chainlesschain 0.66.0 → 0.132.0

package/src/lib/response-cache.js

@@ -154,3 +154,330 @@ export function getCacheStats(db) {
     expired_entries: expired?.cnt || 0,
   };
 }
+
+/* ═══════════════════════════════════════════════════════════════
+ * V2 Surface — Response cache governance layer.
+ * Tracks per-owner cache-profile maturity + per-profile refresh-job
+ * lifecycle independent of SQLite llm_cache table.
+ * ═══════════════════════════════════════════════════════════════ */
+
+export const PROFILE_MATURITY_V2 = Object.freeze({
+  PENDING: "pending",
+  ACTIVE: "active",
+  SUSPENDED: "suspended",
+  ARCHIVED: "archived",
+});
+
+export const REFRESH_JOB_LIFECYCLE_V2 = Object.freeze({
+  QUEUED: "queued",
+  RUNNING: "running",
+  COMPLETED: "completed",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+});
+
+const PROFILE_TRANSITIONS_V2 = new Map([
+  ["pending", new Set(["active", "archived"])],
+  ["active", new Set(["suspended", "archived"])],
+  ["suspended", new Set(["active", "archived"])],
+  ["archived", new Set()],
+]);
+const PROFILE_TERMINALS_V2 = new Set(["archived"]);
+
+const REFRESH_TRANSITIONS_V2 = new Map([
+  ["queued", new Set(["running", "cancelled"])],
+  ["running", new Set(["completed", "failed", "cancelled"])],
+  ["completed", new Set()],
+  ["failed", new Set()],
+  ["cancelled", new Set()],
+]);
+const REFRESH_TERMINALS_V2 = new Set(["completed", "failed", "cancelled"]);
+
+export const CACHE_DEFAULT_MAX_ACTIVE_PROFILES_PER_OWNER = 25;
+export const CACHE_DEFAULT_MAX_PENDING_REFRESH_JOBS_PER_PROFILE = 4;
+export const CACHE_DEFAULT_PROFILE_IDLE_MS = 1000 * 60 * 60 * 24 * 7; // 7 days
+export const CACHE_DEFAULT_REFRESH_STUCK_MS = 1000 * 60 * 10; // 10 min
+
+const _profilesV2 = new Map();
+const _refreshJobsV2 = new Map();
+let _maxActiveProfilesPerOwnerV2 = CACHE_DEFAULT_MAX_ACTIVE_PROFILES_PER_OWNER;
+let _maxPendingRefreshJobsPerProfileV2 =
+  CACHE_DEFAULT_MAX_PENDING_REFRESH_JOBS_PER_PROFILE;
+let _profileIdleMsV2 = CACHE_DEFAULT_PROFILE_IDLE_MS;
+let _refreshStuckMsV2 = CACHE_DEFAULT_REFRESH_STUCK_MS;
+
+function _posIntCacheV2(n, label) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${label} must be a positive integer`);
+  return v;
+}
+
+export function getMaxActiveProfilesPerOwnerV2() {
+  return _maxActiveProfilesPerOwnerV2;
+}
+export function setMaxActiveProfilesPerOwnerV2(n) {
+  _maxActiveProfilesPerOwnerV2 = _posIntCacheV2(n, "maxActiveProfilesPerOwner");
+}
+export function getMaxPendingRefreshJobsPerProfileV2() {
+  return _maxPendingRefreshJobsPerProfileV2;
+}
+export function setMaxPendingRefreshJobsPerProfileV2(n) {
+  _maxPendingRefreshJobsPerProfileV2 = _posIntCacheV2(
+    n,
+    "maxPendingRefreshJobsPerProfile",
+  );
+}
+export function getProfileIdleMsV2() {
+  return _profileIdleMsV2;
+}
+export function setProfileIdleMsV2(n) {
+  _profileIdleMsV2 = _posIntCacheV2(n, "profileIdleMs");
+}
+export function getRefreshStuckMsV2() {
+  return _refreshStuckMsV2;
+}
+export function setRefreshStuckMsV2(n) {
+  _refreshStuckMsV2 = _posIntCacheV2(n, "refreshStuckMs");
+}
+
+export function getActiveProfileCountV2(ownerId) {
+  let n = 0;
+  for (const p of _profilesV2.values()) {
+    if (p.ownerId === ownerId && p.status === "active") n += 1;
+  }
+  return n;
+}
+
+export function getPendingRefreshJobCountV2(profileId) {
+  let n = 0;
+  for (const j of _refreshJobsV2.values()) {
+    if (
+      j.profileId === profileId &&
+      (j.status === "queued" || j.status === "running")
+    )
+      n += 1;
+  }
+  return n;
+}
+
+function _copyProfileV2(p) {
+  return { ...p, metadata: { ...p.metadata } };
+}
