npm - @trycompai/db - Versions diffs - 1.3.22-canary.0 → 2.0.0 - Mend

@trycompai/db 1.3.22-canary.0 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (269) hide show

package/dist/schema.prisma CHANGED Viewed

@@ -1,12 +1,11 @@
 generator client {
-  provider        = "prisma-client-js"
+  provider        = "prisma-client"
+  output          = "../src/generated/prisma"
   previewFeatures = ["postgresqlExtensions"]
-  binaryTargets   = ["rhel-openssl-3.0.x", "native", "debian-openssl-3.0.x", "linux-musl-openssl-3.0.x", "linux-musl-arm64-openssl-3.0.x"]
 }
 datasource db {
   provider   = "postgresql"
-  url        = env("DATABASE_URL")
   extensions = [pgcrypto]
 }
@@ -63,15 +62,22 @@ model User {
   lastLogin                      DateTime?
   emailNotificationsUnsubscribed Boolean   @default(false)
   emailPreferences               Json?     @default("{\"policyNotifications\":true,\"taskReminders\":true,\"weeklyTaskDigest\":true,\"unassignedItemsNotifications\":true}")
+  role                           String?   @default("user")
+  banned                         Boolean?
+  banReason                      String?
+  banExpires                     DateTime?
   isPlatformAdmin                Boolean   @default(false)
-  accounts           Account[]
-  auditLog           AuditLog[]
-  integrationResults IntegrationResult[]
-  invitations        Invitation[]
-  members            Member[]
-  sessions           Session[]
-  fleetPolicyResults FleetPolicyResult[]
+  accounts            Account[]
+  auditLog            AuditLog[]
+  integrationResults  IntegrationResult[]
+  invitations         Invitation[]
+  members             Member[]
+  sessions            Session[]
+  fleetPolicyResults  FleetPolicyResult[]
+  evidenceSubmissions EvidenceSubmission[] @relation("EvidenceSubmitter")
+  evidenceReviews     EvidenceSubmission[] @relation("EvidenceReviewer")
+  adminFindings       Finding[]            @relation("AdminFindingCreator")
   @@unique([email])
 }
@@ -98,6 +104,7 @@ model Session {
   userAgent            String?
   userId               String
   activeOrganizationId String?
+  impersonatedBy       String?
   user                 User     @relation(fields: [userId], references: [id], onDelete: Cascade)
   @@unique([token])
@@ -132,10 +139,11 @@ model Verification {
 // JWT Plugin - Required by Better Auth JWT plugin
 // https://www.better-auth.com/docs/plugins/jwt
 model Jwks {
-  id         String   @id @default(dbgenerated("generate_prefixed_cuid('jwk'::text)"))
+  id         String    @id @default(dbgenerated("generate_prefixed_cuid('jwk'::text)"))
   publicKey  String
   privateKey String
-  createdAt  DateTime @default(now())
+  createdAt  DateTime  @default(now())
+  expiresAt  DateTime?
   @@map("jwks")
 }
@@ -150,27 +158,32 @@ model Member {
   createdAt      DateTime     @default(now())
   department                      Departments                       @default(none)
+  jobTitle                        String?
   isActive                        Boolean                           @default(true)
   deactivated                     Boolean                           @default(false)
+  externalUserId                  String?
+  externalUserSource              String?
   employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
   fleetDmLabelId                  Int?
