npm - dominus-sdk-nodejs - Versions diffs - 1.23.0 → 1.24.1 - Mend

dominus-sdk-nodejs 1.23.0 → 1.24.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/README.md +58 -43
package/dist/namespaces/db.d.ts +32 -4
package/dist/namespaces/db.d.ts.map +1 -1
package/dist/namespaces/db.js +43 -11
package/dist/namespaces/db.js.map +1 -1
package/docs/architecture.md +186 -23
package/docs/services.md +479 -0
package/package.json +1 -1
package/docs/development.md +0 -30
package/docs/namespaces.md +0 -38

package/README.md CHANGED Viewed

@@ -1,66 +1,81 @@
 # Dominus SDK for Node.js
-TypeScript SDK for CareBridge Dominus services. Provides a single, async-first client that routes through the Dominus Gateway, handles JWT minting/caching, and exposes service namespaces for secrets, data, files, auth, AI workflows, and more.
+TypeScript SDK for CareBridge Dominus services. Provides a single, async-first client that routes through the Dominus Gateway, handles JWT minting/caching, and exposes service namespaces for secrets, database, files, auth, AI workflows, and more.
 ## What This Is
-- Server-side SDK for Node.js 18+ (ESM)
-- Default routing through the Dominus Gateway with base64-encoded JSON bodies
-- Namespace API plus root-level shortcuts for common operations
+- **Server-side SDK** for Node.js 18+ (ESM-only, native fetch)
+- **Gateway-first routing** -- all requests route through the Dominus Gateway (`/api/*` transformed to `/svc/*`)
+- **Base64-encoded JSON bodies** for all request/response payloads (handled transparently)
+- **19 service namespaces** plus root-level shortcuts for common operations
+- **Built-in resilience**: retries with exponential backoff, circuit breaker, JWT caching
 ## Quick Start
-```ts
+```typescript
 import { dominus } from 'dominus-sdk-nodejs';
 process.env.DOMINUS_TOKEN = 'your-psk-token';
+// Database CRUD
 const users = await dominus.db.query('users', { filters: { status: 'active' } });
+await dominus.db.insert('users', { name: 'John', status: 'active' });
+// Cache and locks
 await dominus.redis.set('session:123', { user: 'john' }, { ttl: 3600 });
+// File storage
 const file = await dominus.files.upload(buffer, 'report.pdf', { category: 'reports' });
+// AI agents and workflows
+const result = await dominus.ai.runAgent({ conversationId: 'conv-1', userPrompt: 'analyze data' });
 ```
-## Architecture (SDK View)
-- DOMINUS_TOKEN (PSK) -> Gateway `/jwt/mint` -> JWT cached in `dominusCache`
-- All JSON requests/responses are base64-encoded
-- GET requests send no body; all parameters must be in path or POST body
-- SDK defaults to gateway routing (`/api/*` -> `/svc/*`)
-## Namespaces
-- `dominus.secrets` (Warden) secrets CRUD
-- `dominus.db` / `dominus.secure` (Scribe) database CRUD + audit-logged tables
-- `dominus.redis` (Whisperer) cache, locks, counters
-- `dominus.files` (Archivist) object storage
-- `dominus.auth` (Guardian) users/roles/scopes/tenants/pages
-- `dominus.ddl` (Smith) schema DDL and migrations
-- `dominus.logs` (Herald) structured logs
-- `dominus.portal` (Portal) user sessions/profile
-- `dominus.courier` (Courier) email
-- `dominus.open` (Scribe Open) direct DB access
-- `dominus.health` health checks
-- `dominus.stt` (Oracle) streaming speech-to-text (WebSocket + VAD)
-- `dominus.admin` admin reseed/reset operations
-- `dominus.ai` agent-runtime: LLM, RAG, artifacts, results, orchestration
-- `dominus.workflow` workflow-manager CRUD and execution
-## 2026-02-21 Workflow Contract Alignment
-- `workflow.list()` -> `GET /api/workflow/workflows`
-- `workflow.listCategories()` -> `GET /api/workflow/categories`
-- `workflow.reorderCategory()` -> `PUT /api/workflow/categories/{category_id}/workflows/order`
+## Features
+| Category | Services |
+|----------|----------|
+| **Data & Persistence** | Database CRUD (`db`), secure audit-logged tables (`secure`), secrets (`secrets`), files via B2 (`files`), Redis cache/locks (`redis`) |
+| **Auth & Access** | User/role/scope/tenant/page CRUD (`auth`), session management (`portal`), access control |
+| **AI & Orchestration** | LLM completions multi-provider (`ai`), RAG, artifacts, speech STT/TTS, workflows (`workflow`), agent execution, Oracle streaming STT (`stt`) |
+| **Infrastructure** | Schema DDL + migrations + Schema Builder (`ddl`), structured logging (`logs`), job queue (`jobs`/`processor`), email delivery (`courier`), provisioning (`db.syncSchema`) |
+| **Admin & Ops** | Admin reseed/reset (`admin`), KV sync (`sync`), artifact storage (`artifacts`), health checks (`health`) |
+| **Resilience** | Retries with backoff + jitter, circuit breaker (5 failures / 30s recovery), JWT caching (14 min) |
+## Database Architecture
+The platform uses a **3-role Neon PostgreSQL model**:
+| Role | Database | Purpose |
+|------|----------|---------|
+| `neondb_owner` | both | DDL provisioning, schema sync, migrations |
+| `dominus_user` | `dominus` | Backend schemas: auth, logs, meta, object, rag, agent, observability, workflow, tenant_admin |
+| `open_user` | `dominus_open` | User-facing schemas: tenant_*, cat_* |
+`dominus.db.syncSchema()` is the idempotent provisioning entry point. It creates missing schemas, tables, indexes, and seeds default data across both databases using the appropriate roles.
 ## Configuration
-Required:
-- `DOMINUS_TOKEN` (PSK)
-Optional:
-- `DOMINUS_GATEWAY_URL` (defaults to production gateway)
-- `DOMINUS_BASE_URL` (override base URL; defaults to gateway)
-- `DOMINUS_DEBUG=true` (extra logs)
-- `DOMINUS_HTTP_PROXY` / `DOMINUS_HTTPS_PROXY` (proxy hints only)
+| Variable | Required | Default | Purpose |
+|----------|----------|---------|---------|
+| `DOMINUS_TOKEN` | Yes | -- | PSK for JWT minting |
+| `DOMINUS_GATEWAY_URL` | No | `https://gateway.getdominus.app` | Gateway base URL |
+| `DOMINUS_BASE_URL` | No | Gateway URL | Override base URL for all requests |
+| `DOMINUS_DEBUG` | No | `false` | Enable debug logging |
+| `DOMINUS_CAPTURE_CONSOLE` | No | `false` | Auto-capture console.log to Dominus logs |
+| `DOMINUS_HTTP_PROXY` | No | -- | HTTP proxy hint (informational) |
+| `DOMINUS_HTTPS_PROXY` | No | -- | HTTPS proxy hint (informational) |
 ## Documentation
-- `docs/architecture.md`
-- `docs/namespaces.md`
-- `docs/development.md`
+- [CLAUDE.md](CLAUDE.md) -- LLM and developer guide: conventions, repo map, workflow
+- [docs/architecture.md](docs/architecture.md) -- Technical architecture, request flow, resilience patterns
+- [docs/services.md](docs/services.md) -- Comprehensive reference of all 19 namespaces, endpoints, and methods
+## Version
+Current: **1.24.0** (see `package.json`)
 ## License
-Proprietary - CareBridge Systems
+Proprietary -- CareBridge Systems

package/dist/namespaces/db.d.ts CHANGED Viewed

@@ -7,6 +7,7 @@
 import type { DominusClient } from '../lib/client.js';
 export interface QueryOptions {
     schema?: string;
+    open?: boolean;
     filters?: Record<string, unknown>;
     sortBy?: string;
     sortOrder?: 'ASC' | 'DESC';
@@ -39,14 +40,18 @@ export declare class DbNamespace {
      *
      * @returns List of schema names
      */
-    schemas(): Promise<string[]>;
+    schemas(options?: {
+        open?: boolean;
+    }): Promise<string[]>;
     /**
      * List tables in a schema.
