sign-in state.
-  oauth2_session: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      plugin_id: { type: "string", required: true, index: true },
-      strategy: { type: "string", required: true },
-      connection_id: { type: "string", required: true, index: true },
-      token_scope: { type: "string", required: true },
-      redirect_url: { type: "string", required: true },
-      payload: { type: "json", required: true },
-      expires_at: { type: "number", required: true, bigint: true },
-      created_at: { type: "date", required: true }
-    }
-  },
-  // Shared credential slot bindings. Plugins keep source-specific semantics
-  // local, but credential ownership and resolution use one scoped shape.
-  credential_binding: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      plugin_id: { type: "string", required: true, index: true },
-      source_id: { type: "string", required: true, index: true },
-      source_scope_id: { type: "string", required: true, index: true },
-      slot_key: { type: "string", required: true, index: true },
-      /** "text" | "secret" | "connection". */
-      kind: { type: credentialBindingKinds, required: true, index: true },
-      text_value: { type: "string", required: false },
-      secret_id: { type: "string", required: false, index: true },
-      secret_scope_id: { type: "string", required: false, index: true },
-      connection_id: { type: "string", required: false, index: true },
-      created_at: { type: "date", required: true },
-      updated_at: { type: "date", required: true }
-    }
-  },
-  // User-authored overrides for tool permissions. Each row is one rule:
-  // a glob-ish pattern + an action (approve / require_approval / block).
-  // Resolution walks the scope stack innermost-first, then `position`
-  // ascending within each scope; first match wins. Plugin-derived
-  // annotations from `resolveAnnotations` apply only when no rule
-  // matches.
-  //
-  // Pattern grammar (v1):
-  //   - `*`                  every tool id (universal)
-  //   - `vercel.dns.create`  exact tool id
-  //   - `vercel.dns.*`       any tool whose id starts with `vercel.dns.`
-  //   - `vercel.*`           plugin-wide
-  // No `**`, no brace expansion, no leading-`*` prefixes (`*foo`, `*.foo`).
-  tool_policy: {
-    fields: {
-      id: { type: "string", required: true },
-      scope_id: { type: "string", required: true, index: true },
-      pattern: { type: "string", required: true },
-      /** "approve" | "require_approval" | "block". */
-      action: { type: "string", required: true },
-      /** Fractional-indexing key (Jira lexorank style). Lower lex order =
-       *  higher precedence. New rules default to a key generated above
-       *  the current minimum. Strings instead of numbers so we can
-       *  always lengthen the key to insert between two adjacent rows
-       *  without precision loss; see `fractional-indexing` in
-       *  `policies.ts`. */
-      position: { type: "string", required: true, index: true },
-      created_at: { type: "date", required: true },
-      updated_at: { type: "date", required: true }
-    }
-  }
-};
-
-// ../sdk/src/policies.ts
-import { Match, Schema as Schema6 } from "effect";
-var ToolPolicyActionSchema = Schema6.Literals(["approve", "require_approval", "block"]);
-
-// ../sdk/src/secrets.ts
-import { Schema as Schema7 } from "effect";
-var SecretRef = class extends Schema7.Class("SecretRef")({
-  id: SecretId,
-  scopeId: ScopeId,
-  /** Human-readable label (e.g. "Cloudflare API Token") */
-  name: Schema7.String,
-  /** Which provider holds the value */
-  provider: Schema7.String,
-  createdAt: Schema7.Date
-}) {
-};
-var SetSecretInput = class extends Schema7.Class("SetSecretInput")({
-  id: SecretId,
-  /** Scope id to own this secret. Must be one of the executor's
-   *  configured scopes. */
-  scope: ScopeId,
-  /** Display name shown in secret-list UI. */
-  name: Schema7.String,
-  /** The secret value itself — never persisted outside the provider. */
-  value: Schema7.String,
-  /** Optional provider routing. If unset the executor picks the first
-   *  writable provider in registration order. */
-  provider: Schema7.optional(Schema7.String)
-}) {
-};
-var RemoveSecretInput = class extends Schema7.Class("RemoveSecretInput")({
-  id: SecretId,
-  /** Scope id whose secret row/value should be removed. Must be one of
-   *  the executor's configured scopes. */
-  targetScope: ScopeId
-}) {
-};
-
-// ../sdk/src/secret-backed-value.ts
-import { Effect as Effect3, Schema as Schema8 } from "effect";
-var SecretBackedValue = Schema8.Union([
-  Schema8.String,
-  Schema8.Struct({
-    secretId: Schema8.String,
-    prefix: Schema8.optional(Schema8.String)
-  })
-]);
-var SecretBackedMap = Schema8.Record(Schema8.String, SecretBackedValue);
-
-// ../sdk/src/credential-bindings.ts
-import { Match as Match2, Schema as Schema9 } from "effect";
-var CredentialBindingKind = Schema9.Literals(credentialBindingKinds);
-var CredentialBindingValue = Schema9.Union([
-  Schema9.Struct({
-    kind: Schema9.Literal("text"),
-    text: Schema9.String
-  }),
-  Schema9.Struct({
-    kind: Schema9.Literal("secret"),
-    secretId: SecretId,
-    secretScopeId: Schema9.optional(ScopeId)
-  }),
-  Schema9.Struct({
-    kind: Schema9.Literal("connection"),
-    connectionId: ConnectionId
-  })
-]);
-var ConfiguredCredentialBindingSchema = Schema9.Struct({
-  kind: Schema9.Literal("binding"),
-  slot: Schema9.String,
-  prefix: Schema9.optional(Schema9.String)
-});
-var ConfiguredCredentialBinding = class extends Schema9.Class(
-  "ConfiguredCredentialBinding"
-)(ConfiguredCredentialBindingSchema.fields) {
-};
-var ConfiguredCredentialValue = Schema9.Union([Schema9.String, ConfiguredCredentialBinding]);
-var ConfiguredCredentialValueSchema = Schema9.Union([
-  Schema9.String,
-  ConfiguredCredentialBindingSchema
-]);
-var ScopedSecretCredentialInput = Schema9.Struct({
-  secretId: Schema9.String,
-  prefix: Schema9.optional(Schema9.String),
-  targetScope: ScopeId,
-  secretScopeId: Schema9.optional(ScopeId)
-});
-var CredentialBindingRef = class extends Schema9.Class(
-  "CredentialBindingRef"
