@wopr-network/defcon 1.0.3 → 1.1.0

package/dist/src/api/server.js

@@ -11,6 +11,21 @@ function extractBearerToken(header) {
         return undefined;
     return header.slice(7).trim() || undefined;
 }
+function requireAdminToken(deps, req) {
+    const configuredToken = deps.adminToken?.trim() || undefined;
+    if (!configuredToken)
+        return null; // open mode
+    const callerToken = extractBearerToken(req.authorization);
+    if (!callerToken) {
+        return { status: 401, body: { error: "Unauthorized: admin endpoints require authentication." } };
+    }
+    const hashA = createHash("sha256").update(configuredToken.trim()).digest();
+    const hashB = createHash("sha256").update(callerToken.trim()).digest();
+    if (!timingSafeEqual(hashA, hashB)) {
+        return { status: 401, body: { error: "Unauthorized: admin endpoints require authentication." } };
+    }
+    return null;
+}
 function requireWorkerToken(deps, req) {
     const configuredToken = deps.workerToken?.trim() || undefined; // treat "" and whitespace-only as unset
     if (!configuredToken)
@@ -198,6 +213,67 @@ export function createHttpServer(deps) {
     router.add("DELETE", "/api/flows/:id", async () => {
         return { status: 501, body: { error: "Flow deletion not implemented" } };
     });
+    // --- Admin: Pause/Resume Flow ---
+    router.add("POST", "/api/admin/flows/:flow/pause", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.flow.pause", { flow_name: req.params.flow }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    router.add("POST", "/api/admin/flows/:flow/resume", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.flow.resume", { flow_name: req.params.flow }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    // --- Admin: Cancel Entity ---
+    router.add("POST", "/api/admin/entities/:id/cancel", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.entity.cancel", { entity_id: req.params.id }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    // --- Admin: Reset Entity ---
+    router.add("POST", "/api/admin/entities/:id/reset", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.entity.reset", { entity_id: req.params.id, target_state: req.body?.target_state }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    // --- Admin: Drain/Undrain Worker ---
+    router.add("POST", "/api/admin/workers/:workerId/drain", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.worker.drain", { worker_id: req.params.workerId }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    router.add("POST", "/api/admin/workers/:workerId/undrain", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.worker.undrain", { worker_id: req.params.workerId }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
+    // --- Admin: Rerun Gate ---
+    router.add("POST", "/api/admin/entities/:id/gates/:gateName/rerun", async (req) => {
+        const authErr = requireAdminToken(deps, req);
+        if (authErr)
+            return authErr;
+        const callerToken = extractBearerToken(req.authorization);
+        const result = await callToolHandler(deps.mcpDeps, "admin.gate.rerun", { entity_id: req.params.id, gate_name: req.params.gateName }, { adminToken: deps.adminToken, callerToken });
+        return mcpResultToApi(result);
+    });
     // --- HTTP server ---
     const server = http.createServer(async (req, res) => {
         // CORS

package/dist/src/api/wire-types.d.ts

@@ -1,6 +1,6 @@
 /**
  * Wire types for defcon's REST and MCP APIs.
- * Exported for consumers (e.g. norad) to import instead of duplicating.
+ * Exported for consumers (e.g. radar) to import instead of duplicating.
  */
 export type ClaimResponse = {
     next_action: "check_back";

package/dist/src/api/wire-types.js

@@ -1,5 +1,5 @@
 /**
  * Wire types for defcon's REST and MCP APIs.
- * Exported for consumers (e.g. norad) to import instead of duplicating.
+ * Exported for consumers (e.g. radar) to import instead of duplicating.
  */
 export {};

package/dist/src/engine/engine.d.ts

@@ -48,7 +48,12 @@ export declare class Engine {
     readonly adapters: Map<string, unknown>;
     private eventEmitter;
     private readonly logger;
+    private drainingWorkers;
     constructor(deps: EngineDeps);
+    drainWorker(workerId: string): void;
+    undrainWorker(workerId: string): void;
+    isDraining(workerId: string): boolean;
+    listDrainingWorkers(): string[];
     processSignal(entityId: string, signal: string, artifacts?: Artifacts, triggeringInvocationId?: string): Promise<ProcessSignalResult>;
     createEntity(flowName: string, refs?: Record<string, {
         adapter: string;

