npm - @trycompai/db - Versions diffs - 2.0.0 → 2.0.2 - Mend

@trycompai/db 2.0.0 → 2.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (268) hide show

package/dist/schema.prisma CHANGED Viewed

@@ -9,7 +9,6 @@ datasource db {
   extensions = [pgcrypto]
 }
 // ===== attachments.prisma =====
 model Attachment {
   id         String               @id @default(dbgenerated("generate_prefixed_cuid('att'::text)"))
@@ -49,7 +48,6 @@ enum AttachmentType {
   other
 }
 // ===== auth.prisma =====
 model User {
   id                             String    @id @default(dbgenerated("generate_prefixed_cuid('usr'::text)"))
@@ -68,16 +66,20 @@ model User {
   banExpires                     DateTime?
   isPlatformAdmin                Boolean   @default(false)
-  accounts            Account[]
-  auditLog            AuditLog[]
-  integrationResults  IntegrationResult[]
-  invitations         Invitation[]
-  members             Member[]
-  sessions            Session[]
-  fleetPolicyResults  FleetPolicyResult[]
-  evidenceSubmissions EvidenceSubmission[] @relation("EvidenceSubmitter")
-  evidenceReviews     EvidenceSubmission[] @relation("EvidenceReviewer")
-  adminFindings       Finding[]            @relation("AdminFindingCreator")
+  accounts                   Account[]
+  auditLog                   AuditLog[]
+  integrationResults         IntegrationResult[]
+  invitations                Invitation[]
+  members                    Member[]
+  sessions                   Session[]
+  fleetPolicyResults         FleetPolicyResult[]
+  evidenceSubmissions        EvidenceSubmission[] @relation("EvidenceSubmitter")
+  evidenceReviews            EvidenceSubmission[] @relation("EvidenceReviewer")
+  adminFindings              Finding[]            @relation("AdminFindingCreator")
+  timelinePhaseCompletions   TimelinePhase[]
+  lockedTimelineInstances    TimelineInstance[]   @relation("TimelineInstanceLockedBy")
+  unlockedTimelineInstances  TimelineInstance[]   @relation("TimelineInstanceUnlockedBy")
+  publishedFrameworkVersions FrameworkVersion[]   @relation("FrameworkVersionPublisher")
   @@unique([email])
 }
@@ -105,9 +107,15 @@ model Session {
   userId               String
   activeOrganizationId String?
   impersonatedBy       String?
-  user                 User     @relation(fields: [userId], references: [id], onDelete: Cascade)
+  deviceAgent    Boolean  @default(false)
+  deviceAgentFor Device[] @relation("DeviceAgentSession")
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
   @@unique([token])
+  @@index([userId])
+  @@index([deviceAgent])
 }
 model Account {
@@ -166,24 +174,26 @@ model Member {
   employeeTrainingVideoCompletion EmployeeTrainingVideoCompletion[]
   fleetDmLabelId                  Int?
-  assignedPolicies        Policy[]             @relation("PolicyAssignee") // Policies where this member is an assignee
-  approvedPolicies        Policy[]             @relation("PolicyApprover") // Policies where this member is an approver
-  approvedSOADocuments    SOADocument[]        @relation("SOADocumentApprover") // SOA documents where this member is an approver
-  risks                   Risk[]
-  tasks                   Task[]
-  vendors                 Vendor[]
-  comments                Comment[]
-  auditLogs               AuditLog[]
-  reviewedAccessRequests  TrustAccessRequest[] @relation("TrustAccessRequestReviewer")
-  issuedGrants            TrustAccessGrant[]   @relation("IssuedGrants")
-  revokedGrants           TrustAccessGrant[]   @relation("RevokedGrants")
-  createdTaskItems        TaskItem[]           @relation("TaskItemCreator")
-  updatedTaskItems        TaskItem[]           @relation("TaskItemUpdater")
-  assignedTaskItems       TaskItem[]           @relation("TaskItemAssignee")
-  createdFindings         Finding[]            @relation("FindingCreatedBy")
-  publishedPolicyVersions PolicyVersion[]      @relation("PolicyVersionPublisher")
-  approvedTasks           Task[]               @relation("TaskApprover")
-  devices                 Device[]
+  assignedPolicies                 Policy[]                 @relation("PolicyAssignee") // Policies where this member is an assignee
+  approvedPolicies                 Policy[]                 @relation("PolicyApprover") // Policies where this member is an approver
+  approvedSOADocuments             SOADocument[]            @relation("SOADocumentApprover") // SOA documents where this member is an approver
+  risks                            Risk[]
+  tasks                            Task[]
+  vendors                          Vendor[]
+  comments                         Comment[]
+  auditLogs                        AuditLog[]
+  reviewedAccessRequests           TrustAccessRequest[]     @relation("TrustAccessRequestReviewer")
+  issuedGrants                     TrustAccessGrant[]       @relation("IssuedGrants")
+  revokedGrants                    TrustAccessGrant[]       @relation("RevokedGrants")
+  createdTaskItems                 TaskItem[]               @relation("TaskItemCreator")
+  updatedTaskItems                 TaskItem[]               @relation("TaskItemUpdater")
+  assignedTaskItems                TaskItem[]               @relation("TaskItemAssignee")
+  createdFindings                  Finding[]                @relation("FindingCreatedBy")
+  subjectFindings                  Finding[]                @relation("FindingSubject")
+  publishedPolicyVersions          PolicyVersion[]          @relation("PolicyVersionPublisher")
+  performedFrameworkSyncOperations FrameworkSyncOperation[] @relation("FrameworkSyncOperationPerformer")
+  approvedTasks                    Task[]                   @relation("TaskApprover")
+  devices                          Device[]
 }
 model Invitation {
@@ -232,7 +242,6 @@ enum PolicyStatus {
   needs_review
 }
 // ===== automation-run.prisma =====
 model EvidenceAutomationRun {
   id        String   @id @default(dbgenerated("generate_prefixed_cuid('ear'::text)"))
@@ -290,7 +299,6 @@ enum EvidenceAutomationEvaluationStatus {
   fail
 }
 // ===== automation-version.prisma =====
 model EvidenceAutomationVersion {
   id        String   @id @default(dbgenerated("generate_prefixed_cuid('eav'::text)"))
@@ -312,14 +320,15 @@ model EvidenceAutomationVersion {
   @@index([createdAt])
 }
 // ===== automation.prisma =====
 model EvidenceAutomation {
-  id          String   @id @default(dbgenerated("generate_prefixed_cuid('aut'::text)"))
-  name        String
-  description String?
-  createdAt   DateTime @default(now())
-  isEnabled   Boolean  @default(false)
+  id                String        @id @default(dbgenerated("generate_prefixed_cuid('aut'::text)"))
+  name              String
+  description       String?
+  createdAt         DateTime      @default(now())
+  isEnabled         Boolean       @default(false)
+  scheduleFrequency TaskFrequency @default(daily)
+  lastRunAt         DateTime?
   chatHistory        String?
   evaluationCriteria String?
@@ -334,106 +343,108 @@ model EvidenceAutomation {
   @@index([taskId])
 }
 // ===== browserbase-context.prisma =====
 /// Stores Browserbase context IDs for browser-based automation
 /// One context per organization - shared like a normal browser
 model BrowserbaseContext {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('bbc'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('bbc'::text)"))
-    /// Organization that owns this browser context
-    organizationId String       @unique
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  /// Organization that owns this browser context
+  organizationId String       @unique
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Browserbase context ID from their API
-    contextId String
+  /// Browserbase context ID from their API
+  contextId String
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    @@index([organizationId])
+  @@index([organizationId])
 }
 /// Browser automation configuration linked to a task
 model BrowserAutomation {
-    id          String  @id @default(dbgenerated("generate_prefixed_cuid('bau'::text)"))
-    name        String
-    description String?
+  id          String  @id @default(dbgenerated("generate_prefixed_cuid('bau'::text)"))
+  name        String
+  description String?
-    /// Task this automation belongs to
-    taskId String
-    task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
+  /// Task this automation belongs to
+  taskId String
+  task   Task   @relation(fields: [taskId], references: [id], onDelete: Cascade)
-    /// Starting URL for the automation
-    targetUrl String
+  /// Starting URL for the automation
+  targetUrl String
-    /// Natural language instruction for the AI agent
-    instruction String
+  /// Natural language instruction for the AI agent
+  instruction String
-    /// Whether automation is enabled for scheduled runs
-    isEnabled Boolean @default(false)
+  /// Optional natural-language criteria used to evaluate whether the
+  /// automation's outcome satisfies the auditor's requirement.
+  /// When null, runs don't produce a pass/fail verdict — only a screenshot.
+  evaluationCriteria String?