-)({
-  id: CredentialBindingId,
-  scopeId: ScopeId,
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScopeId: ScopeId,
-  slotKey: Schema9.String,
-  value: CredentialBindingValue,
-  createdAt: Schema9.Date,
-  updatedAt: Schema9.Date
-}) {
-};
-var SetCredentialBindingInput = class extends Schema9.Class(
-  "SetCredentialBindingInput"
-)({
-  targetScope: ScopeId,
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScope: ScopeId,
-  slotKey: Schema9.String,
-  value: CredentialBindingValue
-}) {
-};
-var CredentialBindingSourceInput = class extends Schema9.Class(
-  "CredentialBindingSourceInput"
-)({
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScope: ScopeId
-}) {
-};
-var CredentialBindingSlotInput = class extends Schema9.Class(
-  "CredentialBindingSlotInput"
-)({
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScope: ScopeId,
-  slotKey: Schema9.String
-}) {
-};
-var RemoveCredentialBindingInput = class extends Schema9.Class(
-  "RemoveCredentialBindingInput"
-)({
-  targetScope: ScopeId,
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScope: ScopeId,
-  slotKey: Schema9.String
-}) {
-};
-var ReplaceCredentialBindingValue = class extends Schema9.Class(
-  "ReplaceCredentialBindingValue"
-)({
-  slotKey: Schema9.String,
-  value: CredentialBindingValue
-}) {
-};
-var ReplaceCredentialBindingsInput = class extends Schema9.Class(
-  "ReplaceCredentialBindingsInput"
-)({
-  targetScope: ScopeId,
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScope: ScopeId,
-  slotPrefixes: Schema9.Array(Schema9.String),
-  bindings: Schema9.Array(ReplaceCredentialBindingValue)
-}) {
-};
-var CredentialBindingResolutionStatus = Schema9.Literals([
-  "resolved",
-  "missing",
-  "blocked"
-]);
-var ResolvedCredentialSlot = class extends Schema9.Class(
-  "ResolvedCredentialSlot"
-)({
-  pluginId: Schema9.String,
-  sourceId: Schema9.String,
-  sourceScopeId: ScopeId,
-  slotKey: Schema9.String,
-  bindingScopeId: Schema9.NullOr(ScopeId),
-  kind: Schema9.NullOr(CredentialBindingKind),
-  status: CredentialBindingResolutionStatus
-}) {
-};
-
-// ../sdk/src/usages.ts
-import { Schema as Schema10 } from "effect";
-var Usage = class extends Schema10.Class("Usage")({
-  pluginId: Schema10.String,
-  scopeId: ScopeId,
-  ownerKind: Schema10.String,
-  ownerId: Schema10.String,
-  ownerName: Schema10.NullOr(Schema10.String),
-  slot: Schema10.String
-}) {
-};
-
-// ../sdk/src/connections.ts
-import { Data as Data3, Schema as Schema11 } from "effect";
-var ConnectionProviderState = Schema11.Record(Schema11.String, Schema11.Unknown);
-var ConnectionRef = class extends Schema11.Class("ConnectionRef")({
-  id: ConnectionId,
-  scopeId: ScopeId,
-  provider: Schema11.String,
-  identityLabel: Schema11.NullOr(Schema11.String),
-  accessTokenSecretId: SecretId,
-  refreshTokenSecretId: Schema11.NullOr(SecretId),
-  /** Epoch ms when the access token expires; null if not declared. */
-  expiresAt: Schema11.NullOr(Schema11.Number),
-  /** OAuth-style scope string as returned by the token endpoint. Named
-   *  `oauthScope` to avoid collision with the executor scope id. */
-  oauthScope: Schema11.NullOr(Schema11.String),
-  providerState: Schema11.NullOr(ConnectionProviderState),
-  createdAt: Schema11.Date,
-  updatedAt: Schema11.Date
-}) {
-};
-var TokenMaterial = class extends Schema11.Class("TokenMaterial")({
-  /** Target secret id. Plugins typically derive this from the source id
-   *  + a stable suffix (e.g. `${sourceId}.access_token`). */
-  secretId: SecretId,
-  /** Display name stamped on the secret row. Only visible to code — the
-   *  Connections UI hides connection-owned secrets. */
-  name: Schema11.String,
-  value: Schema11.String
-}) {
-};
-var CreateConnectionInput = class extends Schema11.Class(
-  "CreateConnectionInput"
-)({
-  id: ConnectionId,
-  /** Executor scope id that will own this connection + its backing
-   *  secrets. This is the sharing boundary: a user scope is personal,
-   *  an org/workspace scope is shared with descendants. */
-  scope: ScopeId,
-  provider: Schema11.String,
-  identityLabel: Schema11.NullOr(Schema11.String),
-  accessToken: TokenMaterial,
-  refreshToken: Schema11.NullOr(TokenMaterial),
-  expiresAt: Schema11.NullOr(Schema11.Number),
-  /** OAuth-style scope string. Distinct from the executor scope above. */
-  oauthScope: Schema11.NullOr(Schema11.String),
-  providerState: Schema11.NullOr(ConnectionProviderState)
-}) {
-};
-var ConnectionRefreshError = class extends Data3.TaggedError("ConnectionRefreshError") {
-};
-var UpdateConnectionTokensInput = class extends Schema11.Class(
-  "UpdateConnectionTokensInput"
-)({
-  id: ConnectionId,
-  accessToken: Schema11.String,
-  refreshToken: Schema11.optional(Schema11.NullOr(Schema11.String)),
-  expiresAt: Schema11.optional(Schema11.NullOr(Schema11.Number)),
-  oauthScope: Schema11.optional(Schema11.NullOr(Schema11.String)),
-  providerState: Schema11.optional(Schema11.NullOr(ConnectionProviderState)),
-  identityLabel: Schema11.optional(Schema11.NullOr(Schema11.String))
-}) {
-};
-var RemoveConnectionInput = class extends Schema11.Class(
-  "RemoveConnectionInput"
-)({
-  id: ConnectionId,
-  /** Scope id whose connection row and owned token secrets should be removed. */
-  targetScope: ScopeId
-}) {
-};
-
-// ../sdk/src/elicitation.ts
-import { Schema as Schema12 } from "effect";
-var FormElicitation = class extends Schema12.TaggedClass()("FormElicitation", {
-  message: Schema12.String,
-  /** JSON Schema describing the fields to collect */
-  requestedSchema: Schema12.Record(Schema12.String, Schema12.Unknown)
-}) {
-};
-var UrlElicitation = class extends Schema12.TaggedClass()("UrlElicitation", {
-  message: Schema12.String,
-  url: Schema12.String,
-  /** Unique ID so the host can correlate the callback */
-  elicitationId: Schema12.String
-}) {
-};
-var ElicitationAction = Schema12.Literals(["accept", "decline", "cancel"]);
-var ElicitationResponse = class extends Schema12.Class("ElicitationResponse")({
-  action: ElicitationAction,
-  /** Present when action is "accept" — the data the user provided */
-  content: Schema12.optional(Schema12.Record(Schema12.String, Schema12.Unknown))
