npm - @onequery/cli - Versions diffs - 0.1.45-win32-x64 → 0.1.46-darwin-arm64 - Mend

@onequery/cli 0.1.45-win32-x64 → 0.1.46-darwin-arm64

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (145) hide show

package/vendor/{x86_64-pc-windows-msvc → aarch64-apple-darwin}/server/onequery-server.mjs RENAMED Viewed

@@ -28527,8 +28527,8 @@ const workflowEffectDispatches = pgTable("workflow_effect_dispatches", {
 	check$2("workflow_effect_dispatches_completion_status_check", sql$1`((${table.status} = 'completed' and ${table.completedAt} is not null) or (${table.status} <> 'completed' and ${table.completedAt} is null))`)
 ]);
 //#endregion
-//#region packages/db/src/client.ts
-const postgresSchema = {
+//#region packages/db/src/schema/index.ts
+const schema$2 = {
 	...audit_feed_entries_exports,
 	...audit_projection_checkpoints_exports,
 	...audit_workflow_exports,
@@ -28548,43 +28548,17 @@ const postgresSchema = {
 	...workflow_effect_dispatches_exports,
 	...relations_exports
 };
+//#endregion
+//#region packages/db/src/client.ts
 const DB_CACHE_SYMBOL = Symbol.for("onequery.db.instance-cache");
-const DB_RUNTIME_SCHEMA_SYMBOL = Symbol.for("onequery.db.runtime-schema");
 function getDbCache() {
 	const globalWithCache = globalThis;
 	if (!globalWithCache[DB_CACHE_SYMBOL]) globalWithCache[DB_CACHE_SYMBOL] = /* @__PURE__ */ new Map();
 	return globalWithCache[DB_CACHE_SYMBOL];
 }
-function attachRuntimeSchema(db, runtimeSchema) {
-	Object.defineProperty(db, DB_RUNTIME_SCHEMA_SYMBOL, {
-		configurable: true,
-		enumerable: false,
-		value: runtimeSchema,
-		writable: false
-	});
-	return db;
-}
 function getDatabaseEngine(connectionString) {
 	return isPgliteConnectionString(connectionString) ? "pglite" : "postgres";
 }
-function getDatabaseSchemaForEngine(_engine) {
-	return postgresSchema;
-}
-function getDatabaseSchema(db) {
-	const stableRuntimeSchema = db[DB_RUNTIME_SCHEMA_SYMBOL];
-	if (stableRuntimeSchema) return stableRuntimeSchema;
-	const drizzleRuntimeSchema = db._?.fullSchema;
-	if (!drizzleRuntimeSchema) throw new Error("Database instance does not expose a runtime schema");
-	return drizzleRuntimeSchema;
-}
-function createDatabaseRuntime(connectionString) {
-	const engine = getDatabaseEngine(connectionString);
-	return {
-		db: createDb(connectionString),
-		engine,
-		schema: getDatabaseSchemaForEngine(engine)
-	};
-}
 function createDb(connectionString) {
 	const cache = getDbCache();
 	const cachedDb = cache.get(connectionString);
@@ -28595,13 +28569,12 @@ function createDb(connectionString) {
 		max: 5,
 		fetch_types: false,
 		prepare: true
-	}), { schema: postgresSchema });
-	db = attachRuntimeSchema(db, postgresSchema);
+	}), { schema: schema$2 });
 	cache.set(connectionString, db);
 	return db;
 }
 function createPgliteDb(connectionString) {
-	return drizzle$1(new Xe(ensurePgliteDataDir(connectionString), resolvePgliteRuntimeOptions()), { schema: postgresSchema });
+	return drizzle$1(new Xe(ensurePgliteDataDir(connectionString), resolvePgliteRuntimeOptions()), { schema: schema$2 });
 }
 //#endregion
 //#region node_modules/.bun/drizzle-orm@0.45.2+8cc11c6382417d66/node_modules/drizzle-orm/migrator.js
@@ -28649,7 +28622,7 @@ async function prepareApplicationDatabase(options) {
 	if (getDatabaseEngine(options.connectionString) === "pglite") {
 		const client = new Xe(ensurePgliteDataDir(options.connectionString), resolvePgliteRuntimeOptions());
 		try {
-			await migrate$1(drizzle$1(client, { schema: postgresSchema }), { migrationsFolder: options.migrationsFolder });
+			await migrate$1(drizzle$1(client, { schema: schema$2 }), { migrationsFolder: options.migrationsFolder });
 		} finally {
 			await client.close();
 		}
@@ -28665,7 +28638,7 @@ async function prepareApplicationDatabase(options) {
 		prepare: false
 	});
 	try {
-		await migrate(drizzle(client, { schema: postgresSchema }), { migrationsFolder: options.migrationsFolder });
+		await migrate(drizzle(client, { schema: schema$2 }), { migrationsFolder: options.migrationsFolder });
 	} finally {
 		await client.end({ timeout: 0 });
 	}
@@ -86860,7 +86833,7 @@ async function authorizeSelfHostSignUp(input) {
 	};
 	const invitations = await input.db.query.invitation.findMany({
 		columns: { expiresAt: true },
-		where: and(eq(input.schema.invitation.email, normalizedEmail), eq(input.schema.invitation.status, "pending"))
+		where: and(eq(invitation.email, normalizedEmail), eq(invitation.status, "pending"))
 	});
 	const now = Date.now();
 	if (invitations.some((invitation) => invitation.expiresAt.getTime() > now)) return {
@@ -97227,10 +97200,7 @@ function resolveAuthDb(config) {
 }
 function createAuth(config) {
 	const db = resolveAuthDb(config);
-	const tables = config.schema ?? (config.databaseUrl ? createDatabaseRuntime(config.databaseUrl).schema : void 0);
 	const provider = config.provider ?? "pg";
-	const authSchema = tables;
-	if (!tables) throw new Error("createAuth requires a runtime schema when no databaseUrl is provided");
 	const isHttps = config.baseURL?.startsWith("https://") ?? false;
 	const trustedOrigins = [config.baseURL, "http://localhost:*"].filter((origin) => origin !== void 0);
 	const crossSubDomainCookieDomain = config.baseURL ? new URL(config.baseURL).hostname : void 0;
@@ -97238,7 +97208,7 @@ function createAuth(config) {
 	return betterAuth({
 		database: drizzleAdapter(db, {
 			provider,
-			schema: authSchema
+			schema: schema$2
 		}),
 		secret: config.secret,
 		baseURL: config.baseURL,
@@ -97294,8 +97264,7 @@ function createAuth(config) {
 				if (signupEmail) {
 					const authorization = await authorizeSelfHostSignUp({
 						db,
-						email: signupEmail,
-						schema: tables
+						email: signupEmail
 					});
 					if (!authorization.allowed) return ctx.json({
 						error: authorization.message,
@@ -97310,7 +97279,7 @@ function createAuth(config) {
 				if (!organizationId) return;
 				const membership = await db.query.member.findFirst({
 					columns: { role: true },
-					where: and(eq(tables.member.userId, session.user.id), eq(tables.member.organizationId, organizationId))
+					where: and(eq(schema$2.member.userId, session.user.id), eq(schema$2.member.organizationId, organizationId))
 				});
 				if (!membership) return;
 				if (!doesOrganizationMembershipGrantPermission({
@@ -97343,7 +97312,6 @@ function createAuthFromConfig(runtime, input = {}) {
 		emailDelivery: runtime.auth.emailDelivery,
 		enableTestUtils: input.enableTestUtils,
 		provider: input.provider,
-		schema: input.schema,
 		secret: runtime.auth.secret
 	});
 }
@@ -97367,19 +97335,17 @@ function readEmailField(value) {
 //#endregion
 //#region packages/server/src/storage.ts
 function createServerStorage(runtime, apiRateLimitStorage, input = {}) {
-	const databaseRuntime = createDatabaseRuntime(runtime.storage.connectionString);
+	const db = createDb(runtime.storage.connectionString);
 	return {
 		auth: createAuthFromConfig(runtime, {
-			db: databaseRuntime.db,
+			db,
 			enableTestUtils: input.enableAuthTestUtils,
-			provider: "pg",
-			schema: databaseRuntime.schema
+			provider: "pg"
 		}),
-		db: databaseRuntime.db,
+		db,
 		emailDelivery: runtime.auth.emailDelivery,
 		emailDeliveryMode: getEmailDeliveryMode(runtime.auth.emailDelivery),
-		engine: databaseRuntime.engine,
-		schema: databaseRuntime.schema,
+		engine: getDatabaseEngine(runtime.storage.connectionString),
 		apiRateLimitStorage
 	};
 }
@@ -97620,10 +97586,6 @@ function toCliErrorMessage(error) {
 }
 //#endregion
 //#region packages/cli-server/src/app.ts
-function generateCliRequestId(c) {
-	const existingRequestId = c.get("requestId");
-	return typeof existingRequestId === "string" && existingRequestId.length > 0 ? existingRequestId : crypto.randomUUID();
-}
 const cliRequestObservabilityMiddleware = createMiddleware$1(async (c, next) => {
 	const requestStartedAtMs = Date.now();
 	c.set("requestStartedAtMs", requestStartedAtMs);
@@ -97667,10 +97629,7 @@ function createCliApp(input) {
 	const app = createCliRouter();
 	app.use(cliRuntimeMiddleware(input.runtime));
 	app.use(serverStorageMiddleware(input.storage));
-	app.use(requestId({
-		generator: generateCliRequestId,
-		headerName: CLI_REQUEST_ID_HEADER
-	}));
+	app.use(requestId({ headerName: CLI_REQUEST_ID_HEADER }));
 	app.use(cliRequestObservabilityMiddleware);
 	return app;
 }
@@ -97678,10 +97637,7 @@ function createCliBrowserApp(input) {
 	const app = createCliRouter();
 	app.use(cliRuntimeMiddleware(input.runtime));
 	app.use(serverStorageMiddleware(input.storage));
-	app.use(requestId({
-		generator: generateCliRequestId,
-		headerName: CLI_REQUEST_ID_HEADER
-	}));
+	app.use(requestId({ headerName: CLI_REQUEST_ID_HEADER }));
 	app.use(cliRequestObservabilityMiddleware);
 	return app;
 }
@@ -107668,8 +107624,7 @@ const CliAuthSessionSchema = object$1({
 async function resolveActiveOrgSlug(storage, activeOrganizationId) {
 	if (!activeOrganizationId) return null;
 	try {
-		const { organization } = getDatabaseSchema(storage.db);
-		const [org] = await storage.db.select({ slug: organization.slug }).from(organization).where(eq(organization.id, activeOrganizationId)).limit(1);
+		const [org] = await storage.db.select({ slug: organization$1.slug }).from(organization$1).where(eq(organization$1.id, activeOrganizationId)).limit(1);
 		return org?.slug ?? activeOrganizationId;
 	} catch {
 		return activeOrganizationId;
@@ -107785,14 +107740,13 @@ function authorizeCliOrgAccess(input) {
 //#endregion
 //#region packages/cli-server/src/organization/effects.ts
 async function runCliLoadOrgAccess(input) {
-	const { member, organization } = getDatabaseSchema(input.db);
 	const org = await input.db.query.organization.findFirst({
 		columns: {
 			id: true,
 			slug: true,
 			name: true
 		},
-		where: eq(organization.slug, input.orgSlug)
+		where: eq(organization$1.slug, input.orgSlug)
 	});
 	if (!org) return { kind: "not_found" };
 	if (typeof org.slug !== "string" || org.slug.trim().length === 0) return { kind: "not_found" };
@@ -107806,7 +107760,7 @@ async function runCliLoadOrgAccess(input) {
 			id: true,
 			role: true
 		},
-		where: and(eq(member.userId, input.userId), eq(member.organizationId, accessibleOrg.id))
+		where: and(eq(member$1.userId, input.userId), eq(member$1.organizationId, accessibleOrg.id))
 	});
 	if (!membership) return { kind: "forbidden" };
 	return {
@@ -107816,11 +107770,10 @@ async function runCliLoadOrgAccess(input) {
 	};
 }
 async function runCliListVisibleOrgs(input) {
-	const { member, organization } = getDatabaseSchema(input.db);