      *
      * @param schema - Schema name (default: "public")
      * @returns List of table metadata
      */
-    tables(schema?: string): Promise<TableInfo[]>;
+    tables(schema?: string, options?: {
+        open?: boolean;
+    }): Promise<TableInfo[]>;
     /**
      * List columns in a table.
      *
@@ -54,7 +59,9 @@ export declare class DbNamespace {
      * @param schema - Schema name (default: "public")
      * @returns List of column metadata
      */
-    columns(table: string, schema?: string): Promise<ColumnInfo[]>;
+    columns(table: string, schema?: string, options?: {
+        open?: boolean;
+    }): Promise<ColumnInfo[]>;
     /**
      * Query table data with filtering, sorting, and pagination.
      *
@@ -73,6 +80,7 @@ export declare class DbNamespace {
      */
     insert(table: string, data: Record<string, unknown>, options?: {
         schema?: string;
+        open?: boolean;
         reason?: string;
         actor?: string;
     }): Promise<Record<string, unknown>>;
@@ -87,6 +95,7 @@ export declare class DbNamespace {
      */
     update(table: string, data: Record<string, unknown>, filters: Record<string, unknown>, options?: {
         schema?: string;
+        open?: boolean;
         reason?: string;
         actor?: string;
     }): Promise<{
@@ -102,11 +111,27 @@ export declare class DbNamespace {
      */
     delete(table: string, filters: Record<string, unknown>, options?: {
         schema?: string;
+        open?: boolean;
         reason?: string;
         actor?: string;
     }): Promise<{
         affected_rows: number;
     }>;
+    /**
+     * Execute raw SQL queries.
+     *
+     * @param sql - SQL query with $1, $2 style placeholders
+     * @param params - Parameter values for placeholders
+     * @param options - Query options (schema, reason, actor)
+     * @returns Query result with rows and total count
+     */
+    raw(sql: string, params?: unknown[], options?: {
+        schema?: string;
+        open?: boolean;
+        reason?: string;
+        actor?: string;
+        use_shared?: boolean;
+    }): Promise<QueryResult>;
     /**
      * Insert multiple rows at once using a transaction.
      *
@@ -129,7 +154,10 @@ export declare class DbNamespace {
      * Creates missing schemas, tables, indexes, and seeds default data.
      * This is fully idempotent - safe to call multiple times.
      *
-     * Protected schemas synced: auth, logs, meta, object, observability, workflow
+     * 3-role model: neondb_owner (provisioning), dominus_user (backend),
+     * open_user (user DB). Syncs backend schemas (auth, logs, meta, object,
+     * rag, agent, observability, workflow, tenant_admin) to dominus DB and
+     * user schemas (tenant_*, cat_*) to dominus_open DB.
      *
      * @returns Sync result with created schemas, tables, indexes
      */

package/dist/namespaces/db.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/namespaces/db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,WAAW;IACV,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,aAAa;IAEzC;;;;;;;OAOG;IACG,OAAO,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;~~IAQlC~~;;;;;OAKG;IACG,MAAM,CAAC,MAAM,SAAW,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;~~IAQrD~~;;;;;;OAMG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,SAAW,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;~~IAQtE~~;;;;;;OAMG;IACG,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,WAAW,CAAC;~~IAoC5E~~;;;;;;;OAOG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,~~GACjE~~,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;~~IAoBnC~~;;;;;;;;OAQG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,~~GACjE~~,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;~~IAoBrC~~;;;;;;;OAOG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,~~GACjE~~,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;~~IAmBrC~~;;;;;;;OAOG;IACG,UAAU,CACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EACpC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjE,OAAO,CAAC;QAAE,cAAc,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;KAAE,CAAC;IA2C7E~~;;;;;;;;;OASG~~;IACG,UAAU,IAAI,OAAO,CAAC;QAC1B,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,EAAE;YACR,OAAO,EAAE,OAAO,CAAC;YACjB,eAAe,EAAE,MAAM,EAAE,CAAC;SAC3B,CAAC;KACH,CAAC;CAOH"}
1	+ {"version":3,"file":"db.d.ts","sourceRoot":"","sources":["../../src/namespaces/db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,kBAAkB,CAAC;AAEtD,MAAM,WAAW,YAAY;IAC3B,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAClC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IAC3B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC;IACrC,KAAK,EAAE,MAAM,CAAC;CACf;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,qBAAa,WAAW;IACV,OAAO,CAAC,MAAM;gBAAN,MAAM,EAAE,aAAa;IAEzC;;;;;;;OAOG;IACG,OAAO,CAAC,OAAO,GAAE;QAAE,IAAI,CAAC,EAAE,OAAO,CAAA;KAAO,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC;IAQlE;;;;;OAKG;IACG,MAAM,CAAC,MAAM,SAAW,EAAE,OAAO,GAAE;QAAE,IAAI,CAAC,EAAE,OAAO,CAAA;KAAO,GAAG,OAAO,CAAC,SAAS,EAAE,CAAC;IAQvF;;;;;;OAMG;IACG,OAAO,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,SAAW,EAAE,OAAO,GAAE;QAAE,IAAI,CAAC,EAAE,OAAO,CAAA;KAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAQxG;;;;;;OAMG;IACG,KAAK,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,GAAE,YAAiB,GAAG,OAAO,CAAC,WAAW,CAAC;IAsC5E;;;;;;;OAOG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjF,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAqBnC;;;;;;;;OAQG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC7B,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjF,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAqBrC;;;;;;;OAOG;IACG,MAAM,CACV,KAAK,EAAE,MAAM,EACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAChC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjF,OAAO,CAAC;QAAE,aAAa,EAAE,MAAM,CAAA;KAAE,CAAC;IAoBrC;;;;;;;OAOG;IACG,GAAG,CACP,GAAG,EAAE,MAAM,EACX,MAAM,GAAE,OAAO,EAAO,EACtB,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,OAAO,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAO,GACvG,OAAO,CAAC,WAAW,CAAC;IAuBvB;;;;;;;OAOG;IACG,UAAU,CACd,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,EACpC,OAAO,GAAE;QAAE,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAO,GACjE,OAAO,CAAC;QAAE,cAAc,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,CAAA;KAAE,CAAC;IA2C7E;;;;;;;;;;;;OAYG;IACG,UAAU,IAAI,OAAO,CAAC;QAC1B,OAAO,EAAE,OAAO,CAAC;QACjB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,cAAc,EAAE,MAAM,EAAE,CAAC;QACzB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,EAAE,MAAM,EAAE,CAAC;QACjB,OAAO,CAAC,EAAE;YACR,OAAO,EAAE,OAAO,CAAC;YACjB,eAAe,EAAE,MAAM,EAAE,CAAC;SAC3B,CAAC;KACH,CAAC;CAOH"}

package/dist/namespaces/db.js CHANGED Viewed

@@ -17,10 +17,10 @@ export class DbNamespace {
      *
      * @returns List of schema names
      */
-    async schemas() {
+    async schemas(options = {}) {
         const result = await this.client.request({
             endpoint: '/api/database/schemas',
-            body: {},
+            body: { open: options.open },
         });
         return result.schemas || [];
     }
@@ -30,10 +30,10 @@ export class DbNamespace {
      * @param schema - Schema name (default: "public")
      * @returns List of table metadata
      */
-    async tables(schema = 'public') {
+    async tables(schema = 'public', options = {}) {
         const result = await this.client.request({
             endpoint: '/api/database/tables',
-            body: { schema },
+            body: { schema, open: options.open },
         });
         return result.tables || [];
     }
@@ -44,10 +44,10 @@ export class DbNamespace {
      * @param schema - Schema name (default: "public")
      * @returns List of column metadata
      */
-    async columns(table, schema = 'public') {
+    async columns(table, schema = 'public', options = {}) {
         const result = await this.client.request({
             endpoint: '/api/database/columns',
-            body: { table, schema },
+            body: { table, schema, open: options.open },
         });
         return result.columns || [];
     }
@@ -59,7 +59,7 @@ export class DbNamespace {
      * @returns Query result with rows and total count
      */
     async query(table, options = {}) {
-        const { schema = 'public', filters, sortBy, sortOrder = 'ASC', limit = 100, offset = 0, } = options;
+        const { schema = 'public', open, filters, sortBy, sortOrder = 'ASC', limit = 100, offset = 0, } = options;
         // Build order_by in DB Worker format: [{column, direction}]
         const order_by = sortBy
             ? [{ column: sortBy, direction: sortOrder }]
@@ -69,6 +69,7 @@ export class DbNamespace {
             body: {
                 table,
                 schema,
+                open,
                 where: filters,
                 order_by,
                 limit,
@@ -89,12 +90,13 @@ export class DbNamespace {
      * @returns Inserted row data
      */
     async insert(table, data, options = {}) {
-        const { schema = 'public' } = options;
+        const { schema = 'public', open } = options;
         const result = await this.client.request({
             endpoint: '/api/database/insert',
             body: {
                 table,
                 schema,
+                open,
                 data,
                 returning: ['*'],
             },
@@ -112,12 +114,13 @@ export class DbNamespace {
      * @returns Affected rows count
      */
     async update(table, data, filters, options = {}) {
-        const { schema = 'public' } = options;
+        const { schema = 'public', open } = options;
         const result = await this.client.request({
             endpoint: '/api/database/update',
             body: {
                 table,
                 schema,
+                open,
                 data,
                 where: filters,
                 returning: ['*'],
@@ -134,18 +137,44 @@ export class DbNamespace {
      * @returns Affected rows count
      */
     async delete(table, filters, options = {}) {
-        const { schema = 'public' } = options;
+        const { schema = 'public', open } = options;
         const result = await this.client.request({
             endpoint: '/api/database/delete',
             body: {
                 table,
                 schema,
+                open,
                 where: filters,
                 returning: ['*'],
             },
         });
         return { affected_rows: result.row_count ?? 0 };
     }
+    /**
+     * Execute raw SQL queries.