package/dist/src/engine/engine.js

@@ -16,6 +16,7 @@ export class Engine {
     adapters;
     eventEmitter;
     logger;
+    drainingWorkers = new Set();
     constructor(deps) {
         this.entityRepo = deps.entityRepo;
         this.flowRepo = deps.flowRepo;
@@ -26,6 +27,18 @@ export class Engine {
         this.eventEmitter = deps.eventEmitter;
         this.logger = deps.logger ?? consoleLogger;
     }
+    drainWorker(workerId) {
+        this.drainingWorkers.add(workerId);
+    }
+    undrainWorker(workerId) {
+        this.drainingWorkers.delete(workerId);
+    }
+    isDraining(workerId) {
+        return this.drainingWorkers.has(workerId);
+    }
+    listDrainingWorkers() {
+        return Array.from(this.drainingWorkers);
+    }
     async processSignal(entityId, signal, artifacts, triggeringInvocationId) {
         // 1. Load entity
         const entity = await this.entityRepo.get(entityId);
@@ -304,6 +317,10 @@ export class Engine {
         return entity;
     }
     async claimWork(role, flowName, worker_id) {
+        // Skip draining workers entirely
+        if (worker_id && this.drainingWorkers.has(worker_id)) {
+            return "all_claimed";
+        }
         // 1. Find candidate flows filtered by discipline
         let flows;
         if (flowName) {
@@ -316,6 +333,8 @@ export class Engine {
             const allFlows = await this.flowRepo.listAll();
             flows = allFlows.filter((f) => f.discipline === null || f.discipline === role);
         }
+        // Filter out paused flows
+        flows = flows.filter((f) => !f.paused);
         if (flows.length === 0)
             return null;
         const candidates = [];

package/dist/src/execution/admin-schemas.d.ts

@@ -114,3 +114,20 @@ export declare const AdminFlowRestoreSchema: z.ZodObject<{
     flow_name: z.ZodString;
     version: z.ZodNumber;
 }, z.core.$strip>;
+export declare const AdminFlowPauseSchema: z.ZodObject<{
+    flow_name: z.ZodString;
+}, z.core.$strip>;
+export declare const AdminEntityCancelSchema: z.ZodObject<{
+    entity_id: z.ZodString;
+}, z.core.$strip>;
+export declare const AdminEntityResetSchema: z.ZodObject<{
+    entity_id: z.ZodString;
+    target_state: z.ZodString;
+}, z.core.$strip>;
+export declare const AdminWorkerDrainSchema: z.ZodObject<{
+    worker_id: z.ZodString;
+}, z.core.$strip>;
+export declare const AdminGateRerunSchema: z.ZodObject<{
+    entity_id: z.ZodString;
+    gate_name: z.ZodString;
+}, z.core.$strip>;

package/dist/src/execution/admin-schemas.js

@@ -123,3 +123,20 @@ export const AdminFlowRestoreSchema = z.object({
     flow_name: z.string().min(1),
     version: z.number().int().min(1),
 });
+export const AdminFlowPauseSchema = z.object({
+    flow_name: z.string().min(1),
+});
+export const AdminEntityCancelSchema = z.object({
+    entity_id: z.string().min(1),
+});
+export const AdminEntityResetSchema = z.object({
+    entity_id: z.string().min(1),
+    target_state: z.string().min(1),
+});
+export const AdminWorkerDrainSchema = z.object({
+    worker_id: z.string().min(1),
+});
+export const AdminGateRerunSchema = z.object({
+    entity_id: z.string().min(1),
+    gate_name: z.string().min(1),
+});

