@useatlas/create 0.0.1 → 0.0.3

package/templates/docker/src/lib/agent.ts

@@ -84,84 +84,15 @@ This database uses MySQL. Key differences from PostgreSQL:
 - \`LIMIT offset, count\` or \`LIMIT count OFFSET offset\` — both forms work
 - \`COALESCE\`, \`CASE\`, \`NULLIF\`, \`COUNT\`, \`SUM\`, \`AVG\`, \`MIN\`, \`MAX\` work identically`;
 
-const CLICKHOUSE_DIALECT_GUIDE = `
-
-## SQL Dialect: ClickHouse
-This database uses ClickHouse. Key differences from PostgreSQL:
-- Use \`toYear(col)\` and \`toMonth(col)\` instead of \`EXTRACT(YEAR FROM col)\`
-- Use \`formatDateTime(col, '%Y-%m')\` instead of \`TO_CHAR(col, 'YYYY-MM')\`
-- Use \`toString(col)\` for explicit string casts — no \`::text\` casting
-- Use \`toInt32(col)\`, \`toFloat64(col)\` for numeric casts — no \`::integer\` casting
-- Use \`ifNull(col, default)\` or \`COALESCE(col, default)\` — both work
-- \`arrayJoin(arr)\` unnests array columns into rows
-- No \`UPDATE\` or \`DELETE\` — ClickHouse is append-only OLAP
-- No foreign keys — joins are supported but there are no referential integrity constraints
-- \`count()\` instead of \`COUNT(*)\` — both work but \`count()\` is idiomatic
-- Use single quotes for strings, double quotes or backticks for identifiers
-- \`argMax(col, ordering_col)\` / \`argMin\` for "latest value" queries
-- Date arithmetic: \`today()\`, \`yesterday()\`, \`now()\`, \`toStartOfMonth(col)\`, \`toStartOfWeek(col)\`
-- \`COALESCE\`, \`CASE\`, \`COUNT\`, \`SUM\`, \`AVG\`, \`MIN\`, \`MAX\` work identically
-- Note: Atlas SQL validation uses PostgreSQL-compatible parsing. Avoid ClickHouse-only syntax (PREWHERE, LIMIT BY, WITH TOTALS) — use standard SQL equivalents instead
-- \`EXPLAIN\`, \`SHOW\`, and \`DESCRIBE\` are not available — use the explore tool to read entity schema files instead`;
-
-const SOQL_DIALECT_GUIDE = `
-
-## Query Language: Salesforce SOQL
-This datasource uses Salesforce Object Query Language (SOQL). Key differences from SQL:
-- **No JOINs** — use relationship queries instead:
-  - Child-to-parent: \`SELECT Account.Name FROM Contact\`
-  - Parent-to-child: \`SELECT Name, (SELECT LastName FROM Contacts) FROM Account\`
-- **Object names** instead of table names (e.g. \`Account\`, \`Contact\`, \`Opportunity\`)
-- **Field API names** — always use the API name (e.g. \`FirstName\`), not the label
-- **No wildcards** — \`SELECT *\` is not supported; list fields explicitly
-- **Date literals**: \`TODAY\`, \`YESTERDAY\`, \`LAST_WEEK\`, \`THIS_MONTH\`, \`LAST_N_DAYS:30\`, \`NEXT_N_DAYS:7\`
-- **Date functions**: \`CALENDAR_YEAR(CloseDate)\`, \`CALENDAR_MONTH(CloseDate)\`, \`DAY_IN_MONTH(CloseDate)\`
-- **Aggregate functions**: \`COUNT()\`, \`COUNT(Id)\`, \`SUM(Amount)\`, \`AVG(Amount)\`, \`MIN(Amount)\`, \`MAX(Amount)\`