+     *
+     * @param sql - SQL query with $1, $2 style placeholders
+     * @param params - Parameter values for placeholders
+     * @param options - Query options (schema, reason, actor)
+     * @returns Query result with rows and total count
+     */
+    async raw(sql, params = [], options = {}) {
+        const { schema = 'public', open, use_shared = false } = options;
+        const result = await this.client.request({
+            endpoint: '/api/database/raw',
+            body: {
+                sql,
+                params,
+                schema,
+                open,
+                use_shared,
+            },
+        });
+        return {
+            rows: result.rows || [],
+            total: result.row_count ?? 0,
+        };
+    }
     /**
      * Insert multiple rows at once using a transaction.
      *
@@ -192,7 +221,10 @@ export class DbNamespace {
      * Creates missing schemas, tables, indexes, and seeds default data.
      * This is fully idempotent - safe to call multiple times.
      *
-     * Protected schemas synced: auth, logs, meta, object, observability, workflow
+     * 3-role model: neondb_owner (provisioning), dominus_user (backend),
+     * open_user (user DB). Syncs backend schemas (auth, logs, meta, object,
+     * rag, agent, observability, workflow, tenant_admin) to dominus DB and
+     * user schemas (tenant_*, cat_*) to dominus_open DB.
      *
      * @returns Sync result with created schemas, tables, indexes
      */

package/dist/namespaces/db.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"db.js","sourceRoot":"","sources":["../../src/namespaces/db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;~~AA+BH~~,MAAM,OAAO,WAAW;IACF;IAApB,YAAoB,MAAqB;QAArB,WAAM,GAAN,MAAM,CAAe;IAAG,CAAC;IAE7C;;;;;;;OAOG;IACH,KAAK,CAAC,OAAO;~~QACX~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAwB;YAC9D,QAAQ,EAAE,uBAAuB;YACjC,IAAI,EAAE,EAAE;~~SACT~~,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ;~~QAC5B~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA0B;YAChE,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE,EAAE,MAAM,EAAE;~~SACjB~~,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,MAAM,GAAG,QAAQ;~~QAC5C~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA4B;YAClE,QAAQ,EAAE,uBAAuB;YACjC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE;~~SACxB~~,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,UAAwB,EAAE;QACnD,MAAM,EACJ,MAAM,GAAG,QAAQ,EACjB,OAAO,EACP,MAAM,EACN,SAAS,GAAG,KAAK,EACjB,KAAK,GAAG,GAAG,EACX,MAAM,GAAG,CAAC,GACX,GAAG,OAAO,CAAC;QAEZ,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,MAAM;YACrB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,KAAK,EAAE,OAAO;gBACd,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP;SACF,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;YACvB,KAAK,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;SAC7B,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,IAA6B,EAC7B,~~UAAgE~~,EAAE;~~QAElE~~,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;~~QAEtC~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,qDAAqD;QACrD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IACpC,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,IAA6B,EAC7B,OAAgC,EAChC,~~UAAgE~~,EAAE;~~QAElE~~,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;~~QAEtC~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,KAAK,EAAE,OAAO;gBACd,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;IAClD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,OAAgC,EAChC,~~UAAgE~~,EAAE;~~QAElE~~,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;~~QAEtC~~,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,KAAK,EAAE,OAAO;gBACd,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;IAClD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,UAAU,CACd,KAAa,EACb,IAAoC,EACpC,UAAgE,EAAE;QAElE,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;QAEtC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,EAAE,cAAc,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACzC,CAAC;QAED,+CAA+C;QAC/C,uEAAuE;QACvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;gBAC9B,YAAY,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACzC,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,KAAK,MAAM,UAAU,YAAY,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;QAEnG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,mBAAmB;YAC7B,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAEH,OAAO;YACL,cAAc,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;YACrC,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,eAAe;IACf,2CAA2C;IAE3C~~;;;;;;;;;OASG~~;IACH,KAAK,CAAC,UAAU;QAWd,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;YACzB,QAAQ,EAAE,qBAAqB;YAC/B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,MAAM,EAAE,uCAAuC;SACzD,CAAC,CAAC;IACL,CAAC;CACF"}
1	+ {"version":3,"file":"db.js","sourceRoot":"","sources":["../../src/namespaces/db.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAgCH,MAAM,OAAO,WAAW;IACF;IAApB,YAAoB,MAAqB;QAArB,WAAM,GAAN,MAAM,CAAe;IAAG,CAAC;IAE7C;;;;;;;OAOG;IACH,KAAK,CAAC,OAAO,CAAC,UAA8B,EAAE;QAC5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAAwB;YAC9D,QAAQ,EAAE,uBAAuB;YACjC,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;SAC7B,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;;;;OAKG;IACH,KAAK,CAAC,MAAM,CAAC,MAAM,GAAG,QAAQ,EAAE,UAA8B,EAAE;QAC9D,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA0B;YAChE,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;SACrC,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,MAAM,IAAI,EAAE,CAAC;IAC7B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,OAAO,CAAC,KAAa,EAAE,MAAM,GAAG,QAAQ,EAAE,UAA8B,EAAE;QAC9E,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAA4B;YAClE,QAAQ,EAAE,uBAAuB;YACjC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE;SAC5C,CAAC,CAAC;QACH,OAAO,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,KAAK,CAAC,KAAa,EAAE,UAAwB,EAAE;QACnD,MAAM,EACJ,MAAM,GAAG,QAAQ,EACjB,IAAI,EACJ,OAAO,EACP,MAAM,EACN,SAAS,GAAG,KAAK,EACjB,KAAK,GAAG,GAAG,EACX,MAAM,GAAG,CAAC,GACX,GAAG,OAAO,CAAC;QAEZ,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,MAAM;YACrB,CAAC,CAAC,CAAC,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;YAC5C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,KAAK,EAAE,OAAO;gBACd,QAAQ;gBACR,KAAK;gBACL,MAAM;aACP;SACF,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;YACvB,KAAK,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;SAC7B,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,IAA6B,EAC7B,UAAgF,EAAE;QAElF,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,IAAI;gBACJ,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,qDAAqD;QACrD,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;IACpC,CAAC;IAED;;;;;;;;OAQG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,IAA6B,EAC7B,OAAgC,EAChC,UAAgF,EAAE;QAElF,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,IAAI;gBACJ,KAAK,EAAE,OAAO;gBACd,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;IAClD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,MAAM,CACV,KAAa,EACb,OAAgC,EAChC,UAAgF,EAAE;QAElF,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;QAE5C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,sBAAsB;YAChC,IAAI,EAAE;gBACJ,KAAK;gBACL,MAAM;gBACN,IAAI;gBACJ,KAAK,EAAE,OAAO;gBACd,SAAS,EAAE,CAAC,GAAG,CAAC;aACjB;SACF,CAAC,CAAC;QAEH,OAAO,EAAE,aAAa,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC,EAAE,CAAC;IAClD,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