npm - @trycompai/db - Versions diffs - 1.3.22 → 2.0.1 - Mend

@trycompai/db 1.3.22 → 2.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/dist/client.d.ts +1 -1
package/dist/client.d.ts.map +1 -1
package/dist/client.js +23 -3
package/dist/index.d.ts +0 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +0 -3
package/dist/postinstall.js +1 -1
package/dist/scripts/backfill-framework-versions.d.ts +6 -0
package/dist/scripts/backfill-framework-versions.d.ts.map +1 -0
package/dist/scripts/backfill-framework-versions.js +142 -0
package/package.json +58 -55
package/dist/client.ts +0 -4
package/dist/index.ts +0 -2
package/dist/schema.prisma +0 -2193

package/dist/schema.prisma DELETED Viewed

@@ -1,2193 +0,0 @@
-generator client {
-  provider        = "prisma-client-js"
-  previewFeatures = ["postgresqlExtensions"]
-  binaryTargets   = ["rhel-openssl-3.0.x", "native", "debian-openssl-3.0.x", "linux-musl-openssl-3.0.x", "linux-musl-arm64-openssl-3.0.x"]
-}
-datasource db {
-  provider   = "postgresql"
-  url        = env("DATABASE_URL")
-  extensions = [pgcrypto]
-}
-// ===== attachments.prisma =====
-model Attachment {
-  id         String               @id @default(dbgenerated("generate_prefixed_cuid('att'::text)"))
-  name       String
-  url        String
-  type       AttachmentType
-  entityId   String
-  entityType AttachmentEntityType
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  comment        Comment?     @relation(fields: [commentId], references: [id])
-  commentId      String?
-  @@index([entityId, entityType])
-}
-enum AttachmentEntityType {
-  task
-  vendor
-  risk
-  comment
-  trust_nda
-  task_item
-}
-enum AttachmentType {
-  image
-  video
-  audio
-  document
-  other
-}
-// ===== auth.prisma =====
-model User {
-  id                             String    @id @default(dbgenerated("generate_prefixed_cuid('usr'::text)"))
-  name                           String
-  email                          String
-  emailVerified                  Boolean
-  image                          String?
-  createdAt                      DateTime  @default(now())
-  updatedAt                      DateTime  @updatedAt
-  lastLogin                      DateTime?
-  emailNotificationsUnsubscribed Boolean   @default(false)
-  emailPreferences               Json?     @default("{\"policyNotifications\":true,\"taskReminders\":true,\"weeklyTaskDigest\":true,\"unassignedItemsNotifications\":true}")
-  isPlatformAdmin                Boolean   @default(false)
-  accounts           Account[]
-  auditLog           AuditLog[]
-  integrationResults IntegrationResult[]
-  invitations        Invitation[]
-  members            Member[]
-  sessions           Session[]
-  fleetPolicyResults FleetPolicyResult[]
-  @@unique([email])
-}
-model EmployeeTrainingVideoCompletion {
-  id          String    @id @default(dbgenerated("generate_prefixed_cuid('evc'::text)"))
-  completedAt DateTime?
-  videoId     String
-  memberId String
-  member   Member @relation(fields: [memberId], references: [id], onDelete: Cascade)
-  @@unique([memberId, videoId])
-  @@index([memberId])
-}
-model Session {
-  id                   String   @id @default(dbgenerated("generate_prefixed_cuid('ses'::text)"))
-  expiresAt            DateTime
-  token                String
-  createdAt            DateTime @default(now())
-  updatedAt            DateTime @updatedAt
-  ipAddress            String?
-  userAgent            String?
-  userId               String
-  activeOrganizationId String?
-  user                 User     @relation(fields: [userId], references: [id], onDelete: Cascade)
-  @@unique([token])
-}
-model Account {
-  id                    String    @id @default(dbgenerated("generate_prefixed_cuid('acc'::text)"))
-  accountId             String
-  providerId            String
-  userId                String
-  user                  User      @relation(fields: [userId], references: [id], onDelete: Cascade)
-  accessToken           String?
-  refreshToken          String?
-  idToken               String?
-  accessTokenExpiresAt  DateTime?
-  refreshTokenExpiresAt DateTime?
-  scope                 String?
-  password              String?
-  createdAt             DateTime
-  updatedAt             DateTime
-}
-model Verification {
-  id         String   @id @default(dbgenerated("generate_prefixed_cuid('ver'::text)"))
-  identifier String
-  value      String
-  expiresAt  DateTime
-  createdAt  DateTime @default(now())
-  updatedAt  DateTime @updatedAt
-}
-// JWT Plugin - Required by Better Auth JWT plugin
-// https://www.better-auth.com/docs/plugins/jwt
-model Jwks {
-  id         String   @id @default(dbgenerated("generate_prefixed_cuid('jwk'::text)"))
-  publicKey  String
-  privateKey String
-  createdAt  DateTime @default(now())
-  @@map("jwks")
-}
-model Member {
-  id             String       @id @default(dbgenerated("generate_prefixed_cuid('mem'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  userId         String
-  user           User         @relation(fields: [userId], references: [id], onDelete: Cascade)
-  role           String // Purposefully a string, since BetterAuth doesn't support enums this way
-  createdAt      DateTime     @default(now())
-  department                      Departments                       @default(none)
-  isActive                        Boolean                           @default(true)
-  deactivated                     Boolean                           @default(false)
-  employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
-  fleetDmLabelId                  Int?
-  assignedPolicies       Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
-  approvedPolicies       Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
-  approvedSOADocuments   SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
-  risks                  Risk[]
-  tasks                  Task[]
-  vendors                Vendor[]
-  comments               Comment[]
-  auditLogs              AuditLog[]
-  reviewedAccessRequests TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
-  issuedGrants           TrustAccessGrant[]   @relation("IssuedGrants")
-  revokedGrants          TrustAccessGrant[]   @relation("RevokedGrants")
-  createdTaskItems       TaskItem[]           @relation("TaskItemCreator")
-  updatedTaskItems       TaskItem[]           @relation("TaskItemUpdater")
-  assignedTaskItems      TaskItem[]           @relation("TaskItemAssignee")
-  createdFindings        Finding[]            @relation("FindingCreatedBy")
-  publishedPolicyVersions PolicyVersion[]     @relation("PolicyVersionPublisher")
-}
-model Invitation {
-  id             String       @id @default(dbgenerated("generate_prefixed_cuid('inv'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  email          String
-  role           String // Purposefully a string, since BetterAuth doesn't support enums this way
-  status         String
-  expiresAt      DateTime
-  inviterId      String
-  user           User         @relation(fields: [inviterId], references: [id], onDelete: Cascade)
-  createdAt      DateTime     @default(now())
-}
-// This is only for the app to consume, shouldn't be enforced by DB
-// Otherwise it won't work with Better Auth, as per https://www.better-auth.com/docs/plugins/organization#access-control
-enum Role {
-  owner
-  admin
-  auditor
-  employee
-  contractor
-}
-enum PolicyStatus {
-  draft
-  published
-  needs_review
-}
-// ===== automation-run.prisma =====
-model EvidenceAutomationRun {
-  id        String   @id @default(dbgenerated("generate_prefixed_cuid('ear'::text)"))
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relations
-  evidenceAutomationId String
-  evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
-  // Run details
-  status      EvidenceAutomationRunStatus @default(pending)
-  startedAt   DateTime?
