burnless 0.1.0

package/dist/chunk-KSP7MJZ3.js

@@ -0,0 +1,4075 @@
+#!/usr/bin/env node
+import { createRequire as __createRequire } from 'node:module';
+import { fileURLToPath as __fileURLToPath } from 'node:url';
+import { dirname as __pathDirname } from 'node:path';
+const require = __createRequire(import.meta.url);
+const __filename = __fileURLToPath(import.meta.url);
+const __dirname = __pathDirname(__filename);
+import {
+  drizzle
+} from "./chunk-IBT7EFKB.js";
+import {
+  src_default
+} from "./chunk-MHVBJUPX.js";
+import {
+  IndexedColumn,
+  PgDatabase,
+  PgTimestamp,
+  SQL,
+  and,
+  asc,
+  boolean,
+  desc,
+  entityKind,
+  eq,
+  gt,
+  inArray,
+  integer,
+  is,
+  isNull,
+  jsonb,
+  lt,
+  lte,
+  numeric,
+  or,
+  pgEnum,
+  pgTable,
+  primaryKey,
+  relations,
+  sql,
+  text,
+  timestamp
+} from "./chunk-RDP4RLLI.js";
+import {
+  __export
+} from "./chunk-BMDIVUSL.js";
+
+// ../../node_modules/.pnpm/drizzle-orm@0.38.4_@electric-sql+pglite@0.5.2_@opentelemetry+api@1.9.0_@types+pg@8.15.6_75139cca41f10c6d94ac9ad65d4511ab/node_modules/drizzle-orm/pg-core/checks.js
+var CheckBuilder = class {
+  constructor(name, value) {
+    this.name = name;
+    this.value = value;
+  }
+  static [entityKind] = "PgCheckBuilder";
+  brand;
+  /** @internal */
+  build(table) {
+    return new Check(table, this);
+  }
+};
+var Check = class {
+  constructor(table, builder) {
+    this.table = table;
+    this.name = builder.name;
+    this.value = builder.value;
+  }
+  static [entityKind] = "PgCheck";
+  name;
+  value;
+};
+function check(name, value) {
+  return new CheckBuilder(name, value);
+}
+
+// ../../node_modules/.pnpm/drizzle-orm@0.38.4_@electric-sql+pglite@0.5.2_@opentelemetry+api@1.9.0_@types+pg@8.15.6_75139cca41f10c6d94ac9ad65d4511ab/node_modules/drizzle-orm/pg-core/indexes.js
+var IndexBuilderOn = class {
+  constructor(unique, name) {
+    this.unique = unique;
+    this.name = name;
+  }
+  static [entityKind] = "PgIndexBuilderOn";
+  on(...columns) {
+    return new IndexBuilder(
+      columns.map((it) => {
+        if (is(it, SQL)) {
+          return it;
+        }
+        it = it;
+        const clonedIndexedColumn = new IndexedColumn(it.name, !!it.keyAsName, it.columnType, it.indexConfig);
+        it.indexConfig = JSON.parse(JSON.stringify(it.defaultConfig));
+        return clonedIndexedColumn;
+      }),
+      this.unique,
+      false,
+      this.name
+    );
+  }
+  onOnly(...columns) {
+    return new IndexBuilder(
+      columns.map((it) => {
+        if (is(it, SQL)) {
+          return it;
+        }
+        it = it;
+        const clonedIndexedColumn = new IndexedColumn(it.name, !!it.keyAsName, it.columnType, it.indexConfig);
+        it.indexConfig = it.defaultConfig;
+        return clonedIndexedColumn;
+      }),
+      this.unique,
+      true,
+      this.name
+    );
+  }
+  /**
+   * Specify what index method to use. Choices are `btree`, `hash`, `gist`, `spgist`, `gin`, `brin`, or user-installed access methods like `bloom`. The default method is `btree.
+   *
+   * If you have the `pg_vector` extension installed in your database, you can use the `hnsw` and `ivfflat` options, which are predefined types.
+   *
+   * **You can always specify any string you want in the method, in case Drizzle doesn't have it natively in its types**
+   *
+   * @param method The name of the index method to be used
+   * @param columns
+   * @returns
+   */
+  using(method, ...columns) {
+    return new IndexBuilder(
+      columns.map((it) => {
+        if (is(it, SQL)) {
+          return it;
+        }
+        it = it;
+        const clonedIndexedColumn = new IndexedColumn(it.name, !!it.keyAsName, it.columnType, it.indexConfig);
+        it.indexConfig = JSON.parse(JSON.stringify(it.defaultConfig));
+        return clonedIndexedColumn;
+      }),
+      this.unique,
+      true,
+      this.name,
+      method
+    );
+  }
+};
+var IndexBuilder = class {
+  static [entityKind] = "PgIndexBuilder";
+  /** @internal */
+  config;
+  constructor(columns, unique, only, name, method = "btree") {
+    this.config = {
+      name,
+      columns,
+      unique,
+      only,
+      method
+    };
+  }
+  concurrently() {
+    this.config.concurrently = true;
+    return this;
+  }
+  with(obj) {
+    this.config.with = obj;
+    return this;
+  }
+  where(condition) {
+    this.config.where = condition;
+    return this;
+  }
+  /** @internal */
+  build(table) {
+    return new Index(this.config, table);
+  }
+};
+var Index = class {
+  static [entityKind] = "PgIndex";
+  config;
+  constructor(config, table) {
+    this.config = { ...config, table };
+  }
+};
+function index(name) {
+  return new IndexBuilderOn(false, name);
+}
+function uniqueIndex(name) {
+  return new IndexBuilderOn(true, name);
+}
+
+// ../db/src/schema.ts
+var schema_exports = {};
+__export(schema_exports, {
+  accountCategoryEnum: () => accountCategoryEnum,
+  accountTypeEnum: () => accountTypeEnum,
+  accounts: () => accounts,
+  aiApiKeyModeEnum: () => aiApiKeyModeEnum,
+  aiConversations: () => aiConversations,
+  aiConversationsRelations: () => aiConversationsRelations,
+  aiDataModeEnum: () => aiDataModeEnum,
+  aiFeatureFlags: () => aiFeatureFlags,
+  aiFeatureFlagsRelations: () => aiFeatureFlagsRelations,
+  aiInsightCache: () => aiInsightCache,
+  aiInsightCacheRelations: () => aiInsightCacheRelations,
+  aiInsightCacheTypeEnum: () => aiInsightCacheTypeEnum,
+  aiMessageRoleEnum: () => aiMessageRoleEnum,
+  aiMessages: () => aiMessages,
+  aiMessagesRelations: () => aiMessagesRelations,
+  aiPendingActionKindEnum: () => aiPendingActionKindEnum,
+  aiPendingActions: () => aiPendingActions,
+  aiPermissionDefaults: () => aiPermissionDefaults,
+  aiPermissionModeEnum: () => aiPermissionModeEnum,
+  aiProviderKindEnum: () => aiProviderKindEnum,
+  aiProviderModelSourceEnum: () => aiProviderModelSourceEnum,
+  aiProviderModels: () => aiProviderModels,
+  aiProviderModelsRelations: () => aiProviderModelsRelations,
+  aiProviders: () => aiProviders,
+  aiProvidersRelations: () => aiProvidersRelations,
+  aiToolAuditLogStatusEnum: () => aiToolAuditLogStatusEnum,
+  aiToolAuditLogs: () => aiToolAuditLogs,
+  aiToolAuditLogsRelations: () => aiToolAuditLogsRelations,
+  aiToolPermissionDecisionEnum: () => aiToolPermissionDecisionEnum,
+  aiUsageLogs: () => aiUsageLogs,
+  aiWriteModeEnum: () => aiWriteModeEnum,
+  apiTokens: () => apiTokens,
+  auditActionEnum: () => auditActionEnum,
+  auditEntityTypeEnum: () => auditEntityTypeEnum,
+  bonusTypeEnum: () => bonusTypeEnum,
+  bonuses: () => bonuses,
+  bonusesRelations: () => bonusesRelations,
+  businessModelEnum: () => businessModelEnum,
+  companies: () => companies,
+  companiesRelations: () => companiesRelations,
+  companyMembers: () => companyMembers,
+  companyMembersRelations: () => companyMembersRelations,
+  companyStageEnum: () => companyStageEnum,
+  consentPurposeEnum: () => consentPurposeEnum,
+  dashboardModeEnum: () => dashboardModeEnum,
+  dashboardPreferences: () => dashboardPreferences,
+  dashboardPreferencesRelations: () => dashboardPreferencesRelations,
+  dataRegionEnum: () => dataRegionEnum,
+  departments: () => departments,
+  departmentsRelations: () => departmentsRelations,
+  equityGrantTypeEnum: () => equityGrantTypeEnum,
+  equityGrants: () => equityGrants,
+  equityGrantsRelations: () => equityGrantsRelations,
+  expenseFrequencyEnum: () => expenseFrequencyEnum,
+  exportLogs: () => exportLogs,
+  financialAccounts: () => financialAccounts,
+  financialAccountsRelations: () => financialAccountsRelations,
+  financialAuditLogs: () => financialAuditLogs,
+  financialAuditLogsRelations: () => financialAuditLogsRelations,
+  forecastLines: () => forecastLines,
+  forecastLinesRelations: () => forecastLinesRelations,
+  forecastMethodEnum: () => forecastMethodEnum,
+  forecastValues: () => forecastValues,
+  forecastValuesRelations: () => forecastValuesRelations,
+  fundingRoundInvestors: () => fundingRoundInvestors,
+  fundingRoundInvestorsRelations: () => fundingRoundInvestorsRelations,
+  fundingRoundTypeEnum: () => fundingRoundTypeEnum,
+  fundingRounds: () => fundingRounds,
+  fundingRoundsRelations: () => fundingRoundsRelations,
+  headcountEmployeeTypeEnum: () => headcountEmployeeTypeEnum,
+  headcountPlans: () => headcountPlans,
+  headcountPlansRelations: () => headcountPlansRelations,
+  importBatchStatusEnum: () => importBatchStatusEnum,
+  importBatches: () => importBatches,
+  importBatchesRelations: () => importBatchesRelations,
+  insightInvalidations: () => insightInvalidations,
+  integrationStatusEnum: () => integrationStatusEnum,
+  integrationTypeEnum: () => integrationTypeEnum,
+  integrations: () => integrations,
+  integrationsRelations: () => integrationsRelations,
+  inviteCodeRedemptions: () => inviteCodeRedemptions,
+  inviteCodeRedemptionsRelations: () => inviteCodeRedemptionsRelations,
+  inviteCodeTypeEnum: () => inviteCodeTypeEnum,
+  inviteCodes: () => inviteCodes,
+  inviteCodesRelations: () => inviteCodesRelations,
+  mcpAuthTypeEnum: () => mcpAuthTypeEnum,
+  mcpConnectionStatusEnum: () => mcpConnectionStatusEnum,
+  mcpConnections: () => mcpConnections,
+  mcpConnectionsRelations: () => mcpConnectionsRelations,
+  mcpCredentials: () => mcpCredentials,
+  mcpCredentialsRelations: () => mcpCredentialsRelations,
+  mcpOwnerScopeEnum: () => mcpOwnerScopeEnum,
+  mcpToolPermEnum: () => mcpToolPermEnum,
+  mcpToolPrefs: () => mcpToolPrefs,
+  mcpToolPrefsRelations: () => mcpToolPrefsRelations,
+  mcpTransportEnum: () => mcpTransportEnum,
+  memberRoleEnum: () => memberRoleEnum,
+  merchantCategoryMappings: () => merchantCategoryMappings,
+  merchantCategoryMappingsRelations: () => merchantCategoryMappingsRelations,
+  metricCategoryEnum: () => metricCategoryEnum,
+  metrics: () => metrics,
+  metricsRelations: () => metricsRelations,
+  notificationSeverityEnum: () => notificationSeverityEnum,
+  notifications: () => notifications,
+  oauthAuthCodes: () => oauthAuthCodes,
+  oauthClients: () => oauthClients,
+  oauthTokens: () => oauthTokens,
+  optionPools: () => optionPools,
+  optionPoolsRelations: () => optionPoolsRelations,
+  privacyConsents: () => privacyConsents,
+  privacyConsentsRelations: () => privacyConsentsRelations,
+  quickActionModeEnum: () => quickActionModeEnum,
+  revenueStreamTypeEnum: () => revenueStreamTypeEnum,
+  revenueStreams: () => revenueStreams,
+  revenueStreamsRelations: () => revenueStreamsRelations,
+  salaryChanges: () => salaryChanges,
+  salaryChangesRelations: () => salaryChangesRelations,
+  scenarioOverrideActionEnum: () => scenarioOverrideActionEnum,
+  scenarioOverrides: () => scenarioOverrides,
+  scenarioOverridesRelations: () => scenarioOverridesRelations,
+  scenarioSourceEnum: () => scenarioSourceEnum,
+  scenarioStatusEnum: () => scenarioStatusEnum,
+  scenarios: () => scenarios,
+  scenariosRelations: () => scenariosRelations,
+  scheduledJobActionKindEnum: () => scheduledJobActionKindEnum,
+  scheduledJobNotifyPolicyEnum: () => scheduledJobNotifyPolicyEnum,
+  scheduledJobRunStatusEnum: () => scheduledJobRunStatusEnum,
+  scheduledJobRunTriggerEnum: () => scheduledJobRunTriggerEnum,
+  scheduledJobRuns: () => scheduledJobRuns,
+  scheduledJobStatusEnum: () => scheduledJobStatusEnum,
+  scheduledJobs: () => scheduledJobs,
+  sessions: () => sessions,
+  shareClassTypeEnum: () => shareClassTypeEnum,
+  shareClasses: () => shareClasses,
+  shareClassesRelations: () => shareClassesRelations,
+  transactionSourceEnum: () => transactionSourceEnum,
+  transactions: () => transactions,
+  transactionsRelations: () => transactionsRelations,
+  userPreferences: () => userPreferences,
+  userPreferencesRelations: () => userPreferencesRelations,
+  users: () => users,
+  usersRelations: () => usersRelations,
+  verificationTokens: () => verificationTokens,
+  weeklyDigests: () => weeklyDigests,
+  weeklyDigestsRelations: () => weeklyDigestsRelations
+});
+var companyStageEnum = pgEnum("company_stage", [
+  "pre_seed",
+  "seed",
+  "series_a",
+  "series_b",
+  "series_c_plus",
+  "bootstrapped"
+]);
+var businessModelEnum = pgEnum("business_model", [
+  "saas",
+  "marketplace",
+  "ecommerce",
+  "services",
+  "hardware",
+  "other"
+]);
+var accountTypeEnum = pgEnum("account_type", [
+  "income",
+  "expense",
+  "asset",
+  "liability",
+  "equity"
+]);
+var accountCategoryEnum = pgEnum("account_category", [
+  "revenue",
+  "cogs",
+  "operating_expense",
+  "other_income",
+  "other_expense",
+  "asset",
+  "liability",
+  "equity"
+]);
+var transactionSourceEnum = pgEnum("transaction_source", [
+  "manual",
+  "import",
+  "integration",
+  "forecast"
+]);
+var scenarioSourceEnum = pgEnum("scenario_source", [
+  "blank",
+  "ai",
+  "template",
+  "clone",
+  "backup"
+]);
+var scenarioStatusEnum = pgEnum("scenario_status", [
+  "active",
+  "promoted",
+  "archived"
+]);
+var scenarioOverrideActionEnum = pgEnum("scenario_override_action", [
+  "create",
+  "modify",
+  "delete"
+]);
+var forecastMethodEnum = pgEnum("forecast_method", [
+  "fixed",
+  "growth_rate",
+  "per_unit",
+  "percentage_of",
+  "custom_formula"
+]);
+var expenseFrequencyEnum = pgEnum("expense_frequency", [
+  "monthly",
+  "quarterly",
+  "annual"
+]);
+var memberRoleEnum = pgEnum("member_role", [
+  "owner",
+  "admin",
+  "editor",
+  "viewer"
+]);
+var integrationTypeEnum = pgEnum("integration_type", [
+  "quickbooks",
+  "xero",
+  "freshbooks",
+  "plaid",
+  "mercury",
+  "gusto",
+  "stripe"
+]);
+var integrationStatusEnum = pgEnum("integration_status", [
+  "active",
+  "disconnected",
+  "error"
+]);
+var fundingRoundTypeEnum = pgEnum("funding_round_type", [
+  "pre_seed",
+  "seed",
+  "series_a",
+  "series_b",
+  "series_c_plus",
+  "debt",
+  "grant",
+  "safe",
+  "convertible"
+]);
+var revenueStreamTypeEnum = pgEnum("revenue_stream_type", [
+  "subscription",
+  "one_time",
+  "usage_based",
+  "services",
+  "marketplace",
+  "ecommerce",
+  "hardware"
+]);
+var metricCategoryEnum = pgEnum("metric_category", [
+  "financial",
+  "saas",
+  "growth",
+  "efficiency",
+  "custom"
+]);
+var aiMessageRoleEnum = pgEnum("ai_message_role", [
+  "user",
+  "assistant",
+  "system"
+]);
+var aiDataModeEnum = pgEnum("ai_data_mode", [
+  "full",
+  "show_cached",
+  "hide_all"
+]);
+var aiWriteModeEnum = pgEnum("ai_write_mode", [
+  "full",
+  "confirm",
+  "read_only"
+]);
+var aiProviderKindEnum = pgEnum("ai_provider_kind", [
+  "anthropic",
+  "openai",
+  "openrouter",
+  "ollama",
+  "google",
+  "mistral",
+  "groq",
+  "openai-compatible"
+]);
+var aiApiKeyModeEnum = pgEnum("ai_api_key_mode", ["managed", "user_provided", "none"]);
+var aiProviderModelSourceEnum = pgEnum("ai_provider_model_source", ["fetched", "manual", "preset"]);
+var aiPermissionModeEnum = pgEnum("ai_permission_mode", [
+  "ask",
+  "session",
+  "always"
+]);
+var aiToolPermissionDecisionEnum = pgEnum("ai_tool_permission_decision", [
+  "auto",
+  "granted_once",
+  "granted_session",
+  "denied"
+]);
+var headcountEmployeeTypeEnum = pgEnum("headcount_employee_type", [
+  "full_time",
+  "part_time",
+  "contractor"
+]);
+var notificationSeverityEnum = pgEnum("notification_severity", [
+  "info",
+  "success",
+  "warning",
+  "error"
+]);
+var mcpTransportEnum = pgEnum("mcp_transport", ["streamable_http", "stdio"]);
+var mcpOwnerScopeEnum = pgEnum("mcp_owner_scope", ["company", "personal"]);
+var mcpAuthTypeEnum = pgEnum("mcp_auth_type", ["oauth", "pat", "none"]);
+var mcpConnectionStatusEnum = pgEnum("mcp_connection_status", [
+  "pending",
+  "connected",
+  "needs_auth",
+  "error",
+  "disabled"
+]);
+var mcpToolPermEnum = pgEnum("mcp_tool_perm", ["read", "write", "delete"]);
+var users = pgTable("users", {
+  id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+  name: text("name"),
+  email: text("email").unique().notNull(),
+  emailVerified: timestamp("email_verified", { mode: "date" }),
+  image: text("image"),
+  passwordHash: text("password_hash"),
+  twoFactorEnabled: boolean("two_factor_enabled").default(false).notNull(),
+  twoFactorSecret: text("two_factor_secret"),
+  twoFactorBackupCodes: text("two_factor_backup_codes"),
+  createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+  updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+});
+var accounts = pgTable(
+  "accounts",
+  {
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    type: text("type").notNull(),
+    provider: text("provider").notNull(),
+    providerAccountId: text("provider_account_id").notNull(),
+    refresh_token: text("refresh_token"),
+    access_token: text("access_token"),
+    expires_at: integer("expires_at"),
+    token_type: text("token_type"),
+    scope: text("scope"),
+    id_token: text("id_token"),
+    session_state: text("session_state")
+  },
+  (table) => [
+    primaryKey({ columns: [table.provider, table.providerAccountId] }),
+    index("accounts_user_idx").on(table.userId)
+  ]
+);
+var sessions = pgTable(
+  "sessions",
+  {
+    sessionToken: text("session_token").primaryKey(),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    expires: timestamp("expires", { mode: "date" }).notNull()
+  },
+  (table) => [
+    index("sessions_user_idx").on(table.userId)
+  ]
+);
+var verificationTokens = pgTable(
+  "verification_tokens",
+  {
+    identifier: text("identifier").notNull(),
+    token: text("token").notNull(),
+    expires: timestamp("expires", { mode: "date" }).notNull()
+  },
+  (table) => [
+    primaryKey({ columns: [table.identifier, table.token] })
+  ]
+);
+var dataRegionEnum = pgEnum("data_region", [
+  "us-east",
+  "eu-west",
+  "ap-south"
+]);
+var companies = pgTable("companies", {
+  id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+  name: text("name").notNull(),
+  stage: companyStageEnum("stage").notNull().default("pre_seed"),
+  businessModel: businessModelEnum("business_model").notNull().default("saas"),
+  industry: text("industry"),
+  foundedDate: timestamp("founded_date", { mode: "date" }),
+  fiscalYearEnd: integer("fiscal_year_end").notNull().default(12),
+  currency: text("currency").notNull().default("USD"),
+  locale: text("locale").notNull().default("en-US"),
+  timezone: text("timezone").notNull().default("America/New_York"),
+  region: dataRegionEnum("region").notNull().default("us-east"),
+  ownerId: text("owner_id").notNull().references(() => users.id),
+  billingProvider: text("billing_provider"),
+  billingCustomerId: text("billing_customer_id"),
+  billingSubscriptionId: text("billing_subscription_id"),
+  billingPlan: text("billing_plan").default("free"),
+  benefitsRates: jsonb("benefits_rates").notNull().default({}),
+  foundersOwnershipPercent: numeric("founders_ownership_percent", { precision: 7, scale: 4 }).notNull().default("100.0000"),
+  /** B8 kill switch (expose spec §3): false ⇒ every inbound /mcp call 403s.