,GAAG,CACP,GAAW,EACX,SAAoB,EAAE,EACtB,UAAsG,EAAE;QAExG,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,IAAI,EAAE,UAAU,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;QAEhE,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,mBAAmB;YAC7B,IAAI,EAAE;gBACJ,GAAG;gBACH,MAAM;gBACN,MAAM;gBACN,IAAI;gBACJ,UAAU;aACX;SACF,CAAC,CAAC;QAEH,OAAO;YACL,IAAI,EAAE,MAAM,CAAC,IAAI,IAAI,EAAE;YACvB,KAAK,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;SAC7B,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,UAAU,CACd,KAAa,EACb,IAAoC,EACpC,UAAgE,EAAE;QAElE,MAAM,EAAE,MAAM,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAC;QAEtC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,CAAC;YACjB,OAAO,EAAE,cAAc,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;QACzC,CAAC;QAED,+CAA+C;QAC/C,uEAAuE;QACvE,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzD,MAAM,MAAM,GAAc,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAa,EAAE,CAAC;QAElC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,YAAY,GAAa,EAAE,CAAC;YAClC,KAAK,MAAM,GAAG,IAAI,OAAO,EAAE,CAAC;gBAC1B,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,IAAI,CAAC,CAAC;gBAC9B,YAAY,CAAC,IAAI,CAAC,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC;YACzC,CAAC;YACD,YAAY,CAAC,IAAI,CAAC,IAAI,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,GAAG,GAAG,gBAAgB,KAAK,MAAM,UAAU,YAAY,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,cAAc,CAAC;QAEnG,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,OAAO,CAGrC;YACD,QAAQ,EAAE,mBAAmB;YAC7B,IAAI,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE;SAC9B,CAAC,CAAC;QAEH,OAAO;YACL,cAAc,EAAE,MAAM,CAAC,SAAS,IAAI,CAAC;YACrC,IAAI,EAAE,MAAM,CAAC,IAAI;SAClB,CAAC;IACJ,CAAC;IAED,2CAA2C;IAC3C,eAAe;IACf,2CAA2C;IAE3C;;;;;;;;;;;;OAYG;IACH,KAAK,CAAC,UAAU;QAWd,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;YACzB,QAAQ,EAAE,qBAAqB;YAC/B,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,MAAM,EAAE,uCAAuC;SACzD,CAAC,CAAC;IACL,CAAC;CACF"}

package/docs/architecture.md CHANGED Viewed

@@ -1,34 +1,197 @@
 # Architecture
 ## Request Flow
-1. SDK reads `DOMINUS_TOKEN` (PSK) from env or constructor.
-2. Gateway JWT minted via `POST /jwt/mint` (base64 body).
-3. JWT is cached in `dominusCache` (encrypted with PSK) and refreshed before expiry.
-4. All JSON requests are base64-encoded; responses are decoded.
-5. SDK routes `/api/*` to `/svc/*` when using the gateway.
+### JWT Minting and Caching
+1. SDK reads `DOMINUS_TOKEN` (PSK) from env or constructor
+2. First request triggers health check (`GET /health` on gateway) for cold-start warmup
+3. Gateway called: `POST /jwt/mint` with base64-encoded body containing PSK
+4. JWT returned and cached in `dominusCache` (encrypted with PSK)
+5. JWT refreshed before expiry (~14 min cache for 15-min lifetime, 1-min buffer)
+6. Concurrent requests share a single mint via mutex (`client.ts:582`)
+### Base64 Encoding
+- **Request**: JSON body encoded to base64 string before transmission
+- **Response**: Base64 string decoded to JSON before returning to caller
+- Handled transparently by `client.ts` -- namespace code never touches encoding
+- Binary operations (`binaryUpload`/`binaryDownload`) bypass base64
+### Service Routing
+- SDK uses `/api/*` paths internally
+- `transformEndpointForGateway()` converts to `/svc/*` for gateway (`client.ts:430`)
+- Example: `dominus.secrets.get()` -> `POST /api/secrets/get` -> gateway -> `/svc/secrets/get`
+### HTTP Method Resolution
+- Default method: `POST`
+- GET requests must explicitly set `method: 'GET'` and send no body
+- Content-Type for JSON: `text/plain` (base64-encoded body)
+- Content-Type for binary: `multipart/form-data` (via FormData)
 ## Gateway Routing
-- Default base URL is the gateway (`DOMINUS_GATEWAY_URL`).
-- `DOMINUS_BASE_URL` can override the base (defaults to gateway).
-- `useGateway: true` forces gateway base URL for a request.
-## Resilience
-- Retries: 3 attempts with exponential backoff + jitter.
-- Circuit breaker: opens after 5 failures, 30s recovery.
-- JWT mint retries on gateway cold starts (401/5xx).
-- Default request timeout: 30s (max 5 min when overridden).
+### URL Resolution
+- **Default**: `DOMINUS_GATEWAY_URL` or `https://gateway.getdominus.app`
+- **Override**: `DOMINUS_BASE_URL` (defaults to gateway URL if unset)
+- **Per-request**: `useGateway: true` forces gateway base URL (used for agent-runtime, workflow-manager, sync-worker)
+### Header Injection
+- `Authorization`: `Bearer <jwt>` (service JWT or user JWT)
+- `Content-Type`: `text/plain` for JSON, omitted for FormData (browser sets boundary)
+- `Accept`: `text/event-stream` for SSE streaming, `audio/*` for binary download
+## Database Architecture: 3-Role Model
+The platform uses **Neon PostgreSQL** with a hybrid tenant model and three database roles:
+| Role | Database | Purpose | Schemas |
+|------|----------|---------|---------|
+| `neondb_owner` | both | DDL provisioning, schema sync, migrations | Creates/alters all schemas |
+| `dominus_user` | `dominus` | Backend application queries | auth, logs, meta, object, rag, agent, observability, workflow, tenant_admin |
+| `open_user` | `dominus_open` | User-facing data queries | tenant_*, cat_* |
+### Provisioning: `syncSchema()`
+- Entry point: `dominus.db.syncSchema()` (`src/namespaces/db.ts:327`)
+- Endpoint: `POST /api/provision/sync`
+- Timeout: 2 minutes
+- Fully idempotent -- safe to call repeatedly
+- Creates missing schemas, tables, indexes across both databases
+- Seeds default data (admin tenant, scopes, roles, pages)
+- Runs with `neondb_owner` credentials for full DDL access
+### Schema Builder (DDL Namespace)
+The `ddl` namespace provides category-scoped migrations via the Schema Builder:
+- **Preview**: Generate migration SQL without applying
+- **Apply**: Execute migration across all tenant schemas in a category
+- **Sync**: Bring lagging tenants up to the latest migration version
+- **Reset**: Factory-reset a category or individual tenant schema
+- Migrations stored in B2 storage, tracked in `meta.alembic_version`
+## Resilience Patterns
+### Retries
+- **Default**: 3 attempts (`client.ts:66`)
+- **Backoff**: Exponential with jitter (base 1s, max 15s) (`client.ts:128-136`)
+- **4xx errors**: NOT retried (client errors are deterministic)
+- **5xx errors**: Retried with backoff
+- **JWT mint retries**: Separate loop, 3 attempts with base 2s, max 10s (`client.ts:457`)
+### Circuit Breaker
+- **Opens after**: 5 consecutive failures (`client.ts:85`)
+- **Recovery**: 30 seconds (`client.ts:86`)
+- **States**: closed -> open -> half-open -> closed
+- **Scope**: Global in-memory state (not per-service)
+### Timeouts
+- **Default**: 30 seconds per request (`client.ts:67`)
+- **Maximum**: 5 minutes (300,000ms cap in `client.ts:832`)
+- **JWT mint**: 30 seconds
+- **Health check**: 15 seconds with 2 retries
+- **Streaming**: 5 minutes default
+- **Schema sync / migrations**: 2 minutes
+## JWT Verification
+### Local Verification (`verifyJwtLocally()`)
+- Fetches JWKS from `GET /jwt/jwks` on gateway
+- Verifies RS256 signature using Web Crypto API
+- Checks expiry (`exp`), not-before (`nbf`), issued-at (`iat`) claims
+### JWKS Caching
+- Cached 1 hour after fetch
+- Stale cache used if refresh fails (fail-open for availability)
+- Key rotation: if `kid` not found, cache invalidated and JWKS re-fetched
-## Local JWT Verification
-- `verifyJwtLocally()` fetches JWKS from gateway `/jwt/jwks` and verifies signatures.