-  completedAt DateTime?
-  // Results
-  success Boolean?
-  error   String?
-  logs    Json?
-  output  Json?
-  // Evaluation
-  evaluationStatus EvidenceAutomationEvaluationStatus?
-  evaluationReason String?
-  // Metadata
-  triggeredBy EvidenceAutomationTrigger @default(scheduled)
-  runDuration Int? // in milliseconds
-  version     Int? // Version number that was executed (null = draft)
-  Task        Task?                     @relation(fields: [taskId], references: [id])
-  taskId      String?
-  @@index([evidenceAutomationId])
-  @@index([status])
-  @@index([createdAt])
-  @@index([version])
-}
-enum EvidenceAutomationRunStatus {
-  pending
-  running
-  completed
-  failed
-  cancelled
-}
-enum EvidenceAutomationTrigger {
-  manual
-  scheduled
-  api
-}
-enum EvidenceAutomationEvaluationStatus {
-  pass
-  fail
-}
-// ===== automation-version.prisma =====
-model EvidenceAutomationVersion {
-  id        String   @id @default(dbgenerated("generate_prefixed_cuid('eav'::text)"))
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relations
-  evidenceAutomationId String
-  evidenceAutomation   EvidenceAutomation @relation(fields: [evidenceAutomationId], references: [id], onDelete: Cascade)
-  // Version details
-  version     Int // Sequential version number (1, 2, 3...)
-  scriptKey   String // S3 key for this version's script
-  publishedBy String? // User ID who published
-  changelog   String? // Optional description of changes
-  @@unique([evidenceAutomationId, version])
-  @@index([evidenceAutomationId])
-  @@index([createdAt])
-}
-// ===== automation.prisma =====
-model EvidenceAutomation {
-  id          String   @id @default(dbgenerated("generate_prefixed_cuid('aut'::text)"))
-  name        String
-  description String?
-  createdAt   DateTime @default(now())
-  isEnabled   Boolean  @default(false)
-  chatHistory        String?
-  evaluationCriteria String?
-  taskId String
-  task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
-  // Relations
-  runs     EvidenceAutomationRun[]
-  versions EvidenceAutomationVersion[]
-  @@index([taskId])
-}
-// ===== browserbase-context.prisma =====
-/// Stores Browserbase context IDs for browser-based automation
-/// One context per organization - shared like a normal browser
-model BrowserbaseContext {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('bbc'::text)"))
-    /// Organization that owns this browser context
-    organizationId String       @unique
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Browserbase context ID from their API
-    contextId String
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    @@index([organizationId])
-}
-/// Browser automation configuration linked to a task
-model BrowserAutomation {
-    id          String  @id @default(dbgenerated("generate_prefixed_cuid('bau'::text)"))
-    name        String
-    description String?
-    /// Task this automation belongs to
-    taskId String
-    task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
-    /// Starting URL for the automation
-    targetUrl String
-    /// Natural language instruction for the AI agent
-    instruction String
-    /// Whether automation is enabled for scheduled runs
-    isEnabled Boolean @default(false)
-    /// Cron expression for scheduled runs (null = manual only)
-    schedule String?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    runs BrowserAutomationRun[]
-    @@index([taskId])
-}
-/// Records of browser automation executions
-model BrowserAutomationRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('bar'::text)"))
-    /// Parent automation
-    automationId String
-    automation   BrowserAutomation @relation(fields: [automationId], references: [id], onDelete: Cascade)
-    /// Execution status
-    status BrowserAutomationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
-    /// Screenshot URL in S3 (if successful)
-    screenshotUrl String?
-    /// Evaluation result - whether the automation fulfilled the task requirements
-    evaluationStatus BrowserAutomationEvaluationStatus?
-    /// AI explanation of why it passed or failed
-    evaluationReason String?
-    /// Error message (if failed)
-    error String?
-    createdAt DateTime @default(now())
-    @@index([automationId])
-    @@index([status])
-    @@index([createdAt])
-}
-enum BrowserAutomationEvaluationStatus {
-    pass
-    fail
-}
-enum BrowserAutomationRunStatus {
-    pending
-    running
-    completed
-    failed
-}
-// ===== comment.prisma =====
-model Comment {
-  id         String            @id @default(dbgenerated("generate_prefixed_cuid('cmt'::text)"))
-  content    String
-  entityId   String
-  entityType CommentEntityType
-  // Dates
-  createdAt DateTime @default(now())
-  // Relationships
-  authorId       String
-  author         Member       @relation(fields: [authorId], references: [id])
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  // Relation to Attachments
-  attachments Attachment[]
-  @@index([entityId])
-}
-enum CommentEntityType {
-  task
-  vendor
-  risk
-  policy
-}
-// ===== context.prisma =====
-model Context {
-  id             String       @id @default(dbgenerated("generate_prefixed_cuid('ctx'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  question String
-  answer   String
-  tags String[]
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@index([organizationId])
-  @@index([question])
-  @@index([answer])
-  @@index([tags])
-}
-// ===== control.prisma =====
-model Control {
-  // Metadata
-  id          String @id @default(dbgenerated("generate_prefixed_cuid('ctl'::text)"))
-  name        String
-  description String
-  // Review dates
-  lastReviewDate DateTime?
-  nextReviewDate DateTime?
-  // Relationships
-  organization       Organization                    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  organizationId     String
-  requirementsMapped RequirementMap[]
-  tasks              Task[]
-  policies           Policy[]
-  controlTemplateId  String?
-  controlTemplate    FrameworkEditorControlTemplate? @relation(fields: [controlTemplateId], references: [id])
-  @@index([organizationId])
-}
-// ===== finding.prisma =====
-enum FindingType {
-  soc2
-  iso27001
-}
-enum FindingStatus {
-  open
-  ready_for_review
-  needs_revision
-  closed
-}
-model FindingTemplate {
-  id        String   @id @default(dbgenerated("generate_prefixed_cuid('fnd_t'::text)"))
-  category  String // e.g., "evidence_issue", "further_evidence", "task_specific", "na_incorrect"
-  title     String // Short title
-  content   String // Full message template
-  order     Int      @default(0)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  findings Finding[]
-}
-model Finding {
-  id           String        @id @default(dbgenerated("generate_prefixed_cuid('fnd'::text)"))
-  type         FindingType   @default(soc2)
-  status       FindingStatus @default(open)
-  content      String // Custom message or copied from template
-  revisionNote String? // Auditor's note when requesting revision
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  taskId         String
-  task           Task             @relation(fields: [taskId], references: [id], onDelete: Cascade)
-  templateId     String?