package/dist/src/execution/mcp-server.js

@@ -6,7 +6,7 @@ import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprot
 import { DEFAULT_TIMEOUT_PROMPT } from "../engine/constants.js";
 import { isTerminal } from "../engine/state-machine.js";
 import { consoleLogger } from "../logger.js";
-import { AdminFlowCreateSchema, AdminFlowRestoreSchema, AdminFlowSnapshotSchema, AdminFlowUpdateSchema, AdminGateAttachSchema, AdminGateCreateSchema, AdminStateCreateSchema, AdminStateUpdateSchema, AdminTransitionCreateSchema, AdminTransitionUpdateSchema, } from "./admin-schemas.js";
+import { AdminEntityCancelSchema, AdminEntityResetSchema, AdminFlowCreateSchema, AdminFlowPauseSchema, AdminFlowRestoreSchema, AdminFlowSnapshotSchema, AdminFlowUpdateSchema, AdminGateAttachSchema, AdminGateCreateSchema, AdminGateRerunSchema, AdminStateCreateSchema, AdminStateUpdateSchema, AdminTransitionCreateSchema, AdminTransitionUpdateSchema, AdminWorkerDrainSchema, } from "./admin-schemas.js";
 import { FlowClaimSchema, FlowFailSchema, FlowGetPromptSchema, FlowReportSchema, FlowSeedSchema, QueryEntitiesSchema, QueryEntitySchema, QueryFlowSchema, QueryInvocationsSchema, } from "./tool-schemas.js";
 function getSystemDefaultGateTimeoutMs() {
     const parsed = parseInt(process.env.DEFCON_DEFAULT_GATE_TIMEOUT_MS ?? "", 10);
@@ -337,6 +337,49 @@ const TOOL_DEFINITIONS = [
             required: ["flow"],
         },
     },
+    {
+        name: "admin.flow.pause",
+        description: "Pause a flow — claimWork() will skip paused flows until resumed.",
+        inputSchema: { type: "object", properties: { flow_name: { type: "string" } }, required: ["flow_name"] },
+    },
+    {
+        name: "admin.flow.resume",
+        description: "Resume a previously paused flow.",
+        inputSchema: { type: "object", properties: { flow_name: { type: "string" } }, required: ["flow_name"] },
+    },
+    {
+        name: "admin.entity.cancel",
+        description: "Cancel an entity — fails active invocation, moves to 'cancelled' terminal state.",
+        inputSchema: { type: "object", properties: { entity_id: { type: "string" } }, required: ["entity_id"] },
+    },
+    {
+        name: "admin.entity.reset",
+        description: "Reset an entity to a target state — clears claimedBy.",
+        inputSchema: {
+            type: "object",
+            properties: { entity_id: { type: "string" }, target_state: { type: "string" } },
+            required: ["entity_id", "target_state"],
+        },
+    },
+    {
+        name: "admin.worker.drain",
+        description: "Mark a worker as draining — claimWork() will skip it.",
+        inputSchema: { type: "object", properties: { worker_id: { type: "string" } }, required: ["worker_id"] },
+    },
+    {
+        name: "admin.worker.undrain",
+        description: "Remove draining flag from a worker.",
+        inputSchema: { type: "object", properties: { worker_id: { type: "string" } }, required: ["worker_id"] },
+    },
+    {
+        name: "admin.gate.rerun",
+        description: "Clear a gate result for an entity and release it so the gate can be re-evaluated.",
+        inputSchema: {
+            type: "object",
+            properties: { entity_id: { type: "string" }, gate_name: { type: "string" } },
+            required: ["entity_id", "gate_name"],
+        },
+    },
 ];
 export function createMcpServer(deps, opts) {
     const server = new Server({ name: "defcon", version: "0.1.0" }, { capabilities: { tools: {} } });
@@ -413,6 +456,20 @@ export async function callToolHandler(deps, name, safeArgs, opts) {
                 return await handleAdminFlowRestore(deps, safeArgs);
             case "admin.entity.create":
                 return await handleAdminEntityCreate(deps, safeArgs);
+            case "admin.flow.pause":
+                return await handleAdminFlowPause(deps, safeArgs);
+            case "admin.flow.resume":
+                return await handleAdminFlowResume(deps, safeArgs);
+            case "admin.entity.cancel":
+                return await handleAdminEntityCancel(deps, safeArgs);
+            case "admin.entity.reset":
+                return await handleAdminEntityReset(deps, safeArgs);
+            case "admin.worker.drain":
+                return await handleAdminWorkerDrain(deps, safeArgs);
+            case "admin.worker.undrain":
+                return await handleAdminWorkerUndrain(deps, safeArgs);
+            case "admin.gate.rerun":
+                return await handleAdminGateRerun(deps, safeArgs);
             default:
                 return errorResult(`Unknown tool: ${name}`);
         }
@@ -707,6 +764,106 @@ async function handleAdminEntityCreate(deps, args) {
     }
     return jsonResult(result);
