@trycompai/db 1.3.19-canary.3 → 1.3.20-canary.0

package/dist/client.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAI9C,eAAO,MAAM,EAAE,gIAA+C,CAAC"}
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../src/client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAI9C,eAAO,MAAM,EAAE,gIAIX,CAAC"}

package/dist/client.js

@@ -3,6 +3,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.db = void 0;
 const client_1 = require("@prisma/client");
 const globalForPrisma = global;
-exports.db = globalForPrisma.prisma || new client_1.PrismaClient();
+exports.db = globalForPrisma.prisma ||
+    new client_1.PrismaClient({
+        datasourceUrl: process.env.DATABASE_URL,
+    });
 if (process.env.NODE_ENV !== 'production')
     globalForPrisma.prisma = exports.db;

package/dist/schema.prisma

@@ -7,7 +7,6 @@ generator client {
 datasource db {
   provider   = "postgresql"
   url        = env("DATABASE_URL")
-  directUrl  = env("DATABASE_URL")
   extensions = [pgcrypto]
 }
 
@@ -40,6 +39,7 @@ enum AttachmentEntityType {
   risk
   comment
   trust_nda
+  task_item
 }
 
 enum AttachmentType {
@@ -63,6 +63,7 @@ model User {
   lastLogin                      DateTime?
   emailNotificationsUnsubscribed Boolean   @default(false)
   emailPreferences               Json?     @default("{\"policyNotifications\":true,\"taskReminders\":true,\"weeklyTaskDigest\":true,\"unassignedItemsNotifications\":true}")
+  isPlatformAdmin                Boolean   @default(false)
 
   accounts           Account[]
   auditLog           AuditLog[]
@@ -164,6 +165,9 @@ model Member {
   reviewedAccessRequests TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
   issuedGrants           TrustAccessGrant[]   @relation("IssuedGrants")
   revokedGrants          TrustAccessGrant[]   @relation("RevokedGrants")
+  createdTaskItems       TaskItem[]           @relation("TaskItemCreator")
+  updatedTaskItems       TaskItem[]           @relation("TaskItemUpdater")
+  assignedTaskItems      TaskItem[]           @relation("TaskItemAssignee")
 }
 
 model Invitation {
@@ -298,6 +302,105 @@ model EvidenceAutomation {
 }
 
 
+// ===== browserbase-context.prisma =====
+/// Stores Browserbase context IDs for browser-based automation
+/// One context per organization - shared like a normal browser
+model BrowserbaseContext {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('bbc'::text)"))
+
+    /// Organization that owns this browser context
+    organizationId String       @unique
+    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+    /// Browserbase context ID from their API
+    contextId String
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@index([organizationId])
+}
+
+/// Browser automation configuration linked to a task
+model BrowserAutomation {
+    id          String  @id @default(dbgenerated("generate_prefixed_cuid('bau'::text)"))
+    name        String
+    description String?
+
+    /// Task this automation belongs to
+    taskId String
+    task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
+
+    /// Starting URL for the automation
+    targetUrl String
+
+    /// Natural language instruction for the AI agent
+    instruction String
+
+    /// Whether automation is enabled for scheduled runs
+    isEnabled Boolean @default(false)
+
+    /// Cron expression for scheduled runs (null = manual only)
+    schedule String?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    runs BrowserAutomationRun[]
+
+    @@index([taskId])
+}
+
+/// Records of browser automation executions
+model BrowserAutomationRun {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('bar'::text)"))
+
+    /// Parent automation
+    automationId String
+    automation   BrowserAutomation @relation(fields: [automationId], references: [id], onDelete: Cascade)
+
+    /// Execution status
+    status BrowserAutomationRunStatus @default(pending)
+
+    /// Timestamps
+    startedAt   DateTime?
+    completedAt DateTime?
+
+    /// Duration in milliseconds
+    durationMs Int?
+
+    /// Screenshot URL in S3 (if successful)
+    screenshotUrl String?
+
+    /// Evaluation result - whether the automation fulfilled the task requirements
+    evaluationStatus BrowserAutomationEvaluationStatus?
+
+    /// AI explanation of why it passed or failed
+    evaluationReason String?
+
+    /// Error message (if failed)
+    error String?
+
+    createdAt DateTime @default(now())
+
+    @@index([automationId])
+    @@index([status])
+    @@index([createdAt])
+}
+
+enum BrowserAutomationEvaluationStatus {
+    pass
+    fail
+}
+
+enum BrowserAutomationRunStatus {
+    pending
+    running
+    completed
+    failed
+}
+
+
 // ===== comment.prisma =====
 model Comment {
   id         String            @id @default(dbgenerated("generate_prefixed_cuid('cmt'::text)"))
@@ -491,6 +594,424 @@ model FrameworkInstance {
 }
 