-- **GROUP BY** works similarly to SQL: \`SELECT StageName, COUNT(Id) FROM Opportunity GROUP BY StageName\`
-- **HAVING** clause is supported for filtering aggregates
-- **LIMIT** and \`OFFSET\` are supported
-- **No subqueries in FROM** — subqueries only in WHERE (semi-joins): \`WHERE AccountId IN (SELECT Id FROM Account WHERE ...)\`
-- **No UNION, INTERSECT, EXCEPT**
-- Use the \`querySalesforce\` tool (not \`executeSQL\`) for all Salesforce queries`;
-
-const SNOWFLAKE_DIALECT_GUIDE = `
-
-## SQL Dialect: Snowflake
-This database uses Snowflake. Key differences from PostgreSQL:
-- \`ILIKE\` works for case-insensitive matching (same as PostgreSQL)
-- \`::type\` casting works (e.g. \`col::VARCHAR\`), plus \`TRY_CAST(col AS type)\` for safe casting that returns NULL on failure
-- Identifiers are case-insensitive by default; double-quoted identifiers are case-sensitive
-- Use \`FLATTEN()\` / \`LATERAL FLATTEN(input => col)\` to unnest semi-structured (VARIANT/ARRAY/OBJECT) data
-- \`QUALIFY\` clause filters window function results directly (e.g. \`QUALIFY ROW_NUMBER() OVER (...) = 1\`)
-- \`DATE_TRUNC('month', col)\` syntax (same as PostgreSQL)
-- No \`LIMIT offset, count\` — use \`LIMIT count OFFSET offset\`
-- Use \`LISTAGG(col, ', ')\` instead of \`STRING_AGG(col, ', ')\` or \`ARRAY_AGG(col)\` for aggregation
-- \`COALESCE\`, \`CASE\`, \`NULLIF\`, \`COUNT\`, \`SUM\`, \`AVG\`, \`MIN\`, \`MAX\` work identically`;
-
-const DUCKDB_DIALECT_GUIDE = `
-
-## SQL Dialect: DuckDB
-This database uses DuckDB, an in-process analytical engine. DuckDB's SQL is PostgreSQL-compatible with extensions:
-- \`::type\` casting works (e.g. \`col::INTEGER\`, \`col::VARCHAR\`) — same as PostgreSQL
-- \`ILIKE\` works for case-insensitive matching (same as PostgreSQL)
-- \`EXTRACT(YEAR FROM col)\`, \`DATE_TRUNC('month', col)\`, \`TO_CHAR(col, 'YYYY-MM')\` — same as PostgreSQL
-- \`STRING_AGG(col, ', ')\` works (same as PostgreSQL)
-- \`PERCENTILE_CONT(0.5) WITHIN GROUP (ORDER BY col)\` works for percentile calculations
-- \`LIST_AGG\`, \`ARRAY_AGG\`, \`LIST()\` for array aggregation
-- \`UNNEST(list_col)\` to expand list/array columns into rows
-- Note: Atlas SQL validation uses PostgreSQL-compatible parsing. Avoid DuckDB-only syntax (QUALIFY, EXCLUDE, REPLACE, STRUCT_PACK, COLUMNS(*), COLUMNS(regex), STRUCT literals with curly braces) — use standard SQL equivalents instead
-- \`COALESCE\`, \`CASE\`, \`NULLIF\`, \`COUNT\`, \`SUM\`, \`AVG\`, \`MIN\`, \`MAX\` work identically`;
+// Display names for core DB types. Plugin-registered types fall through
+// to the capitalize fallback intentionally.
+const DIALECT_DISPLAY_NAMES: Record<string, string> = {
+  postgres: "PostgreSQL",
+  mysql: "MySQL",
+};
 