 }
+async function handleAdminFlowPause(deps, args) {
+    const v = validateInput(AdminFlowPauseSchema, args);
+    if (!v.ok)
+        return v.result;
+    const flow = await deps.flows.getByName(v.data.flow_name);
+    if (!flow)
+        return errorResult(`Flow not found: ${v.data.flow_name}`);
+    await deps.flows.update(flow.id, { paused: true });
+    emitDefinitionChanged(deps.eventRepo, flow.id, "admin.flow.pause", { name: v.data.flow_name });
+    return jsonResult({ paused: true, flow: v.data.flow_name });
+}
+async function handleAdminFlowResume(deps, args) {
+    const v = validateInput(AdminFlowPauseSchema, args);
+    if (!v.ok)
+        return v.result;
+    const flow = await deps.flows.getByName(v.data.flow_name);
+    if (!flow)
+        return errorResult(`Flow not found: ${v.data.flow_name}`);
+    await deps.flows.update(flow.id, { paused: false });
+    emitDefinitionChanged(deps.eventRepo, flow.id, "admin.flow.resume", { name: v.data.flow_name });
+    return jsonResult({ paused: false, flow: v.data.flow_name });
+}
+async function handleAdminEntityCancel(deps, args) {
+    const v = validateInput(AdminEntityCancelSchema, args);
+    if (!v.ok)
+        return v.result;
+    const entity = await deps.entities.get(v.data.entity_id);
+    if (!entity)
+        return errorResult(`Entity not found: ${v.data.entity_id}`);
+    const invocations = await deps.invocations.findByEntity(v.data.entity_id);
+    for (const inv of invocations) {
+        if (inv.completedAt === null && inv.failedAt === null) {
+            await deps.invocations.fail(inv.id, "Cancelled by admin");
+        }
+    }
+    await deps.entities.cancelEntity(v.data.entity_id);
+    return jsonResult({ cancelled: true, entity_id: v.data.entity_id });
+}
+async function handleAdminEntityReset(deps, args) {
+    const v = validateInput(AdminEntityResetSchema, args);
+    if (!v.ok)
+        return v.result;
+    const entity = await deps.entities.get(v.data.entity_id);
+    if (!entity)
+        return errorResult(`Entity not found: ${v.data.entity_id}`);
+    const flow = await deps.flows.get(entity.flowId);
+    if (!flow)
+        return errorResult(`Flow not found for entity: ${v.data.entity_id}`);
+    const targetState = flow.states.find((s) => s.name === v.data.target_state);
+    if (!targetState)
+        return errorResult(`State '${v.data.target_state}' not found in flow '${flow.name}'`);
+    const invocations = await deps.invocations.findByEntity(v.data.entity_id);
+    for (const inv of invocations) {
+        if (inv.completedAt === null && inv.failedAt === null) {
+            await deps.invocations.fail(inv.id, "Reset by admin");
+        }
+    }
+    const updated = await deps.entities.resetEntity(v.data.entity_id, v.data.target_state);
+    return jsonResult({ reset: true, entity_id: v.data.entity_id, state: updated.state });
+}
+async function handleAdminWorkerDrain(deps, args) {
+    const v = validateInput(AdminWorkerDrainSchema, args);
+    if (!v.ok)
+        return v.result;
+    if (!deps.engine)
+        return errorResult("Engine not available");
+    deps.engine.drainWorker(v.data.worker_id);
+    return jsonResult({ draining: true, worker_id: v.data.worker_id });
+}
+async function handleAdminWorkerUndrain(deps, args) {
+    const v = validateInput(AdminWorkerDrainSchema, args);
+    if (!v.ok)
+        return v.result;
+    if (!deps.engine)
+        return errorResult("Engine not available");
+    deps.engine.undrainWorker(v.data.worker_id);
+    return jsonResult({ draining: false, worker_id: v.data.worker_id });
+}
+async function handleAdminGateRerun(deps, args) {
+    const v = validateInput(AdminGateRerunSchema, args);
+    if (!v.ok)
+        return v.result;
+    const entity = await deps.entities.get(v.data.entity_id);
+    if (!entity)
+        return errorResult(`Entity not found: ${v.data.entity_id}`);
+    const gate = await deps.gates.getByName(v.data.gate_name);
+    if (!gate)
+        return errorResult(`Gate not found: ${v.data.gate_name}`);
+    await deps.gates.clearResult(v.data.entity_id, gate.id);
+    const invocations = await deps.invocations.findByEntity(v.data.entity_id);
+    for (const inv of invocations) {
+        if (inv.completedAt === null && inv.failedAt === null) {
+            await deps.invocations.fail(inv.id, "Gate rerun by admin");
+        }
+    }
+    if (entity.claimedBy) {
+        await deps.entities.release(entity.id, entity.claimedBy);
+    }
+    return jsonResult({ rerun: true, entity_id: v.data.entity_id, gate: v.data.gate_name });
+}
 /** Start the MCP server on stdio transport. */
 export async function startStdioServer(deps, opts) {
     const server = createMcpServer(deps, opts);