-  template       FindingTemplate? @relation(fields: [templateId], references: [id])
-  createdById    String
-  createdBy      Member           @relation("FindingCreatedBy", fields: [createdById], references: [id])
-  organizationId String
-  organization   Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  @@index([taskId])
-  @@index([organizationId, status])
-}
-// ===== fleet-policy-result.prisma =====
-model FleetPolicyResult {
-  id                  String   @id @default(dbgenerated("generate_prefixed_cuid('fpr'::text)"))
-  userId              String
-  organizationId      String
-  fleetPolicyId       Int
-  fleetPolicyName     String
-  fleetPolicyResponse String
-  attachments         String[] @default([])
-  createdAt           DateTime @default(now())
-  updatedAt           DateTime @updatedAt
-  user         User         @relation(fields: [userId], references: [id], onDelete: Cascade)
-  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  @@index([userId])
-  @@index([organizationId])
-}
-// ===== framework-editor.prisma =====
-// --- Data for Framework Editor ---
-model FrameworkEditorVideo {
-  id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_vi'::text)"))
-  title       String
-  description String
-  youtubeId   String
-  url         String
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-}
-model FrameworkEditorFramework {
-  id          String  @id @default(dbgenerated("generate_prefixed_cuid('frk'::text)"))
-  name        String // e.g., "soc2", "iso27001"
-  version     String
-  description String
-  visible     Boolean @default(false)
-  requirements       FrameworkEditorRequirement[]
-  frameworkInstances FrameworkInstance[]
-  soaConfigurations  SOAFrameworkConfiguration[] // Multiple SOA config versions per framework
-  soaDocuments       SOADocument[] // SOA documents from organizations
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-}
-model FrameworkEditorRequirement {
-  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('frk_rq'::text)"))
-  frameworkId String
-  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id])
-  name        String // Original requirement ID within that framework, e.g., "Privacy"
-  identifier  String @default("") // Unique identifier for the requirement, e.g., "cc1-1"
-  description String
-  controlTemplates FrameworkEditorControlTemplate[]
-  requirementMaps  RequirementMap[]
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-}
-model FrameworkEditorPolicyTemplate {
-  id          String      @id @default(dbgenerated("generate_prefixed_cuid('frk_pt'::text)"))
-  name        String
-  description String
-  frequency   Frequency // Using the enum from shared.prisma
-  department  Departments // Using the enum from shared.prisma
-  content     Json
-  controlTemplates FrameworkEditorControlTemplate[]
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-  // Instances
-  policies Policy[]
-}
-model FrameworkEditorTaskTemplate {
-  id               String               @id @default(dbgenerated("generate_prefixed_cuid('frk_tt'::text)"))
-  name             String
-  description      String
-  frequency        Frequency            // Using the enum from shared.prisma
-  department       Departments          // Using the enum from shared.prisma
-  automationStatus TaskAutomationStatus @default(AUTOMATED)
-  controlTemplates FrameworkEditorControlTemplate[]
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-  // Instances
-  tasks Task[]
-}
-model FrameworkEditorControlTemplate {
-  id          String @id @default(dbgenerated("generate_prefixed_cuid('frk_ct'::text)"))
-  name        String
-  description String
-  policyTemplates FrameworkEditorPolicyTemplate[]
-  requirements    FrameworkEditorRequirement[]
-  taskTemplates   FrameworkEditorTaskTemplate[]
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @default(now()) @updatedAt
-  // Instances
-  controls Control[]
-}
-// ===== framework.prisma =====
-model FrameworkInstance {
-  // Metadata
-  id             String @id @default(dbgenerated("generate_prefixed_cuid('frm'::text)"))
-  organizationId String
-  frameworkId String
-  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
-  // Relationships
-  organization       Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  requirementsMapped RequirementMap[]
-  @@unique([organizationId, frameworkId])
-}
-// ===== integration-platform.prisma =====
-// ===== Integration Platform =====
-// New integration platform models for scalable, config-driven integrations
-/// Stores metadata about available integration providers (synced from code manifests)
-model IntegrationProvider {
-    id           String  @id @default(dbgenerated("generate_prefixed_cuid('prv'::text)"))
-    /// Unique slug matching manifest ID (e.g., "github", "slack")
-    slug         String  @unique
-    /// Display name
-    name         String
-    /// Category for grouping
-    category     String
-    /// Hash of manifest for detecting changes
-    manifestHash String?
-    /// Capabilities JSON array
-    capabilities Json    @default("[]")
-    /// Whether provider is active
-    isActive     Boolean @default(true)
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    connections IntegrationConnection[]
-    @@index([slug])
-    @@index([category])
-}
-/// Represents an organization's connection to an integration provider
-model IntegrationConnection {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icn'::text)"))
-    /// Reference to the provider
-    providerId String
-    provider   IntegrationProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
-    /// Organization that owns this connection
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Connection status
-    status IntegrationConnectionStatus @default(pending)
-    /// Auth strategy used (oauth2, api_key, basic, jwt, custom)
-    authStrategy String
-    /// Reference to active credential version
-    activeCredentialVersionId String?
-    /// Last successful sync timestamp
-    lastSyncAt DateTime?
-    /// Next scheduled sync timestamp
-    nextSyncAt DateTime?
-    /// Custom sync cadence (cron expression), null = use default
-    syncCadence String?
-    /// Additional metadata (e.g., connected account info)
-    metadata Json?
-    /// User-configured variables for checks (collected after OAuth)
-    variables Json?
-    /// Error message if status is error
-    errorMessage String?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    credentialVersions IntegrationCredentialVersion[]
-    runs               IntegrationRun[]
-    findings           IntegrationPlatformFinding[]
-    checkRuns          IntegrationCheckRun[]
-    @@index([organizationId])
-    @@index([providerId])
-    @@index([providerId, organizationId])
-    @@index([status])
-}
-enum IntegrationConnectionStatus {
-    pending // Awaiting credential setup
-    active // Connected and operational
-    error // Connection has errors
-    paused // Manually paused by user
-    disconnected // User disconnected
-}
-/// Stores encrypted credentials with versioning for audit trail
-model IntegrationCredentialVersion {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icv'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Encrypted credential payload (JSON with encrypted fields)
-    encryptedPayload Json
-    /// Version number (auto-increment per connection)
-    version Int
-    /// Token expiration (for OAuth tokens)
-    expiresAt DateTime?
-    /// When this version was rotated/replaced
-    rotatedAt DateTime?
-    createdAt DateTime @default(now())
-    @@unique([connectionId, version])
-    @@index([connectionId])
-}
-/// Records each sync/job execution for audit and debugging
-model IntegrationRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('irn'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Type of job
-    jobType IntegrationRunJobType
-    /// Execution status
-    status IntegrationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
-    /// Number of findings from this run
-    findingsCount Int @default(0)
-    /// Error details if failed
-    error Json?
-    /// Additional metadata (trigger source, cursor, etc.)
-    metadata Json?
-    createdAt DateTime @default(now())
-    findings IntegrationPlatformFinding[]
-    @@index([connectionId])
-    @@index([status])
-    @@index([createdAt])
-}
-enum IntegrationRunJobType {
-    full_sync
-    delta_sync
-    webhook
-    manual
-    test_connection
-}
-enum IntegrationRunStatus {
-    pending
-    running
-    success
-    failed
-    cancelled
-}
-/// Stores findings/results from integration syncs
-model IntegrationPlatformFinding {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ipf'::text)"))
-    /// Parent run (optional - webhooks may not have runs)
-    runId String?
