@pattern-stack/codegen 0.15.1 → 0.15.3

package/dist/chunk-LG57S2SC.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/integration/incremental-read.ts"],"sourcesContent":["/**\n * Integration subsystem — `IncrementalRead<T, F>` + `RandomRead<T>` capability\n * and the providing `IncrementalReadBase<T, F, M>` (RFC-0003 R1).\n *\n * The universal read primitive. Where `IChangeSource.listChanges` is the\n * *transport* contract (stream `Change<T>`, orchestrator owns cursor lifecycle),\n * this base owns *how the body that produces those changes is written* — the\n * level the bare `changeSources = {}` author-seam left unstructured.\n *\n * The read decomposes into two composable verbs the adapter supplies:\n *\n *   - `enumerate(mode, filter) → AsyncIterable<Ref<M>[]>` — the cheap delta /\n *     backfill walk; streams pages of lightweight refs (id + per-ref cursor +\n *     filterable metadata). LAZY: pull-driven so hydrate backpressures it.\n *   - `hydrate(ids) → Map<id, raw>` — the expensive fetch-by-id, batched; where\n *     bounded concurrency / a vendor `/batch` endpoint lives. Keyed and\n *     miss-tolerant (a mid-run 404 cannot shift alignment).\n *   - `toCanonical(raw) → T | null` — provider payload → canonical record.\n *\n * The base PROVIDES the orchestration: drain enumerate, **filter before\n * hydrate** (structural — an adapter physically cannot hydrate-then-discard),\n * keyed pairing, per-ref cursor emission, and the `IChangeSource.listChanges`\n * adaptation. It also provides `RandomRead.get()` for free as\n * `toCanonical ∘ hydrate([id])` — so every incremental adapter is a\n * single-record reader (the \"list cheaply, fill on click\" query-surface need)\n * without extra code.\n *\n * The shape generalizes dealbrain's proven HubSpot `listSince` (streams, pushes\n * the filter server-side, carries a per-record cursor) to vendors whose list\n * returns id-stubs (Gmail) or nested resources (Meet). Calendar-style\n * full-object lists override `hydrate` as a passthrough.\n *\n * See RFC-0003 (Track D round-3), ADR-033 (`detection:` config), and\n * `poll-change-source.ts` (the sibling primitive this composes beside).\n */\n\nimport type {\n  Change,\n  ChangeSource,\n  IChangeSource,\n  IntegrationSubscriptionView,\n} from './integration-change-source.protocol';\n\n// ============================================================================\n// Capability shapes\n// ============================================================================\n\n/**\n * How a read walks the upstream. Modes are values, not verbs (swe-brain\n * ADR-0003: mode ≠ capability) — one `read()` verb dispatches on these.\n *\n *   - `delta`     — incremental walk from a persisted cursor.\n *   - `full`      — cursorless backfill (optionally bounded by `since`).\n *   - `reconcile` — gap-repair: re-fetch a known id set the cursor skipped\n *                   (the repair pass for the silent-tail-skip + #414-style\n *                   multi-provider divergence).\n */\nexport type ReadMode =\n  | { readonly kind: 'delta'; readonly cursor: unknown }\n  | { readonly kind: 'full'; readonly since?: Date }\n  | { readonly kind: 'reconcile'; readonly knownIds: readonly string[] };\n\n/**\n * A cheap ref from the enumerate pass: identity + per-ref cursor + metadata to\n * filter or display on. `cursor` is the position AS OF this ref — see\n * `IncrementalReadBase.cursorDivisible` (R2) for when it may be checkpointed\n * mid-walk versus withheld until a safe boundary.\n */\nexport interface Ref<M = Record<string, unknown>> {\n  readonly externalId: string;\n  readonly cursor: unknown;\n  readonly meta: M;\n}\n\n/** A read request: the mode, an optional adapter-typed filter, and page size. */\nexport interface ReadRequest<F = unknown> {\n  readonly mode: ReadMode;\n  readonly filter?: F;\n  readonly pageSize?: number;\n}\n\n/**\n * Per-run context threaded from `listChanges` into the vendor read body (R5).\n *\n * Carries the `subscription` framing the run so `enumerate`/`hydrate` can resolve\n * **per-connection credentials** (and raw-landing keys) from\n * `subscription.externalRef` — the gap a multi-account consumer surfaced: a\n * singleton change source cannot hold connection-scoped auth, and before R5 the\n * base forwarded the subscription only into `filterFor`, never into the fetch.\n *\n * Optional throughout (the core contract): a direct `read()` / `get()` call — the\n * query surface's \"fill one record on click\" — may omit it. An adapter that needs\n * per-connection auth reads `ctx?.subscription?.externalRef` and asserts its\n * presence; a provider-level-auth adapter ignores it.\n */\nexport interface ReadContext {\n  /** The subscription framing this run; `externalRef` is the upstream scope /\n   *  connection id the adapter resolves credentials + raw-landing keys from. */\n  readonly subscription?: IntegrationSubscriptionView;\n}\n\n/**\n * The `read()`-side envelope: canonical record + the raw vendor payload it came\n * from + the originating external id + the per-ref cursor.\n *\n * Distinct from the runtime's transport envelope `Change<T>`\n * (operation/externalId/cursor/source). The relationship is one-directional:\n * `listChanges()` adapts `read()` → `Change<T>` (dropping `raw`, stamping\n * `operation`). `read()` keeps `raw` and `externalId` so a query surface can\n * re-project without a second fetch.\n */\nexport interface SourcedRecord<T> {\n  readonly externalId: string;\n  readonly record: T;\n  readonly raw: unknown;\n  readonly cursor: unknown;\n}\n\n/**\n * The universal read capability — one public verb that streams. Filtering,\n * hydration, and cursor emission are the providing base's concern.\n */\nexport interface IncrementalRead<T, F = unknown> {\n  read(req: ReadRequest<F>, ctx?: ReadContext): AsyncIterable<SourcedRecord<T>>;\n}\n\n/**\n * Single-record read by external id — the \"fill on click\" atom. Provided for\n * free by `IncrementalReadBase` (composes `hydrate` + `toCanonical`); declared\n * as its own capability so consumers can depend on it without the streaming\n * surface.\n */\nexport interface RandomRead<T> {\n  get(id: string, ctx?: ReadContext): Promise<T | null>;\n}\n\n// ============================================================================\n// Bounded-parallel map helper\n// ============================================================================\n\n/**\n * Map `ids` through `fn` with at most `limit` concurrent in-flight calls,\n * collecting results keyed by id. The workhorse for writing a batched\n * `hydrate` over a single-id fetch without serial N+1 latency.\n */\nexport async function mapConcurrent<R>(\n  ids: readonly string[],\n  fn: (id: string) => Promise<R>,\n  limit: number,\n): Promise<Map<string, R>> {\n  const out = new Map<string, R>();\n  if (ids.length === 0) return out;\n  const width = Math.max(1, Math.min(limit, ids.length));\n  let next = 0;\n  const worker = async (): Promise<void> => {\n    while (next < ids.length) {\n      const idx = next++;\n      const id = ids[idx]!;\n      out.set(id, await fn(id));\n    }\n  };\n  await Promise.all(Array.from({ length: width }, worker));\n  return out;\n}\n\n// ============================================================================\n// IncrementalReadBase\n// ============================================================================\n\n/**\n * Providing base for the read capability. A subclass fills exactly three vendor\n * methods — `enumerate`, `hydrate`, `toCanonical` — and gets a streaming,\n * filter-before-hydrate, miss-tolerant `IncrementalRead<T, F>` +\n * `IChangeSource<T>` + `RandomRead<T>`.\n *\n * Type params: `T` canonical record, `F` adapter-typed filter, `M` per-ref\n * metadata (defaults to an untyped bag — surface packages supply a domain `M`).\n */\nexport abstract class IncrementalReadBase<T, F = unknown, M = Record<string, unknown>>\n  implements IncrementalRead<T, F>, IChangeSource<T>, RandomRead<T>\n{\n  /** Human label for run logs — e.g. `'google-mail-email'`. */\n  abstract readonly label: string;\n\n  /**\n   * Whether the vendor takes the request predicate server-side. Declared, not\n   * enforced here — surfaced into the emission manifest (R3) so the falsifier\n   * suite (R4) can record which adapters filter post-hydrate. `false` is the\n   * honest floor (e.g. Gmail without `q=`), handled via `matchesRecord`.\n   */\n  protected readonly filterPushdown: boolean = false;\n\n  /** Max concurrent in-flight calls for a `mapConcurrent`-built `hydrate`. */\n  protected readonly hydrateConcurrency: number = 10;\n\n  /** `Change<T>.source` provenance stamped by `listChanges`. */\n  protected readonly changeSource: ChangeSource = 'poll';\n\n  /**\n   * Whether this source's cursor strategy is divisible (RFC-0003 §3). When\n   * `true` (default — sortable watermarks like `systemModstamp`/`timestamp`/\n   * `replayId`), `listChanges` emits each record's per-ref cursor, so the\n   * orchestrator may checkpoint mid-walk and a crash resumes from the last\n   * delivered ref.\n   *\n   * When `false` (atomic opaque tokens — Gmail `historyId`, Calendar\n   * `syncToken`), `listChanges` WITHHOLDS per-ref cursors and emits the\n   * end-of-walk token only on the final record, so the orchestrator's\n   * persist-last-yielded lifecycle can never persist an unresumable mid-walk\n   * token. The cost is blast-radius: an interrupted atomic run resumes\n   * all-or-nothing from the prior persisted token. For atomic *backfills* that\n   * radius is the whole enumerate walk — bound it with `ReadRequest.pageSize`\n   * (smaller pages ⇒ shorter walks per run). Per-page atomic checkpointing is a\n   * future refinement; R2 gates at end-of-walk.\n   *\n   * Codegen (R3) sets this from the strategy kind via `isDivisibleCursor`.\n   */\n  protected readonly cursorDivisible: boolean = true;\n\n  // ---- SUPPLIED by the adapter (the irreducible vendor seam) ----\n\n  /**\n   * The cheap walk. Streams pages of refs; LAZY so `hydrate` backpressures it\n   * (one page hydrated before the next is pulled). Mode-dispatch lives here:\n   * `delta` resumes from `mode.cursor`, `full` walks from the top, `reconcile`\n   * re-fetches `mode.knownIds`.\n   *\n   * `pageSize` (from `ReadRequest`) is the adapter's requested vendor page size\n   * — also the atomic-cursor backfill blast-radius bound (§ `cursorDivisible`).\n   * Honor it as a hint; vendors that cap page size clamp it.\n   *\n   * `ctx?.subscription` (R5) carries the run's subscription, so a per-connection\n   * adapter resolves credentials / upstream scope from `externalRef` here; absent\n   * on a direct `read()` with no run subscription.\n   */\n  protected abstract enumerate(\n    mode: ReadMode,\n    filter?: F,\n    pageSize?: number,\n    ctx?: ReadContext,\n  ): AsyncIterable<Ref<M>[]>;\n\n  /**\n   * Fetch raw payloads for `ids`, keyed by id. MUST be miss-tolerant: omit (or\n   * map to `null`) any id that 404s mid-run rather than throwing or shifting\n   * alignment. Write it over `mapConcurrent(ids, (id) => this.fetchOne(id),\n   * this.hydrateConcurrency)`; override with a real `/batch` call or a\n   * passthrough (full-object list) where the vendor allows.\n   *\n   * `ctx?.subscription` (R5) carries the run's subscription for per-connection\n   * credential resolution (the fetch is where the vendor call happens) and is the\n   * natural place to land raw payloads keyed by `subscription.id`.\n   */\n  protected abstract hydrate(ids: string[], ctx?: ReadContext): Promise<Map<string, unknown>>;\n\n  /** Provider payload → canonical record. Return `null` to drop a record. */\n  protected abstract toCanonical(raw: unknown): T | null;\n\n  // ---- Optional filter hooks — exactly one is live per `filterPushdown` ----\n\n  /** Pre-hydrate predicate over the cheap ref (preferred — avoids hydration). */\n  protected matchesRef(_ref: Ref<M>, _filter?: F): boolean {\n    return true;\n  }\n\n  /** Post-hydrate predicate over the canonical record (the no-pushdown floor). */\n  protected matchesRecord(_record: T, _filter?: F): boolean {\n    return true;\n  }\n\n  /**\n   * Resolve the filter for a subscription when adapting to `listChanges`\n   * (which has no filter argument). Defaults to none; codegen wiring (R3)\n   * overrides this to thread `DetectionConfig.filters`.\n   */\n  protected filterFor(_subscription: IntegrationSubscriptionView): F | undefined {\n    return undefined;\n  }\n\n  // ---- PROVIDED by the base ----\n\n  /**\n   * Stream canonical records for a request. Filter is applied BEFORE hydrate\n   * (structural: a kept ref is hydrated, a rejected one never is), so an\n   * adapter cannot hydrate-then-discard. A hydrate miss (deleted mid-run) is\n   * skipped, never fabricated.\n   */\n  async *read(req: ReadRequest<F>, ctx?: ReadContext): AsyncIterable<SourcedRecord<T>> {\n    for await (const refPage of this.enumerate(req.mode, req.filter, req.pageSize, ctx)) {\n      const kept = refPage.filter((ref) => this.matchesRef(ref, req.filter));\n      if (kept.length === 0) continue;\n      const raws = await this.hydrate(\n        kept.map((ref) => ref.externalId),\n        ctx,\n      );\n      for (const ref of kept) {\n        const raw = raws.get(ref.externalId);\n        if (raw === undefined || raw === null) continue; // deleted mid-run → skip\n        const record = this.toCanonical(raw);\n        if (record !== null && this.matchesRecord(record, req.filter)) {\n          yield { externalId: ref.externalId, record, raw, cursor: ref.cursor };\n        }\n      }\n    }\n  }\n\n  /**\n   * `RandomRead<T>` — single-record read, provided for free as\n   * `toCanonical ∘ hydrate([id])`. Reuses the adapter's batched fetch + miss\n   * tolerance; returns `null` for a missing or undecodable record.\n   */\n  async get(id: string, ctx?: ReadContext): Promise<T | null> {\n    const raws = await this.hydrate([id], ctx);\n    const raw = raws.get(id);\n    if (raw === undefined || raw === null) return null;\n    return this.toCanonical(raw);\n  }\n\n  /**\n   * `IChangeSource<T>` adaptation. Maps the orchestrator's by-value cursor to a\n   * `ReadMode` (`null` → `full` backfill, else `delta`), streams `read()`, and\n   * stamps each `SourcedRecord` into a `Change<T>`. All records surface as\n   * `'updated'`; the orchestrator's diff stage classifies create-vs-update and\n   * deletes arrive as tombstone refs (`toCanonical` may flag them).\n   *\n   * Cursor emission honors `cursorDivisible` (RFC-0003 §3). Divisible: each\n   * record carries its own per-ref cursor. Atomic: per-ref cursors are withheld\n   * (`undefined`, which the orchestrator skips persisting) and the end-of-walk\n   * token rides only on the final record — so a mid-walk crash never persists\n   * an unresumable token. If an atomic run yields no surviving records, no\n   * cursor is persisted and the next run re-reads the same (empty) delta — a\n   * bounded inefficiency, never data loss.\n   */\n  async *listChanges(\n    subscription: IntegrationSubscriptionView,\n    cursor: unknown | null,\n  ): AsyncIterable<Change<T>> {\n    const mode: ReadMode =\n      cursor === null || cursor === undefined\n        ? { kind: 'full' }\n        : { kind: 'delta', cursor };\n    const filter = this.filterFor(subscription);\n    // R5: thread the run's subscription into the read body so `enumerate`/`hydrate`\n    // can resolve per-connection credentials (and raw-landing keys) from it.\n    const stream = this.read({ mode, filter }, { subscription });\n\n    if (this.cursorDivisible) {\n      for await (const sourced of stream) {\n        yield this.toChange(sourced, sourced.cursor);\n      }\n      return;\n    }\n\n    // Atomic: one-record lookahead. Emit every record but the last with a\n    // withheld (`undefined`) cursor; the last record carries the end-of-walk\n    // token. Contract: an atomic adapter stamps the (single, shared) end-of-walk\n    // token onto its refs' `cursor` — so whichever record survives last carries\n    // it. The base emits a real cursor exactly once, on that final record, so the\n    // orchestrator can never persist a mid-walk value. If zero records survive,\n    // nothing is persisted (next run re-reads the delta — bounded, never lossy).\n    let prev: SourcedRecord<T> | null = null;\n    for await (const sourced of stream) {\n      if (prev !== null) yield this.toChange(prev, undefined);\n      prev = sourced;\n    }\n    if (prev !== null) yield this.toChange(prev, prev.cursor);\n  }\n\n  /** Stamp a `SourcedRecord` into a `Change<T>` with an explicit emitted cursor. */\n  private toChange(sourced: SourcedRecord<T>, cursor: unknown): Change<T> {\n    return {\n      externalId: sourced.externalId,\n      operation: 'updated',\n      record: sourced.record,\n      cursor,\n      source: this.changeSource,\n    };\n  }\n}\n"],"mappings":";AAiJA,eAAsB,cACpB,KACA,IACA,OACyB;AACzB,QAAM,MAAM,oBAAI,IAAe;AAC/B,MAAI,IAAI,WAAW,EAAG,QAAO;AAC7B,QAAM,QAAQ,KAAK,IAAI,GAAG,KAAK,IAAI,OAAO,IAAI,MAAM,CAAC;AACrD,MAAI,OAAO;AACX,QAAM,SAAS,YAA2B;AACxC,WAAO,OAAO,IAAI,QAAQ;AACxB,YAAM,MAAM;AACZ,YAAM,KAAK,IAAI,GAAG;AAClB,UAAI,IAAI,IAAI,MAAM,GAAG,EAAE,CAAC;AAAA,IAC1B;AAAA,EACF;AACA,QAAM,QAAQ,IAAI,MAAM,KAAK,EAAE,QAAQ,MAAM,GAAG,MAAM,CAAC;AACvD,SAAO;AACT;AAeO,IAAe,sBAAf,MAEP;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUqB,iBAA0B;AAAA;AAAA,EAG1B,qBAA6B;AAAA;AAAA,EAG7B,eAA6B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAqB7B,kBAA2B;AAAA;AAAA;AAAA,EA4CpC,WAAW,MAAc,SAAsB;AACvD,WAAO;AAAA,EACT;AAAA;AAAA,EAGU,cAAc,SAAY,SAAsB;AACxD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOU,UAAU,eAA2D;AAC7E,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,OAAO,KAAK,KAAqB,KAAoD;AACnF,qBAAiB,WAAW,KAAK,UAAU,IAAI,MAAM,IAAI,QAAQ,IAAI,UAAU,GAAG,GAAG;AACnF,YAAM,OAAO,QAAQ,OAAO,CAAC,QAAQ,KAAK,WAAW,KAAK,IAAI,MAAM,CAAC;AACrE,UAAI,KAAK,WAAW,EAAG;AACvB,YAAM,OAAO,MAAM,KAAK;AAAA,QACtB,KAAK,IAAI,CAAC,QAAQ,IAAI,UAAU;AAAA,QAChC;AAAA,MACF;AACA,iBAAW,OAAO,MAAM;AACtB,cAAM,MAAM,KAAK,IAAI,IAAI,UAAU;AACnC,YAAI,QAAQ,UAAa,QAAQ,KAAM;AACvC,cAAM,SAAS,KAAK,YAAY,GAAG;AACnC,YAAI,WAAW,QAAQ,KAAK,cAAc,QAAQ,IAAI,MAAM,GAAG;AAC7D,gBAAM,EAAE,YAAY,IAAI,YAAY,QAAQ,KAAK,QAAQ,IAAI,OAAO;AAAA,QACtE;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,IAAI,IAAY,KAAsC;AAC1D,UAAM,OAAO,MAAM,KAAK,QAAQ,CAAC,EAAE,GAAG,GAAG;AACzC,UAAM,MAAM,KAAK,IAAI,EAAE;AACvB,QAAI,QAAQ,UAAa,QAAQ,KAAM,QAAO;AAC9C,WAAO,KAAK,YAAY,GAAG;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBA,OAAO,YACL,cACA,QAC0B;AAC1B,UAAM,OACJ,WAAW,QAAQ,WAAW,SAC1B,EAAE,MAAM,OAAO,IACf,EAAE,MAAM,SAAS,OAAO;AAC9B,UAAM,SAAS,KAAK,UAAU,YAAY;AAG1C,UAAM,SAAS,KAAK,KAAK,EAAE,MAAM,OAAO,GAAG,EAAE,aAAa,CAAC;AAE3D,QAAI,KAAK,iBAAiB;AACxB,uBAAiB,WAAW,QAAQ;AAClC,cAAM,KAAK,SAAS,SAAS,QAAQ,MAAM;AAAA,MAC7C;AACA;AAAA,IACF;AASA,QAAI,OAAgC;AACpC,qBAAiB,WAAW,QAAQ;AAClC,UAAI,SAAS,KAAM,OAAM,KAAK,SAAS,MAAM,MAAS;AACtD,aAAO;AAAA,IACT;AACA,QAAI,SAAS,KAAM,OAAM,KAAK,SAAS,MAAM,KAAK,MAAM;AAAA,EAC1D;AAAA;AAAA,EAGQ,SAAS,SAA2B,QAA4B;AACtE,WAAO;AAAA,MACL,YAAY,QAAQ;AAAA,MACpB,WAAW;AAAA,MACX,QAAQ,QAAQ;AAAA,MAChB;AAAA,MACA,QAAQ,KAAK;AAAA,IACf;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-M6QLSLPO.js