+   *  Tokens stay intact; flipping back on restores access. Default true. */
+  mcpServerEnabled: boolean("mcp_server_enabled").notNull().default(true),
+  createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+  updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+});
+var companyMembers = pgTable(
+  "company_members",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    role: memberRoleEnum("role").notNull().default("viewer"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("company_member_unique").on(table.companyId, table.userId),
+    index("company_member_user_idx").on(table.userId)
+  ]
+);
+var departments = pgTable(
+  "departments",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    parentId: text("parent_id"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("departments_company_idx").on(table.companyId)
+  ]
+);
+var financialAccounts = pgTable(
+  "financial_accounts",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    type: accountTypeEnum("type").notNull(),
+    category: accountCategoryEnum("category").notNull(),
+    parentId: text("parent_id"),
+    isSystem: boolean("is_system").notNull().default(false),
+    sortOrder: integer("sort_order").notNull().default(0),
+    // When true, transactions on this account ARE personnel cost that the
+    // headcount plan also models. The compute layer then uses these actuals in
+    // months where they exist and suppresses the headcount-plan cost for those
+    // months, so payroll isn't double-counted (actuals in closed months, plan
+    // in forecast months). See `reconcileHeadcountWithActuals`.
+    coversHeadcount: boolean("covers_headcount").notNull().default(false),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("financial_accounts_company_idx").on(table.companyId),
+    index("financial_accounts_parent_idx").on(table.parentId)
+  ]
+);
+var transactions = pgTable(
+  "transactions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    accountId: text("account_id").notNull().references(() => financialAccounts.id, { onDelete: "cascade" }),
+    date: timestamp("date", { mode: "date" }).notNull(),
+    amount: numeric("amount", { precision: 18, scale: 2 }).notNull(),
+    description: text("description"),
+    vendor: text("vendor"),
+    notes: text("notes"),
+    source: transactionSourceEnum("source").notNull().default("manual"),
+    externalId: text("external_id"),
+    importBatchId: text("import_batch_id"),
+    metadata: jsonb("metadata"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("transactions_company_date_idx").on(table.companyId, table.date),
+    index("transactions_account_idx").on(table.accountId),
+    uniqueIndex("transactions_external_id_idx").on(
+      table.companyId,
+      table.externalId
+    ),
+    index("transactions_batch_idx").on(table.importBatchId)
+  ]
+);
+var importBatchStatusEnum = pgEnum("import_batch_status", [
+  "pending",
+  "processing",
+  "completed",
+  "rolled_back",
+  "failed"
+]);
+var importBatches = pgTable(
+  "import_batches",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    fileName: text("file_name").notNull(),
+    status: importBatchStatusEnum("status").notNull().default("pending"),
+    totalRows: integer("total_rows").notNull().default(0),
+    importedCount: integer("imported_count").notNull().default(0),
+    skippedCount: integer("skipped_count").notNull().default(0),
+    errorCount: integer("error_count").notNull().default(0),
+    accountId: text("account_id").references(() => financialAccounts.id),
+    columnMapping: jsonb("column_mapping"),
+    errors: jsonb("errors"),
+    metadata: jsonb("metadata"),
+    rolledBackAt: timestamp("rolled_back_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("import_batches_company_idx").on(table.companyId),
+    index("import_batches_account_idx").on(table.accountId)
+  ]
+);
+var scenarios = pgTable(
+  "scenarios",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    description: text("description"),
+    source: scenarioSourceEnum("source").notNull().default("blank"),
+    status: scenarioStatusEnum("status").notNull().default("active"),
+    color: text("color"),
+    sourceScenarioId: text("source_scenario_id"),
+    aiConversationId: text("ai_conversation_id"),
+    promotedAt: timestamp("promoted_at", { mode: "date" }),
+    autoDeleteAt: timestamp("auto_delete_at", { mode: "date" }),
+    deletedAt: timestamp("deleted_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("scenarios_company_idx").on(table.companyId)
+  ]
+);
+var scenarioOverrides = pgTable(
+  "scenario_overrides",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    scenarioId: text("scenario_id").notNull().references(() => scenarios.id, { onDelete: "cascade" }),
+    entityType: text("entity_type").notNull(),
+    entityId: text("entity_id").notNull(),
+    action: scenarioOverrideActionEnum("action").notNull(),
+    data: jsonb("data"),
+    originalData: jsonb("original_data"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("scenario_overrides_unique").on(table.scenarioId, table.entityType, table.entityId),
+    index("scenario_overrides_scenario_type").on(table.scenarioId, table.entityType)
+  ]
+);
+var forecastLines = pgTable(
+  "forecast_lines",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    accountId: text("account_id").notNull().references(() => financialAccounts.id, { onDelete: "cascade" }),
+    method: forecastMethodEnum("method").notNull().default("fixed"),
+    parameters: jsonb("parameters").notNull().default({}),
+    startDate: timestamp("start_date", { mode: "date" }).notNull(),
+    endDate: timestamp("end_date", { mode: "date" }),
+    /**
+     * Phase 4 §4.1 — stable identifier a `custom_formula` expression can
+     * reference (`CloudCosts * 2`). Sanitized `^[A-Za-z_][A-Za-z0-9_]*$`;
+     * unique per company when non-null (see partial index below).
+     */
+    name: text("name"),
+    // ── Phase 1 additions (§2.C) ─────────────────────────────────────────
+    notes: text("notes"),
+    vendor: text("vendor"),
+    /**
+     * Explicit per-line expense category override (set in the expense form).
+     * NULL = derive automatically (merchant rules → account → "Uncategorized").
+     * A non-null value WINS over derivation in compute-expenses deriveSubcategory.
+     */
+    subcategory: text("subcategory"),
+    departmentId: text("department_id").references(() => departments.id, {
+      onDelete: "set null"
+    }),
+    frequency: expenseFrequencyEnum("frequency").notNull().default("monthly"),
+    isOneTime: boolean("is_one_time").notNull().default(false),
+    /**
+     * Tri-state recurring flag (Phase 1 §1.5 anomaly refactor).
+     * NULL = user has not declared; UI shows suggestion based on variance.
+     * true/false = explicit user choice.
+     */
+    isRecurring: boolean("is_recurring"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("forecast_lines_company_idx").on(table.companyId),
+    // Non-unique: Phase 1 consolidated form treats each forecast line as an
+    // independent expense (vendor / notes / department / frequency / isOneTime),
+    // so multiple lines per account are expected.
+    index("forecast_lines_company_account_idx").on(
+      table.companyId,
+      table.accountId
+    ),
+    index("forecast_lines_company_department_idx").on(
+      table.companyId,
+      table.departmentId
+    ),
+    index("forecast_lines_vendor_idx").on(table.companyId, table.vendor),
+    // Phase 4 §4.1 — line names are unique per company when set (NULL allowed).
+    uniqueIndex("forecast_lines_company_name_idx").on(table.companyId, table.name).where(sql`${table.name} IS NOT NULL`)
+  ]
+);
+var forecastValues = pgTable(
+  "forecast_values",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    forecastLineId: text("forecast_line_id").notNull().references(() => forecastLines.id, { onDelete: "cascade" }),
+    month: timestamp("month", { mode: "date" }).notNull(),
+    amount: numeric("amount", { precision: 18, scale: 2 }).notNull(),
+    isOverride: boolean("is_override").notNull().default(false),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("forecast_values_line_idx").on(table.forecastLineId),
+    index("forecast_values_month_idx").on(table.month),
+    uniqueIndex("forecast_values_line_month_idx").on(
+      table.forecastLineId,
+      table.month
+    )
+  ]
+);
+var headcountPlans = pgTable(
+  "headcount_plans",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    departmentId: text("department_id").notNull().references(() => departments.id, { onDelete: "cascade" }),
+    title: text("title").notNull(),
+    name: text("name"),
+    employeeType: headcountEmployeeTypeEnum("employee_type").notNull().default("full_time"),
+    count: numeric("count", { precision: 5, scale: 2 }).notNull().default("1.00"),
+    salary: numeric("salary", { precision: 12, scale: 2 }).notNull(),
+    hourlyRate: numeric("hourly_rate", { precision: 12, scale: 2 }),
+    hoursPerWeek: numeric("hours_per_week", { precision: 5, scale: 2 }),
+    startDate: timestamp("start_date", { mode: "date" }).notNull(),
+    endDate: timestamp("end_date", { mode: "date" }),
+    benefitsRate: numeric("benefits_rate", { precision: 5, scale: 4 }).notNull().default("0.20"),
+    parameters: jsonb("parameters").notNull().default({}),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("headcount_plans_company_idx").on(table.companyId),
+    index("headcount_plans_department_idx").on(table.departmentId)
+  ]
+);
+var equityGrantTypeEnum = pgEnum("equity_grant_type", [
+  "iso",
+  "nso",
+  "rsu"
+]);
+var shareClassTypeEnum = pgEnum("share_class_type", [
+  "common",
+  "preferred"
+]);
+var equityGrants = pgTable(
+  "equity_grants",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    headcountId: text("headcount_id").notNull().references(() => headcountPlans.id, { onDelete: "cascade" }),
+    grantDate: timestamp("grant_date", { mode: "date" }).notNull(),
+    shares: numeric("shares", { precision: 18, scale: 4 }).notNull(),
+    strikePrice: numeric("strike_price", { precision: 18, scale: 4 }),
+    grantType: equityGrantTypeEnum("grant_type").notNull().default("iso"),
+    parameters: jsonb("parameters").notNull().default({}),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("equity_grants_company_idx").on(table.companyId),
+    index("equity_grants_headcount_idx").on(table.headcountId)
+  ]
+);
+var bonusTypeEnum = pgEnum("bonus_type", [
+  "signing",
+  "performance",
+  "retention",
+  "other"
+]);
+var bonuses = pgTable(
+  "bonuses",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    headcountId: text("headcount_id").notNull().references(() => headcountPlans.id, { onDelete: "cascade" }),
+    payoutMonth: timestamp("payout_month", { mode: "date" }).notNull(),
+    amount: numeric("amount", { precision: 12, scale: 2 }).notNull(),
+    type: bonusTypeEnum("type").notNull().default("performance"),
+    notes: text("notes"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("bonuses_company_idx").on(table.companyId),
+    index("bonuses_headcount_month_idx").on(
+      table.headcountId,
+      table.payoutMonth
+    )
+  ]
+);
+var salaryChanges = pgTable(
+  "salary_changes",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    headcountId: text("headcount_id").notNull().references(() => headcountPlans.id, { onDelete: "cascade" }),
+    effectiveDate: timestamp("effective_date", { mode: "date" }).notNull(),
+    newSalary: numeric("new_salary", { precision: 12, scale: 2 }).notNull(),
+    reason: text("reason"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("salary_changes_company_idx").on(table.companyId),
+    index("salary_changes_headcount_date_idx").on(
+      table.headcountId,
+      table.effectiveDate
+    )
+  ]
+);
+var revenueStreams = pgTable(
+  "revenue_streams",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    type: revenueStreamTypeEnum("type").notNull().default("subscription"),
+    parameters: jsonb("parameters").notNull().default({}),
+    startDate: timestamp("start_date", { mode: "date" }).notNull().defaultNow(),
+    endDate: timestamp("end_date", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("revenue_streams_company_idx").on(table.companyId),
+    index("revenue_streams_active_idx").on(table.companyId, table.startDate, table.endDate)
+  ]
+);
+var fundingRounds = pgTable(
+  "funding_rounds",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    type: fundingRoundTypeEnum("type").notNull(),
+    amount: numeric("amount", { precision: 18, scale: 2 }).notNull(),
+    date: timestamp("date", { mode: "date" }).notNull(),
+    preMoneyValuation: numeric("pre_money_valuation", {
+      precision: 18,
+      scale: 2
+    }),
+    dilutionPercent: numeric("dilution_percent", { precision: 7, scale: 4 }),
+    isProjected: boolean("is_projected").notNull().default(false),
+    closeDate: timestamp("close_date", { mode: "date" }),
+    notes: text("notes"),
+    parameters: jsonb("parameters").$type().notNull().default({}),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("funding_rounds_company_idx").on(table.companyId)
+  ]
+);
+var fundingRoundInvestors = pgTable(
+  "funding_round_investors",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    fundingRoundId: text("funding_round_id").notNull().references(() => fundingRounds.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    email: text("email"),
+    amountInvested: numeric("amount_invested", { precision: 18, scale: 2 }).notNull(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("funding_round_investors_round_idx").on(table.fundingRoundId)
+  ]
+);
+var shareClasses = pgTable(
+  "share_classes",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    classType: shareClassTypeEnum("class_type").notNull().default("preferred"),
+    totalAuthorized: numeric("total_authorized", { precision: 18, scale: 0 }).notNull(),
+    totalIssued: numeric("total_issued", { precision: 18, scale: 0 }).notNull().default("0"),
+    parValue: numeric("par_value", { precision: 18, scale: 6 }).notNull().default("0.000001"),
+    liquidationPreference: numeric("liquidation_preference", {
+      precision: 7,
+      scale: 4
+    }).notNull().default("1.0000"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    deletedAt: timestamp("deleted_at", { mode: "date" })
+  },
+  (table) => [index("share_classes_company_idx").on(table.companyId)]
+);
+var optionPools = pgTable(
+  "option_pools",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    totalReserved: numeric("total_reserved", { precision: 18, scale: 0 }).notNull(),
+    refreshDate: timestamp("refresh_date", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    deletedAt: timestamp("deleted_at", { mode: "date" })
+  },
+  (table) => [index("option_pools_company_idx").on(table.companyId)]
+);
+var metrics = pgTable(
+  "metrics",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    slug: text("slug").notNull(),
+    formula: text("formula"),
+    isSystem: boolean("is_system").notNull().default(false),
+    category: metricCategoryEnum("category").notNull().default("financial"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("metrics_company_slug_idx").on(table.companyId, table.slug)
+  ]
+);
+var integrations = pgTable(
+  "integrations",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    type: integrationTypeEnum("type").notNull(),
+    status: integrationStatusEnum("status").notNull().default("active"),
+    lastSyncAt: timestamp("last_sync_at", { mode: "date" }),
+    metadata: jsonb("metadata"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("integrations_company_type_idx").on(
+      table.companyId,
+      table.type
+    )
+  ]
+);
+var mcpConnections = pgTable(
+  "mcp_connections",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    ownerScope: mcpOwnerScopeEnum("owner_scope").notNull().default("company"),
+    /** Required when ownerScope = personal; null for company-shared. */
+    ownerUserId: text("owner_user_id").references(() => users.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    /** Tool-namespace slug derived from name at create time: mcp__<slug>__<tool>. */
+    slug: text("slug").notNull(),
+    transport: mcpTransportEnum("transport").notNull(),
+    /** streamable_http: server URL. stdio: the executable command. */
+    endpoint: text("endpoint").notNull(),
+    /** stdio only: argv after the command. */
+    args: jsonb("args").$type(),
+    /** stdio only: non-secret env passed to the child process. */
+    env: jsonb("env").$type(),
+    authType: mcpAuthTypeEnum("auth_type").notNull().default("none"),
+    status: mcpConnectionStatusEnum("status").notNull().default("pending"),
+    /** Cached handshake result: { protocolVersion?, serverName?, tools: McpToolInfo[] }. */
+    capabilities: jsonb("capabilities").$type(),
+    lastError: text("last_error"),
+    lastConnectedAt: timestamp("last_connected_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("mcp_connections_company_idx").on(table.companyId),
+    index("mcp_connections_owner_idx").on(table.companyId, table.ownerScope, table.ownerUserId),
+    uniqueIndex("mcp_connections_company_name_idx").on(table.companyId, table.name),
+    uniqueIndex("mcp_connections_company_slug_idx").on(table.companyId, table.slug),
+    check(
+      "mcp_connections_personal_owner_check",
+      sql`(owner_scope = 'personal') = (owner_user_id IS NOT NULL)`
+    )
+  ]
+);
+var mcpCredentials = pgTable(
+  "mcp_credentials",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    mcpConnectionId: text("mcp_connection_id").notNull().references(() => mcpConnections.id, { onDelete: "cascade" }),
+    authType: mcpAuthTypeEnum("auth_type").notNull(),
+    /** encryptJson({ accessToken, refreshToken?, expiresAt? } | { token }). NEVER store plaintext. */
+    secret: text("secret"),
+    /** OAuth machinery state (non-secret-ish, but kept server-side only):
+     *  { clientInfo?, codeVerifier?, pendingState?, resourceUrl? }. */
+    clientRegistration: jsonb("client_registration").$type(),
+    expiresAt: timestamp("expires_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [uniqueIndex("mcp_credentials_connection_idx").on(table.mcpConnectionId)]
+);
+var mcpToolPrefs = pgTable(
+  "mcp_tool_prefs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    mcpConnectionId: text("mcp_connection_id").notNull().references(() => mcpConnections.id, { onDelete: "cascade" }),
+    toolName: text("tool_name").notNull(),
+    enabled: boolean("enabled").notNull().default(true),
+    permClassOverride: mcpToolPermEnum("perm_class_override"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [uniqueIndex("mcp_tool_prefs_connection_tool_idx").on(table.mcpConnectionId, table.toolName)]
+);
+var apiTokens = pgTable(
+  "api_tokens",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    tokenHash: text("token_hash").notNull(),
+    scopes: jsonb("scopes").$type().notNull(),
+    lastFour: text("last_four").notNull(),
+    expiresAt: timestamp("expires_at", { mode: "date" }),
+    lastUsedAt: timestamp("last_used_at", { mode: "date" }),
+    revokedAt: timestamp("revoked_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("api_tokens_hash_idx").on(table.tokenHash),
+    index("api_tokens_user_company_idx").on(table.userId, table.companyId),
+    index("api_tokens_company_idx").on(table.companyId)
+  ]
+);
+var oauthClients = pgTable("oauth_clients", {
+  id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+  name: text("name").notNull(),
+  redirectUris: jsonb("redirect_uris").$type().notNull(),
+  createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+});
+var oauthAuthCodes = pgTable(
+  "oauth_auth_codes",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    codeHash: text("code_hash").notNull(),
+    clientId: text("client_id").notNull().references(() => oauthClients.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    scopes: jsonb("scopes").$type().notNull(),
+    codeChallenge: text("code_challenge").notNull(),
+    resource: text("resource").notNull(),
+    redirectUri: text("redirect_uri").notNull(),
+    expiresAt: timestamp("expires_at", { mode: "date" }).notNull(),
+    usedAt: timestamp("used_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [uniqueIndex("oauth_auth_codes_hash_idx").on(table.codeHash)]
+);
+var oauthTokens = pgTable(
+  "oauth_tokens",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    grantId: text("grant_id").notNull(),
+    clientId: text("client_id").notNull().references(() => oauthClients.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    scopes: jsonb("scopes").$type().notNull(),
+    accessTokenHash: text("access_token_hash").notNull(),
+    refreshTokenHash: text("refresh_token_hash").notNull(),
+    resource: text("resource").notNull(),
+    accessExpiresAt: timestamp("access_expires_at", { mode: "date" }).notNull(),
+    supersededAt: timestamp("superseded_at", { mode: "date" }),
+    revokedAt: timestamp("revoked_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("oauth_tokens_access_hash_idx").on(table.accessTokenHash),
+    uniqueIndex("oauth_tokens_refresh_hash_idx").on(table.refreshTokenHash),
+    index("oauth_tokens_grant_idx").on(table.grantId),
+    index("oauth_tokens_user_company_idx").on(table.userId, table.companyId)
+  ]
+);
+var aiFeatureFlags = pgTable(
+  "ai_feature_flags",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    masterEnabled: boolean("master_enabled").notNull().default(true),
+    dataMode: aiDataModeEnum("data_mode").notNull().default("full"),
+    monthlyBudgetCents: integer("monthly_budget_cents").notNull().default(5e3),
+    // $50 default
+    features: jsonb("features").notNull().default({