 	const rawRows = await input.db.select({
-		name: organization.name,
-		slug: organization.slug
-	}).from(member).innerJoin(organization, eq(member.organizationId, organization.id)).where(eq(member.userId, input.userId));
+		name: organization$1.name,
+		slug: organization$1.slug
+	}).from(member$1).innerJoin(organization$1, eq(member$1.organizationId, organization$1.id)).where(eq(member$1.userId, input.userId));
 	const orgs = [];
 	for (const row of rawRows) {
 		if (typeof row.slug !== "string" || row.slug.trim().length === 0) continue;
@@ -124796,13 +124749,6 @@ var ConnectorJobTimeoutError = class extends ConnectorBrokerError {
 		this.timeoutMs = input.timeoutMs;
 	}
 };
-function getConnectorTables(db) {
-	const schema = getDatabaseSchema(db);
-	return {
-		connectorJobs: schema.connectorJobs,
-		connectors: schema.connectors
-	};
-}
 function getTestStoreOverride() {
 	return testStoreOverride;
 }
@@ -124883,7 +124829,6 @@ function authenticateConnectorInMemory(input) {
 	});
 }
 async function authenticateConnectorInDb(input) {
-	const { connectors } = getConnectorTables(input.db);
 	const [connector] = await input.db.select({
 		authTokenHash: connectors.authTokenHash,
 		connectorId: connectors.connectorId,
@@ -124924,7 +124869,6 @@ async function sleepUnlessAborted(input) {
 	});
 }
 async function expireConnectorJobIfPending(input) {
-	const { connectorJobs } = getConnectorTables(input.db);
 	await input.db.update(connectorJobs).set({
 		completedAt: input.now,
 		status: "expired",
@@ -124932,7 +124876,6 @@ async function expireConnectorJobIfPending(input) {
 	}).where(and(eq(connectorJobs.jobId, input.jobId), or(eq(connectorJobs.status, "queued"), eq(connectorJobs.status, "leased"))));
 }
 async function waitForConnectorJobOutcomeInDb(input) {
-	const { connectorJobs } = getConnectorTables(input.db);
 	const startedAt = Date.now();
 	while (Date.now() - startedAt <= input.waitTimeoutMs) {
 		const [job] = await input.db.select({
@@ -124965,7 +124908,6 @@ async function waitForConnectorJobOutcomeInDb(input) {
 	}));
 }
 async function claimNextQueuedJobInDb(input) {
-	const { connectorJobs } = getConnectorTables(input.db);
 	while (true) {
 		const [candidate] = await input.db.select({
 			database: connectorJobs.database,
@@ -125014,7 +124956,6 @@ function assertJobMutationAllowedInMemory(input) {
 }
 async function assertJobMutationAllowedInDb(request) {
 	const db = resolveBrokerDb(request.db);
-	const { connectorJobs } = getConnectorTables(db);
 	const auth = await authenticateConnectorInDb({
 		authToken: request.authToken,
 		connectorId: request.connectorId,
@@ -125039,7 +124980,6 @@ async function findConnectorIdByAuthToken(input) {
 		return matchedConnectorId === null ? U$1.err(new ConnectorBrokerError("Invalid connector token", 401)) : U$1.ok(matchedConnectorId);
 	}
 	const db = resolveBrokerDb(input.db);
-	const { connectors } = getConnectorTables(db);
 	const authTokenHash = await hashAuthToken(input.authToken);
 	const [connector] = await db.select({ connectorId: connectors.connectorId }).from(connectors).where(eq(connectors.authTokenHash, authTokenHash)).limit(1);
 	if (!connector?.connectorId) return U$1.err(new ConnectorBrokerError("Invalid connector token", 401));
@@ -125069,7 +125009,6 @@ async function registerConnector(input) {
 		};
 	}
 	const db = resolveBrokerDb(input.db);
-	const { connectors } = getConnectorTables(db);
 	const connectorId = generateConnectorId();
 	const authToken = generateConnectorAuthToken();
 	const authTokenHash = await hashAuthToken(authToken);
@@ -125096,9 +125035,7 @@ async function ensureConnectorOrganization(input) {
 		if (connector.organizationId !== input.organizationId) return U$1.err(new ConnectorBrokerError("Connector belongs to a different organization", 403));
 		return U$1.ok(void 0);
 	}
-	const db = resolveBrokerDb(input.db);
-	const { connectors } = getConnectorTables(db);
-	const [connector] = await db.select({ organizationId: connectors.organizationId }).from(connectors).where(eq(connectors.connectorId, input.connectorId)).limit(1);
+	const [connector] = await resolveBrokerDb(input.db).select({ organizationId: connectors.organizationId }).from(connectors).where(eq(connectors.connectorId, input.connectorId)).limit(1);
 	if (!connector) return U$1.err(new ConnectorBrokerError("Connector not found", 404));
 	if (connector.organizationId !== input.organizationId) return U$1.err(new ConnectorBrokerError("Connector belongs to a different organization", 403));
 	return U$1.ok(void 0);
@@ -125121,7 +125058,6 @@ async function recordConnectorHeartbeat(input) {
 		return U$1.ok(void 0);
 	}
 	const db = resolveBrokerDb(input.db);
-	const { connectors } = getConnectorTables(db);
 	const auth = await authenticateConnectorInDb({
 		authToken: input.authToken,
 		connectorId: input.connectorId,
@@ -125173,7 +125109,6 @@ async function pollConnectorJob(input) {
 		return U$1.ok(nextJob);
 	}
 	const db = resolveBrokerDb(input.db);
-	const { connectors } = getConnectorTables(db);
 	const auth = await authenticateConnectorInDb({
 		authToken: input.authToken,
 		connectorId: input.connectorId,
@@ -125246,7 +125181,6 @@ async function queueConnectorAthenaJob(input) {
 	});
 	if (organizationCheck.isErr()) return U$1.err(organizationCheck.error);
 	const now = /* @__PURE__ */ new Date();
-	const { connectorJobs } = getConnectorTables(db);
 	const jobId = generateJobId();
 	await db.insert(connectorJobs).values({
 		connectorId: input.connectorId,
@@ -125287,7 +125221,6 @@ async function submitConnectorJobResult(input) {
 	const prepared = await assertJobMutationAllowedInDb(input);
 	if (prepared.isErr()) return U$1.err(prepared.error);
 	const db = resolveBrokerDb(input.db);
-	const { connectorJobs } = getConnectorTables(db);
 	const now = /* @__PURE__ */ new Date();
 	const [updated] = await db.update(connectorJobs).set({
 		completedAt: now,
@@ -125319,7 +125252,6 @@ async function submitConnectorJobError(input) {
 	const prepared = await assertJobMutationAllowedInDb(input);
 	if (prepared.isErr()) return U$1.err(prepared.error);
 	const db = resolveBrokerDb(input.db);
-	const { connectorJobs } = getConnectorTables(db);
 	const now = /* @__PURE__ */ new Date();
 	const [updated] = await db.update(connectorJobs).set({
 		completedAt: now,
@@ -154089,7 +154021,6 @@ async function runCliExecuteSqlEffect(input) {
 	};
 }
 async function runCliPersistQueryUsageEffect(input) {
-	const { dataSources } = getDatabaseSchema(input.db);
 	const persisted = await U$1.tryPromise(async () => {
 		await input.db.update(dataSources).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(eq(dataSources.id, input.effect.sourceId));
 	});
@@ -251504,7 +251435,6 @@ function normalizeSourceDisplayName(value) {
 //#endregion
 //#region packages/cli-server/src/source/effects.ts
 async function runCliListSourcesEffect(input) {
-	const { dataSources } = getDatabaseSchema(input.db);
 	return {
 		kind: "sources_loaded",
 		sources: (await input.db.query.dataSources.findMany({
@@ -251522,7 +251452,6 @@ async function runCliListSourcesEffect(input) {
 	};
 }
 async function runCliLoadSourceEffect(input) {
-	const { dataSources } = getDatabaseSchema(input.db);
 	const row = await input.db.query.dataSources.findFirst({
 		columns: {
 			id: true,
@@ -251544,7 +251473,6 @@ async function runCliLoadSourceEffect(input) {
 	};
 }
 async function runCliConnectSourceEffect(input) {
-	const { dataSources } = getDatabaseSchema(input.db);
 	const encrypted = encryptCredentialsObject(input.effect.credentials, input.masterEncryptionKey);
 	const [inserted] = await input.db.insert(dataSources).values({
 		credentialsEncrypted: encrypted.ciphertext,
@@ -251587,7 +251515,6 @@ async function runCliTestSourceEffect(input) {
 	if (preparedCredentials.isErr()) {
 		const latencyMs = 0;
 		const now = /* @__PURE__ */ new Date();
-		const { dataSources } = getDatabaseSchema(input.db);
 		await input.db.update(dataSources).set({
 			errorMessage: preparedCredentials.error.message,
 			lastUsedAt: now,
@@ -251608,7 +251535,6 @@ async function runCliTestSourceEffect(input) {
 	}));
 	if (serialized.kind === "unsupported") return serialized;
 	const now = /* @__PURE__ */ new Date();
-	const { dataSources } = getDatabaseSchema(input.db);
 	await input.db.update(dataSources).set({
 		errorMessage: serialized.result.success ? null : serialized.result.error,
 		lastUsedAt: now,
@@ -254533,7 +254459,469 @@ let SourceApiActionFailureCode = /* @__PURE__ */ function(SourceApiActionFailure
 */
 const SourceApiActionFailureCodeSchema = enumDesc(file_onequery_workflow_v1_source_api_action, 6);
 //#endregion
-//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec.ts
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/enums.ts
+function toWorkflowSourceProvider(provider) {
+	switch (provider) {
+		case "postgres": return WorkflowSourceProvider.POSTGRES;
+		case "supabase": return WorkflowSourceProvider.SUPABASE;
+		case "mysql": return WorkflowSourceProvider.MYSQL;
+		case "mongodb": return WorkflowSourceProvider.MONGODB;
+		case "bigquery": return WorkflowSourceProvider.BIGQUERY;
+		case "laminar": return WorkflowSourceProvider.LAMINAR;
+		case "aws_athena_connector": return WorkflowSourceProvider.AWS_ATHENA_CONNECTOR;
+		case "ga": return WorkflowSourceProvider.GOOGLE_ANALYTICS;
+		case "amplitude": return WorkflowSourceProvider.AMPLITUDE;
+		case "mixpanel": return WorkflowSourceProvider.MIXPANEL;
+		case "posthog": return WorkflowSourceProvider.POSTHOG;
+		case "sentry": return WorkflowSourceProvider.SENTRY;
+		case "github": return WorkflowSourceProvider.GITHUB;
+		case "linear": return WorkflowSourceProvider.LINEAR;
+		default: return assertNever$4(provider);
+	}
+}
+function fromWorkflowSourceProvider(provider) {
+	switch (provider) {
+		case WorkflowSourceProvider.POSTGRES: return "postgres";
+		case WorkflowSourceProvider.SUPABASE: return "supabase";
+		case WorkflowSourceProvider.MYSQL: return "mysql";
+		case WorkflowSourceProvider.MONGODB: return "mongodb";
+		case WorkflowSourceProvider.BIGQUERY: return "bigquery";
+		case WorkflowSourceProvider.LAMINAR: return "laminar";
+		case WorkflowSourceProvider.AWS_ATHENA_CONNECTOR: return "aws_athena_connector";
+		case WorkflowSourceProvider.GOOGLE_ANALYTICS: return "ga";
+		case WorkflowSourceProvider.AMPLITUDE: return "amplitude";
+		case WorkflowSourceProvider.MIXPANEL: return "mixpanel";
+		case WorkflowSourceProvider.POSTHOG: return "posthog";
+		case WorkflowSourceProvider.SENTRY: return "sentry";