-    run   IntegrationRun? @relation(fields: [runId], references: [id], onDelete: SetNull)
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Resource classification
-    resourceType String
-    resourceId   String
-    /// Finding details
-    title       String
-    description String?
-    /// Severity level
-    severity IntegrationFindingSeverity @default(info)
-    /// Finding status
-    status IntegrationFindingStatus @default(open)
-    /// Remediation guidance
-    remediation String?
-    /// Raw payload from provider
-    rawPayload Json?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    @@index([connectionId])
-    @@index([runId])
-    @@index([resourceType, resourceId])
-    @@index([severity])
-    @@index([status])
-}
-enum IntegrationFindingSeverity {
-    info
-    low
-    medium
-    high
-    critical
-}
-enum IntegrationFindingStatus {
-    open
-    resolved
-    ignored
-}
-/// Stores OAuth state for CSRF protection during OAuth flow
-model IntegrationOAuthState {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ios'::text)"))
-    /// Random state parameter
-    state String @unique
-    /// Provider slug
-    providerSlug String
-    /// Organization initiating the OAuth
-    organizationId String
-    /// User initiating the OAuth
-    userId String
-    /// PKCE code verifier (if using PKCE)
-    codeVerifier String?
-    /// Redirect URL after OAuth completes
-    redirectUrl String?
-    /// Expiration timestamp
-    expiresAt DateTime
-    createdAt DateTime @default(now())
-    @@index([state])
-    @@index([expiresAt])
-}
-/// Stores organization-level OAuth app credentials
-/// Allows orgs (especially self-hosters) to use their own OAuth apps
-model IntegrationOAuthApp {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ioa'::text)"))
-    /// Provider slug (e.g., "github", "slack")
-    providerSlug String
-    /// Organization that owns this OAuth app config
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Encrypted client ID
-    encryptedClientId Json
-    /// Encrypted client secret
-    encryptedClientSecret Json
-    /// Optional: custom scopes (overrides manifest defaults)
-    customScopes String[]
-    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
-    /// Stored as JSON: { "appName": "compai533c" }
-    customSettings Json?
-    /// Whether this config is active
-    isActive Boolean @default(true)
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    @@unique([providerSlug, organizationId])
-    @@index([organizationId])
-    @@index([providerSlug])
-}
-/// Records check runs linked to tasks for compliance verification
-model IntegrationCheckRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icr'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Task being verified (optional - checks can run without a task)
-    taskId String?
-    task   Task?   @relation(fields: [taskId], references: [id], onDelete: SetNull)
-    /// Check ID from the manifest
-    checkId String
-    /// Check name (denormalized for display)
-    checkName String
-    /// Execution status
-    status IntegrationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
-    /// Summary counts
-    totalChecked Int @default(0)
-    passedCount  Int @default(0)
-    failedCount  Int @default(0)
-    /// Error message if failed
-    errorMessage String?
-    /// Full execution logs (JSON array)
-    logs Json?
-    createdAt DateTime @default(now())
-    /// Results from this check run
-    results IntegrationCheckResult[]
-    @@index([connectionId])
-    @@index([taskId])
-    @@index([checkId])
-    @@index([status])
-    @@index([createdAt])
-}
-/// Stores individual results (pass/fail) from check runs
-model IntegrationCheckResult {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icx'::text)"))
-    /// Parent check run
-    checkRunId String
-    checkRun   IntegrationCheckRun @relation(fields: [checkRunId], references: [id], onDelete: Cascade)
-    /// Whether this result is a pass or fail
-    passed Boolean
-    /// Resource classification
-    resourceType String
-    resourceId   String
-    /// Result details
-    title       String
-    description String?
-    /// Severity (for failures)
-    severity IntegrationFindingSeverity?
-    /// Remediation guidance (for failures)
-    remediation String?
-    /// Evidence/proof (JSON - API response data)
-    evidence Json?
-    /// When this evidence was collected
-    collectedAt DateTime @default(now())
-    @@index([checkRunId])
-    @@index([passed])
-    @@index([resourceType, resourceId])
-}
-/// Stores platform-wide OAuth app credentials
-/// Used by platform operators to provide default OAuth apps for all users
-model IntegrationPlatformCredential {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ipc'::text)"))
-    /// Provider slug (e.g., "github", "slack") - unique per platform
-    providerSlug String @unique
-    /// Encrypted client ID
-    encryptedClientId Json
-    /// Encrypted client secret
-    encryptedClientSecret Json
-    /// Optional: custom scopes (overrides manifest defaults)
-    customScopes String[]
-    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
-    /// Stored as JSON: { "appName": "compai533c" }
-    customSettings Json?
-    /// Whether this credential is active
-    isActive Boolean @default(true)
-    /// Who created this credential
-    createdById String?
-    /// Who last updated this credential
-    updatedById String?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
-    @@index([providerSlug])
-}
-// ===== integration.prisma =====
-model Integration {
-  id             String              @id @default(dbgenerated("generate_prefixed_cuid('int'::text)"))
-  name           String
-  integrationId  String
-  settings       Json
-  userSettings   Json
-  organizationId String
-  lastRunAt      DateTime?
-  organization   Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  results        IntegrationResult[]
-  @@index([organizationId])
-}
-model IntegrationResult {
-  id             String    @id @default(dbgenerated("generate_prefixed_cuid('itr'::text)"))
-  title          String?
-  description    String?
-  remediation    String?
-  status         String?
-  severity       String?
-  resultDetails  Json?
-  completedAt    DateTime? @default(now())
-  integrationId  String
-  organizationId String
-  assignedUserId String?
-  assignedUser User?       @relation(fields: [assignedUserId], references: [id], onDelete: Cascade)
-  integration  Integration @relation(fields: [integrationId], references: [id], onDelete: Cascade)
-  @@index([integrationId])
-}
-// ===== knowledge-base-document.prisma =====
-model KnowledgeBaseDocument {
-  id               String                                @id @default(dbgenerated("generate_prefixed_cuid('kbd'::text)"))
-  name             String // Original filename
-  description      String? // Optional user description/notes
-  s3Key            String // S3 storage key (e.g., "org123/knowledge-base-documents/timestamp-file.pdf")
-  fileType         String // MIME type (e.g., "application/pdf")
-  fileSize         Int // File size in bytes
-  processingStatus KnowledgeBaseDocumentProcessingStatus @default(pending) // Track indexing status
-  processedAt      DateTime? // When indexing completed
-  triggerRunId     String? // Trigger.dev run ID for tracking processing progress
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  @@index([organizationId])
-  @@index([organizationId, processingStatus])
-  @@index([s3Key])
-  @@index([triggerRunId])
-}
-enum KnowledgeBaseDocumentProcessingStatus {
-  pending // Uploaded but not yet processed/indexed
-  processing // Currently being processed/indexed
-  completed // Successfully indexed in vector database
-  failed // Processing failed
-}
-// ===== onboarding.prisma =====
-model Onboarding {
-  organizationId        String       @id
-  organization          Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  policies              Boolean      @default(false)
-  employees             Boolean      @default(false)
-  vendors               Boolean      @default(false)
-  integrations          Boolean      @default(false)
-  risk                  Boolean      @default(false)
-  team                  Boolean      @default(false)
-  tasks                 Boolean      @default(false)
-  callBooked            Boolean      @default(false)
-  companyBookingDetails Json?