-- JWKS cached for 1 hour; stale cache used if refresh fails.
+### JWT Claims
+- `iss`: Issuer (gateway)
+- `sub`: Subject (user ID)
+- `project_id`: Project identifier
+- `is_system`: Boolean for system/admin users
+- `iat`, `exp`: Issue and expiration timestamps
+### JWT Delegation (`delegateJwt()`)
+- Mints a JWT for a target project via `POST /jwt/delegate`
+- Used by admin-level services (MCP) for cross-project operations
+- Accepts `targetProjectId`, `targetEnvironment`, optional `useShared`
 ## Streaming and Binary
-- SSE streaming via `streamRequest()` (Agent/LLM workflows).
-- Binary uploads/downloads via `binaryUpload()` / `binaryDownload()` for STT/TTS and RAG ingest.
+### Server-Sent Events (SSE)
+- `streamRequest()` in `client.ts:996`
+- Handles connection management and SSE event parsing
+- Yields parsed JSON chunks as `AsyncGenerator`
+- Supports `event:` and `data:` SSE fields
+- `[DONE]` sentinel terminates stream
+- Used by `ai.streamAgent()`, `ai.completeStream()`
+### Binary Upload
+- `binaryUpload()` in `client.ts:1105`
+- Uses `multipart/form-data` via native `FormData`
+- No base64 wrapping -- raw bytes
+- Used for file uploads, STT audio, RAG document ingest
+### Binary Download
+- `binaryDownload()` in `client.ts:1180`
+- Returns raw `Buffer`
+- Used for TTS playback, artifact retrieval
 ## Environment Variables
-- `DOMINUS_TOKEN` (required)
-- `DOMINUS_GATEWAY_URL` (optional)
-- `DOMINUS_BASE_URL` (optional)
-- `DOMINUS_DEBUG=true` (optional)
-- `DOMINUS_HTTP_PROXY` / `DOMINUS_HTTPS_PROXY` (optional, informational)
+| Variable | Required | Default | Purpose |
+|----------|----------|---------|---------|
+| `DOMINUS_TOKEN` | Yes | -- | PSK for JWT minting |
+| `DOMINUS_GATEWAY_URL` | No | `https://gateway.getdominus.app` | Gateway base URL |
+| `DOMINUS_BASE_URL` | No | Gateway URL | Override base URL |
+| `DOMINUS_DEBUG` | No | `false` | Verbose debug logging |
+| `DOMINUS_CAPTURE_CONSOLE` | No | `false` | Forward console output to logs |
+| `DOMINUS_HTTP_PROXY` | No | -- | HTTP proxy (informational) |
+| `DOMINUS_HTTPS_PROXY` | No | -- | HTTPS proxy (informational) |
+## Error Handling
+### HTTP Status to Error Class Mapping
+| Status | Error Class | Cause |
+|--------|-------------|-------|
+| 400 | `ValidationError` | Invalid input |
+| 401 | `AuthenticationError` | Invalid/expired JWT |
+| 403 | `AuthorizationError` | Permission denied |
+| 404 | `NotFoundError` | Resource not found |
+| 409 | `ConflictError` | Duplicate/conflict |
+| 5xx | `ServiceError` | Server error |
+| Network | `ConnectionError` | Network/DNS failure |
+| Timeout | `TimeoutError` | Request exceeded timeout |
+### Error Properties
+```typescript
+error.message      // Human-readable message
+error.statusCode   // HTTP status (if applicable)
+error.details      // Response body object (if applicable)
+error.endpoint     // Endpoint that failed
+```
+## Security
+### PSK Management
+- `DOMINUS_TOKEN` never exposed in logs (masked in debug output)
+- PSK used only for JWT minting, not stored long-term
+- JWT used for all subsequent requests
+### Base64 Encoding
+- Base64 is encoding, NOT encryption
+- All security provided by TLS/HTTPS in transit
+- Backend validates all inputs regardless of encoding
+### Secure Tables
+- Registered via `auth.createSecureTable()`
+- Every access requires `reason` (audit context) and `actor` (user identifier)
+- Server-side audit trail recorded with reason + actor
+## Observability
+### Debug Logging
+`DOMINUS_DEBUG=true` enables: request/response bodies, retry attempts, circuit breaker state changes, JWT lifecycle.
+### Console Capture
+`DOMINUS_CAPTURE_CONSOLE=true` forwards `console.log/warn/error/debug/info` to Dominus logs. Fire-and-forget, never blocks. Call `dominus.captureConsole()` / `dominus.releaseConsole()` programmatically.
+### Request Timing
+Each request tracks: total time including retries, individual attempt times, circuit breaker recovery time.

package/docs/services.md ADDED Viewed

@@ -0,0 +1,479 @@
+# Services Reference
+All 19 service namespaces with actual endpoints and method signatures from source code.
+Gateway routing: all `/api/*` paths are transformed to `/svc/*` by the client.
+## 1. secrets (Warden)
+Encrypted secrets management. Single endpoint with action-based dispatch.
+| Method | Endpoint | Action |
+|--------|----------|--------|
+| `get(key)` | `POST /api/warden/secrets` | `get` |
+| `upsert(key, value, comment?)` | `POST /api/warden/secrets` | `update` (falls back to `create`) |
+| `list(prefix?)` | `POST /api/warden/secrets` | `list` |
+| `delete(key)` | `POST /api/warden/secrets` | `delete` |
+**Root shortcuts:** `dominus.get(key)`, `dominus.upsert(key, value, comment?)`
+---
+## 2. db (Scribe)
+Database CRUD via DB Worker. Includes provisioning.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `schemas()` | `/api/database/schemas` | POST |
+| `tables(schema?)` | `/api/database/tables` | POST |
+| `columns(table, schema?)` | `/api/database/columns` | POST |
+| `query(table, options?)` | `/api/database/select` | POST |
+| `insert(table, data, options?)` | `/api/database/insert` | POST |
+| `update(table, data, filters, options?)` | `/api/database/update` | POST |
+| `delete(table, filters, options?)` | `/api/database/delete` | POST |
+| `raw(sql, params?, options?)` | `/api/database/raw` | POST |
+| `bulkInsert(table, rows, options?)` | `/api/database/raw` | POST |
+| `syncSchema()` | `/api/provision/sync` | POST |
+**Root shortcuts:** `dominus.listTables()`, `dominus.queryTable()`, `dominus.insertRow()`, `dominus.updateRows()`, `dominus.deleteRows()`, `dominus.listColumns()`
+### Provisioning: syncSchema()
+Idempotent schema provisioning using the **3-role model**:
+| Role | Database | Schemas |
+|------|----------|---------|
+| `neondb_owner` | both | DDL provisioning (runs syncSchema) |
+| `dominus_user` | `dominus` | auth, logs, meta, object, rag, agent, observability, workflow, tenant_admin |
+| `open_user` | `dominus_open` | tenant_*, cat_* |
+Creates missing schemas, tables, indexes, and seeds default data. 2-minute timeout.