-}) {
-};
-var ElicitationDeclinedError = class extends Schema12.TaggedErrorClass()(
-  "ElicitationDeclinedError",
-  {
-    toolId: ToolId,
-    action: Schema12.Literals(["decline", "cancel"])
-  }
-) {
-};
-
-// ../sdk/src/blob.ts
-import { Effect as Effect7 } from "effect";
-
-// ../sdk/src/oauth.ts
-import { Effect as Effect8, Schema as Schema13 } from "effect";
-var OAuthDynamicDcrStrategy = Schema13.Struct({
-  kind: Schema13.Literal("dynamic-dcr"),
-  /** Scopes to request. Defaults to whatever `scopes_supported`
-   *  advertises; caller can narrow or extend. */
-  scopes: Schema13.optional(Schema13.Array(Schema13.String))
-});
-var OAuthAuthorizationCodeStrategy = Schema13.Struct({
-  kind: Schema13.Literal("authorization-code"),
-  authorizationEndpoint: Schema13.String,
-  tokenEndpoint: Schema13.String,
-  /** Expected authorization-server issuer for ID token validation. Some
-   *  providers use a token endpoint host that differs from issuer, or a
-   *  path-scoped issuer such as Okta custom authorization servers. */
-  issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
-  /** Secret id holding the `client_id`. Using a secret row rather than
-   *  an inline string so the value lives at the scope where the caller
-   *  configured it and shadowing behaves consistently. */
-  clientIdSecretId: Schema13.String,
-  /** Secret id for `client_secret`. Null for public clients using
-   *  PKCE without a confidential secret. */
-  clientSecretSecretId: Schema13.NullOr(Schema13.String),
-  scopes: Schema13.Array(Schema13.String),
-  /** Separator between scopes. RFC 6749 says space; some providers
-   *  (GitHub classic) use comma. */
-  scopeSeparator: Schema13.optional(Schema13.String),
-  /** Provider-specific params injected at authorization URL build time
-   *  (Google's `access_type=offline`, `prompt=consent`, ...). */
-  extraAuthorizationParams: Schema13.optional(Schema13.Record(Schema13.String, Schema13.String)),
-  /** `"body"` (default) sends client creds in the form body; `"basic"`
-   *  uses HTTP Basic auth. Stripe-style servers require basic. */
-  clientAuth: Schema13.optional(Schema13.Literals(["body", "basic"]))
-});
-var OAuthClientCredentialsStrategy = Schema13.Struct({
-  kind: Schema13.Literal("client-credentials"),
-  tokenEndpoint: Schema13.String,
-  clientIdSecretId: Schema13.String,
-  clientSecretSecretId: Schema13.String,
-  scopes: Schema13.optional(Schema13.Array(Schema13.String)),
-  scopeSeparator: Schema13.optional(Schema13.String),
-  clientAuth: Schema13.optional(Schema13.Literals(["body", "basic"]))
-});
-var OAuthStrategy = Schema13.Union([
-  OAuthDynamicDcrStrategy,
-  OAuthAuthorizationCodeStrategy,
-  OAuthClientCredentialsStrategy
-]);
-var OAuthProviderState = Schema13.Union([
-  Schema13.Struct({
-    kind: Schema13.Literal("dynamic-dcr"),
-    tokenEndpoint: Schema13.String,
-    issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    authorizationServerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    authorizationServerMetadataUrl: Schema13.NullOr(Schema13.String),
-    idTokenSigningAlgValuesSupported: Schema13.optional(Schema13.Array(Schema13.String)),
-    /** DCR-minted client_id. Embedded inline (not a secret) — DCR
-     *  clients are public-ish by design; the secret part (if the AS
-     *  issued one) is a separate secret row. */
-    clientId: Schema13.String,
-    clientSecretSecretId: Schema13.NullOr(Schema13.String),
-    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    clientAuth: Schema13.Literals(["body", "basic"]),
-    scopes: Schema13.Array(Schema13.String).pipe(Schema13.withDecodingDefaultType(Effect8.succeed([]))),
-    scopeSeparator: Schema13.optional(Schema13.String),
-    scope: Schema13.NullOr(Schema13.String),
-    /** RFC 8707 canonical resource URL. Replayed on refresh so the new
-     *  access token's audience stays bound to the same resource. */
-    resource: Schema13.optional(Schema13.NullOr(Schema13.String))
-  }),
-  Schema13.Struct({
-    kind: Schema13.Literal("authorization-code"),
-    tokenEndpoint: Schema13.String,
-    issuerUrl: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    clientIdSecretId: Schema13.String,
-    clientIdSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    clientSecretSecretId: Schema13.NullOr(Schema13.String),
-    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    clientAuth: Schema13.Literals(["body", "basic"]),
-    scopes: Schema13.Array(Schema13.String).pipe(Schema13.withDecodingDefaultType(Effect8.succeed([]))),
-    scopeSeparator: Schema13.optional(Schema13.String),
-    scope: Schema13.NullOr(Schema13.String),
-    resource: Schema13.optional(Schema13.NullOr(Schema13.String))
-  }),
-  Schema13.Struct({
-    kind: Schema13.Literal("client-credentials"),
-    tokenEndpoint: Schema13.String,
-    clientIdSecretId: Schema13.String,
-    clientIdSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    clientSecretSecretId: Schema13.String,
-    clientSecretSecretScopeId: Schema13.optional(Schema13.NullOr(Schema13.String)),
-    scopes: Schema13.Array(Schema13.String),
-    scopeSeparator: Schema13.optional(Schema13.String),
-    clientAuth: Schema13.Literals(["body", "basic"]),
-    scope: Schema13.NullOr(Schema13.String)
-  })
-]);
-var OAuthProbeError = class extends Schema13.TaggedErrorClass()(
-  "OAuthProbeError",
-  {
-    message: Schema13.String
-  },
-  { httpApiStatus: 400 }
-) {
-};
-var OAuthStartError = class extends Schema13.TaggedErrorClass()(
-  "OAuthStartError",
-  {
-    message: Schema13.String,
-    /** RFC 6749 §5.2 / RFC 7591 §3.2.2 error code propagated up from the
-     *  authorization server (e.g. `invalid_client_metadata`). UI surfaces
-     *  it as the structured "AS rejected the registration" reason. */
-    error: Schema13.optional(Schema13.String),
-    errorDescription: Schema13.optional(Schema13.String)
-  },
-  { httpApiStatus: 400 }
-) {
-};
-var OAuthCompleteError = class extends Schema13.TaggedErrorClass()(
-  "OAuthCompleteError",
-  {
-    message: Schema13.String,
-    /** RFC 6749 §5.2 error code, when the token endpoint returned one.