-  companyDetails        Json?
-  triggerJobId          String?
-  triggerJobCompleted   Boolean      @default(false)
-  @@index([organizationId])
-}
-// ===== organization.prisma =====
-model Organization {
-  id                  String      @id @default(dbgenerated("generate_prefixed_cuid('org'::text)"))
-  name                String
-  slug                String      @unique @default(dbgenerated("generate_prefixed_cuid('slug'::text)"))
-  logo                String?
-  createdAt           DateTime    @default(now())
-  metadata            String?
-  onboarding          Onboarding?
-  website             String?
-  onboardingCompleted Boolean     @default(false)
-  hasAccess           Boolean     @default(false)
-  advancedModeEnabled Boolean     @default(false)
-  // FleetDM
-  fleetDmLabelId        Int?
-  isFleetSetupCompleted Boolean @default(false)
-  // Employee sync provider (e.g., 'google-workspace', 'rippling')
-  // When set, the scheduled sync will only use this provider
-  employeeSyncProvider String?
-  apiKeys                            ApiKey[]
-  auditLog                           AuditLog[]
-  controls                           Control[]
-  frameworkInstances                 FrameworkInstance[]
-  integrations                       Integration[]
-  invitations                        Invitation[]
-  members                            Member[]
-  policy                             Policy[]
-  risk                               Risk[]
-  vendors                            Vendor[]
-  tasks                              Task[]
-  taskItems                          TaskItem[]
-  comments                           Comment[]
-  attachments                        Attachment[]
-  trust                              Trust[]
-  context                            Context[]
-  secrets                            Secret[]
-  trustAccessRequests                TrustAccessRequest[]
-  trustNdaAgreements                 TrustNDAAgreement[]
-  trustDocuments                     TrustDocument[]
-  trustResources                     TrustResource[]                     @relation("OrganizationTrustResources")
-  trustCustomLinks                   TrustCustomLink[]
-  knowledgeBaseDocuments             KnowledgeBaseDocument[]
-  questionnaires                     Questionnaire[]
-  securityQuestionnaireManualAnswers SecurityQuestionnaireManualAnswer[]
-  soaDocuments                       SOADocument[]
-  primaryColor                       String?
-  trustPortalFaqs                    Json? // Array of { question: string, answer: string, order: number }
-  // Integration Platform
-  integrationConnections IntegrationConnection[]
-  integrationOAuthApps   IntegrationOAuthApp[]
-  // Browser Automation
-  browserbaseContext BrowserbaseContext?
-  fleetPolicyResults FleetPolicyResult[]
-  // Findings
-  findings Finding[]
-  @@index([slug])
-}
-// ===== policy.prisma =====
-enum PolicyDisplayFormat {
-  EDITOR
-  PDF
-}
-model Policy {
-  id               String              @id @default(dbgenerated("generate_prefixed_cuid('pol'::text)"))
-  name             String
-  description      String?
-  status           PolicyStatus        @default(draft)
-  content          Json[]
-  draftContent     Json[]              @default([])
-  frequency        Frequency?
-  department       Departments?
-  isRequiredToSign Boolean             @default(true)
-  signedBy         String[]            @default([])
-  reviewDate       DateTime?
-  isArchived       Boolean             @default(false)
-  displayFormat    PolicyDisplayFormat @default(EDITOR)
-  pdfUrl           String?
-  // Dates
-  createdAt       DateTime  @default(now())
-  updatedAt       DateTime  @updatedAt
-  lastArchivedAt  DateTime?
-  lastPublishedAt DateTime?
-  // Relationships
-  organizationId   String
-  organization     Organization                   @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  assigneeId       String?
-  assignee         Member?                        @relation("PolicyAssignee", fields: [assigneeId], references: [id], onDelete: SetNull, onUpdate: Cascade)
-  approverId       String?
-  approver         Member?                        @relation("PolicyApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
-  policyTemplateId String?
-  policyTemplate   FrameworkEditorPolicyTemplate? @relation(fields: [policyTemplateId], references: [id])
-  controls         Control[]
-  currentVersionId String?                        @unique
-  currentVersion   PolicyVersion?                 @relation("PolicyCurrentVersion", fields: [currentVersionId], references: [id])
-  pendingVersionId String?
-  versions         PolicyVersion[]                @relation("PolicyVersions")
-  @@index([organizationId])
-}
-model PolicyVersion {
-  id        String   @id @default(dbgenerated("generate_prefixed_cuid('pv'::text)"))
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relations
-  policyId String
-  policy   Policy @relation("PolicyVersions", fields: [policyId], references: [id], onDelete: Cascade)
-  currentForPolicy Policy? @relation("PolicyCurrentVersion")
-  // Version details
-  version       Int
-  content       Json[]
-  pdfUrl        String?
-  publishedById String?
-  publishedBy   Member? @relation("PolicyVersionPublisher", fields: [publishedById], references: [id], onDelete: SetNull)
-  changelog     String?
-  @@unique([policyId, version])
-  @@index([policyId])
-  @@index([createdAt])
-}
-// ===== questionnaire.prisma =====
-model Questionnaire {
-  id                String              @id @default(dbgenerated("generate_prefixed_cuid('qst'::text)"))
-  filename          String // Original filename
-  s3Key             String // S3 storage key for the uploaded file
-  fileType          String // MIME type (e.g., "application/pdf")
-  fileSize          Int // File size in bytes
-  status            QuestionnaireStatus @default(parsing) // Parsing status
-  parsedAt          DateTime? // When parsing completed
-  totalQuestions    Int                 @default(0) // Total number of questions parsed
-  answeredQuestions Int                 @default(0) // Number of questions with answers
-  source            String              @default("internal") // Source of the questionnaire: 'internal' (from app) or 'external' (from trust portal)
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  organizationId String
-  organization   Organization                        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  questions      QuestionnaireQuestionAnswer[]
-  manualAnswers  SecurityQuestionnaireManualAnswer[] // Manual answers saved from this questionnaire
-  @@index([organizationId])
-  @@index([organizationId, createdAt])
-  @@index([status])
-  @@index([source])
-}
-model QuestionnaireQuestionAnswer {
-  id            String                    @id @default(dbgenerated("generate_prefixed_cuid('qqa'::text)"))
-  question      String // The question text
-  answer        String? // The answer (nullable if not provided in file or not generated yet)
-  status        QuestionnaireAnswerStatus @default(untouched) // Answer status
-  questionIndex Int // Order/index of the question in the questionnaire
-  sources       Json? // Sources used for generated answers (array of source objects)
-  generatedAt   DateTime? // When answer was generated (if status is generated)
-  updatedBy     String? // User ID who last updated the answer (if manual)
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  questionnaireId String
-  questionnaire   Questionnaire @relation(fields: [questionnaireId], references: [id], onDelete: Cascade)
-  @@index([questionnaireId])
-  @@index([questionnaireId, questionIndex])
-  @@index([status])
-}
-enum QuestionnaireStatus {
-  parsing // Currently being parsed
-  completed // Successfully parsed
-  failed // Parsing failed
-}
-enum QuestionnaireAnswerStatus {
-  untouched // No answer yet (empty or not generated)
-  generated // AI generated answer
-  manual // Manually written/edited by user
-}
-// ===== requirement.prisma =====
-model RequirementMap {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('req'::text)"))
-  requirementId String
-  requirement   FrameworkEditorRequirement @relation(fields: [requirementId], references: [id], onDelete: Cascade)
-  controlId String
-  control   Control @relation(fields: [controlId], references: [id], onDelete: Cascade)
-  frameworkInstanceId String
-  frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
-  @@unique([controlId, frameworkInstanceId, requirementId])
-  @@index([requirementId, frameworkInstanceId])
-}
-// ===== risk.prisma =====
-model Risk {
-  // Metadata
-  id                           String            @id @default(dbgenerated("generate_prefixed_cuid('rsk'::text)"))
-  title                        String
-  description                  String
-  category                     RiskCategory
-  department                   Departments?