+Source: `src/namespaces/db.ts:327`
+---
+## 3. secure (Scribe)
+Audit-logged table access. All operations require `SecureAccessContext` with `reason` and `actor`.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `tables(schema?)` | `/api/scribe/data/{schema}/tables` | GET |
+| `columns(table, schema?)` | `/api/scribe/data/{schema}/{table}/columns` | GET |
+| `query(table, context, options?)` | `/api/scribe/data/{schema}/{table}/query` | POST |
+| `insert(table, data, context, schema?)` | `/api/scribe/data/{schema}/{table}/insert` | POST |
+| `update(table, data, filters, context, schema?)` | `/api/scribe/data/{schema}/{table}/update` | POST |
+| `delete(table, filters, context, schema?)` | `/api/scribe/data/{schema}/{table}/delete` | POST |
+| `bulkInsert(table, rows, context, schema?)` | `/api/scribe/data/{schema}/{table}/bulk-insert` | POST |
+---
+## 4. redis (Whisperer)
+Redis cache via Upstash REST API. TTL enforced: 60s-86400s.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `set(key, value, ttl?, category?)` | `/api/whisperer/set` | POST |
+| `get(key, options?)` | `/api/whisperer/get` | POST |
+| `delete(key, category?)` | `/api/whisperer/delete` | POST |
+| `list(options?)` | `/api/whisperer/list` | POST |
+| `mget(keys)` | `/api/whisperer/mget` | POST |
+| `setnx(key, value, ttl?, category?)` | `/api/whisperer/setnx` | POST |
+| `incr(key, delta?, ttl?, category?)` | `/api/whisperer/incr` | POST |
+| `hset(key, field, value, ttl?, category?)` | `/api/whisperer/hset` | POST |
+| `hget(key, field, category?)` | `/api/whisperer/hget` | POST |
+| `hgetall(key, category?)` | `/api/whisperer/hgetall` | POST |
+| `hdel(key, field, category?)` | `/api/whisperer/hdel` | POST |
+| `type(key, category?)` | `/api/whisperer/type` | POST |
+| `smembers(key, category?)` | `/api/whisperer/smembers` | POST |
+| `lrange(key, options?)` | `/api/whisperer/lrange` | POST |
+---
+## 5. files (Archivist)
+File storage via Backblaze B2. Supports upload, download, browse, views, and folders.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `upload(data, filename, options?)` | `/api/archivist/upload` | POST |
+| `download(options)` | `/api/archivist/download` | POST |
+| `fetch(options)` | `/api/archivist/fetch` | POST |
+| `list(options?)` | `/api/archivist/list` | POST |
+| `delete(options)` | `/api/archivist/delete` | POST |
+| `move(fileId, options)` | `/api/archivist/move` | POST |
+| `updateMeta(fileId, options)` | `/api/archivist/update` | POST |
+| `browse(options)` | `/api/archivist/browse` | POST |
+| `getStorageStats()` | `/api/archivist/stats` | POST |
+| `listCategories()` | `/api/archivist/categories` | POST |
+| `listViews(options?)` | `/api/archivist/views` | POST |
+| `listCategoriesInView(view)` | `/api/archivist/view-categories` | POST |
+| `createFolder(options)` | `/api/archivist/folder` | POST |
+| `deleteFolder(options)` | `/api/archivist/folder` | DELETE |
+| `factoryReset(options?)` | `/api/admin/factory-reset-storage` | POST |
+---
+## 6. auth (Guardian)
+User, role, scope, client, tenant, page management. Full CRUD. Source: `src/namespaces/auth.ts`
+**Users:** `createUser`, `getUser`, `updateUser`, `deleteUser`, `listUsers`, `inviteUser`
+- Endpoints: `/api/guardian/users`, `/api/guardian/users/{id}`
+**Roles:** `createRole`, `getRole`, `updateRole`, `deleteRole`, `listRoles`
+- Endpoints: `/api/guardian/roles`, `/api/guardian/roles/{id}`
+**Scopes:** `createScope`, `getScope`, `updateScope`, `deleteScope`, `listScopes`
+- Endpoints: `/api/guardian/scopes`, `/api/guardian/scopes/{id}`
+**Clients:** `createClient`, `getClient`, `updateClient`, `deleteClient`, `listClients`
+- Endpoints: `/api/guardian/clients`, `/api/guardian/clients/{id}`
+**Tenants:** `createTenant`, `getTenant`, `updateTenant`, `deleteTenant`, `listTenants`
+- Endpoints: `/api/guardian/tenants`, `/api/guardian/tenants/{id}`
+**Tenant Categories:** `createTenantCategory`, `listTenantCategories`, `getTenantCategory`, `deleteTenantCategory`
+- Endpoints: `/api/guardian/tenant-categories`, `/api/guardian/tenant-categories/{id}`
+**Pages:** `createPage`, `getPage`, `updatePage`, `deletePage`, `listPages`
+- Endpoints: `/api/guardian/pages`, `/api/guardian/pages/{id}`
+**Navigation:** `createNavItem`, `updateNavItem`, `deleteNavItem`, `listNavItems`, `reorderNavItems`
+- Endpoints: `/api/guardian/navigation`, `/api/guardian/navigation/{id}`, `/api/guardian/navigation/reorder`
+**Secure Tables:** `createSecureTable`, `listSecureTables`, `getSecureTable`, `deleteSecureTable`
+- Endpoints: `/api/guardian/secure-tables`, `/api/guardian/secure-tables/{id}`
+**Role/Scope Assignments:** `assignRoleToUser`, `removeRoleFromUser`, `assignScopeToRole`, `removeScopeFromRole`
+- Endpoints: `/api/guardian/users/{id}/roles/{roleId}`, `/api/guardian/roles/{id}/scopes/{scopeId}`
+---
+## 7. portal (Portal)
+User-facing authentication, sessions, profile, navigation, registration.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `login(username, password, tenantId?)` | `/api/portal/auth/login` | POST |
+| `loginClient(psk, tenantId?)` | `/api/portal/auth/login-client` | POST |
+| `logout(userToken?)` | `/api/portal/auth/logout` | POST |
+| `refresh(userToken?)` | `/api/portal/auth/refresh` | POST |
+| `me(userToken?)` | `/api/portal/auth/me` | GET |
+| `switchTenant(tenantId, userToken?)` | `/api/portal/auth/switch-tenant` | POST |
+| `changePassword(current, new, userToken?)` | `/api/portal/security/change-password` | POST |
+| `requestPasswordReset(email)` | `/api/portal/security/request-reset` | POST |
+| `confirmPasswordReset(token, newPassword)` | `/api/portal/security/confirm-reset` | POST |
+| `listSessions(userToken?)` | `/api/portal/security/sessions` | GET |
+| `revokeSession(sessionId, userToken?)` | `/api/portal/security/sessions/{id}` | DELETE |
+| `revokeAllSessions(userToken?)` | `/api/portal/security/sessions/revoke-all` | POST |
+| `getProfile(userToken?)` | `/api/portal/profile` | GET |
+| `updateProfile(params, userToken?)` | `/api/portal/profile` | PUT |
+| `getPreferences(userToken?)` | `/api/portal/profile/preferences` | GET |
+| `updatePreferences(params, userToken?)` | `/api/portal/profile/preferences` | PUT |
+| `getNavigation(userToken?, options?)` | `/api/portal/nav` | GET |
+| `checkPageAccess(pagePath, userToken?)` | `/api/portal/nav/check-access` | POST |
+| `register(username, email, password, tenantId)` | `/api/portal/register` | POST |
+| `verifyEmail(token)` | `/api/portal/register/verify` | POST |
+| `resendVerification(email)` | `/api/portal/register/resend-verification` | POST |
+| `acceptInvitation(token, password)` | `/api/portal/register/accept-invitation` | POST |
+---
+## 8. ddl (Smith)
+Schema DDL, migrations, provisioning, and Schema Builder.