@@ -0,0 +1,97 @@
+import {
+  ConnectionBrokenError
+} from "./chunk-2N4UG4VD.js";
+
+// runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts
+var REFRESH_SAFETY_MS = 5 * 60 * 1e3;
+var OAuth2RefreshStrategy = class {
+  connectionReader;
+  tokenWriter;
+  fetchImpl;
+  now;
+  constructor(opts) {
+    this.connectionReader = opts.connectionReader;
+    this.tokenWriter = opts.tokenWriter;
+    this.fetchImpl = opts.fetch ?? fetch;
+    this.now = opts.now ?? Date.now;
+  }
+  async resolve(connectionId, opts = {}) {
+    const connection = await this.connectionReader.findByIdDecrypted(connectionId);
+    if (!connection) {
+      throw new Error(`Connection ${connectionId} not found`);
+    }
+    if (connection.provider !== this.provider) {
+      throw new Error(
+        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`
+      );
+    }
+    const needsRefresh = opts.forceRefresh || this.isExpiring(connection.expiresAt) || !connection.accessToken;
+    if (!needsRefresh) {
+      return this.buildCredentials(connection.accessToken, connection);
+    }
+    if (!connection.refreshToken) {
+      throw new ConnectionBrokenError(
+        connectionId,
+        "no_refresh_token",
+        "Connection has no refresh token; user must reconnect"
+      );
+    }
+    const { parsed, raw } = await this.executeRefresh(
+      connectionId,
+      connection.refreshToken
+    );
+    const newExpiresAt = new Date(
+      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1e3
+    );
+    await this.tokenWriter.persistRefresh({
+      connectionId,
+      accessToken: parsed.accessToken,
+      refreshToken: parsed.refreshToken ?? void 0,
+      expiresAt: newExpiresAt
+    });
+    return this.buildCredentials(parsed.accessToken, connection, raw);
+  }
+  async executeRefresh(connectionId, refreshToken) {
+    const body = new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: refreshToken,
+      ...this.refreshBodyExtras()
+    });
+    const response = await this.fetchImpl(this.tokenEndpoint(), {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: body.toString()
+    });
+    if (!response.ok) {
+      const err = await safeJson(response);
+      if (response.status === 400 && (err.error === "invalid_grant" || err.error === "invalid_token")) {
+        throw new ConnectionBrokenError(
+          connectionId,
+          err.error ?? "invalid_grant",
+          err.error_description ?? err.message ?? "refresh token rejected"
+        );
+      }
+      throw new Error(
+        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ""} ${err.error_description ?? err.message ?? ""}`.trim()
+      );
+    }
+    const raw = await response.json();
+    return { parsed: this.parseRefreshResponse(raw), raw };
+  }
+  isExpiring(expiresAt) {
+    if (!expiresAt) return true;
+    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;
+  }
+};
+async function safeJson(response) {
+  try {
+    return await response.clone().json();
+  } catch {
+    return {};
+  }
+}
+
+export {
+  OAuth2RefreshStrategy
+};
+//# sourceMappingURL=chunk-M6QLSLPO.js.map