+      onboarding: true,
+      chat: true,
+      insights: true,
+      uiPersonalization: true,
+      autoCategorization: true,
+      weeklyDigest: true
+    }),
+    // AI write mode — guardrail for AI mutations (full = execute, confirm = ask first, read_only = block)
+    writeMode: aiWriteModeEnum("write_mode").notNull().default("confirm"),
+    // Configurable companion name (default: "Companion")
+    companionName: text("companion_name").notNull().default("Companion"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("ai_feature_flags_company_idx").on(table.companyId)
+  ]
+);
+var aiProviders = pgTable(
+  "ai_providers",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    kind: aiProviderKindEnum("kind").notNull(),
+    baseUrl: text("base_url"),
+    apiKeyEncrypted: text("api_key_encrypted"),
+    apiKeyMode: aiApiKeyModeEnum("api_key_mode").notNull().default("user_provided"),
+    headers: jsonb("headers"),
+    dropParams: jsonb("drop_params"),
+    enabled: boolean("enabled").notNull().default(true),
+    isDefault: boolean("is_default").notNull().default(false),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [index("ai_providers_company_idx").on(table.companyId)]
+);
+var aiProviderModels = pgTable(
+  "ai_provider_models",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    providerId: text("provider_id").notNull().references(() => aiProviders.id, { onDelete: "cascade" }),
+    modelId: text("model_id").notNull(),
+    displayName: text("display_name"),
+    contextWindow: integer("context_window"),
+    maxOutputTokens: integer("max_output_tokens"),
+    supportsTools: boolean("supports_tools"),
+    supportsImages: boolean("supports_images"),
+    source: aiProviderModelSourceEnum("source").notNull().default("manual"),
+    enabled: boolean("enabled").notNull().default(true),
+    isDefault: boolean("is_default").notNull().default(false),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("ai_provider_models_provider_idx").on(table.providerId),
+    uniqueIndex("ai_provider_models_provider_model_idx").on(table.providerId, table.modelId)
+  ]
+);
+var aiConversations = pgTable(
+  "ai_conversations",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    title: text("title"),
+    /** Categories granted "for session" in this conversation, e.g. { write: true }. */
+    sessionGrants: jsonb("session_grants").$type().notNull().default({}),
+    /** S3b: tool ids disabled "for this session" in this conversation, e.g. { "tool_id": true }. */
+    sessionDisabledTools: jsonb("session_disabled_tools").$type().notNull().default({}),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("ai_conversations_company_idx").on(table.companyId),
+    index("ai_conversations_company_user_idx").on(table.companyId, table.userId)
+  ]
+);
+var insightInvalidations = pgTable(
+  "insight_invalidations",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    insightType: text("insight_type").notNull(),
+    // dashboard | revenue | expense | scenario
+    mutationSource: text("mutation_source").notNull(),
+    // which data changed: expenses, revenue, headcount, funding, scenarios, accounts
+    firstInvalidatedAt: timestamp("first_invalidated_at", { mode: "date" }).defaultNow().notNull(),
+    lastMutationAt: timestamp("last_mutation_at", { mode: "date" }).defaultNow().notNull(),
+    processedAt: timestamp("processed_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    uniqueIndex("insight_invalidations_company_type_idx").on(
+      table.companyId,
+      table.insightType
+    ),
+    index("insight_invalidations_pending_idx").on(table.processedAt)
+  ]
+);
+var aiInsightCacheTypeEnum = pgEnum("ai_insight_cache_type", [
+  "dashboard",
+  "revenue",
+  "expense",
+  "scenario",
+  "funding",
+  "team",
+  "reports",
+  "general"
+]);
+var aiInsightCache = pgTable(
+  "ai_insight_cache",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    type: aiInsightCacheTypeEnum("type").notNull(),
+    key: text("key").notNull(),
+    content: jsonb("content").notNull(),
+    expiresAt: timestamp("expires_at", { mode: "date" }),
+    staleAt: timestamp("stale_at", { mode: "date" }),
+    staleReason: text("stale_reason"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("ai_insight_cache_company_idx").on(table.companyId),
+    uniqueIndex("ai_insight_cache_company_key_idx").on(
+      table.companyId,
+      table.type,
+      table.key
+    )
+  ]
+);
+var aiMessages = pgTable(
+  "ai_messages",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    conversationId: text("conversation_id").notNull().references(() => aiConversations.id, { onDelete: "cascade" }),
+    role: aiMessageRoleEnum("role").notNull(),
+    content: text("content").notNull(),
+    metadata: jsonb("metadata").$type(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("ai_messages_conversation_created_idx").on(
+      table.conversationId,
+      table.createdAt
+    )
+  ]
+);
+var aiPendingActionKindEnum = pgEnum("ai_pending_action_kind", [
+  "permission",
+  "input",
+  "plan"
+]);
+var aiPendingActions = pgTable(
+  "ai_pending_actions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    conversationId: text("conversation_id").notNull().references(() => aiConversations.id, { onDelete: "cascade" }),
+    /** Correlates the SSE permission_request/paused event with this row. */
+    pauseId: text("pause_id").notNull(),
+    /** Why the turn paused: a permission decision, or a form-input request. */
+    kind: aiPendingActionKindEnum("kind").notNull().default("permission"),
+    /**
+     * The active scenario the paused turn operates in. Resume MUST run approved
+     * write/delete tools against THIS scenario (loaded scoped to companyId), not
+     * getDefaultScenario — otherwise a pause inside a non-default scenario writes
+     * overrides to the wrong overlay (scenario-safety; spec §5).
+     */
+    scenarioId: text("scenario_id").notNull(),
+    /**
+     * AI-01: the WRITE target for the paused turn. NULL = base view (the tool
+     * handler writes to base tables). Distinct from `scenarioId`, which stays
+     * non-null for READ context (buildAiContext/getOverrideCount on resume). Only
+     * an explicitly-selected, company-validated scenario is a write target.
+     */
+    writeScenarioId: text("write_scenario_id"),
+    /** Raw assistant tool-use content blocks for the paused turn. */
+    assistantBlocks: jsonb("assistant_blocks").notNull(),
+    /** tool_result blocks for tools already executed (auto-allowed/denied). */
+    completedResults: jsonb("completed_results").notNull().default([]),
+    /** Actions awaiting a user decision: [{ requestId, tool, category, ... }]. */
+    pending: jsonb("pending").notNull(),
+    /**
+     * Worklog timeline accumulated before this pause (Plan 5 full-run persistence).
+     * Mirrors @burnless/ai's TimelineNode shape; typed `unknown[]` to avoid a
+     * cross-package schema import.
+     */
+    timeline: jsonb("timeline").$type(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    resolvedAt: timestamp("resolved_at", { mode: "date" })
+  },
+  (table) => [
+    index("ai_pending_actions_conversation_idx").on(table.conversationId),
+    // At most one UNRESOLVED pending batch per conversation.
+    uniqueIndex("ai_pending_actions_active_idx").on(table.conversationId).where(sql`${table.resolvedAt} IS NULL`)
+  ]
+);
+var dashboardModeEnum = pgEnum("dashboard_mode", [
+  "intelligence",
+  "dynamic",
+  "custom"
+]);
+var dashboardPreferences = pgTable(
+  "dashboard_preferences",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    /** Global dashboard display mode */
+    mode: dashboardModeEnum("mode").notNull().default("dynamic"),
+    /** Ordered list of hero card metric slugs (4 cards) */
+    heroCards: jsonb("hero_cards").$type().notNull().default([]),
+    /** Ordered list of secondary metric slugs */
+    secondaryMetrics: jsonb("secondary_metrics").$type().notNull().default([]),
+    /** Per-card mode overrides: { [metricSlug]: "intelligence" | "dynamic" | "custom" } */
+    cardModeOverrides: jsonb("card_mode_overrides").$type().notNull().default({}),
+    /** Per-card scenario overrides: { [metricSlug]: scenarioId } */
+    cardScenarioOverrides: jsonb("card_scenario_overrides").$type().notNull().default({}),
+    /** Custom slug overrides: { "pageId:originalSlug": "newSlug" } — card slot → displayed metric */
+    customSlugOverrides: jsonb("custom_slug_overrides").$type().notNull().default({}),
+    /** Typed slot content overrides: { "pageId:slotId": { type, slug?, ... } } */
+    slotOverrides: jsonb("slot_overrides").$type().notNull().default({}),
+    /** Dashboard widget layout: ordered list of { widgetId, w, h } */
+    layout: jsonb("layout").$type().notNull().default([]),
+    /** User-defined custom metric formulas: [{ id, name, formula, dependsOn }] */
+    customMetrics: jsonb("custom_metrics").$type().notNull().default([]),
+    /** Widget IDs the user has explicitly closed/hidden */
+    closedWidgets: jsonb("closed_widgets").$type().notNull().default([]),
+    /**
+     * Per-page layout overrides: { [pageId]: { order: [...], closedWidgets: [...] } }.
+     * `order` is the screen-independent widget order (current model). `layout`
+     * is the legacy coordinate form, retained for backward-compatible reads of
+     * rows written before the fluid-flow migration.
+     */
+    pageLayouts: jsonb("page_layouts").$type().notNull().default({}),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("dashboard_prefs_user_company_idx").on(table.userId, table.companyId)
+  ]
+);
+var usersRelations = relations(users, ({ many }) => ({
+  companyMemberships: many(companyMembers),
+  ownedCompanies: many(companies),
+  dashboardPreferences: many(dashboardPreferences)
+}));
+var companiesRelations = relations(companies, ({ one, many }) => ({
+  owner: one(users, {
+    fields: [companies.ownerId],
+    references: [users.id]
+  }),
+  members: many(companyMembers),
+  financialAccounts: many(financialAccounts),
+  transactions: many(transactions),
+  scenarios: many(scenarios),
+  forecastLines: many(forecastLines),
+  headcountPlans: many(headcountPlans),
+  revenueStreams: many(revenueStreams),
+  departments: many(departments),
+  fundingRounds: many(fundingRounds),
+  metrics: many(metrics),
+  integrations: many(integrations),
+  importBatches: many(importBatches),
+  aiFeatureFlags: many(aiFeatureFlags),
+  aiProviders: many(aiProviders),
+  aiConversations: many(aiConversations),
+  aiInsightCache: many(aiInsightCache),
+  weeklyDigests: many(weeklyDigests),
+  financialAuditLogs: many(financialAuditLogs),
+  dashboardPreferences: many(dashboardPreferences),
+  mcpConnections: many(mcpConnections)
+}));
+var dashboardPreferencesRelations = relations(dashboardPreferences, ({ one }) => ({
+  user: one(users, {
+    fields: [dashboardPreferences.userId],
+    references: [users.id]
+  }),
+  company: one(companies, {
+    fields: [dashboardPreferences.companyId],
+    references: [companies.id]
+  })
+}));
+var companyMembersRelations = relations(companyMembers, ({ one }) => ({
+  company: one(companies, {
+    fields: [companyMembers.companyId],
+    references: [companies.id]
+  }),
+  user: one(users, {
+    fields: [companyMembers.userId],
+    references: [users.id]
+  })
+}));
+var financialAccountsRelations = relations(
+  financialAccounts,
+  ({ one, many }) => ({
+    company: one(companies, {
+      fields: [financialAccounts.companyId],
+      references: [companies.id]
+    }),
+    parent: one(financialAccounts, {
+      fields: [financialAccounts.parentId],
+      references: [financialAccounts.id]
+    }),
+    transactions: many(transactions),
+    forecastLines: many(forecastLines)
+  })
+);
+var transactionsRelations = relations(transactions, ({ one }) => ({
+  company: one(companies, {
+    fields: [transactions.companyId],
+    references: [companies.id]
+  }),
+  account: one(financialAccounts, {
+    fields: [transactions.accountId],
+    references: [financialAccounts.id]
+  }),
+  importBatch: one(importBatches, {
+    fields: [transactions.importBatchId],
+    references: [importBatches.id]
+  })
+}));
+var importBatchesRelations = relations(
+  importBatches,
+  ({ one, many }) => ({
+    company: one(companies, {
+      fields: [importBatches.companyId],
+      references: [companies.id]
+    }),
+    account: one(financialAccounts, {
+      fields: [importBatches.accountId],
+      references: [financialAccounts.id]
+    }),
+    transactions: many(transactions)
+  })
+);
+var scenariosRelations = relations(scenarios, ({ one, many }) => ({
+  company: one(companies, {
+    fields: [scenarios.companyId],
+    references: [companies.id]
+  }),
+  overrides: many(scenarioOverrides)
+}));
+var scenarioOverridesRelations = relations(scenarioOverrides, ({ one }) => ({
+  scenario: one(scenarios, {
+    fields: [scenarioOverrides.scenarioId],
+    references: [scenarios.id]
+  })
+}));
+var forecastLinesRelations = relations(
+  forecastLines,
+  ({ one, many }) => ({
+    company: one(companies, {
+      fields: [forecastLines.companyId],
+      references: [companies.id]
+    }),
+    account: one(financialAccounts, {
+      fields: [forecastLines.accountId],
+      references: [financialAccounts.id]
+    }),
+    values: many(forecastValues)
+  })
+);
+var forecastValuesRelations = relations(forecastValues, ({ one }) => ({
+  forecastLine: one(forecastLines, {
+    fields: [forecastValues.forecastLineId],
+    references: [forecastLines.id]
+  })
+}));
+var departmentsRelations = relations(departments, ({ one, many }) => ({
+  company: one(companies, {
+    fields: [departments.companyId],
+    references: [companies.id]
+  }),
+  headcountPlans: many(headcountPlans)
+}));
+var headcountPlansRelations = relations(headcountPlans, ({ one, many }) => ({
+  company: one(companies, {
+    fields: [headcountPlans.companyId],
+    references: [companies.id]
+  }),
+  department: one(departments, {
+    fields: [headcountPlans.departmentId],
+    references: [departments.id]
+  }),
+  salaryChanges: many(salaryChanges),
+  bonuses: many(bonuses),
+  equityGrants: many(equityGrants)
+}));
+var salaryChangesRelations = relations(salaryChanges, ({ one }) => ({
+  company: one(companies, {
+    fields: [salaryChanges.companyId],
+    references: [companies.id]
+  }),
+  headcount: one(headcountPlans, {
+    fields: [salaryChanges.headcountId],
+    references: [headcountPlans.id]
+  })
+}));
+var bonusesRelations = relations(bonuses, ({ one }) => ({
+  company: one(companies, {
+    fields: [bonuses.companyId],
+    references: [companies.id]
+  }),
+  headcount: one(headcountPlans, {
+    fields: [bonuses.headcountId],
+    references: [headcountPlans.id]
+  })
+}));
+var equityGrantsRelations = relations(equityGrants, ({ one }) => ({
+  company: one(companies, {
+    fields: [equityGrants.companyId],
+    references: [companies.id]
+  }),
+  headcount: one(headcountPlans, {
+    fields: [equityGrants.headcountId],
+    references: [headcountPlans.id]
+  })
+}));
+var revenueStreamsRelations = relations(revenueStreams, ({ one }) => ({
+  company: one(companies, {
+    fields: [revenueStreams.companyId],
+    references: [companies.id]
+  })
+}));
+var fundingRoundsRelations = relations(fundingRounds, ({ one, many }) => ({
+  company: one(companies, { fields: [fundingRounds.companyId], references: [companies.id] }),
+  investors: many(fundingRoundInvestors)
+}));
+var fundingRoundInvestorsRelations = relations(fundingRoundInvestors, ({ one }) => ({
+  round: one(fundingRounds, {
+    fields: [fundingRoundInvestors.fundingRoundId],
+    references: [fundingRounds.id]
+  })
+}));
+var shareClassesRelations = relations(shareClasses, ({ one }) => ({
+  company: one(companies, { fields: [shareClasses.companyId], references: [companies.id] })
+}));
+var optionPoolsRelations = relations(optionPools, ({ one }) => ({
+  company: one(companies, { fields: [optionPools.companyId], references: [companies.id] })
+}));
+var metricsRelations = relations(metrics, ({ one }) => ({
+  company: one(companies, {
+    fields: [metrics.companyId],
+    references: [companies.id]
+  })
+}));
+var integrationsRelations = relations(integrations, ({ one }) => ({
+  company: one(companies, {
+    fields: [integrations.companyId],
+    references: [companies.id]
+  })
+}));
+var aiFeatureFlagsRelations = relations(aiFeatureFlags, ({ one }) => ({
+  company: one(companies, {
+    fields: [aiFeatureFlags.companyId],
+    references: [companies.id]
+  })
+}));
+var aiProvidersRelations = relations(aiProviders, ({ one, many }) => ({
+  company: one(companies, { fields: [aiProviders.companyId], references: [companies.id] }),
+  models: many(aiProviderModels)
+}));
+var aiProviderModelsRelations = relations(aiProviderModels, ({ one }) => ({
+  provider: one(aiProviders, { fields: [aiProviderModels.providerId], references: [aiProviders.id] })
+}));
+var aiConversationsRelations = relations(
+  aiConversations,
+  ({ one, many }) => ({
+    company: one(companies, {
+      fields: [aiConversations.companyId],
+      references: [companies.id]
+    }),
+    user: one(users, {
+      fields: [aiConversations.userId],
+      references: [users.id]
+    }),
+    messages: many(aiMessages)
+  })
+);
+var aiInsightCacheRelations = relations(aiInsightCache, ({ one }) => ({
+  company: one(companies, {
+    fields: [aiInsightCache.companyId],
+    references: [companies.id]
+  })
+}));
+var aiMessagesRelations = relations(aiMessages, ({ one }) => ({
+  conversation: one(aiConversations, {
+    fields: [aiMessages.conversationId],
+    references: [aiConversations.id]
+  })
+}));
+var weeklyDigests = pgTable(
+  "weekly_digests",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    weekStart: timestamp("week_start", { mode: "date" }).notNull(),
+    metrics: jsonb("metrics").notNull(),
+    narrative: text("narrative"),
+    deterministicSummary: text("deterministic_summary").notNull(),
+    emailSentAt: timestamp("email_sent_at", { mode: "date" }),
+    dismissedAt: timestamp("dismissed_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("weekly_digests_company_idx").on(table.companyId),
+    uniqueIndex("weekly_digests_company_week_idx").on(
+      table.companyId,
+      table.weekStart
+    )
+  ]
+);
+var weeklyDigestsRelations = relations(weeklyDigests, ({ one }) => ({
+  company: one(companies, {
+    fields: [weeklyDigests.companyId],
+    references: [companies.id]
+  })
+}));
+var consentPurposeEnum = pgEnum("consent_purpose", [
+  "data_processing",
+  "ai_features",
+  "marketing",
+  "analytics"
+]);
+var privacyConsents = pgTable(
+  "privacy_consents",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    purpose: consentPurposeEnum("purpose").notNull(),
+    granted: boolean("granted").notNull(),
+    ipAddress: text("ip_address"),
+    userAgent: text("user_agent"),
+    grantedAt: timestamp("granted_at", { mode: "date" }).defaultNow().notNull(),
+    revokedAt: timestamp("revoked_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("privacy_consents_user_idx").on(table.userId),
+    index("privacy_consents_user_purpose_idx").on(table.userId, table.purpose)
+  ]
+);
+var privacyConsentsRelations = relations(
+  privacyConsents,
+  ({ one }) => ({
+    user: one(users, {
+      fields: [privacyConsents.userId],
+      references: [users.id]
+    })
+  })
+);
+var merchantCategoryMappings = pgTable(
+  "merchant_category_mappings",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    merchantPattern: text("merchant_pattern").notNull(),
+    accountId: text("account_id").notNull().references(() => financialAccounts.id, { onDelete: "cascade" }),
+    category: accountCategoryEnum("category").notNull(),
+    subcategory: text("subcategory").notNull(),
+    source: text("source").notNull().default("user_override"),
+    overrideCount: integer("override_count").notNull().default(1),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    index("merchant_mappings_company_idx").on(table.companyId),
+    index("merchant_mappings_pattern_idx").on(table.merchantPattern),
+    index("merchant_mappings_account_idx").on(table.accountId),
+    uniqueIndex("merchant_mappings_company_pattern_idx").on(
+      table.companyId,
+      table.merchantPattern
+    )
+  ]
+);
+var merchantCategoryMappingsRelations = relations(
+  merchantCategoryMappings,
+  ({ one }) => ({
+    company: one(companies, {
+      fields: [merchantCategoryMappings.companyId],
+      references: [companies.id]
+    }),
+    account: one(financialAccounts, {
+      fields: [merchantCategoryMappings.accountId],
+      references: [financialAccounts.id]
+    })
+  })
+);
+var auditActionEnum = pgEnum("audit_action", [
+  "create",
+  "update",
+  "delete",
+  "import",
+  "rollback"
+]);
+var auditEntityTypeEnum = pgEnum("audit_entity_type", [
+  "transaction",
+  "financial_account",
+  "scenario",
+  "forecast_line",
+  "forecast_value",
+  "headcount_plan",
+  "revenue_stream",
+  "funding_round",
+  "import_batch",
+  "department",
+  "metric",
+  "salary_change",
+  "bonus",
+  "equity_grant",
+  "funding_round_investor",
+  "share_class",
+  "option_pool"
+]);
+var financialAuditLogs = pgTable(
+  "financial_audit_logs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    entityType: auditEntityTypeEnum("entity_type").notNull(),
+    entityId: text("entity_id").notNull(),
+    action: auditActionEnum("action").notNull(),
+    changes: jsonb("changes"),
+    // { before?: Record, after?: Record } — null for creates/deletes when full snapshot not needed
+    metadata: jsonb("metadata"),
+    // extra context: IP, user agent, import batch ID, etc.