-     *  Callers distinguish terminal failures (`invalid_grant` ⇒
-     *  re-auth required) from transient ones. */
-    code: Schema13.optional(Schema13.String)
-  },
-  { httpApiStatus: 400 }
-) {
-};
-var OAuthSessionNotFoundError = class extends Schema13.TaggedErrorClass()(
-  "OAuthSessionNotFoundError",
-  {
-    sessionId: Schema13.String
-  },
-  { httpApiStatus: 404 }
-) {
-};
-var OAUTH2_SESSION_TTL_MS = 15 * 60 * 1e3;
-
-// ../sdk/src/oauth-helpers.ts
-import { Data as Data4, Effect as Effect9, Predicate } from "effect";
-var OAuth2Error = class extends Data4.TaggedError("OAuth2Error") {
-};
-var isOAuth2Error = Predicate.isTagged("OAuth2Error");
-
-// ../sdk/src/oauth-service.ts
-import { Duration as Duration2, Effect as Effect11, Match as Match3, Option as Option3, Schema as Schema15 } from "effect";
-import { FetchHttpClient as FetchHttpClient2, HttpClient as HttpClient2, HttpClientRequest as HttpClientRequest2 } from "effect/unstable/http";
-
-// ../sdk/src/oauth-discovery.ts
-import { Data as Data5, Duration, Effect as Effect10, Option as Option2, Predicate as Predicate2, Result, Schema as Schema14 } from "effect";
-import { FetchHttpClient, HttpClient, HttpClientRequest } from "effect/unstable/http";
-var OAuthDiscoveryError = class extends Data5.TaggedError("OAuthDiscoveryError") {
-};
-var StringArray = Schema14.Array(Schema14.String);
-var OAuthProtectedResourceMetadataSchema = Schema14.Struct({
-  resource: Schema14.optional(Schema14.String),
-  authorization_servers: Schema14.optional(StringArray),
-  scopes_supported: Schema14.optional(StringArray),
-  bearer_methods_supported: Schema14.optional(StringArray),
-  resource_documentation: Schema14.optional(Schema14.String)
-}).annotate({ identifier: "OAuthProtectedResourceMetadata" });
-var OAuthAuthorizationServerMetadataSchema = Schema14.Struct({
-  issuer: Schema14.String,
-  authorization_endpoint: Schema14.String,
-  token_endpoint: Schema14.String,
-  registration_endpoint: Schema14.optional(Schema14.String),
-  scopes_supported: Schema14.optional(StringArray),
-  response_types_supported: Schema14.optional(StringArray),
-  grant_types_supported: Schema14.optional(StringArray),
-  code_challenge_methods_supported: Schema14.optional(StringArray),
-  token_endpoint_auth_methods_supported: Schema14.optional(StringArray),
-  revocation_endpoint: Schema14.optional(Schema14.String),
-  introspection_endpoint: Schema14.optional(Schema14.String),
-  userinfo_endpoint: Schema14.optional(Schema14.String),
-  id_token_signing_alg_values_supported: Schema14.optional(StringArray)
-}).annotate({ identifier: "OAuthAuthorizationServerMetadata" });
-var OAuthClientInformationSchema = Schema14.Struct({
-  client_id: Schema14.String,
-  client_secret: Schema14.optional(Schema14.String),
-  client_id_issued_at: Schema14.optional(Schema14.Number),
-  client_secret_expires_at: Schema14.optional(Schema14.Number),
-  registration_access_token: Schema14.optional(Schema14.String),
-  registration_client_uri: Schema14.optional(Schema14.String),
-  token_endpoint_auth_method: Schema14.optional(Schema14.String),
-  grant_types: Schema14.optional(StringArray),
-  response_types: Schema14.optional(StringArray),
-  redirect_uris: Schema14.optional(StringArray),
-  client_name: Schema14.optional(Schema14.String),
-  scope: Schema14.optional(Schema14.String)
-}).annotate({ identifier: "OAuthClientInformation" });
-var decodeResourceMetadataJson = Schema14.decodeUnknownEffect(
-  Schema14.fromJsonString(OAuthProtectedResourceMetadataSchema)
-);
-var decodeAuthServerMetadata = Schema14.decodeUnknownEffect(OAuthAuthorizationServerMetadataSchema);
-var decodeClientInformationJson = Schema14.decodeUnknownEffect(
-  Schema14.fromJsonString(OAuthClientInformationSchema)
-);
-var DcrErrorBody = class extends Data5.TaggedError("DcrErrorBody") {
-};
-var DcrTransport = class extends Data5.TaggedError("DcrTransport") {
-};
-var DcrErrorBodyJson = Schema14.Struct({
-  error: Schema14.String,
-  error_description: Schema14.optional(Schema14.String)
-});
-var decodeDcrErrorBodyJson = Schema14.decodeUnknownOption(Schema14.fromJsonString(DcrErrorBodyJson));
-
-// ../sdk/src/oauth-service.ts
-var OAuthAuthorizationServerMetadataJson = Schema15.Record(Schema15.String, Schema15.Unknown);
-var OAuthClientInformationJson = Schema15.Record(Schema15.String, Schema15.Unknown);
-var DynamicDcrSessionPayload = Schema15.Struct({
-  kind: Schema15.Literal("dynamic-dcr"),
-  identityLabel: Schema15.NullOr(Schema15.String),
-  codeVerifier: Schema15.String,
-  authorizationServerUrl: Schema15.String,
-  authorizationServerMetadataUrl: Schema15.String,
-  authorizationServerMetadata: OAuthAuthorizationServerMetadataJson,
-  clientInformation: OAuthClientInformationJson,
-  resourceMetadataUrl: Schema15.NullOr(Schema15.String),
-  resourceMetadata: Schema15.NullOr(Schema15.Record(Schema15.String, Schema15.Unknown)),
-  scopes: Schema15.Array(Schema15.String),
-  resource: Schema15.NullOr(Schema15.String).pipe(Schema15.withDecodingDefaultType(Effect11.succeed(null)))
-});
-var AuthorizationCodeSessionPayload = Schema15.Struct({
-  kind: Schema15.Literal("authorization-code"),
-  identityLabel: Schema15.NullOr(Schema15.String),