package/dist/chunk-M6QLSLPO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/runtime/oauth2-refresh.strategy.ts"],"sourcesContent":["/**\n * Abstract base class for OAuth2 refresh-token strategies.\n *\n * Template-method pattern: `resolve()` is concrete; four small hooks inject\n * provider specifics. Validated across two providers (Salesforce, HubSpot)\n * in the extraction-source app before being extracted here — see\n * `docs/gate-1-auth-extraction-findings.md` for the \"build first, extract\n * later\" evidence.\n *\n * Subclass contract:\n *   - `provider`                — slug matched against `connections.provider`\n *   - `defaultExpiresInSec`     — fallback when refresh response omits `expires_in`\n *   - `tokenEndpoint()`         — URL to POST the refresh grant\n *   - `refreshBodyExtras()`     — provider-specific body params\n *   - `parseRefreshResponse()`  — raw JSON → ParsedRefreshResponse\n *   - `buildCredentials()`      — stored or freshly-refreshed access token +\n *                                 connection + optional raw refresh response\n *                                 → provider credentials\n *\n * Base handles: expiry check w/ 5-min safety window, `forceRefresh` escape\n * hatch, POST form-urlencoded body, OAuth2 error mapping to\n * `ConnectionBrokenError`, refresh-token rotation persistence, fetch +\n * clock injection for tests.\n */\nimport type {\n  AuthCredentials,\n  AuthResolveOptions,\n  IAuthStrategy,\n} from '../protocols/auth-strategy';\nimport type {\n  DecryptedConnection,\n  IConnectionReader,\n  IConnectionTokenWriter,\n} from '../protocols/connection-store';\nimport { ConnectionBrokenError } from './connection-broken.error';\n\nexport type FetchLike = (\n  input: string | URL | Request,\n  init?: RequestInit,\n) => Promise<Response>;\n\n/** Safety window before expiry that triggers a refresh. */\nconst REFRESH_SAFETY_MS = 5 * 60 * 1000;\n\nexport interface OAuth2RefreshStrategyOptions {\n  connectionReader: IConnectionReader;\n  tokenWriter: IConnectionTokenWriter;\n  /** Injectable fetch for tests. Defaults to the global `fetch`. */\n  fetch?: FetchLike;\n  /** Injectable clock for tests. Defaults to `Date.now`. */\n  now?: () => number;\n}\n\nexport interface ParsedRefreshResponse {\n  accessToken: string;\n  /**\n   * New refresh token if the provider rotated it (HubSpot: always, Salesforce:\n   * sometimes). Omit when the provider reused the old refresh token.\n   */\n  refreshToken?: string;\n  /** Seconds from now. If omitted, subclass `defaultExpiresInSec` applies. */\n  expiresInSec?: number;\n}\n\nexport abstract class OAuth2RefreshStrategy implements IAuthStrategy {\n  protected abstract readonly provider: string;\n  protected abstract readonly defaultExpiresInSec: number;\n\n  protected readonly connectionReader: IConnectionReader;\n  protected readonly tokenWriter: IConnectionTokenWriter;\n  protected readonly fetchImpl: FetchLike;\n  protected readonly now: () => number;\n\n  constructor(opts: OAuth2RefreshStrategyOptions) {\n    this.connectionReader = opts.connectionReader;\n    this.tokenWriter = opts.tokenWriter;\n    this.fetchImpl = opts.fetch ?? fetch;\n    this.now = opts.now ?? Date.now;\n  }\n\n  async resolve(\n    connectionId: string,\n    opts: AuthResolveOptions = {},\n  ): Promise<AuthCredentials> {\n    const connection =\n      await this.connectionReader.findByIdDecrypted(connectionId);\n    if (!connection) {\n      throw new Error(`Connection ${connectionId} not found`);\n    }\n    if (connection.provider !== this.provider) {\n      throw new Error(\n        `${this.constructor.name} called for non-${this.provider} connection ${connectionId} (provider=${connection.provider})`,\n      );\n    }\n\n    const needsRefresh =\n      opts.forceRefresh ||\n      this.isExpiring(connection.expiresAt) ||\n      !connection.accessToken;\n\n    if (!needsRefresh) {\n      return this.buildCredentials(connection.accessToken, connection);\n    }\n\n    if (!connection.refreshToken) {\n      throw new ConnectionBrokenError(\n        connectionId,\n        'no_refresh_token',\n        'Connection has no refresh token; user must reconnect',\n      );\n    }\n\n    const { parsed, raw } = await this.executeRefresh(\n      connectionId,\n      connection.refreshToken,\n    );\n    const newExpiresAt = new Date(\n      this.now() + (parsed.expiresInSec ?? this.defaultExpiresInSec) * 1000,\n    );\n    await this.tokenWriter.persistRefresh({\n      connectionId,\n      accessToken: parsed.accessToken,\n      refreshToken: parsed.refreshToken ?? undefined,\n      expiresAt: newExpiresAt,\n    });\n\n    return this.buildCredentials(parsed.accessToken, connection, raw);\n  }\n\n  protected abstract tokenEndpoint(): string;\n  protected abstract refreshBodyExtras(): Record<string, string>;\n  protected abstract parseRefreshResponse(raw: unknown): ParsedRefreshResponse;\n  protected abstract buildCredentials(\n    accessToken: string,\n    connection: DecryptedConnection,\n    refreshRaw?: unknown,\n  ): AuthCredentials;\n\n  private async executeRefresh(\n    connectionId: string,\n    refreshToken: string,\n  ): Promise<{ parsed: ParsedRefreshResponse; raw: unknown }> {\n    const body = new URLSearchParams({\n      grant_type: 'refresh_token',\n      refresh_token: refreshToken,\n      ...this.refreshBodyExtras(),\n    });\n    const response = await this.fetchImpl(this.tokenEndpoint(), {\n      method: 'POST',\n      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },\n      body: body.toString(),\n    });\n    if (!response.ok) {\n      const err = (await safeJson(response)) as Partial<{\n        error: string;\n        error_description: string;\n        message: string;\n      }>;\n      if (\n        response.status === 400 &&\n        (err.error === 'invalid_grant' || err.error === 'invalid_token')\n      ) {\n        throw new ConnectionBrokenError(\n          connectionId,\n          err.error ?? 'invalid_grant',\n          err.error_description ?? err.message ?? 'refresh token rejected',\n        );\n      }\n      throw new Error(\n        `${this.provider} token refresh failed: ${response.status} ${err.error ?? ''} ${err.error_description ?? err.message ?? ''}`.trim(),\n      );\n    }\n    const raw = await response.json();\n    return { parsed: this.parseRefreshResponse(raw), raw };\n  }\n\n  private isExpiring(expiresAt: Date | null): boolean {\n    if (!expiresAt) return true;\n    return expiresAt.getTime() - this.now() < REFRESH_SAFETY_MS;\n  }\n}\n\nasync function safeJson(response: Response): Promise<unknown> {\n  try {\n    return await response.clone().json();\n  } catch {\n    return {};\n  }\n}\n"],"mappings":";;;;;AA0CA,IAAM,oBAAoB,IAAI,KAAK;AAsB5B,IAAe,wBAAf,MAA8D;AAAA,EAIhD;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EAEnB,YAAY,MAAoC;AAC9C,SAAK,mBAAmB,KAAK;AAC7B,SAAK,cAAc,KAAK;AACxB,SAAK,YAAY,KAAK,SAAS;AAC/B,SAAK,MAAM,KAAK,OAAO,KAAK;AAAA,EAC9B;AAAA,EAEA,MAAM,QACJ,cACA,OAA2B,CAAC,GACF;AAC1B,UAAM,aACJ,MAAM,KAAK,iBAAiB,kBAAkB,YAAY;AAC5D,QAAI,CAAC,YAAY;AACf,YAAM,IAAI,MAAM,cAAc,YAAY,YAAY;AAAA,IACxD;AACA,QAAI,WAAW,aAAa,KAAK,UAAU;AACzC,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,mBAAmB,KAAK,QAAQ,eAAe,YAAY,cAAc,WAAW,QAAQ;AAAA,MACtH;AAAA,IACF;AAEA,UAAM,eACJ,KAAK,gBACL,KAAK,WAAW,WAAW,SAAS,KACpC,CAAC,WAAW;AAEd,QAAI,CAAC,cAAc;AACjB,aAAO,KAAK,iBAAiB,WAAW,aAAa,UAAU;AAAA,IACjE;AAEA,QAAI,CAAC,WAAW,cAAc;AAC5B,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAEA,UAAM,EAAE,QAAQ,IAAI,IAAI,MAAM,KAAK;AAAA,MACjC;AAAA,MACA,WAAW;AAAA,IACb;AACA,UAAM,eAAe,IAAI;AAAA,MACvB,KAAK,IAAI,KAAK,OAAO,gBAAgB,KAAK,uBAAuB;AAAA,IACnE;AACA,UAAM,KAAK,YAAY,eAAe;AAAA,MACpC;AAAA,MACA,aAAa,OAAO;AAAA,MACpB,cAAc,OAAO,gBAAgB;AAAA,MACrC,WAAW;AAAA,IACb,CAAC;AAED,WAAO,KAAK,iBAAiB,OAAO,aAAa,YAAY,GAAG;AAAA,EAClE;AAAA,EAWA,MAAc,eACZ,cACA,cAC0D;AAC1D,UAAM,OAAO,IAAI,gBAAgB;AAAA,MAC/B,YAAY;AAAA,MACZ,eAAe;AAAA,MACf,GAAG,KAAK,kBAAkB;AAAA,IAC5B,CAAC;AACD,UAAM,WAAW,MAAM,KAAK,UAAU,KAAK,cAAc,GAAG;AAAA,MAC1D,QAAQ;AAAA,MACR,SAAS,EAAE,gBAAgB,oCAAoC;AAAA,MAC/D,MAAM,KAAK,SAAS;AAAA,IACtB,CAAC;AACD,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,MAAO,MAAM,SAAS,QAAQ;AAKpC,UACE,SAAS,WAAW,QACnB,IAAI,UAAU,mBAAmB,IAAI,UAAU,kBAChD;AACA,cAAM,IAAI;AAAA,UACR;AAAA,UACA,IAAI,SAAS;AAAA,UACb,IAAI,qBAAqB,IAAI,WAAW;AAAA,QAC1C;AAAA,MACF;AACA,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,QAAQ,0BAA0B,SAAS,MAAM,IAAI,IAAI,SAAS,EAAE,IAAI,IAAI,qBAAqB,IAAI,WAAW,EAAE,GAAG,KAAK;AAAA,MACpI;AAAA,IACF;AACA,UAAM,MAAM,MAAM,SAAS,KAAK;AAChC,WAAO,EAAE,QAAQ,KAAK,qBAAqB,GAAG,GAAG,IAAI;AAAA,EACvD;AAAA,EAEQ,WAAW,WAAiC;AAClD,QAAI,CAAC,UAAW,QAAO;AACvB,WAAO,UAAU,QAAQ,IAAI,KAAK,IAAI,IAAI;AAAA,EAC5C;AACF;AAEA,eAAe,SAAS,UAAsC;AAC5D,MAAI;AACF,WAAO,MAAM,SAAS,MAAM,EAAE,KAAK;AAAA,EACrC,QAAQ;AACN,WAAO,CAAC;AAAA,EACV;AACF;","names":[]}