-  assignedPolicies       Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
-  approvedPolicies       Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
-  approvedSOADocuments   SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
-  risks                  Risk[]
-  tasks                  Task[]
-  vendors                Vendor[]
-  comments               Comment[]
-  auditLogs              AuditLog[]
-  reviewedAccessRequests TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
-  issuedGrants           TrustAccessGrant[]   @relation("IssuedGrants")
-  revokedGrants          TrustAccessGrant[]   @relation("RevokedGrants")
-  createdTaskItems       TaskItem[]           @relation("TaskItemCreator")
-  updatedTaskItems       TaskItem[]           @relation("TaskItemUpdater")
-  assignedTaskItems      TaskItem[]           @relation("TaskItemAssignee")
-  createdFindings        Finding[]            @relation("FindingCreatedBy")
-  publishedPolicyVersions PolicyVersion[]     @relation("PolicyVersionPublisher")
+  assignedPolicies        Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
+  approvedPolicies        Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
+  approvedSOADocuments    SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
+  risks                   Risk[]
+  tasks                   Task[]
+  vendors                 Vendor[]
+  comments                Comment[]
+  auditLogs               AuditLog[]
+  reviewedAccessRequests  TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
+  issuedGrants            TrustAccessGrant[]   @relation("IssuedGrants")
+  revokedGrants           TrustAccessGrant[]   @relation("RevokedGrants")
+  createdTaskItems        TaskItem[]           @relation("TaskItemCreator")
+  updatedTaskItems        TaskItem[]           @relation("TaskItemUpdater")
+  assignedTaskItems       TaskItem[]           @relation("TaskItemAssignee")
+  createdFindings         Finding[]            @relation("FindingCreatedBy")
+  publishedPolicyVersions PolicyVersion[]      @relation("PolicyVersionPublisher")
+  approvedTasks           Task[]               @relation("TaskApprover")
+  devices                 Device[]
 }
 model Invitation {
@@ -196,6 +209,23 @@ enum Role {
   contractor
 }
+// Custom roles for dynamic access control
+// This table stores organization-specific custom roles created via better-auth
+// See: https://www.better-auth.com/docs/plugins/organization#dynamic-access-control
+model OrganizationRole {
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('rol'::text)"))
+  name           String
+  permissions    String       @db.Text // Stored as serialized JSON string for better-auth compatibility
+  obligations    String       @default("{}") @db.Text // JSON: { compliance?: boolean }
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  createdAt      DateTime     @default(now())
+  updatedAt      DateTime     @updatedAt
+  @@unique([organizationId, name])
+  @@map("organization_role")
+}
 enum PolicyStatus {
   draft
   published
@@ -232,7 +262,7 @@ model EvidenceAutomationRun {
   triggeredBy EvidenceAutomationTrigger @default(scheduled)
   runDuration Int? // in milliseconds
   version     Int? // Version number that was executed (null = draft)
-  Task        Task?                     @relation(fields: [taskId], references: [id])
+  task        Task?                     @relation(fields: [taskId], references: [id])
   taskId      String?
   @@index([evidenceAutomationId])
@@ -455,6 +485,18 @@ model Context {
 }
+// ===== control-document-type.prisma =====
+model ControlDocumentType {
+  id        String           @id @default(dbgenerated("generate_prefixed_cuid('cdt'::text)"))
+  controlId String
+  control   Control          @relation(fields: [controlId], references: [id], onDelete: Cascade)
+  formType  EvidenceFormType
+  @@unique([controlId, formType])
+  @@index([controlId])
+}
 // ===== control.prisma =====
 model Control {
   // Metadata
@@ -474,11 +516,173 @@ model Control {
   policies           Policy[]
   controlTemplateId  String?
   controlTemplate    FrameworkEditorControlTemplate? @relation(fields: [controlTemplateId], references: [id])
+  controlDocumentTypes ControlDocumentType[]
   @@index([organizationId])
 }
+// ===== device.prisma =====
+model Device {
+  id            String         @id @default(dbgenerated("generate_prefixed_cuid('dev'::text)"))
+  name          String
+  hostname      String
+  platform      DevicePlatform
+  osVersion     String
+  serialNumber  String?
+  hardwareModel String?
+  memberId       String
+  member         Member       @relation(fields: [memberId], references: [id], onDelete: Cascade)
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  isCompliant           Boolean  @default(false)
+  diskEncryptionEnabled Boolean  @default(false)
+  antivirusEnabled      Boolean  @default(false)
+  passwordPolicySet     Boolean  @default(false)
+  screenLockEnabled     Boolean  @default(false)
+  checkDetails          Json?
+  lastCheckIn  DateTime?
+  agentVersion String?
+  installedAt  DateTime @default(now())
+  updatedAt    DateTime @updatedAt
+  @@unique([serialNumber, organizationId])
+  @@index([memberId])
+  @@index([organizationId])
+  @@index([isCompliant])
+}
+enum DevicePlatform {
+  macos
+  windows
+  linux
+}
+// ===== dynamic-integration.prisma =====
+// ===== Dynamic Integration Platform =====
+// Stores integration manifests and declarative check definitions in the database
+// Enables adding new integrations without code changes or deployments
+/// Stores a full integration manifest as JSON — replaces hand-written TypeScript manifests
+model DynamicIntegration {
+    id          String  @id @default(dbgenerated("generate_prefixed_cuid('din'::text)"))
+    /// Unique slug (e.g., "azure-devops", "office-365")
+    slug        String  @unique
+    /// Display name
+    name        String
+    /// Short description for catalog
+    description String
+    /// Category for grouping
+    category    String
+    /// Logo URL
+    logoUrl     String
+    /// URL to documentation
+    docsUrl     String?