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("financial_audit_company_idx").on(table.companyId),
+    index("financial_audit_entity_idx").on(table.entityType, table.entityId),
+    index("financial_audit_user_idx").on(table.companyId, table.userId),
+    index("financial_audit_created_idx").on(table.companyId, table.createdAt)
+  ]
+);
+var financialAuditLogsRelations = relations(
+  financialAuditLogs,
+  ({ one }) => ({
+    company: one(companies, {
+      fields: [financialAuditLogs.companyId],
+      references: [companies.id]
+    }),
+    user: one(users, {
+      fields: [financialAuditLogs.userId],
+      references: [users.id]
+    })
+  })
+);
+var scheduledJobActionKindEnum = pgEnum("scheduled_job_action_kind", ["write", "notify"]);
+var scheduledJobStatusEnum = pgEnum("scheduled_job_status", [
+  "active",
+  "disabled",
+  "auto_disabled",
+  "error"
+]);
+var scheduledJobNotifyPolicyEnum = pgEnum("scheduled_job_notify_policy", [
+  "smart",
+  "failures",
+  "every",
+  "off"
+]);
+var scheduledJobRunStatusEnum = pgEnum("scheduled_job_run_status", [
+  "running",
+  "success",
+  "failed",
+  "missed"
+]);
+var scheduledJobRunTriggerEnum = pgEnum("scheduled_job_run_trigger", [
+  "schedule",
+  "manual",
+  "dry_run"
+]);
+var scheduledJobs = pgTable(
+  "scheduled_jobs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    createdByUserId: text("created_by_user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    name: text("name").notNull(),
+    prompt: text("prompt").notNull(),
+    actionKind: scheduledJobActionKindEnum("action_kind").notNull(),
+    /** Frozen tool-name allowlist (financial tool names + `mcp__*` names). */
+    allowedTools: jsonb("allowed_tools").$type().notNull().default([]),
+    /** MCP connection ids whose creds the run resolves. */
+    boundConnectionIds: jsonb("bound_connection_ids").$type().notNull().default([]),
+    /** 5-field UTC cron expression. */
+    schedule: text("schedule").notNull(),
+    timezone: text("timezone").notNull().default("UTC"),
+    enabled: boolean("enabled").notNull().default(true),
+    status: scheduledJobStatusEnum("status").notNull().default("active"),
+    notifyPolicy: scheduledJobNotifyPolicyEnum("notify_policy").notNull().default("smart"),
+    consecutiveFailures: integer("consecutive_failures").notNull().default(0),
+    lastRunAt: timestamp("last_run_at", { mode: "date" }),
+    nextRunAt: timestamp("next_run_at", { mode: "date" }),
+    /** Idempotency context handed to the agent on the next run (last-run cursor/summary). */
+    lastRunCursor: jsonb("last_run_cursor").$type(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date()),
+    deletedAt: timestamp("deleted_at", { mode: "date" })
+  },
+  (table) => [
+    index("scheduled_jobs_company_idx").on(table.companyId),
+    index("scheduled_jobs_due_idx").on(table.enabled, table.nextRunAt)
+  ]
+);
+var scheduledJobRuns = pgTable(
+  "scheduled_job_runs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    scheduledJobId: text("scheduled_job_id").notNull().references(() => scheduledJobs.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    status: scheduledJobRunStatusEnum("status").notNull(),
+    trigger: scheduledJobRunTriggerEnum("trigger").notNull(),
+    startedAt: timestamp("started_at", { mode: "date" }).defaultNow().notNull(),
+    finishedAt: timestamp("finished_at", { mode: "date" }),
+    durationMs: integer("duration_ms"),
+    tokensUsed: integer("tokens_used"),
+    summary: text("summary"),
+    output: jsonb("output").$type(),
+    error: text("error")
+  },
+  (table) => [
+    index("scheduled_job_runs_job_idx").on(table.scheduledJobId, table.startedAt),
+    index("scheduled_job_runs_company_idx").on(table.companyId)
+  ]
+);
+var aiToolAuditLogStatusEnum = pgEnum("ai_tool_audit_log_status", [
+  "success",
+  "error",
+  "validation_error",
+  "pending_apply"
+]);
+var aiToolAuditLogs = pgTable(
+  "ai_tool_audit_logs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    conversationId: text("conversation_id").references(() => aiConversations.id, { onDelete: "set null" }),
+    /** Set when the tool was an external MCP tool (spec §3.3 audit reuse). */
+    mcpConnectionId: text("mcp_connection_id").references(() => mcpConnections.id, { onDelete: "set null" }),
+    /** When set, links every tool call to its scheduled-job run (S3a Plan 4). */
+    scheduledJobRunId: text("scheduled_job_run_id").references(() => scheduledJobRuns.id, { onDelete: "set null" }),
+    toolName: text("tool_name").notNull(),
+    input: jsonb("input").notNull(),
+    status: aiToolAuditLogStatusEnum("status").notNull(),
+    permissionDecision: aiToolPermissionDecisionEnum("permission_decision"),
+    result: jsonb("result"),
+    durationMs: integer("duration_ms"),
+    /** Audit attribution (expose spec B5): where the call came from.
+     *  Existing chat writers rely on the default — do not backfill. */
+    source: text("source").notNull().default("chat"),
+    /** "pat" | "oauth" — set only for source='mcp_server' rows. */
+    credentialType: text("credential_type"),
+    /** apiTokens.id (PAT) or oauthTokens.grantId (OAuth grant family). */
+    credentialId: text("credential_id"),
+    /** MCP initialize handshake identity, e.g. { name: "burnless-cli", version: "0.1.0" }. */
+    clientInfo: jsonb("client_info").$type(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("ai_tool_audit_company_idx").on(table.companyId),
+    index("ai_tool_audit_user_idx").on(table.companyId, table.userId),
+    index("ai_tool_audit_created_idx").on(table.companyId, table.createdAt),
+    index("ai_tool_audit_tool_idx").on(table.companyId, table.toolName),
+    index("ai_tool_audit_conversation_idx").on(table.conversationId),
+    index("ai_tool_audit_mcp_connection_idx").on(table.mcpConnectionId),
+    index("ai_tool_audit_scheduled_job_run_idx").on(table.scheduledJobRunId)
+  ]
+);
+var inviteCodeTypeEnum = pgEnum("invite_code_type", [
+  "single_use",
+  "multi_use"
+]);
+var inviteCodes = pgTable(
+  "invite_codes",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    code: text("code").notNull(),
+    type: inviteCodeTypeEnum("type").notNull().default("single_use"),
+    maxRedemptions: integer("max_redemptions").notNull().default(1),
+    currentRedemptions: integer("current_redemptions").notNull().default(0),
+    expiresAt: timestamp("expires_at", { mode: "date" }),
+    freePlatformDays: integer("free_platform_days").notNull().default(30),
+    aiCreditsCents: integer("ai_credits_cents").notNull().default(5e3),
+    // $50 default
+    isActive: boolean("is_active").notNull().default(true),
+    createdBy: text("created_by").notNull().references(() => users.id, { onDelete: "cascade" }),
+    note: text("note"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("invite_codes_code_idx").on(table.code),
+    index("invite_codes_created_by_idx").on(table.createdBy),
+    index("invite_codes_active_idx").on(table.isActive)
+  ]
+);
+var inviteCodeRedemptions = pgTable(
+  "invite_code_redemptions",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    inviteCodeId: text("invite_code_id").notNull().references(() => inviteCodes.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    redeemedAt: timestamp("redeemed_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("invite_redemptions_code_idx").on(table.inviteCodeId),
+    uniqueIndex("invite_redemptions_user_code_idx").on(
+      table.inviteCodeId,
+      table.userId
+    )
+  ]
+);
+var inviteCodesRelations = relations(inviteCodes, ({ one, many }) => ({
+  creator: one(users, {
+    fields: [inviteCodes.createdBy],
+    references: [users.id]
+  }),
+  redemptions: many(inviteCodeRedemptions)
+}));
+var inviteCodeRedemptionsRelations = relations(
+  inviteCodeRedemptions,
+  ({ one }) => ({
+    inviteCode: one(inviteCodes, {
+      fields: [inviteCodeRedemptions.inviteCodeId],
+      references: [inviteCodes.id]
+    }),
+    user: one(users, {
+      fields: [inviteCodeRedemptions.userId],
+      references: [users.id]
+    })
+  })
+);
+var aiToolAuditLogsRelations = relations(aiToolAuditLogs, ({ one }) => ({
+  company: one(companies, {
+    fields: [aiToolAuditLogs.companyId],
+    references: [companies.id]
+  }),
+  user: one(users, {
+    fields: [aiToolAuditLogs.userId],
+    references: [users.id]
+  }),
+  conversation: one(aiConversations, {
+    fields: [aiToolAuditLogs.conversationId],
+    references: [aiConversations.id]
+  }),
+  mcpConnection: one(mcpConnections, {
+    fields: [aiToolAuditLogs.mcpConnectionId],
+    references: [mcpConnections.id]
+  })
+}));
+var mcpConnectionsRelations = relations(mcpConnections, ({ one, many }) => ({
+  company: one(companies, {
+    fields: [mcpConnections.companyId],
+    references: [companies.id]
+  }),
+  ownerUser: one(users, {
+    fields: [mcpConnections.ownerUserId],
+    references: [users.id]
+  }),
+  credentials: many(mcpCredentials),
+  toolPrefs: many(mcpToolPrefs)
+}));
+var mcpCredentialsRelations = relations(mcpCredentials, ({ one }) => ({
+  mcpConnection: one(mcpConnections, {
+    fields: [mcpCredentials.mcpConnectionId],
+    references: [mcpConnections.id]
+  })
+}));
+var mcpToolPrefsRelations = relations(mcpToolPrefs, ({ one }) => ({
+  mcpConnection: one(mcpConnections, {
+    fields: [mcpToolPrefs.mcpConnectionId],
+    references: [mcpConnections.id]
+  })
+}));
+var quickActionModeEnum = pgEnum("quick_action_mode", [
+  "intelligence",
+  "dynamic",
+  "custom"
+]);
+var userPreferences = pgTable(
+  "user_preferences",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    sidebarOrder: jsonb("sidebar_order").$type(),
+    // ordered array of nav item IDs
+    quickActionMode: quickActionModeEnum("quick_action_mode").notNull().default("dynamic"),
+    quickActionModeOverrides: jsonb("quick_action_mode_overrides").$type(),
+    // per-action mode overrides
+    customQuickActions: jsonb("custom_quick_actions").$type(),
+    // IDs of pinned quick actions
+    sidebarCollapsed: boolean("sidebar_collapsed").notNull().default(false),
+    /** D11: connection ids this user removed from THEIR AI context (AI-sidebar kill-switch). */
+    disabledMcpConnections: jsonb("disabled_mcp_connections").$type(),
+    /** S3b: built-in tool ids this user disabled from THEIR AI context (Tools-pane kill-switch). */
+    disabledBuiltinTools: jsonb("disabled_builtin_tools").$type(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("user_preferences_user_company_idx").on(
+      table.userId,
+      table.companyId
+    )
+  ]
+);
+var userPreferencesRelations = relations(
+  userPreferences,
+  ({ one }) => ({
+    user: one(users, {
+      fields: [userPreferences.userId],
+      references: [users.id]
+    }),
+    company: one(companies, {
+      fields: [userPreferences.companyId],
+      references: [companies.id]
+    })
+  })
+);
+var aiPermissionDefaults = pgTable(
+  "ai_permission_defaults",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    readMode: aiPermissionModeEnum("read_mode").notNull().default("always"),
+    writeMode: aiPermissionModeEnum("write_mode").notNull().default("ask"),
+    // Delete never offers "always" (enforced in app + resolver); column reuses the
+    // shared enum but only "ask" / "session" are ever written.