+		case WorkflowSourceProvider.GITHUB: return "github";
+		case WorkflowSourceProvider.LINEAR: return "linear";
+		case WorkflowSourceProvider.UNSPECIFIED: throw new Error("workflow source provider is unspecified");
+		default: throw new Error(`unsupported workflow source provider: ${provider}`);
+	}
+}
+function toSourceApiRequestKind(kind) {
+	switch (kind) {
+		case "describe": return SourceApiActionRequestKind.DESCRIBE;
+		case "invoke": return SourceApiActionRequestKind.INVOKE;
+		default: return assertNever$4(kind);
+	}
+}
+function fromSourceApiRequestKind(kind) {
+	switch (kind) {
+		case SourceApiActionRequestKind.DESCRIBE: return "describe";
+		case SourceApiActionRequestKind.INVOKE: return "invoke";
+		case SourceApiActionRequestKind.UNSPECIFIED: throw new Error("source api request kind is unspecified");
+		default: throw new Error(`unsupported source api request kind: ${kind}`);
+	}
+}
+function toSourceApiInvokeMode(mode) {
+	switch (mode) {
+		case "preview_only": return SourceApiActionInvokeMode.PREVIEW_ONLY;
+		case "execute": return SourceApiActionInvokeMode.EXECUTE;
+		default: return assertNever$4(mode);
+	}
+}
+function fromSourceApiInvokeMode(mode) {
+	switch (mode) {
+		case SourceApiActionInvokeMode.PREVIEW_ONLY: return "preview_only";
+		case SourceApiActionInvokeMode.EXECUTE: return "execute";
+		case SourceApiActionInvokeMode.UNSPECIFIED: throw new Error("source api invoke mode is unspecified");
+		default: throw new Error(`unsupported source api invoke mode: ${mode}`);
+	}
+}
+function toSourceApiOperationKind(kind) {
+	switch (kind) {
+		case "http_request": return SourceApiActionOperationKind.HTTP_REQUEST;
+		case "structured_request": return SourceApiActionOperationKind.STRUCTURED_REQUEST;
+		default: return assertNever$4(kind);
+	}
+}
+function fromSourceApiOperationKind(kind) {
+	switch (kind) {
+		case SourceApiActionOperationKind.HTTP_REQUEST: return "http_request";
+		case SourceApiActionOperationKind.STRUCTURED_REQUEST: return "structured_request";
+		case SourceApiActionOperationKind.UNSPECIFIED: throw new Error("source api operation kind is unspecified");
+		default: throw new Error(`unsupported source api operation kind: ${kind}`);
+	}
+}
+function toSourceApiSelectorKind(kind) {
+	switch (kind) {
+		case "none": return SourceApiActionSelectorKind.NONE;
+		case "path": return SourceApiActionSelectorKind.PATH;
+		case "identifier": return SourceApiActionSelectorKind.IDENTIFIER;
+		default: return assertNever$4(kind);
+	}
+}
+function fromSourceApiSelectorKind(kind) {
+	switch (kind) {
+		case SourceApiActionSelectorKind.NONE: return "none";
+		case SourceApiActionSelectorKind.PATH: return "path";
+		case SourceApiActionSelectorKind.IDENTIFIER: return "identifier";
+		case SourceApiActionSelectorKind.UNSPECIFIED: throw new Error("source api selector kind is unspecified");
+		default: throw new Error(`unsupported source api selector kind: ${kind}`);
+	}
+}
+function toSourceApiPaginationPolicy(policy) {
+	switch (policy) {
+		case "none": return SourceApiActionPaginationPolicy.NONE;
+		case "continuation_token": return SourceApiActionPaginationPolicy.CONTINUATION_TOKEN;
+		default: return assertNever$4(policy);
+	}
+}
+function fromSourceApiPaginationPolicy(policy) {
+	switch (policy) {
+		case SourceApiActionPaginationPolicy.NONE: return "none";
+		case SourceApiActionPaginationPolicy.CONTINUATION_TOKEN: return "continuation_token";
+		case SourceApiActionPaginationPolicy.UNSPECIFIED: throw new Error("source api pagination policy is unspecified");
+		default: throw new Error(`unsupported source api pagination policy: ${policy}`);
+	}
+}
+function toSourceApiInputMode(mode) {
+	switch (mode) {
+		case "none": return SourceApiActionInputMode.NONE;
+		case "request_object": return SourceApiActionInputMode.REQUEST_OBJECT;
+		case "request_body": return SourceApiActionInputMode.REQUEST_BODY;
+		default: return assertNever$4(mode);
+	}
+}
+function fromSourceApiInputMode(mode) {
+	switch (mode) {
+		case SourceApiActionInputMode.NONE: return "none";
+		case SourceApiActionInputMode.REQUEST_OBJECT: return "request_object";
+		case SourceApiActionInputMode.REQUEST_BODY: return "request_body";
+		case SourceApiActionInputMode.UNSPECIFIED: throw new Error("source api input mode is unspecified");
+		default: throw new Error(`unsupported source api input mode: ${mode}`);
+	}
+}
+function toSourceApiFailureCode(code) {
+	switch (code) {
+		case "source_not_found": return SourceApiActionFailureCode.SOURCE_NOT_FOUND;
+		case "descriptor_unavailable": return SourceApiActionFailureCode.DESCRIPTOR_UNAVAILABLE;
+		case "invalid_request": return SourceApiActionFailureCode.INVALID_REQUEST;
+		case "permission_denied": return SourceApiActionFailureCode.PERMISSION_DENIED;
+		case "request_timed_out": return SourceApiActionFailureCode.REQUEST_TIMED_OUT;
+		case "execution_failed": return SourceApiActionFailureCode.EXECUTION_FAILED;
+		case "execution_state_invalid": return SourceApiActionFailureCode.EXECUTION_STATE_INVALID;
+		default: return assertNever$4(code);
+	}
+}
+function fromDescriptorResolutionFailureCode(code) {
+	switch (code) {
+		case SourceApiActionFailureCode.DESCRIPTOR_UNAVAILABLE: return "descriptor_unavailable";
+		case SourceApiActionFailureCode.PERMISSION_DENIED: return "permission_denied";
+		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
+		default: throw new Error(`unsupported descriptor resolution failure code: ${code}`);
+	}
+}
+function fromRequestPreparationFailureCode(code) {
+	switch (code) {
+		case SourceApiActionFailureCode.INVALID_REQUEST: return "invalid_request";
+		case SourceApiActionFailureCode.PERMISSION_DENIED: return "permission_denied";
+		case SourceApiActionFailureCode.EXECUTION_STATE_INVALID: return "execution_state_invalid";
+		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
+		default: throw new Error(`unsupported request preparation failure code: ${code}`);
+	}
+}
+function fromPageFetchFailureCode(code) {
+	switch (code) {
+		case SourceApiActionFailureCode.INVALID_REQUEST: return "invalid_request";
+		case SourceApiActionFailureCode.REQUEST_TIMED_OUT: return "request_timed_out";
+		case SourceApiActionFailureCode.EXECUTION_FAILED: return "execution_failed";
+		case SourceApiActionFailureCode.EXECUTION_STATE_INVALID: return "execution_state_invalid";
+		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
+		default: throw new Error(`unsupported page fetch failure code: ${code}`);
+	}
+}
+//#endregion
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/shared.ts
+function assertMatchingPayloadType(expected, actual) {
+	if (expected !== actual) throw new Error(`stored scalar payload type '${expected}' does not match protobuf payload type '${actual}'`);
+}
+function requireMessage(value, fieldName) {
+	if (value === void 0) throw new Error(`missing required protobuf field: ${fieldName}`);
+	return value;
+}
+//#endregion
+//#region packages/server/src/source-api/helpers/header-policy.ts
+function canonicalizeSourceApiHeaderName(name) {
+	return name.trim().toLowerCase();
+}
+function canonicalizeSourceApiHeaderNames(names) {
+	const canonicalNames = /* @__PURE__ */ new Set();
+	for (const name of names) canonicalNames.add(canonicalizeSourceApiHeaderName(name));
+	return [...canonicalNames];
+}
+function canonicalizeSourceApiHeaderPolicy(policy) {
+	return {
+		allowedRequestHeaders: canonicalizeSourceApiHeaderNames(policy.allowedRequestHeaders),
+		allowedResponseHeaders: canonicalizeSourceApiHeaderNames(policy.allowedResponseHeaders)
+	};
+}
+function canonicalizeSourceApiOperationHeaderPolicy(operation) {
+	return {
+		...operation,
+		headerPolicy: canonicalizeSourceApiHeaderPolicy(operation.headerPolicy)
+	};
+}
+function canonicalizeSourceApiDescriptorHeaderPolicies(descriptor) {
+	return {
+		...descriptor,
+		operations: descriptor.operations.map(canonicalizeSourceApiOperationHeaderPolicy)
+	};
+}
+//#endregion
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/source-api-value-codec.ts
+function toSourceApiSourceDescriptorMessage(source) {
+	return create(SourceApiActionSourceDescriptorSchema, {
+		...source.displayName === null ? {} : { displayName: source.displayName },
+		provider: toWorkflowSourceProvider(source.provider),
+		sourceId: source.sourceId,
+		sourceKey: source.sourceKey
+	});
+}
+function fromSourceApiSourceDescriptorMessage(source) {
+	const value = requireMessage(source, "source");
+	return {
+		displayName: isFieldSet(value, SourceApiActionSourceDescriptorSchema.field.displayName) ? value.displayName : null,
+		provider: fromWorkflowSourceProvider(value.provider),
+		sourceId: value.sourceId,
+		sourceKey: value.sourceKey
+	};
+}
+function toSourceApiRequestDescriptorMessage(descriptor) {
+	return create(SourceApiActionRequestDescriptorSchema, {
+		...descriptor.descriptorVersion === null ? {} : { descriptorVersion: descriptor.descriptorVersion },
+		...descriptor.kind === null ? {} : { kind: toSourceApiOperationKind(descriptor.kind) },
+		...descriptor.method === null ? {} : { method: descriptor.method },
+		operation: descriptor.operation,
+		...descriptor.paginationPolicy === null ? {} : { paginationPolicy: toSourceApiPaginationPolicy(descriptor.paginationPolicy) },
+		...descriptor.selector === null ? {} : { selector: descriptor.selector }
+	});
+}
+function fromSourceApiRequestDescriptorMessage(descriptor) {
+	const value = requireMessage(descriptor, "request_descriptor");
+	return {
+		descriptorVersion: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.descriptorVersion) ? value.descriptorVersion : null,
+		kind: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.kind) ? fromSourceApiOperationKind(value.kind) : null,
+		method: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.method) ? value.method : null,
+		operation: value.operation,
+		paginationPolicy: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.paginationPolicy) ? fromSourceApiPaginationPolicy(value.paginationPolicy) : null,
+		selector: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.selector) ? value.selector : null
+	};
+}
+function toSourceApiDescriptorMessage(descriptor) {
+	return create(SourceApiActionDescriptorSchema, {
+		...descriptor.defaultPathOperation === void 0 ? {} : { defaultPathOperation: descriptor.defaultPathOperation },
+		descriptorVersion: descriptor.descriptorVersion,
+		examples: descriptor.examples.map(toSourceApiExampleMessage),
+		notes: [...descriptor.notes],
+		operations: descriptor.operations.map(toSourceApiOperationMessage),
+		source: create(SourceApiActionDescriptorSourceSchema, {