+    /// API base URL for ctx.fetch
+    baseUrl     String?
+    /// Default headers (JSON object)
+    defaultHeaders Json?
+    /// Auth strategy config (JSON — matches AuthStrategy type: oauth2/api_key/basic/jwt/custom)
+    authConfig  Json
+    /// Capabilities JSON array (default ["checks"])
+    capabilities Json @default("[\"checks\"]")
+    /// Whether multiple connections per org are allowed
+    supportsMultipleConnections Boolean @default(false)
+    /// Declarative sync definition (JSON — DSL steps that produce employee list)
+    /// When present and capabilities includes 'sync', enables employee sync
+    syncDefinition  Json?
+    /// Whether this dynamic integration is active
+    isActive    Boolean @default(true)
+    createdAt   DateTime @default(now())
+    updatedAt   DateTime @updatedAt
+    checks      DynamicCheck[]
+    @@index([slug])
+    @@index([category])
+    @@index([isActive])
+}
+/// Stores a declarative check definition — DSL JSON replaces hand-written run() functions
+model DynamicCheck {
+    id              String  @id @default(dbgenerated("generate_prefixed_cuid('dck'::text)"))
+    /// Parent integration
+    integrationId   String
+    integration     DynamicIntegration @relation(fields: [integrationId], references: [id], onDelete: Cascade)
+    /// Unique slug within integration (e.g., "mfa_enabled")
+    checkSlug       String
+    /// Human-readable name
+    name            String
+    /// Description of what this check does
+    description     String
+    /// Task template ID for auto-completion (references TASK_TEMPLATES)
+    taskMapping     String?
+    /// Default severity for findings
+    defaultSeverity String  @default("medium")
+    /// Declarative DSL definition (JSON — the step-by-step instructions)
+    definition      Json
+    /// Check-level variables (JSON array of CheckVariable)
+    variables       Json    @default("[]")
+    /// Whether this check is enabled
+    isEnabled       Boolean @default(true)
+    /// Display order
+    sortOrder       Int     @default(0)
+    createdAt       DateTime @default(now())
+    updatedAt       DateTime @updatedAt
+    @@unique([integrationId, checkSlug])
+    @@index([integrationId])
+    @@index([isEnabled])
+}
+// ===== evidence-submission.prisma =====
+model EvidenceSubmission {
+  id             String           @id @default(dbgenerated("generate_prefixed_cuid('evs'::text)"))
+  organizationId String
+  formType       EvidenceFormType
+  submittedById  String?
+  submittedAt    DateTime         @default(now())
+  data           Json
+  status         String           @default("pending")
+  reviewedById   String?
+  reviewedAt     DateTime?
+  reviewReason   String?
+  createdAt      DateTime         @default(now())
+  updatedAt      DateTime         @updatedAt
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  submittedBy  User?        @relation("EvidenceSubmitter", fields: [submittedById], references: [id], onDelete: SetNull)
+  reviewedBy   User?        @relation("EvidenceReviewer", fields: [reviewedById], references: [id], onDelete: SetNull)
+  findings     Finding[]
+  @@index([organizationId, formType, submittedAt])
+  @@index([organizationId, formType])
+  @@index([submittedById, status])
+}
 // ===== finding.prisma =====
 enum FindingType {
   soc2
@@ -515,16 +719,23 @@ model Finding {
   updatedAt DateTime @updatedAt
   // Relationships
-  taskId         String
-  task           Task             @relation(fields: [taskId], references: [id], onDelete: Cascade)
-  templateId     String?
-  template       FindingTemplate? @relation(fields: [templateId], references: [id])
-  createdById    String
-  createdBy      Member           @relation("FindingCreatedBy", fields: [createdById], references: [id])
-  organizationId String
-  organization   Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  taskId               String?