 
+// ===== integration-platform.prisma =====
+// ===== Integration Platform =====
+// New integration platform models for scalable, config-driven integrations
+
+/// Stores metadata about available integration providers (synced from code manifests)
+model IntegrationProvider {
+    id           String  @id @default(dbgenerated("generate_prefixed_cuid('prv'::text)"))
+    /// Unique slug matching manifest ID (e.g., "github", "slack")
+    slug         String  @unique
+    /// Display name
+    name         String
+    /// Category for grouping
+    category     String
+    /// Hash of manifest for detecting changes
+    manifestHash String?
+    /// Capabilities JSON array
+    capabilities Json    @default("[]")
+    /// Whether provider is active
+    isActive     Boolean @default(true)
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    connections IntegrationConnection[]
+
+    @@index([slug])
+    @@index([category])
+}
+
+/// Represents an organization's connection to an integration provider
+model IntegrationConnection {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icn'::text)"))
+
+    /// Reference to the provider
+    providerId String
+    provider   IntegrationProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+
+    /// Organization that owns this connection
+    organizationId String
+    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+    /// Connection status
+    status IntegrationConnectionStatus @default(pending)
+
+    /// Auth strategy used (oauth2, api_key, basic, jwt, custom)
+    authStrategy String
+
+    /// Reference to active credential version
+    activeCredentialVersionId String?
+
+    /// Last successful sync timestamp
+    lastSyncAt DateTime?
+
+    /// Next scheduled sync timestamp
+    nextSyncAt DateTime?
+
+    /// Custom sync cadence (cron expression), null = use default
+    syncCadence String?
+
+    /// Additional metadata (e.g., connected account info)
+    metadata Json?
+
+    /// User-configured variables for checks (collected after OAuth)
+    variables Json?
+
+    /// Error message if status is error
+    errorMessage String?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    credentialVersions IntegrationCredentialVersion[]
+    runs               IntegrationRun[]
+    findings           IntegrationPlatformFinding[]
+    checkRuns          IntegrationCheckRun[]
+
+    @@unique([providerId, organizationId])
+    @@index([organizationId])
+    @@index([providerId])
+    @@index([status])
+}
+
+enum IntegrationConnectionStatus {
+    pending // Awaiting credential setup
+    active // Connected and operational
+    error // Connection has errors
+    paused // Manually paused by user
+    disconnected // User disconnected
+}
+
+/// Stores encrypted credentials with versioning for audit trail
+model IntegrationCredentialVersion {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icv'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Encrypted credential payload (JSON with encrypted fields)
+    encryptedPayload Json
+
+    /// Version number (auto-increment per connection)
+    version Int
+
+    /// Token expiration (for OAuth tokens)
+    expiresAt DateTime?
+
+    /// When this version was rotated/replaced
+    rotatedAt DateTime?
+
+    createdAt DateTime @default(now())
+
+    @@unique([connectionId, version])
+    @@index([connectionId])
+}
+
+/// Records each sync/job execution for audit and debugging
+model IntegrationRun {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('irn'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Type of job
+    jobType IntegrationRunJobType
+
+    /// Execution status
+    status IntegrationRunStatus @default(pending)
+
+    /// Timestamps
+    startedAt   DateTime?
+    completedAt DateTime?
+
+    /// Duration in milliseconds
+    durationMs Int?
+
+    /// Number of findings from this run
+    findingsCount Int @default(0)
+
+    /// Error details if failed
+    error Json?
+
+    /// Additional metadata (trigger source, cursor, etc.)
+    metadata Json?
+
+    createdAt DateTime @default(now())
+
+    findings IntegrationPlatformFinding[]
+
+    @@index([connectionId])
+    @@index([status])
+    @@index([createdAt])
+}
+
+enum IntegrationRunJobType {
+    full_sync
+    delta_sync
+    webhook
+    manual
+    test_connection
+}
+
+enum IntegrationRunStatus {
+    pending
+    running
+    success
+    failed
+    cancelled
+}
+
+/// Stores findings/results from integration syncs
+model IntegrationPlatformFinding {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ipf'::text)"))
+
+    /// Parent run (optional - webhooks may not have runs)
+    runId String?
+    run   IntegrationRun? @relation(fields: [runId], references: [id], onDelete: SetNull)
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Resource classification
+    resourceType String
+    resourceId   String
+
+    /// Finding details
+    title       String
+    description String?
+
+    /// Severity level
+    severity IntegrationFindingSeverity @default(info)
+
+    /// Finding status
+    status IntegrationFindingStatus @default(open)
+
+    /// Remediation guidance
+    remediation String?
+
+    /// Raw payload from provider
+    rawPayload Json?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@index([connectionId])
+    @@index([runId])
+    @@index([resourceType, resourceId])