package/dist/chunk-MZ6GV4YF.js

@@ -0,0 +1,21 @@
+// runtime/subsystems/integration/integration-errors.ts
+var MissingTenantIdError = class extends Error {
+  name = "MissingTenantIdError";
+  constructor(operation) {
+    super(
+      `Missing tenantId for integration operation '${operation}'. IntegrationModule is configured with multiTenant: true \u2014 every call must include a non-null tenantId. Either pass the tenantId or disable multi-tenancy on the module.`
+    );
+  }
+};
+function assertTenantId(tenantId, options) {
+  if (!options.multiTenant) return;
+  if (tenantId === void 0 || tenantId === null) {
+    throw new MissingTenantIdError(options.operation);
+  }
+}
+
+export {
+  MissingTenantIdError,
+  assertTenantId
+};
+//# sourceMappingURL=chunk-MZ6GV4YF.js.map

package/dist/chunk-MZ6GV4YF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/integration/integration-errors.ts"],"sourcesContent":["/**\n * Typed errors + shared boundary helpers for the integration subsystem.\n *\n * Classes (not bare Error) so consumers can `instanceof` them in catch\n * blocks and exception filters can map them to HTTP codes.\n *\n * Mirrors the shape of `events-errors.ts` and `jobs-errors.ts`.\n */\n\n/**\n * Thrown by the Drizzle cursor-store / run-recorder backends AND by the\n * orchestrator entry point when `INTEGRATION_MULTI_TENANT` is enabled but the\n * caller did not supply a non-null `tenantId`. Strict enforcement at the\n * boundary — explicit `null` still throws.\n *\n * Disable multi-tenancy on the module (`multiTenant: false`, the default)\n * to opt out of the requirement entirely.\n *\n * `operation` identifies the call site (e.g. `'cursor.put'`,\n * `'startRun'`, `'execute'`) so the stack-trace message points at the\n * specific boundary that rejected the input.\n */\nexport class MissingTenantIdError extends Error {\n  override readonly name = 'MissingTenantIdError';\n  constructor(operation: string) {\n    super(\n      `Missing tenantId for integration operation '${operation}'. IntegrationModule is ` +\n        `configured with multiTenant: true — every call must include a ` +\n        `non-null tenantId. Either pass the tenantId or disable multi-` +\n        `tenancy on the module.`,\n    );\n  }\n}\n\n/**\n * Shared boundary guard — used at the orchestrator entry AND inside the\n * Drizzle backends. Keeping the check in one function guarantees every\n * `MissingTenantIdError` carries the same message shape regardless of the\n * site that raised it, which makes it easier for consumers to pattern-\n * match on the error in logs/metrics.\n *\n * When `multiTenant` is false, the function is a no-op — `tenantId` may\n * be anything (including `undefined`). When true, `undefined` or `null`\n * throws.\n */\nexport function assertTenantId(\n  tenantId: string | null | undefined,\n  options: { multiTenant: boolean; operation: string },\n): asserts tenantId is string {\n  if (!options.multiTenant) return;\n  if (tenantId === undefined || tenantId === null) {\n    throw new MissingTenantIdError(options.operation);\n  }\n}\n"],"mappings":";AAsBO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EAC5B,OAAO;AAAA,EACzB,YAAY,WAAmB;AAC7B;AAAA,MACE,+CAA+C,SAAS;AAAA,IAI1D;AAAA,EACF;AACF;AAaO,SAAS,eACd,UACA,SAC4B;AAC5B,MAAI,CAAC,QAAQ,YAAa;AAC1B,MAAI,aAAa,UAAa,aAAa,MAAM;AAC/C,UAAM,IAAI,qBAAqB,QAAQ,SAAS;AAAA,EAClD;AACF;","names":[]}

package/dist/chunk-N5OTOWTP.js

@@ -0,0 +1,55 @@
+import {
+  OAuthStateError
+} from "./chunk-BPARRK6F.js";
+import {
+  authOAuthState
+} from "./chunk-NPFPZ2HO.js";
+
+// runtime/subsystems/auth/backends/state-store.drizzle-backend.ts
+import { randomBytes } from "crypto";
+import { eq } from "drizzle-orm";
+var DrizzleOAuthStateStore = class {
+  constructor(db, opts = {}) {
+    this.db = db;
+    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1e3;
+    this.now = opts.now ?? (() => Date.now());
+    this.generateToken = opts.generateToken ?? (() => randomBytes(32).toString("base64url"));
+  }
+  db;
+  ttlMs;
+  now;
+  generateToken;
+  async generate(record) {
+    const state = this.generateToken();
+    const expiresAt = new Date(this.now() + this.ttlMs);
+    await this.db.insert(authOAuthState).values({
+      state,
+      userId: record.userId,
+      redirect: record.redirect ?? null,
+      expiresAt
+    });
+    return state;
+  }
+  async consume(state) {
+    const rows = await this.db.delete(authOAuthState).where(eq(authOAuthState.state, state)).returning();
+    const row = rows[0];
+    if (!row) {
+      throw new OAuthStateError(
+        `OAuth state token unknown or already consumed`,
+        "missing"
+      );
+    }
+    if (row.expiresAt.getTime() <= this.now()) {
+      throw new OAuthStateError(`OAuth state token expired`, "expired");
+    }
+    return {
+      userId: row.userId,
+      redirect: row.redirect ?? void 0
+    };
+  }
+};
+
+export {
+  DrizzleOAuthStateStore
+};
+//# sourceMappingURL=chunk-N5OTOWTP.js.map

package/dist/chunk-N5OTOWTP.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/backends/state-store.drizzle-backend.ts"],"sourcesContent":["/**\n * Drizzle-backed `IOAuthStateStore`.\n *\n * Uses the `auth_oauth_state` table (see `auth-oauth-state.schema.ts`).\n * Single-use semantics enforced via `DELETE ... RETURNING`: the consume\n * path atomically deletes and returns the row, so a concurrent /callback\n * with the same state cannot replay.\n *\n * Behaviour:\n *   - `generate(record)` mints a 256-bit base64url token, INSERTs the row\n *     with `expires_at = now() + ttlMs`.\n *   - `consume(state)` runs `DELETE ... WHERE state = $1 RETURNING ...`\n *     once. Throws `OAuthStateError('missing')` if no row was deleted\n *     (unknown or already consumed) and `OAuthStateError('expired')` if\n *     the deleted row was past its `expires_at`.\n */\nimport { randomBytes } from 'node:crypto';\nimport { eq } from 'drizzle-orm';\nimport type { DrizzleClient } from '../../../types/drizzle';\nimport { authOAuthState } from '../auth-oauth-state.schema';\nimport {\n  type IOAuthStateStore,\n  type OAuthStateRecord,\n  OAuthStateError,\n} from '../protocols/oauth-state-store';\n\nexport interface DrizzleOAuthStateStoreOptions {\n  /** TTL in ms. Default 10 minutes. */\n  ttlMs?: number;\n  /** Injectable clock for tests. Default `Date.now`. */\n  now?: () => number;\n  /** Injectable token generator for tests. Default 32-byte base64url. */\n  generateToken?: () => string;\n}\n\nexport class DrizzleOAuthStateStore implements IOAuthStateStore {\n  private readonly ttlMs: number;\n  private readonly now: () => number;\n  private readonly generateToken: () => string;\n\n  constructor(\n    private readonly db: DrizzleClient,\n    opts: DrizzleOAuthStateStoreOptions = {},\n  ) {\n    this.ttlMs = opts.ttlMs ?? 10 * 60 * 1000;\n    this.now = opts.now ?? (() => Date.now());\n    this.generateToken =\n      opts.generateToken ?? (() => randomBytes(32).toString('base64url'));\n  }\n\n  async generate(record: OAuthStateRecord): Promise<string> {\n    const state = this.generateToken();\n    const expiresAt = new Date(this.now() + this.ttlMs);\n    await this.db.insert(authOAuthState).values({\n      state,\n      userId: record.userId,\n      redirect: record.redirect ?? null,\n      expiresAt,\n    });\n    return state;\n  }\n\n  async consume(state: string): Promise<OAuthStateRecord> {\n    const rows = await this.db\n      .delete(authOAuthState)\n      .where(eq(authOAuthState.state, state))\n      .returning();\n    const row = rows[0];\n    if (!row) {\n      throw new OAuthStateError(\n        `OAuth state token unknown or already consumed`,\n        'missing',\n      );\n    }\n    if (row.expiresAt.getTime() <= this.now()) {\n      throw new OAuthStateError(`OAuth state token expired`, 'expired');\n    }\n    return {\n      userId: row.userId,\n      redirect: row.redirect ?? undefined,\n    };\n  }\n}\n"],"mappings":";;;;;;;;AAgBA,SAAS,mBAAmB;AAC5B,SAAS,UAAU;AAkBZ,IAAM,yBAAN,MAAyD;AAAA,EAK9D,YACmB,IACjB,OAAsC,CAAC,GACvC;AAFiB;AAGjB,SAAK,QAAQ,KAAK,SAAS,KAAK,KAAK;AACrC,SAAK,MAAM,KAAK,QAAQ,MAAM,KAAK,IAAI;AACvC,SAAK,gBACH,KAAK,kBAAkB,MAAM,YAAY,EAAE,EAAE,SAAS,WAAW;AAAA,EACrE;AAAA,EAPmB;AAAA,EALF;AAAA,EACA;AAAA,EACA;AAAA,EAYjB,MAAM,SAAS,QAA2C;AACxD,UAAM,QAAQ,KAAK,cAAc;AACjC,UAAM,YAAY,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,KAAK;AAClD,UAAM,KAAK,GAAG,OAAO,cAAc,EAAE,OAAO;AAAA,MAC1C;AAAA,MACA,QAAQ,OAAO;AAAA,MACf,UAAU,OAAO,YAAY;AAAA,MAC7B;AAAA,IACF,CAAC;AACD,WAAO;AAAA,EACT;AAAA,EAEA,MAAM,QAAQ,OAA0C;AACtD,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,cAAc,EACrB,MAAM,GAAG,eAAe,OAAO,KAAK,CAAC,EACrC,UAAU;AACb,UAAM,MAAM,KAAK,CAAC;AAClB,QAAI,CAAC,KAAK;AACR,YAAM,IAAI;AAAA,QACR;AAAA,QACA;AAAA,MACF;AAAA,IACF;AACA,QAAI,IAAI,UAAU,QAAQ,KAAK,KAAK,IAAI,GAAG;AACzC,YAAM,IAAI,gBAAgB,6BAA6B,SAAS;AAAA,IAClE;AACA,WAAO;AAAA,MACL,QAAQ,IAAI;AAAA,MACZ,UAAU,IAAI,YAAY;AAAA,IAC5B;AAAA,EACF;AACF;","names":[]}

