@trycompai/db 2.0.3 → 2.1.0

package/dist/schema.prisma

@@ -38,7 +38,6 @@ enum AttachmentEntityType {
   comment
   trust_nda
   task_item
-  background_check
 }
 
 enum AttachmentType {
@@ -195,7 +194,6 @@ model Member {
   performedFrameworkSyncOperations FrameworkSyncOperation[] @relation("FrameworkSyncOperationPerformer")
   approvedTasks                    Task[]                   @relation("TaskApprover")
   devices                          Device[]
-  backgroundCheckRequests          BackgroundCheckRequest[]
 }
 
 model Invitation {
@@ -345,71 +343,6 @@ model EvidenceAutomation {
   @@index([taskId])
 }
 
-// ===== background-check.prisma =====
-model BackgroundCheckRequest {
-  id                        String                @id @default(dbgenerated("generate_prefixed_cuid('bcr'::text)"))
-  organizationId            String
-  memberId                  String
-  employeeEmail             String
-  employeeName              String
-  requesterNotes            String?
-  identityBackgroundCheckId String?               @unique
-  candidateUrl              String?
-  status                    BackgroundCheckStatus @default(invited)
-  identityStatus            String?
-  employmentStatus          String?
-  referenceStatus           String?
-  rightToWorkStatus         String?
-  adjudicationStatus        String?
-  stripePaymentIntentId     String?
-  stripePaymentStatus       String?
-  stripeRefundId            String?
-  stripeAmountCents         Int?
-  stripeCurrency            String?
-  lastWebhookEventId        String?
-  lastSyncedAt              DateTime?
-  reportSnapshot            Json?
-  reportSyncedAt            DateTime?
-  createdAt                 DateTime              @default(now())
-  updatedAt                 DateTime              @updatedAt
-
-  organization  Organization                    @relation(fields: [organizationId], references: [id], onDelete: Cascade)
-  member        Member                          @relation(fields: [memberId], references: [id], onDelete: Cascade)
-  webhookEvents BackgroundCheckWebhookEvent[]
-
-  @@unique([organizationId, memberId])
-  @@index([organizationId])
-  @@index([memberId])
-  @@index([status])
-  @@map("background_check_requests")
-}
-
-model BackgroundCheckWebhookEvent {
-  id                        String   @id @default(dbgenerated("generate_prefixed_cuid('bcw'::text)"))
-  eventId                   String   @unique
-  eventType                 String
-  backgroundCheckRequestId  String?
-  identityBackgroundCheckId String?
-  payload                   Json
-  processedAt               DateTime @default(now())
-
-  backgroundCheckRequest BackgroundCheckRequest? @relation(fields: [backgroundCheckRequestId], references: [id], onDelete: SetNull)
-
-  @@index([backgroundCheckRequestId])
-  @@index([identityBackgroundCheckId])
-  @@map("background_check_webhook_events")
-}
-
-enum BackgroundCheckStatus {
-  invited
-  in_progress
-  in_review
-  completed
-  completed_with_flags
-  failed
-  cancelled
-}
-
 // ===== browserbase-context.prisma =====
 /// Stores Browserbase context IDs for browser-based automation
 /// One context per organization - shared like a normal browser
@@ -1731,15 +1664,14 @@ model OrganizationChart {
 
 // ===== organization-billing.prisma =====
 model OrganizationBilling {
-  id                                   String    @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
-  organizationId                       String    @unique @map("organization_id")
-  stripeCustomerId                     String    @map("stripe_customer_id")
-  stripeBackgroundCheckPaymentMethodId String?   @map("stripe_background_check_payment_method_id")
-  backgroundCheckPaymentMethodSetupAt  DateTime? @map("background_check_payment_method_setup_at")
-  createdAt                            DateTime  @default(now()) @map("created_at")
-  updatedAt                            DateTime  @updatedAt @map("updated_at")
+  id               String   @id @default(dbgenerated("generate_prefixed_cuid('obil'::text)"))
+  organizationId   String   @unique @map("organization_id")
+  stripeCustomerId String   @map("stripe_customer_id")
+  createdAt        DateTime @default(now()) @map("created_at")
+  updatedAt        DateTime @updatedAt @map("updated_at")
 
-  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organization        Organization         @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  pentestSubscription PentestSubscription?
 