+    deleteMode: aiPermissionModeEnum("delete_mode").notNull().default("ask"),
+    webSearchMode: aiPermissionModeEnum("web_search_mode").notNull().default("always"),
+    browserUseMode: aiPermissionModeEnum("browser_use_mode").notNull().default("ask"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { mode: "date" }).defaultNow().notNull().$onUpdate(() => /* @__PURE__ */ new Date())
+  },
+  (table) => [
+    uniqueIndex("ai_permission_defaults_user_company_idx").on(
+      table.userId,
+      table.companyId
+    )
+  ]
+);
+var aiUsageLogs = pgTable(
+  "ai_usage_logs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    feature: text("feature").notNull(),
+    tier: text("tier").notNull(),
+    provider: text("provider").notNull(),
+    model: text("model").notNull(),
+    inputTokens: integer("input_tokens").notNull(),
+    outputTokens: integer("output_tokens").notNull(),
+    estimatedCostMicros: integer("estimated_cost_micros").notNull().default(0),
+    durationMs: integer("duration_ms"),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("ai_usage_company_idx").on(table.companyId),
+    index("ai_usage_feature_idx").on(table.companyId, table.feature),
+    index("ai_usage_created_idx").on(table.companyId, table.createdAt)
+  ]
+);
+var exportLogs = pgTable(
+  "export_logs",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    exportType: text("export_type").notNull(),
+    format: text("format").notNull(),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("export_logs_company_idx").on(table.companyId),
+    index("export_logs_company_created_idx").on(table.companyId, table.createdAt),
+    index("export_logs_user_idx").on(table.userId)
+  ]
+);
+var notifications = pgTable(
+  "notifications",
+  {
+    id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
+    companyId: text("company_id").notNull().references(() => companies.id, { onDelete: "cascade" }),
+    userId: text("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
+    category: text("category").notNull(),
+    title: text("title").notNull(),
+    body: text("body"),
+    severity: notificationSeverityEnum("severity").notNull().default("info"),
+    link: text("link"),
+    metadata: jsonb("metadata"),
+    readAt: timestamp("read_at", { mode: "date" }),
+    createdAt: timestamp("created_at", { mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index("notifications_user_idx").on(table.userId, table.companyId),
+    index("notifications_unread_idx").on(table.userId, table.readAt),
+    index("notifications_created_idx").on(table.createdAt)
+  ]
+);
+
+// ../db/src/client/resolve.ts
+import { homedir } from "os";
+import { join } from "path";
+var BurnlessDbConfigError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "BurnlessDbConfigError";
+  }
+};
+var POSTGRES_URL = /^postgres(ql)?:\/\//i;
+function defaultDataDir(env) {
+  return env.BURNLESS_DATA_DIR && env.BURNLESS_DATA_DIR.trim().length > 0 ? env.BURNLESS_DATA_DIR : join(homedir(), ".burnless", "data");
+}
+function resolveDriver(env) {
+  const override = env.BURNLESS_DB_DRIVER?.trim().toLowerCase();
+  const url = env.DATABASE_URL;
+  const hasPgUrl = typeof url === "string" && POSTGRES_URL.test(url);
+  if (override) {
+    if (override === "postgres") {
+      if (!hasPgUrl) {
+        throw new BurnlessDbConfigError(
+          "BURNLESS_DB_DRIVER=postgres requires a postgres(ql):// DATABASE_URL"
+        );
+      }
+      return { driver: "postgres", connectionString: url };
+    }
+    if (override === "pglite") {
+      return { driver: "pglite", dataDir: defaultDataDir(env) };
+    }
+    throw new BurnlessDbConfigError(
+      `Unknown BURNLESS_DB_DRIVER="${env.BURNLESS_DB_DRIVER}" (expected "postgres" or "pglite")`
+    );
+  }
+  if (hasPgUrl) return { driver: "postgres", connectionString: url };
+  return { driver: "pglite", dataDir: defaultDataDir(env) };
+}
+
+// ../db/src/client/create.ts
+import { mkdirSync } from "fs";
+import { createRequire } from "module";
+import { pathToFileURL } from "url";
+import { PGlite } from "@electric-sql/pglite";
+function pgliteVectorExtension() {
+  const fromEnv = process.env.BURNLESS_PGLITE_VECTOR_BUNDLE?.trim();
+  const bundlePath = fromEnv ? pathToFileURL(fromEnv) : new URL(
+    "./vector.tar.gz",
+    pathToFileURL(
+      createRequire(import.meta.url).resolve("@electric-sql/pglite-pgvector")
+    )
+  );
+  return {
+    name: "vector",
+    setup: async (_pg, emscriptenOpts) => ({ emscriptenOpts, bundlePath })
+  };
+}
+async function createClient(resolved) {
+  if (resolved.driver === "postgres") {
+    const { drizzle: drizzlePostgres } = await import("./postgres-js-SQJTBL3M.js");
+    const { default: postgres } = await import("./src-LUBD7RKO.js");
+    const client = postgres(resolved.connectionString, { max: 10 });
+    return {
+      db: drizzlePostgres(client, { schema: schema_exports }),
+      dialect: "postgres",
+      raw: client,
+      close: () => client.end()
+    };
+  }
+  mkdirSync(resolved.dataDir, { recursive: true });
+  const { drizzle: drizzlePglite } = await import("./pglite-KKF2QVEJ.js");
+  const pglite = await PGlite.create(resolved.dataDir, {
+    extensions: { vector: pgliteVectorExtension() }
+  });
+  const db2 = drizzlePglite(pglite, { schema: schema_exports });
+  await db2.execute(sql`CREATE EXTENSION IF NOT EXISTS vector`);
+  return {
+    db: db2,
+    dialect: "pglite",
+    raw: pglite,
+    close: () => pglite.close()
+  };
+}
+
+// ../db/src/client/migrate.ts
+import { dirname, join as join2 } from "path";
+import { fileURLToPath } from "url";
+
+// ../../node_modules/.pnpm/drizzle-orm@0.38.4_@electric-sql+pglite@0.5.2_@opentelemetry+api@1.9.0_@types+pg@8.15.6_75139cca41f10c6d94ac9ad65d4511ab/node_modules/drizzle-orm/migrator.js
+import crypto2 from "crypto";
+import fs from "fs";
+function readMigrationFiles(config) {
+  const migrationFolderTo = config.migrationsFolder;
+  const migrationQueries = [];
+  const journalPath = `${migrationFolderTo}/meta/_journal.json`;
+  if (!fs.existsSync(journalPath)) {
+    throw new Error(`Can't find meta/_journal.json file`);
+  }
+  const journalAsString = fs.readFileSync(`${migrationFolderTo}/meta/_journal.json`).toString();
+  const journal = JSON.parse(journalAsString);
+  for (const journalEntry of journal.entries) {
+    const migrationPath = `${migrationFolderTo}/${journalEntry.tag}.sql`;
+    try {
+      const query = fs.readFileSync(`${migrationFolderTo}/${journalEntry.tag}.sql`).toString();
+      const result = query.split("--> statement-breakpoint").map((it) => {
+        return it;
+      });
+      migrationQueries.push({
+        sql: result,
+        bps: journalEntry.breakpoints,
+        folderMillis: journalEntry.when,
+        hash: crypto2.createHash("sha256").update(query).digest("hex")
+      });
+    } catch {
+      throw new Error(`No file ${migrationPath} found in ${migrationFolderTo} folder`);
+    }
+  }
+  return migrationQueries;
+}
+
+// ../../node_modules/.pnpm/drizzle-orm@0.38.4_@electric-sql+pglite@0.5.2_@opentelemetry+api@1.9.0_@types+pg@8.15.6_75139cca41f10c6d94ac9ad65d4511ab/node_modules/drizzle-orm/pglite/migrator.js
+async function migrate(db2, config) {
+  const migrations = readMigrationFiles(config);
+  await db2.dialect.migrate(migrations, db2.session, config);
+}
+
+// ../../node_modules/.pnpm/drizzle-orm@0.38.4_@electric-sql+pglite@0.5.2_@opentelemetry+api@1.9.0_@types+pg@8.15.6_75139cca41f10c6d94ac9ad65d4511ab/node_modules/drizzle-orm/postgres-js/migrator.js
+async function migrate2(db2, config) {
+  const migrations = readMigrationFiles(config);
+  await db2.dialect.migrate(migrations, db2.session, config);
+}
+
+// ../db/src/client/migrate.ts
+function shouldAutoMigrate(dialect, env) {
+  const raw = env.BURNLESS_AUTO_MIGRATE;
+  if (typeof raw === "string" && raw.length > 0) return raw === "true";
+  return dialect === "pglite";
+}
+function getMigrationsFolder() {
+  const override = process.env.BURNLESS_MIGRATIONS_DIR;
+  if (override && override.trim().length > 0) return override;
+  return join2(dirname(fileURLToPath(import.meta.url)), "../../drizzle");
+}
+async function applyMigrations(handle) {
+  const migrationsFolder = getMigrationsFolder();
+  if (handle.dialect === "pglite") {
+    await migrate(handle.db, { migrationsFolder });
+  } else {
+    await migrate2(handle.db, { migrationsFolder });
+  }
+}
+
+// ../db/src/queries/company.ts
+async function getCompanyForUser(userId) {
+  const [membership] = await db.select({ companyId: companyMembers.companyId, role: companyMembers.role }).from(companyMembers).where(eq(companyMembers.userId, userId)).limit(1);
+  return membership ?? null;
+}
+async function getUserWithCompany(userId) {
+  const [row] = await db.select({
+    id: users.id,
+    email: users.email,
+    name: users.name,
+    image: users.image,
+    companyId: companyMembers.companyId,
+    role: companyMembers.role
+  }).from(users).innerJoin(companyMembers, eq(companyMembers.userId, users.id)).where(eq(users.id, userId)).limit(1);
+  return row ?? null;
+}
+async function getCompanyById(companyId) {
+  const [row] = await db.select().from(companies).where(eq(companies.id, companyId)).limit(1);
+  return row ?? null;
+}
+async function listCompaniesForUser(userId) {
+  return db.select({
+    companyId: companyMembers.companyId,
+    role: companyMembers.role,
+    name: companies.name
+  }).from(companyMembers).innerJoin(companies, eq(companyMembers.companyId, companies.id)).where(eq(companyMembers.userId, userId));
+}
+
+// ../db/src/queries/scenario.ts
+var notDeleted = isNull(scenarios.deletedAt);
+async function getScenarioForCompany(scenarioId, companyId) {
+  const [row] = await db.select().from(scenarios).where(and(eq(scenarios.id, scenarioId), eq(scenarios.companyId, companyId), notDeleted));
+  return row ?? null;
+}
+async function getDefaultScenario(companyId) {
+  const [row] = await db.select().from(scenarios).where(and(eq(scenarios.companyId, companyId), notDeleted)).orderBy(scenarios.createdAt).limit(1);
+  return row ?? null;
+}
+async function getScenarioData(scenarioId, companyId) {
+  const [fLines, accounts2, revStreams, hcPlans] = await Promise.all([
+    db.select().from(forecastLines).where(eq(forecastLines.companyId, companyId)),
+    db.select().from(financialAccounts).where(eq(financialAccounts.companyId, companyId)),
+    db.select().from(revenueStreams).where(eq(revenueStreams.companyId, companyId)),
+    db.select().from(headcountPlans).where(eq(headcountPlans.companyId, companyId))
+  ]);
+  return { forecastLines: fLines, accounts: accounts2, revenueStreams: revStreams, headcountPlans: hcPlans };
+}
+async function getScenarioDataWithValues(scenarioId, companyId) {
+  const base = await getScenarioData(scenarioId, companyId);
+  const lineIds = base.forecastLines.map((l) => l.id);
+  const [values, funding] = await Promise.all([
+    lineIds.length > 0 ? db.select().from(forecastValues).where(inArray(forecastValues.forecastLineId, lineIds)) : Promise.resolve([]),
+    db.select().from(fundingRounds).where(eq(fundingRounds.companyId, companyId))
+  ]);
+  return { ...base, forecastValues: values, fundingRounds: funding };
+}
+
+// ../db/src/queries/crud.ts
+async function findByIdForCompany(table, id, companyId) {
+  const [row] = await db.select().from(table).where(and(eq(table.id, id), eq(table.companyId, companyId))).limit(1);
+  return row ?? null;
+}
+async function updateForCompany(table, id, companyId, data) {
+  const [row] = await db.update(table).set(data).where(and(eq(table.id, id), eq(table.companyId, companyId))).returning();
+  return row ?? null;
+}
+async function deleteForCompany(table, id, companyId) {
+  const [row] = await db.delete(table).where(and(eq(table.id, id), eq(table.companyId, companyId))).returning();
+  return row ?? null;
+}
+async function listForCompany(table, companyId) {
+  const rows = await db.select().from(table).where(eq(table.companyId, companyId));
+  return rows;
+}
+
+// ../db/src/queries/scenario-overrides.ts
+async function getOverridesForScenario(scenarioId, entityType) {
+  const conditions = [eq(scenarioOverrides.scenarioId, scenarioId)];
+  if (entityType) conditions.push(eq(scenarioOverrides.entityType, entityType));
+  return db.select().from(scenarioOverrides).where(and(...conditions));
+}
+async function upsertOverride(scenarioId, entityType, entityId, action, data, originalData) {
+  return db.insert(scenarioOverrides).values({
+    scenarioId,
+    entityType,
+    entityId,
+    action,
+    data,
+    originalData
+  }).onConflictDoUpdate({
+    target: [
+      scenarioOverrides.scenarioId,
+      scenarioOverrides.entityType,
+      scenarioOverrides.entityId
+    ],
+    set: { action, data, originalData, updatedAt: /* @__PURE__ */ new Date() }
+  }).returning();
+}
+async function deleteOverride(overrideId) {
+  return db.delete(scenarioOverrides).where(eq(scenarioOverrides.id, overrideId));
+}
+async function deleteOverrideByEntity(scenarioId, entityType, entityId) {
+  return db.delete(scenarioOverrides).where(
+    and(
+      eq(scenarioOverrides.scenarioId, scenarioId),
+      eq(scenarioOverrides.entityType, entityType),
+      eq(scenarioOverrides.entityId, entityId)
+    )
+  );
+}
+async function getOverrideCount(scenarioId) {
+  const [result] = await db.select({ count: sql`count(*)::int` }).from(scenarioOverrides).where(eq(scenarioOverrides.scenarioId, scenarioId));
+  return result?.count ?? 0;
+}
+async function getOverrideCounts(scenarioIds) {
+  if (scenarioIds.length === 0) return /* @__PURE__ */ new Map();
+  const rows = await db.select({
+    scenarioId: scenarioOverrides.scenarioId,
+    count: sql`count(*)::int`
+  }).from(scenarioOverrides).where(inArray(scenarioOverrides.scenarioId, scenarioIds)).groupBy(scenarioOverrides.scenarioId);
+  const map = /* @__PURE__ */ new Map();
+  for (const r of rows) map.set(r.scenarioId, r.count);
+  return map;
+}
+async function getOverrideBreakdown(scenarioIds) {
+  if (scenarioIds.length === 0) return [];
+  return db.select({
+    scenarioId: scenarioOverrides.scenarioId,
+    entityType: scenarioOverrides.entityType,
+    action: scenarioOverrides.action,
+    count: sql`count(*)::int`
+  }).from(scenarioOverrides).where(inArray(scenarioOverrides.scenarioId, scenarioIds)).groupBy(scenarioOverrides.scenarioId, scenarioOverrides.entityType, scenarioOverrides.action);
+}
+
+// ../db/src/queries/funding.ts
+async function listInvestorsForRound(fundingRoundId) {
+  return db.select().from(fundingRoundInvestors).where(eq(fundingRoundInvestors.fundingRoundId, fundingRoundId)).orderBy(asc(fundingRoundInvestors.createdAt));
+}
+async function listShareClasses(companyId) {
+  return db.select().from(shareClasses).where(and(eq(shareClasses.companyId, companyId), isNull(shareClasses.deletedAt))).orderBy(asc(shareClasses.createdAt));
+}
+async function listOptionPools(companyId) {
+  return db.select().from(optionPools).where(and(eq(optionPools.companyId, companyId), isNull(optionPools.deletedAt))).orderBy(asc(optionPools.createdAt));
+}
+async function createShareClass(companyId, data) {
+  const [row] = await db.insert(shareClasses).values({ ...data, companyId }).returning();
+  return row;
+}
+async function updateShareClass(id, companyId, changes) {
+  return updateForCompany(shareClasses, id, companyId, changes);
+}
+async function softDeleteShareClass(id, companyId) {
+  return updateForCompany(shareClasses, id, companyId, { deletedAt: /* @__PURE__ */ new Date() });
+}
+async function createOptionPool(companyId, data) {
+  const [row] = await db.insert(optionPools).values({ ...data, companyId }).returning();
+  return row;
+}
+async function updateOptionPool(id, companyId, changes) {
+  return updateForCompany(optionPools, id, companyId, changes);
+}
+async function softDeleteOptionPool(id, companyId) {
+  return updateForCompany(optionPools, id, companyId, { deletedAt: /* @__PURE__ */ new Date() });
+}
+async function countOptionPools(companyId) {
+  const [result] = await db.select({ count: sql`count(*)::int` }).from(optionPools).where(and(eq(optionPools.companyId, companyId), isNull(optionPools.deletedAt)));
+  return result?.count ?? 0;
+}
+
+// ../db/src/queries/scenario-resolver.ts
+async function resolveEntities(entityType, baseEntities, scenarioId) {
+  if (!scenarioId) {
+    return baseEntities.map((e) => ({ ...e, _override: null }));
+  }
+  const overrides = await db.select().from(scenarioOverrides).where(
+    and(
+      eq(scenarioOverrides.scenarioId, scenarioId),
+      eq(scenarioOverrides.entityType, entityType)
+    )
+  );
+  const overrideMap = new Map(overrides.map((o) => [o.entityId, o]));
+  const matchedOverrideIds = /* @__PURE__ */ new Set();
+  const result = [];
+  for (const entity of baseEntities) {
+    const override = overrideMap.get(entity.id);
+    if (!override) {
+      result.push({ ...entity, _override: null });
+    } else if (override.action === "modify") {
+      matchedOverrideIds.add(override.id);
+      result.push({ ...override.data, _override: "modified" });
+    } else if (override.action === "delete") {
+      matchedOverrideIds.add(override.id);
+      continue;
+    }
+  }
+  for (const o of overrides.filter((o2) => o2.action === "create")) {
+    result.push({ ...o.data, _override: "created" });
+  }
+  for (const o of overrides.filter(
+    (o2) => o2.action === "modify" && !matchedOverrideIds.has(o2.id)
+  )) {
+    result.push({ ...o.data, _override: "created" });
+  }
+  return result;
+}
+async function getResolvedData(companyId, scenarioId) {
+  const [
+    baseRevenue,
+    baseHeadcount,
+    baseForecast,
+    baseFunding,
+    baseDepts,
+    baseAccounts,
+    baseShareClasses,
+    baseOptionPools
+  ] = await Promise.all([
+    db.select().from(revenueStreams).where(eq(revenueStreams.companyId, companyId)),
+    db.select().from(headcountPlans).where(eq(headcountPlans.companyId, companyId)),
+    db.select().from(forecastLines).where(eq(forecastLines.companyId, companyId)),
+    db.select().from(fundingRounds).where(eq(fundingRounds.companyId, companyId)),