package/dist/chunk-NN7XZEGF.js

@@ -0,0 +1,14 @@
+import {
+  BaseRepository
+} from "./chunk-J6KZS54B.js";
+
+// runtime/base-classes/knowledge-entity-repository.ts
+var KnowledgeEntityRepository = class extends BaseRepository {
+  // pgvector-dependent methods will be added when the extension is available:
+  //   semanticSearch, findPendingByOpportunityId, updateStatus, updateStatusBatch
+};
+
+export {
+  KnowledgeEntityRepository
+};
+//# sourceMappingURL=chunk-NN7XZEGF.js.map

package/dist/chunk-NN7XZEGF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/base-classes/knowledge-entity-repository.ts"],"sourcesContent":["/**\n * KnowledgeEntityRepository<TEntity>\n *\n * Stub for the knowledge family (requires pgvector — parked for now).\n * Concrete repos extend this when pgvector is available.\n */\nimport { BaseRepository } from './base-repository';\n\nexport abstract class KnowledgeEntityRepository<TEntity> extends BaseRepository<TEntity> {\n  // pgvector-dependent methods will be added when the extension is available:\n  //   semanticSearch, findPendingByOpportunityId, updateStatus, updateStatusBatch\n}\n"],"mappings":";;;;;AAQO,IAAe,4BAAf,cAA0D,eAAwB;AAAA;AAAA;AAGzF;","names":[]}

package/dist/chunk-NPFPZ2HO.js

@@ -0,0 +1,13 @@
+// runtime/subsystems/auth/auth-oauth-state.schema.ts
+import { pgTable, text, timestamp } from "drizzle-orm/pg-core";
+var authOAuthState = pgTable("auth_oauth_state", {
+  state: text("state").primaryKey(),
+  userId: text("user_id").notNull(),
+  redirect: text("redirect"),
+  expiresAt: timestamp("expires_at", { withTimezone: true }).notNull()
+});
+
+export {
+  authOAuthState
+};
+//# sourceMappingURL=chunk-NPFPZ2HO.js.map

package/dist/chunk-NPFPZ2HO.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/auth/auth-oauth-state.schema.ts"],"sourcesContent":["/**\n * Drizzle schema for the `auth_oauth_state` table — backs the\n * `DrizzleOAuthStateStore` (`state-store.drizzle-backend.ts`).\n *\n * One row per outstanding /connect → /callback dance. Single-use; rows are\n * deleted on consume. A periodic sweep (or a `WHERE expires_at < now()`\n * filter on read) clears abandoned rows.\n *\n * Columns:\n *   - `state`       — opaque random token, primary key.\n *   - `user_id`     — text (matches the consumer-defined user-id shape;\n *                     the auth subsystem doesn't constrain this to UUID\n *                     because some apps key users by external id).\n *   - `redirect`    — optional post-callback redirect path.\n *   - `expires_at`  — TTL boundary; entries past this are treated as absent.\n *\n * Convention: schema files live at the root of the subsystem dir\n * (mirrors `cache.schema.ts`, `integration-audit.schema.ts`, `domain-events.schema.ts`).\n */\nimport { pgTable, text, timestamp } from 'drizzle-orm/pg-core';\nimport type { InferSelectModel } from 'drizzle-orm';\n\nexport const authOAuthState = pgTable('auth_oauth_state', {\n  state: text('state').primaryKey(),\n  userId: text('user_id').notNull(),\n  redirect: text('redirect'),\n  expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),\n});\n\nexport type AuthOAuthState = InferSelectModel<typeof authOAuthState>;\n"],"mappings":";AAmBA,SAAS,SAAS,MAAM,iBAAiB;AAGlC,IAAM,iBAAiB,QAAQ,oBAAoB;AAAA,EACxD,OAAO,KAAK,OAAO,EAAE,WAAW;AAAA,EAChC,QAAQ,KAAK,SAAS,EAAE,QAAQ;AAAA,EAChC,UAAU,KAAK,UAAU;AAAA,EACzB,WAAW,UAAU,cAAc,EAAE,cAAc,KAAK,CAAC,EAAE,QAAQ;AACrE,CAAC;","names":[]}

package/dist/chunk-NXXDZ6ZF.js

@@ -0,0 +1,42 @@
+// runtime/subsystems/bridge/bridge-errors.ts
+var MissingTenantIdError = class extends Error {
+  constructor(callSite) {
+    super(
+      `MissingTenantIdError: BridgeModule was configured with multiTenant=true but ${callSite} was called without tenantId (undefined). Pass an explicit tenantId, or pass null for cross-tenant work.`
+    );
+    this.callSite = callSite;
+  }
+  callSite;
+  name = "MissingTenantIdError";
+};
+var BridgeReservedPoolsNotPolledError = class extends Error {
+  constructor(missingPools) {
+    super(
+      `BridgeModule loaded but JobWorkerModule is not polling reserved pool '${missingPools[0]}'. Add ...BRIDGE_RESERVED_POOLS to your JobWorkerModule.forRoot({ pools }) configuration. Missing pools: ${missingPools.join(", ")}. (Bridge-fanout wrappers will sit pending forever without these pollers.)`
+    );
+    this.missingPools = missingPools;
+  }
+  missingPools;
+  name = "BridgeReservedPoolsNotPolledError";
+};
+var UniqueConstraintError = class extends Error {
+  constructor(constraint, eventId, triggerId) {
+    super(
+      `UniqueConstraintError: duplicate insert into bridge_delivery for (event_id='${eventId}', trigger_id='${triggerId}') \u2014 violates constraint '${constraint}'.`
+    );
+    this.constraint = constraint;
+    this.eventId = eventId;
+    this.triggerId = triggerId;
+  }
+  constraint;
+  eventId;
+  triggerId;
+  name = "UniqueConstraintError";
+};
+
+export {
+  MissingTenantIdError,
+  BridgeReservedPoolsNotPolledError,
+  UniqueConstraintError
+};
+//# sourceMappingURL=chunk-NXXDZ6ZF.js.map