+function _copyRefreshJobV2(j) {
+  return { ...j, metadata: { ...j.metadata } };
+}
+
+export function registerProfileV2(
+  id,
+  { ownerId, label, metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!ownerId || typeof ownerId !== "string")
+    throw new Error("ownerId must be a string");
+  if (!label || typeof label !== "string")
+    throw new Error("label must be a string");
+  if (_profilesV2.has(id)) throw new Error(`profile ${id} already exists`);
+  const p = {
+    id,
+    ownerId,
+    label,
+    status: "pending",
+    createdAt: now,
+    lastSeenAt: now,
+    activatedAt: null,
+    archivedAt: null,
+    metadata: { ...metadata },
+  };
+  _profilesV2.set(id, p);
+  return _copyProfileV2(p);
+}
+
+export function getProfileV2(id) {
+  const p = _profilesV2.get(id);
+  return p ? _copyProfileV2(p) : null;
+}
+
+export function listProfilesV2({ ownerId, status } = {}) {
+  const out = [];
+  for (const p of _profilesV2.values()) {
+    if (ownerId && p.ownerId !== ownerId) continue;
+    if (status && p.status !== status) continue;
+    out.push(_copyProfileV2(p));
+  }
+  return out;
+}
+
+export function setProfileStatusV2(id, next, { now = Date.now() } = {}) {
+  const p = _profilesV2.get(id);
+  if (!p) throw new Error(`profile ${id} not found`);
+  if (!PROFILE_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown profile status: ${next}`);
+  if (PROFILE_TERMINALS_V2.has(p.status))
+    throw new Error(`profile ${id} is in terminal state ${p.status}`);
+  const allowed = PROFILE_TRANSITIONS_V2.get(p.status);
+  if (!allowed.has(next))
+    throw new Error(`cannot transition profile from ${p.status} to ${next}`);
+  if (next === "active") {
+    if (p.status === "pending") {
+      const count = getActiveProfileCountV2(p.ownerId);
+      if (count >= _maxActiveProfilesPerOwnerV2)
+        throw new Error(
+          `owner ${p.ownerId} already at active-profile cap (${_maxActiveProfilesPerOwnerV2})`,
+        );
+    }
+    if (!p.activatedAt) p.activatedAt = now;
+  }
+  if (next === "archived" && !p.archivedAt) p.archivedAt = now;
+  p.status = next;
+  p.lastSeenAt = now;
+  return _copyProfileV2(p);
+}
+
+export function activateProfileV2(id, opts) {
+  return setProfileStatusV2(id, "active", opts);
+}
+export function suspendProfileV2(id, opts) {
+  return setProfileStatusV2(id, "suspended", opts);
+}
+export function archiveProfileV2(id, opts) {
+  return setProfileStatusV2(id, "archived", opts);
+}
+
+export function touchProfileV2(id, { now = Date.now() } = {}) {
+  const p = _profilesV2.get(id);
+  if (!p) throw new Error(`profile ${id} not found`);
+  p.lastSeenAt = now;
+  return _copyProfileV2(p);
+}
+
+export function createRefreshJobV2(
+  id,
+  { profileId, kind = "warm", metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!profileId || typeof profileId !== "string")
+    throw new Error("profileId must be a string");
+  if (_refreshJobsV2.has(id)) throw new Error(`job ${id} already exists`);
+  const count = getPendingRefreshJobCountV2(profileId);
+  if (count >= _maxPendingRefreshJobsPerProfileV2)
+    throw new Error(
+      `profile ${profileId} already at pending-refresh-job cap (${_maxPendingRefreshJobsPerProfileV2})`,
+    );
+  const j = {
+    id,
+    profileId,
+    kind,
+    status: "queued",
+    createdAt: now,
+    lastSeenAt: now,
+    startedAt: null,
+    settledAt: null,
+    metadata: { ...metadata },
+  };
+  _refreshJobsV2.set(id, j);
+  return _copyRefreshJobV2(j);
+}
+
+export function getRefreshJobV2(id) {
+  const j = _refreshJobsV2.get(id);
+  return j ? _copyRefreshJobV2(j) : null;
+}
+