   @@map("organization_billing")
 }
@@ -1807,11 +1739,9 @@ model Organization {
   integrationOAuthApps   IntegrationOAuthApp[]
   integrationSyncLogs    IntegrationSyncLog[]
 
-  // Pentest credits — wallet of run-credits an org can spend.
-  // Source of credits (trial / future Stripe subscription / top-up)
-  // is metadata on the row; balance is unified.
-  pentestCredits PentestCredits?
-  billing        OrganizationBilling?
+  // Pentest Subscription
+  pentestSubscription PentestSubscription?
+  billing             OrganizationBilling?
 
   // Browser Automation
   browserbaseContext BrowserbaseContext?
@@ -1823,9 +1753,6 @@ model Organization {
   // Device Agent
   devices Device[]
 
-  // Background Checks
-  backgroundCheckRequests BackgroundCheckRequest[]
-
   // Org Chart
   organizationChart OrganizationChart?
 
@@ -1843,51 +1770,26 @@ model Organization {
   @@index([slug])
 }
 
-// ===== pentest-credits.prisma =====
-/// Pentest credit wallet — one row per organization, holding the org's
-/// current quota for penetration test runs.
-///
-/// `balance` is the operative number: decremented atomically when a run is
-/// created, granted by trial bootstrap, future Stripe subscription renewals,
-/// future top-up purchases, etc. The wallet does not differentiate by
-/// source — credits are credits. The most recent grant source is recorded
-/// for support visibility, not for spend logic.
-///
-/// For a full audit trail of every grant/consume, a future
-/// `pentest_credit_entries` ledger table can be layered in. v1 sticks with
-/// running totals (`totalGranted` / `totalConsumed`) for simplicity.
-model PentestCredits {
-  id             String @id @default(dbgenerated("generate_prefixed_cuid('pcr'::text)"))
-  organizationId String @unique @map("organization_id")
-
-  /// Spendable balance. Never negative.
-  /// Enforced both in code (atomic `updateMany WHERE balance > 0` in
-  /// PentestCreditsService.debitOrThrow) AND at the DB level via a
-  /// CHECK constraint added in migration
-  /// `20260429120000_pentest_credits_balance_check`. Prisma's schema
-  /// DSL doesn't currently support CHECK constraints, hence the
-  /// SQL-only migration.
-  balance Int @default(0)
-
-  /// Lifetime totals — useful for analytics and "why do I have N credits?"
-  /// support questions without needing a full ledger.
-  totalGranted  Int @default(0) @map("total_granted")
-  totalConsumed Int @default(0) @map("total_consumed")
-
-  /// Where the most recent grant came from. Free-form string so v2 can add
-  /// new sources (`subscription`, `topup`, `promo`, `refund`, …) without a
-  /// schema change. `trial` is the v1 default.
-  lastGrantSource String @default("trial") @map("last_grant_source")
-
-  createdAt DateTime @default(now()) @map("created_at")
-  updatedAt DateTime @updatedAt        @map("updated_at")
-
-  organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+// ===== pentest-subscription.prisma =====
+model PentestSubscription {
+  id                    String   @id @default(dbgenerated("generate_prefixed_cuid('psub'::text)"))
+  organizationId        String   @unique @map("organization_id")
+  organizationBillingId String   @unique @map("organization_billing_id")
+  stripeSubscriptionId  String   @map("stripe_subscription_id")
+  stripePriceId         String   @map("stripe_price_id")
+  stripeOveragePriceId  String?  @map("stripe_overage_price_id")
+  status                String   @default("active") // active | cancelled | past_due
+  includedRunsPerPeriod Int      @default(3) @map("included_runs_per_period")
+  currentPeriodStart    DateTime @map("current_period_start")
+  currentPeriodEnd      DateTime @map("current_period_end")
+  createdAt             DateTime @default(now()) @map("created_at")
+  updatedAt             DateTime @updatedAt @map("updated_at")
+
+  organization        Organization        @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+  organizationBilling OrganizationBilling @relation(fields: [organizationBillingId], references: [id])
 
-  // No explicit @@index([organizationId]) — `@unique` on organizationId
-  // already creates a btree index, and a duplicate would just consume
-  // disk + write amplification with no read benefit.
-  @@map("pentest_credits")
+  @@index([organizationId])
+  @@map("pentest_subscriptions")
 }
 