+    @@index([severity])
+    @@index([status])
+}
+
+enum IntegrationFindingSeverity {
+    info
+    low
+    medium
+    high
+    critical
+}
+
+enum IntegrationFindingStatus {
+    open
+    resolved
+    ignored
+}
+
+/// Stores OAuth state for CSRF protection during OAuth flow
+model IntegrationOAuthState {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ios'::text)"))
+
+    /// Random state parameter
+    state String @unique
+
+    /// Provider slug
+    providerSlug String
+
+    /// Organization initiating the OAuth
+    organizationId String
+
+    /// User initiating the OAuth
+    userId String
+
+    /// PKCE code verifier (if using PKCE)
+    codeVerifier String?
+
+    /// Redirect URL after OAuth completes
+    redirectUrl String?
+
+    /// Expiration timestamp
+    expiresAt DateTime
+
+    createdAt DateTime @default(now())
+
+    @@index([state])
+    @@index([expiresAt])
+}
+
+/// Stores organization-level OAuth app credentials
+/// Allows orgs (especially self-hosters) to use their own OAuth apps
+model IntegrationOAuthApp {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ioa'::text)"))
+
+    /// Provider slug (e.g., "github", "slack")
+    providerSlug String
+
+    /// Organization that owns this OAuth app config
+    organizationId String
+    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+    /// Encrypted client ID
+    encryptedClientId Json
+
+    /// Encrypted client secret
+    encryptedClientSecret Json
+
+    /// Optional: custom scopes (overrides manifest defaults)
+    customScopes String[]
+
+    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+    /// Stored as JSON: { "appName": "compai533c" }
+    customSettings Json?
+
+    /// Whether this config is active
+    isActive Boolean @default(true)
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@unique([providerSlug, organizationId])
+    @@index([organizationId])
+    @@index([providerSlug])
+}
+
+/// Records check runs linked to tasks for compliance verification
+model IntegrationCheckRun {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icr'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Task being verified (optional - checks can run without a task)
+    taskId String?
+    task   Task?   @relation(fields: [taskId], references: [id], onDelete: SetNull)
+
+    /// Check ID from the manifest
+    checkId String
+
+    /// Check name (denormalized for display)
+    checkName String
+
+    /// Execution status
+    status IntegrationRunStatus @default(pending)
+
+    /// Timestamps
+    startedAt   DateTime?
+    completedAt DateTime?
+
+    /// Duration in milliseconds
+    durationMs Int?
+
+    /// Summary counts
+    totalChecked Int @default(0)
+    passedCount  Int @default(0)
+    failedCount  Int @default(0)
+
+    /// Error message if failed
+    errorMessage String?
+
+    /// Full execution logs (JSON array)
+    logs Json?
+
+    createdAt DateTime @default(now())
+
+    /// Results from this check run
+    results IntegrationCheckResult[]
+
+    @@index([connectionId])
+    @@index([taskId])
+    @@index([checkId])
+    @@index([status])
+    @@index([createdAt])
+}
+
+/// Stores individual results (pass/fail) from check runs
+model IntegrationCheckResult {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icx'::text)"))
+
+    /// Parent check run
+    checkRunId String
+    checkRun   IntegrationCheckRun @relation(fields: [checkRunId], references: [id], onDelete: Cascade)
+
+    /// Whether this result is a pass or fail
+    passed Boolean
+
+    /// Resource classification
+    resourceType String
+    resourceId   String
+
+    /// Result details
+    title       String
+    description String?
+
+    /// Severity (for failures)
+    severity IntegrationFindingSeverity?
+
+    /// Remediation guidance (for failures)
+    remediation String?
+
+    /// Evidence/proof (JSON - API response data)
+    evidence Json?
+
+    /// When this evidence was collected
+    collectedAt DateTime @default(now())
+
+    @@index([checkRunId])
+    @@index([passed])
+    @@index([resourceType, resourceId])
+}
+
+/// Stores platform-wide OAuth app credentials
+/// Used by platform operators to provide default OAuth apps for all users
+model IntegrationPlatformCredential {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ipc'::text)"))
+
+    /// Provider slug (e.g., "github", "slack") - unique per platform
+    providerSlug String @unique
+
+    /// Encrypted client ID
+    encryptedClientId Json
+
+    /// Encrypted client secret
+    encryptedClientSecret Json
+
+    /// Optional: custom scopes (overrides manifest defaults)
+    customScopes String[]
+
+    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+    /// Stored as JSON: { "appName": "compai533c" }
+    customSettings Json?
+
+    /// Whether this credential is active
+    isActive Boolean @default(true)
+
+    /// Who created this credential
+    createdById String?
+
+    /// Who last updated this credential
+    updatedById String?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@index([providerSlug])
+}
+
+
 // ===== integration.prisma =====
 model Integration {
   id             String              @id @default(dbgenerated("generate_prefixed_cuid('int'::text)"))
@@ -599,6 +1120,10 @@ model Organization {
   fleetDmLabelId        Int?
   isFleetSetupCompleted Boolean @default(false)
 