+export function listRefreshJobsV2({ profileId, status } = {}) {
+  const out = [];
+  for (const j of _refreshJobsV2.values()) {
+    if (profileId && j.profileId !== profileId) continue;
+    if (status && j.status !== status) continue;
+    out.push(_copyRefreshJobV2(j));
+  }
+  return out;
+}
+
+export function setRefreshJobStatusV2(id, next, { now = Date.now() } = {}) {
+  const j = _refreshJobsV2.get(id);
+  if (!j) throw new Error(`job ${id} not found`);
+  if (!REFRESH_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown job status: ${next}`);
+  if (REFRESH_TERMINALS_V2.has(j.status))
+    throw new Error(`job ${id} is in terminal state ${j.status}`);
+  const allowed = REFRESH_TRANSITIONS_V2.get(j.status);
+  if (!allowed.has(next))
+    throw new Error(`cannot transition job from ${j.status} to ${next}`);
+  if (next === "running" && !j.startedAt) j.startedAt = now;
+  if (REFRESH_TERMINALS_V2.has(next) && !j.settledAt) j.settledAt = now;
+  j.status = next;
+  j.lastSeenAt = now;
+  return _copyRefreshJobV2(j);
+}
+
+export function startRefreshJobV2(id, opts) {
+  return setRefreshJobStatusV2(id, "running", opts);
+}
+export function completeRefreshJobV2(id, opts) {
+  return setRefreshJobStatusV2(id, "completed", opts);
+}
+export function failRefreshJobV2(id, opts) {
+  return setRefreshJobStatusV2(id, "failed", opts);
+}
+export function cancelRefreshJobV2(id, opts) {
+  return setRefreshJobStatusV2(id, "cancelled", opts);
+}
+
+export function autoSuspendIdleProfilesV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const p of _profilesV2.values()) {
+    if (p.status !== "active") continue;
+    if (now - p.lastSeenAt > _profileIdleMsV2) {
+      p.status = "suspended";
+      p.lastSeenAt = now;
+      flipped.push(_copyProfileV2(p));
+    }
+  }
+  return flipped;
+}
+
+export function autoFailStuckRefreshJobsV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const j of _refreshJobsV2.values()) {
+    if (j.status !== "running") continue;
+    if (now - j.lastSeenAt > _refreshStuckMsV2) {
+      j.status = "failed";
+      j.lastSeenAt = now;
+      if (!j.settledAt) j.settledAt = now;
+      flipped.push(_copyRefreshJobV2(j));
+    }
+  }
+  return flipped;
+}
+
+export function getResponseCacheStatsV2() {
+  const profilesByStatus = {};
+  for (const v of Object.values(PROFILE_MATURITY_V2)) profilesByStatus[v] = 0;
+  for (const p of _profilesV2.values()) profilesByStatus[p.status] += 1;
+
+  const jobsByStatus = {};
+  for (const v of Object.values(REFRESH_JOB_LIFECYCLE_V2)) jobsByStatus[v] = 0;
+  for (const j of _refreshJobsV2.values()) jobsByStatus[j.status] += 1;
+
+  return {
+    totalProfilesV2: _profilesV2.size,
+    totalRefreshJobsV2: _refreshJobsV2.size,
+    maxActiveProfilesPerOwner: _maxActiveProfilesPerOwnerV2,
+    maxPendingRefreshJobsPerProfile: _maxPendingRefreshJobsPerProfileV2,
+    profileIdleMs: _profileIdleMsV2,
+    refreshStuckMs: _refreshStuckMsV2,
+    profilesByStatus,
+    jobsByStatus,
+  };
+}
+
+export function _resetStateResponseCacheV2() {
+  _profilesV2.clear();
+  _refreshJobsV2.clear();
+  _maxActiveProfilesPerOwnerV2 = CACHE_DEFAULT_MAX_ACTIVE_PROFILES_PER_OWNER;
+  _maxPendingRefreshJobsPerProfileV2 =
+    CACHE_DEFAULT_MAX_PENDING_REFRESH_JOBS_PER_PROFILE;
+  _profileIdleMsV2 = CACHE_DEFAULT_PROFILE_IDLE_MS;
+  _refreshStuckMsV2 = CACHE_DEFAULT_REFRESH_STUCK_MS;
+}

package/src/lib/scim-manager.js

@@ -210,3 +210,332 @@ export function _resetState() {
   _connectors.clear();
   _syncLog.length = 0;
 }
+
+/* ═══════════════════════════════════════════════════════════════
+ * V2 Surface — SCIM provisioning lifecycle layer.