+			...descriptor.source.displayName === void 0 || descriptor.source.displayName === null ? {} : { displayName: descriptor.source.displayName },
+			provider: toWorkflowSourceProvider(descriptor.source.provider),
+			sourceKey: descriptor.source.sourceKey
+		})
+	});
+}
+function fromSourceApiDescriptorMessage(descriptor) {
+	const value = requireMessage(descriptor, "descriptor");
+	const source = requireMessage(value.source, "source");
+	return {
+		...isFieldSet(value, SourceApiActionDescriptorSchema.field.defaultPathOperation) ? { defaultPathOperation: value.defaultPathOperation } : {},
+		descriptorVersion: value.descriptorVersion,
+		examples: value.examples.map(fromSourceApiExampleMessage),
+		notes: [...value.notes],
+		operations: value.operations.map(fromSourceApiOperationMessage),
+		source: {
+			...isFieldSet(source, SourceApiActionDescriptorSourceSchema.field.displayName) ? { displayName: source.displayName } : {},
+			provider: fromWorkflowSourceProvider(source.provider),
+			sourceKey: source.sourceKey
+		}
+	};
+}
+function toSourceApiOperationMessage(operation) {
+	return create(SourceApiActionOperationSchema, {
+		description: operation.description,
+		examples: operation.examples.map(toSourceApiExampleMessage),
+		fieldPolicy: toSourceApiFieldPolicyMessage(operation.fieldPolicy),
+		headerPolicy: toSourceApiHeaderPolicyMessage(operation.headerPolicy),
+		kind: toSourceApiOperationKind(operation.kind),
+		methodPolicy: toSourceApiMethodPolicyMessage(operation.methodPolicy),
+		name: operation.name,
+		notes: [...operation.notes],
+		paginationPolicy: toSourceApiPaginationPolicy(operation.paginationPolicy),
+		...operation.selectorLabel === void 0 ? {} : { selectorLabel: operation.selectorLabel },
+		selectorKind: toSourceApiSelectorKind(operation.selectorKind),
+		summary: operation.summary
+	});
+}
+function fromSourceApiOperationMessage(operation) {
+	return {
+		description: operation.description,
+		examples: operation.examples.map(fromSourceApiExampleMessage),
+		fieldPolicy: fromSourceApiFieldPolicyMessage(operation.fieldPolicy),
+		headerPolicy: fromSourceApiHeaderPolicyMessage(operation.headerPolicy),
+		kind: fromSourceApiOperationKind(operation.kind),
+		methodPolicy: fromSourceApiMethodPolicyMessage(operation.methodPolicy),
+		name: operation.name,
+		notes: [...operation.notes],
+		paginationPolicy: fromSourceApiPaginationPolicy(operation.paginationPolicy),
+		...isFieldSet(operation, SourceApiActionOperationSchema.field.selectorLabel) ? { selectorLabel: operation.selectorLabel } : {},
+		selectorKind: fromSourceApiSelectorKind(operation.selectorKind),
+		summary: operation.summary
+	};
+}
+function toSourceApiMethodPolicyMessage(policy) {
+	return create(SourceApiActionMethodPolicySchema, {
+		allowedMethods: [...policy.allowedMethods],
+		...policy.defaultMethod === void 0 ? {} : { defaultMethod: policy.defaultMethod }
+	});
+}
+function fromSourceApiMethodPolicyMessage(policy) {
+	const value = requireMessage(policy, "method_policy");
+	return {
+		allowedMethods: [...value.allowedMethods],
+		...isFieldSet(value, SourceApiActionMethodPolicySchema.field.defaultMethod) ? { defaultMethod: value.defaultMethod } : {}
+	};
+}
+function toSourceApiFieldPolicyMessage(policy) {
+	return create(SourceApiActionFieldPolicySchema, {
+		acceptsInput: policy.acceptsInput,
+		allowsRawFields: policy.allowsRawFields,
+		allowsTypedFields: policy.allowsTypedFields,
+		inputMode: toSourceApiInputMode(policy.inputMode),
+		mergePatches: policy.mergePatches,
+		supportsArrayPaths: policy.supportsArrayPaths,
+		supportsNestedPaths: policy.supportsNestedPaths
+	});
+}
+function fromSourceApiFieldPolicyMessage(policy) {
+	const value = requireMessage(policy, "field_policy");
+	return {
+		acceptsInput: value.acceptsInput,
+		allowsRawFields: value.allowsRawFields,
+		allowsTypedFields: value.allowsTypedFields,
+		inputMode: fromSourceApiInputMode(value.inputMode),
+		mergePatches: value.mergePatches,
+		supportsArrayPaths: value.supportsArrayPaths,
+		supportsNestedPaths: value.supportsNestedPaths
+	};
+}
+function toSourceApiHeaderPolicyMessage(policy) {
+	return create(SourceApiActionHeaderPolicySchema, {
+		allowedRequestHeaderNames: canonicalizeSourceApiHeaderNames(policy.allowedRequestHeaders),
+		allowedResponseHeaderNames: canonicalizeSourceApiHeaderNames(policy.allowedResponseHeaders)
+	});
+}
+function fromSourceApiHeaderPolicyMessage(policy) {
+	const value = requireMessage(policy, "header_policy");
+	return {
+		allowedRequestHeaders: [...value.allowedRequestHeaderNames],
+		allowedResponseHeaders: [...value.allowedResponseHeaderNames]
+	};
+}
+function toSourceApiExampleMessage(example) {
+	return create(SourceApiActionExampleSchema, {
+		command: example.command,
+		...example.description === void 0 ? {} : { description: example.description },
+		label: example.label
+	});
+}
+function fromSourceApiExampleMessage(example) {
+	return {
+		command: example.command,
+		...isFieldSet(example, SourceApiActionExampleSchema.field.description) ? { description: example.description } : {},
+		label: example.label
+	};
+}
+function toSourceApiExecutionResultMessage(result) {
+	return create(SourceApiActionExecutionResultSchema, {
+		body: toSourceApiExecutionBodyMessage(result.body),
+		contentType: result.contentType,
+		headers: result.headers.map((header) => create(WorkflowSourceHeaderSchema, {
+			name: header.name,
+			value: header.value
+		})),
+		...result.nextContinuationState === void 0 ? {} : { nextContinuationState: fromJson(ValueSchema, result.nextContinuationState) },
+		operation: result.operation,
+		...result.selector === void 0 ? {} : { selector: result.selector },
+		httpStatus: result.status,
+		source: toSourceApiExecutionSourceMessage(result.source)
+	});
+}
+function fromSourceApiExecutionResultMessage(result) {
+	const value = requireMessage(result, "execution_result");
+	return {
+		body: fromSourceApiExecutionBodyMessage(value.body),
+		contentType: value.contentType,
+		headers: value.headers.map((header) => ({
+			name: header.name,
+			value: header.value
+		})),
+		...value.nextContinuationState === void 0 ? {} : { nextContinuationState: toJson(ValueSchema, value.nextContinuationState) },
+		operation: value.operation,
+		...isFieldSet(value, SourceApiActionExecutionResultSchema.field.selector) ? { selector: value.selector } : {},
+		source: fromSourceApiExecutionSourceMessage(value.source),
+		status: value.httpStatus
+	};
+}
+function toSourceApiExecutionSourceMessage(source) {
+	return create(SourceApiActionExecutionSourceSchema, {
+		...source.displayName === void 0 || source.displayName === null ? {} : { displayName: source.displayName },
+		provider: toWorkflowSourceProvider(source.provider),
+		sourceKey: source.sourceKey
+	});
+}
+function fromSourceApiExecutionSourceMessage(source) {
+	const value = requireMessage(source, "source");
+	return {
+		...isFieldSet(value, SourceApiActionExecutionSourceSchema.field.displayName) ? { displayName: value.displayName } : {},
+		provider: fromWorkflowSourceProvider(value.provider),
+		sourceKey: value.sourceKey
+	};
+}
+function toSourceApiExecutionBodyMessage(body) {
+	switch (body.kind) {
+		case "none": return {
+			case: "none",
+			value: create(SourceApiActionEmptyBodySchema)
+		};
+		case "json": return {
+			case: "json",
+			value: fromJson(ValueSchema, body.value)
+		};
+		case "text": return {
+			case: "text",
+			value: body.value
+		};
+		case "binary": return {
+			case: "binary",
+			value: body.value
+		};
+		default: return assertNever$4(body);
+	}
+}
+function fromSourceApiExecutionBodyMessage(body) {
+	switch (body.case) {
+		case "none": return { kind: "none" };
+		case "json": return {
+			kind: "json",
+			value: toJson(ValueSchema, body.value)
+		};
+		case "text": return {
+			kind: "text",
+			value: body.value
+		};
+		case "binary": return {
+			kind: "binary",
+			value: new Uint8Array(body.value)
+		};
+		case void 0: throw new Error("source api execution result body missing oneof case");
+		default: return assertNever$4(body);
+	}
+}
+//#endregion
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/command-payload.ts
 init_dist$3();
 function encodeSourceApiActionCommandPayload(payload) {
 	return encodeWorkflowPayload(SourceApiActionCommandPayloadSchema, toSourceApiActionCommandMessage(payload));
@@ -254583,46 +254971,6 @@ function decodeSourceApiActionCommandPayload(bytes, context) {
 		return fromSourceApiActionCommandMessage(decoded.value);
 	});
 }
-function encodeSourceApiActionEventPayload(event) {
-	return encodeWorkflowPayload(SourceApiActionEventPayloadSchema, toSourceApiActionEventMessage(event));
-}
-function decodeSourceApiActionEventPayload(bytes, context) {
-	const decoded = decodeWorkflowPayload(SourceApiActionEventPayloadSchema, bytes, {
-		...context,
-		entity: "source_api_action_event_payload",
-		family: "source_api_action"
-	});
-	if (decoded.isErr()) return U$1.err(decoded.error);
-	return convertWorkflowPayload({
-		...context,
-		entity: "source_api_action_event_payload",
-		family: "source_api_action"
-	}, () => {
-		const event = fromSourceApiActionEventMessage(decoded.value);
-		assertMatchingPayloadType(context.payloadType, event.type);
-		return event;
-	});
-}
-function encodeSourceApiActionEffectPayload(effect) {
-	return encodeWorkflowPayload(SourceApiActionEffectPayloadSchema, toSourceApiActionEffectMessage(effect));
-}
-function decodeSourceApiActionEffectPayload(bytes, context) {
-	const decoded = decodeWorkflowPayload(SourceApiActionEffectPayloadSchema, bytes, {
-		...context,
-		entity: "source_api_action_effect_payload",
-		family: "source_api_action"
-	});
-	if (decoded.isErr()) return U$1.err(decoded.error);
-	return convertWorkflowPayload({
-		...context,
-		entity: "source_api_action_effect_payload",
-		family: "source_api_action"
-	}, () => {
-		const effect = fromSourceApiActionEffectMessage(decoded.value);
-		assertMatchingPayloadType(context.payloadType, effect.type);
-		return effect;
-	});
-}
 function toSourceApiActionCommandMessage(payload) {
 	switch (payload.type) {
 		case "start_describe": return create(SourceApiActionCommandPayloadSchema, { command: {
@@ -254815,6 +255163,113 @@ function getSourceApiActionCommandPayloadTypeFromOneofCase(oneofCase) {
 		default: return assertNever$4(oneofCase);
 	}
 }
+//#endregion
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/effect-payload.ts
+init_dist$3();
+function encodeSourceApiActionEffectPayload(effect) {