-    /// Cron expression for scheduled runs (null = manual only)
-    schedule String?
+  /// Whether automation is enabled for scheduled runs
+  isEnabled         Boolean       @default(false)
+  scheduleFrequency TaskFrequency @default(daily)
+  lastRunAt         DateTime?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    runs BrowserAutomationRun[]
+  runs BrowserAutomationRun[]
-    @@index([taskId])
+  @@index([taskId])
 }
 /// Records of browser automation executions
 model BrowserAutomationRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('bar'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('bar'::text)"))
-    /// Parent automation
-    automationId String
-    automation   BrowserAutomation @relation(fields: [automationId], references: [id], onDelete: Cascade)
+  /// Parent automation
+  automationId String
+  automation   BrowserAutomation @relation(fields: [automationId], references: [id], onDelete: Cascade)
-    /// Execution status
-    status BrowserAutomationRunStatus @default(pending)
+  /// Execution status
+  status BrowserAutomationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
+  /// Timestamps
+  startedAt   DateTime?
+  completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
+  /// Duration in milliseconds
+  durationMs Int?
-    /// Screenshot URL in S3 (if successful)
-    screenshotUrl String?
+  /// Screenshot URL in S3 (if successful)
+  screenshotUrl String?
-    /// Evaluation result - whether the automation fulfilled the task requirements
-    evaluationStatus BrowserAutomationEvaluationStatus?
+  /// Evaluation result - whether the automation fulfilled the task requirements
+  evaluationStatus BrowserAutomationEvaluationStatus?
-    /// AI explanation of why it passed or failed
-    evaluationReason String?
+  /// AI explanation of why it passed or failed
+  evaluationReason String?
-    /// Error message (if failed)
-    error String?
+  /// Error message (if failed)
+  error String?
-    createdAt DateTime @default(now())
+  createdAt DateTime @default(now())
-    @@index([automationId])
-    @@index([status])
-    @@index([createdAt])
+  @@index([automationId])
+  @@index([status])
+  @@index([createdAt])
 }
 enum BrowserAutomationEvaluationStatus {
-    pass
-    fail
+  pass
+  fail
 }
 enum BrowserAutomationRunStatus {
-    pending
-    running
-    completed
-    failed
+  pending
+  running
+  completed
+  failed
 }
 // ===== comment.prisma =====
 model Comment {
   id         String            @id @default(dbgenerated("generate_prefixed_cuid('cmt'::text)"))
@@ -463,7 +474,6 @@ enum CommentEntityType {
   policy
 }
 // ===== context.prisma =====
 model Context {
   id             String       @id @default(dbgenerated("generate_prefixed_cuid('ctx'::text)"))
@@ -484,7 +494,6 @@ model Context {
   @@index([tags])
 }
 // ===== control-document-type.prisma =====
 model ControlDocumentType {
   id        String           @id @default(dbgenerated("generate_prefixed_cuid('cdt'::text)"))
@@ -496,7 +505,6 @@ model ControlDocumentType {
   @@index([controlId])
 }
 // ===== control.prisma =====
 model Control {
   // Metadata
@@ -508,19 +516,67 @@ model Control {
   lastReviewDate DateTime?
   nextReviewDate DateTime?
+  // Sync-driven archive (set by FrameworkSyncOperation when the control
+  // template is removed from the framework's latest version and no other
+  // framework instance in the org still references it). Distinct from user
+  // archive (no user archive exists on Control today).
+  archivedAt DateTime?
   // Relationships
-  organization       Organization                    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  organizationId     String
-  requirementsMapped RequirementMap[]
-  tasks              Task[]
-  policies           Policy[]
-  controlTemplateId  String?
-  controlTemplate    FrameworkEditorControlTemplate? @relation(fields: [controlTemplateId], references: [id])
+  organization         Organization                    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organizationId       String
+  requirementsMapped   RequirementMap[]
+  tasks                Task[]
+  policies             Policy[]
+  controlTemplateId    String?
+  controlTemplate      FrameworkEditorControlTemplate? @relation(fields: [controlTemplateId], references: [id])
   controlDocumentTypes ControlDocumentType[]
   @@index([organizationId])
+  @@index([organizationId, archivedAt])
 }
+// ===== custom-framework.prisma =====
+model CustomFramework {
+  id          String @id @default(dbgenerated("generate_prefixed_cuid('cfrm'::text)"))
+  name        String
+  description String
+  version     String @default("1.0.0")
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  requirements CustomRequirement[]
+  instances    FrameworkInstance[]
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
+  @@unique([id, organizationId])
+  @@index([organizationId])
+}
+model CustomRequirement {
+  id          String @id @default(dbgenerated("generate_prefixed_cuid('creq'::text)"))
+  name        String
+  description String
+  identifier  String
+  organizationId    String
+  organization      Organization    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  customFrameworkId String
+  // Composite FK onto (id, organizationId) so tenant consistency with the
+  // referenced CustomFramework is enforced at the DB level.
+  customFramework   CustomFramework @relation(fields: [customFrameworkId, organizationId], references: [id, organizationId], onDelete: Cascade)
+  requirementMaps RequirementMap[]
+  createdAt DateTime @default(now())
+  updatedAt DateTime @default(now()) @updatedAt
+  @@unique([customFrameworkId, identifier])
+  @@index([organizationId])
+}
 // ===== device.prisma =====
 model Device {
@@ -537,22 +593,28 @@ model Device {
   organizationId String
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  isCompliant           Boolean  @default(false)
-  diskEncryptionEnabled Boolean  @default(false)
-  antivirusEnabled      Boolean  @default(false)
-  passwordPolicySet     Boolean  @default(false)
-  screenLockEnabled     Boolean  @default(false)
+  agentSessionId String?
+  agentSession   Session? @relation("DeviceAgentSession", fields: [agentSessionId], references: [id], onDelete: SetNull)
+  isCompliant           Boolean @default(false)
+  diskEncryptionEnabled Boolean @default(false)
+  antivirusEnabled      Boolean @default(false)
+  passwordPolicySet     Boolean @default(false)
+  screenLockEnabled     Boolean @default(false)
   checkDetails          Json?
   lastCheckIn  DateTime?
   agentVersion String?
-  installedAt  DateTime @default(now())
-  updatedAt    DateTime @updatedAt
+  installedAt  DateTime  @default(now())
+  updatedAt    DateTime  @updatedAt
+  findings Finding[]
   @@unique([serialNumber, organizationId])
   @@index([memberId])
   @@index([organizationId])
   @@index([isCompliant])
+  @@index([agentSessionId])
 }
 enum DevicePlatform {
@@ -561,7 +623,6 @@ enum DevicePlatform {
   linux
 }
 // ===== dynamic-integration.prisma =====
 // ===== Dynamic Integration Platform =====
 // Stores integration manifests and declarative check definitions in the database
@@ -569,93 +630,98 @@ enum DevicePlatform {
 /// Stores a full integration manifest as JSON — replaces hand-written TypeScript manifests
 model DynamicIntegration {
-    id          String  @id @default(dbgenerated("generate_prefixed_cuid('din'::text)"))
-    /// Unique slug (e.g., "azure-devops", "office-365")
-    slug        String  @unique
-    /// Display name
-    name        String
-    /// Short description for catalog
-    description String
-    /// Category for grouping
-    category    String
-    /// Logo URL
-    logoUrl     String
-    /// URL to documentation
-    docsUrl     String?
+  id          String  @id @default(dbgenerated("generate_prefixed_cuid('din'::text)"))
+  /// Unique slug (e.g., "azure-devops", "office-365")
+  slug        String  @unique
+  /// Display name
+  name        String
+  /// Short description for catalog
+  description String
+  /// Category for grouping
+  category    String
+  /// Logo URL
+  logoUrl     String
+  /// URL to documentation
+  docsUrl     String?
-    /// API base URL for ctx.fetch
-    baseUrl     String?
-    /// Default headers (JSON object)
-    defaultHeaders Json?
+  /// API base URL for ctx.fetch
+  baseUrl        String?
+  /// Default headers (JSON object)
+  defaultHeaders Json?
-    /// Auth strategy config (JSON — matches AuthStrategy type: oauth2/api_key/basic/jwt/custom)
-    authConfig  Json
+  /// Auth strategy config (JSON — matches AuthStrategy type: oauth2/api_key/basic/jwt/custom)
+  authConfig Json
-    /// Capabilities JSON array (default ["checks"])
-    capabilities Json @default("[\"checks\"]")
+  /// Capabilities JSON array (default ["checks"])
+  capabilities Json @default("[\"checks\"]")
-    /// Whether multiple connections per org are allowed
-    supportsMultipleConnections Boolean @default(false)
+  /// Whether multiple connections per org are allowed
+  supportsMultipleConnections Boolean @default(false)
-    /// Declarative sync definition (JSON — DSL steps that produce employee list)
-    /// When present and capabilities includes 'sync', enables employee sync
-    syncDefinition  Json?