+    db.select().from(departments).where(eq(departments.companyId, companyId)),
+    db.select().from(financialAccounts).where(eq(financialAccounts.companyId, companyId)),
+    listShareClasses(companyId),
+    listOptionPools(companyId)
+  ]);
+  const roundIds = baseFunding.map((r) => r.id);
+  const baseInvestors = roundIds.length > 0 ? await db.select().from(fundingRoundInvestors).where(inArray(fundingRoundInvestors.fundingRoundId, roundIds)) : [];
+  const [
+    revenueResolved,
+    headcountResolved,
+    forecastResolved,
+    fundingResolved,
+    deptsResolved,
+    accountsResolved
+  ] = await Promise.all([
+    resolveEntities("revenue_stream", baseRevenue, scenarioId),
+    resolveEntities("headcount_plan", baseHeadcount, scenarioId),
+    resolveEntities("forecast_line", baseForecast, scenarioId),
+    resolveEntities("funding_round", baseFunding, scenarioId),
+    resolveEntities("department", baseDepts, scenarioId),
+    resolveEntities("financial_account", baseAccounts, scenarioId)
+  ]);
+  return {
+    revenueStreams: revenueResolved,
+    headcountPlans: headcountResolved,
+    forecastLines: forecastResolved,
+    fundingRounds: fundingResolved,
+    departments: deptsResolved,
+    financialAccounts: accountsResolved,
+    fundingRoundInvestors: baseInvestors.filter(
+      (i) => fundingResolved.some((r) => r.id === i.fundingRoundId)
+    ),
+    shareClasses: baseShareClasses,
+    optionPools: baseOptionPools
+  };
+}
+
+// ../db/src/queries/scenario-mutations.ts
+async function assertScenarioOwned(scenarioId, companyId) {
+  const [owned] = await db.select({ id: scenarios.id }).from(scenarios).where(and(eq(scenarios.id, scenarioId), eq(scenarios.companyId, companyId))).limit(1);
+  if (!owned) {
+    throw new Error(`Scenario ${scenarioId} not found for company ${companyId}`);
+  }
+}
+var MERGABLE_JSONB_KEYS = /* @__PURE__ */ new Set(["parameters"]);
+function isPlainObject(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value) && Object.getPrototypeOf(value) === Object.prototype;
+}
+function mergeChanges(base, changes) {
+  const merged = { ...base, ...changes };
+  for (const key of MERGABLE_JSONB_KEYS) {
+    const baseVal = base[key];
+    const changeVal = changes[key];
+    if (isPlainObject(baseVal) && isPlainObject(changeVal)) {
+      merged[key] = { ...baseVal, ...changeVal };
+    }
+  }
+  return merged;
+}
+function validateOverridable(entityType, baseEntity) {
+  if (entityType === "financial_account" && baseEntity?.isSystem) {
+    throw new Error("System accounts cannot be modified in scenarios");
+  }
+}
+async function planScenarioInsert(entityType, table, data, scenarioId, companyId) {
+  if (!scenarioId) throw new Error("planScenarioInsert requires an active scenario");
+  await assertScenarioOwned(scenarioId, companyId);
+  const id = data.id ?? crypto.randomUUID();
+  const entityData = { ...data, id };
+  return { action: "create", entityType, entityId: id, before: null, after: entityData };
+}
+async function commitScenarioPlan(scenarioId, plan) {
+  if (plan.action === "remove_override") {
+    await deleteOverrideByEntity(scenarioId, plan.entityType, plan.entityId);
+    return;
+  }
+  await upsertOverride(scenarioId, plan.entityType, plan.entityId, plan.action, plan.after, plan.before);
+}
+async function planScenarioUpdate(entityType, table, entityId, changes, scenarioId, companyId) {
+  if (!scenarioId) throw new Error("planScenarioUpdate requires an active scenario");
+  if (entityType === "funding_round" && changes && "type" in changes) {
+    const { type: _stripped, ...rest } = changes;
+    changes = rest;
+  }
+  await assertScenarioOwned(scenarioId, companyId);
+  const existing = await db.select().from(scenarioOverrides).where(
+    and(
+      eq(scenarioOverrides.scenarioId, scenarioId),
+      eq(scenarioOverrides.entityType, entityType),
+      eq(scenarioOverrides.entityId, entityId)
+    )
+  ).then((r) => r[0]);
+  if (existing) {
+    const after2 = mergeChanges(
+      existing.data,
+      changes
+    );
+    return {
+      action: existing.action,
+      entityType,
+      entityId,
+      before: existing.originalData ?? null,
+      after: after2
+    };
+  }
+  const [baseEntity] = await db.select().from(table).where(and(eq(table.id, entityId), eq(table.companyId, companyId)));
+  if (!baseEntity) throw new Error(`Entity ${entityType}/${entityId} not found`);
+  validateOverridable(entityType, baseEntity);
+  const after = mergeChanges(
+    baseEntity,
+    changes
+  );
+  return {
+    action: "modify",
+    entityType,
+    entityId,
+    before: baseEntity,
+    after
+  };
+}
+async function planScenarioDelete(entityType, table, entityId, scenarioId, companyId) {
+  if (!scenarioId) throw new Error("planScenarioDelete requires an active scenario");
+  await assertScenarioOwned(scenarioId, companyId);
+  const existing = await db.select().from(scenarioOverrides).where(
+    and(
+      eq(scenarioOverrides.scenarioId, scenarioId),
+      eq(scenarioOverrides.entityType, entityType),
+      eq(scenarioOverrides.entityId, entityId)
+    )
+  ).then((r) => r[0]);
+  if (existing?.action === "create") {
+    return [
+      {
+        action: "remove_override",
+        entityType,
+        entityId,
+        before: existing.data ?? null,
+        after: null
+      }
+    ];
+  }
+  const [baseEntity] = await db.select().from(table).where(and(eq(table.id, entityId), eq(table.companyId, companyId)));
+  if (!baseEntity) throw new Error(`Entity ${entityType}/${entityId} not found`);
+  validateOverridable(entityType, baseEntity);
+  const plans = [
+    {
+      action: "delete",
+      entityType,
+      entityId,
+      before: baseEntity,
+      after: null
+    }
+  ];
+  if (entityType === "department") {
+    const children = await db.select().from(departments).where(eq(departments.parentId, entityId));
+    for (const child of children) {
+      plans.push(
+        ...await planScenarioDelete("department", departments, child.id, scenarioId, companyId)
+      );
+    }
+  }
+  return plans;
+}
+async function scenarioInsert(entityType, table, data, scenarioId, companyId) {
+  if (!scenarioId) {
+    const [row] = await db.insert(table).values(data).returning();
+    return row;
+  }
+  const plan = await planScenarioInsert(entityType, table, data, scenarioId, companyId);
+  await commitScenarioPlan(scenarioId, plan);
+  return plan.after;
+}
+async function scenarioUpdate(entityType, table, entityId, changes, scenarioId, companyId) {
+  if (!scenarioId) {
+    if (entityType === "funding_round" && changes && "type" in changes) {
+      const { type: _stripped, ...rest } = changes;
+      changes = rest;
+    }
+    const [row] = await db.update(table).set(changes).where(and(eq(table.id, entityId), eq(table.companyId, companyId))).returning();
+    return row;
+  }
+  const plan = await planScenarioUpdate(entityType, table, entityId, changes, scenarioId, companyId);
+  await commitScenarioPlan(scenarioId, plan);
+  return plan.after;
+}
+async function scenarioDelete(entityType, table, entityId, scenarioId, companyId) {
+  if (!scenarioId) {
+    const deleted = await db.delete(table).where(and(eq(table.id, entityId), eq(table.companyId, companyId))).returning();
+    if (deleted.length > 0) {
+      await db.delete(scenarioOverrides).where(
+        and(
+          eq(scenarioOverrides.entityType, entityType),
+          eq(scenarioOverrides.entityId, entityId)
+        )
+      );
+    }
+    return deleted.length > 0;
+  }
+  const plans = await planScenarioDelete(entityType, table, entityId, scenarioId, companyId);
+  for (const plan of plans) {
+    await commitScenarioPlan(scenarioId, plan);
+  }
+  return true;
+}
+
+// ../db/src/queries/scenario-promotion.ts
+function getTableForEntityType(entityType) {
+  const map = {
+    revenue_stream: revenueStreams,
+    headcount_plan: headcountPlans,
+    forecast_line: forecastLines,
+    funding_round: fundingRounds,
+    department: departments,
+    financial_account: financialAccounts,
+    salary_change: salaryChanges,
+    bonus: bonuses,
+    equity_grant: equityGrants
+  };
+  const table = map[entityType];
+  if (!table) throw new Error(`Unknown entity type: ${entityType}`);
+  return table;
+}
+function rehydrateForTable(table, data) {
+  const result = { ...data };
+  const columns = table[/* @__PURE__ */ Symbol.for("drizzle:Columns")] ?? table;
+  for (const [key, col] of Object.entries(columns)) {
+    if (col instanceof PgTimestamp && typeof result[key] === "string") {
+      result[key] = new Date(result[key]);
+    }
+  }
+  return result;
+}
+async function promoteScenario(scenarioId, companyId) {
+  return db.transaction(async (tx) => {
+    const [backup] = await tx.insert(scenarios).values({
+      companyId,
+      name: `Backup (pre-promote, ${(/* @__PURE__ */ new Date()).toLocaleDateString()})`,
+      source: "backup",
+      status: "active",
+      sourceScenarioId: scenarioId,
+      autoDeleteAt: new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3)
+      // 7 days
+    }).returning();
+    const affectedTypes = await tx.selectDistinct({ entityType: scenarioOverrides.entityType }).from(scenarioOverrides).where(eq(scenarioOverrides.scenarioId, scenarioId));
+    for (const { entityType } of affectedTypes) {
+      const table = getTableForEntityType(entityType);
+      const baseEntities = await tx.select().from(table).where(eq(table.companyId, companyId));
+      for (const entity of baseEntities) {
+        await tx.insert(scenarioOverrides).values({
+          scenarioId: backup.id,
+          entityType,
+          entityId: entity.id,
+          action: "modify",
+          data: entity,
+          originalData: entity
+        });
+      }
+    }
+    const overrides = await tx.select().from(scenarioOverrides).where(eq(scenarioOverrides.scenarioId, scenarioId));
+    for (const override of overrides) {
+      const table = getTableForEntityType(override.entityType);
+      if (override.action === "modify") {
+        const hydrated = rehydrateForTable(table, override.data);
+        await tx.update(table).set(hydrated).where(eq(table.id, override.entityId));
+        const [exists] = await tx.select({ id: table.id }).from(table).where(eq(table.id, override.entityId));
+        if (!exists) {
+          await tx.insert(table).values(hydrated);
+        }
+      } else if (override.action === "create") {
+        const hydrated = rehydrateForTable(table, override.data);
+        await tx.insert(table).values(hydrated);
+      } else if (override.action === "delete") {
+        await tx.delete(table).where(eq(table.id, override.entityId));
+      }
+    }
+    await tx.update(scenarios).set({
+      status: "promoted",
+      promotedAt: /* @__PURE__ */ new Date()
+    }).where(eq(scenarios.id, scenarioId));
+    return { backup, promotedScenarioId: scenarioId };
+  });
+}
+
+// ../db/src/queries/company-financial-data.ts
+async function hasFinancialData(companyId) {
+  const [row] = await db.select({
+    has: sql`(
+        EXISTS(SELECT 1 FROM revenue_streams WHERE company_id = ${companyId})
+        OR EXISTS(SELECT 1 FROM transactions WHERE company_id = ${companyId})
+        OR EXISTS(SELECT 1 FROM headcount_plans WHERE company_id = ${companyId})
+        OR EXISTS(SELECT 1 FROM funding_rounds WHERE company_id = ${companyId})
+      )`
+  }).from(companies).where(eq(companies.id, companyId)).limit(1);
+  return row?.has === true;
+}
+
+// ../db/src/queries/entity-types.ts
+var SCENARIO_ENTITY_TYPES = [
+  "revenue_stream",
+  "transaction",
+  "forecast_line",
+  "headcount_plan",
+  "funding_round",
+  "department",
+  "financial_account",
+  "salary_change",
+  "bonus",
+  "equity_grant"
+];
+
+// ../db/src/queries/salary-changes.ts
+async function listSalaryChanges(companyId, headcountId) {
+  return db.select().from(salaryChanges).where(
+    and(
+      eq(salaryChanges.companyId, companyId),
+      eq(salaryChanges.headcountId, headcountId)
+    )
+  );
+}
+async function listResolvedSalaryChanges(companyId, headcountId, scenarioId) {
+  const base = await listSalaryChanges(companyId, headcountId);
+  const resolved = await resolveEntities(
+    "salary_change",
+    base,
+    scenarioId
+  );
+  return resolved.filter((r) => r.headcountId === headcountId);
+}
+async function createSalaryChange(data, scenarioId, companyId) {
+  return scenarioInsert("salary_change", salaryChanges, data, scenarioId, companyId);
+}
+async function updateSalaryChange(id, changes, scenarioId, companyId) {
+  return scenarioUpdate("salary_change", salaryChanges, id, changes, scenarioId, companyId);
+}
+async function removeSalaryChange(id, scenarioId, companyId) {
+  return scenarioDelete("salary_change", salaryChanges, id, scenarioId, companyId);
+}
+
+// ../db/src/queries/bonuses.ts
+async function listBonuses(companyId, headcountId) {
+  return db.select().from(bonuses).where(
+    and(
+      eq(bonuses.companyId, companyId),
+      eq(bonuses.headcountId, headcountId)
+    )
+  );
+}
+async function listResolvedBonuses(companyId, headcountId, scenarioId) {
+  const base = await listBonuses(companyId, headcountId);
+  const resolved = await resolveEntities("bonus", base, scenarioId);
+  return resolved.filter((r) => r.headcountId === headcountId);
+}
+async function createBonus(data, scenarioId, companyId) {
+  return scenarioInsert("bonus", bonuses, data, scenarioId, companyId);
+}
+async function updateBonus(id, changes, scenarioId, companyId) {
+  return scenarioUpdate("bonus", bonuses, id, changes, scenarioId, companyId);
+}
+async function removeBonus(id, scenarioId, companyId) {
+  return scenarioDelete("bonus", bonuses, id, scenarioId, companyId);
+}
+
+// ../db/src/queries/equity-grants.ts
+async function listEquityGrants(companyId, headcountId) {
+  return db.select().from(equityGrants).where(
+    and(
+      eq(equityGrants.companyId, companyId),
+      eq(equityGrants.headcountId, headcountId)
+    )
+  );
+}
+async function listResolvedEquityGrants(companyId, headcountId, scenarioId) {
+  const base = await listEquityGrants(companyId, headcountId);
+  const resolved = await resolveEntities(
+    "equity_grant",
+    base,
+    scenarioId
+  );
+  return resolved.filter((r) => r.headcountId === headcountId);
+}
+async function createEquityGrant(data, scenarioId, companyId) {
+  return scenarioInsert("equity_grant", equityGrants, data, scenarioId, companyId);
+}
+async function updateEquityGrant(id, changes, scenarioId, companyId) {
+  return scenarioUpdate(
+    "equity_grant",
+    equityGrants,
+    id,
+    changes,
+    scenarioId,
+    companyId
+  );
+}
+async function removeEquityGrant(id, scenarioId, companyId) {
+  return scenarioDelete("equity_grant", equityGrants, id, scenarioId, companyId);
+}
+
+// ../db/src/queries/ai-permissions.ts
+async function getPermissionDefaults(userId, companyId) {
+  const [row] = await db.select().from(aiPermissionDefaults).where(
+    and(
+      eq(aiPermissionDefaults.userId, userId),
+      eq(aiPermissionDefaults.companyId, companyId)
+    )
+  ).limit(1);
+  return row ?? null;
+}
+async function upsertPermissionDefaults(userId, companyId, patch) {
+  await db.insert(aiPermissionDefaults).values({ userId, companyId, ...patch }).onConflictDoUpdate({
+    target: [aiPermissionDefaults.userId, aiPermissionDefaults.companyId],
+    set: { ...patch, updatedAt: /* @__PURE__ */ new Date() }
+  });
+}
+async function getSessionGrants(conversationId) {
+  const [row] = await db.select({ grants: aiConversations.sessionGrants }).from(aiConversations).where(eq(aiConversations.id, conversationId)).limit(1);
+  return row?.grants ?? {};
+}
+async function grantSessionPermission(conversationId, category) {
+  const current = await getSessionGrants(conversationId);
+  const next = { ...current, [category]: true };
+  await db.update(aiConversations).set({ sessionGrants: next }).where(eq(aiConversations.id, conversationId));
+}
+async function resetSessionGrants(conversationId) {
+  await db.update(aiConversations).set({ sessionGrants: {} }).where(eq(aiConversations.id, conversationId));
+}
+async function getSessionDisabledTools(conversationId) {
+  const [row] = await db.select({ disabled: aiConversations.sessionDisabledTools }).from(aiConversations).where(eq(aiConversations.id, conversationId)).limit(1);
+  return row?.disabled ?? {};
+}
+async function setSessionDisabledTool(conversationId, key, disabled) {
+  const current = await getSessionDisabledTools(conversationId);
+  const next = { ...current };
+  if (disabled) next[key] = true;
+  else delete next[key];
+  await db.update(aiConversations).set({ sessionDisabledTools: next }).where(eq(aiConversations.id, conversationId));
+}
+async function resetSessionDisabledTools(conversationId) {
+  await db.update(aiConversations).set({ sessionDisabledTools: {} }).where(eq(aiConversations.id, conversationId));
+}
+async function createPendingAction(input) {
+  const [row] = await db.insert(aiPendingActions).values({
+    conversationId: input.conversationId,
+    pauseId: input.pauseId,
+    kind: input.kind ?? "permission",
+    scenarioId: input.scenarioId,
+    writeScenarioId: input.writeScenarioId ?? null,
+    assistantBlocks: input.assistantBlocks,
+    completedResults: input.completedResults,
+    pending: input.pending
+  }).returning();
+  return row;
+}
+async function getActivePendingAction(conversationId) {
+  const [row] = await db.select().from(aiPendingActions).where(
+    and(
+      eq(aiPendingActions.conversationId, conversationId),
+      isNull(aiPendingActions.resolvedAt)
+    )
+  ).limit(1);
+  return row ?? null;
+}
+async function resolvePendingAction(id) {
+  await db.update(aiPendingActions).set({ resolvedAt: /* @__PURE__ */ new Date() }).where(eq(aiPendingActions.id, id));
+}
+async function updatePendingActionTimeline(pauseId, timeline) {
+  await db.update(aiPendingActions).set({ timeline }).where(and(eq(aiPendingActions.pauseId, pauseId), isNull(aiPendingActions.resolvedAt)));
+}
+
+// ../db/src/queries/local-user.ts
+var LOCAL_OWNER_EMAIL = "owner@localhost";
+var LOCAL_OWNER_ID = "00000000-0000-4000-a000-000000000000";