 function dialectName(dbType: DBType): string {
-  switch (dbType) {
-    case "postgres": return "PostgreSQL";
-    case "mysql": return "MySQL";
-    case "clickhouse": return "ClickHouse";
-    case "snowflake": return "Snowflake";
-    case "duckdb": return "DuckDB";
-    case "salesforce": return "Salesforce (SOQL)";
-    default: { const _: never = dbType; return _; }
-  }
+  return DIALECT_DISPLAY_NAMES[dbType] ?? dbType.charAt(0).toUpperCase() + dbType.slice(1);
 }
 
 function buildMultiSourceSection(
@@ -214,34 +145,30 @@ ${lines.join("\n")}
   return section;
 }
 
-/**
- * Collect Salesforce source metadata via dynamic import to avoid a hard
- * dependency on the salesforce module (it may not be installed).
- */
-function getSfSourceMeta(): ConnectionMetadata[] {
-  try {
-    // eslint-disable-next-line @typescript-eslint/no-require-imports
-    const { describeSalesforceSources } = require("./db/salesforce") as {
-      describeSalesforceSources: () => ConnectionMetadata[];
-    };
-    return describeSalesforceSources();
-  } catch (err) {
-    // jsforce not installed — expected, don't log
-    if (err instanceof Error && err.message.includes("Cannot find module")) return [];
-    log.warn({ err: err instanceof Error ? err.message : String(err) }, "Failed to describe Salesforce sources");
-    return [];
-  }
-}
-
 function appendDialectHints(prompt: string): string {
   const hints = getDialectHints();
   if (hints.length === 0) return prompt;
   return prompt + "\n\n## Additional SQL Dialect Notes\n\n" + hints.map((h) => h.dialect).join("\n\n");
 }
 
+const PYTHON_GUIDANCE = `
+## SQL vs Python
+
+**Use SQL for:** filtering, aggregation, joins, window functions, GROUP BY, HAVING — anything the database handles natively.
+**Use Python for:** statistical analysis (correlations, regressions, hypothesis tests), complex reshaping (pivots, multi-index), time series decomposition, clustering, and advanced visualizations (heatmaps, scatter matrices, violin plots).
+
+**Anti-patterns to avoid:** SELECT * then aggregate in pandas, re-implementing GROUP BY or window functions in Python, using Python for simple counts/sums.
+
+**Chart guidance:** prefer \`_atlas_chart\` (interactive Recharts) for bar/line/pie charts. Use \`chart_path()\` only for advanced matplotlib visualizations that Recharts cannot render.`;
+
 function buildSystemPrompt(registry: ToolRegistry): string {
   let base = SYSTEM_PROMPT_PREFIX + "\n\n" + registry.describe() + "\n\n" + SYSTEM_PROMPT_SUFFIX;
 
+  // Add Python guidance only when the tool is available
+  if (registry.get("executePython")) {
+    base += "\n" + PYTHON_GUIDANCE;
+  }
+
   // Append the pre-indexed semantic layer summary
   const semanticIndex = getSemanticIndex();
   if (semanticIndex) {
@@ -253,9 +180,7 @@ function buildSystemPrompt(registry: ToolRegistry): string {
   if (fragments.length > 0) {
     base += "\n\n" + fragments.join("\n\n");
   }
-  const connectionMeta = connections.describe();
-  const sfMeta = getSfSourceMeta();
-  const meta = [...connectionMeta, ...sfMeta];
+  const meta = connections.describe();
 
   // Single-connection: identical to pre-v0.7 behavior
   if (meta.length <= 1) {
@@ -268,26 +193,21 @@ function buildSystemPrompt(registry: ToolRegistry): string {
       log.debug({ err: err instanceof Error ? err.message : String(err) }, "Could not detect DB type — omitting dialect guide");
       return appendDialectHints(base);
     }
-    switch (dbType) {
-      case "postgres": return appendDialectHints(base);
-      case "mysql": return appendDialectHints(base + MYSQL_DIALECT_GUIDE);
-      case "clickhouse": return appendDialectHints(base + CLICKHOUSE_DIALECT_GUIDE);
-      case "snowflake": return appendDialectHints(base + SNOWFLAKE_DIALECT_GUIDE);
-      case "duckdb": return appendDialectHints(base + DUCKDB_DIALECT_GUIDE);
-      case "salesforce": return appendDialectHints(base + SOQL_DIALECT_GUIDE);
-      default: { const _exhaustive: never = dbType; throw new Error(`Unknown: ${_exhaustive}`); }
+    // Core adapters get their dialect guide inline; everything else is
+    // handled by plugin dialect hints via appendDialectHints().
+    if (dbType === "mysql") {
+      return appendDialectHints(base + MYSQL_DIALECT_GUIDE);
     }
+    return appendDialectHints(base);
   }
 
-  // Multi-connection: list sources + include all relevant dialect guides
+  // Multi-connection: list sources + include core dialect guides
   let prompt = base + "\n\n" + buildMultiSourceSection(meta);
 
   const dbTypes = new Set(meta.map((m) => m.dbType));
   if (dbTypes.has("mysql")) prompt += MYSQL_DIALECT_GUIDE;
-  if (dbTypes.has("clickhouse")) prompt += CLICKHOUSE_DIALECT_GUIDE;
-  if (dbTypes.has("snowflake")) prompt += SNOWFLAKE_DIALECT_GUIDE;
-  if (dbTypes.has("duckdb")) prompt += DUCKDB_DIALECT_GUIDE;
-  if (dbTypes.has("salesforce")) prompt += SOQL_DIALECT_GUIDE;
+  // Non-core dialects (clickhouse, snowflake, duckdb, salesforce, etc.)
+  // are provided by plugins via appendDialectHints().
 