-  codeVerifier: Schema15.String,
-  authorizationEndpoint: Schema15.String,
-  tokenEndpoint: Schema15.String,
-  issuerUrl: Schema15.NullOr(Schema15.String).pipe(
-    Schema15.withDecodingDefaultType(Effect11.succeed(null))
-  ),
-  clientIdSecretId: Schema15.String,
-  clientIdSecretScopeId: Schema15.NullOr(Schema15.String).pipe(
-    Schema15.withDecodingDefaultType(Effect11.succeed(null))
-  ),
-  clientSecretSecretId: Schema15.NullOr(Schema15.String),
-  clientSecretSecretScopeId: Schema15.NullOr(Schema15.String).pipe(
-    Schema15.withDecodingDefaultType(Effect11.succeed(null))
-  ),
-  scopes: Schema15.Array(Schema15.String),
-  scopeSeparator: Schema15.optional(Schema15.String),
-  clientAuth: Schema15.Literals(["body", "basic"])
-});
-var OAuthSessionPayload = Schema15.Union([
-  DynamicDcrSessionPayload,
-  AuthorizationCodeSessionPayload
-]);
-var decodeSessionPayload = Schema15.decodeUnknownSync(OAuthSessionPayload);
-var encodeSessionPayload = Schema15.encodeSync(OAuthSessionPayload);
-var UnknownFromJsonString = Schema15.fromJsonString(Schema15.Unknown);
-var decodeUnknownJsonOption = Schema15.decodeUnknownOption(UnknownFromJsonString);
-var decodeProviderStateSync = Schema15.decodeUnknownSync(OAuthProviderState);
-var encodeProviderStateSync = Schema15.encodeSync(OAuthProviderState);
-
-// ../sdk/src/hosted-http-client.ts
-import { Effect as Effect12, Layer as Layer3, Schema as Schema16 } from "effect";
-import { FetchHttpClient as FetchHttpClient3 } from "effect/unstable/http";
-var HostedOutboundRequestBlocked = class extends Schema16.TaggedErrorClass()(
-  "HostedOutboundRequestBlocked",
-  {
-    url: Schema16.String,
-    reason: Schema16.String
-  }
-) {
-};
-
-// ../sdk/src/plugin.ts
-import { Effect as Effect13 } from "effect";
-function definePlugin(authorFactory) {
-  return (options) => {
-    const {
-      storage: storageOverride,
-      ...rest
-    } = options ?? {};
-    const hasAuthorOptions = Object.keys(rest).length > 0;
-    const spec = authorFactory(hasAuthorOptions ? rest : void 0);
-    return {
-      ...spec,
-      storage: storageOverride ?? spec.storage
-    };
-  };
-}
-
-// ../sdk/src/executor.ts
-import {
-  Context,
-  Deferred,
-  Effect as Effect15,
-  Match as Match5,
-  Option as Option5,
-  Result as Result2,
-  Schema as Schema17,
-  Semaphore
-} from "effect";
-import { FetchHttpClient as FetchHttpClient4 } from "effect/unstable/http";
-
-// ../sdk/src/schema-types.ts
-import { Match as Match4, Option as Option4 } from "effect";
-
-// ../sdk/src/scoped-adapter.ts
-import { Effect as Effect14 } from "effect";
-
-// ../sdk/src/executor.ts
-var collectSchemas = (plugins) => {
-  const merged = { ...coreSchema };
-  for (const plugin of plugins) {
-    if (!plugin.schema) continue;
-    for (const [modelKey, model] of Object.entries(plugin.schema)) {
-      if (merged[modelKey]) {
-        throw new StorageError({
-          message: `Duplicate model "${modelKey}" contributed by plugin "${plugin.id}" (reserved by core or another plugin)`,
-          cause: void 0
-        });
-      }
-      merged[modelKey] = model;
-    }
-  }
-  return merged;
-};
-var decodeJsonFromString2 = Schema17.decodeUnknownOption(Schema17.UnknownFromJsonString);
-var decodeProviderState = Schema17.decodeUnknownOption(ConnectionProviderState);
-var activeAdapterRef = Context.Reference("executor/ActiveAdapter", {
-  defaultValue: () => null
-});
-var activeRawAdapterRef = Context.Reference(
-  "executor/ActiveRawAdapter",
-  {
-    defaultValue: () => null
-  }
-);
-
-// ../storage-core/src/testing/memory.ts
-import { Effect as Effect16, Match as Match6 } from "effect";
-
-// ../sdk/src/test-config.ts
-import { Effect as Effect17 } from "effect";
-var memorySecretsPlugin = definePlugin(() => {
-  const store = /* @__PURE__ */ new Map();
-  const provider = {
-    key: "memory",
-    writable: true,
-    get: (id, scope) => Effect17.sync(() => store.get(`${scope}\0${id}`) ?? null),
-    set: (id, value, scope) => Effect17.sync(() => {
-      store.set(`${scope}\0${id}`, value);
-    }),
-    delete: (id, scope) => Effect17.sync(() => store.delete(`${scope}\0${id}`)),
-    list: () => Effect17.sync(
-      () => Array.from(store.keys()).map((key) => {
-        const name = key.split("\0", 2)[1] ?? key;
-        return { id: name, name };
-      })
-    )
-  };
-  return {
-    id: "memory-secrets",
-    storage: () => ({}),
-    secretProviders: [provider]
-  };
-});
-
-// ../sdk/src/api-errors.ts
-import { Schema as Schema18 } from "effect";
-var InternalError = class extends Schema18.TaggedErrorClass()(
-  "InternalError",
-  {
-    /** Opaque correlation id for backend lookup (Sentry event id, log line, etc.). */
-    traceId: Schema18.String
-  },
-  { httpApiStatus: 500 }
-) {
-};
+import { collectTables } from "@executor-js/sdk/core";
 
 // src/utils/get-config.ts
 import { existsSync } from "fs";
@@ -1102,323 +48,10 @@ var getConfig = async (opts) => {
   return config;
 };
 
-// src/generators/drizzle.ts
-import { existsSync as existsSync2 } from "fs";
-var getModelName = (key, def) => def.modelName ?? key;
-var getType = (name, field, dialect) => {