+var LOCAL_OWNER_COMPANY_ID = "00000000-0000-4000-a000-000000000001";
+async function createOwnerUserIfNone() {
+  const [existing] = await db.select({ id: users.id }).from(users).limit(1);
+  if (existing) return;
+  await db.insert(users).values({
+    id: LOCAL_OWNER_ID,
+    email: LOCAL_OWNER_EMAIL,
+    name: "Owner",
+    emailVerified: /* @__PURE__ */ new Date(),
+    passwordHash: null
+  }).onConflictDoNothing({ target: users.email });
+}
+async function createOwnerCompanyIfNone(ownerId) {
+  const [existing] = await db.select({ id: companyMembers.id }).from(companyMembers).limit(1);
+  if (existing) return;
+  await db.transaction(async (tx) => {
+    await tx.insert(companies).values({
+      id: LOCAL_OWNER_COMPANY_ID,
+      name: "My Company",
+      ownerId
+    }).onConflictDoNothing({ target: companies.id });
+    await tx.insert(companyMembers).values({
+      companyId: LOCAL_OWNER_COMPANY_ID,
+      userId: ownerId,
+      role: "owner"
+    }).onConflictDoNothing();
+  });
+}
+async function getOwnerUser() {
+  const [u] = await db.select({ id: users.id, email: users.email, name: users.name, image: users.image }).from(users).orderBy(asc(users.createdAt), asc(users.id)).limit(1);
+  return u ?? null;
+}
+async function isOwnerClaimed() {
+  const [u] = await db.select({ passwordHash: users.passwordHash }).from(users).orderBy(asc(users.createdAt), asc(users.id)).limit(1);
+  return u != null && u.passwordHash != null;
+}
+async function listUsers() {
+  const rows = await db.select({ id: users.id, email: users.email, name: users.name, passwordHash: users.passwordHash }).from(users).orderBy(asc(users.createdAt), asc(users.id));
+  return rows.map((r) => ({ id: r.id, email: r.email, name: r.name, claimed: r.passwordHash != null }));
+}
+async function createUser(input) {
+  const id = crypto.randomUUID();
+  await db.insert(users).values({
+    id,
+    email: input.email,
+    name: input.name ?? null,
+    emailVerified: /* @__PURE__ */ new Date(),
+    passwordHash: input.passwordHash
+  });
+  return { id };
+}
+async function setUserPassword(email, passwordHash) {
+  const updated = await db.update(users).set({ passwordHash }).where(eq(users.email, email)).returning({ id: users.id });
+  return updated.length;
+}
+
+// ../db/src/crypto.ts
+import { createCipheriv, createDecipheriv, randomBytes } from "crypto";
+var VERSION = "v1";
+var cachedKey;
+function getKey() {
+  if (cachedKey === void 0) {
+    const raw = process.env.SECRETS_ENCRYPTION_KEY;
+    if (!raw) {
+      cachedKey = null;
+    } else {
+      const buf = Buffer.from(raw, "base64");
+      if (buf.length !== 32) {
+        cachedKey = void 0;
+        throw new Error("SECRETS_ENCRYPTION_KEY must be exactly 32 bytes, base64-encoded");
+      }
+      cachedKey = buf;
+    }
+  }
+  if (!cachedKey) {
+    throw new Error(
+      "SECRETS_ENCRYPTION_KEY is not set \u2014 required to store/read encrypted credentials. Generate one with: openssl rand -base64 32"
+    );
+  }
+  return cachedKey;
+}
+function encryptSecret(plaintext) {
+  const key = getKey();
+  const iv = randomBytes(12);
+  const cipher = createCipheriv("aes-256-gcm", key, iv);
+  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return [VERSION, iv.toString("base64"), tag.toString("base64"), ciphertext.toString("base64")].join(":");
+}
+function decryptSecret(blob) {
+  const key = getKey();
+  const parts = blob.split(":");
+  if (parts.length !== 4 || parts[0] !== VERSION || !parts[1] || !parts[2] || !parts[3]) {
+    throw new Error("Malformed secret blob");
+  }
+  const tag = Buffer.from(parts[2], "base64");
+  if (tag.length !== 16) {
+    throw new Error("Malformed secret blob");
+  }
+  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(parts[1], "base64"));
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(Buffer.from(parts[3], "base64")), decipher.final()]).toString("utf8");
+}
+function encryptJson(value) {
+  return encryptSecret(JSON.stringify(value));
+}
+function decryptJson(blob) {
+  return JSON.parse(decryptSecret(blob));
+}
+function __resetSecretsKeyCache() {
+  cachedKey = void 0;
+}
+
+// ../db/src/queries/mcp.ts
+function slugifyConnectionName(name) {
+  const slug = name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+  if (!slug)
+    throw new Error(
+      "Connection name must contain at least one alphanumeric character"
+    );
+  return slug;
+}
+function visibleWhere(companyId, userId) {
+  return and(
+    eq(mcpConnections.companyId, companyId),
+    or(
+      eq(mcpConnections.ownerScope, "company"),
+      eq(mcpConnections.ownerUserId, userId)
+    )
+  );
+}
+async function listVisibleConnections(companyId, userId) {
+  return db.select().from(mcpConnections).where(visibleWhere(companyId, userId));
+}
+async function getVisibleConnection(id, companyId, userId) {
+  const rows = await db.select().from(mcpConnections).where(and(eq(mcpConnections.id, id), visibleWhere(companyId, userId))).limit(1);
+  return rows[0] ?? null;
+}
+async function createMcpConnection(data) {
+  if (data.ownerScope === "personal" && !data.ownerUserId) {
+    throw new Error("Personal connections require ownerUserId");
+  }
+  const [row] = await db.insert(mcpConnections).values({ ...data, slug: slugifyConnectionName(data.name) }).returning();
+  return row;
+}
+async function updateMcpConnection(id, companyId, patch) {
+  const values = { ...patch };
+  if (patch.name) values.slug = slugifyConnectionName(patch.name);
+  const rows = await db.update(mcpConnections).set(values).where(
+    and(
+      eq(mcpConnections.id, id),
+      eq(mcpConnections.companyId, companyId)
+    )
+  ).returning();
+  return rows[0] ?? null;
+}
+async function deleteMcpConnection(id, companyId) {
+  const rows = await db.delete(mcpConnections).where(
+    and(
+      eq(mcpConnections.id, id),
+      eq(mcpConnections.companyId, companyId)
+    )
+  ).returning({ id: mcpConnections.id });
+  return rows.length > 0;
+}
+async function saveMcpCredentials(mcpConnectionId, authType, secret, clientRegistration) {
+  const encrypted = secret === null ? null : encryptJson(secret);
+  const expiresAt = secret && "expiresAt" in secret && secret.expiresAt ? new Date(secret.expiresAt) : null;
+  await db.insert(mcpCredentials).values({
+    mcpConnectionId,
+    authType,
+    secret: encrypted,
+    clientRegistration,
+    expiresAt
+  }).onConflictDoUpdate({
+    target: mcpCredentials.mcpConnectionId,
+    set: {
+      authType,
+      ...secret !== null ? { secret: encrypted, expiresAt } : {},
+      ...clientRegistration !== void 0 ? { clientRegistration } : {}
+    }
+  });
+}
+async function getMcpCredentialsRow(mcpConnectionId) {
+  const rows = await db.select().from(mcpCredentials).where(eq(mcpCredentials.mcpConnectionId, mcpConnectionId)).limit(1);
+  return rows[0] ?? null;
+}
+async function getDecryptedMcpSecret(mcpConnectionId) {
+  const row = await getMcpCredentialsRow(mcpConnectionId);
+  if (!row?.secret) return null;
+  return decryptJson(row.secret);
+}
+async function listMcpToolPrefs(mcpConnectionId) {
+  return db.select().from(mcpToolPrefs).where(eq(mcpToolPrefs.mcpConnectionId, mcpConnectionId));
+}
+async function upsertMcpToolPref(mcpConnectionId, toolName, patch) {
+  await db.insert(mcpToolPrefs).values({
+    mcpConnectionId,
+    toolName,
+    enabled: patch.enabled ?? true,
+    permClassOverride: patch.permClassOverride ?? null
+  }).onConflictDoUpdate({
+    target: [mcpToolPrefs.mcpConnectionId, mcpToolPrefs.toolName],
+    set: {
+      ...patch.enabled !== void 0 ? { enabled: patch.enabled } : {},
+      ...patch.permClassOverride !== void 0 ? { permClassOverride: patch.permClassOverride } : {}
+    }
+  });
+}
+async function getDisabledMcpConnectionIds(userId, companyId) {
+  const rows = await db.select({ disabled: userPreferences.disabledMcpConnections }).from(userPreferences).where(
+    and(
+      eq(userPreferences.userId, userId),
+      eq(userPreferences.companyId, companyId)
+    )
+  ).limit(1);
+  return rows[0]?.disabled ?? [];
+}
+async function getDisabledBuiltinTools(userId, companyId) {
+  const rows = await db.select({ disabled: userPreferences.disabledBuiltinTools }).from(userPreferences).where(
+    and(
+      eq(userPreferences.userId, userId),
+      eq(userPreferences.companyId, companyId)
+    )
+  ).limit(1);
+  return rows[0]?.disabled ?? [];
+}
+async function upsertUserPreferences(userId, companyId, patch) {
+  const [row] = await db.insert(userPreferences).values({ userId, companyId, ...patch }).onConflictDoUpdate({
+    target: [userPreferences.userId, userPreferences.companyId],
+    set: patch
+  }).returning();
+  return row;
+}
+
+// ../db/src/queries/ai-providers.ts
+function toPublic(row) {
+  const { apiKeyEncrypted, ...rest } = row;
+  return { ...rest, apiKeySet: apiKeyEncrypted != null };
+}
+async function withModelSummary(row) {
+  const models = await listAiProviderModels(row.id);
+  const defaultModelId = models.find((m) => m.isDefault)?.modelId ?? null;
+  return { ...toPublic(row), modelCount: models.length, defaultModelId };
+}
+async function listAiProviders(companyId) {
+  const rows = await db.select().from(aiProviders).where(eq(aiProviders.companyId, companyId));
+  return Promise.all(rows.map(withModelSummary));
+}
+async function getAiProvider(id, companyId) {
+  const [row] = await db.select().from(aiProviders).where(and(eq(aiProviders.id, id), eq(aiProviders.companyId, companyId))).limit(1);
+  return row ? withModelSummary(row) : null;
+}
+async function createAiProvider(data) {
+  const existing = await db.select({ id: aiProviders.id }).from(aiProviders).where(eq(aiProviders.companyId, data.companyId)).limit(1);
+  const isDefault = existing.length === 0;
+  const [row] = await db.insert(aiProviders).values({
+    companyId: data.companyId,
+    name: data.name,
+    kind: data.kind,
+    baseUrl: data.baseUrl ?? null,
+    apiKeyEncrypted: data.apiKey ? encryptSecret(data.apiKey) : null,
+    apiKeyMode: data.apiKeyMode ?? "user_provided",
+    headers: data.headers ?? null,
+    dropParams: data.dropParams ?? null,
+    isDefault
+  }).returning();
+  return withModelSummary(row);
+}
+async function updateAiProvider(id, companyId, patch) {
+  const values = {};
+  if (patch.name !== void 0) values.name = patch.name;
+  if (patch.baseUrl !== void 0) values.baseUrl = patch.baseUrl;
+  if (patch.apiKeyMode !== void 0) values.apiKeyMode = patch.apiKeyMode;
+  if (patch.headers !== void 0) values.headers = patch.headers;
+  if (patch.dropParams !== void 0) values.dropParams = patch.dropParams;
+  if (patch.enabled !== void 0) values.enabled = patch.enabled;
+  if (patch.apiKey !== void 0) values.apiKeyEncrypted = patch.apiKey ? encryptSecret(patch.apiKey) : null;
+  if (Object.keys(values).length === 0) return getAiProvider(id, companyId);
+  const [row] = await db.update(aiProviders).set(values).where(and(eq(aiProviders.id, id), eq(aiProviders.companyId, companyId))).returning();
+  return row ? withModelSummary(row) : null;
+}
+async function deleteAiProvider(id, companyId) {
+  const rows = await db.delete(aiProviders).where(and(eq(aiProviders.id, id), eq(aiProviders.companyId, companyId))).returning({ id: aiProviders.id });
+  return rows.length > 0;
+}
+async function setDefaultAiProvider(id, companyId) {
+  const target = await getAiProvider(id, companyId);
+  if (!target) return false;
+  await db.transaction(async (tx) => {
+    await tx.update(aiProviders).set({ isDefault: false }).where(eq(aiProviders.companyId, companyId));
+    await tx.update(aiProviders).set({ isDefault: true }).where(and(eq(aiProviders.id, id), eq(aiProviders.companyId, companyId)));
+  });
+  return true;
+}
+async function getDefaultAiProvider(companyId) {
+  const [row] = await db.select().from(aiProviders).where(and(eq(aiProviders.companyId, companyId), eq(aiProviders.isDefault, true), eq(aiProviders.enabled, true))).limit(1);
+  return row ?? null;
+}
+async function getDecryptedProviderKey(id, companyId) {
+  const [row] = await db.select({ enc: aiProviders.apiKeyEncrypted }).from(aiProviders).where(and(eq(aiProviders.id, id), eq(aiProviders.companyId, companyId))).limit(1);
+  if (!row?.enc) return null;
+  return decryptSecret(row.enc);
+}
+async function listAiProviderModels(providerId) {
+  return db.select().from(aiProviderModels).where(eq(aiProviderModels.providerId, providerId));
+}
+async function addAiProviderModel(providerId, data) {
+  const [row] = await db.insert(aiProviderModels).values({
+    providerId,
+    modelId: data.modelId,
+    displayName: data.displayName ?? null,
+    contextWindow: data.contextWindow ?? null,
+    maxOutputTokens: data.maxOutputTokens ?? null,
+    supportsTools: data.supportsTools ?? null,
+    supportsImages: data.supportsImages ?? null,
+    source: data.source,
+    enabled: data.enabled ?? true
+  }).onConflictDoUpdate({
+    target: [aiProviderModels.providerId, aiProviderModels.modelId],
+    set: {
+      displayName: data.displayName ?? null,
+      contextWindow: data.contextWindow ?? null,
+      maxOutputTokens: data.maxOutputTokens ?? null,
+      supportsTools: data.supportsTools ?? null,
+      supportsImages: data.supportsImages ?? null
+    }
+  }).returning();
+  return row;
+}
+async function setDefaultAiProviderModel(modelId, providerId) {
+  const [target] = await db.select({ id: aiProviderModels.id }).from(aiProviderModels).where(and(eq(aiProviderModels.id, modelId), eq(aiProviderModels.providerId, providerId))).limit(1);
+  if (!target) return false;
+  await db.transaction(async (tx) => {
+    await tx.update(aiProviderModels).set({ isDefault: false }).where(eq(aiProviderModels.providerId, providerId));
+    await tx.update(aiProviderModels).set({ isDefault: true }).where(and(eq(aiProviderModels.id, modelId), eq(aiProviderModels.providerId, providerId)));
+  });
+  return true;
+}
+async function getResolvedDefaultModelId(providerId) {
+  const [row] = await db.select({ modelId: aiProviderModels.modelId }).from(aiProviderModels).where(and(eq(aiProviderModels.providerId, providerId), eq(aiProviderModels.isDefault, true), eq(aiProviderModels.enabled, true))).limit(1);
+  return row?.modelId ?? null;
+}
+
+// ../db/src/token-hash.ts
+import { createHash, randomBytes as randomBytes2 } from "crypto";
+function sha256hex(value) {
+  return createHash("sha256").update(value, "utf8").digest("hex");
+}
+function generateSecretToken(prefix) {
+  const secret = randomBytes2(32).toString("base64url");
+  const token = `${prefix}${secret}`;
+  return { token, hash: sha256hex(token), lastFour: secret.slice(-4) };
+}
+
+// ../db/src/queries/api-tokens.ts
+function roleScopeCap(role) {
+  if (role === "viewer") return ["read"];
+  if (role === "editor" || role === "admin" || role === "owner") {
+    return ["read", "write", "delete"];
+  }
+  return [];
+}
+async function mintApiToken(input) {
+  const generated = generateSecretToken("bl_pat_");
+  const [row] = await db.insert(apiTokens).values({
+    userId: input.userId,
+    companyId: input.companyId,
+    name: input.name,
+    tokenHash: generated.hash,
+    scopes: input.scopes,
+    lastFour: generated.lastFour,
+    expiresAt: input.expiresAt ?? null
+  }).returning();
+  return { row, plaintext: generated.token };
+}
+async function listApiTokensForUser(companyId, userId) {
+  return db.select().from(apiTokens).where(
+    and(
+      eq(apiTokens.companyId, companyId),
+      eq(apiTokens.userId, userId),
+      isNull(apiTokens.revokedAt)
+    )
+  );
+}
+async function revokeApiToken(id, companyId, userId) {
+  const rows = await db.update(apiTokens).set({ revokedAt: /* @__PURE__ */ new Date() }).where(
+    and(
+      eq(apiTokens.id, id),
+      eq(apiTokens.companyId, companyId),
+      eq(apiTokens.userId, userId),
+      isNull(apiTokens.revokedAt)
+    )
+  ).returning({ id: apiTokens.id });
+  return rows.length > 0;
+}
+async function findApiTokenByHash(tokenHash) {
+  const rows = await db.select().from(apiTokens).where(eq(apiTokens.tokenHash, tokenHash)).limit(1);
+  return rows[0] ?? null;
+}
+async function touchApiTokenLastUsed(id) {
+  const cutoff = new Date(Date.now() - 6e4);
+  await db.update(apiTokens).set({ lastUsedAt: /* @__PURE__ */ new Date() }).where(
+    and(
+      eq(apiTokens.id, id),
+      or(isNull(apiTokens.lastUsedAt), lt(apiTokens.lastUsedAt, cutoff))
+    )
+  );
+}
+
+// ../db/src/queries/notifications.ts
+async function createNotification(input) {
+  const [row] = await db.insert(notifications).values({
+    companyId: input.companyId,
+    userId: input.userId,
+    category: input.category,
+    title: input.title,
+    body: input.body ?? null,
+    severity: input.severity ?? "info",
+    link: input.link ?? null,
+    metadata: input.metadata ?? null
+  }).returning();
+  return row;
+}
+async function listNotificationsForUser(userId, companyId, limit = 50) {
+  return db.select().from(notifications).where(and(eq(notifications.userId, userId), eq(notifications.companyId, companyId))).orderBy(desc(notifications.createdAt)).limit(limit);
+}
+async function countUnreadNotifications(userId, companyId) {
+  const [row] = await db.select({ count: sql`count(*)::int` }).from(notifications).where(
+    and(
+      eq(notifications.userId, userId),
+      eq(notifications.companyId, companyId),
+      isNull(notifications.readAt)
+    )
+  );
+  return row?.count ?? 0;
+}
+async function markNotificationsRead(userId, companyId, opts) {
+  const scope = and(eq(notifications.userId, userId), eq(notifications.companyId, companyId));
+  if (opts.all) {
+    await db.update(notifications).set({ readAt: /* @__PURE__ */ new Date() }).where(and(scope, isNull(notifications.readAt)));
+    return;
+  }
+  if (opts.ids && opts.ids.length > 0) {
+    await db.update(notifications).set({ readAt: /* @__PURE__ */ new Date() }).where(and(scope, inArray(notifications.id, opts.ids)));
+  }
+}
+
+// ../db/src/queries/oauth.ts
+var AUTH_CODE_TTL_MS = 10 * 60 * 1e3;
+var ACCESS_TOKEN_TTL_MS = 60 * 60 * 1e3;
+async function createOauthClient(input) {