   return appendDialectHints(prompt);
 }
@@ -438,7 +358,7 @@ export async function runAgent({
       maxOutputTokens: 4096,
       stopWhen: stepCountIs(25),
       // totalMs: 180s for self-hosted (full agent loop budget).
-      // On Vercel, maxDuration caps the serverless function at 60s.
+      // On Vercel, maxDuration caps the serverless function at 300s (Pro plan).
       timeout: { totalMs: 180_000, stepMs: 30_000, chunkMs: 5_000 },
 
       onError: ({ error }) => {

package/templates/docker/src/lib/auth/__tests__/migrate.test.ts

@@ -56,6 +56,7 @@ const MANAGED_VARS = [
   "BETTER_AUTH_SECRET",
   "ATLAS_AUTH_JWKS_URL",
   "ATLAS_API_KEY",
+  "ATLAS_ADMIN_EMAIL",
 ] as const;
 
 const saved: Record<string, string | undefined> = {};
@@ -74,6 +75,7 @@ beforeEach(() => {
   delete process.env.BETTER_AUTH_SECRET;
   delete process.env.ATLAS_AUTH_JWKS_URL;
   delete process.env.ATLAS_API_KEY;
+  delete process.env.ATLAS_ADMIN_EMAIL;
 });
 
 afterEach(() => {
@@ -99,7 +101,7 @@ describe("migrateAuthTables", () => {
 
     await migrateAuthTables();
 
-    // migrateInternalDB: 3 audit_log + 4 conversations/messages + 2 starred column + 3 slack + 5 action_log + 2 source tracking = 19 queries
+    // migrateInternalDB: 3 audit_log + 4 conversations/messages + 2 starred column + 3 slack + 5 action_log + 2 source tracking + 7 scheduled_tasks = 26 queries
     expect(queries.length).toBe(26);
     expect(queries[0]).toContain("CREATE TABLE IF NOT EXISTS audit_log");
   });
@@ -141,8 +143,8 @@ describe("migrateAuthTables", () => {
     await migrateAuthTables();
     await migrateAuthTables();
 
-    // Internal DB migration runs once (26 queries: audit_log + conversations/messages + starred column + slack + action_log + source tracking + scheduled_tasks/runs)
-    expect(queries.length).toBe(26);
+    // Internal DB migration runs once (26 queries) + 1 ALTER TABLE for password_change_required (managed mode)
+    expect(queries.length).toBe(27);
     // Better Auth migration runs once
     expect(getMigrationCount()).toBe(1);
   });

package/templates/docker/src/lib/auth/middleware.ts

@@ -156,6 +156,28 @@ export function _setValidatorOverrides(overrides: {
   _byotOverride = overrides.byot ?? null;
 }
 
+/**
+ * Categorize an auth error for diagnostic logging.
+ * Helps operators quickly identify whether a failure is a database issue,
+ * network problem, configuration error, or a programming bug.
+ */
+function categorizeAuthError(err: unknown): string {
+  if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
+    return "programming-error";
+  }
+  const msg = err instanceof Error ? err.message : String(err);
+  if (/ECONNREFUSED|ENOTFOUND|ETIMEDOUT|ECONNRESET|fetch failed/i.test(msg)) {
+    return "network-error";
+  }
+  if (/relation.*does not exist|database|SQLITE|pg_|connect|pool/i.test(msg)) {
+    return "database-error";
+  }
+  if (/secret|config|env|missing|undefined|not set/i.test(msg)) {
+    return "config-error";
+  }
+  return "unknown";
+}
+
 /** Authenticate an incoming request based on the detected auth mode. */
 export async function authenticateRequest(req: Request): Promise<AuthResult> {
   const mode = detectAuthMode();
@@ -171,9 +193,11 @@ export async function authenticateRequest(req: Request): Promise<AuthResult> {
       try {
         return await (_managedOverride ?? validateManaged)(req);
       } catch (err) {
+        const category = categorizeAuthError(err);
         log.error(
-          { err: err instanceof Error ? err : new Error(String(err)), mode },
-          "Managed auth error",
+          { err: err instanceof Error ? err : new Error(String(err)), mode, category },
+          "Managed auth error (%s)",
+          category,
         );
         if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
           log.error({ err, mode }, "BUG: Unexpected programming error in auth validator");
@@ -190,9 +214,11 @@ export async function authenticateRequest(req: Request): Promise<AuthResult> {
       try {
         return await (_byotOverride ?? validateBYOT)(req);
       } catch (err) {
+        const category = categorizeAuthError(err);
         log.error(
-          { err: err instanceof Error ? err : new Error(String(err)), mode },
-          "BYOT auth error",
+          { err: err instanceof Error ? err : new Error(String(err)), mode, category },
+          "BYOT auth error (%s)",
+          category,
         );
         if (err instanceof TypeError || err instanceof ReferenceError || err instanceof SyntaxError) {
           log.error({ err, mode }, "BUG: Unexpected programming error in auth validator");