-  if (field.references?.field === "id") {
-    return `text('${name}')`;
-  }
-  const type = field.type;
-  if (typeof type !== "string") {
-    if (Array.isArray(type) && type.every((x) => typeof x === "string")) {
-      return {
-        sqlite: `text({ enum: [${type.map((x) => `'${x}'`).join(", ")}] })`,
-        pg: `text('${name}', { enum: [${type.map((x) => `'${x}'`).join(", ")}] })`,
-        mysql: `mysqlEnum([${type.map((x) => `'${x}'`).join(", ")}])`
-      }[dialect];
-    }
-    throw new TypeError(`Invalid field type for field ${name}`);
-  }
-  const typeMap = {
-    string: {
-      sqlite: `text('${name}')`,
-      pg: `text('${name}')`,
-      mysql: field.unique ? `varchar('${name}', { length: 255 })` : field.references ? `varchar('${name}', { length: 36 })` : field.sortable ? `varchar('${name}', { length: 255 })` : field.index ? `varchar('${name}', { length: 255 })` : `text('${name}')`
-    },
-    boolean: {
-      sqlite: `integer('${name}', { mode: 'boolean' })`,
-      pg: `boolean('${name}')`,
-      mysql: `boolean('${name}')`
-    },
-    number: {
-      sqlite: `integer('${name}')`,
-      pg: field.bigint ? `bigint('${name}', { mode: 'number' })` : `integer('${name}')`,
-      mysql: field.bigint ? `bigint('${name}', { mode: 'number' })` : `int('${name}')`
-    },
-    date: {
-      sqlite: `integer('${name}', { mode: 'timestamp_ms' })`,
-      pg: `timestamp('${name}')`,
-      mysql: `timestamp('${name}', { fsp: 3 })`
-    },
-    "number[]": {
-      sqlite: `text('${name}', { mode: "json" })`,
-      pg: field.bigint ? `bigint('${name}', { mode: 'number' }).array()` : `integer('${name}').array()`,
-      mysql: `text('${name}', { mode: 'json' })`
-    },
-    "string[]": {
-      sqlite: `text('${name}', { mode: "json" })`,
-      pg: `text('${name}').array()`,
-      mysql: `text('${name}', { mode: "json" })`
-    },
-    json: {
-      sqlite: `text('${name}', { mode: "json" })`,
-      pg: `jsonb('${name}')`,
-      mysql: `json('${name}', { mode: "json" })`
-    }
-  };
-  const dbTypeMap = typeMap[type];
-  if (!dbTypeMap) {
-    throw new Error(`Unsupported field type '${field.type}' for field '${name}'.`);
-  }
-  return dbTypeMap[dialect];
-};
-var generateDrizzleSchema = async ({ schema, dialect, file }) => {
-  const filePath = file || "./executor-schema.ts";
-  const fileExist = existsSync2(filePath);
-  let code = generateImport({ dialect, schema });
-  for (const [tableKey, tableDef] of Object.entries(schema)) {
-    const modelName = getModelName(tableKey, tableDef);
-    const fields = tableDef.fields;
-    const hasScopeId = Object.prototype.hasOwnProperty.call(fields, "scope_id");
-    const id = hasScopeId ? `text('id').notNull()` : `text('id').primaryKey()`;
-    const extras = [];
-    const assignExtras = (items) => {
-      if (!items.length) return "";
-      const lines = [`, (table) => [`];
-      for (const item of items) {
-        if (item.kind === "primaryKey") {
-          const cols = item.columns.map((c) => `table.${c}`).join(", ");
-          lines.push(`  primaryKey({ columns: [${cols}] }),`);
-        } else {
-          const cols = Array.isArray(item.on) ? item.on.map((c) => `table.${c}`).join(", ") : `table.${item.on}`;
-          lines.push(`  ${item.kind}("${item.name}").on(${cols}),`);
-        }
-      }
-      lines.push(`]`);
-      return lines.join("\n");
-    };
-    if (hasScopeId) {
-      extras.push({ kind: "primaryKey", columns: ["scope_id", "id"] });
-    }
-    const fieldLines = Object.entries(fields).filter(([fieldName]) => fieldName !== "id").map(([fieldName, attr]) => {
-      const physical = attr.fieldName ?? fieldName;
-      const isToolPolicyCompositeField = tableKey === "tool_policy" && (physical === "scope_id" || physical === "position");
-      if (attr.index && !attr.unique && !isToolPolicyCompositeField) {
-        extras.push({
-          kind: "index",
-          name: `${tableKey}_${physical}_idx`,
-          on: physical
-        });
-      } else if (attr.index && attr.unique) {
-        extras.push({
-          kind: "uniqueIndex",
-          name: `${tableKey}_${physical}_uidx`,
-          on: physical
-        });
-      }
-      let col = getType(physical, attr, dialect);
-      if (attr.defaultValue !== null && typeof attr.defaultValue !== "undefined") {
-        if (typeof attr.defaultValue === "function") {
-          if (attr.type === "date" && attr.defaultValue.toString().includes("new Date()")) {
-            if (dialect === "sqlite") {
-              col += `.default(sql\`(cast(unixepoch('subsecond') * 1000 as integer))\`)`;
-            } else {
-              col += `.defaultNow()`;
-            }
-          }
-        } else if (typeof attr.defaultValue === "string") {
-          col += `.default("${attr.defaultValue}")`;
-        } else {
-          col += `.default(${attr.defaultValue})`;
-        }
-      }
-      if (attr.onUpdate && attr.type === "date") {
-        if (typeof attr.onUpdate === "function") {
-          col += `.$onUpdate(${attr.onUpdate})`;
-        }
-      }