+ * Tracks identities and sync-job lifecycle independent of legacy
+ * createUser/syncProvision flows above.
+ * ═══════════════════════════════════════════════════════════════ */
+
+export const IDENTITY_LIFECYCLE_V2 = Object.freeze({
+  PENDING: "pending",
+  PROVISIONED: "provisioned",
+  SUSPENDED: "suspended",
+  DEPROVISIONED: "deprovisioned",
+});
+
+export const SYNC_JOB_V2 = Object.freeze({
+  QUEUED: "queued",
+  RUNNING: "running",
+  SUCCEEDED: "succeeded",
+  FAILED: "failed",
+  CANCELLED: "cancelled",
+});
+
+const IDENTITY_TRANSITIONS_V2 = new Map([
+  ["pending", new Set(["provisioned", "deprovisioned"])],
+  ["provisioned", new Set(["suspended", "deprovisioned"])],
+  ["suspended", new Set(["provisioned", "deprovisioned"])],
+  ["deprovisioned", new Set()],
+]);
+const IDENTITY_TERMINALS_V2 = new Set(["deprovisioned"]);
+
+const SYNC_TRANSITIONS_V2 = new Map([
+  ["queued", new Set(["running", "cancelled"])],
+  ["running", new Set(["succeeded", "failed", "cancelled"])],
+  ["succeeded", new Set()],
+  ["failed", new Set()],
+  ["cancelled", new Set()],
+]);
+const SYNC_TERMINALS_V2 = new Set(["succeeded", "failed", "cancelled"]);
+
+export const SCIM_DEFAULT_MAX_PROVISIONED_PER_CONNECTOR = 1000;
+export const SCIM_DEFAULT_MAX_RUNNING_SYNC_PER_CONNECTOR = 2;
+export const SCIM_DEFAULT_IDENTITY_IDLE_MS = 1000 * 60 * 60 * 24 * 90; // 90 days
+export const SCIM_DEFAULT_SYNC_STUCK_MS = 1000 * 60 * 30; // 30 min
+
+const _identitiesV2 = new Map();
+const _syncJobsV2 = new Map();
+let _maxProvisionedPerConnectorV2 = SCIM_DEFAULT_MAX_PROVISIONED_PER_CONNECTOR;
+let _maxRunningSyncPerConnectorV2 = SCIM_DEFAULT_MAX_RUNNING_SYNC_PER_CONNECTOR;
+let _identityIdleMsV2 = SCIM_DEFAULT_IDENTITY_IDLE_MS;
+let _syncStuckMsV2 = SCIM_DEFAULT_SYNC_STUCK_MS;
+
+function _posIntScimV2(n, label) {
+  const v = Math.floor(Number(n));
+  if (!Number.isFinite(v) || v <= 0)
+    throw new Error(`${label} must be a positive integer`);
+  return v;
+}
+
+export function getMaxProvisionedPerConnectorV2() {
+  return _maxProvisionedPerConnectorV2;
+}
+export function setMaxProvisionedPerConnectorV2(n) {
+  _maxProvisionedPerConnectorV2 = _posIntScimV2(
+    n,
+    "maxProvisionedPerConnector",
+  );
+}
+export function getMaxRunningSyncPerConnectorV2() {
+  return _maxRunningSyncPerConnectorV2;
+}
+export function setMaxRunningSyncPerConnectorV2(n) {
+  _maxRunningSyncPerConnectorV2 = _posIntScimV2(
+    n,
+    "maxRunningSyncPerConnector",
+  );
+}
+export function getIdentityIdleMsV2() {
+  return _identityIdleMsV2;
+}
+export function setIdentityIdleMsV2(n) {
+  _identityIdleMsV2 = _posIntScimV2(n, "identityIdleMs");
+}
+export function getSyncStuckMsV2() {
+  return _syncStuckMsV2;
+}
+export function setSyncStuckMsV2(n) {
+  _syncStuckMsV2 = _posIntScimV2(n, "syncStuckMs");
+}
+
+export function getProvisionedCountV2(connectorId) {
+  let n = 0;
+  for (const i of _identitiesV2.values()) {
+    if (i.connectorId === connectorId && i.status === "provisioned") n += 1;
+  }
+  return n;
+}
+
+export function getRunningSyncCountV2(connectorId) {
+  let n = 0;
+  for (const j of _syncJobsV2.values()) {
+    if (j.connectorId === connectorId && j.status === "running") n += 1;
+  }
+  return n;
+}
+
+function _copyIdentityV2(i) {
+  return { ...i, metadata: { ...i.metadata } };
+}
+function _copySyncV2(j) {
+  return { ...j, metadata: { ...j.metadata } };
+}
+
+export function registerIdentityV2(
+  id,
+  { connectorId, externalId, metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!connectorId || typeof connectorId !== "string")