+  /// Declarative sync definition (JSON — DSL steps that produce employee list)
+  /// When present and capabilities includes 'sync', enables employee sync
+  syncDefinition Json?
-    /// Whether this dynamic integration is active
-    isActive    Boolean @default(true)
+  /// Services metadata (JSON array of { id, name, description, enabledByDefault?, implemented? })
+  services Json?
-    createdAt   DateTime @default(now())
-    updatedAt   DateTime @updatedAt
+  /// Whether this dynamic integration is active
+  isActive Boolean @default(true)
-    checks      DynamicCheck[]
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  checks DynamicCheck[]
-    @@index([slug])
-    @@index([category])
-    @@index([isActive])
+  @@index([slug])
+  @@index([category])
+  @@index([isActive])
 }
 /// Stores a declarative check definition — DSL JSON replaces hand-written run() functions
 model DynamicCheck {
-    id              String  @id @default(dbgenerated("generate_prefixed_cuid('dck'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('dck'::text)"))
-    /// Parent integration
-    integrationId   String
-    integration     DynamicIntegration @relation(fields: [integrationId], references: [id], onDelete: Cascade)
+  /// Parent integration
+  integrationId String
+  integration   DynamicIntegration @relation(fields: [integrationId], references: [id], onDelete: Cascade)
-    /// Unique slug within integration (e.g., "mfa_enabled")
-    checkSlug       String
+  /// Unique slug within integration (e.g., "mfa_enabled")
+  checkSlug String
-    /// Human-readable name
-    name            String
-    /// Description of what this check does
-    description     String
+  /// Human-readable name
+  name        String
+  /// Description of what this check does
+  description String
-    /// Task template ID for auto-completion (references TASK_TEMPLATES)
-    taskMapping     String?
+  /// Task template ID for auto-completion (references TASK_TEMPLATES)
+  taskMapping String?
-    /// Default severity for findings
-    defaultSeverity String  @default("medium")
+  /// Default severity for findings
+  defaultSeverity String @default("medium")
-    /// Declarative DSL definition (JSON — the step-by-step instructions)
-    definition      Json
+  /// Service ID this check belongs to (groups checks under a service)
+  service String?
-    /// Check-level variables (JSON array of CheckVariable)
-    variables       Json    @default("[]")
+  /// Declarative DSL definition (JSON — the step-by-step instructions)
+  definition Json
-    /// Whether this check is enabled
-    isEnabled       Boolean @default(true)
+  /// Check-level variables (JSON array of CheckVariable)
+  variables Json @default("[]")
-    /// Display order
-    sortOrder       Int     @default(0)
+  /// Whether this check is enabled
+  isEnabled Boolean @default(true)
-    createdAt       DateTime @default(now())
-    updatedAt       DateTime @updatedAt
+  /// Display order
+  sortOrder Int @default(0)
-    @@unique([integrationId, checkSlug])
-    @@index([integrationId])
-    @@index([isEnabled])
-}
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+  @@unique([integrationId, checkSlug])
+  @@index([integrationId])
+  @@index([isEnabled])
+}
 // ===== evidence-submission.prisma =====
 model EvidenceSubmission {
@@ -682,7 +748,6 @@ model EvidenceSubmission {
   @@index([submittedById, status])
 }
 // ===== finding.prisma =====
 enum FindingType {
   soc2
@@ -696,6 +761,29 @@ enum FindingStatus {
   closed
 }
+enum FindingSeverity {
+  low
+  medium
+  high
+  critical
+}
+enum FindingArea {
+  people
+  documents
+  compliance
+  // "General" buckets for cases where an auditor wants to log something like
+  // "no risks are tracked" or "the policy for X is missing" without picking a
+  // specific Risk/Vendor/Policy row.
+  risks
+  vendors
+  policies
+  // Legacy/unclassified bucket for rows backfilled from the old FindingScope
+  // enum (see migration 20260419120000). Not surfaced as a primary target
+  // option in the Create Finding sheet.
+  other
+}
 model FindingTemplate {
   id        String   @id @default(dbgenerated("generate_prefixed_cuid('fnd_t'::text)"))
   category  String // e.g., "evidence_issue", "further_evidence", "task_specific", "na_incorrect"
@@ -709,37 +797,57 @@ model FindingTemplate {
 }
 model Finding {
-  id           String        @id @default(dbgenerated("generate_prefixed_cuid('fnd'::text)"))
-  type         FindingType   @default(soc2)
-  status       FindingStatus @default(open)
+  id           String          @id @default(dbgenerated("generate_prefixed_cuid('fnd'::text)"))
+  type         FindingType     @default(soc2)
+  status       FindingStatus   @default(open)
+  severity     FindingSeverity @default(medium)
   content      String // Custom message or copied from template
   revisionNote String? // Auditor's note when requesting revision
+  area         FindingArea? // Used when the finding is not tied to a specific item
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
-  // Relationships
+  // Target relationships — exactly one target link should be set (task, evidenceSubmission,
+  // evidenceFormType, policy, vendor, risk, member, device) OR the `area` field for non-item findings.
   taskId               String?
   task                 Task?               @relation(fields: [taskId], references: [id], onDelete: Cascade)
   evidenceSubmissionId String?
   evidenceSubmission   EvidenceSubmission? @relation(fields: [evidenceSubmissionId], references: [id], onDelete: Cascade)
   evidenceFormType     EvidenceFormType?
-  templateId           String?
-  template             FindingTemplate?    @relation(fields: [templateId], references: [id])
-  createdById          String?
-  createdBy            Member?             @relation("FindingCreatedBy", fields: [createdById], references: [id])
-  createdByAdminId     String?
-  createdByAdmin       User?               @relation("AdminFindingCreator", fields: [createdByAdminId], references: [id])
-  organizationId       String
-  organization         Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  policyId             String?
+  policy               Policy?             @relation(fields: [policyId], references: [id], onDelete: Cascade)
+  vendorId             String?
+  vendor               Vendor?             @relation(fields: [vendorId], references: [id], onDelete: Cascade)
+  riskId               String?
+  risk                 Risk?               @relation(fields: [riskId], references: [id], onDelete: Cascade)
+  memberId             String?
+  member               Member?             @relation("FindingSubject", fields: [memberId], references: [id], onDelete: Cascade)
+  deviceId             String?
+  device               Device?             @relation(fields: [deviceId], references: [id], onDelete: Cascade)
+  // Metadata
+  templateId       String?
+  template         FindingTemplate? @relation(fields: [templateId], references: [id])
+  createdById      String?
+  createdBy        Member?          @relation("FindingCreatedBy", fields: [createdById], references: [id])
+  createdByAdminId String?
+  createdByAdmin   User?            @relation("AdminFindingCreator", fields: [createdByAdminId], references: [id])
+  organizationId   String
+  organization     Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   @@index([taskId])
   @@index([evidenceSubmissionId])
   @@index([evidenceFormType])
+  @@index([policyId])
+  @@index([vendorId])
+  @@index([riskId])
+  @@index([memberId])
+  @@index([deviceId])
   @@index([organizationId, status])
+  @@index([organizationId, severity])
 }
 // ===== fleet-policy-result.prisma =====
 model FleetPolicyResult {
   id                  String   @id @default(dbgenerated("generate_prefixed_cuid('fpr'::text)"))
@@ -759,7 +867,6 @@ model FleetPolicyResult {
   @@index([organizationId])
 }
 // ===== framework-editor.prisma =====
 // --- Data for Framework Editor ---
 model FrameworkEditorVideo {
@@ -785,6 +892,8 @@ model FrameworkEditorFramework {
   frameworkInstances FrameworkInstance[]
   soaConfigurations  SOAFrameworkConfiguration[] // Multiple SOA config versions per framework
   soaDocuments       SOADocument[] // SOA documents from organizations
+  timelineTemplates  TimelineTemplate[]
+  versions           FrameworkVersion[]
   // Dates
   createdAt DateTime @default(now())
@@ -830,8 +939,8 @@ model FrameworkEditorTaskTemplate {
   id               String               @id @default(dbgenerated("generate_prefixed_cuid('frk_tt'::text)"))
   name             String
   description      String
-  frequency        Frequency            // Using the enum from shared.prisma
-  department       Departments          // Using the enum from shared.prisma
+  frequency        Frequency // Using the enum from shared.prisma
+  department       Departments // Using the enum from shared.prisma
   automationStatus TaskAutomationStatus @default(AUTOMATED)
   controlTemplates FrameworkEditorControlTemplate[]
@@ -862,6 +971,67 @@ model FrameworkEditorControlTemplate {
   controls Control[]
 }
+// ===== framework-sync-operation.prisma =====
+enum FrameworkSyncOperationKind {
+  SYNC
+  ROLLBACK
+}
+model FrameworkSyncOperation {
+  id                  String            @id @default(dbgenerated("generate_prefixed_cuid('fso'::text)"))
+  frameworkInstanceId String
+  frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
+  fromVersionId String
+  fromVersion   FrameworkVersion @relation("FrameworkSyncOperationFromVersion", fields: [fromVersionId], references: [id])
+  toVersionId   String
+  toVersion     FrameworkVersion @relation("FrameworkSyncOperationToVersion", fields: [toVersionId], references: [id])
+  kind FrameworkSyncOperationKind
+  performedAt   DateTime @default(now())
+  performedById String?