-      return `${physical}: ${col}${attr.required !== false ? ".notNull()" : ""}${attr.unique ? ".unique()" : ""}${attr.references ? `.references(()=> ${attr.references.model}.${attr.references.field ?? "id"}, { onDelete: '${attr.references.onDelete || "cascade"}' })` : ""}`;
-    }).join(",\n  ");
-    if (tableKey === "tool_policy") {
-      extras.push({
-        kind: "index",
-        name: "tool_policy_scope_id_position_idx",
-        on: ["scope_id", "position"]
-      });
-    }
-    const tableSchema = `export const ${tableKey} = ${dialect}Table("${modelName}", {
-  id: ${id},
-  ${fieldLines}
-}${assignExtras(extras)});`;
-    code += `
-${tableSchema}
-`;
-  }
-  let relationsString = "";
-  for (const [tableKey, tableDef] of Object.entries(schema)) {
-    const modelName = tableKey;
-    const oneRelations = [];
-    const manyRelations = [];
-    const manyRelationsSet = /* @__PURE__ */ new Set();
-    for (const [fieldName, field] of Object.entries(tableDef.fields)) {
-      if (!field.references) continue;
-      const referencedModel = field.references.model;
-      const physical = field.fieldName ?? fieldName;
-      const fieldRef = `${tableKey}.${physical}`;
-      const referenceRef = `${referencedModel}.${field.references.field || "id"}`;
-      oneRelations.push({
-        key: referencedModel,
-        model: referencedModel,
-        type: "one",
-        reference: {
-          field: fieldRef,
-          references: referenceRef,
-          fieldName
-        }
-      });
-    }
-    for (const [otherKey, otherDef] of Object.entries(schema)) {
-      if (otherKey === tableKey) continue;
-      const hasFK = Object.values(otherDef.fields).some(
-        (field) => field.references?.model === tableKey
-      );
-      if (!hasFK) continue;
-      const relationKey = `${otherKey}s`;
-      if (!manyRelationsSet.has(relationKey)) {
-        manyRelationsSet.add(relationKey);
-        manyRelations.push({
-          key: relationKey,
-          model: otherKey,
-          type: "many"
-        });
-      }
-    }
-    const relationsByModel = /* @__PURE__ */ new Map();
-    for (const rel of oneRelations) {
-      if (!rel.reference) continue;
-      const arr = relationsByModel.get(rel.key) ?? [];
-      arr.push(rel);
-      relationsByModel.set(rel.key, arr);
-    }
-    const duplicateRelations = [];
-    const singleRelations = [];
-    for (const [, rels] of relationsByModel.entries()) {
-      if (rels.length > 1) {
-        duplicateRelations.push(...rels);
-      } else {
-        singleRelations.push(rels[0]);
-      }
-    }
-    for (const rel of duplicateRelations) {
-      if (!rel.reference) continue;
-      const relExportName = `${modelName}${rel.reference.fieldName.charAt(0).toUpperCase() + rel.reference.fieldName.slice(1)}Relations`;
-      const block = `export const ${relExportName} = relations(${modelName}, ({ one }) => ({
-  ${rel.key}: one(${rel.model}, {
-    fields: [${rel.reference.field}],
-    references: [${rel.reference.references}],
-  })
-}))`;
-      relationsString += `
-${block}
-`;
-    }
-    const hasOne = singleRelations.length > 0;
-    const hasMany = manyRelations.length > 0;
-    if (hasOne || hasMany) {
-      const destructured = [hasOne ? "one" : "", hasMany ? "many" : ""].filter(Boolean).join(", ");
-      const body = [
-        ...singleRelations.filter((r) => r.reference).map(
-          (r) => `  ${r.key}: one(${r.model}, {
-    fields: [${r.reference.field}],
-    references: [${r.reference.references}],
-  })`
-        ),
-        ...manyRelations.map(({ key, model }) => `  ${key}: many(${model})`)
-      ].join(",\n");
-      const block = `export const ${modelName}Relations = relations(${modelName}, ({ ${destructured} }) => ({
-${body}
-}))`;
-      relationsString += `
-${block}
-`;
-    }
-  }
-  code += `
-${relationsString}`;
-  return {
-    code,
-    fileName: filePath,
-    overwrite: fileExist
-  };
-};
-function generateImport({ dialect, schema }) {
-  const rootImports = [];
-  const coreImports = [];
-  let hasBigint = false;
-  let hasJson = false;
-  let hasBoolean = false;
-  let hasNumber = false;
-  let hasDate = false;
-  let hasIndex = false;
-  let hasUniqueIndex = false;
-  let hasReferences = false;
-  let hasCompositePrimaryKey = false;
-  for (const [tableKey, table] of Object.entries(schema)) {
-    for (const field of Object.values(table.fields)) {
-      if (field.bigint) hasBigint = true;
-      if (field.type === "json") hasJson = true;
-      if (field.type === "boolean") hasBoolean = true;
-      if (field.type === "number" && !field.bigint || field.type === "number[]") {
-        hasNumber = true;
-      }
-      if (field.type === "date") hasDate = true;
-      if (field.index && !field.unique) hasIndex = true;
-      if (field.index && field.unique) hasUniqueIndex = true;
-      if (field.references) hasReferences = true;
-    }
-    if (Object.prototype.hasOwnProperty.call(table.fields, "scope_id")) {
-      hasCompositePrimaryKey = true;
-    }
-    void tableKey;
-  }
-  coreImports.push(`${dialect}Table`);
-  coreImports.push("text");
-  if (hasBoolean && dialect !== "sqlite") coreImports.push("boolean");
-  if (hasDate) {
-    if (dialect === "pg") coreImports.push("timestamp");
-  }
-  if (hasNumber || dialect === "sqlite") {