package/templates/docker/src/lib/auth/migrate.ts

@@ -63,7 +63,20 @@ export async function migrateAuthTables(): Promise<void> {
     const ctx = await auth.$context;
     await ctx.runMigrations();
     log.info("Better Auth migration complete");
+
+    // Add password_change_required column to Better Auth's user table.
+    // Must run AFTER Better Auth migrations (which create the "user" table).
+    try {
+      await internalQuery(
+        `ALTER TABLE "user" ADD COLUMN IF NOT EXISTS password_change_required BOOLEAN NOT NULL DEFAULT false`,
+      );
+    } catch {
+      log.warn("Could not add password_change_required column — password change enforcement will be skipped");
+    }
+
     await bootstrapAdminUser();
+    await seedDevUser(auth);
+    await backfillPasswordChangeFlag();
   } catch (err) {
     log.error({ err }, "Better Auth migration failed — managed auth may not work");
     _migrationError = "Connected to the internal database but Better Auth migration failed. Managed auth may not work. Check database permissions (CREATE TABLE).";
@@ -104,6 +117,90 @@ async function bootstrapAdminUser(): Promise<void> {
   }
 }
 
+/**
+ * Seed a default dev admin account when no users exist.
+ * Only runs when ATLAS_ADMIN_EMAIL is set — uses that email with a
+ * well-known password ("atlas-dev"). The databaseHook in server.ts
+ * promotes this user to admin on creation.
+ *
+ * Skips silently if any users already exist (idempotent).
+ */
+async function seedDevUser(auth: { api: Record<string, unknown> }): Promise<void> {
+  const adminEmail = process.env.ATLAS_ADMIN_EMAIL?.toLowerCase().trim();
+  if (!adminEmail) return;
+
+  try {
+    const userCount = await internalQuery<{ count: string }>(
+      `SELECT COUNT(*) as count FROM "user"`,
+    );
+    if (parseInt(String(userCount[0]?.count ?? "0"), 10) > 0) return;
+
+    // Use Better Auth's createUser API (from the admin plugin)
+    const createUser = auth.api.createUser as (opts: {
+      body: { email: string; password: string; name: string; role: string };
+    }) => Promise<unknown>;
+
+    await createUser({
+      body: {
+        email: adminEmail,
+        password: "atlas-dev",
+        name: "Atlas Admin",
+        role: "admin",
+      },
+    });
+
+    // Mark the seeded user as requiring a password change
+    await internalQuery(
+      `UPDATE "user" SET password_change_required = true WHERE LOWER(email) = $1`,
+      [adminEmail],
+    );
+
+    log.info({ email: adminEmail }, "Dev admin account seeded (password: atlas-dev)");
+  } catch (err) {
+    // User might already exist from a previous partial boot — not fatal
+    log.debug({ err }, "Dev user seed skipped or failed");
+  }
+}
+
+/**
+ * Backfill: if the dev admin user exists with the default password and
+ * password_change_required is false, set the flag. Handles upgrades where
+ * the column was added after the user was already seeded.
+ */
+async function backfillPasswordChangeFlag(): Promise<void> {
+  const adminEmail = process.env.ATLAS_ADMIN_EMAIL?.toLowerCase().trim();
+  if (!adminEmail) return;
+
+  try {
+    // Only backfill if the user exists and doesn't already have the flag set
+    const rows = await internalQuery<{ id: string; password_change_required: boolean }>(
+      `SELECT u.id, u.password_change_required FROM "user" u
+       JOIN "account" a ON a."userId" = u.id AND a."providerId" = 'credential'
+       WHERE LOWER(u.email) = $1`,
+      [adminEmail],
+    );
+    if (rows.length === 0 || rows[0].password_change_required) return;
+
+    // Check if the password is still the default "atlas-dev"
+    const account = await internalQuery<{ password: string }>(
+      `SELECT password FROM "account" WHERE "userId" = $1 AND "providerId" = 'credential'`,
+      [rows[0].id],
+    );
+    if (account.length === 0 || !account[0].password) return;
+
+    const isDefault = await Bun.password.verify("atlas-dev", account[0].password);
+    if (!isDefault) return;
+
+    await internalQuery(
+      `UPDATE "user" SET password_change_required = true WHERE id = $1`,
+      [rows[0].id],
+    );
+    log.info({ email: adminEmail }, "Backfill: flagged dev admin for password change");
+  } catch (err) {
+    log.debug({ err }, "Backfill password change flag skipped");
+  }
+}
+
 /** Reset migration state. For testing only. */
 export function resetMigrationState(): void {
   _migrated = false;