+  task                 Task?               @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  evidenceSubmissionId String?
+  evidenceSubmission   EvidenceSubmission? @relation(fields: [evidenceSubmissionId], references: [id], onDelete: Cascade)
+  evidenceFormType     EvidenceFormType?
+  templateId           String?
+  template             FindingTemplate?    @relation(fields: [templateId], references: [id])
+  createdById          String?
+  createdBy            Member?             @relation("FindingCreatedBy", fields: [createdById], references: [id])
+  createdByAdminId     String?
+  createdByAdmin       User?               @relation("AdminFindingCreator", fields: [createdByAdminId], references: [id])
+  organizationId       String
+  organization         Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   @@index([taskId])
+  @@index([evidenceSubmissionId])
+  @@index([evidenceFormType])
   @@index([organizationId, status])
 }
@@ -641,6 +852,7 @@ model FrameworkEditorControlTemplate {
   policyTemplates FrameworkEditorPolicyTemplate[]
   requirements    FrameworkEditorRequirement[]
   taskTemplates   FrameworkEditorTaskTemplate[]
+  documentTypes   EvidenceFormType[]
   // Dates
   createdAt DateTime @default(now())
@@ -743,6 +955,7 @@ model IntegrationConnection {
     runs               IntegrationRun[]
     findings           IntegrationPlatformFinding[]
     checkRuns          IntegrationCheckRun[]
+    syncLogs           IntegrationSyncLog[]
     @@index([organizationId])
     @@index([providerId])
@@ -1063,6 +1276,12 @@ model IntegrationPlatformCredential {
     /// Encrypted client secret
     encryptedClientSecret Json
+    /// Masked display hint for client ID (computed at write time)
+    clientIdHint String?
+    /// Masked display hint for client secret (computed at write time)
+    clientSecretHint String?
     /// Optional: custom scopes (overrides manifest defaults)
     customScopes String[]
@@ -1086,6 +1305,54 @@ model IntegrationPlatformCredential {
 }
+// ===== integration-sync-log.prisma =====
+// ===== Integration Sync Log =====
+// Generic audit trail for integration sync operations (employee sync, role discovery, etc.)
+model IntegrationSyncLog {
+  id             String                   @id @default(dbgenerated("generate_prefixed_cuid('isl'::text)"))
+  connectionId   String
+  connection     IntegrationConnection    @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  organizationId String
+  organization   Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  /// Provider slug (e.g., "ramp", "google-workspace", "rippling", "jumpcloud")
+  provider    String
+  /// Event type (e.g., "employee_sync", "role_discovery", "role_mapping_save")
+  eventType   String
+  /// Execution status
+  status      IntegrationSyncLogStatus @default(pending)
+  /// When the operation started executing
+  startedAt   DateTime?
+  /// When the operation completed (success or failure)
+  completedAt DateTime?
+  /// Duration in milliseconds
+  durationMs  Int?
+  /// Flexible result payload (e.g., { imported, deactivated, reactivated, skipped, errors })
+  result      Json?
+  /// Error message if failed
+  error       String?
+  /// How the sync was triggered: "manual", "scheduled", "api"
+  triggeredBy String?
+  /// User who triggered the sync (null for automated/cron)
+  userId      String?