+  // Employee sync provider (e.g., 'google-workspace', 'rippling')
+  // When set, the scheduled sync will only use this provider
+  employeeSyncProvider String?
+
   apiKeys                            ApiKey[]
   auditLog                           AuditLog[]
   controls                           Control[]
@@ -610,6 +1135,7 @@ model Organization {
   risk                               Risk[]
   vendors                            Vendor[]
   tasks                              Task[]
+  taskItems                          TaskItem[]
   comments                           Comment[]
   attachments                        Attachment[]
   trust                              Trust[]
@@ -618,12 +1144,22 @@ model Organization {
   trustAccessRequests                TrustAccessRequest[]
   trustNdaAgreements                 TrustNDAAgreement[]
   trustDocuments                     TrustDocument[]
-  trustResources                     TrustResource[] @relation("OrganizationTrustResources")
+  trustResources                     TrustResource[]                     @relation("OrganizationTrustResources")
   knowledgeBaseDocuments             KnowledgeBaseDocument[]
   questionnaires                     Questionnaire[]
   securityQuestionnaireManualAnswers SecurityQuestionnaireManualAnswer[]
   soaDocuments                       SOADocument[]
   primaryColor                       String?
+  trustPortalFaqs                    Json? // Array of { question: string, answer: string, order: number }
+
+
+  // Integration Platform
+  integrationConnections IntegrationConnection[]
+  integrationOAuthApps   IntegrationOAuthApp[]
+
+  // Browser Automation
+  browserbaseContext BrowserbaseContext?
+
   @@index([slug])
 }
 