-  status                       RiskStatus        @default(open)
-  likelihood                   Likelihood        @default(very_unlikely)
-  impact                       Impact            @default(insignificant)
-  residualLikelihood           Likelihood        @default(very_unlikely)
-  residualImpact               Impact            @default(insignificant)
-  treatmentStrategyDescription String?
-  treatmentStrategy            RiskTreatmentType @default(accept)
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  assigneeId     String?
-  assignee       Member?      @relation(fields: [assigneeId], references: [id])
-  tasks          Task[]
-  @@index([organizationId])
-  @@index([category])
-  @@index([status])
-}
-enum RiskTreatmentType {
-  accept
-  avoid
-  mitigate
-  transfer
-}
-enum RiskCategory {
-  customer
-  fraud
-  governance
-  operations
-  other
-  people
-  regulatory
-  reporting
-  resilience
-  technology
-  vendor_management
-}
-enum RiskStatus {
-  open
-  pending
-  closed
-  archived
-}
-// ===== secret.prisma =====
-model Secret {
-  id             String    @id @default(dbgenerated("generate_prefixed_cuid('sec'::text)"))
-  organizationId String    @map("organization_id")
-  name           String
-  value          String    @db.Text // Encrypted value
-  description    String?   @db.Text
-  category       String? // e.g., "api", "webhook", "database", etc.
-  lastUsedAt     DateTime? @map("last_used_at")
-  createdAt      DateTime  @default(now()) @map("created_at")
-  updatedAt      DateTime  @updatedAt @map("updated_at")
-  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  @@unique([organizationId, name])
-  @@map("secrets")
-}
-// ===== security-questionnaire-manual-answer.prisma =====
-model SecurityQuestionnaireManualAnswer {
-  id       String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
-  question String // The question text
-  answer   String // The answer text (required for saved answers)
-  tags     String[] @default([]) // Optional tags for categorization
-  // Optional reference to original questionnaire (for tracking)
-  sourceQuestionnaireId String?
-  sourceQuestionnaire   Questionnaire? @relation(fields: [sourceQuestionnaireId], references: [id], onDelete: SetNull)
-  // User who created/updated this answer
-  createdBy String? // User ID
-  updatedBy String? // User ID
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  @@unique([organizationId, question]) // Prevent duplicate questions per organization
-  @@index([organizationId])
-  @@index([organizationId, question])
-  @@index([tags])
-  @@index([createdAt])
-}
-// ===== shared.prisma =====
-model ApiKey {
-  id         String    @id @default(dbgenerated("generate_prefixed_cuid('apk'::text)"))
-  name       String
-  key        String    @unique
-  salt       String?
-  createdAt  DateTime  @default(now())
-  expiresAt  DateTime?
-  lastUsedAt DateTime?
-  isActive   Boolean   @default(true)
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  organizationId String
-  @@index([organizationId])
-  @@index([key])
-}
-model AuditLog {
-  id             String              @id @default(dbgenerated("generate_prefixed_cuid('aud'::text)"))
-  timestamp      DateTime            @default(now())
-  organizationId String
-  userId         String
-  memberId       String?
-  data           Json
-  description    String?
-  entityId       String?
-  entityType     AuditLogEntityType?
-  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  user         User         @relation(fields: [userId], references: [id], onDelete: Cascade)
-  member       Member?      @relation(fields: [memberId], references: [id], onDelete: Cascade)
-  @@index([userId])
-  @@index([organizationId])
-  @@index([memberId])
-  @@index([entityType])
-}
-enum AuditLogEntityType {
-  organization
-  framework
-  requirement
-  control
-  policy
-  task
-  people
-  risk
-  vendor
-  tests
-  integration
-  trust
-  finding
-}
-model GlobalVendors {
-  website                     String   @id @unique
-  company_name                String?
-  legal_name                  String?
-  company_description         String?
-  company_hq_address          String?
-  privacy_policy_url          String?
-  terms_of_service_url        String?
-  service_level_agreement_url String?
-  security_page_url           String?
-  trust_page_url              String?
-  security_certifications     String[]
-  subprocessors               String[]
-  type_of_company             String?
-  // Vendor Risk Assessment (shared across all organizations)
-  riskAssessmentData      Json?
-  riskAssessmentVersion   String?
-  riskAssessmentUpdatedAt DateTime?
-  approved  Boolean  @default(false)
-  createdAt DateTime @default(now())
-  @@index([website])
-}
-enum Departments {
-  none
-  admin
-  gov
-  hr
-  it
-  itsm
-  qms
-}
-enum Frequency {
-  monthly
-  quarterly
-  yearly
-}
-enum Likelihood {
-  very_unlikely
-  unlikely
-  possible
-  likely
-  very_likely
-}
-enum Impact {
-  insignificant
-  minor
-  moderate
-  major
-  severe
-}
-// ===== soa.prisma =====
-// Statement of Applicability (SOA) Auto-complete Configuration and Answers
-model SOAFrameworkConfiguration {
-  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('soa_cfg'::text)"))
-  frameworkId String
-  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
-  // Configuration versioning - allows multiple configurations per framework
-  version  Int     @default(1) // Version number for this configuration (increments when config changes)
-  isLatest Boolean @default(true) // Whether this is the latest configuration version
-  // Column definitions for SOA structure (template used when creating new documents)
-  columns Json // Array of { name: string, type: string } objects
-  // Example: [{ name: "Control ID", type: "string" }, { name: "Control Name", type: "string" }, { name: "Applicable", type: "boolean" }, { name: "Justification", type: "text" }]
-  // Predefined questions for this framework
-  // Documents reference a specific configuration version via SOADocument.configurationId
-  // Old documents keep their old config version, new documents use new config version
-  questions Json // Array of question objects with unique IDs
-  // Example: [{ id: "A.5.1.1", text: "Is this control applicable?", columnMapping: "Applicable", controlId: "A.5.1.1" }, ...]