+### Direct DDL
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `createTable(name, columns, schema?)` | `/api/smith/schema/create-table` | POST |
+| `dropTable(name, schema?)` | `/api/smith/schema/drop-table` | POST |
+| `addColumn(table, column, schema?)` | `/api/smith/schema/add-column` | POST |
+| `dropColumn(table, column, schema?)` | `/api/smith/schema/drop-column` | POST |
+| `alterColumn(table, column, changes, schema?)` | `/api/smith/schema/alter-column` | POST |
+| `createIndex(table, name, columns, options?)` | `/api/smith/schema/create-index` | POST |
+| `dropIndex(name, schema?)` | `/api/smith/schema/drop-index` | POST |
+### Category DDL (atomic multi-schema)
+| Method | Endpoint |
+|--------|----------|
+| `categoryCreateTable(slug, name, columns)` | `/api/smith/category/create-table` |
+| `categoryAddColumn(slug, name, column)` | `/api/smith/category/add-column` |
+### Migrations
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `listMigrations(schema)` | `/api/smith/migrations/list/{schema}` | GET |
+| `listCategoryMigrations(slug)` | `/api/smith/migrations/category/{slug}/list` | GET |
+| `applyMigration(schema, id)` | `/api/smith/migrations/apply` | POST |
+| `rollbackMigration(schema, id)` | `/api/smith/migrations/rollback` | POST |
+### Provisioning
+| Method | Endpoint |
+|--------|----------|
+| `provisionTenantSchema(slug, categorySlug?)` | `/api/smith/provision/tenant-schema` |
+| `provisionTenantFromCategory(slug, categorySlug)` | `/api/smith/provision/tenant-from-category` |
+### Schema Builder
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `getCategoryStructure(slug)` | `/api/database/builder/category/{slug}/structure` | GET |
+| `getCategoryMigrationHistory(slug)` | `/api/database/builder/category/{slug}/migrations` | GET |
+| `previewMigration(slug, op, params, name)` | `/api/database/builder/category/{slug}/preview-migration` | POST |
+| `applyBuilderMigration(slug, op, params, name)` | `/api/database/builder/category/{slug}/apply-migration` | POST |
+| `getMigrationFile(slug, versionId)` | `/api/database/builder/category/{slug}/migrations/{id}` | GET |
+| `getTenantSyncStatus(slug)` | `/api/database/builder/category/{slug}/sync-status` | GET |
+| `syncTenantsToLatest(slug)` | `/api/database/builder/category/{slug}/sync-tenants` | POST |
+| `resetCategorySchema(slug)` | `/api/database/builder/category/{slug}/reset` | DELETE |
+| `resetTenantSchema(slug, tenant)` | `/api/database/builder/category/{slug}/tenants/{t}/reset` | DELETE |
+| `deleteMigration(slug, versionId)` | `/api/database/builder/category/{slug}/migrations/{id}` | DELETE |
+**Root shortcuts:** `dominus.addTable()`, `dominus.deleteTable()`, `dominus.addColumn()`, `dominus.deleteColumn()`
+---
+## 9. open (Scribe Open)
+Direct database access for advanced use cases.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `dsn()` | `/api/scribe/open/dsn` | GET |
+| `execute(sql, params?)` | `/api/scribe/open/execute` | POST |
+---
+## 10. logs (Herald)
+Structured logging via Logs Worker. `useGateway: true`.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `debug(msg, context?, category?)` | `/api/logs/ingest` | POST |
+| `info(msg, context?, category?)` | `/api/logs/ingest` | POST |
+| `notice(msg, context?, category?)` | `/api/logs/ingest` | POST |
+| `warn(msg, context?, category?)` | `/api/logs/ingest` | POST |
+| `error(msg, context?, options?)` | `/api/logs/ingest` | POST |
+| `critical(msg, context?, options?)` | `/api/logs/ingest` | POST |
+| `tail(options?)` | `/api/logs/tail` | GET |
+| `query(options?)` | `/api/logs/tail` | GET |
+| `batch(events)` | `/api/logs/ingest` | POST |
+All log methods auto-capture callsite (file, function) from the stack. Batch max: 100 events.
+---
+## 11. health
+Service health checks. No authentication required for `check()`.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `check()` | `/api/health` | GET (direct fetch, no base64) |
+| `ping()` | `/api/health/ping` | GET |
+| `warmup()` | `/api/health/warmup` | GET |
+---
+## 12. courier (Courier)
+Email delivery via Postmark templates.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `send(templateAlias, to, from, model, options?)` | `/api/courier/send` | POST |
+| `sendWelcome(to, from, params)` | `/api/courier/send` | POST |
+| `sendPasswordReset(to, from, params)` | `/api/courier/send` | POST |
+| `sendEmailVerification(to, from, params)` | `/api/courier/send` | POST |
+| `sendInvitation(to, from, params)` | `/api/courier/send` | POST |
+---
+## 13. ai (Agent Runtime)
+LLM agent execution, completions, RAG, artifacts, speech, workflows. `useGateway: true`.
+**Agent execution:** `runAgent(params)`, `streamAgent(params)`, `runAgentAsync(params)`
+**LLM completions:** `complete(params)`, `completeStream(params)`
+**Speech:** `stt(audio, options?)`, `tts(text, options?)`
+**Setup:** `setup(options?)`
+**Sub-namespaces:**
+- `ai.rag.*` -- RAG corpus management (ensure, upsert, search, list, ingest, getStats)
+- `ai.artifacts.*` -- Artifact CRUD (create, fetch, list, delete)
+- `ai.results.*` -- Async task polling (poll)
+- `ai.workflow.*` -- Workflow execution (execute, cancel, list)
+- `ai.tools.*` -- Tool registry (list, enable, disable)
+---
+## 14. workflow (Workflow Manager)
+Workflow CRUD, categories/pipelines, templates, tools, execution. `useGateway: true`.
+### Workflows
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `save(options)` | `/api/workflow/workflows` | POST |
+| `get(id, options?)` | `/api/workflow/workflows/{id}` | GET |
+| `list(options?)` | `/api/workflow/workflows` | GET |
+| `delete(id)` | `/api/workflow/workflows/{id}` | DELETE |
+### Categories
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `createCategory(options)` | `/api/workflow/categories` | POST |
+| `getCategory(id, options?)` | `/api/workflow/categories/{id}` | GET |
+| `listCategories(options?)` | `/api/workflow/categories` | GET |
+| `deleteCategory(id)` | `/api/workflow/categories/{id}` | DELETE |
+| `addToCategory(catId, wfId, pos?)` | `/api/workflow/categories/{id}/workflows` | POST |
+| `removeFromCategory(catId, wfId)` | `/api/workflow/categories/{id}/workflows/{wfId}` | DELETE |
+| `reorderCategory(catId, order)` | `/api/workflow/categories/{id}/workflows/order` | PUT |
+### Templates
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `listTemplates()` | `/api/workflow/templates` | GET |
+| `getTemplate(id, options?)` | `/api/workflow/templates/{id}` | GET |
+| `copyTemplate(id, options?)` | `/api/workflow/templates/{id}/copy` | POST |
+### Execution
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `execute(wfId, context?)` | `/api/workflow/execute/workflow` | POST |
+| `executeAsync(wfId, options?)` | `/api/workflow/execute/workflow` | POST |
+| `executeCategory(catId, options?)` | `/api/workflow/execute/category` | POST |
+### Tools
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `listTools(options?)` | `/api/workflow/tools` | GET |
+| `getTool(id)` | `/api/workflow/tools/{id}` | GET |
+| `registerTool(options)` | `/api/workflow/tools` | POST |
+| `updateTool(id, options)` | `/api/workflow/tools/{id}` | PUT |
+| `deleteTool(id)` | `/api/workflow/tools/{id}` | DELETE |
+| `enableTool(id)` | `/api/workflow/tools/{id}/enable` | POST |
+| `disableTool(id)` | `/api/workflow/tools/{id}/disable` | POST |
+### Admin
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `seed(options?)` | `/api/workflow/admin/seed` | POST |
+| `factoryReset(options)` | `/api/workflow/admin/factory-reset` | POST |
+---
+## 15. stt / oracle (Oracle)
+Streaming speech-to-text with WebSocket and VAD. Browser-side only.
