@trycompai/db 2.0.2 → 2.0.3

package/dist/schema.prisma

@@ -38,6 +38,7 @@ enum AttachmentEntityType {
   comment
   trust_nda
   task_item
+  background_check
 }
 
 enum AttachmentType {
@@ -194,6 +195,7 @@ model Member {
   performedFrameworkSyncOperations FrameworkSyncOperation[] @relation("FrameworkSyncOperationPerformer")
   approvedTasks                    Task[]                   @relation("TaskApprover")
   devices                          Device[]
+  backgroundCheckRequests          BackgroundCheckRequest[]
 }
 
 model Invitation {
@@ -343,6 +345,71 @@ model EvidenceAutomation {
   @@index([taskId])
 }
 
+// ===== background-check.prisma =====
+model BackgroundCheckRequest {
+  id                        String                @id @default(dbgenerated("generate_prefixed_cuid('bcr'::text)"))
+  organizationId            String
+  memberId                  String
+  employeeEmail             String
+  employeeName              String
+  requesterNotes            String?
+  identityBackgroundCheckId String?               @unique
+  candidateUrl              String?
+  status                    BackgroundCheckStatus @default(invited)
+  identityStatus            String?
+  employmentStatus          String?
+  referenceStatus           String?
+  rightToWorkStatus         String?
+  adjudicationStatus        String?
+  stripePaymentIntentId     String?
+  stripePaymentStatus       String?
+  stripeRefundId            String?
+  stripeAmountCents         Int?
+  stripeCurrency            String?
+  lastWebhookEventId        String?
+  lastSyncedAt              DateTime?
+  reportSnapshot            Json?
+  reportSyncedAt            DateTime?
+  createdAt                 DateTime              @default(now())
+  updatedAt                 DateTime              @updatedAt
+
+  organization  Organization                    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  member        Member                          @relation(fields: [memberId], references: [id], onDelete: Cascade)
+  webhookEvents BackgroundCheckWebhookEvent[]
+
+  @@unique([organizationId, memberId])
+  @@index([organizationId])
+  @@index([memberId])
+  @@index([status])
+  @@map("background_check_requests")
+}
+
+model BackgroundCheckWebhookEvent {
+  id                        String   @id @default(dbgenerated("generate_prefixed_cuid('bcw'::text)"))
+  eventId                   String   @unique
+  eventType                 String
+  backgroundCheckRequestId  String?
+  identityBackgroundCheckId String?
+  payload                   Json
+  processedAt               DateTime @default(now())
+
+  backgroundCheckRequest BackgroundCheckRequest? @relation(fields: [backgroundCheckRequestId], references: [id], onDelete: SetNull)
+
+  @@index([backgroundCheckRequestId])
+  @@index([identityBackgroundCheckId])
+  @@map("background_check_webhook_events")
+}
+
+enum BackgroundCheckStatus {
+  invited
+  in_progress
+  in_review
+  completed
+  completed_with_flags
+  failed
+  cancelled
+}
+
 // ===== browserbase-context.prisma =====
 /// Stores Browserbase context IDs for browser-based automation
 /// One context per organization - shared like a normal browser
@@ -1664,14 +1731,15 @@ model OrganizationChart {
 
 // ===== organization-billing.prisma =====
 model OrganizationBilling {
-  id               String   @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
-  organizationId   String   @unique @map("organization_id")
-  stripeCustomerId String   @map("stripe_customer_id")
-  createdAt        DateTime @default(now()) @map("created_at")
-  updatedAt        DateTime @updatedAt @map("updated_at")
+  id                                   String    @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
+  organizationId                       String    @unique @map("organization_id")
+  stripeCustomerId                     String    @map("stripe_customer_id")
+  stripeBackgroundCheckPaymentMethodId String?   @map("stripe_background_check_payment_method_id")
+  backgroundCheckPaymentMethodSetupAt  DateTime? @map("background_check_payment_method_setup_at")
+  createdAt                            DateTime  @default(now()) @map("created_at")
+  updatedAt                            DateTime  @updatedAt @map("updated_at")
 