+    throw new Error("connectorId must be a string");
+  if (!externalId || typeof externalId !== "string")
+    throw new Error("externalId must be a string");
+  if (_identitiesV2.has(id)) throw new Error(`identity ${id} already exists`);
+  const i = {
+    id,
+    connectorId,
+    externalId,
+    status: "pending",
+    createdAt: now,
+    lastSeenAt: now,
+    provisionedAt: null,
+    deprovisionedAt: null,
+    metadata: { ...metadata },
+  };
+  _identitiesV2.set(id, i);
+  return _copyIdentityV2(i);
+}
+
+export function getIdentityV2(id) {
+  const i = _identitiesV2.get(id);
+  return i ? _copyIdentityV2(i) : null;
+}
+
+export function listIdentitiesV2({ connectorId, status } = {}) {
+  const out = [];
+  for (const i of _identitiesV2.values()) {
+    if (connectorId && i.connectorId !== connectorId) continue;
+    if (status && i.status !== status) continue;
+    out.push(_copyIdentityV2(i));
+  }
+  return out;
+}
+
+export function setIdentityStatusV2(id, next, { now = Date.now() } = {}) {
+  const i = _identitiesV2.get(id);
+  if (!i) throw new Error(`identity ${id} not found`);
+  if (!IDENTITY_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown identity status: ${next}`);
+  if (IDENTITY_TERMINALS_V2.has(i.status))
+    throw new Error(`identity ${id} is in terminal state ${i.status}`);
+  const allowed = IDENTITY_TRANSITIONS_V2.get(i.status);
+  if (!allowed.has(next))
+    throw new Error(`cannot transition identity from ${i.status} to ${next}`);
+  if (next === "provisioned") {
+    if (i.status === "pending") {
+      const count = getProvisionedCountV2(i.connectorId);
+      if (count >= _maxProvisionedPerConnectorV2)
+        throw new Error(
+          `connector ${i.connectorId} already at provisioned cap (${_maxProvisionedPerConnectorV2})`,
+        );
+    }
+    if (!i.provisionedAt) i.provisionedAt = now;
+  }
+  if (next === "deprovisioned" && !i.deprovisionedAt) i.deprovisionedAt = now;
+  i.status = next;
+  i.lastSeenAt = now;
+  return _copyIdentityV2(i);
+}
+
+export function provisionIdentityV2(id, opts) {
+  return setIdentityStatusV2(id, "provisioned", opts);
+}
+export function suspendIdentityV2(id, opts) {
+  return setIdentityStatusV2(id, "suspended", opts);
+}
+export function deprovisionIdentityV2(id, opts) {
+  return setIdentityStatusV2(id, "deprovisioned", opts);
+}
+
+export function touchIdentityV2(id, { now = Date.now() } = {}) {
+  const i = _identitiesV2.get(id);
+  if (!i) throw new Error(`identity ${id} not found`);
+  i.lastSeenAt = now;
+  return _copyIdentityV2(i);
+}
+
+export function createSyncJobV2(
+  id,
+  { connectorId, kind = "full", metadata = {}, now = Date.now() } = {},
+) {
+  if (!id || typeof id !== "string") throw new Error("id must be a string");
+  if (!connectorId || typeof connectorId !== "string")
+    throw new Error("connectorId must be a string");
+  if (_syncJobsV2.has(id)) throw new Error(`syncJob ${id} already exists`);
+  const j = {
+    id,
+    connectorId,
+    kind,
+    status: "queued",
+    createdAt: now,
+    lastSeenAt: now,
+    startedAt: null,
+    finishedAt: null,
+    metadata: { ...metadata },
+  };
+  _syncJobsV2.set(id, j);
+  return _copySyncV2(j);
+}
+
+export function getSyncJobV2(id) {
+  const j = _syncJobsV2.get(id);
+  return j ? _copySyncV2(j) : null;
+}
+
+export function listSyncJobsV2({ connectorId, status } = {}) {
+  const out = [];
+  for (const j of _syncJobsV2.values()) {
+    if (connectorId && j.connectorId !== connectorId) continue;