+	return encodeWorkflowPayload(SourceApiActionEffectPayloadSchema, toSourceApiActionEffectMessage(effect));
+}
+function decodeSourceApiActionEffectPayload(bytes, context) {
+	const decoded = decodeWorkflowPayload(SourceApiActionEffectPayloadSchema, bytes, {
+		...context,
+		entity: "source_api_action_effect_payload",
+		family: "source_api_action"
+	});
+	if (decoded.isErr()) return U$1.err(decoded.error);
+	return convertWorkflowPayload({
+		...context,
+		entity: "source_api_action_effect_payload",
+		family: "source_api_action"
+	}, () => {
+		const effect = fromSourceApiActionEffectMessage(decoded.value);
+		assertMatchingPayloadType(context.payloadType, effect.type);
+		return effect;
+	});
+}
+function toSourceApiActionEffectMessage(effect) {
+	switch (effect.type) {
+		case "load_source": return create(SourceApiActionEffectPayloadSchema, { effect: {
+			case: "loadSource",
+			value: create(SourceApiActionLoadSourceEffectSchema, {
+				organizationId: effect.organizationId,
+				sourceKey: effect.sourceKey
+			})
+		} });
+		case "resolve_descriptor": return create(SourceApiActionEffectPayloadSchema, { effect: {
+			case: "resolveDescriptor",
+			value: create(SourceApiActionResolveDescriptorEffectSchema, { source: toSourceApiSourceDescriptorMessage(effect.source) })
+		} });
+		case "prepare_request": return create(SourceApiActionEffectPayloadSchema, { effect: {
+			case: "prepareRequest",
+			value: create(SourceApiActionPrepareRequestEffectSchema, {
+				requestDescriptor: toSourceApiRequestDescriptorMessage(effect.requestDescriptor),
+				source: toSourceApiSourceDescriptorMessage(effect.source)
+			})
+		} });
+		case "execute_page": return create(SourceApiActionEffectPayloadSchema, { effect: {
+			case: "executePage",
+			value: create(SourceApiActionExecutePageEffectSchema, {
+				attemptNumber: effect.attemptNumber,
+				pageIndex: effect.pageIndex,
+				preparedRequestFingerprint: effect.preparedRequestFingerprint,
+				requestDescriptor: toSourceApiRequestDescriptorMessage(effect.requestDescriptor),
+				source: toSourceApiSourceDescriptorMessage(effect.source)
+			})
+		} });
+		default: return assertNever$4(effect);
+	}
+}
+function fromSourceApiActionEffectMessage(payload) {
+	switch (payload.effect.case) {
+		case "loadSource": return {
+			organizationId: payload.effect.value.organizationId,
+			sourceKey: payload.effect.value.sourceKey,
+			type: "load_source"
+		};
+		case "resolveDescriptor": return {
+			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
+			type: "resolve_descriptor"
+		};
+		case "prepareRequest": return {
+			requestDescriptor: fromSourceApiRequestDescriptorMessage(payload.effect.value.requestDescriptor),
+			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
+			type: "prepare_request"
+		};
+		case "executePage": return {
+			attemptNumber: payload.effect.value.attemptNumber,
+			pageIndex: payload.effect.value.pageIndex,
+			preparedRequestFingerprint: payload.effect.value.preparedRequestFingerprint,
+			requestDescriptor: fromSourceApiRequestDescriptorMessage(payload.effect.value.requestDescriptor),
+			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
+			type: "execute_page"
+		};
+		case void 0: throw new Error("source api action effect payload missing oneof case");
+		default: return assertNever$4(payload.effect);
+	}
+}
+//#endregion
+//#region packages/cli-server/src/audit/source-api-action-family/protobuf-codec/event-payload.ts
+init_dist$3();
+function encodeSourceApiActionEventPayload(event) {
+	return encodeWorkflowPayload(SourceApiActionEventPayloadSchema, toSourceApiActionEventMessage(event));
+}
+function decodeSourceApiActionEventPayload(bytes, context) {
+	const decoded = decodeWorkflowPayload(SourceApiActionEventPayloadSchema, bytes, {
+		...context,
+		entity: "source_api_action_event_payload",
+		family: "source_api_action"
+	});
+	if (decoded.isErr()) return U$1.err(decoded.error);
+	return convertWorkflowPayload({
+		...context,
+		entity: "source_api_action_event_payload",
+		family: "source_api_action"
+	}, () => {
+		const event = fromSourceApiActionEventMessage(decoded.value);
+		assertMatchingPayloadType(context.payloadType, event.type);
+		return event;
+	});
+}
 function toSourceApiActionEventMessage(event) {
 	switch (event.type) {
 		case "action_received": return create(SourceApiActionEventPayloadSchema, { event: {
@@ -254941,495 +255396,6 @@ function fromSourceApiActionEventMessage(payload) {
 		default: return assertNever$4(payload.event);
 	}
 }
-function toSourceApiActionEffectMessage(effect) {
-	switch (effect.type) {
-		case "load_source": return create(SourceApiActionEffectPayloadSchema, { effect: {
-			case: "loadSource",
-			value: create(SourceApiActionLoadSourceEffectSchema, {
-				organizationId: effect.organizationId,
-				sourceKey: effect.sourceKey
-			})
-		} });
-		case "resolve_descriptor": return create(SourceApiActionEffectPayloadSchema, { effect: {
-			case: "resolveDescriptor",
-			value: create(SourceApiActionResolveDescriptorEffectSchema, { source: toSourceApiSourceDescriptorMessage(effect.source) })
-		} });
-		case "prepare_request": return create(SourceApiActionEffectPayloadSchema, { effect: {
-			case: "prepareRequest",
-			value: create(SourceApiActionPrepareRequestEffectSchema, {
-				requestDescriptor: toSourceApiRequestDescriptorMessage(effect.requestDescriptor),
-				source: toSourceApiSourceDescriptorMessage(effect.source)
-			})
-		} });
-		case "execute_page": return create(SourceApiActionEffectPayloadSchema, { effect: {
-			case: "executePage",
-			value: create(SourceApiActionExecutePageEffectSchema, {
-				attemptNumber: effect.attemptNumber,
-				pageIndex: effect.pageIndex,
-				preparedRequestFingerprint: effect.preparedRequestFingerprint,
-				requestDescriptor: toSourceApiRequestDescriptorMessage(effect.requestDescriptor),
-				source: toSourceApiSourceDescriptorMessage(effect.source)
-			})
-		} });
-		default: return assertNever$4(effect);
-	}
-}
-function fromSourceApiActionEffectMessage(payload) {
-	switch (payload.effect.case) {
-		case "loadSource": return {
-			organizationId: payload.effect.value.organizationId,
-			sourceKey: payload.effect.value.sourceKey,
-			type: "load_source"
-		};
-		case "resolveDescriptor": return {
-			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
-			type: "resolve_descriptor"
-		};
-		case "prepareRequest": return {
-			requestDescriptor: fromSourceApiRequestDescriptorMessage(payload.effect.value.requestDescriptor),
-			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
-			type: "prepare_request"
-		};
-		case "executePage": return {
-			attemptNumber: payload.effect.value.attemptNumber,
-			pageIndex: payload.effect.value.pageIndex,
-			preparedRequestFingerprint: payload.effect.value.preparedRequestFingerprint,
-			requestDescriptor: fromSourceApiRequestDescriptorMessage(payload.effect.value.requestDescriptor),
-			source: fromSourceApiSourceDescriptorMessage(payload.effect.value.source),
-			type: "execute_page"
-		};
-		case void 0: throw new Error("source api action effect payload missing oneof case");
-		default: return assertNever$4(payload.effect);
-	}
-}
-function toSourceApiSourceDescriptorMessage(source) {
-	return create(SourceApiActionSourceDescriptorSchema, {
-		...source.displayName === null ? {} : { displayName: source.displayName },
-		provider: toWorkflowSourceProvider(source.provider),
-		sourceId: source.sourceId,
-		sourceKey: source.sourceKey
-	});
-}
-function fromSourceApiSourceDescriptorMessage(source) {
-	const value = requireMessage(source, "source");
-	return {
-		displayName: isFieldSet(value, SourceApiActionSourceDescriptorSchema.field.displayName) ? value.displayName : null,
-		provider: fromWorkflowSourceProvider(value.provider),
-		sourceId: value.sourceId,
-		sourceKey: value.sourceKey
-	};
-}
-function toSourceApiRequestDescriptorMessage(descriptor) {
-	return create(SourceApiActionRequestDescriptorSchema, {
-		...descriptor.descriptorVersion === null ? {} : { descriptorVersion: descriptor.descriptorVersion },
-		...descriptor.kind === null ? {} : { kind: toSourceApiOperationKind(descriptor.kind) },
-		...descriptor.method === null ? {} : { method: descriptor.method },
-		operation: descriptor.operation,
-		...descriptor.paginationPolicy === null ? {} : { paginationPolicy: toSourceApiPaginationPolicy(descriptor.paginationPolicy) },
-		...descriptor.selector === null ? {} : { selector: descriptor.selector }
-	});
-}
-function fromSourceApiRequestDescriptorMessage(descriptor) {
-	const value = requireMessage(descriptor, "request_descriptor");
-	return {
-		descriptorVersion: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.descriptorVersion) ? value.descriptorVersion : null,
-		kind: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.kind) ? fromSourceApiOperationKind(value.kind) : null,
-		method: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.method) ? value.method : null,
-		operation: value.operation,
-		paginationPolicy: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.paginationPolicy) ? fromSourceApiPaginationPolicy(value.paginationPolicy) : null,
-		selector: isFieldSet(value, SourceApiActionRequestDescriptorSchema.field.selector) ? value.selector : null
-	};
-}
-function toSourceApiDescriptorMessage(descriptor) {
-	return create(SourceApiActionDescriptorSchema, {
-		...descriptor.defaultPathOperation === void 0 ? {} : { defaultPathOperation: descriptor.defaultPathOperation },
-		descriptorVersion: descriptor.descriptorVersion,
-		examples: descriptor.examples.map(toSourceApiExampleMessage),
-		notes: [...descriptor.notes],
-		operations: descriptor.operations.map(toSourceApiOperationMessage),
-		source: create(SourceApiActionDescriptorSourceSchema, {
-			...descriptor.source.displayName === void 0 || descriptor.source.displayName === null ? {} : { displayName: descriptor.source.displayName },
-			provider: toWorkflowSourceProvider(descriptor.source.provider),
-			sourceKey: descriptor.source.sourceKey
-		})
-	});
-}
-function fromSourceApiDescriptorMessage(descriptor) {
-	const value = requireMessage(descriptor, "descriptor");
-	const source = requireMessage(value.source, "source");
-	return {
-		...isFieldSet(value, SourceApiActionDescriptorSchema.field.defaultPathOperation) ? { defaultPathOperation: value.defaultPathOperation } : {},
-		descriptorVersion: value.descriptorVersion,
-		examples: value.examples.map(fromSourceApiExampleMessage),
-		notes: [...value.notes],
-		operations: value.operations.map(fromSourceApiOperationMessage),
-		source: {