-  organization        Organization         @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  pentestSubscription PentestSubscription?
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
 
   @@map("organization_billing")
 }
@@ -1739,9 +1807,11 @@ model Organization {
   integrationOAuthApps   IntegrationOAuthApp[]
   integrationSyncLogs    IntegrationSyncLog[]
 
-  // Pentest Subscription
-  pentestSubscription PentestSubscription?
-  billing             OrganizationBilling?
+  // Pentest credits — wallet of run-credits an org can spend.
+  // Source of credits (trial / future Stripe subscription / top-up)
+  // is metadata on the row; balance is unified.
+  pentestCredits PentestCredits?
+  billing        OrganizationBilling?
 
   // Browser Automation
   browserbaseContext BrowserbaseContext?
@@ -1753,6 +1823,9 @@ model Organization {
   // Device Agent
   devices Device[]
 
+  // Background Checks
+  backgroundCheckRequests BackgroundCheckRequest[]
+
   // Org Chart
   organizationChart OrganizationChart?
 
@@ -1770,26 +1843,51 @@ model Organization {
   @@index([slug])
 }
 
-// ===== pentest-subscription.prisma =====
-model PentestSubscription {
-  id                    String   @id @default(dbgenerated("generate_prefixed_cuid('psub'::text)"))
-  organizationId        String   @unique @map("organization_id")
-  organizationBillingId String   @unique @map("organization_billing_id")
-  stripeSubscriptionId  String   @map("stripe_subscription_id")
-  stripePriceId         String   @map("stripe_price_id")
-  stripeOveragePriceId  String?  @map("stripe_overage_price_id")
-  status                String   @default("active") // active | cancelled | past_due
-  includedRunsPerPeriod Int      @default(3) @map("included_runs_per_period")
-  currentPeriodStart    DateTime @map("current_period_start")
-  currentPeriodEnd      DateTime @map("current_period_end")
-  createdAt             DateTime @default(now()) @map("created_at")
-  updatedAt             DateTime @updatedAt @map("updated_at")
-
-  organization        Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  organizationBilling OrganizationBilling @relation(fields: [organizationBillingId], references: [id])
+// ===== pentest-credits.prisma =====
+/// Pentest credit wallet — one row per organization, holding the org's
+/// current quota for penetration test runs.
+///
+/// `balance` is the operative number: decremented atomically when a run is
+/// created, granted by trial bootstrap, future Stripe subscription renewals,
+/// future top-up purchases, etc. The wallet does not differentiate by
+/// source — credits are credits. The most recent grant source is recorded
+/// for support visibility, not for spend logic.
+///
+/// For a full audit trail of every grant/consume, a future
+/// `pentest_credit_entries` ledger table can be layered in. v1 sticks with
+/// running totals (`totalGranted` / `totalConsumed`) for simplicity.
+model PentestCredits {
+  id             String @id @default(dbgenerated("generate_prefixed_cuid('pcr'::text)"))
+  organizationId String @unique @map("organization_id")
+
+  /// Spendable balance. Never negative.
+  /// Enforced both in code (atomic `updateMany WHERE balance > 0` in
+  /// PentestCreditsService.debitOrThrow) AND at the DB level via a
+  /// CHECK constraint added in migration
+  /// `20260429120000_pentest_credits_balance_check`. Prisma's schema
+  /// DSL doesn't currently support CHECK constraints, hence the
+  /// SQL-only migration.
+  balance Int @default(0)
+
+  /// Lifetime totals — useful for analytics and "why do I have N credits?"
+  /// support questions without needing a full ledger.
+  totalGranted  Int @default(0) @map("total_granted")
+  totalConsumed Int @default(0) @map("total_consumed")
+
+  /// Where the most recent grant came from. Free-form string so v2 can add
+  /// new sources (`subscription`, `topup`, `promo`, `refund`, …) without a
+  /// schema change. `trial` is the v1 default.
+  lastGrantSource String @default("trial") @map("last_grant_source")
+
+  createdAt DateTime @default(now()) @map("created_at")
+  updatedAt DateTime @updatedAt        @map("updated_at")
 