package/dist/chunk-NXXDZ6ZF.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/bridge/bridge-errors.ts"],"sourcesContent":["/**\n * Typed errors for the bridge subsystem (ADR-023 Phase 2, BRIDGE-2).\n *\n * All thrown by the three enforcement sites named in ADR-023 §Multi-tenancy:\n *   - `EventFlowService.publishAndStart` entry (BRIDGE-7)\n *   - `BridgeDeliveryHandler.handle` entry (BRIDGE-5)\n *   - `DrizzleBridgeDeliveryRepo.insertDelivery` pre-write (BRIDGE-4)\n *\n * Same shape as `runtime/subsystems/jobs/jobs-errors.ts` and\n * `runtime/subsystems/events/events-errors.ts` so consumers can catch them\n * with the same exception-filter pattern across all three subsystems.\n */\n\n/**\n * Thrown when `BridgeModule` was configured with `multiTenant: true` but\n * the caller did not pass a `tenantId` at one of the three enforcement\n * sites listed above.\n *\n * **Strict enforcement rationale (mirrors JOB-8 / SYNC-6 stance, locked\n * 2026-04-18 for jobs; same rationale applies here).** Cross-tenant data\n * leakage is the worst class of bug a multi-tenant system can ship;\n * surfacing the misuse loudly at the call site (rather than silently\n * defaulting to `null` or to \"the last tenant seen\") prevents both\n * accidental global writes and sneaky reads that return a union of tenants.\n *\n * - `undefined` `tenantId` → throw this error.\n * - Explicit `null` `tenantId` → passes; opts the call into cross-tenant\n *   work (e.g. a system housekeeping event with no owning tenant). The\n *   `bridge_delivery` row is persisted with `tenant_id = NULL`.\n *\n * The `callSite` constructor argument names which of the three enforcement\n * sites threw — review reports and ops dashboards rely on a stable site\n * name, so use the canonical strings: `'EventFlowService.publishAndStart'`,\n * `'BridgeDeliveryHandler.handle'`,\n * `'DrizzleBridgeDeliveryRepo.insertDelivery'`.\n */\nexport class MissingTenantIdError extends Error {\n  override readonly name = 'MissingTenantIdError';\n  constructor(public readonly callSite: string) {\n    super(\n      `MissingTenantIdError: BridgeModule was configured with ` +\n        `multiTenant=true but ${callSite} was called without tenantId ` +\n        `(undefined). Pass an explicit tenantId, or pass null for ` +\n        `cross-tenant work.`,\n    );\n  }\n}\n\n/**\n * Synthetic error thrown by `MemoryBridgeDeliveryRepo.insertDelivery` when\n * a duplicate `(event_id, trigger_id)` insert hits the simulated UNIQUE\n * constraint (BRIDGE-3).\n *\n * Carries a `constraint` field equal to the Drizzle constraint name\n * declared in BRIDGE-1's schema (`uq_bridge_delivery_event_trigger`) so\n * call sites can branch on the same discriminator regardless of which\n * backend is wired up. This matters because ADR-023 explicitly leans on\n * the constraint as the dedup mechanism in two places — outbox replay\n * and `publishAndStart` Case B — and BRIDGE-4 / BRIDGE-7 will share a\n * type-check path with BRIDGE-3-driven tests.\n *\n * The Drizzle backend (BRIDGE-4) does NOT throw this error: it uses\n * `INSERT … ON CONFLICT (event_id, trigger_id) DO NOTHING RETURNING id`\n * per the BRIDGE-4 spec recommendation, so collisions surface as an empty\n * result set rather than an exception. The error exists so the memory\n * backend can faithfully model the \"duplicate raises\" behaviour for tests\n * that want to assert the constraint actually fires.\n */\n/**\n * Thrown by `BridgeModule.onModuleInit` when `JobWorkerModule` is wired\n * alongside the bridge but its active `pools` list does not include one\n * or more of the three reserved bridge pools (`events_inbound`,\n * `events_change`, `events_outbound`).\n *\n * Without a worker polling those pools, the wrapper `job_run` rows the\n * outbox drain inserts (BRIDGE-4) sit `pending` forever — a silent\n * footgun where `eventFlow.publish(...)` returns success but no user\n * job ever spawns. The boot-time check converts that into a fail-fast.\n *\n * Operators can either (a) add `...BRIDGE_RESERVED_POOLS` to their\n * `JobWorkerModule.forRoot({ pools })` configuration so the same\n * process polls the reserved pools, or (b) run a separate worker\n * process per reserved pool for lane isolation (ADR-022 §Pool\n * isolation).\n */\nexport class BridgeReservedPoolsNotPolledError extends Error {\n  override readonly name = 'BridgeReservedPoolsNotPolledError';\n  constructor(public readonly missingPools: readonly string[]) {\n    super(\n      `BridgeModule loaded but JobWorkerModule is not polling reserved ` +\n        `pool '${missingPools[0]}'. Add ...BRIDGE_RESERVED_POOLS to your ` +\n        `JobWorkerModule.forRoot({ pools }) configuration. Missing pools: ` +\n        `${missingPools.join(', ')}. (Bridge-fanout wrappers will sit ` +\n        `pending forever without these pollers.)`,\n    );\n  }\n}\n\nexport class UniqueConstraintError extends Error {\n  override readonly name = 'UniqueConstraintError';\n  constructor(\n    public readonly constraint: string,\n    public readonly eventId: string,\n    public readonly triggerId: string,\n  ) {\n    super(\n      `UniqueConstraintError: duplicate insert into bridge_delivery for ` +\n        `(event_id='${eventId}', trigger_id='${triggerId}') — violates ` +\n        `constraint '${constraint}'.`,\n    );\n  }\n}\n"],"mappings":";AAoCO,IAAM,uBAAN,cAAmC,MAAM;AAAA,EAE9C,YAA4B,UAAkB;AAC5C;AAAA,MACE,+EAC0B,QAAQ;AAAA,IAGpC;AAN0B;AAAA,EAO5B;AAAA,EAP4B;AAAA,EADV,OAAO;AAS3B;AAuCO,IAAM,oCAAN,cAAgD,MAAM;AAAA,EAE3D,YAA4B,cAAiC;AAC3D;AAAA,MACE,yEACW,aAAa,CAAC,CAAC,4GAErB,aAAa,KAAK,IAAI,CAAC;AAAA,IAE9B;AAP0B;AAAA,EAQ5B;AAAA,EAR4B;AAAA,EADV,OAAO;AAU3B;AAEO,IAAM,wBAAN,cAAoC,MAAM;AAAA,EAE/C,YACkB,YACA,SACA,WAChB;AACA;AAAA,MACE,+EACgB,OAAO,kBAAkB,SAAS,kCACjC,UAAU;AAAA,IAC7B;AARgB;AACA;AACA;AAAA,EAOlB;AAAA,EATkB;AAAA,EACA;AAAA,EACA;AAAA,EAJA,OAAO;AAY3B;","names":[]}

package/dist/chunk-NYBCQZC7.js

@@ -0,0 +1,11 @@
+import {
+  tokenKey
+} from "./chunk-GYGNEQSC.js";
+
+// runtime/subsystems/storage/storage.tokens.ts
+var STORAGE = Symbol.for(tokenKey("storage", "storage"));
+
+export {
+  STORAGE
+};
+//# sourceMappingURL=chunk-NYBCQZC7.js.map

package/dist/chunk-NYBCQZC7.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/storage/storage.tokens.ts"],"sourcesContent":["/**\n * Injection token for the storage service.\n *\n * Usage in use cases:\n * ```typescript\n * constructor(@Inject(STORAGE) private readonly storage: IStorageService) {}\n * ```\n *\n * ADR-037: namespaced `Symbol.for(...)` key (via `tokenKey()`) so the token matches\n * by value across import boundaries (package vs vendored runtime copy).\n */\nimport { tokenKey } from '../token-key';\n\nexport const STORAGE = Symbol.for(tokenKey('storage', 'storage'));\n"],"mappings":";;;;;AAaO,IAAM,UAAU,OAAO,IAAI,SAAS,WAAW,SAAS,CAAC;","names":[]}

package/dist/chunk-O37C3YE6.js

@@ -0,0 +1,111 @@
+import {
+  DrizzleJobRunService
+} from "./chunk-FBGHYQIZ.js";
+import {
+  MemoryJobRunService
+} from "./chunk-RDVTWIYY.js";
+import {
+  DrizzleJobStepService
+} from "./chunk-DV4RV2DC.js";
+import {
+  BULLMQ_CONNECTION,
+  BULLMQ_RESOLVED_CONFIG,
+  resolveBullMqConfig
+} from "./chunk-I6MVCB5A.js";
+import {
+  DrizzleJobOrchestrator
+} from "./chunk-5Y7W3XR6.js";
+import {
+  MemoryJobOrchestrator
+} from "./chunk-4RFHUZXU.js";
+import {
+  MemoryJobStepService
+} from "./chunk-PNZSGAB2.js";
+import {
+  MemoryJobStore
+} from "./chunk-SNQ3TOWP.js";
+import {
+  JOBS_MULTI_TENANT,
+  JOB_ORCHESTRATOR,
+  JOB_RUN_SERVICE,
+  JOB_STEP_SERVICE
+} from "./chunk-BIO6F7YI.js";
+import {
+  DRIZZLE
+} from "./chunk-U64T4YZE.js";
+import {
+  __decorateClass
+} from "./chunk-2E224ZSN.js";
+
+// runtime/subsystems/jobs/jobs-domain.module.ts
+import { Module } from "@nestjs/common";
+var JobsDomainModule = class {
+  static forRoot(opts) {
+    const multiTenant = opts.multiTenant ?? false;
+    const providers = [
+      // JOB-8 — boolean provider consumed by the four service-layer backends.
+      // Always provided (even when `multiTenant === false`) so `@Inject`
+      // always resolves; backends short-circuit the enforcement path when
+      // the value is `false`. See `jobs-domain.tokens.ts` for the claim-loop
+      // cross-tenant-by-design decision.
+      { provide: JOBS_MULTI_TENANT, useValue: multiTenant }
+    ];
+    if (opts.backend === "memory") {
+      const store = new MemoryJobStore();
+      providers.push({ provide: MemoryJobStore, useValue: store });
+      providers.push(MemoryJobStepService);
+      providers.push({ provide: JOB_STEP_SERVICE, useExisting: MemoryJobStepService });
+      providers.push(MemoryJobOrchestrator);
+      providers.push({ provide: JOB_ORCHESTRATOR, useExisting: MemoryJobOrchestrator });
+      providers.push(MemoryJobRunService);
+      providers.push({ provide: JOB_RUN_SERVICE, useExisting: MemoryJobRunService });
+    } else if (opts.backend === "bullmq") {
+      const resolved = resolveBullMqConfig(opts.extensions?.bullmq);
+      providers.push({ provide: BULLMQ_CONNECTION, useValue: resolved.connection });
+      providers.push({ provide: BULLMQ_RESOLVED_CONFIG, useValue: resolved });
+      providers.push({
+        provide: JOB_ORCHESTRATOR,
+        useFactory: async (...args) => {
+          const specifier = "./job-orchestrator.bullmq-backend";
+          const mod = await import(specifier);
+          return new mod.BullMQJobOrchestrator(...args);
+        },
+        // The bullmq orchestrator constructor mirrors DrizzleJobOrchestrator's
+        // injection list: DRIZZLE + JOBS_MULTI_TENANT + the resolved BullMQ
+        // tokens. Importing token references would force a static dep on the
+        // tokens file in this module's import graph; using the existing
+        // symbols already in scope is sufficient.
+        inject: [DRIZZLE, JOBS_MULTI_TENANT, BULLMQ_CONNECTION, BULLMQ_RESOLVED_CONFIG]
+      });
+      providers.push({ provide: JOB_RUN_SERVICE, useClass: DrizzleJobRunService });
+      providers.push({ provide: JOB_STEP_SERVICE, useClass: DrizzleJobStepService });
+    } else {
+      providers.push({ provide: JOB_ORCHESTRATOR, useClass: DrizzleJobOrchestrator });
+      providers.push({ provide: JOB_RUN_SERVICE, useClass: DrizzleJobRunService });
+      providers.push({ provide: JOB_STEP_SERVICE, useClass: DrizzleJobStepService });
+    }
+    const exports = [
+      JOB_ORCHESTRATOR,
+      JOB_RUN_SERVICE,
+      JOB_STEP_SERVICE,
+      JOBS_MULTI_TENANT
+    ];
+    if (opts.backend === "bullmq") {
+      exports.push(BULLMQ_CONNECTION, BULLMQ_RESOLVED_CONFIG);
+    }
+    return {
+      module: JobsDomainModule,
+      global: true,
+      providers,
+      exports
+    };
+  }
+};
+JobsDomainModule = __decorateClass([
+  Module({})
+], JobsDomainModule);
+
+export {
+  JobsDomainModule
+};
+//# sourceMappingURL=chunk-O37C3YE6.js.map