-			...isFieldSet(source, SourceApiActionDescriptorSourceSchema.field.displayName) ? { displayName: source.displayName } : {},
-			provider: fromWorkflowSourceProvider(source.provider),
-			sourceKey: source.sourceKey
-		}
-	};
-}
-function toSourceApiOperationMessage(operation) {
-	return create(SourceApiActionOperationSchema, {
-		description: operation.description,
-		examples: operation.examples.map(toSourceApiExampleMessage),
-		fieldPolicy: toSourceApiFieldPolicyMessage(operation.fieldPolicy),
-		headerPolicy: toSourceApiHeaderPolicyMessage(operation.headerPolicy),
-		kind: toSourceApiOperationKind(operation.kind),
-		methodPolicy: toSourceApiMethodPolicyMessage(operation.methodPolicy),
-		name: operation.name,
-		notes: [...operation.notes],
-		paginationPolicy: toSourceApiPaginationPolicy(operation.paginationPolicy),
-		...operation.selectorLabel === void 0 ? {} : { selectorLabel: operation.selectorLabel },
-		selectorKind: toSourceApiSelectorKind(operation.selectorKind),
-		summary: operation.summary
-	});
-}
-function fromSourceApiOperationMessage(operation) {
-	return {
-		description: operation.description,
-		examples: operation.examples.map(fromSourceApiExampleMessage),
-		fieldPolicy: fromSourceApiFieldPolicyMessage(operation.fieldPolicy),
-		headerPolicy: fromSourceApiHeaderPolicyMessage(operation.headerPolicy),
-		kind: fromSourceApiOperationKind(operation.kind),
-		methodPolicy: fromSourceApiMethodPolicyMessage(operation.methodPolicy),
-		name: operation.name,
-		notes: [...operation.notes],
-		paginationPolicy: fromSourceApiPaginationPolicy(operation.paginationPolicy),
-		...isFieldSet(operation, SourceApiActionOperationSchema.field.selectorLabel) ? { selectorLabel: operation.selectorLabel } : {},
-		selectorKind: fromSourceApiSelectorKind(operation.selectorKind),
-		summary: operation.summary
-	};
-}
-function toSourceApiMethodPolicyMessage(policy) {
-	return create(SourceApiActionMethodPolicySchema, {
-		allowedMethods: [...policy.allowedMethods],
-		...policy.defaultMethod === void 0 ? {} : { defaultMethod: policy.defaultMethod }
-	});
-}
-function fromSourceApiMethodPolicyMessage(policy) {
-	const value = requireMessage(policy, "method_policy");
-	return {
-		allowedMethods: [...value.allowedMethods],
-		...isFieldSet(value, SourceApiActionMethodPolicySchema.field.defaultMethod) ? { defaultMethod: value.defaultMethod } : {}
-	};
-}
-function toSourceApiFieldPolicyMessage(policy) {
-	return create(SourceApiActionFieldPolicySchema, {
-		acceptsInput: policy.acceptsInput,
-		allowsRawFields: policy.allowsRawFields,
-		allowsTypedFields: policy.allowsTypedFields,
-		inputMode: toSourceApiInputMode(policy.inputMode),
-		mergePatches: policy.mergePatches,
-		supportsArrayPaths: policy.supportsArrayPaths,
-		supportsNestedPaths: policy.supportsNestedPaths
-	});
-}
-function fromSourceApiFieldPolicyMessage(policy) {
-	const value = requireMessage(policy, "field_policy");
-	return {
-		acceptsInput: value.acceptsInput,
-		allowsRawFields: value.allowsRawFields,
-		allowsTypedFields: value.allowsTypedFields,
-		inputMode: fromSourceApiInputMode(value.inputMode),
-		mergePatches: value.mergePatches,
-		supportsArrayPaths: value.supportsArrayPaths,
-		supportsNestedPaths: value.supportsNestedPaths
-	};
-}
-function toSourceApiHeaderPolicyMessage(policy) {
-	return create(SourceApiActionHeaderPolicySchema, {
-		allowedRequestHeaderNames: [...policy.allowedRequestHeaders],
-		allowedResponseHeaderNames: [...policy.allowedResponseHeaders]
-	});
-}
-function fromSourceApiHeaderPolicyMessage(policy) {
-	const value = requireMessage(policy, "header_policy");
-	return {
-		allowedRequestHeaders: [...value.allowedRequestHeaderNames],
-		allowedResponseHeaders: [...value.allowedResponseHeaderNames]
-	};
-}
-function toSourceApiExampleMessage(example) {
-	return create(SourceApiActionExampleSchema, {
-		command: example.command,
-		...example.description === void 0 ? {} : { description: example.description },
-		label: example.label
-	});
-}
-function fromSourceApiExampleMessage(example) {
-	return {
-		command: example.command,
-		...isFieldSet(example, SourceApiActionExampleSchema.field.description) ? { description: example.description } : {},
-		label: example.label
-	};
-}
-function toSourceApiExecutionResultMessage(result) {
-	return create(SourceApiActionExecutionResultSchema, {
-		body: toSourceApiExecutionBodyMessage(result.body),
-		contentType: result.contentType,
-		headers: result.headers.map((header) => create(WorkflowSourceHeaderSchema, {
-			name: header.name,
-			value: header.value
-		})),
-		...result.nextContinuationState === void 0 ? {} : { nextContinuationState: fromJson(ValueSchema, result.nextContinuationState) },
-		operation: result.operation,
-		...result.selector === void 0 ? {} : { selector: result.selector },
-		httpStatus: result.status,
-		source: toSourceApiExecutionSourceMessage(result.source)
-	});
-}
-function fromSourceApiExecutionResultMessage(result) {
-	const value = requireMessage(result, "execution_result");
-	return {
-		body: fromSourceApiExecutionBodyMessage(value.body),
-		contentType: value.contentType,
-		headers: value.headers.map((header) => ({
-			name: header.name,
-			value: header.value
-		})),
-		...value.nextContinuationState === void 0 ? {} : { nextContinuationState: toJson(ValueSchema, value.nextContinuationState) },
-		operation: value.operation,
-		...isFieldSet(value, SourceApiActionExecutionResultSchema.field.selector) ? { selector: value.selector } : {},
-		source: fromSourceApiExecutionSourceMessage(value.source),
-		status: value.httpStatus
-	};
-}
-function toSourceApiExecutionSourceMessage(source) {
-	return create(SourceApiActionExecutionSourceSchema, {
-		...source.displayName === void 0 || source.displayName === null ? {} : { displayName: source.displayName },
-		provider: toWorkflowSourceProvider(source.provider),
-		sourceKey: source.sourceKey
-	});
-}
-function fromSourceApiExecutionSourceMessage(source) {
-	const value = requireMessage(source, "source");
-	return {
-		...isFieldSet(value, SourceApiActionExecutionSourceSchema.field.displayName) ? { displayName: value.displayName } : {},
-		provider: fromWorkflowSourceProvider(value.provider),
-		sourceKey: value.sourceKey
-	};
-}
-function toSourceApiExecutionBodyMessage(body) {
-	switch (body.kind) {
-		case "none": return {
-			case: "none",
-			value: create(SourceApiActionEmptyBodySchema)
-		};
-		case "json": return {
-			case: "json",
-			value: fromJson(ValueSchema, body.value)
-		};
-		case "text": return {
-			case: "text",
-			value: body.value
-		};
-		case "binary": return {
-			case: "binary",
-			value: body.value
-		};
-		default: return assertNever$4(body);
-	}
-}
-function fromSourceApiExecutionBodyMessage(body) {
-	switch (body.case) {
-		case "none": return { kind: "none" };
-		case "json": return {
-			kind: "json",
-			value: toJson(ValueSchema, body.value)
-		};
-		case "text": return {
-			kind: "text",
-			value: body.value
-		};
-		case "binary": return {
-			kind: "binary",
-			value: new Uint8Array(body.value)
-		};
-		case void 0: throw new Error("source api execution result body missing oneof case");
-		default: return assertNever$4(body);
-	}
-}
-function toWorkflowSourceProvider(provider) {
-	switch (provider) {
-		case "postgres": return WorkflowSourceProvider.POSTGRES;
-		case "supabase": return WorkflowSourceProvider.SUPABASE;
-		case "mysql": return WorkflowSourceProvider.MYSQL;
-		case "mongodb": return WorkflowSourceProvider.MONGODB;
-		case "bigquery": return WorkflowSourceProvider.BIGQUERY;
-		case "laminar": return WorkflowSourceProvider.LAMINAR;
-		case "aws_athena_connector": return WorkflowSourceProvider.AWS_ATHENA_CONNECTOR;
-		case "ga": return WorkflowSourceProvider.GOOGLE_ANALYTICS;
-		case "amplitude": return WorkflowSourceProvider.AMPLITUDE;
-		case "mixpanel": return WorkflowSourceProvider.MIXPANEL;
-		case "posthog": return WorkflowSourceProvider.POSTHOG;
-		case "sentry": return WorkflowSourceProvider.SENTRY;
-		case "github": return WorkflowSourceProvider.GITHUB;
-		case "linear": return WorkflowSourceProvider.LINEAR;
-		default: return assertNever$4(provider);
-	}
-}
-function fromWorkflowSourceProvider(provider) {
-	switch (provider) {
-		case WorkflowSourceProvider.POSTGRES: return "postgres";
-		case WorkflowSourceProvider.SUPABASE: return "supabase";
-		case WorkflowSourceProvider.MYSQL: return "mysql";
-		case WorkflowSourceProvider.MONGODB: return "mongodb";
-		case WorkflowSourceProvider.BIGQUERY: return "bigquery";
-		case WorkflowSourceProvider.LAMINAR: return "laminar";
-		case WorkflowSourceProvider.AWS_ATHENA_CONNECTOR: return "aws_athena_connector";
-		case WorkflowSourceProvider.GOOGLE_ANALYTICS: return "ga";
-		case WorkflowSourceProvider.AMPLITUDE: return "amplitude";
-		case WorkflowSourceProvider.MIXPANEL: return "mixpanel";
-		case WorkflowSourceProvider.POSTHOG: return "posthog";
-		case WorkflowSourceProvider.SENTRY: return "sentry";
-		case WorkflowSourceProvider.GITHUB: return "github";
-		case WorkflowSourceProvider.LINEAR: return "linear";
-		case WorkflowSourceProvider.UNSPECIFIED: throw new Error("workflow source provider is unspecified");
-		default: throw new Error(`unsupported workflow source provider: ${provider}`);
-	}
-}
-function toSourceApiRequestKind(kind) {
-	switch (kind) {
-		case "describe": return SourceApiActionRequestKind.DESCRIBE;
-		case "invoke": return SourceApiActionRequestKind.INVOKE;
-		default: return assertNever$4(kind);
-	}
-}
-function fromSourceApiRequestKind(kind) {
-	switch (kind) {
-		case SourceApiActionRequestKind.DESCRIBE: return "describe";
-		case SourceApiActionRequestKind.INVOKE: return "invoke";
-		case SourceApiActionRequestKind.UNSPECIFIED: throw new Error("source api request kind is unspecified");
-		default: throw new Error(`unsupported source api request kind: ${kind}`);
-	}
-}
-function toSourceApiInvokeMode(mode) {
-	switch (mode) {
-		case "preview_only": return SourceApiActionInvokeMode.PREVIEW_ONLY;
-		case "execute": return SourceApiActionInvokeMode.EXECUTE;
-		default: return assertNever$4(mode);
-	}
-}
-function fromSourceApiInvokeMode(mode) {
-	switch (mode) {
-		case SourceApiActionInvokeMode.PREVIEW_ONLY: return "preview_only";
-		case SourceApiActionInvokeMode.EXECUTE: return "execute";
-		case SourceApiActionInvokeMode.UNSPECIFIED: throw new Error("source api invoke mode is unspecified");
-		default: throw new Error(`unsupported source api invoke mode: ${mode}`);
-	}
-}
-function toSourceApiOperationKind(kind) {
-	switch (kind) {