+  performedBy   Member?  @relation("FrameworkSyncOperationPerformer", fields: [performedById], references: [id], onDelete: SetNull)
+  // Only set when kind = SYNC
+  rollbackExpiresAt DateTime?
+  // Self-reference: when this sync was reversed, points at the rollback op.
+  rolledBackByOperationId String?                 @unique
+  rolledBackByOperation   FrameworkSyncOperation? @relation("FrameworkSyncOperationRollback", fields: [rolledBackByOperationId], references: [id])
+  rolledBackOperation     FrameworkSyncOperation? @relation("FrameworkSyncOperationRollback")
+  undoPayload Json // structured per undo-payload.types.ts
+  summary     Json // counts for audit log / UI
+  @@index([frameworkInstanceId, performedAt])
+  @@index([frameworkInstanceId, kind])
+}
+// ===== framework-version.prisma =====
+model FrameworkVersion {
+  id          String                   @id @default(dbgenerated("generate_prefixed_cuid('fvr'::text)"))
+  frameworkId String
+  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+  version       String // semver-ish, e.g., "1.0.0", "2.1.0"
+  publishedAt   DateTime @default(now())
+  publishedById String?
+  publishedBy   User?    @relation("FrameworkVersionPublisher", fields: [publishedById], references: [id], onDelete: SetNull)
+  releaseNotes String? // markdown
+  // Full snapshot of all templates at publish time (see manifest.types.ts).
+  // Immutable once published.
+  manifest Json
+  frameworkInstances FrameworkInstance[]      @relation("FrameworkInstanceCurrentVersion")
+  syncOperationsFrom FrameworkSyncOperation[] @relation("FrameworkSyncOperationFromVersion")
+  syncOperationsTo   FrameworkSyncOperation[] @relation("FrameworkSyncOperationToVersion")
+  @@unique([frameworkId, version])
+  @@index([frameworkId, publishedAt])
+}
 // ===== framework.prisma =====
 model FrameworkInstance {
@@ -869,454 +1039,470 @@ model FrameworkInstance {
   id             String @id @default(dbgenerated("generate_prefixed_cuid('frm'::text)"))
   organizationId String
-  frameworkId String
-  framework   FrameworkEditorFramework @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+  // Exactly one of frameworkId / customFrameworkId is set (enforced by DB CHECK constraint).
+  frameworkId String?
+  framework   FrameworkEditorFramework? @relation(fields: [frameworkId], references: [id], onDelete: Cascade)
+  customFrameworkId String?
+  // Composite FK onto (id, organizationId) so an FI can only reference a
+  // CustomFramework in its own org. Enforced at the DB level.
+  customFramework   CustomFramework? @relation(fields: [customFrameworkId, organizationId], references: [id, organizationId], onDelete: Cascade)
+  currentVersionId String?
+  currentVersion   FrameworkVersion? @relation("FrameworkInstanceCurrentVersion", fields: [currentVersionId], references: [id], onDelete: Restrict)
   // Relationships
-  organization       Organization     @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organization       Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   requirementsMapped RequirementMap[]
+  timelineInstances  TimelineInstance[]
+  syncOperations     FrameworkSyncOperation[]
   @@unique([organizationId, frameworkId])
+  @@unique([organizationId, customFrameworkId])
+  @@index([customFrameworkId])
+  @@index([currentVersionId])
 }
 // ===== integration-platform.prisma =====
 // ===== Integration Platform =====
 // New integration platform models for scalable, config-driven integrations
 /// Stores metadata about available integration providers (synced from code manifests)
 model IntegrationProvider {
-    id           String  @id @default(dbgenerated("generate_prefixed_cuid('prv'::text)"))
-    /// Unique slug matching manifest ID (e.g., "github", "slack")
-    slug         String  @unique
-    /// Display name
-    name         String
-    /// Category for grouping
-    category     String
-    /// Hash of manifest for detecting changes
-    manifestHash String?
-    /// Capabilities JSON array
-    capabilities Json    @default("[]")
-    /// Whether provider is active
-    isActive     Boolean @default(true)
+  id           String  @id @default(dbgenerated("generate_prefixed_cuid('prv'::text)"))
+  /// Unique slug matching manifest ID (e.g., "github", "slack")
+  slug         String  @unique
+  /// Display name
+  name         String
+  /// Category for grouping
+  category     String
+  /// Hash of manifest for detecting changes
+  manifestHash String?
+  /// Capabilities JSON array
+  capabilities Json    @default("[]")
+  /// Whether provider is active
+  isActive     Boolean @default(true)
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    connections IntegrationConnection[]
+  connections IntegrationConnection[]
-    @@index([slug])
-    @@index([category])
+  @@index([slug])
+  @@index([category])
 }
 /// Represents an organization's connection to an integration provider
 model IntegrationConnection {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icn'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('icn'::text)"))
-    /// Reference to the provider
-    providerId String
-    provider   IntegrationProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+  /// Reference to the provider
+  providerId String
+  provider   IntegrationProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
-    /// Organization that owns this connection
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  /// Organization that owns this connection
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Connection status
-    status IntegrationConnectionStatus @default(pending)
+  /// Connection status
+  status IntegrationConnectionStatus @default(pending)
-    /// Auth strategy used (oauth2, api_key, basic, jwt, custom)
-    authStrategy String
+  /// Auth strategy used (oauth2, api_key, basic, jwt, custom)
+  authStrategy String
-    /// Reference to active credential version
-    activeCredentialVersionId String?
+  /// Reference to active credential version
+  activeCredentialVersionId String?
-    /// Last successful sync timestamp
-    lastSyncAt DateTime?
+  /// Last successful sync timestamp
+  lastSyncAt DateTime?
-    /// Next scheduled sync timestamp
-    nextSyncAt DateTime?
+  /// Next scheduled sync timestamp
+  nextSyncAt DateTime?
-    /// Custom sync cadence (cron expression), null = use default
-    syncCadence String?
+  /// Custom sync cadence (cron expression), null = use default
+  syncCadence String?
-    /// Additional metadata (e.g., connected account info)
-    metadata Json?
+  /// Additional metadata (e.g., connected account info)
+  metadata Json?
-    /// User-configured variables for checks (collected after OAuth)
-    variables Json?
+  /// User-configured variables for checks (collected after OAuth)
+  variables Json?
-    /// Error message if status is error
-    errorMessage String?
+  /// Error message if status is error
+  errorMessage String?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    credentialVersions IntegrationCredentialVersion[]
-    runs               IntegrationRun[]
-    findings           IntegrationPlatformFinding[]
-    checkRuns          IntegrationCheckRun[]
-    syncLogs           IntegrationSyncLog[]
+  credentialVersions IntegrationCredentialVersion[]
+  runs               IntegrationRun[]
+  findings           IntegrationPlatformFinding[]
+  checkRuns          IntegrationCheckRun[]
+  syncLogs           IntegrationSyncLog[]
+  remediationActions RemediationAction[]
+  remediationBatches RemediationBatch[]
-    @@index([organizationId])
-    @@index([providerId])
-    @@index([providerId, organizationId])
-    @@index([status])
+  @@index([organizationId])
+  @@index([providerId])
+  @@index([providerId, organizationId])
+  @@index([status])
 }
 enum IntegrationConnectionStatus {
-    pending // Awaiting credential setup
-    active // Connected and operational
-    error // Connection has errors
-    paused // Manually paused by user
-    disconnected // User disconnected
+  pending // Awaiting credential setup
+  active // Connected and operational
+  error // Connection has errors
+  paused // Manually paused by user
+  disconnected // User disconnected
 }
 /// Stores encrypted credentials with versioning for audit trail
 model IntegrationCredentialVersion {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icv'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('icv'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  /// Parent connection
+  connectionId String
+  connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Encrypted credential payload (JSON with encrypted fields)
-    encryptedPayload Json
+  /// Encrypted credential payload (JSON with encrypted fields)
+  encryptedPayload Json
-    /// Version number (auto-increment per connection)
-    version Int
+  /// Version number (auto-increment per connection)
+  version Int
-    /// Token expiration (for OAuth tokens)
-    expiresAt DateTime?