package/dist/src/repositories/drizzle/entity.repo.d.ts

@@ -23,5 +23,7 @@ export declare class DrizzleEntityRepository implements IEntityRepository {
     reapExpired(ttlMs: number): Promise<string[]>;
     setAffinity(entityId: string, workerId: string, role: string, expiresAt: Date): Promise<void>;
     clearExpiredAffinity(): Promise<string[]>;
+    cancelEntity(entityId: string): Promise<void>;
+    resetEntity(entityId: string, targetState: string): Promise<Entity>;
 }
 export {};

package/dist/src/repositories/drizzle/entity.repo.js

@@ -188,4 +188,21 @@ export class DrizzleEntityRepository {
             .all();
         return rows.map((r) => r.id);
     }
+    async cancelEntity(entityId) {
+        await this.db
+            .update(entities)
+            .set({ state: "cancelled", claimedBy: null, claimedAt: null, updatedAt: Date.now() })
+            .where(eq(entities.id, entityId));
+    }
+    async resetEntity(entityId, targetState) {
+        const now = Date.now();
+        await this.db
+            .update(entities)
+            .set({ state: targetState, claimedBy: null, claimedAt: null, updatedAt: now })
+            .where(eq(entities.id, entityId));
+        const rows = await this.db.select().from(entities).where(eq(entities.id, entityId)).limit(1);
+        if (rows.length === 0)
+            throw new NotFoundError(`Entity not found: ${entityId}`);
+        return this.toEntity(rows[0]);
+    }
 }

package/dist/src/repositories/drizzle/flow.repo.js

@@ -47,6 +47,7 @@ function rowToFlow(r, states, transitions) {
         discipline: r.discipline ?? null,
         defaultModelTier: r.defaultModelTier ?? null,
         timeoutPrompt: r.timeoutPrompt ?? null,
+        paused: !!r.paused,
         createdAt: toDate(r.createdAt),
         updatedAt: toDate(r.updatedAt),
         states,
@@ -91,6 +92,7 @@ export class DrizzleFlowRepository {
             discipline: input.discipline ?? null,
             defaultModelTier: input.defaultModelTier ?? null,
             timeoutPrompt: input.timeoutPrompt ?? null,
+            paused: input.paused ? 1 : 0,
             createdAt: now,
             updatedAt: now,
         };
@@ -148,6 +150,8 @@ export class DrizzleFlowRepository {
             updateValues.defaultModelTier = changes.defaultModelTier;
         if (changes.timeoutPrompt !== undefined)
             updateValues.timeoutPrompt = changes.timeoutPrompt;
+        if (changes.paused !== undefined)
+            updateValues.paused = changes.paused ? 1 : 0;
         this.db.update(flowDefinitions).set(updateValues).where(eq(flowDefinitions.id, id)).run();
         const updated = this.db.select().from(flowDefinitions).where(eq(flowDefinitions.id, id)).all();
         return this.hydrateFlow(updated[0]);

package/dist/src/repositories/drizzle/gate.repo.d.ts

@@ -12,5 +12,6 @@ export declare class DrizzleGateRepository implements IGateRepository {
     record(entityId: string, gateId: string, passed: boolean, output: string): Promise<GateResult>;
     update(id: string, changes: Partial<Pick<Gate, "command" | "functionRef" | "apiConfig" | "timeoutMs" | "failurePrompt" | "timeoutPrompt">>): Promise<Gate>;
     resultsFor(entityId: string): Promise<GateResult[]>;
+    clearResult(entityId: string, gateId: string): Promise<void>;
 }
 export {};

package/dist/src/repositories/drizzle/gate.repo.js

@@ -1,5 +1,5 @@
 import { randomUUID } from "node:crypto";
-import { asc, eq, sql } from "drizzle-orm";
+import { and, asc, eq, sql } from "drizzle-orm";
 import { InternalError } from "../../errors.js";
 import { gateDefinitions, gateResults } from "./schema.js";
 function toGate(row) {
@@ -96,4 +96,10 @@ export class DrizzleGateRepository {
             .all();
         return rows.map(toGateResult);
     }
+    async clearResult(entityId, gateId) {
+        this.db
+            .delete(gateResults)
+            .where(and(eq(gateResults.entityId, entityId), eq(gateResults.gateId, gateId)))
+            .run();
+    }
 }