-		case "http_request": return SourceApiActionOperationKind.HTTP_REQUEST;
-		case "structured_request": return SourceApiActionOperationKind.STRUCTURED_REQUEST;
-		default: return assertNever$4(kind);
-	}
-}
-function fromSourceApiOperationKind(kind) {
-	switch (kind) {
-		case SourceApiActionOperationKind.HTTP_REQUEST: return "http_request";
-		case SourceApiActionOperationKind.STRUCTURED_REQUEST: return "structured_request";
-		case SourceApiActionOperationKind.UNSPECIFIED: throw new Error("source api operation kind is unspecified");
-		default: throw new Error(`unsupported source api operation kind: ${kind}`);
-	}
-}
-function toSourceApiSelectorKind(kind) {
-	switch (kind) {
-		case "none": return SourceApiActionSelectorKind.NONE;
-		case "path": return SourceApiActionSelectorKind.PATH;
-		case "identifier": return SourceApiActionSelectorKind.IDENTIFIER;
-		default: return assertNever$4(kind);
-	}
-}
-function fromSourceApiSelectorKind(kind) {
-	switch (kind) {
-		case SourceApiActionSelectorKind.NONE: return "none";
-		case SourceApiActionSelectorKind.PATH: return "path";
-		case SourceApiActionSelectorKind.IDENTIFIER: return "identifier";
-		case SourceApiActionSelectorKind.UNSPECIFIED: throw new Error("source api selector kind is unspecified");
-		default: throw new Error(`unsupported source api selector kind: ${kind}`);
-	}
-}
-function toSourceApiPaginationPolicy(policy) {
-	switch (policy) {
-		case "none": return SourceApiActionPaginationPolicy.NONE;
-		case "continuation_token": return SourceApiActionPaginationPolicy.CONTINUATION_TOKEN;
-		default: return assertNever$4(policy);
-	}
-}
-function fromSourceApiPaginationPolicy(policy) {
-	switch (policy) {
-		case SourceApiActionPaginationPolicy.NONE: return "none";
-		case SourceApiActionPaginationPolicy.CONTINUATION_TOKEN: return "continuation_token";
-		case SourceApiActionPaginationPolicy.UNSPECIFIED: throw new Error("source api pagination policy is unspecified");
-		default: throw new Error(`unsupported source api pagination policy: ${policy}`);
-	}
-}
-function toSourceApiInputMode(mode) {
-	switch (mode) {
-		case "none": return SourceApiActionInputMode.NONE;
-		case "request_object": return SourceApiActionInputMode.REQUEST_OBJECT;
-		case "request_body": return SourceApiActionInputMode.REQUEST_BODY;
-		default: return assertNever$4(mode);
-	}
-}
-function fromSourceApiInputMode(mode) {
-	switch (mode) {
-		case SourceApiActionInputMode.NONE: return "none";
-		case SourceApiActionInputMode.REQUEST_OBJECT: return "request_object";
-		case SourceApiActionInputMode.REQUEST_BODY: return "request_body";
-		case SourceApiActionInputMode.UNSPECIFIED: throw new Error("source api input mode is unspecified");
-		default: throw new Error(`unsupported source api input mode: ${mode}`);
-	}
-}
-function toSourceApiFailureCode(code) {
-	switch (code) {
-		case "source_not_found": return SourceApiActionFailureCode.SOURCE_NOT_FOUND;
-		case "descriptor_unavailable": return SourceApiActionFailureCode.DESCRIPTOR_UNAVAILABLE;
-		case "invalid_request": return SourceApiActionFailureCode.INVALID_REQUEST;
-		case "permission_denied": return SourceApiActionFailureCode.PERMISSION_DENIED;
-		case "request_timed_out": return SourceApiActionFailureCode.REQUEST_TIMED_OUT;
-		case "execution_failed": return SourceApiActionFailureCode.EXECUTION_FAILED;
-		case "execution_state_invalid": return SourceApiActionFailureCode.EXECUTION_STATE_INVALID;
-		default: return assertNever$4(code);
-	}
-}
-function fromDescriptorResolutionFailureCode(code) {
-	switch (code) {
-		case SourceApiActionFailureCode.DESCRIPTOR_UNAVAILABLE: return "descriptor_unavailable";
-		case SourceApiActionFailureCode.PERMISSION_DENIED: return "permission_denied";
-		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
-		default: throw new Error(`unsupported descriptor resolution failure code: ${code}`);
-	}
-}
-function fromRequestPreparationFailureCode(code) {
-	switch (code) {
-		case SourceApiActionFailureCode.INVALID_REQUEST: return "invalid_request";
-		case SourceApiActionFailureCode.PERMISSION_DENIED: return "permission_denied";
-		case SourceApiActionFailureCode.EXECUTION_STATE_INVALID: return "execution_state_invalid";
-		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
-		default: throw new Error(`unsupported request preparation failure code: ${code}`);
-	}
-}
-function fromPageFetchFailureCode(code) {
-	switch (code) {
-		case SourceApiActionFailureCode.INVALID_REQUEST: return "invalid_request";
-		case SourceApiActionFailureCode.REQUEST_TIMED_OUT: return "request_timed_out";
-		case SourceApiActionFailureCode.EXECUTION_FAILED: return "execution_failed";
-		case SourceApiActionFailureCode.EXECUTION_STATE_INVALID: return "execution_state_invalid";
-		case SourceApiActionFailureCode.UNSPECIFIED: throw new Error("source api failure code is unspecified");
-		default: throw new Error(`unsupported page fetch failure code: ${code}`);
-	}
-}
-function assertMatchingPayloadType(expected, actual) {
-	if (expected !== actual) throw new Error(`stored scalar payload type '${expected}' does not match protobuf payload type '${actual}'`);
-}
-function requireMessage(value, fieldName) {
-	if (value === void 0) throw new Error(`missing required protobuf field: ${fieldName}`);
-	return value;
-}
 //#endregion
 //#region packages/cli-server/src/audit/storage/serialization.ts
 init_dist$3();
@@ -258123,7 +258089,7 @@ function buildCliSourceApiPreview(value) {
 	return {
 		bodyKind: toCliSourceApiBodyKind(value.bodyKind),
 		bodyPaths: [...value.bodyPaths],
-		headerNames: lowerUniqueStrings(value.headerNames),
+		headerNames: canonicalizeSourceApiHeaderNames(value.headerNames),
 		host: value.host,
 		kind: toCliSourceApiOperationKind(value.kind),
 		method: value.method,
@@ -258150,7 +258116,7 @@ function buildCliSourceApiOperation(value) {
 		description: value.description,
 		examples: value.examples.map(buildCliSourceApiExample),
 		fieldPolicy: buildCliSourceApiFieldPolicy(value.fieldPolicy),
-		headerPolicy: { allowedRequestHeaderNames: lowerUniqueStrings(value.headerPolicy.allowedRequestHeaders) },
+		headerPolicy: { allowedRequestHeaderNames: canonicalizeSourceApiHeaderNames(value.headerPolicy.allowedRequestHeaders) },
 		kind: toCliSourceApiOperationKind(value.kind),
 		methodPolicy: {
 			allowedMethods: [...value.methodPolicy.allowedMethods],
@@ -258176,9 +258142,6 @@ function toCliSourceApiPatchMode(value) {
 	if (!value.allowsRawFields && !value.allowsTypedFields) return SourceApiPatchMode.NONE;
 	return value.mergePatches ? SourceApiPatchMode.MERGE : SourceApiPatchMode.SEPARATE;
 }
-function lowerUniqueStrings(values) {
-	return [...new Set(values.map((value) => value.toLowerCase()))];
-}
 function buildCliSourceApiExample(value) {
 	return {
 		command: value.command,
@@ -258392,7 +258355,7 @@ function createHttpRequestOperation(input) {
 			...DEFAULT_HTTP_FIELD_POLICY,
 			...input.fieldPolicy
 		},
-		headerPolicy,
+		headerPolicy: canonicalizeSourceApiHeaderPolicy(headerPolicy),
 		kind: "http_request",
 		methodPolicy,
 		name: input.name,
@@ -258744,7 +258707,7 @@ function createStructuredRequestOperation(input) {
 			...DEFAULT_STRUCTURED_FIELD_POLICY,
 			...input.fieldPolicy
 		},
-		headerPolicy,
+		headerPolicy: canonicalizeSourceApiHeaderPolicy(headerPolicy),
 		kind: "structured_request",
 		methodPolicy: {
 			allowedMethods: ["POST"],
@@ -260850,10 +260813,10 @@ const sourceApiRegistry = createSourceApiRegistry([
 //#endregion
 //#region packages/server/src/source-api/describe.ts
 async function describeSourceApi(input) {
-	return getSourceApiAdapter(input.registry ?? sourceApiRegistry, input.source.provider).describe({
+	return canonicalizeSourceApiDescriptorHeaderPolicies(await getSourceApiAdapter(input.registry ?? sourceApiRegistry, input.source.provider).describe({
 		actor: input.actor,
 		source: input.source
-	});
+	}));
 }
 //#endregion
 //#region packages/server/src/source-api/execute.ts
@@ -262563,10 +262526,12 @@ function registerCliConnectRoutes(router) {
 //#endregion
 //#region packages/cli-server/src/connect/node-adapter.ts
 const cliRequestIdInterceptor = (next) => async (request) => {
+	const requestId = request.contextValues.get(cliConnectRequestContextKey)?.requestId ?? "unknown";
 	try {
-		return await next(request);
+		const response = await next(request);
+		response.header.set(CLI_REQUEST_ID_HEADER, requestId);
+		return response;
 	} catch (reason) {
-		const requestId = request.contextValues.get(cliConnectRequestContextKey)?.requestId ?? "unknown";
 		throw withCliRequestId(ConnectError.from(reason), requestId);
 	}
 };
@@ -263685,10 +263650,7 @@ function createProblemDetailsErrorHandler(source) {
 //#endregion
 //#region packages/server/src/routes/auth.ts
 const authRoute = new Hono().get("/bootstrap-state", async (c) => {
-	const state = await readAuthBootstrapState({
-		db: c.var.storage.db,
-		schema: c.var.storage.schema
-	});
+	const state = await readAuthBootstrapState({ db: c.var.storage.db });
 	return c.json({
 		...state,
 		emailDeliveryMode: c.var.storage.emailDeliveryMode,
@@ -263924,7 +263886,6 @@ const bootstrapRoute = new Hono().get("/", async (c) => {
 	if (!(await readBootstrapState(c.var.storage.db)).needsBootstrap) return c.json({ error: "Bootstrap is already complete. Sign in with an existing account." }, 409);
 	const auth = c.var.storage.auth;
 	const db = c.var.storage.db;
-	const schema = c.var.storage.schema;
 	const body = c.req.valid("json");
 	let createdOrganizationId = null;
 	const baseUrl = c.var.runtime.auth.baseURL;
@@ -263970,8 +263931,8 @@ const bootstrapRoute = new Hono().get("/", async (c) => {
 		response.headers.set("cache-control", "no-store");
 		return response;
 	} catch (error) {
-		const cleanupOperations = [db.delete(schema.user).where(eq(schema.user.id, userId))];
-		if (createdOrganizationId) cleanupOperations.push(db.delete(schema.organization).where(eq(schema.organization.id, createdOrganizationId)));
+		const cleanupOperations = [db.delete(user).where(eq(user.id, userId))];
+		if (createdOrganizationId) cleanupOperations.push(db.delete(organization$1).where(eq(organization$1.id, createdOrganizationId)));
 		await Promise.allSettled(cleanupOperations);
 		if (error instanceof BootstrapFlowError) return c.json({ error: error.message }, { status: error.status });
 		return c.json({ error: "Failed to complete the first-run bootstrap flow" }, 500);
@@ -264024,8 +263985,7 @@ var OrganizationNotFoundError = class extends r$9("OrganizationNotFoundError")()
 * Users must be members of the organization.