 // ===== policy.prisma =====
@@ -2135,6 +2037,20 @@ model Risk {
   residualImpact               Impact            @default(insignificant)
   treatmentStrategyDescription String?
   treatmentStrategy            RiskTreatmentType @default(accept)
+  // Per-strategy text store. When the user switches strategies, the current
+  // `treatmentStrategyDescription` is moved into this map under the OLD
+  // strategy key, and the NEW strategy's saved value is loaded back into the
+  // active field. Lets users keep an independent Mitigate plan + Accept
+  // rationale + Transfer rationale on the same risk.
+  // Shape: { mitigate?: string, accept?: string, transfer?: string, avoid?: string }
+  strategyDescriptions         Json?
+
+  // Active auto-link suggestion run (trigger.dev). Set when the user kicks
+  // off an AI suggest scan; cleared when the user applies or discards. Lets
+  // the UI resume an in-flight or completed-but-unreviewed scan after a
+  // page reload so progress isn't lost.
+  autoLinkRunId        String?
+  autoLinkRunStartedAt DateTime?
 
   // Dates
   createdAt DateTime @default(now())
@@ -2207,19 +2123,6 @@ model SecurityPenetrationTestRun {
   createdAt      DateTime @default(now()) @map("created_at")
   updatedAt      DateTime @updatedAt @map("updated_at")
 
-  /// Set the first time we refund this run's credit (e.g. on
-  /// `pentest.failed` / `pentest.cancelled` webhooks). Used to make the
-  /// refund idempotent — webhook redelivery cannot double-credit because
-  /// the second attempt sees a non-null value here.
-  creditRefundedAt DateTime? @map("credit_refunded_at")
-
-  /// Set the first time we write a `pentest_completed` audit-log entry
-  /// for this run. Webhook redelivery would otherwise create duplicate
-  /// rows in `audit_log` because Maced retries `pentest.completed` on
-  /// transient delivery failures. The atomic claim on this column
-  /// guarantees one audit row per run regardless of retry count.
-  completedAuditAt DateTime? @map("completed_audit_at")
-
   organization Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
 
   @@unique([providerRunId])
@@ -2313,7 +2216,6 @@ enum AuditLogEntityType {
   integration
   trust
   finding
-  pentest
 }
 
 enum EvidenceFormType {
@@ -2797,7 +2699,6 @@ model Trust {
   soc2          Boolean @default(false)
   soc2type1     Boolean @default(false)
   soc2type2     Boolean @default(false)
-  soc3          Boolean @default(false)
   iso27001      Boolean @default(false)
   iso42001      Boolean @default(false)
   nen7510       Boolean @default(false)
@@ -2809,7 +2710,6 @@ model Trust {
   soc2_status      FrameworkStatus @default(started)
   soc2type1_status FrameworkStatus @default(started)
   soc2type2_status FrameworkStatus @default(started)
-  soc3_status      FrameworkStatus @default(started)
   iso27001_status  FrameworkStatus @default(started)
   iso42001_status  FrameworkStatus @default(started)
   nen7510_status   FrameworkStatus @default(started)
@@ -2850,7 +2750,6 @@ enum TrustFramework {
   hipaa
   soc2_type1
   soc2_type2
-  soc3
   pci_dss
   nen_7510
   iso_9001
@@ -3044,6 +2943,10 @@ model Vendor {
   inherentImpact      Impact         @default(insignificant)
   residualProbability Likelihood     @default(very_unlikely)
   residualImpact      Impact         @default(insignificant)
+  treatmentStrategy            RiskTreatmentType @default(accept)
+  treatmentStrategyDescription String?
+  // See `Risk.strategyDescriptions`.
+  strategyDescriptions         Json?
   website             String?
   isSubProcessor      Boolean        @default(false)
 
@@ -3053,6 +2956,11 @@ model Vendor {
   trustPortalOrder  Int?
   complianceBadges  Json? // Array of { type: 'soc2' | 'iso27001' | etc, verified: boolean }
 
+  // Active auto-link suggestion run (trigger.dev). Same semantics as
+  // Risk.autoLinkRunId — lets the UI resume an in-flight scan on reload.
+  autoLinkRunId        String?
+  autoLinkRunStartedAt DateTime?
+
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@trycompai/db",
     "description": "Database package with Prisma client and schema for Comp AI",
-    "version": "2.0.3",
+    "version": "2.1.0",
     "dependencies": {
         "@prisma/adapter-pg": "7.6.0",
         "@prisma/client": "7.6.0",