package/dist/src/repositories/drizzle/schema.d.ts

@@ -256,6 +256,23 @@ export declare const flowDefinitions: import("drizzle-orm/sqlite-core").SQLiteTa
         }, {}, {
             length: number | undefined;
         }>;
+        paused: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "paused";
+            tableName: "flow_definitions";
+            dataType: "number";
+            columnType: "SQLiteInteger";
+            data: number;
+            driverParam: number;
+            notNull: false;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
         createdAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
             name: "created_at";
             tableName: "flow_definitions";

package/dist/src/repositories/drizzle/schema.js

@@ -15,6 +15,7 @@ export const flowDefinitions = sqliteTable("flow_definitions", {
     discipline: text("discipline"),
     defaultModelTier: text("default_model_tier"),
     timeoutPrompt: text("timeout_prompt"),
+    paused: integer("paused").default(0),
     createdAt: integer("created_at"),
     updatedAt: integer("updated_at"),
 });

package/dist/src/repositories/interfaces.d.ts

@@ -130,6 +130,7 @@ export interface Flow {
     discipline: string | null;
     defaultModelTier: string | null;
     timeoutPrompt: string | null;
+    paused: boolean;
     createdAt: Date | null;
     updatedAt: Date | null;
     states: State[];
@@ -159,6 +160,7 @@ export interface CreateFlowInput {
     discipline?: string;
     defaultModelTier?: string;
     timeoutPrompt?: string;
+    paused?: boolean;
 }
 /** Input for adding a state to a flow */
 export interface CreateStateInput {
@@ -225,6 +227,10 @@ export interface IEntityRepository {
         childFlow: string;
         spawnedAt: string;
     }): Promise<void>;
+    /** Move entity to 'cancelled' terminal state and clear claimedBy/claimedAt. */
+    cancelEntity(entityId: string): Promise<void>;
+    /** Move entity to targetState and clear claimedBy/claimedAt. Returns the updated entity. */
+    resetEntity(entityId: string, targetState: string): Promise<Entity>;
 }
 /** Fields that can be updated on a flow's top-level definition */
 export type UpdateFlowInput = Partial<Omit<Flow, "id" | "states" | "transitions" | "createdAt" | "updatedAt">>;
@@ -318,4 +324,6 @@ export interface IGateRepository {
     resultsFor(entityId: string): Promise<GateResult[]>;
     /** Update mutable fields on a gate definition. */
     update(id: string, changes: Partial<Pick<Gate, "command" | "functionRef" | "apiConfig" | "timeoutMs" | "failurePrompt" | "timeoutPrompt">>): Promise<Gate>;
+    /** Delete the gate result for a specific entity+gate combination. */
+    clearResult(entityId: string, gateId: string): Promise<void>;
 }

package/drizzle/0011_modern_anita_blake.sql

@@ -0,0 +1,19 @@
+PRAGMA foreign_keys=OFF;--> statement-breakpoint
+CREATE TABLE `__new_gate_definitions` (
+	`id` text PRIMARY KEY NOT NULL,
+	`name` text NOT NULL,
+	`type` text NOT NULL,
+	`command` text,
+	`function_ref` text,
+	`api_config` text,
+	`timeout_ms` integer,
+	`failure_prompt` text,
+	`timeout_prompt` text
+);
+--> statement-breakpoint
+INSERT INTO `__new_gate_definitions`("id", "name", "type", "command", "function_ref", "api_config", "timeout_ms", "failure_prompt", "timeout_prompt") SELECT "id", "name", "type", "command", "function_ref", "api_config", "timeout_ms", "failure_prompt", "timeout_prompt" FROM `gate_definitions`;--> statement-breakpoint
+DROP TABLE `gate_definitions`;--> statement-breakpoint
+ALTER TABLE `__new_gate_definitions` RENAME TO `gate_definitions`;--> statement-breakpoint
+PRAGMA foreign_keys=ON;--> statement-breakpoint
+CREATE UNIQUE INDEX `gate_definitions_name_unique` ON `gate_definitions` (`name`);--> statement-breakpoint
+ALTER TABLE `flow_definitions` ADD `paused` integer DEFAULT 0;