-  @@index([organizationId])
-  @@map("pentest_subscriptions")
+  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+  // No explicit @@index([organizationId]) — `@unique` on organizationId
+  // already creates a btree index, and a duplicate would just consume
+  // disk + write amplification with no read benefit.
+  @@map("pentest_credits")
 }
 
 // ===== policy.prisma =====
@@ -2109,6 +2207,19 @@ model SecurityPenetrationTestRun {
   createdAt      DateTime @default(now()) @map("created_at")
   updatedAt      DateTime @updatedAt @map("updated_at")
 
+  /// Set the first time we refund this run's credit (e.g. on
+  /// `pentest.failed` / `pentest.cancelled` webhooks). Used to make the
+  /// refund idempotent — webhook redelivery cannot double-credit because
+  /// the second attempt sees a non-null value here.
+  creditRefundedAt DateTime? @map("credit_refunded_at")
+
+  /// Set the first time we write a `pentest_completed` audit-log entry
+  /// for this run. Webhook redelivery would otherwise create duplicate
+  /// rows in `audit_log` because Maced retries `pentest.completed` on
+  /// transient delivery failures. The atomic claim on this column
+  /// guarantees one audit row per run regardless of retry count.
+  completedAuditAt DateTime? @map("completed_audit_at")
+
   organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
 
   @@unique([providerRunId])
@@ -2202,6 +2313,7 @@ enum AuditLogEntityType {
   integration
   trust
   finding
+  pentest
 }
 
 enum EvidenceFormType {
@@ -2333,7 +2445,7 @@ model SOADocument {
   isLatest Boolean @default(true) // Whether this is the latest version
 
   // Document status
-  status SOADocumentStatus @default(draft) // draft, in_progress, completed
+  status SOADocumentStatus @default(draft) // draft, in_progress, needs_review, completed
 
   // Document metadata
   totalQuestions    Int @default(0) // Total number of questions in this document
@@ -2344,6 +2456,7 @@ model SOADocument {
   approverId String? // Member ID who will approve this document (set when submitted for approval)
   approver   Member?   @relation("SOADocumentApprover", fields: [approverId], references: [id], onDelete: SetNull, onUpdate: Cascade)
   approvedAt DateTime? // When document was approved
+  declinedAt DateTime? // When document was declined
 
   // Dates
   completedAt DateTime? // When document was completed
@@ -2684,6 +2797,7 @@ model Trust {
   soc2          Boolean @default(false)
   soc2type1     Boolean @default(false)
   soc2type2     Boolean @default(false)
+  soc3          Boolean @default(false)
   iso27001      Boolean @default(false)
   iso42001      Boolean @default(false)
   nen7510       Boolean @default(false)
@@ -2695,6 +2809,7 @@ model Trust {
   soc2_status      FrameworkStatus @default(started)
   soc2type1_status FrameworkStatus @default(started)
   soc2type2_status FrameworkStatus @default(started)
+  soc3_status      FrameworkStatus @default(started)
   iso27001_status  FrameworkStatus @default(started)
   iso42001_status  FrameworkStatus @default(started)
   nen7510_status   FrameworkStatus @default(started)
@@ -2735,6 +2850,7 @@ enum TrustFramework {
   hipaa
   soc2_type1
   soc2_type2
+  soc3
   pci_dss
   nen_7510
   iso_9001

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@trycompai/db",
     "description": "Database package with Prisma client and schema for Comp AI",
-    "version": "2.0.2",
+    "version": "2.0.3",
     "dependencies": {
         "@prisma/adapter-pg": "7.6.0",
         "@prisma/client": "7.6.0",