-  // IMPORTANT: question.id must be unique and stable - this is what SOAAnswer.questionId references
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  // Relationships
-  documents SOADocument[]
-  @@unique([frameworkId, version]) // Prevent duplicate configuration versions
-  @@index([frameworkId])
-  @@index([frameworkId, version])
-  @@index([frameworkId, isLatest])
-}
-model SOADocument {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_doc'::text)"))
-  // Framework and organization context
-  frameworkId    String
-  framework      FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
-  organizationId String
-  organization   Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  // Configuration reference - references a specific SOAFrameworkConfiguration version
-  // Each document version can use a different configuration version
-  // Old documents keep their old config, new documents use new config
-  configurationId String
-  configuration   SOAFrameworkConfiguration @relation(fields: [configurationId], references: [id], onDelete: Cascade)
-  // Document versioning
-  version  Int     @default(1) // Version number for this document (increments yearly)
-  isLatest Boolean @default(true) // Whether this is the latest version
-  // Document status
-  status SOADocumentStatus @default(draft) // draft, in_progress, completed
-  // Document metadata
-  totalQuestions    Int @default(0) // Total number of questions in this document
-  answeredQuestions Int @default(0) // Number of questions with answers
-  // Approval tracking
-  preparedBy String  @default("Comp AI") // Always "Comp AI"
-  approverId String? // Member ID who will approve this document (set when submitted for approval)
-  approver   Member? @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
-  approvedAt DateTime? // When document was approved
-  // Dates
-  completedAt DateTime? // When document was completed
-  createdAt   DateTime  @default(now())
-  updatedAt   DateTime  @updatedAt
-  // Relationships
-  answers SOAAnswer[]
-  @@unique([frameworkId, organizationId, version]) // Prevent duplicate versions
-  @@index([frameworkId, organizationId])
-  @@index([frameworkId, organizationId, version])
-  @@index([frameworkId, organizationId, isLatest])
-  @@index([configurationId])
-  @@index([status])
-}
-model SOAAnswer {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('soa_ans'::text)"))
-  // Document context (replaces direct framework/organization link)
-  documentId String
-  document   SOADocument @relation(fields: [documentId], references: [id], onDelete: Cascade)
-  // Question reference - references question.id from SOADocument.configuration.questions
-  // References the specific configuration version that the document uses
-  // If config changes, old documents still reference their old config version
-  questionId String // Must match a question.id from SOADocument.configuration.questions
-  // Answer data - simple text answer
-  answer String? // Text answer (nullable if not generated yet)
-  // Answer metadata
-  status      SOAAnswerStatus @default(untouched) // untouched, generated, manual
-  sources     Json? // Sources used for generated answers (similar to questionnaire)
-  generatedAt DateTime? // When answer was generated
-  // Answer versioning (within the document)
-  answerVersion  Int     @default(1) // Version number for this specific answer
-  isLatestAnswer Boolean @default(true) // Whether this is the latest version of this answer
-  // User tracking
-  createdBy String? // User ID who created this answer
-  updatedBy String? // User ID who last updated this answer
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@unique([documentId, questionId, answerVersion]) // Prevent duplicate answer versions
-  @@index([documentId])
-  @@index([documentId, questionId])
-  @@index([documentId, questionId, isLatestAnswer])
-  @@index([status])
-}
-enum SOADocumentStatus {
-  draft // Document is being created/edited
-  in_progress // Document is being generated
-  needs_review // Document is submitted for approval
-  completed // Document is complete and approved
-}
-enum SOAAnswerStatus {
-  untouched // No answer yet (not generated)
-  generated // AI generated answer
-  manual // Manually written/edited by user
-}
-// ===== task-item.prisma =====
-model TaskItem {
-  id          String            @id @default(dbgenerated("generate_prefixed_cuid('tski'::text)"))
-  title       String
-  description String?
-  status      TaskItemStatus    @default(todo)
-  priority    TaskItemPriority  @default(medium)
-  // Polymorphic relation (like Comment and Attachment)
-  entityId   String
-  entityType TaskItemEntityType
-  // Assignment (nullable)
-  assigneeId  String?
-  assignee   Member?           @relation("TaskItemAssignee", fields: [assigneeId], references: [id], onDelete: SetNull)
-  // Creator & Updater
-  createdById String
-  createdBy   Member           @relation("TaskItemCreator", fields: [createdById], references: [id])
-  updatedById String?
-  updatedBy   Member?          @relation("TaskItemUpdater", fields: [updatedById], references: [id])
-  // Relationships
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  // Dates
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@index([entityId, entityType])
-  @@index([organizationId])
-  @@index([assigneeId])
-  @@index([status])
-  @@index([priority])
-}
-enum TaskItemStatus {
-  todo
-  in_progress
-  in_review
-  done
-  canceled
-}
-enum TaskItemPriority {
-  urgent
-  high
-  medium
-  low
-}
-enum TaskItemEntityType {
-  vendor
-  risk
-}
-// ===== task.prisma =====
-model Task {
-  // Metadata
-  id          String         @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
-  title       String
-  description String
-  status           TaskStatus           @default(todo)
-  automationStatus TaskAutomationStatus @default(AUTOMATED)
-  frequency        TaskFrequency?
-  department  Departments?   @default(none)
-  order       Int            @default(0)
-  // Dates
-  createdAt       DateTime  @default(now())
-  updatedAt       DateTime  @updatedAt
-  lastCompletedAt DateTime?
-  reviewDate      DateTime?
-  // Relationships
-  assigneeId          String?
-  assignee            Member?                      @relation(fields: [assigneeId], references: [id])
-  organizationId      String
-  organization        Organization                 @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  taskTemplateId      String?
-  taskTemplate        FrameworkEditorTaskTemplate? @relation(fields: [taskTemplateId], references: [id])
-  controls            Control[]
-  vendors             Vendor[]
-  risks               Risk[]
-  evidenceAutomations EvidenceAutomation[]
-  browserAutomations  BrowserAutomation[]
-  EvidenceAutomationRun EvidenceAutomationRun[]
-  integrationCheckRuns  IntegrationCheckRun[]
-  findings              Finding[]
-}
-enum TaskStatus {
-  todo
-  in_progress
-  done
-  not_relevant
-  failed
-}
-enum TaskFrequency {
-  daily
-  weekly
-  monthly
-  quarterly
-  yearly
-}
-enum TaskAutomationStatus {
-  AUTOMATED
-  MANUAL
-}
-// ===== trust.prisma =====
-model Trust {
-  organizationId     String
-  organization       Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  friendlyUrl        String?      @unique
-  domain             String?
-  domainVerified     Boolean      @default(false)
-  isVercelDomain     Boolean      @default(false)
-  vercelVerification String?
-  status             TrustStatus  @default(published)
-  contactEmail       String?
-  /// Domains that bypass NDA signing when requesting trust portal access
-  allowedDomains String[] @default([])
-  email         String?
-  privacyPolicy String?