+  /// Token expiration (for OAuth tokens)
+  expiresAt DateTime?
-    /// When this version was rotated/replaced
-    rotatedAt DateTime?
+  /// When this version was rotated/replaced
+  rotatedAt DateTime?
-    createdAt DateTime @default(now())
+  createdAt DateTime @default(now())
-    @@unique([connectionId, version])
-    @@index([connectionId])
+  @@unique([connectionId, version])
+  @@index([connectionId])
 }
 /// Records each sync/job execution for audit and debugging
 model IntegrationRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('irn'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('irn'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  /// Parent connection
+  connectionId String
+  connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Type of job
-    jobType IntegrationRunJobType
+  /// Type of job
+  jobType IntegrationRunJobType
-    /// Execution status
-    status IntegrationRunStatus @default(pending)
+  /// Execution status
+  status IntegrationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
+  /// Timestamps
+  startedAt   DateTime?
+  completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
+  /// Duration in milliseconds
+  durationMs Int?
-    /// Number of findings from this run
-    findingsCount Int @default(0)
+  /// Number of findings from this run
+  findingsCount Int @default(0)
-    /// Error details if failed
-    error Json?
+  /// Error details if failed
+  error Json?
-    /// Additional metadata (trigger source, cursor, etc.)
-    metadata Json?
+  /// Additional metadata (trigger source, cursor, etc.)
+  metadata Json?
-    createdAt DateTime @default(now())
+  createdAt DateTime @default(now())
-    findings IntegrationPlatformFinding[]
+  findings IntegrationPlatformFinding[]
-    @@index([connectionId])
-    @@index([status])
-    @@index([createdAt])
+  @@index([connectionId])
+  @@index([status])
+  @@index([createdAt])
 }
 enum IntegrationRunJobType {
-    full_sync
-    delta_sync
-    webhook
-    manual
-    test_connection
+  full_sync
+  delta_sync
+  webhook
+  manual
+  test_connection
 }
 enum IntegrationRunStatus {
-    pending
-    running
-    success
-    failed
-    cancelled
+  pending
+  running
+  success
+  failed
+  cancelled
 }
 /// Stores findings/results from integration syncs
 model IntegrationPlatformFinding {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ipf'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('ipf'::text)"))
-    /// Parent run (optional - webhooks may not have runs)
-    runId String?
-    run   IntegrationRun? @relation(fields: [runId], references: [id], onDelete: SetNull)
+  /// Parent run (optional - webhooks may not have runs)
+  runId String?
+  run   IntegrationRun? @relation(fields: [runId], references: [id], onDelete: SetNull)
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  /// Parent connection
+  connectionId String
+  connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Resource classification
-    resourceType String
-    resourceId   String
+  /// Resource classification
+  resourceType String
+  resourceId   String
-    /// Finding details
-    title       String
-    description String?
+  /// Finding details
+  title       String
+  description String?
-    /// Severity level
-    severity IntegrationFindingSeverity @default(info)
+  /// Severity level
+  severity IntegrationFindingSeverity @default(info)
-    /// Finding status
-    status IntegrationFindingStatus @default(open)
+  /// Finding status
+  status IntegrationFindingStatus @default(open)
-    /// Remediation guidance
-    remediation String?
+  /// Remediation guidance
+  remediation String?
-    /// Raw payload from provider
-    rawPayload Json?
+  /// Raw payload from provider
+  rawPayload Json?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    @@index([connectionId])
-    @@index([runId])
-    @@index([resourceType, resourceId])
-    @@index([severity])
-    @@index([status])
+  @@index([connectionId])
+  @@index([runId])
+  @@index([resourceType, resourceId])
+  @@index([severity])
+  @@index([status])
 }
 enum IntegrationFindingSeverity {
-    info
-    low
-    medium
-    high
-    critical
+  info
+  low
+  medium
+  high
+  critical
 }
 enum IntegrationFindingStatus {
-    open
-    resolved
-    ignored
+  open
+  resolved
+  ignored
 }
 /// Stores OAuth state for CSRF protection during OAuth flow
 model IntegrationOAuthState {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ios'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('ios'::text)"))
-    /// Random state parameter
-    state String @unique
+  /// Random state parameter
+  state String @unique
-    /// Provider slug
-    providerSlug String
+  /// Provider slug
+  providerSlug String
-    /// Organization initiating the OAuth
-    organizationId String
+  /// Organization initiating the OAuth
+  organizationId String
-    /// User initiating the OAuth
-    userId String
+  /// User initiating the OAuth
+  userId String
-    /// PKCE code verifier (if using PKCE)
-    codeVerifier String?
+  /// PKCE code verifier (if using PKCE)
+  codeVerifier String?
-    /// Redirect URL after OAuth completes
-    redirectUrl String?
+  /// Redirect URL after OAuth completes
+  redirectUrl String?
-    /// Expiration timestamp
-    expiresAt DateTime
+  /// Expiration timestamp
+  expiresAt DateTime
-    createdAt DateTime @default(now())
+  createdAt DateTime @default(now())
-    @@index([state])
-    @@index([expiresAt])
+  @@index([state])
+  @@index([expiresAt])
 }
 /// Stores organization-level OAuth app credentials
 /// Allows orgs (especially self-hosters) to use their own OAuth apps
 model IntegrationOAuthApp {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ioa'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('ioa'::text)"))
-    /// Provider slug (e.g., "github", "slack")
-    providerSlug String
+  /// Provider slug (e.g., "github", "slack")
+  providerSlug String
-    /// Organization that owns this OAuth app config
-    organizationId String
-    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  /// Organization that owns this OAuth app config
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-    /// Encrypted client ID
-    encryptedClientId Json
+  /// Encrypted client ID
+  encryptedClientId Json
-    /// Encrypted client secret
-    encryptedClientSecret Json
+  /// Encrypted client secret
+  encryptedClientSecret Json
-    /// Optional: custom scopes (overrides manifest defaults)
-    customScopes String[]
+  /// Optional: custom scopes (overrides manifest defaults)
+  customScopes String[]
-    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
-    /// Stored as JSON: { "appName": "compai533c" }
-    customSettings Json?
+  /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+  /// Stored as JSON: { "appName": "compai533c" }
+  customSettings Json?
-    /// Whether this config is active
-    isActive Boolean @default(true)
+  /// Whether this config is active
+  isActive Boolean @default(true)
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    @@unique([providerSlug, organizationId])
-    @@index([organizationId])
-    @@index([providerSlug])
+  @@unique([providerSlug, organizationId])
+  @@index([organizationId])
+  @@index([providerSlug])
 }
 /// Records check runs linked to tasks for compliance verification
 model IntegrationCheckRun {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icr'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('icr'::text)"))
-    /// Parent connection
-    connectionId String
-    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  /// Parent connection
+  connectionId String
+  connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
-    /// Task being verified (optional - checks can run without a task)
-    taskId String?
-    task   Task?   @relation(fields: [taskId], references: [id], onDelete: SetNull)
+  /// Task being verified (optional - checks can run without a task)
+  taskId String?
+  task   Task?   @relation(fields: [taskId], references: [id], onDelete: SetNull)
-    /// Check ID from the manifest
-    checkId String
+  /// Check ID from the manifest
+  checkId String
-    /// Check name (denormalized for display)
-    checkName String
+  /// Check name (denormalized for display)
+  checkName String
-    /// Execution status
-    status IntegrationRunStatus @default(pending)
+  /// Execution status
+  status IntegrationRunStatus @default(pending)
-    /// Timestamps
-    startedAt   DateTime?
-    completedAt DateTime?
+  /// Timestamps
+  startedAt   DateTime?
+  completedAt DateTime?
-    /// Duration in milliseconds
-    durationMs Int?
+  /// Duration in milliseconds
+  durationMs Int?
-    /// Summary counts
-    totalChecked Int @default(0)
-    passedCount  Int @default(0)
-    failedCount  Int @default(0)
+  /// Summary counts
+  totalChecked Int @default(0)
+  passedCount  Int @default(0)
+  failedCount  Int @default(0)
-    /// Error message if failed
-    errorMessage String?
+  /// Error message if failed
+  errorMessage String?
-    /// Full execution logs (JSON array)
-    logs Json?
+  /// Full execution logs (JSON array)
+  logs Json?