package/templates/docker/src/lib/auth/server.ts

@@ -71,12 +71,23 @@ export function getAuthInstance(): AuthInstance {
     } catch { /* ignore malformed URL */ }
   }
 
+  // Resolve base URL: explicit env var > Vercel auto-detect > undefined (Better Auth auto-detect).
+  // On Vercel, VERCEL_PROJECT_PRODUCTION_URL or VERCEL_URL are always set.
+  // Without a baseURL, Better Auth logs a noisy warning on every cold start.
+  const baseURL =
+    process.env.BETTER_AUTH_URL ||
+    (process.env.VERCEL_PROJECT_PRODUCTION_URL
+      ? `https://${process.env.VERCEL_PROJECT_PRODUCTION_URL}`
+      : process.env.VERCEL_URL
+        ? `https://${process.env.VERCEL_URL}`
+        : undefined);
+
   const instance = betterAuth({
     // getInternalDB() returns a pg.Pool typed as InternalPool.
     // Cast needed because Better Auth expects its own pool/adapter type.
     database: getInternalDB() as unknown as Parameters<typeof betterAuth>[0]["database"],
     secret,
-    baseURL: process.env.BETTER_AUTH_URL,
+    baseURL,
     emailAndPassword: {
       enabled: true,
       requireEmailVerification: false,

package/templates/docker/src/lib/config.ts

@@ -48,9 +48,9 @@ const RateLimitConfigSchema = z.object({
 export type RateLimitConfig = z.infer<typeof RateLimitConfigSchema>;
 
 const DatasourceConfigSchema = z.object({
-  /** Database connection string (postgresql://, mysql://, clickhouse://, snowflake://, duckdb://, or salesforce://). */
+  /** Database connection string (postgresql:// or mysql:// for core; other schemes via plugins). */
   url: z.string().min(1, "Datasource URL must not be empty"),
-  /** PostgreSQL schema name (sets search_path). Ignored for MySQL, ClickHouse, Snowflake, DuckDB, and Salesforce. */
+  /** PostgreSQL schema name (sets search_path). Ignored for MySQL and plugin-managed connections. */
   schema: z.string().optional(),
   /** Human-readable description shown in the agent system prompt. */
   description: z.string().optional(),
@@ -167,7 +167,7 @@ const AtlasConfigSchema = z.object({
 
   /**
    * Plugin instances to register at boot. Each element should satisfy
-   * the `AtlasPlugin` interface from `@atlas/plugin-sdk`.
+   * the `AtlasPlugin` interface from `@useatlas/plugin-sdk`.
    *
    * Zod validates structural shape (id, type, version) at config load
    * time. Plugin-level configSchema validation happens at factory call
@@ -379,6 +379,7 @@ async function tryLoadConfigFile(
         );
       }
       const raw = mod.default;
+      log.debug({ file: filePath }, "Config file loaded successfully");
       return raw;
     } catch (err) {
       // If the file exists but fails to parse/import, that is a hard error
@@ -398,7 +399,7 @@ async function tryLoadConfigFile(
 // Plugin shape validation
 // ---------------------------------------------------------------------------
 