@@ -681,6 +1217,7 @@ model Questionnaire {
   parsedAt          DateTime? // When parsing completed
   totalQuestions    Int                 @default(0) // Total number of questions parsed
   answeredQuestions Int                 @default(0) // Number of questions with answers
+  source            String              @default("internal") // Source of the questionnaire: 'internal' (from app) or 'external' (from trust portal)
 
   // Dates
   createdAt DateTime @default(now())
@@ -695,6 +1232,7 @@ model Questionnaire {
   @@index([organizationId])
   @@index([organizationId, createdAt])
   @@index([status])
+  @@index([source])
 }
 
 model QuestionnaireQuestionAnswer {
@@ -1107,6 +1645,64 @@ enum SOAAnswerStatus {
 }
 
 
+// ===== task-item.prisma =====
+model TaskItem {
+  id          String            @id @default(dbgenerated("generate_prefixed_cuid('tski'::text)"))
+  title       String
+  description String?
+  status      TaskItemStatus    @default(todo)
+  priority    TaskItemPriority  @default(medium)
+  
+  // Polymorphic relation (like Comment and Attachment)
+  entityId   String
+  entityType TaskItemEntityType
+  
+  // Assignment (nullable)
+  assigneeId  String?
+  assignee   Member?           @relation("TaskItemAssignee", fields: [assigneeId], references: [id], onDelete: SetNull)
+  
+  // Creator & Updater
+  createdById String
+  createdBy   Member           @relation("TaskItemCreator", fields: [createdById], references: [id])
+  updatedById String?
+  updatedBy   Member?          @relation("TaskItemUpdater", fields: [updatedById], references: [id])
+  
+  // Relationships
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  
+  // Dates
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  
+  @@index([entityId, entityType])
+  @@index([organizationId])
+  @@index([assigneeId])
+  @@index([status])
+  @@index([priority])
+}
+
+enum TaskItemStatus {
+  todo
+  in_progress
+  in_review
+  done
+  canceled
+}
+
+enum TaskItemPriority {
+  urgent
+  high
+  medium
+  low
+}
+
+enum TaskItemEntityType {
+  vendor
+  risk
+}
+
+
 // ===== task.prisma =====
 model Task {
   // Metadata
@@ -1135,8 +1731,10 @@ model Task {
   vendors             Vendor[]
   risks               Risk[]
   evidenceAutomations EvidenceAutomation[]
+  browserAutomations  BrowserAutomation[]
 
   EvidenceAutomationRun EvidenceAutomationRun[]
+  integrationCheckRuns  IntegrationCheckRun[]
 }
 
 enum TaskStatus {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@trycompai/db",
   "description": "Database package with Prisma client and schema for Comp AI",
-  "version": "1.3.19-canary.3",
+  "version": "1.3.20-canary.0",
   "dependencies": {
     "@prisma/client": "^6.13.0",
     "dotenv": "^16.4.5",
@@ -14,8 +14,16 @@
     "typescript": "^5.9.2"
   },
   "exports": {
-    ".": "./dist/index.js",
-    "./postinstall": "./dist/postinstall.js"
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./src/index.ts",
+      "default": "./dist/index.js"
+    },
+    "./postinstall": {
+      "import": "./dist/postinstall.js",
+      "types": "./src/postinstall.ts",
+      "default": "./dist/postinstall.js"
+    }
   },
   "bin": {
     "comp-prisma-postinstall": "./dist/postinstall.js"
@@ -38,6 +46,7 @@
     "check-types": "tsc --noEmit",
     "db:generate": "prisma generate",
     "db:migrate": "prisma migrate dev",
+    "db:migrate:reset": "prisma migrate reset",
     "db:push": "prisma db push",
     "db:seed": "bun prisma/seed/seed.ts",
     "db:studio": "prisma studio",