+  const [row] = await db.insert(oauthClients).values({ name: input.name, redirectUris: input.redirectUris }).returning();
+  return row;
+}
+async function getOauthClientById(clientId) {
+  const rows = await db.select().from(oauthClients).where(eq(oauthClients.id, clientId)).limit(1);
+  return rows[0] ?? null;
+}
+async function createAuthCode(input) {
+  const generated = generateSecretToken("bl_ac_");
+  await db.insert(oauthAuthCodes).values({
+    codeHash: generated.hash,
+    clientId: input.clientId,
+    userId: input.userId,
+    companyId: input.companyId,
+    scopes: input.scopes,
+    codeChallenge: input.codeChallenge,
+    resource: input.resource,
+    redirectUri: input.redirectUri,
+    expiresAt: new Date(Date.now() + AUTH_CODE_TTL_MS)
+  });
+  return { code: generated.token };
+}
+async function consumeAuthCode(code) {
+  const rows = await db.update(oauthAuthCodes).set({ usedAt: /* @__PURE__ */ new Date() }).where(
+    and(
+      eq(oauthAuthCodes.codeHash, sha256hex(code)),
+      isNull(oauthAuthCodes.usedAt),
+      gt(oauthAuthCodes.expiresAt, /* @__PURE__ */ new Date())
+    )
+  ).returning();
+  return rows[0] ?? null;
+}
+async function issueOauthTokens(input) {
+  const access = generateSecretToken("bl_at_");
+  const refresh = generateSecretToken("bl_rt_");
+  const [row] = await db.insert(oauthTokens).values({
+    grantId: input.grantId ?? crypto.randomUUID(),
+    clientId: input.clientId,
+    userId: input.userId,
+    companyId: input.companyId,
+    scopes: input.scopes,
+    accessTokenHash: access.hash,
+    refreshTokenHash: refresh.hash,
+    resource: input.resource,
+    accessExpiresAt: new Date(Date.now() + ACCESS_TOKEN_TTL_MS)
+  }).returning();
+  return { accessToken: access.token, refreshToken: refresh.token, row };
+}
+async function findOauthTokenByAccessHash(accessTokenHash) {
+  const rows = await db.select().from(oauthTokens).where(eq(oauthTokens.accessTokenHash, accessTokenHash)).limit(1);
+  return rows[0] ?? null;
+}
+async function rotateRefreshToken(refreshToken, clientId) {
+  const hash = sha256hex(refreshToken);
+  const result = await db.transaction(async (tx) => {
+    const claimed = await tx.update(oauthTokens).set({ supersededAt: /* @__PURE__ */ new Date() }).where(
+      and(
+        eq(oauthTokens.refreshTokenHash, hash),
+        eq(oauthTokens.clientId, clientId),
+        isNull(oauthTokens.supersededAt),
+        isNull(oauthTokens.revokedAt)
+      )
+    ).returning();
+    if (claimed.length === 0) {
+      return null;
+    }
+    const claimedRow = claimed[0];
+    const access = generateSecretToken("bl_at_");
+    const refresh = generateSecretToken("bl_rt_");
+    const [newRow] = await tx.insert(oauthTokens).values({
+      grantId: claimedRow.grantId,
+      clientId: claimedRow.clientId,
+      userId: claimedRow.userId,
+      companyId: claimedRow.companyId,
+      scopes: claimedRow.scopes,
+      accessTokenHash: access.hash,
+      refreshTokenHash: refresh.hash,
+      resource: claimedRow.resource,
+      accessExpiresAt: new Date(Date.now() + ACCESS_TOKEN_TTL_MS)
+    }).returning();
+    return {
+      accessToken: access.token,
+      refreshToken: refresh.token,
+      row: newRow
+    };
+  });
+  if (result !== null) {
+    return { status: "rotated", ...result };
+  }
+  const existing = await db.select().from(oauthTokens).where(eq(oauthTokens.refreshTokenHash, hash)).limit(1);
+  const row = existing[0];
+  if (!row || row.revokedAt) return { status: "invalid" };
+  if (!row.supersededAt) return { status: "invalid" };
+  await db.update(oauthTokens).set({ revokedAt: /* @__PURE__ */ new Date() }).where(and(eq(oauthTokens.grantId, row.grantId), isNull(oauthTokens.revokedAt)));
+  return { status: "reuse_detected" };
+}
+async function listOauthGrantsForUser(companyId, userId) {
+  return db.select({
+    grantId: oauthTokens.grantId,
+    clientId: oauthTokens.clientId,
+    clientName: oauthClients.name,
+    scopes: oauthTokens.scopes,
+    createdAt: oauthTokens.createdAt
+  }).from(oauthTokens).innerJoin(oauthClients, eq(oauthTokens.clientId, oauthClients.id)).where(
+    and(
+      eq(oauthTokens.companyId, companyId),
+      eq(oauthTokens.userId, userId),
+      isNull(oauthTokens.revokedAt),
+      isNull(oauthTokens.supersededAt)
+    )
+  );
+}
+async function revokeOauthGrant(grantId, companyId, userId) {
+  const rows = await db.update(oauthTokens).set({ revokedAt: /* @__PURE__ */ new Date() }).where(
+    and(
+      eq(oauthTokens.grantId, grantId),
+      eq(oauthTokens.companyId, companyId),
+      eq(oauthTokens.userId, userId),
+      isNull(oauthTokens.revokedAt)
+    )
+  ).returning({ id: oauthTokens.id });
+  return rows.length > 0;
+}
+
+// ../db/src/queries/scheduled-jobs.ts
+async function createScheduledJob(input) {
+  const [row] = await db.insert(scheduledJobs).values({
+    companyId: input.companyId,
+    createdByUserId: input.createdByUserId,
+    name: input.name,
+    prompt: input.prompt,
+    actionKind: input.actionKind,
+    allowedTools: input.allowedTools,
+    boundConnectionIds: input.boundConnectionIds,
+    schedule: input.schedule,
+    timezone: input.timezone ?? "UTC",
+    notifyPolicy: input.notifyPolicy ?? "smart",
+    nextRunAt: input.nextRunAt
+  }).returning();
+  if (!row) throw new Error("createScheduledJob: insert returned no row");
+  return row;
+}
+async function getScheduledJob(id, companyId) {
+  const [row] = await db.select().from(scheduledJobs).where(and(eq(scheduledJobs.id, id), eq(scheduledJobs.companyId, companyId), isNull(scheduledJobs.deletedAt)));
+  return row ?? null;
+}
+async function getScheduledJobById(id) {
+  const [row] = await db.select().from(scheduledJobs).where(and(eq(scheduledJobs.id, id), isNull(scheduledJobs.deletedAt)));
+  return row ?? null;
+}
+async function listScheduledJobs(companyId) {
+  return db.select().from(scheduledJobs).where(and(eq(scheduledJobs.companyId, companyId), isNull(scheduledJobs.deletedAt))).orderBy(desc(scheduledJobs.createdAt));
+}
+async function countScheduledJobs(companyId) {
+  const [row] = await db.select({ count: sql`count(*)::int` }).from(scheduledJobs).where(and(eq(scheduledJobs.companyId, companyId), isNull(scheduledJobs.deletedAt)));
+  return row?.count ?? 0;
+}
+async function updateScheduledJob(id, companyId, patch) {
+  const [row] = await db.update(scheduledJobs).set(patch).where(and(eq(scheduledJobs.id, id), eq(scheduledJobs.companyId, companyId), isNull(scheduledJobs.deletedAt))).returning();
+  return row ?? null;
+}
+async function softDeleteScheduledJob(id, companyId) {
+  await db.update(scheduledJobs).set({ deletedAt: /* @__PURE__ */ new Date(), enabled: false }).where(and(eq(scheduledJobs.id, id), eq(scheduledJobs.companyId, companyId)));
+}
+async function listDueScheduledJobs(now) {
+  return db.select().from(scheduledJobs).where(
+    and(
+      eq(scheduledJobs.enabled, true),
+      eq(scheduledJobs.status, "active"),
+      isNull(scheduledJobs.deletedAt),
+      lte(scheduledJobs.nextRunAt, now)
+    )
+  ).orderBy(asc(scheduledJobs.nextRunAt));
+}
+async function startScheduledJobRun(input) {
+  const [row] = await db.insert(scheduledJobRuns).values({ scheduledJobId: input.scheduledJobId, companyId: input.companyId, status: "running", trigger: input.trigger, startedAt: /* @__PURE__ */ new Date() }).returning();
+  if (!row) throw new Error("startScheduledJobRun: insert returned no row");
+  return row;
+}
+async function finishScheduledJobRun(runId, companyId, result) {
+  const scope = and(eq(scheduledJobRuns.id, runId), eq(scheduledJobRuns.companyId, companyId));
+  const [existing] = await db.select({ startedAt: scheduledJobRuns.startedAt }).from(scheduledJobRuns).where(scope);
+  const finishedAt = /* @__PURE__ */ new Date();
+  const durationMs = existing ? Math.max(0, finishedAt.getTime() - existing.startedAt.getTime()) : null;
+  const [row] = await db.update(scheduledJobRuns).set({
+    status: result.status,
+    summary: result.summary ?? null,
+    tokensUsed: result.tokensUsed ?? null,
+    output: result.output ?? null,
+    error: result.error ?? null,
+    finishedAt,
+    durationMs
+  }).where(scope).returning();
+  if (!row) throw new Error("finishScheduledJobRun: update returned no row");
+  return row;
+}
+async function recordMissedRun(scheduledJobId, companyId, summary) {
+  const now = /* @__PURE__ */ new Date();
+  const [row] = await db.insert(scheduledJobRuns).values({
+    scheduledJobId,
+    companyId,
+    status: "missed",
+    trigger: "schedule",
+    startedAt: now,
+    finishedAt: now,
+    durationMs: 0,
+    summary
+  }).returning();
+  if (!row) throw new Error("recordMissedRun: insert returned no row");
+  return row;
+}
+async function listScheduledJobRuns(scheduledJobId, companyId, limit = 50) {
+  return db.select().from(scheduledJobRuns).where(and(eq(scheduledJobRuns.scheduledJobId, scheduledJobId), eq(scheduledJobRuns.companyId, companyId))).orderBy(desc(scheduledJobRuns.startedAt)).limit(limit);
+}
+
+// ../db/src/index.ts
+var g = globalThis;
+function lazySyncPostgresOrThrow() {
+  const resolved = resolveDriver(process.env);
+  if (resolved.driver !== "postgres") {
+    throw new Error(
+      "Database not initialized \u2014 initDatabase() must run first (instrumentation.register does this on boot). PGLite cannot be created synchronously."
+    );
+  }
+  const client = src_default(resolved.connectionString, { max: 10 });
+  const db2 = drizzle(client, { schema: schema_exports });
+  g.__burnless_db = db2;
+  g.__burnless_handle = { db: db2, dialect: "postgres", raw: client, close: () => client.end() };
+  return db2;
+}
+function resolveLiveDb() {
+  return g.__burnless_db ?? lazySyncPostgresOrThrow();
+}
+var db = new Proxy({}, {
+  get(_t, prop, receiver) {
+    const live = resolveLiveDb();
+    const value = Reflect.get(live, prop, receiver);
+    return typeof value === "function" ? value.bind(live) : value;
+  },
+  has(_t, prop) {
+    return Reflect.has(resolveLiveDb(), prop);
+  },
+  // Drizzle's `is(db, PgDatabase)` (used by @auth/drizzle-adapter at import time,
+  // before initDatabase() runs) checks the prototype chain. Both postgres-js and
+  // PGLite drizzle instances are PgDatabase subclasses (public type is
+  // PostgresJsDatabase, a PgDatabase). Forwarding getPrototypeOf to PgDatabase.prototype
+  // makes the Proxy type-detectable WITHOUT a live instance — so adapter construction
+  // works during `next build` page-data collection (no DATABASE_URL yet). spec §6.
+  getPrototypeOf() {
+    return PgDatabase.prototype;
+  }
+});
+async function initDatabase() {
+  if (g.__burnless_db) return g.__burnless_db;
+  const resolved = resolveDriver(process.env);
+  const handle = await createClient(resolved);
+  if (shouldAutoMigrate(handle.dialect, process.env)) {
+    await applyMigrations(handle);
+  }
+  g.__burnless_db = handle.db;
+  g.__burnless_handle = handle;
+  if (handle.dialect === "pglite") g.__burnless_pglite = handle.raw;
+  return handle.db;
+}
+function isDatabaseBooted() {
+  return Boolean(g.__burnless_db);
+}
+async function closeDatabase() {
+  const handle = g.__burnless_handle;
+  delete g.__burnless_db;
+  delete g.__burnless_handle;
+  delete g.__burnless_pglite;
+  if (handle) await handle.close();
+}
+function execRows(result) {
+  return Array.isArray(result) ? result : result.rows ?? [];
+}
+
+export {
+  companyStageEnum,
+  businessModelEnum,
+  accountTypeEnum,
+  accountCategoryEnum,
+  transactionSourceEnum,
+  scenarioSourceEnum,
+  scenarioStatusEnum,
+  scenarioOverrideActionEnum,
+  forecastMethodEnum,
+  expenseFrequencyEnum,
+  memberRoleEnum,
+  integrationTypeEnum,
+  integrationStatusEnum,
+  fundingRoundTypeEnum,
+  revenueStreamTypeEnum,
+  metricCategoryEnum,
+  aiMessageRoleEnum,
+  aiDataModeEnum,
+  aiWriteModeEnum,
+  aiProviderKindEnum,
+  aiApiKeyModeEnum,
+  aiProviderModelSourceEnum,
+  aiPermissionModeEnum,
+  aiToolPermissionDecisionEnum,
+  headcountEmployeeTypeEnum,
+  notificationSeverityEnum,
+  mcpTransportEnum,
+  mcpOwnerScopeEnum,
+  mcpAuthTypeEnum,
+  mcpConnectionStatusEnum,
+  mcpToolPermEnum,
+  users,
+  accounts,
+  sessions,
+  verificationTokens,
+  dataRegionEnum,
+  companies,
+  companyMembers,
+  departments,
+  financialAccounts,
+  transactions,
+  importBatchStatusEnum,
+  importBatches,
+  scenarios,
+  scenarioOverrides,
+  forecastLines,
+  forecastValues,
+  headcountPlans,
+  equityGrantTypeEnum,
+  shareClassTypeEnum,
+  equityGrants,
+  bonusTypeEnum,
+  bonuses,
+  salaryChanges,
+  revenueStreams,
+  fundingRounds,
+  fundingRoundInvestors,
+  shareClasses,
+  optionPools,
+  metrics,
+  integrations,
+  mcpConnections,
+  mcpCredentials,
+  mcpToolPrefs,
+  apiTokens,
+  oauthClients,
+  oauthAuthCodes,
+  oauthTokens,
+  aiFeatureFlags,
+  aiProviders,
+  aiProviderModels,
+  aiConversations,
+  insightInvalidations,
+  aiInsightCacheTypeEnum,
+  aiInsightCache,
+  aiMessages,
+  aiPendingActionKindEnum,
+  aiPendingActions,
+  dashboardModeEnum,
+  dashboardPreferences,
+  usersRelations,
+  companiesRelations,
+  dashboardPreferencesRelations,
+  companyMembersRelations,
+  financialAccountsRelations,
+  transactionsRelations,
+  importBatchesRelations,
+  scenariosRelations,
+  scenarioOverridesRelations,
+  forecastLinesRelations,
+  forecastValuesRelations,
+  departmentsRelations,
+  headcountPlansRelations,
+  salaryChangesRelations,
+  bonusesRelations,
+  equityGrantsRelations,
+  revenueStreamsRelations,
+  fundingRoundsRelations,
+  fundingRoundInvestorsRelations,
+  shareClassesRelations,
+  optionPoolsRelations,
+  metricsRelations,
+  integrationsRelations,
+  aiFeatureFlagsRelations,
+  aiProvidersRelations,
+  aiProviderModelsRelations,
+  aiConversationsRelations,
+  aiInsightCacheRelations,
+  aiMessagesRelations,
+  weeklyDigests,
+  weeklyDigestsRelations,
+  consentPurposeEnum,
+  privacyConsents,
+  privacyConsentsRelations,
+  merchantCategoryMappings,
+  merchantCategoryMappingsRelations,
+  auditActionEnum,
+  auditEntityTypeEnum,
+  financialAuditLogs,
+  financialAuditLogsRelations,
+  scheduledJobActionKindEnum,
+  scheduledJobStatusEnum,
+  scheduledJobNotifyPolicyEnum,
+  scheduledJobRunStatusEnum,
+  scheduledJobRunTriggerEnum,
+  scheduledJobs,
+  scheduledJobRuns,
+  aiToolAuditLogStatusEnum,
+  aiToolAuditLogs,
+  inviteCodeTypeEnum,
+  inviteCodes,
+  inviteCodeRedemptions,
+  inviteCodesRelations,
+  inviteCodeRedemptionsRelations,
+  aiToolAuditLogsRelations,
+  mcpConnectionsRelations,
+  mcpCredentialsRelations,
+  mcpToolPrefsRelations,
+  quickActionModeEnum,
+  userPreferences,
+  userPreferencesRelations,
+  aiPermissionDefaults,
+  aiUsageLogs,
+  exportLogs,
+  notifications,
+  schema_exports,
+  BurnlessDbConfigError,
+  resolveDriver,
+  createClient,
+  shouldAutoMigrate,
+  applyMigrations,
+  getCompanyForUser,
+  getUserWithCompany,
+  getCompanyById,
+  listCompaniesForUser,
+  getScenarioForCompany,
+  getDefaultScenario,
+  getScenarioData,
+  getScenarioDataWithValues,
+  findByIdForCompany,
+  updateForCompany,
+  deleteForCompany,
+  listForCompany,
+  getOverridesForScenario,
+  upsertOverride,
+  deleteOverride,
+  deleteOverrideByEntity,
+  getOverrideCount,
+  getOverrideCounts,
+  getOverrideBreakdown,
+  listInvestorsForRound,
+  listShareClasses,
+  listOptionPools,
+  createShareClass,
+  updateShareClass,
+  softDeleteShareClass,
+  createOptionPool,
+  updateOptionPool,
+  softDeleteOptionPool,
+  countOptionPools,
+  resolveEntities,
+  getResolvedData,
+  planScenarioInsert,
+  commitScenarioPlan,
+  planScenarioUpdate,
+  planScenarioDelete,
+  scenarioInsert,
+  scenarioUpdate,
+  scenarioDelete,
+  promoteScenario,
+  hasFinancialData,
+  SCENARIO_ENTITY_TYPES,
+  listSalaryChanges,
+  listResolvedSalaryChanges,
+  createSalaryChange,
+  updateSalaryChange,
+  removeSalaryChange,
+  listBonuses,
+  listResolvedBonuses,
+  createBonus,
+  updateBonus,
+  removeBonus,
+  listEquityGrants,
+  listResolvedEquityGrants,
+  createEquityGrant,
+  updateEquityGrant,
+  removeEquityGrant,
+  getPermissionDefaults,
+  upsertPermissionDefaults,
+  getSessionGrants,
+  grantSessionPermission,
+  resetSessionGrants,
+  getSessionDisabledTools,
+  setSessionDisabledTool,
+  resetSessionDisabledTools,
+  createPendingAction,
+  getActivePendingAction,
+  resolvePendingAction,
+  updatePendingActionTimeline,
+  LOCAL_OWNER_EMAIL,
+  LOCAL_OWNER_ID,
+  LOCAL_OWNER_COMPANY_ID,
+  createOwnerUserIfNone,
+  createOwnerCompanyIfNone,
+  getOwnerUser,
+  isOwnerClaimed,
+  listUsers,
+  createUser,
+  setUserPassword,
+  encryptSecret,
+  decryptSecret,
+  encryptJson,
+  decryptJson,
+  __resetSecretsKeyCache,
+  slugifyConnectionName,
+  listVisibleConnections,
+  getVisibleConnection,
+  createMcpConnection,
+  updateMcpConnection,
+  deleteMcpConnection,
+  saveMcpCredentials,
+  getMcpCredentialsRow,
+  getDecryptedMcpSecret,
+  listMcpToolPrefs,
+  upsertMcpToolPref,
+  getDisabledMcpConnectionIds,
+  getDisabledBuiltinTools,
+  upsertUserPreferences,
+  listAiProviders,
+  getAiProvider,
+  createAiProvider,
+  updateAiProvider,
+  deleteAiProvider,
+  setDefaultAiProvider,
+  getDefaultAiProvider,
+  getDecryptedProviderKey,
+  listAiProviderModels,
+  addAiProviderModel,
+  setDefaultAiProviderModel,
+  getResolvedDefaultModelId,
+  sha256hex,
+  generateSecretToken,
+  roleScopeCap,
+  mintApiToken,
+  listApiTokensForUser,
+  revokeApiToken,
+  findApiTokenByHash,
+  touchApiTokenLastUsed,
+  createNotification,
+  listNotificationsForUser,
+  countUnreadNotifications,
+  markNotificationsRead,
+  createOauthClient,
+  getOauthClientById,
+  createAuthCode,
+  consumeAuthCode,
+  issueOauthTokens,
+  findOauthTokenByAccessHash,
+  rotateRefreshToken,
+  listOauthGrantsForUser,
+  revokeOauthGrant,
+  createScheduledJob,
+  getScheduledJob,
+  getScheduledJobById,
+  listScheduledJobs,
+  countScheduledJobs,
+  updateScheduledJob,
+  softDeleteScheduledJob,
+  listDueScheduledJobs,
+  startScheduledJobRun,
+  finishScheduledJobRun,
+  recordMissedRun,
+  listScheduledJobRuns,
+  db,
+  initDatabase,
+  isDatabaseBooted,
+  closeDatabase,
+  execRows
+};