-    createdAt DateTime @default(now())
+  createdAt DateTime @default(now())
-    /// Results from this check run
-    results IntegrationCheckResult[]
+  /// Results from this check run
+  results IntegrationCheckResult[]
-    @@index([connectionId])
-    @@index([taskId])
-    @@index([checkId])
-    @@index([status])
-    @@index([createdAt])
+  @@index([connectionId])
+  @@index([taskId])
+  @@index([checkId])
+  @@index([status])
+  @@index([createdAt])
 }
 /// Stores individual results (pass/fail) from check runs
 model IntegrationCheckResult {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('icx'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('icx'::text)"))
+  /// Parent check run
+  checkRunId String
+  checkRun   IntegrationCheckRun @relation(fields: [checkRunId], references: [id], onDelete: Cascade)
-    /// Parent check run
-    checkRunId String
-    checkRun   IntegrationCheckRun @relation(fields: [checkRunId], references: [id], onDelete: Cascade)
+  /// Whether this result is a pass or fail
+  passed Boolean
-    /// Whether this result is a pass or fail
-    passed Boolean
+  /// Resource classification
+  resourceType String
+  resourceId   String
-    /// Resource classification
-    resourceType String
-    resourceId   String
+  /// Result details
+  title       String
+  description String?
-    /// Result details
-    title       String
-    description String?
+  /// Severity (for failures)
+  severity IntegrationFindingSeverity?
-    /// Severity (for failures)
-    severity IntegrationFindingSeverity?
+  /// Remediation guidance (for failures)
+  remediation String?
-    /// Remediation guidance (for failures)
-    remediation String?
+  /// Evidence/proof (JSON - API response data)
+  evidence Json?
-    /// Evidence/proof (JSON - API response data)
-    evidence Json?
+  /// When this evidence was collected
+  collectedAt DateTime @default(now())
-    /// When this evidence was collected
-    collectedAt DateTime @default(now())
+  remediationActions RemediationAction[]
-    @@index([checkRunId])
-    @@index([passed])
-    @@index([resourceType, resourceId])
+  @@index([checkRunId])
+  @@index([passed])
+  @@index([resourceType, resourceId])
 }
 /// Stores platform-wide OAuth app credentials
 /// Used by platform operators to provide default OAuth apps for all users
 model IntegrationPlatformCredential {
-    id String @id @default(dbgenerated("generate_prefixed_cuid('ipc'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('ipc'::text)"))
-    /// Provider slug (e.g., "github", "slack") - unique per platform
-    providerSlug String @unique
+  /// Provider slug (e.g., "github", "slack") - unique per platform
+  providerSlug String @unique
-    /// Encrypted client ID
-    encryptedClientId Json
+  /// Encrypted client ID
+  encryptedClientId Json
-    /// Encrypted client secret
-    encryptedClientSecret Json
+  /// Encrypted client secret
+  encryptedClientSecret Json
-    /// Masked display hint for client ID (computed at write time)
-    clientIdHint String?
+  /// Masked display hint for client ID (computed at write time)
+  clientIdHint String?
-    /// Masked display hint for client secret (computed at write time)
-    clientSecretHint String?
+  /// Masked display hint for client secret (computed at write time)
+  clientSecretHint String?
-    /// Optional: custom scopes (overrides manifest defaults)
-    customScopes String[]
+  /// Optional: custom scopes (overrides manifest defaults)
+  customScopes String[]
-    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
-    /// Stored as JSON: { "appName": "compai533c" }
-    customSettings Json?
+  /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+  /// Stored as JSON: { "appName": "compai533c" }
+  customSettings Json?
-    /// Whether this credential is active
-    isActive Boolean @default(true)
+  /// Whether this credential is active
+  isActive Boolean @default(true)
-    /// Who created this credential
-    createdById String?
+  /// Who created this credential
+  createdById String?
-    /// Who last updated this credential
-    updatedById String?
+  /// Who last updated this credential
+  updatedById String?
-    createdAt DateTime @default(now())
-    updatedAt DateTime @updatedAt
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
-    @@index([providerSlug])
+  @@index([providerSlug])
 }
 // ===== integration-sync-log.prisma =====
 // ===== Integration Sync Log =====
 // Generic audit trail for integration sync operations (employee sync, role discovery, etc.)
 model IntegrationSyncLog {
-  id             String                   @id @default(dbgenerated("generate_prefixed_cuid('isl'::text)"))
+  id             String                @id @default(dbgenerated("generate_prefixed_cuid('isl'::text)"))
   connectionId   String
-  connection     IntegrationConnection    @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  connection     IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
   organizationId String
-  organization   Organization             @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organization   Organization          @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  /// Provider slug (e.g., "ramp", "google-workspace", "rippling", "jumpcloud")
+  /// Provider slug (e.g., "google-workspace", "rippling", "jumpcloud")
   provider    String
   /// Event type (e.g., "employee_sync", "role_discovery", "role_mapping_save")
   eventType   String
@@ -1352,7 +1538,6 @@ enum IntegrationSyncLogStatus {
   failed
 }
 // ===== integration.prisma =====
 model Integration {
   id             String              @id @default(dbgenerated("generate_prefixed_cuid('int'::text)"))
@@ -1387,7 +1572,6 @@ model IntegrationResult {
   @@index([integrationId])
 }
 // ===== knowledge-base-document.prisma =====
 model KnowledgeBaseDocument {
   id               String                                @id @default(dbgenerated("generate_prefixed_cuid('kbd'::text)"))
@@ -1421,13 +1605,12 @@ enum KnowledgeBaseDocumentProcessingStatus {
   failed // Processing failed
 }
 // ===== notification-policy.prisma =====
 model RoleNotificationSetting {
-  id                   String       @id @default(dbgenerated("generate_prefixed_cuid('rns'::text)"))
-  organizationId       String
-  organization         Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  role                 String // "owner", "admin", "auditor", "employee", "contractor", or custom role name
+  id             String       @id @default(dbgenerated("generate_prefixed_cuid('rns'::text)"))
+  organizationId String
+  organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  role           String // "owner", "admin", "auditor", "employee", "contractor", or custom role name
   policyNotifications  Boolean @default(true)
   taskReminders        Boolean @default(true)
@@ -1443,7 +1626,6 @@ model RoleNotificationSetting {
   @@map("role_notification_setting")
 }
 // ===== onboarding.prisma =====
 model Onboarding {
   organizationId        String       @id
@@ -1464,7 +1646,6 @@ model Onboarding {
   @@index([organizationId])
 }
 // ===== org-chart.prisma =====
 model OrganizationChart {
   id               String       @id @default(dbgenerated("generate_prefixed_cuid('och'::text)"))
@@ -1481,7 +1662,6 @@ model OrganizationChart {
   @@index([organizationId])
 }
 // ===== organization-billing.prisma =====
 model OrganizationBilling {
   id               String   @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
@@ -1490,31 +1670,30 @@ model OrganizationBilling {
   createdAt        DateTime @default(now()) @map("created_at")
   updatedAt        DateTime @updatedAt @map("updated_at")
-  organization        Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organization        Organization         @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   pentestSubscription PentestSubscription?
   @@map("organization_billing")
 }
 // ===== organization.prisma =====
 model Organization {
-  id                  String      @id @default(dbgenerated("generate_prefixed_cuid('org'::text)"))
-  name                String
-  slug                String      @unique @default(dbgenerated("generate_prefixed_cuid('slug'::text)"))
-  logo                String?
-  createdAt           DateTime    @default(now())
-  metadata            String?
-  onboarding          Onboarding?
-  website             String?
-  onboardingCompleted Boolean     @default(false)
-  hasAccess           Boolean     @default(false)
-  advancedModeEnabled             Boolean     @default(false)
-  evidenceApprovalEnabled         Boolean     @default(false)
-  deviceAgentStepEnabled          Boolean     @default(true)
-  securityTrainingStepEnabled     Boolean     @default(true)
-  whistleblowerReportEnabled      Boolean     @default(true)
-  accessRequestFormEnabled        Boolean     @default(true)
+  id                          String      @id @default(dbgenerated("generate_prefixed_cuid('org'::text)"))
+  name                        String
+  slug                        String      @unique @default(dbgenerated("generate_prefixed_cuid('slug'::text)"))
+  logo                        String?
+  createdAt                   DateTime    @default(now())
+  metadata                    String?
+  onboarding                  Onboarding?
+  website                     String?
+  onboardingCompleted         Boolean     @default(false)
+  hasAccess                   Boolean     @default(false)
+  advancedModeEnabled         Boolean     @default(false)
+  evidenceApprovalEnabled     Boolean     @default(false)
+  deviceAgentStepEnabled      Boolean     @default(true)
+  securityTrainingStepEnabled Boolean     @default(true)
+  whistleblowerReportEnabled  Boolean     @default(true)
+  accessRequestFormEnabled    Boolean     @default(true)
   // FleetDM
   fleetDmLabelId        Int?