package/dist/chunk-O37C3YE6.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/jobs/jobs-domain.module.ts"],"sourcesContent":["/**\n * JobsDomainModule — `DynamicModule.forRoot({ backend })` factory wiring\n * the three jobs-domain protocol tokens to a backend implementation\n * (ADR-022, JOB-5).\n *\n * Mirrors `EventsModule.forRoot()` exactly:\n *   - `global: true` so consumer entity modules don't have to import this\n *     individually — `JOB_ORCHESTRATOR` / `JOB_RUN_SERVICE` /\n *     `JOB_STEP_SERVICE` are available project-wide.\n *   - One backend at a time (Drizzle for production, Memory for tests).\n *\n * Backend swappability follows the core/extension protocol from CLAUDE.md:\n * the three tokens are the **core contract**; backend-specific tunables\n * live under `extensions.<backend>` so opting into a feature is explicit\n * and the type system reserves the slot.\n */\nimport { Module, type DynamicModule, type Provider } from '@nestjs/common';\nimport { DRIZZLE } from '../../constants/tokens';\nimport {\n  JOB_ORCHESTRATOR,\n  JOB_RUN_SERVICE,\n  JOB_STEP_SERVICE,\n  JOBS_MULTI_TENANT,\n} from './jobs-domain.tokens';\nimport { DrizzleJobOrchestrator } from './job-orchestrator.drizzle-backend';\nimport { DrizzleJobRunService } from './job-run-service.drizzle-backend';\nimport { DrizzleJobStepService } from './job-step-service.drizzle-backend';\n// #6 — `BullMQJobOrchestrator` is lazy-loaded only when `backend: 'bullmq'`\n// is selected. The backend file is filtered out of drizzle/memory installs\n// (see `backendFileFilter`); a non-literal dynamic import below sidesteps\n// consumer-side tsc resolution of an absent file.\nimport { MemoryJobOrchestrator } from './job-orchestrator.memory-backend';\nimport { MemoryJobRunService } from './job-run-service.memory-backend';\nimport { MemoryJobStepService } from './job-step-service.memory-backend';\nimport { MemoryJobStore } from './memory-job-store';\nimport {\n  BULLMQ_CONNECTION,\n  BULLMQ_RESOLVED_CONFIG,\n  resolveBullMqConfig,\n  type BullMqExtensionsConfig,\n} from './bullmq.config';\n\n/**\n * Drizzle backend extensions surface. None are wired into the Drizzle\n * orchestrator yet — this is the **typed reservation** for the LISTEN/NOTIFY\n * + tunable poll-interval extensions called out in ADR-022. App code\n * passing these today is parsed but not yet dispatched; when the\n * Drizzle orchestrator grows the consumer hooks, opt-in code paths will\n * read directly from these fields.\n */\nexport interface DrizzleBackendExtensions {\n  /** Use Postgres LISTEN/NOTIFY to wake the polling loop. Default false. */\n  listenNotify?: boolean;\n  /** Polling interval when LISTEN/NOTIFY is off (ms). Default 1000. */\n  pollIntervalMs?: number;\n}\n\nexport interface JobsDomainModuleOptions {\n  backend: 'drizzle' | 'memory' | 'bullmq';\n  /**\n   * Backend-specific extensions. Only the matching backend's extensions\n   * are read at boot; non-matching keys are ignored. This is the\n   * core/extension protocol surface — see CLAUDE.md.\n   */\n  extensions?: {\n    drizzle?: DrizzleBackendExtensions;\n    /**\n     * BullMQ backend extensions (BULLMQ-1). Snake_case mirrors the YAML\n     * under `jobs.extensions.bullmq`. `redis_url` falls back to\n     * `process.env.REDIS_URL` then `redis://localhost:6379`.\n     */\n    bullmq?: BullMqExtensionsConfig;\n  };\n  /** Multi-tenancy opt-in. Wired by JOB-8; module signature stays stable. */\n  multiTenant?: boolean;\n}\n\n@Module({})\nexport class JobsDomainModule {\n  static forRoot(opts: JobsDomainModuleOptions): DynamicModule {\n    const multiTenant = opts.multiTenant ?? false;\n\n    const providers: Provider[] = [\n      // JOB-8 — boolean provider consumed by the four service-layer backends.\n      // Always provided (even when `multiTenant === false`) so `@Inject`\n      // always resolves; backends short-circuit the enforcement path when\n      // the value is `false`. See `jobs-domain.tokens.ts` for the claim-loop\n      // cross-tenant-by-design decision.\n      { provide: JOBS_MULTI_TENANT, useValue: multiTenant },\n    ];\n\n    if (opts.backend === 'memory') {\n      // The store is a plain class — wired as a singleton `useValue` so\n      // unit tests can pull it out via `.get(MemoryJobStore)` for direct\n      // assertions (matches the access pattern in JOB-4 specs).\n      const store = new MemoryJobStore();\n      providers.push({ provide: MemoryJobStore, useValue: store });\n      providers.push(MemoryJobStepService);\n      providers.push({ provide: JOB_STEP_SERVICE, useExisting: MemoryJobStepService });\n      providers.push(MemoryJobOrchestrator);\n      providers.push({ provide: JOB_ORCHESTRATOR, useExisting: MemoryJobOrchestrator });\n      providers.push(MemoryJobRunService);\n      providers.push({ provide: JOB_RUN_SERVICE, useExisting: MemoryJobRunService });\n    } else if (opts.backend === 'bullmq') {\n      // BULLMQ-1 — BullMQ orchestrator over a Postgres source of truth. The\n      // run/step services stay Drizzle (domain reads + `listForScope` are\n      // Postgres queries, unchanged per spec). Only the orchestrator's\n      // claim/dispatch half swaps to BullMQ.\n      //\n      // #6 — the bullmq backend module is filtered out of drizzle/memory\n      // installs (no `bullmq` peer dep, no consumer-side tsc compile of an\n      // unused file). The factory below dynamic-imports it via a non-literal\n      // specifier so TS treats the module type as `any` and never tries to\n      // resolve the absent file on a drizzle/memory consumer.\n      const resolved = resolveBullMqConfig(opts.extensions?.bullmq);\n      providers.push({ provide: BULLMQ_CONNECTION, useValue: resolved.connection });\n      providers.push({ provide: BULLMQ_RESOLVED_CONFIG, useValue: resolved });\n      providers.push({\n        provide: JOB_ORCHESTRATOR,\n        useFactory: async (...args: unknown[]): Promise<object> => {\n          const specifier = './job-orchestrator.bullmq-backend';\n          const mod = (await import(specifier)) as {\n            BullMQJobOrchestrator: new (...args: unknown[]) => object;\n          };\n          return new mod.BullMQJobOrchestrator(...args);\n        },\n        // The bullmq orchestrator constructor mirrors DrizzleJobOrchestrator's\n        // injection list: DRIZZLE + JOBS_MULTI_TENANT + the resolved BullMQ\n        // tokens. Importing token references would force a static dep on the\n        // tokens file in this module's import graph; using the existing\n        // symbols already in scope is sufficient.\n        inject: [DRIZZLE, JOBS_MULTI_TENANT, BULLMQ_CONNECTION, BULLMQ_RESOLVED_CONFIG],\n      });\n      providers.push({ provide: JOB_RUN_SERVICE, useClass: DrizzleJobRunService });\n      providers.push({ provide: JOB_STEP_SERVICE, useClass: DrizzleJobStepService });\n    } else {\n      providers.push({ provide: JOB_ORCHESTRATOR, useClass: DrizzleJobOrchestrator });\n      providers.push({ provide: JOB_RUN_SERVICE, useClass: DrizzleJobRunService });\n      providers.push({ provide: JOB_STEP_SERVICE, useClass: DrizzleJobStepService });\n    }\n\n    const exports = [\n      JOB_ORCHESTRATOR,\n      JOB_RUN_SERVICE,\n      JOB_STEP_SERVICE,\n      JOBS_MULTI_TENANT,\n    ];\n    // BULLMQ-1 — only export the BullMQ tokens when they were actually\n    // provided. Nest throws \"exported but not provided\" otherwise. Exported so\n    // JobWorkerModule (which imports this module) can read the resolved\n    // connection/config to spawn BullMQ workers.\n    if (opts.backend === 'bullmq') {\n      exports.push(BULLMQ_CONNECTION, BULLMQ_RESOLVED_CONFIG);\n    }\n\n    return {\n      module: JobsDomainModule,\n      global: true,\n      providers,\n      exports,\n    };\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgBA,SAAS,cAAiD;AA8DnD,IAAM,mBAAN,MAAuB;AAAA,EAC5B,OAAO,QAAQ,MAA8C;AAC3D,UAAM,cAAc,KAAK,eAAe;AAExC,UAAM,YAAwB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,MAM5B,EAAE,SAAS,mBAAmB,UAAU,YAAY;AAAA,IACtD;AAEA,QAAI,KAAK,YAAY,UAAU;AAI7B,YAAM,QAAQ,IAAI,eAAe;AACjC,gBAAU,KAAK,EAAE,SAAS,gBAAgB,UAAU,MAAM,CAAC;AAC3D,gBAAU,KAAK,oBAAoB;AACnC,gBAAU,KAAK,EAAE,SAAS,kBAAkB,aAAa,qBAAqB,CAAC;AAC/E,gBAAU,KAAK,qBAAqB;AACpC,gBAAU,KAAK,EAAE,SAAS,kBAAkB,aAAa,sBAAsB,CAAC;AAChF,gBAAU,KAAK,mBAAmB;AAClC,gBAAU,KAAK,EAAE,SAAS,iBAAiB,aAAa,oBAAoB,CAAC;AAAA,IAC/E,WAAW,KAAK,YAAY,UAAU;AAWpC,YAAM,WAAW,oBAAoB,KAAK,YAAY,MAAM;AAC5D,gBAAU,KAAK,EAAE,SAAS,mBAAmB,UAAU,SAAS,WAAW,CAAC;AAC5E,gBAAU,KAAK,EAAE,SAAS,wBAAwB,UAAU,SAAS,CAAC;AACtE,gBAAU,KAAK;AAAA,QACb,SAAS;AAAA,QACT,YAAY,UAAU,SAAqC;AACzD,gBAAM,YAAY;AAClB,gBAAM,MAAO,MAAM,OAAO;AAG1B,iBAAO,IAAI,IAAI,sBAAsB,GAAG,IAAI;AAAA,QAC9C;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,QAMA,QAAQ,CAAC,SAAS,mBAAmB,mBAAmB,sBAAsB;AAAA,MAChF,CAAC;AACD,gBAAU,KAAK,EAAE,SAAS,iBAAiB,UAAU,qBAAqB,CAAC;AAC3E,gBAAU,KAAK,EAAE,SAAS,kBAAkB,UAAU,sBAAsB,CAAC;AAAA,IAC/E,OAAO;AACL,gBAAU,KAAK,EAAE,SAAS,kBAAkB,UAAU,uBAAuB,CAAC;AAC9E,gBAAU,KAAK,EAAE,SAAS,iBAAiB,UAAU,qBAAqB,CAAC;AAC3E,gBAAU,KAAK,EAAE,SAAS,kBAAkB,UAAU,sBAAsB,CAAC;AAAA,IAC/E;AAEA,UAAM,UAAU;AAAA,MACd;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF;AAKA,QAAI,KAAK,YAAY,UAAU;AAC7B,cAAQ,KAAK,mBAAmB,sBAAsB;AAAA,IACxD;AAEA,WAAO;AAAA,MACL,QAAQ;AAAA,MACR,QAAQ;AAAA,MACR;AAAA,MACA;AAAA,IACF;AAAA,EACF;AACF;AApFa,mBAAN;AAAA,EADN,OAAO,CAAC,CAAC;AAAA,GACG;","names":[]}