+    if (status && j.status !== status) continue;
+    out.push(_copySyncV2(j));
+  }
+  return out;
+}
+
+export function setSyncJobStatusV2(id, next, { now = Date.now() } = {}) {
+  const j = _syncJobsV2.get(id);
+  if (!j) throw new Error(`syncJob ${id} not found`);
+  if (!SYNC_TRANSITIONS_V2.has(next))
+    throw new Error(`unknown syncJob status: ${next}`);
+  if (SYNC_TERMINALS_V2.has(j.status))
+    throw new Error(`syncJob ${id} is in terminal state ${j.status}`);
+  const allowed = SYNC_TRANSITIONS_V2.get(j.status);
+  if (!allowed.has(next))
+    throw new Error(`cannot transition syncJob from ${j.status} to ${next}`);
+  if (next === "running" && j.status === "queued") {
+    const count = getRunningSyncCountV2(j.connectorId);
+    if (count >= _maxRunningSyncPerConnectorV2)
+      throw new Error(
+        `connector ${j.connectorId} already at running-sync cap (${_maxRunningSyncPerConnectorV2})`,
+      );
+    if (!j.startedAt) j.startedAt = now;
+  }
+  if (SYNC_TERMINALS_V2.has(next) && !j.finishedAt) j.finishedAt = now;
+  j.status = next;
+  j.lastSeenAt = now;
+  return _copySyncV2(j);
+}
+
+export function startSyncJobV2(id, opts) {
+  return setSyncJobStatusV2(id, "running", opts);
+}
+export function succeedSyncJobV2(id, opts) {
+  return setSyncJobStatusV2(id, "succeeded", opts);
+}
+export function failSyncJobV2(id, opts) {
+  return setSyncJobStatusV2(id, "failed", opts);
+}
+export function cancelSyncJobV2(id, opts) {
+  return setSyncJobStatusV2(id, "cancelled", opts);
+}
+
+export function autoDeprovisionIdleIdentitiesV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const i of _identitiesV2.values()) {
+    if (i.status === "deprovisioned" || i.status === "pending") continue;
+    if (now - i.lastSeenAt > _identityIdleMsV2) {
+      i.status = "deprovisioned";
+      i.lastSeenAt = now;
+      if (!i.deprovisionedAt) i.deprovisionedAt = now;
+      flipped.push(_copyIdentityV2(i));
+    }
+  }
+  return flipped;
+}
+
+export function autoFailStuckSyncJobsV2({ now = Date.now() } = {}) {
+  const flipped = [];
+  for (const j of _syncJobsV2.values()) {
+    if (j.status !== "running") continue;
+    const ref = j.startedAt ?? j.lastSeenAt;
+    if (now - ref > _syncStuckMsV2) {
+      j.status = "failed";
+      j.lastSeenAt = now;
+      if (!j.finishedAt) j.finishedAt = now;
+      flipped.push(_copySyncV2(j));
+    }
+  }
+  return flipped;
+}
+
+export function getScimManagerStatsV2() {
+  const identitiesByStatus = {};
+  for (const v of Object.values(IDENTITY_LIFECYCLE_V2))
+    identitiesByStatus[v] = 0;
+  for (const i of _identitiesV2.values()) identitiesByStatus[i.status] += 1;
+
+  const syncJobsByStatus = {};
+  for (const v of Object.values(SYNC_JOB_V2)) syncJobsByStatus[v] = 0;
+  for (const j of _syncJobsV2.values()) syncJobsByStatus[j.status] += 1;
+
+  return {
+    totalIdentitiesV2: _identitiesV2.size,
+    totalSyncJobsV2: _syncJobsV2.size,
+    maxProvisionedPerConnector: _maxProvisionedPerConnectorV2,
+    maxRunningSyncPerConnector: _maxRunningSyncPerConnectorV2,
+    identityIdleMs: _identityIdleMsV2,
+    syncStuckMs: _syncStuckMsV2,
+    identitiesByStatus,
+    syncJobsByStatus,
+  };
+}
+
+export function _resetStateScimManagerV2() {
+  _identitiesV2.clear();
+  _syncJobsV2.clear();
+  _maxProvisionedPerConnectorV2 = SCIM_DEFAULT_MAX_PROVISIONED_PER_CONNECTOR;
+  _maxRunningSyncPerConnectorV2 = SCIM_DEFAULT_MAX_RUNNING_SYNC_PER_CONNECTOR;
+  _identityIdleMsV2 = SCIM_DEFAULT_IDENTITY_IDLE_MS;
+  _syncStuckMsV2 = SCIM_DEFAULT_SYNC_STUCK_MS;
+}