-    if (dialect === "pg") coreImports.push("integer");
-    else if (dialect === "mysql") coreImports.push("int");
-    else coreImports.push("integer");
-  }
-  if (hasBigint && dialect !== "sqlite") coreImports.push("bigint");
-  if (hasJson) {
-    if (dialect === "pg") coreImports.push("jsonb");
-    else if (dialect === "mysql") coreImports.push("json");
-  }
-  if (hasIndex) coreImports.push("index");
-  if (hasUniqueIndex) coreImports.push("uniqueIndex");
-  if (hasCompositePrimaryKey) coreImports.push("primaryKey");
-  if (dialect === "sqlite" && (hasBoolean || hasDate)) {
-    if (!coreImports.includes("integer")) coreImports.push("integer");
-  }
-  if (dialect === "sqlite" && hasNumber) {
-  }
-  const hasSqliteTimestamp = dialect === "sqlite" && Object.values(schema).some(
-    (table) => Object.values(table.fields).some(
-      (field) => field.type === "date" && field.defaultValue && typeof field.defaultValue === "function" && field.defaultValue.toString().includes("new Date()")
-    )
-  );
-  if (hasSqliteTimestamp) {
-    rootImports.push("sql");
-  }
-  if (hasReferences || dialect === "mysql") {
-  }
-  if (hasReferences) rootImports.push("relations");
-  const filteredCore = coreImports.map((x) => x.trim()).filter((x) => x !== "");
-  const uniqueCore = [...new Set(filteredCore)];
-  const uniqueRoot = [...new Set(rootImports)];
-  return `${uniqueRoot.length > 0 ? `import { ${uniqueRoot.join(", ")} } from "drizzle-orm";
-` : ""}import { ${uniqueCore.join(", ")} } from "drizzle-orm/${dialect}-core";
-`;
-}
-
-// src/commands/generate.ts
-async function generateAction(opts) {
+// src/commands/schema.ts
+var schemaGenerateAction = async (opts) => {
   const cwd = path2.resolve(opts.cwd);
-  if (!existsSync3(cwd)) {
+  if (!existsSync2(cwd)) {
     console.error(`The directory "${cwd}" does not exist.`);
     process.exit(1);
   }
@@ -1429,29 +62,48 @@ async function generateAction(opts) {
     );
     process.exit(1);
   }
-  const schema = collectSchemas(config.plugins());
-  const result = await generateDrizzleSchema({
-    schema,
-    dialect: config.dialect,
-    file: opts.output
-  });
-  if (!result.code) {
-    console.log("Schema is already up to date.");
-    process.exit(0);
+  if (opts.adapter !== "drizzle") {
+    console.error(`Unsupported schema adapter "${opts.adapter}". Supported adapters: drizzle.`);
+    process.exit(1);
   }
-  const outPath = path2.resolve(cwd, result.fileName);
-  const outDir = path2.dirname(outPath);
-  if (!existsSync3(outDir)) {
-    await fs.mkdir(outDir, { recursive: true });
+  if (opts.provider !== "mysql" && opts.provider !== "postgresql" && opts.provider !== "sqlite") {
+    console.error(
+      `Unsupported drizzle provider "${opts.provider}". Supported providers: mysql, postgresql, sqlite.`
+    );
+    process.exit(1);
   }
-  await fs.writeFile(outPath, result.code);
+  const [{ fumadb }, { drizzleAdapter }, { schema: fumaSchema }] = await Promise.all([
+    import("fumadb"),
+    import("fumadb/adapters/drizzle"),
+    import("fumadb/schema")
+  ]);
+  const schema2 = fumaSchema({
+    version: opts.version,
+    tables: collectTables(config.plugins())
+  });
+  const factory = fumadb({
+    namespace: opts.namespace,
+    schemas: [schema2]
+  });
+  const generated = factory.client(
+    drizzleAdapter({
+      db: {},
+      provider: opts.provider
+    })
+  ).generateSchema("latest", opts.namespace);
+  const output = opts.output ?? generated.path;
+  const outPath = path2.resolve(cwd, output);
+  await fs.mkdir(path2.dirname(outPath), { recursive: true });
+  await fs.writeFile(outPath, generated.code);
   console.log(`Schema generated: ${path2.relative(cwd, outPath)}`);
-}
-var generate = new Command("generate").description("Generate a drizzle schema file from the executor config").option("-c, --cwd <cwd>", "the working directory", process.cwd()).option("--config <config>", "path to the executor config file").option("--output <output>", "output file path for the generated schema").action(generateAction);
+};
+var schema = new Command("schema").description("Database schema utilities").addCommand(
+  new Command("generate").description("Generate an ORM schema file from the executor config").option("-c, --cwd <cwd>", "the working directory", process.cwd()).option("--config <config>", "path to the executor config file").option("--output <output>", "output file path for the generated schema").option("--namespace <namespace>", "FumaDB namespace", "executor").option("--adapter <adapter>", "FumaDB adapter", "drizzle").option("--provider <provider>", "database provider", "postgresql").option("--version <version>", "FumaDB schema version", "1.0.0").action(schemaGenerateAction)
+);
 
 // src/index.ts
 process.on("SIGINT", () => process.exit(0));
 process.on("SIGTERM", () => process.exit(0));
-var program = new Command2("executor").version("0.0.1").description("Executor CLI").addCommand(generate).action(() => program.help());
-program.parse();
+var program = new Command2("executor-sdk").version("0.0.1").description("Executor SDK CLI").addCommand(schema).action(() => program.help());
+await program.parseAsync();
 //# sourceMappingURL=index.js.map