+  createdAt DateTime @default(now())
+  @@index([connectionId])
+  @@index([organizationId])
+  @@index([provider])
+  @@index([createdAt])
+}
+enum IntegrationSyncLogStatus {
+  pending
+  running
+  success
+  failed
+}
 // ===== integration.prisma =====
 model Integration {
   id             String              @id @default(dbgenerated("generate_prefixed_cuid('int'::text)"))
@@ -1155,6 +1422,28 @@ enum KnowledgeBaseDocumentProcessingStatus {
 }
+// ===== notification-policy.prisma =====
+model RoleNotificationSetting {
+  id                   String       @id @default(dbgenerated("generate_prefixed_cuid('rns'::text)"))
+  organizationId       String
+  organization         Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  role                 String // "owner", "admin", "auditor", "employee", "contractor", or custom role name
+  policyNotifications  Boolean @default(true)
+  taskReminders        Boolean @default(true)
+  taskAssignments      Boolean @default(true)
+  taskMentions         Boolean @default(true)
+  weeklyTaskDigest     Boolean @default(true)
+  findingNotifications Boolean @default(true)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  @@unique([organizationId, role])
+  @@map("role_notification_setting")
+}
 // ===== onboarding.prisma =====
 model Onboarding {
   organizationId        String       @id
@@ -1176,6 +1465,38 @@ model Onboarding {
 }
+// ===== org-chart.prisma =====
+model OrganizationChart {
+  id               String       @id @default(dbgenerated("generate_prefixed_cuid('och'::text)"))
+  organizationId   String       @unique
+  organization     Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  name             String       @default("Organization Chart")
+  type             String       @default("interactive") // "interactive" or "uploaded"
+  nodes            Json         @default("[]")
+  edges            Json         @default("[]")
+  uploadedImageUrl String? // S3 key when type="uploaded"
+  createdAt        DateTime     @default(now())
+  updatedAt        DateTime     @updatedAt
+  @@index([organizationId])
+}
+// ===== organization-billing.prisma =====
+model OrganizationBilling {
+  id               String   @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
+  organizationId   String   @unique @map("organization_id")
+  stripeCustomerId String   @map("stripe_customer_id")
+  createdAt        DateTime @default(now()) @map("created_at")
+  updatedAt        DateTime @updatedAt @map("updated_at")
+  organization        Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  pentestSubscription PentestSubscription?
+  @@map("organization_billing")
+}
 // ===== organization.prisma =====
 model Organization {
   id                  String      @id @default(dbgenerated("generate_prefixed_cuid('org'::text)"))
@@ -1188,7 +1509,12 @@ model Organization {
   website             String?
   onboardingCompleted Boolean     @default(false)
   hasAccess           Boolean     @default(false)
-  advancedModeEnabled Boolean     @default(false)
+  advancedModeEnabled             Boolean     @default(false)
+  evidenceApprovalEnabled         Boolean     @default(false)
+  deviceAgentStepEnabled          Boolean     @default(true)
+  securityTrainingStepEnabled     Boolean     @default(true)
+  whistleblowerReportEnabled      Boolean     @default(true)
+  accessRequestFormEnabled        Boolean     @default(true)
   // FleetDM
   fleetDmLabelId        Int?
@@ -1212,9 +1538,11 @@ model Organization {
   taskItems                          TaskItem[]
   comments                           Comment[]
   attachments                        Attachment[]
+  evidenceSubmissions                EvidenceSubmission[]
   trust                              Trust[]
   context                            Context[]
   secrets                            Secret[]
+  securityPenetrationTestRuns        SecurityPenetrationTestRun[]
   trustAccessRequests                TrustAccessRequest[]
   trustNdaAgreements                 TrustNDAAgreement[]
   trustDocuments                     TrustDocument[]
@@ -1230,6 +1558,11 @@ model Organization {
   // Integration Platform
   integrationConnections IntegrationConnection[]
   integrationOAuthApps   IntegrationOAuthApp[]
+  integrationSyncLogs    IntegrationSyncLog[]
+  // Pentest Subscription
+  pentestSubscription PentestSubscription?
+  billing             OrganizationBilling?
   // Browser Automation
   browserbaseContext BrowserbaseContext?
@@ -1238,16 +1571,54 @@ model Organization {
   // Findings
   findings Finding[]
+  // Device Agent
+  devices Device[]
+  // Org Chart
+  organizationChart OrganizationChart?
+  // RBAC
+  organizationRoles          OrganizationRole[]
+  roleNotificationSettings   RoleNotificationSetting[]
   @@index([slug])
 }
+// ===== pentest-subscription.prisma =====
+model PentestSubscription {
+  id                    String   @id @default(dbgenerated("generate_prefixed_cuid('psub'::text)"))
+  organizationId        String   @unique @map("organization_id")
+  organizationBillingId String   @unique @map("organization_billing_id")
+  stripeSubscriptionId  String   @map("stripe_subscription_id")
+  stripePriceId         String   @map("stripe_price_id")
+  stripeOveragePriceId  String?  @map("stripe_overage_price_id")
+  status                String   @default("active") // active | cancelled | past_due
+  includedRunsPerPeriod Int      @default(3) @map("included_runs_per_period")
+  currentPeriodStart    DateTime @map("current_period_start")
+  currentPeriodEnd      DateTime @map("current_period_end")
+  createdAt             DateTime @default(now()) @map("created_at")
+  updatedAt             DateTime @updatedAt @map("updated_at")
+  organization        Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organizationBilling OrganizationBilling @relation(fields: [organizationBillingId], references: [id])
+  @@index([organizationId])
+  @@map("pentest_subscriptions")
+}
 // ===== policy.prisma =====
 enum PolicyDisplayFormat {
   EDITOR
   PDF
 }
+enum PolicyVisibility {
+  ALL        // Visible to everyone in organization
+  DEPARTMENT // Only visible to specified departments
+}
 model Policy {
   id               String              @id @default(dbgenerated("generate_prefixed_cuid('pol'::text)"))
   name             String
@@ -1264,6 +1635,10 @@ model Policy {
   displayFormat    PolicyDisplayFormat @default(EDITOR)
   pdfUrl           String?