 */
 async function verifyOrgAccess(db, userId, organizationId) {
-	const { member } = getDatabaseSchema(db);
-	const [membership] = await db.select({ id: member.id }).from(member).where(and(eq(member.userId, userId), eq(member.organizationId, organizationId))).limit(1);
+	const [membership] = await db.select({ id: member$1.id }).from(member$1).where(and(eq(member$1.userId, userId), eq(member$1.organizationId, organizationId))).limit(1);
 	return Boolean(membership);
 }
 //#endregion
@@ -264565,9 +264525,7 @@ async function revokeLinearToken(input) {
 }
 const dataSourcesCrudRoute = new Hono().get("/", requireOrgAccess(), zValidator("query", OrgQuerySchema, zodProblemHook()), async (c) => {
 	const { organizationId } = c.req.valid("query");
-	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
-	const result = await db.query.dataSources.findMany({
+	const result = await c.var.storage.db.query.dataSources.findMany({
 		columns: {
 			id: true,
 			provider: true,
@@ -264585,9 +264543,7 @@ const dataSourcesCrudRoute = new Hono().get("/", requireOrgAccess(), zValidator(
 }).get("/:id", requireOrgAccess(), zValidator("query", OrgQuerySchema, zodProblemHook()), async (c) => {
 	const { organizationId } = c.req.valid("query");
 	const id = c.req.param("id");
-	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
-	const dataSource = await db.query.dataSources.findFirst({
+	const dataSource = await c.var.storage.db.query.dataSources.findFirst({
 		columns: {
 			id: true,
 			provider: true,
@@ -264609,7 +264565,6 @@ const dataSourcesCrudRoute = new Hono().get("/", requireOrgAccess(), zValidator(
 	const session = c.get("session");
 	if (!session?.user) return c.json({ error: "Unauthorized" }, 401);
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	if (!await verifyOrgAccess(db, session.user.id, body.organizationId)) return c.json({ error: "Forbidden: Not a member of this organization" }, 403);
 	if (!doesProviderMatchCredentials({
 		credentialsType: body.credentials.type,
@@ -264656,7 +264611,6 @@ const dataSourcesCrudRoute = new Hono().get("/", requireOrgAccess(), zValidator(
 	const id = c.req.param("id");
 	const body = c.req.valid("json");
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	const existing = await db.query.dataSources.findFirst({ where: and(eq(dataSources.id, id), eq(dataSources.organizationId, organizationId)) });
 	if (!existing) return c.json({ error: "Data source not found" }, 404);
 	const updates = { updatedAt: /* @__PURE__ */ new Date() };
@@ -264708,7 +264662,6 @@ const dataSourcesCrudRoute = new Hono().get("/", requireOrgAccess(), zValidator(
 	const { organizationId } = c.req.valid("query");
 	const id = c.req.param("id");
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	const existing = await db.query.dataSources.findFirst({ where: and(eq(dataSources.id, id), eq(dataSources.organizationId, organizationId)) });
 	if (!existing) return c.json({ error: "Data source not found" }, 404);
 	if (existing.provider === "linear") {
@@ -264802,9 +264755,7 @@ const GitHubRepositoriesSchema = array$1(GitHubRepositorySchema);
 const dataSourcesGitHubRepositoriesRoute = new Hono().use("*", requireOrgAccess()).get("/:id/github-repositories", zValidator("query", OrgQuerySchema, zodProblemHook()), async (c) => {
 	const { organizationId } = c.req.valid("query");
 	const id = c.req.param("id");
-	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
-	const dataSource = await db.query.dataSources.findFirst({
+	const dataSource = await c.var.storage.db.query.dataSources.findFirst({
 		columns: {
 			id: true,
 			provider: true,
@@ -264841,7 +264792,6 @@ const dataSourcesGitHubRepositoriesRoute = new Hono().use("*", requireOrgAccess(
 	const id = c.req.param("id");
 	const body = c.req.valid("json");
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	const dataSource = await db.query.dataSources.findFirst({ where: and(eq(dataSources.id, id), eq(dataSources.organizationId, organizationId)) });
 	if (!dataSource) return c.json({ error: "Data source not found" }, 404);
 	if (dataSource.provider !== "github") return c.json({ error: "Data source is not GitHub" }, 400);
@@ -264871,7 +264821,6 @@ const dataSourcesTestRoute = new Hono().use("*", requireOrgAccess()).post("/:id/
 	const { organizationId } = c.req.valid("query");
 	const id = c.req.param("id");
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	const dataSource = await db.query.dataSources.findFirst({ where: and(eq(dataSources.id, id), eq(dataSources.organizationId, organizationId)) });
 	if (!dataSource) return c.json({ error: "Data source not found" }, 404);
 	const preparedCredentials = await prepareDataSourceCredentials({
@@ -264916,15 +264865,13 @@ const healthRoute = new Hono().get("/health", (c) => c.json({
 //#region packages/server/src/routes/organizations.ts
 const OrganizationSlugParamsSchema = object$1({ slug: string$3().min(1, "slug is required") });
 const UpdateOrgSettingsSchema = object$1({ monthlyBudgetUsd: number$4().min(0).nullable().optional() }).refine((body) => body.monthlyBudgetUsd !== void 0, { message: "At least one organization setting must be provided" });
-function getOrganizationSettingsSelection(db) {
-	const { organizationProfiles } = getDatabaseSchema(db);
+function getOrganizationSettingsSelection() {
 	return { monthlyBudgetUsd: organizationProfiles.monthlyBudgetUsd };
 }
 async function findOrganizationMembershipBySlug(input) {
-	const { member, organization } = getDatabaseSchema(input.db);
-	const [org] = await input.db.select({ id: organization.id }).from(organization).where(eq(organization.slug, input.slug)).limit(1);
+	const [org] = await input.db.select({ id: organization$1.id }).from(organization$1).where(eq(organization$1.slug, input.slug)).limit(1);
 	if (!org) return { kind: "not_found" };
-	const [membership] = await input.db.select({ role: member.role }).from(member).where(and(eq(member.organizationId, org.id), eq(member.userId, input.userId))).limit(1);
+	const [membership] = await input.db.select({ role: member$1.role }).from(member$1).where(and(eq(member$1.organizationId, org.id), eq(member$1.userId, input.userId))).limit(1);
 	if (!membership) return { kind: "forbidden" };
 	return {
 		kind: "ok",
@@ -264942,16 +264889,15 @@ async function findOrganizationMembershipBySlug(input) {
 const organizationsRoute = new Hono().get("/:slug", async (c) => {
 	const slug = c.req.param("slug");
 	const db = c.var.storage.db;
-	const { organization } = getDatabaseSchema(db);
 	const session = c.get("session");
 	if (!session?.user) return c.json({ error: "Unauthorized" }, 401);
 	const [org] = await db.select({
-		createdAt: organization.createdAt,
-		id: organization.id,
-		logo: organization.logo,
-		name: organization.name,
-		slug: organization.slug
-	}).from(organization).where(eq(organization.slug, slug)).limit(1);
+		createdAt: organization$1.createdAt,
+		id: organization$1.id,
+		logo: organization$1.logo,
+		name: organization$1.name,
+		slug: organization$1.slug
+	}).from(organization$1).where(eq(organization$1.slug, slug)).limit(1);
 	if (!org) return c.json({ error: "Organization not found" }, 404);
 	if (!await verifyOrgAccess(db, session.user.id, org.id)) return c.json({ error: "Forbidden: Not a member of this organization" }, 403);
 	return c.json({ organization: org });
@@ -264983,11 +264929,10 @@ const organizationsRoute = new Hono().get("/:slug", async (c) => {
 }).get("/:slug/settings", async (c) => {
 	const slug = c.req.param("slug");
 	const db = c.var.storage.db;
-	const { organization, organizationProfiles } = getDatabaseSchema(db);
-	const organizationSettingsSelection = getOrganizationSettingsSelection(db);
+	const organizationSettingsSelection = getOrganizationSettingsSelection();
 	const session = c.get("session");
 	if (!session?.user) return c.json({ error: "Unauthorized" }, 401);
-	const [org] = await db.select({ id: organization.id }).from(organization).where(eq(organization.slug, slug)).limit(1);
+	const [org] = await db.select({ id: organization$1.id }).from(organization$1).where(eq(organization$1.slug, slug)).limit(1);
 	if (!org) return c.json({ error: "Organization not found" }, 404);
 	if (!await verifyOrgAccess(db, session.user.id, org.id)) return c.json({ error: "Forbidden: Not a member of this organization" }, 403);
 	const [profile] = await db.select(organizationSettingsSelection).from(organizationProfiles).where(eq(organizationProfiles.organizationId, org.id)).limit(1);
@@ -264999,13 +264944,12 @@ const organizationsRoute = new Hono().get("/:slug", async (c) => {
 	const slug = c.req.param("slug");
 	const body = c.req.valid("json");
 	const db = c.var.storage.db;
-	const { member, organization, organizationProfiles } = getDatabaseSchema(db);
-	const organizationSettingsSelection = getOrganizationSettingsSelection(db);
+	const organizationSettingsSelection = getOrganizationSettingsSelection();
 	const session = c.get("session");
 	if (!session?.user) return c.json({ error: "Unauthorized" }, 401);
-	const [org] = await db.select({ id: organization.id }).from(organization).where(eq(organization.slug, slug)).limit(1);
+	const [org] = await db.select({ id: organization$1.id }).from(organization$1).where(eq(organization$1.slug, slug)).limit(1);
 	if (!org) return c.json({ error: "Organization not found" }, 404);
-	const [membership] = await db.select({ role: member.role }).from(member).where(and(eq(member.userId, session.user.id), eq(member.organizationId, org.id))).limit(1);
+	const [membership] = await db.select({ role: member$1.role }).from(member$1).where(and(eq(member$1.userId, session.user.id), eq(member$1.organizationId, org.id))).limit(1);
 	if (!membership) return c.json({ error: "Forbidden: Not a member of this organization" }, 403);
 	if (!doesOrganizationMembershipGrantPermission({
 		permission: organizationPermissionChecks.organizationUpdate,
@@ -265026,7 +264970,6 @@ const QuerySchema = object$1({ organizationId: string$3().min(1, "organizationId
 const statsRoute = new Hono().use("*", requireOrgAccess()).get("/", zValidator("query", QuerySchema, zodProblemHook()), async (c) => {
 	const { organizationId } = c.req.valid("query");
 	const db = c.var.storage.db;
-	const { dataSources } = getDatabaseSchema(db);
 	const [dataSourcesResult] = await Promise.all([db.select({ count: count() }).from(dataSources).where(eq(dataSources.organizationId, organizationId))]);
 	return c.json({ dataSourcesCount: dataSourcesResult[0]?.count ?? 0 });
 });
@@ -265168,7 +265111,7 @@ function serverRuntimeMiddleware(runtime) {
 */
 function createServerApi(input) {
 	const storage = input.storage ?? createServerStorage(input.runtime, createMemoryApiRateLimitStorage(), { enableAuthTestUtils: input.enableAuthTestUtils });
-	return new Hono().onError(createProblemDetailsErrorHandler("packages/server/createServerApi")).use("*", serverRuntimeMiddleware(input.runtime)).use("*", serverStorageMiddleware(storage)).use("*", apiRateLimiter({ enabled: input.runtime.rateLimit.enabled })).use("/organizations", sessionMiddleware()).use("/organizations/*", sessionMiddleware()).use("/stats", sessionMiddleware()).use("/stats/*", sessionMiddleware()).use("/team", sessionMiddleware()).use("/team/*", sessionMiddleware()).use("/data-sources", sessionMiddleware()).use("/data-sources/*", sessionMiddleware()).use("/budget", sessionMiddleware()).use("/budget/*", sessionMiddleware()).route("/", healthRoute).route("/bootstrap", bootstrapRoute).route("/budget", budgetRoute).route("/connectors", connectorsRoute).route("/jobs", connectorJobsRoute).route("/auth", authRoute).route("/data-sources", dataSourcesRoute).route("/organizations", organizationsRoute).route("/stats", statsRoute).route("/team", teamRoute);
+	return new Hono().onError(createProblemDetailsErrorHandler("packages/server/createServerApi")).use("*", requestId()).use("*", serverRuntimeMiddleware(input.runtime)).use("*", serverStorageMiddleware(storage)).use("*", apiRateLimiter({ enabled: input.runtime.rateLimit.enabled })).use("/organizations", sessionMiddleware()).use("/organizations/*", sessionMiddleware()).use("/stats", sessionMiddleware()).use("/stats/*", sessionMiddleware()).use("/team", sessionMiddleware()).use("/team/*", sessionMiddleware()).use("/data-sources", sessionMiddleware()).use("/data-sources/*", sessionMiddleware()).use("/budget", sessionMiddleware()).use("/budget/*", sessionMiddleware()).route("/", healthRoute).route("/bootstrap", bootstrapRoute).route("/budget", budgetRoute).route("/connectors", connectorsRoute).route("/jobs", connectorJobsRoute).route("/auth", authRoute).route("/data-sources", dataSourcesRoute).route("/organizations", organizationsRoute).route("/stats", statsRoute).route("/team", teamRoute);
 }
 //#endregion
 //#region node_modules/.bun/hono@4.12.14/node_modules/hono/dist/utils/color.js