@@ -1578,13 +1757,19 @@ model Organization {
   organizationChart OrganizationChart?
   // RBAC
-  organizationRoles          OrganizationRole[]
-  roleNotificationSettings   RoleNotificationSetting[]
+  organizationRoles        OrganizationRole[]
+  roleNotificationSettings RoleNotificationSetting[]
+  // Timeline
+  timelineInstances TimelineInstance[]
+  // Custom frameworks / requirements authored by this org
+  customFrameworks   CustomFramework[]
+  customRequirements CustomRequirement[]
   @@index([slug])
 }
 // ===== pentest-subscription.prisma =====
 model PentestSubscription {
   id                    String   @id @default(dbgenerated("generate_prefixed_cuid('psub'::text)"))
@@ -1607,7 +1792,6 @@ model PentestSubscription {
   @@map("pentest_subscriptions")
 }
 // ===== policy.prisma =====
 enum PolicyDisplayFormat {
   EDITOR
@@ -1615,7 +1799,7 @@ enum PolicyDisplayFormat {
 }
 enum PolicyVisibility {
-  ALL        // Visible to everyone in organization
+  ALL // Visible to everyone in organization
   DEPARTMENT // Only visible to specified departments
 }
@@ -1645,6 +1829,12 @@ model Policy {
   lastArchivedAt  DateTime?
   lastPublishedAt DateTime?
+  // Sync-driven archive. Distinct from `isArchived` (which is user-initiated
+  // archiving of a published policy). UI should hide a policy if EITHER is
+  // set: `WHERE isArchived = false AND archivedAt IS NULL`. Rollback restores
+  // only `archivedAt`, never touches `isArchived`.
+  archivedAt DateTime?
   // Relationships
   organizationId   String
   organization     Organization                   @relation(fields: [organizationId], references: [id], onDelete: Cascade)
@@ -1659,8 +1849,10 @@ model Policy {
   currentVersion   PolicyVersion?                 @relation("PolicyCurrentVersion", fields: [currentVersionId], references: [id])
   pendingVersionId String?
   versions         PolicyVersion[]                @relation("PolicyVersions")
+  findings         Finding[]
   @@index([organizationId])
+  @@index([organizationId, archivedAt])
 }
 model PolicyVersion {
@@ -1669,8 +1861,8 @@ model PolicyVersion {
   updatedAt DateTime @updatedAt
   // Relations
-  policyId String
-  policy   Policy @relation("PolicyVersions", fields: [policyId], references: [id], onDelete: Cascade)
+  policyId         String
+  policy           Policy  @relation("PolicyVersions", fields: [policyId], references: [id], onDelete: Cascade)
   currentForPolicy Policy? @relation("PolicyCurrentVersion")
   // Version details
@@ -1686,7 +1878,6 @@ model PolicyVersion {
   @@index([createdAt])
 }
 // ===== questionnaire.prisma =====
 model Questionnaire {
   id                String              @id @default(dbgenerated("generate_prefixed_cuid('qst'::text)"))
@@ -1751,13 +1942,68 @@ enum QuestionnaireAnswerStatus {
   manual // Manually written/edited by user
 }
+// ===== remediation-action.prisma =====
+model RemediationAction {
+  id                 String    @id @default(dbgenerated("generate_prefixed_cuid('rma'::text)"))
+  checkResultId      String
+  connectionId       String
+  organizationId     String
+  initiatedById      String
+  remediationKey     String
+  resourceId         String
+  resourceType       String
+  previousState      Json
+  appliedState       Json
+  status             String    @default("pending")
+  riskLevel          String?
+  acknowledgmentText String?
+  acknowledgedAt     DateTime?
+  errorMessage       String?
+  executedAt         DateTime?
+  rolledBackAt       DateTime?
+  createdAt          DateTime  @default(now())
+  updatedAt          DateTime  @updatedAt
+  checkResult IntegrationCheckResult @relation(fields: [checkResultId], references: [id], onDelete: Cascade)
+  connection  IntegrationConnection  @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  @@index([connectionId])
+  @@index([organizationId])
+  @@index([checkResultId])
+}
+// ===== remediation-batch.prisma =====
+model RemediationBatch {
+  id             String   @id @default(dbgenerated("generate_prefixed_cuid('rmb'::text)"))
+  connectionId   String
+  organizationId String
+  initiatedById  String
+  triggerRunId   String?
+  status         String   @default("pending") // pending, running, done, cancelled
+  findings       Json     @default("[]") // Array of { id, key, title, status, error? }
+  fixed          Int      @default(0)
+  skipped        Int      @default(0)
+  failed         Int      @default(0)
+  createdAt      DateTime @default(now())
+  updatedAt      DateTime @updatedAt
+  connection IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+  @@index([connectionId])
+  @@index([organizationId])
+  @@index([status])
+}
 // ===== requirement.prisma =====
 model RequirementMap {
   id String @id @default(dbgenerated("generate_prefixed_cuid('req'::text)"))
-  requirementId String
-  requirement   FrameworkEditorRequirement @relation(fields: [requirementId], references: [id], onDelete: Cascade)
+  // Exactly one of requirementId / customRequirementId is set (enforced by DB CHECK constraint).
+  requirementId String?
+  requirement   FrameworkEditorRequirement? @relation(fields: [requirementId], references: [id], onDelete: Cascade)
+  customRequirementId String?
+  customRequirement   CustomRequirement? @relation(fields: [customRequirementId], references: [id], onDelete: Cascade)
   controlId String
   control   Control @relation(fields: [controlId], references: [id], onDelete: Cascade)
@@ -1765,11 +2011,17 @@ model RequirementMap {
   frameworkInstanceId String
   frameworkInstance   FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
+  // Sync-driven archive — edges are framework-scoped, so these always archive
+  // cleanly when the mapping disappears from the framework's latest version.
+  archivedAt DateTime?
   @@unique([controlId, frameworkInstanceId, requirementId])
+  @@unique([controlId, frameworkInstanceId, customRequirementId])
   @@index([requirementId, frameworkInstanceId])
+  @@index([customRequirementId, frameworkInstanceId])
+  @@index([frameworkInstanceId, archivedAt])
 }
 // ===== risk.prisma =====
 model Risk {
   // Metadata
@@ -1796,6 +2048,7 @@ model Risk {
   assigneeId     String?
   assignee       Member?      @relation(fields: [assigneeId], references: [id])
   tasks          Task[]
+  findings       Finding[]
   @@index([organizationId])
   @@index([category])
@@ -1830,7 +2083,6 @@ enum RiskStatus {
   archived
 }
 // ===== secret.prisma =====
 model Secret {
   id             String    @id @default(dbgenerated("generate_prefixed_cuid('sec'::text)"))
@@ -1849,14 +2101,13 @@ model Secret {
   @@map("secrets")
 }
 // ===== security-penetration-test-run.prisma =====
 model SecurityPenetrationTestRun {
-  id           String   @id @default(dbgenerated("generate_prefixed_cuid('ptr'::text)"))
-  organizationId String @map("organization_id")
-  providerRunId String  @map("provider_run_id")
-  createdAt    DateTime @default(now()) @map("created_at")
-  updatedAt    DateTime @updatedAt @map("updated_at")
+  id             String   @id @default(dbgenerated("generate_prefixed_cuid('ptr'::text)"))
+  organizationId String   @map("organization_id")
+  providerRunId  String   @map("provider_run_id")
+  createdAt      DateTime @default(now()) @map("created_at")
+  updatedAt      DateTime @updatedAt @map("updated_at")
   organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
@@ -1865,7 +2116,6 @@ model SecurityPenetrationTestRun {
   @@map("security_penetration_test_runs")
 }
 // ===== security-questionnaire-manual-answer.prisma =====
 model SecurityQuestionnaireManualAnswer {
   id       String   @id @default(dbgenerated("generate_prefixed_cuid('sqma'::text)"))
@@ -1896,7 +2146,6 @@ model SecurityQuestionnaireManualAnswer {
   @@index([createdAt])
 }
 // ===== shared.prisma =====
 model ApiKey {
   id         String    @id @default(dbgenerated("generate_prefixed_cuid('apk'::text)"))
@@ -2028,7 +2277,6 @@ enum Impact {
   severe
 }
 // ===== soa.prisma =====
 // Statement of Applicability (SOA) Auto-complete Configuration and Answers
@@ -2092,9 +2340,9 @@ model SOADocument {
   answeredQuestions Int @default(0) // Number of questions with answers
   // Approval tracking
-  preparedBy String  @default("Comp AI") // Always "Comp AI"
+  preparedBy String    @default("Comp AI") // Always "Comp AI"
   approverId String? // Member ID who will approve this document (set when submitted for approval)
-  approver   Member? @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
+  approver   Member?   @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
   approvedAt DateTime? // When document was approved
   // Dates
@@ -2165,37 +2413,36 @@ enum SOAAnswerStatus {
   manual // Manually written/edited by user
 }
 // ===== task-item.prisma =====
 model TaskItem {
-  id          String            @id @default(dbgenerated("generate_prefixed_cuid('tski'::text)"))
+  id          String           @id @default(dbgenerated("generate_prefixed_cuid('tski'::text)"))
   title       String
   description String?