package/dist/chunk-OFRRBC7M.js

@@ -0,0 +1,78 @@
+// runtime/subsystems/events/domain-events.schema.ts
+import {
+  check,
+  index,
+  jsonb,
+  pgTable,
+  text,
+  timestamp,
+  uuid
+} from "drizzle-orm/pg-core";
+import { sql } from "drizzle-orm";
+var domainEvents = pgTable(
+  "domain_events",
+  {
+    id: uuid("id").primaryKey(),
+    type: text("type").notNull(),
+    aggregateId: text("aggregate_id").notNull(),
+    aggregateType: text("aggregate_type").notNull(),
+    payload: jsonb("payload").notNull().$type(),
+    occurredAt: timestamp("occurred_at", { withTimezone: true }).notNull(),
+    processedAt: timestamp("processed_at", { withTimezone: true }),
+    /** Lifecycle status: pending | processed | failed */
+    status: text("status").notNull().default("pending"),
+    /** Error message from the last failed dispatch attempt. */
+    error: text("error"),
+    metadata: jsonb("metadata").$type(),
+    /** Routing pool (e.g. `events_inbound`, `events_change`, `events_outbound`). Populated by DrizzleEventBus.publish() in EVT-4. NULL when `tier='audit'`. */
+    pool: text("pool"),
+    /** Routing direction: `inbound` | `change` | `outbound`. Populated by DrizzleEventBus.publish() in EVT-4. NULL when `tier='audit'`. */
+    direction: text("direction"),
+    /**
+     * Event tier: `'domain'` (default) or `'audit'`. Audit-tier rows are
+     * observability-only and have null `pool`/`direction` by construction —
+     * enforced by the `domain_events_tier_routing_check` CHECK constraint
+     * declared below. (AUDIT-1)
+     */
+    tier: text("tier").notNull().default("domain"),
+    // conditional: emitted only when events.multi_tenant: true
+    tenantId: text("tenant_id")
+  },
+  (t) => ({
+    /** Polling drain filter (existing — promoted from comment to declaration in EVT-1). */
+    idxDomainEventsStatusOccurredAt: index("idx_domain_events_status_occurred_at").on(
+      t.status,
+      t.occurredAt
+    ),
+    /** Event replay per aggregate (existing — promoted from comment to declaration in EVT-1). */
+    idxDomainEventsAggregate: index("idx_domain_events_aggregate").on(
+      t.aggregateId,
+      t.aggregateType
+    ),
+    /** Per-pool drain filter (EVT-1). Enables DrizzleEventBus to drain a single pool without scanning all events. */
+    idxDomainEventsPoolStatusOccurredAt: index(
+      "idx_domain_events_pool_status_occurred_at"
+    ).on(t.pool, t.status, t.occurredAt),
+    /** Per-tier filter (AUDIT-1). Backs the observability viewer's tier toggle. */
+    idxDomainEventsTierStatusOccurredAt: index(
+      "idx_domain_events_tier_status_occurred_at"
+    ).on(t.tier, t.status, t.occurredAt),
+    /**
+     * Tier ↔ routing-fields invariant (AUDIT-1):
+     *   - `tier` is one of `'domain' | 'audit'`.
+     *   - `tier='audit'` ⇔ `pool IS NULL AND direction IS NULL`.
+     *   - `tier='domain'` ⇒ `pool` and `direction` are populated (the
+     *     DrizzleEventBus inserts always supply them; the bus stamps them
+     *     in AUDIT-3).
+     */
+    tierRoutingCheck: check(
+      "domain_events_tier_routing_check",
+      sql`${t.tier} in ('domain','audit') AND ((${t.tier} = 'audit') = (${t.pool} is null and ${t.direction} is null))`
+    )
+  })
+);
+
+export {
+  domainEvents
+};
+//# sourceMappingURL=chunk-OFRRBC7M.js.map

package/dist/chunk-OFRRBC7M.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../runtime/subsystems/events/domain-events.schema.ts"],"sourcesContent":["/**\n * Drizzle schema for the domain_events outbox table.\n *\n * This table backs the DrizzleEventBus. Events are inserted within the\n * same database transaction as the domain write (outbox pattern). A\n * polling process reads unprocessed rows and dispatches to subscribers.\n *\n * First-class routing columns (EVT-1):\n *   - `pool`       — populated by DrizzleEventBus.publish() (EVT-4); enables\n *                    pool-filtered drain queries without unpacking metadata JSON.\n *                    NULL when `tier='audit'` (audit events are not routed).\n *   - `direction`  — `inbound` | `change` | `outbound`; mirrors the routing\n *                    dimension used by jobs' reserved `events_inbound` /\n *                    `events_change` / `events_outbound` pools.\n *                    NULL when `tier='audit'`.\n *   - `tenant_id`  — conditional: emitted only when `events.multi_tenant: true`\n *                    in `codegen.config.yaml`. The runtime source declares it\n *                    unconditionally; EVT-8's scaffold template handles the\n *                    config-driven include/exclude.\n *\n * Audit-tier column (AUDIT-1):\n *   - `tier`       — `'domain'` | `'audit'`. Defaults to `'domain'`. Audit-tier\n *                    rows are observability-only (subscribers may observe but\n *                    the bridge MUST NOT spawn jobs from them); they have null\n *                    `pool` and `direction` by construction. The CHECK\n *                    constraint `domain_events_tier_routing_check` enforces\n *                    `tier='audit' ⇔ (pool IS NULL AND direction IS NULL)`.\n *\n * The `metadata` JSON column continues to carry these values for protocol\n * stability; the first-class columns are an optimization for drain filtering.\n *\n * Indexes (declared below in the index callback):\n *   - (status, occurred_at)             — polling drain filter\n *   - (aggregate_id, aggregate_type)    — event replay per aggregate\n *   - (pool, status, occurred_at)       — per-pool drain filter (EVT-1)\n *   - (tier, status, occurred_at)       — per-tier filter for the observability\n *                                          viewer's tier toggle (AUDIT-1).\n */\nimport {\n  check,\n  index,\n  jsonb,\n  pgTable,\n  text,\n  timestamp,\n  uuid,\n} from 'drizzle-orm/pg-core';\nimport { sql } from 'drizzle-orm';\nimport type { InferSelectModel } from 'drizzle-orm';\n\nexport const domainEvents = pgTable(\n  'domain_events',\n  {\n    id: uuid('id').primaryKey(),\n    type: text('type').notNull(),\n    aggregateId: text('aggregate_id').notNull(),\n    aggregateType: text('aggregate_type').notNull(),\n    payload: jsonb('payload').notNull().$type<Record<string, unknown>>(),\n    occurredAt: timestamp('occurred_at', { withTimezone: true }).notNull(),\n    processedAt: timestamp('processed_at', { withTimezone: true }),\n    /** Lifecycle status: pending | processed | failed */\n    status: text('status').notNull().default('pending'),\n    /** Error message from the last failed dispatch attempt. */\n    error: text('error'),\n    metadata: jsonb('metadata').$type<Record<string, unknown>>(),\n    /** Routing pool (e.g. `events_inbound`, `events_change`, `events_outbound`). Populated by DrizzleEventBus.publish() in EVT-4. NULL when `tier='audit'`. */\n    pool: text('pool'),\n    /** Routing direction: `inbound` | `change` | `outbound`. Populated by DrizzleEventBus.publish() in EVT-4. NULL when `tier='audit'`. */\n    direction: text('direction'),\n    /**\n     * Event tier: `'domain'` (default) or `'audit'`. Audit-tier rows are\n     * observability-only and have null `pool`/`direction` by construction —\n     * enforced by the `domain_events_tier_routing_check` CHECK constraint\n     * declared below. (AUDIT-1)\n     */\n    tier: text('tier').notNull().default('domain'),\n    // conditional: emitted only when events.multi_tenant: true\n    tenantId: text('tenant_id'),\n  },\n  (t) => ({\n    /** Polling drain filter (existing — promoted from comment to declaration in EVT-1). */\n    idxDomainEventsStatusOccurredAt: index('idx_domain_events_status_occurred_at').on(\n      t.status,\n      t.occurredAt,\n    ),\n    /** Event replay per aggregate (existing — promoted from comment to declaration in EVT-1). */\n    idxDomainEventsAggregate: index('idx_domain_events_aggregate').on(\n      t.aggregateId,\n      t.aggregateType,\n    ),\n    /** Per-pool drain filter (EVT-1). Enables DrizzleEventBus to drain a single pool without scanning all events. */\n    idxDomainEventsPoolStatusOccurredAt: index(\n      'idx_domain_events_pool_status_occurred_at',\n    ).on(t.pool, t.status, t.occurredAt),\n    /** Per-tier filter (AUDIT-1). Backs the observability viewer's tier toggle. */\n    idxDomainEventsTierStatusOccurredAt: index(\n      'idx_domain_events_tier_status_occurred_at',\n    ).on(t.tier, t.status, t.occurredAt),\n    /**\n     * Tier ↔ routing-fields invariant (AUDIT-1):\n     *   - `tier` is one of `'domain' | 'audit'`.\n     *   - `tier='audit'` ⇔ `pool IS NULL AND direction IS NULL`.\n     *   - `tier='domain'` ⇒ `pool` and `direction` are populated (the\n     *     DrizzleEventBus inserts always supply them; the bus stamps them\n     *     in AUDIT-3).\n     */\n    tierRoutingCheck: check(\n      'domain_events_tier_routing_check',\n      sql`${t.tier} in ('domain','audit') AND ((${t.tier} = 'audit') = (${t.pool} is null and ${t.direction} is null))`,\n    ),\n  }),\n);\n\nexport type DomainEventRecord = InferSelectModel<typeof domainEvents>;\n"],"mappings":";AAsCA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AACP,SAAS,WAAW;AAGb,IAAM,eAAe;AAAA,EAC1B;AAAA,EACA;AAAA,IACE,IAAI,KAAK,IAAI,EAAE,WAAW;AAAA,IAC1B,MAAM,KAAK,MAAM,EAAE,QAAQ;AAAA,IAC3B,aAAa,KAAK,cAAc,EAAE,QAAQ;AAAA,IAC1C,eAAe,KAAK,gBAAgB,EAAE,QAAQ;AAAA,IAC9C,SAAS,MAAM,SAAS,EAAE,QAAQ,EAAE,MAA+B;AAAA,IACnE,YAAY,UAAU,eAAe,EAAE,cAAc,KAAK,CAAC,EAAE,QAAQ;AAAA,IACrE,aAAa,UAAU,gBAAgB,EAAE,cAAc,KAAK,CAAC;AAAA;AAAA,IAE7D,QAAQ,KAAK,QAAQ,EAAE,QAAQ,EAAE,QAAQ,SAAS;AAAA;AAAA,IAElD,OAAO,KAAK,OAAO;AAAA,IACnB,UAAU,MAAM,UAAU,EAAE,MAA+B;AAAA;AAAA,IAE3D,MAAM,KAAK,MAAM;AAAA;AAAA,IAEjB,WAAW,KAAK,WAAW;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IAO3B,MAAM,KAAK,MAAM,EAAE,QAAQ,EAAE,QAAQ,QAAQ;AAAA;AAAA,IAE7C,UAAU,KAAK,WAAW;AAAA,EAC5B;AAAA,EACA,CAAC,OAAO;AAAA;AAAA,IAEN,iCAAiC,MAAM,sCAAsC,EAAE;AAAA,MAC7E,EAAE;AAAA,MACF,EAAE;AAAA,IACJ;AAAA;AAAA,IAEA,0BAA0B,MAAM,6BAA6B,EAAE;AAAA,MAC7D,EAAE;AAAA,MACF,EAAE;AAAA,IACJ;AAAA;AAAA,IAEA,qCAAqC;AAAA,MACnC;AAAA,IACF,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU;AAAA;AAAA,IAEnC,qCAAqC;AAAA,MACnC;AAAA,IACF,EAAE,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,IASnC,kBAAkB;AAAA,MAChB;AAAA,MACA,MAAM,EAAE,IAAI,gCAAgC,EAAE,IAAI,kBAAkB,EAAE,IAAI,gBAAgB,EAAE,SAAS;AAAA,IACvG;AAAA,EACF;AACF;","names":[]}