-const VALID_PLUGIN_TYPES = new Set(["datasource", "context", "interaction", "action"]);
+const VALID_PLUGIN_TYPES = new Set(["datasource", "context", "interaction", "action", "sandbox"]);
 
 /**
  * Validate plugin array entries have the required structural shape:
@@ -446,11 +447,17 @@ function validatePlugins(plugins: unknown[]): void {
       }
     }
 
-    // type
-    if (!("type" in obj) || typeof obj.type !== "string") {
-      errors.push(`${label} is missing "type" (string)`);
-    } else if (!VALID_PLUGIN_TYPES.has(obj.type)) {
-      errors.push(`${label} has invalid type "${obj.type}" — must be one of: datasource, context, interaction, action`);
+    // types
+    if (!("types" in obj) || !Array.isArray(obj.types)) {
+      errors.push(`${label} is missing "types" (array of plugin types)`);
+    } else if (obj.types.length === 0) {
+      errors.push(`${label} has an empty "types" array — must contain at least one plugin type`);
+    } else {
+      for (const t of obj.types) {
+        if (typeof t !== "string" || !VALID_PLUGIN_TYPES.has(t)) {
+          errors.push(`${label} has invalid type "${t}" in "types" — must be one of: ${[...VALID_PLUGIN_TYPES].join(", ")}`);
+        }
+      }
     }
 
     // version
@@ -575,44 +582,35 @@ export async function applyDatasources(
   }
 
   const connRegistry = registry ?? (await import("./db/connection")).connections;
-  const { detectDBType } = await import("./db/connection");
 
   connRegistry.setMaxTotalConnections(config.maxTotalConnections);
 
   for (const [id, ds] of Object.entries(config.datasources)) {
     try {
-      const dbType = detectDBType(ds.url);
-      if (dbType === "salesforce") {
-        log.info({ connectionId: id }, "Registering Salesforce datasource from config");
-        const { parseSalesforceURL, registerSalesforceSource } = await import("./db/salesforce");
-        const sfConfig = parseSalesforceURL(ds.url);
-        registerSalesforceSource(id, sfConfig);
-      } else {
-        log.info({ connectionId: id }, "Registering datasource from config");
-        connRegistry.register(id, {
-          url: ds.url,
-          schema: ds.schema,
-          description: ds.description,
-          maxConnections: ds.maxConnections,
-          idleTimeoutMs: ds.idleTimeoutMs,
-        });
-
-        // Fire initial health check — logs on failure but does not block startup.
-        // A degraded connection is still usable (the DB may recover).
-        connRegistry.healthCheck(id).then((result) => {
-          if (result.status !== "healthy") {
-            log.warn(
-              { connectionId: id, status: result.status, message: result.message },
-              "Datasource registered but initial health check failed — connection may be misconfigured",
-            );
-          }
-        }).catch((healthErr) => {
+      log.info({ connectionId: id }, "Registering datasource from config");
+      connRegistry.register(id, {
+        url: ds.url,
+        schema: ds.schema,
+        description: ds.description,
+        maxConnections: ds.maxConnections,
+        idleTimeoutMs: ds.idleTimeoutMs,
+      });
+
+      // Fire initial health check — logs on failure but does not block startup.
+      // A degraded connection is still usable (the DB may recover).
+      connRegistry.healthCheck(id).then((result) => {
+        if (result.status !== "healthy") {
           log.warn(
-            { err: healthErr instanceof Error ? healthErr.message : String(healthErr), connectionId: id },
-            "Initial health check failed after registration",
+            { connectionId: id, status: result.status, message: result.message },
+            "Datasource registered but initial health check failed — connection may be misconfigured",
           );
-        });
-      }
+        }
+      }).catch((healthErr) => {
+        log.warn(
+          { err: healthErr instanceof Error ? healthErr.message : String(healthErr), connectionId: id },
+          "Initial health check failed after registration",
+        );
+      });
 
       if (ds.rateLimit) {
         const { registerSourceRateLimit } = await import("./db/source-rate-limit");