-  status      TaskItemStatus    @default(todo)
-  priority    TaskItemPriority  @default(medium)
+  status      TaskItemStatus   @default(todo)
+  priority    TaskItemPriority @default(medium)
   // Polymorphic relation (like Comment and Attachment)
   entityId   String
   entityType TaskItemEntityType
   // Assignment (nullable)
-  assigneeId  String?
-  assignee   Member?           @relation("TaskItemAssignee", fields: [assigneeId], references: [id], onDelete: SetNull)
+  assigneeId String?
+  assignee   Member? @relation("TaskItemAssignee", fields: [assigneeId], references: [id], onDelete: SetNull)
   // Creator & Updater
   createdById String
-  createdBy   Member           @relation("TaskItemCreator", fields: [createdById], references: [id])
+  createdBy   Member  @relation("TaskItemCreator", fields: [createdById], references: [id])
   updatedById String?
-  updatedBy   Member?          @relation("TaskItemUpdater", fields: [updatedById], references: [id])
+  updatedBy   Member? @relation("TaskItemUpdater", fields: [updatedById], references: [id])
   // Relationships
   organizationId String
   organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
   // Dates
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
   @@index([entityId, entityType])
   @@index([organizationId])
   @@index([assigneeId])
@@ -2223,18 +2470,19 @@ enum TaskItemEntityType {
   risk
 }
 // ===== task.prisma =====
 model Task {
   // Metadata
-  id          String         @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
-  title       String
-  description String
-  status           TaskStatus           @default(todo)
-  automationStatus TaskAutomationStatus @default(AUTOMATED)
-  frequency        TaskFrequency?
-  department  Departments?   @default(none)
-  order       Int            @default(0)
+  id                           String               @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
+  title                        String
+  description                  String
+  status                       TaskStatus           @default(todo)
+  automationStatus             TaskAutomationStatus @default(AUTOMATED)
+  frequency                    TaskFrequency?
+  integrationScheduleFrequency TaskFrequency        @default(daily)
+  integrationLastRunAt         DateTime?
+  department                   Departments?         @default(none)
+  order                        Int                  @default(0)
   // Dates
   createdAt       DateTime  @default(now())
@@ -2256,14 +2504,19 @@ model Task {
   browserAutomations  BrowserAutomation[]
   evidenceAutomationRuns EvidenceAutomationRun[]
-  integrationCheckRuns  IntegrationCheckRun[]
-  findings              Finding[]
+  integrationCheckRuns   IntegrationCheckRun[]
+  findings               Finding[]
   // Evidence approval
   approverId     String?
   approver       Member?     @relation("TaskApprover", fields: [approverId], references: [id])
   approvedAt     DateTime?
   previousStatus TaskStatus?
+  // Sync-driven archive — see Control.archivedAt.
+  archivedAt DateTime?
+  @@index([organizationId, archivedAt])
 }
 enum TaskStatus {
@@ -2288,6 +2541,128 @@ enum TaskAutomationStatus {
   MANUAL
 }
+// ===== timeline.prisma =====
+enum TimelineStatus {
+  DRAFT
+  ACTIVE
+  PAUSED
+  COMPLETED
+}
+enum TimelinePhaseStatus {
+  PENDING
+  IN_PROGRESS
+  COMPLETED
+}
+enum PhaseCompletionType {
+  AUTO_TASKS
+  AUTO_POLICIES
+  AUTO_PEOPLE
+  AUTO_FINDINGS
+  AUTO_UPLOAD
+  MANUAL
+}
+model TimelineTemplate {
+  id              String   @id @default(dbgenerated("generate_prefixed_cuid('tml'::text)"))
+  frameworkId     String
+  name            String
+  trackKey        String   @default("primary")
+  cycleNumber     Int
+  templateKey     String?
+  nextTemplateKey String?
+  createdAt       DateTime @default(now())
+  updatedAt       DateTime @updatedAt
+  framework FrameworkEditorFramework @relation(fields: [frameworkId], references: [id])
+  phases    TimelinePhaseTemplate[]
+  instances TimelineInstance[]
+  @@unique([frameworkId, trackKey, cycleNumber])
+  // Note: Postgres treats NULLs as distinct in unique indexes, so this
+  // constraint only enforces uniqueness among rows where templateKey is set.
+  // That's intentional — frameworks without explicit keys (legacy defaults)
+  // are uniquely identified by the (frameworkId, trackKey, cycleNumber)
+  // constraint above, so multiple NULL templateKey rows are permitted.
+  @@unique([frameworkId, templateKey])
+}
+model TimelinePhaseTemplate {
+  id                      String              @id @default(dbgenerated("generate_prefixed_cuid('tpt'::text)"))
+  templateId              String
+  name                    String
+  description             String?
+  groupLabel              String?
+  orderIndex              Int
+  defaultDurationWeeks    Int
+  completionType          PhaseCompletionType @default(MANUAL)
+  locksTimelineOnComplete Boolean             @default(false)
+  createdAt               DateTime            @default(now())
+  updatedAt               DateTime            @updatedAt
+  template TimelineTemplate @relation(fields: [templateId], references: [id], onDelete: Cascade)
+  phases   TimelinePhase[]
+}
+model TimelineInstance {
+  id                  String         @id @default(dbgenerated("generate_prefixed_cuid('tli'::text)"))
+  organizationId      String
+  frameworkInstanceId String
+  templateId          String
+  trackKey            String         @default("primary")
+  cycleNumber         Int
+  status              TimelineStatus @default(DRAFT)
+  startDate           DateTime?
+  pausedAt            DateTime?
+  lockedAt            DateTime?
+  lockedById          String?
+  unlockedAt          DateTime?
+  unlockedById        String?
+  unlockReason        String?
+  completedAt         DateTime?
+  createdAt           DateTime       @default(now())
+  updatedAt           DateTime       @updatedAt
+  organization      Organization      @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  frameworkInstance FrameworkInstance @relation(fields: [frameworkInstanceId], references: [id], onDelete: Cascade)
+  template          TimelineTemplate  @relation(fields: [templateId], references: [id])
+  lockedBy          User?             @relation("TimelineInstanceLockedBy", fields: [lockedById], references: [id])
+  unlockedBy        User?             @relation("TimelineInstanceUnlockedBy", fields: [unlockedById], references: [id])
+  phases            TimelinePhase[]
+  @@unique([frameworkInstanceId, trackKey, cycleNumber])
+}
+model TimelinePhase {
+  id                      String              @id @default(dbgenerated("generate_prefixed_cuid('tlp'::text)"))
+  instanceId              String
+  phaseTemplateId         String?
+  name                    String
+  description             String?
+  groupLabel              String?
+  orderIndex              Int
+  status                  TimelinePhaseStatus @default(PENDING)
+  startDate               DateTime?
+  endDate                 DateTime?
+  durationWeeks           Int
+  completionType          PhaseCompletionType @default(MANUAL)
+  locksTimelineOnComplete Boolean             @default(false)
+  regressedAt             DateTime?
+  datesPinned             Boolean             @default(false)
+  completedAt             DateTime?
+  completedById           String?
+  readyForReview          Boolean             @default(false)
+  readyForReviewAt        DateTime?
+  documentUrl             String?
+  documentName            String?
+  createdAt               DateTime            @default(now())
+  updatedAt               DateTime            @updatedAt
+  instance      TimelineInstance       @relation(fields: [instanceId], references: [id], onDelete: Cascade)
+  phaseTemplate TimelinePhaseTemplate? @relation(fields: [phaseTemplateId], references: [id])
+  completedBy   User?                  @relation(fields: [completedById], references: [id])
+}
 // ===== trust.prisma =====
 model Trust {
@@ -2542,7 +2917,6 @@ model TrustCustomLink {
   @@index([organizationId, isActive, order])
 }
 // ===== vendor.prisma =====
 model Vendor {
   id                  String         @id @default(dbgenerated("generate_prefixed_cuid('vnd'::text)"))
@@ -2572,6 +2946,7 @@ model Vendor {
   assignee       Member?         @relation(fields: [assigneeId], references: [id], onDelete: Cascade)
   contacts       VendorContact[]
   tasks          Task[]
+  findings       Finding[]
   @@index([organizationId])
   @@index([assigneeId])