-  soc2          Boolean @default(false)
-  soc2type1     Boolean @default(false)
-  soc2type2     Boolean @default(false)
-  iso27001      Boolean @default(false)
-  iso42001      Boolean @default(false)
-  nen7510       Boolean @default(false)
-  gdpr          Boolean @default(false)
-  hipaa         Boolean @default(false)
-  pci_dss       Boolean @default(false)
-  iso9001       Boolean @default(false)
-  soc2_status      FrameworkStatus @default(started)
-  soc2type1_status FrameworkStatus @default(started)
-  soc2type2_status FrameworkStatus @default(started)
-  iso27001_status  FrameworkStatus @default(started)
-  iso42001_status  FrameworkStatus @default(started)
-  nen7510_status   FrameworkStatus @default(started)
-  gdpr_status      FrameworkStatus @default(started)
-  hipaa_status     FrameworkStatus @default(started)
-  pci_dss_status   FrameworkStatus @default(started)
-  iso9001_status   FrameworkStatus @default(started)
-  // Overview section for public trust portal
-  overviewTitle   String?
-  overviewContent String? // Markdown content with links
-  showOverview    Boolean @default(false)
-  // Favicon for trust portal (stored in S3)
-  favicon String?
-  @@id([status, organizationId])
-  @@unique([organizationId])
-  @@index([organizationId])
-  @@index([friendlyUrl])
-}
-enum TrustStatus {
-  draft
-  published
-}
-enum FrameworkStatus {
-  started
-  in_progress
-  compliant
-}
-enum TrustFramework {
-  iso_27001
-  iso_42001
-  gdpr
-  hipaa
-  soc2_type1
-  soc2_type2
-  pci_dss
-  nen_7510
-  iso_9001
-}
-model TrustResource {
-  id             String         @id @default(dbgenerated("generate_prefixed_cuid('tcr'::text)"))
-  organizationId String
-  organization   Organization   @relation("OrganizationTrustResources", fields: [organizationId], references: [id], onDelete: Cascade)
-  framework      TrustFramework
-  s3Key          String
-  fileName       String
-  fileSize       Int
-  createdAt      DateTime       @default(now())
-  updatedAt      DateTime       @updatedAt
-  @@unique([organizationId, framework])
-  @@index([organizationId])
-}
-model TrustAccessRequest {
-  id             String       @id @default(dbgenerated("generate_prefixed_cuid('tar'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  name                  String
-  email                 String
-  company               String?
-  jobTitle              String?
-  purpose               String?
-  requestedDurationDays Int?
-  status           TrustAccessRequestStatus @default(under_review)
-  reviewerMemberId String?
-  reviewer         Member?                  @relation("TrustAccessRequestReviewer", fields: [reviewerMemberId], references: [id], onDelete: SetNull)
-  reviewedAt       DateTime?
-  decisionReason   String?
-  ipAddress String?
-  userAgent String?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  grant         TrustAccessGrant?   @relation("RequestGrant")
-  ndaAgreements TrustNDAAgreement[] @relation("RequestNDA")
-  @@index([organizationId])
-  @@index([email])
-  @@index([status])
-  @@index([organizationId, status])
-}
-model TrustAccessGrant {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('tag'::text)"))
-  accessRequestId String             @unique
-  accessRequest   TrustAccessRequest @relation("RequestGrant", fields: [accessRequestId], references: [id], onDelete: Cascade)
-  subjectEmail String
-  status    TrustAccessGrantStatus @default(active)
-  expiresAt DateTime
-  accessToken          String?   @unique
-  accessTokenExpiresAt DateTime?
-  issuedByMemberId String?
-  issuedBy         Member? @relation("IssuedGrants", fields: [issuedByMemberId], references: [id], onDelete: SetNull)
-  revokedAt         DateTime?
-  revokedByMemberId String?
-  revokedBy         Member?   @relation("RevokedGrants", fields: [revokedByMemberId], references: [id], onDelete: SetNull)
-  revokeReason      String?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  ndaAgreement TrustNDAAgreement? @relation("GrantNDA")
-  @@index([accessRequestId])
-  @@index([subjectEmail])
-  @@index([status])
-  @@index([expiresAt])
-  @@index([status, expiresAt])
-  @@index([accessToken])
-}
-enum TrustAccessRequestStatus {
-  under_review
-  approved
-  denied
-  canceled
-}
-enum TrustAccessGrantStatus {
-  active
-  expired
-  revoked
-}
-model TrustNDAAgreement {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('tna'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  accessRequestId String
-  accessRequest   TrustAccessRequest @relation("RequestNDA", fields: [accessRequestId], references: [id], onDelete: Cascade)
-  grantId String?           @unique
-  grant   TrustAccessGrant? @relation("GrantNDA", fields: [grantId], references: [id], onDelete: SetNull)
-  signerName  String?
-  signerEmail String?
-  status TrustNDAStatus @default(pending)
-  signToken          String   @unique
-  signTokenExpiresAt DateTime
-  pdfTemplateKey String?
-  pdfSignedKey   String?
-  signedAt DateTime?
-  ipAddress String?
-  userAgent String?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@index([organizationId])
-  @@index([accessRequestId])
-  @@index([signToken])
-  @@index([status])
-}
-enum TrustNDAStatus {
-  pending
-  signed
-  void
-}
-model TrustDocument {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('tdoc'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  name        String
-  description String?
-  s3Key       String
-  isActive Boolean @default(true)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@index([organizationId])
-  @@index([organizationId, isActive])
-}
-model TrustCustomLink {
-  id String @id @default(dbgenerated("generate_prefixed_cuid('tcl'::text)"))
-  organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  title       String
-  description String?
-  url         String
-  order       Int     @default(0)
-  isActive    Boolean @default(true)
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  @@index([organizationId])
-  @@index([organizationId, isActive, order])
-}
-// ===== vendor.prisma =====
-model Vendor {
-  id                  String         @id @default(dbgenerated("generate_prefixed_cuid('vnd'::text)"))
-  name                String
-  description         String
-  category            VendorCategory @default(other)
-  status              VendorStatus   @default(not_assessed)
-  inherentProbability Likelihood     @default(very_unlikely)
-  inherentImpact      Impact         @default(insignificant)
-  residualProbability Likelihood     @default(very_unlikely)
-  residualImpact      Impact         @default(insignificant)
-  website             String?
-  isSubProcessor      Boolean        @default(false)
-  // Trust Portal display settings
-  logoUrl           String?
-  showOnTrustPortal Boolean @default(false)
-  trustPortalOrder  Int?
-  complianceBadges  Json? // Array of { type: 'soc2' | 'iso27001' | etc, verified: boolean }
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  organizationId String
-  organization   Organization    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  assigneeId     String?
-  assignee       Member?         @relation(fields: [assigneeId], references: [id], onDelete: Cascade)
-  contacts       VendorContact[]
-  tasks          Task[]
-  @@index([organizationId])
-  @@index([assigneeId])
-  @@index([category])
-}
-model VendorContact {
-  id        String   @id @default(dbgenerated("generate_prefixed_cuid('vct'::text)"))
-  vendorId  String
-  name      String
-  email     String
-  phone     String
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
-  Vendor    Vendor   @relation(fields: [vendorId], references: [id], onDelete: Cascade)
-  @@index([vendorId])
-}
-enum VendorCategory {
-  cloud
-  infrastructure
-  software_as_a_service
-  finance
-  marketing
-  sales
-  hr
-  other
-}
-enum VendorStatus {
-  not_assessed
-  in_progress
-  assessed
-}