+  // Visibility settings (for department-specific policies)
+  visibility           PolicyVisibility @default(ALL)
+  visibleToDepartments Departments[]    @default([])
   // Dates
   createdAt       DateTime  @default(now())
   updatedAt       DateTime  @updatedAt
@@ -1475,6 +1850,22 @@ model Secret {
 }
+// ===== security-penetration-test-run.prisma =====
+model SecurityPenetrationTestRun {
+  id           String   @id @default(dbgenerated("generate_prefixed_cuid('ptr'::text)"))
+  organizationId String @map("organization_id")
+  providerRunId String  @map("provider_run_id")
+  createdAt    DateTime @default(now()) @map("created_at")
+  updatedAt    DateTime @updatedAt @map("updated_at")
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  @@unique([providerRunId])
+  @@index([organizationId])
+  @@map("security_penetration_test_runs")
+}
 // ===== security-questionnaire-manual-answer.prisma =====
 model SecurityQuestionnaireManualAnswer {
   id       String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
@@ -1511,17 +1902,20 @@ model ApiKey {
   id         String    @id @default(dbgenerated("generate_prefixed_cuid('apk'::text)"))
   name       String
   key        String    @unique
+  keyPrefix  String?
   salt       String?
   createdAt  DateTime  @default(now())
   expiresAt  DateTime?
   lastUsedAt DateTime?
   isActive   Boolean   @default(true)
+  scopes     String[]  @default([])
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   organizationId String
   @@index([organizationId])
   @@index([key])
+  @@index([keyPrefix])
 }
 model AuditLog {
@@ -1561,6 +1955,21 @@ enum AuditLogEntityType {
   finding
 }
+enum EvidenceFormType {
+  board_meeting                   @map("board-meeting")
+  it_leadership_meeting           @map("it-leadership-meeting")
+  risk_committee_meeting          @map("risk-committee-meeting")
+  meeting
+  access_request                  @map("access-request")
+  whistleblower_report            @map("whistleblower-report")
+  penetration_test                @map("penetration-test")
+  rbac_matrix                     @map("rbac-matrix")
+  infrastructure_inventory        @map("infrastructure-inventory")
+  employee_performance_evaluation @map("employee-performance-evaluation")
+  network_diagram                 @map("network-diagram")
+  tabletop_exercise               @map("tabletop-exercise")
+}
 model GlobalVendors {
   website                     String   @id @unique
   company_name                String?
@@ -1846,14 +2255,21 @@ model Task {
   evidenceAutomations EvidenceAutomation[]
   browserAutomations  BrowserAutomation[]
-  EvidenceAutomationRun EvidenceAutomationRun[]
+  evidenceAutomationRuns EvidenceAutomationRun[]
   integrationCheckRuns  IntegrationCheckRun[]
   findings              Finding[]
+  // Evidence approval
+  approverId     String?
+  approver       Member?     @relation("TaskApprover", fields: [approverId], references: [id])
+  approvedAt     DateTime?
+  previousStatus TaskStatus?
 }
 enum TaskStatus {
   todo
   in_progress
+  in_review
   done
   not_relevant
   failed
@@ -1917,6 +2333,9 @@ model Trust {
   overviewContent String? // Markdown content with links
   showOverview    Boolean @default(false)
+  // Favicon for trust portal (stored in S3)
+  favicon String?
   @@id([status, organizationId])
   @@unique([organizationId])
   @@index([organizationId])