+```typescript
+const session = dominus.stt.createSession(userJwt);
+session.onUtterance = (text) => handleText(text);
+session.onVADStateChange = (state) => updateUI(state);
+await session.start();
+// ... user speaks ...
+await session.stop();
+```
+VAD states: `IDLE` -> `ARMED` -> `SPEAKING` -> `TRAILING`
+---
+## 16. admin
+Infrastructure operations with elevated privileges. Uses `neondb_owner` credentials.
+| Method | Endpoint | HTTP | Notes |
+|--------|----------|------|-------|
+| `reseedAdminCategory()` | `/api/admin/reseed-admin-category` | POST | Idempotent, seeds baseline data |
+| `resetAdminCategory()` | `/api/admin/reset-admin-category` | DELETE | DESTRUCTIVE: drops tenant_admin |
+| `exportTokens()` | `/api/admin/tokens/export` | GET | `useGateway: true` |
+| `seedKV()` | `/api/admin/kv/seed` | POST | `useGateway: true` |
+---
+## 17. sync (Sync Worker)
+KV cache synchronization. `useGateway: true`. Requires admin system level.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `triggerSync()` | `/api/sync/` | POST |
+| `getHealth()` | `/api/sync/health` | GET |
+---
+## 18. artifacts (Artifact Worker)
+Temporary artifact storage (Redis < 1MB, B2 >= 1MB). `useGateway: true`.
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `list(options?)` | `/api/artifact/list` | POST |
+| `getHealth()` | `/api/artifact/health` | GET |
+| `store(options)` | `/api/artifact/store` | POST |
+| `retrieve(key)` | `/api/artifact/retrieve` | POST |
+| `delete(key)` | `/api/artifact/delete` | POST |
+| `cleanup(options?)` | `/api/artifact/cleanup` | POST |
+---
+## 19. jobs (Job Worker) + processor (Job Processor)
+### jobs -- `useGateway: true`
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `enqueue(jobType, payload)` | `/api/job/enqueue` | POST |
+| `getStatus(jobId)` | `/api/job/status` | POST |
+| `getResult(jobId, timeoutMs?)` | `/api/job/result` | POST |
+| `listDeadLetterJobs(jobType?)` | `/api/job/dead-letter` | POST |
+| `retryJob(jobId)` | `/api/job/dead-letter` | POST |
+| `discardJob(jobId)` | `/api/job/dead-letter` | POST |
+| `list(options?)` | `/api/job/list` | POST |
+| `getHealth()` | `/api/job/health` | GET |
+Job types: `db_query`, `db_ddl`, `db_migration`, `file_upload`, `workflow_exec`
+### processor -- `useGateway: true`
+| Method | Endpoint | HTTP |
+|--------|----------|------|
+| `getHealth()` | `/api/processor/health` | GET |
+| `processAll(jobType?)` | `/api/processor/process` | POST |
+| `processOne(jobType?)` | `/api/processor/process-one` | POST |
+---
+## Summary
+| # | Namespace | Backend Service | Endpoint Prefix | Gateway |
+|---|-----------|----------------|-----------------|---------|
+| 1 | secrets | Warden | `/api/warden/` | default |
+| 2 | db | Scribe (DB Worker) | `/api/database/`, `/api/provision/` | default |
+| 3 | secure | Scribe | `/api/scribe/data/` | default |
+| 4 | redis | Whisperer | `/api/whisperer/` | default |
+| 5 | files | Archivist (B2 Worker) | `/api/archivist/` | default |
+| 6 | auth | Guardian | `/api/guardian/` | default |
+| 7 | portal | Portal | `/api/portal/` | default |
+| 8 | ddl | Smith | `/api/smith/`, `/api/database/builder/` | default |
+| 9 | open | Scribe Open | `/api/scribe/open/` | default |
+| 10 | logs | Herald (Logs Worker) | `/api/logs/` | explicit |
+| 11 | health | Gateway | `/api/health/` | default |
+| 12 | courier | Courier | `/api/courier/` | default |
+| 13 | ai | Agent Runtime | `/api/agent/` | explicit |
+| 14 | workflow | Workflow Manager | `/api/workflow/` | explicit |
+| 15 | stt | Oracle | WebSocket | n/a |
+| 16 | admin | Admin | `/api/admin/` | mixed |
+| 17 | sync | Sync Worker | `/api/sync/` | explicit |
+| 18 | artifacts | Artifact Worker | `/api/artifact/` | explicit |
+| 19 | jobs+processor | Job Worker + Processor | `/api/job/`, `/api/processor/` | explicit |
+**"explicit"** = passes `useGateway: true` in request options.
+**"default"** = uses `BASE_URL` (which defaults to gateway).
+Total: **19 namespaces**, **200+ methods** covering data, auth, AI, infrastructure, and admin operations.

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "dominus-sdk-nodejs",
-  "version": "1.23.0",
+  "version": "1.24.1",
   "description": "Node.js SDK for the Dominus Orchestrator Platform",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/docs/development.md DELETED Viewed

@@ -1,30 +0,0 @@
-# Development
-## Requirements
-- Node.js 18+ (native fetch)
-- TypeScript 5.6+
-## Commands
-```bash
-npm install
-npm run lint   # type-check
-npm run test   # node --test
-npm run build  # tsc
-```
-## Publishing
-Publishing is handled by GitHub Actions on branch push:
-- `development` -> publishes as `dominus-sdk-nodejs-dev`
-- `staging` -> publishes as `dominus-sdk-nodejs-staging`
-- `production` -> publishes as `dominus-sdk-nodejs`
-Before publishing:
-1. Bump `package.json` version
-2. Ensure `dist/` builds cleanly
-3. Update docs under `docs/`
-## Adding APIs
-- Add methods in the relevant `src/namespaces/*.ts` file
-- Export types and helpers from `src/index.ts`
-- Use `client.request()` for JSON, `streamRequest()` for SSE, `binaryUpload/Download()` for bytes
-- Always set `method: 'GET'` for GET endpoints

package/docs/namespaces.md DELETED Viewed

@@ -1,38 +0,0 @@
-# Namespaces
-## Core Services
-- `secrets` (Warden): secrets CRUD
-- `db` (Scribe): database CRUD, filters, pagination
-- `secure` (Scribe): secure-table access with audit `reason` + `actor`
-- `redis` (Whisperer): cache, locks, counters, hashes (TTL required)
-- `files` (Archivist): upload/download/list/move/update metadata
-- `auth` (Guardian): users, roles, scopes, tenants, pages/navigation
-- `ddl` (Smith): schema DDL, migrations, provisioning
-- `logs` (Herald): structured logs + queries
-- `portal` (Portal): user login, sessions, profile, navigation
-- `courier` (Courier): email delivery
-- `open` (Scribe Open): direct SQL execution / DSN
-- `health`: service health/ping/warmup
-## AI + Orchestration
-- `ai.runAgent`, `ai.streamAgent`, `ai.runAgentAsync`
-- `ai.complete`, `ai.completeStream` (multi-provider LLM completions)
-- `ai.rag` (list/ensure/stats/upsert/search/ingest)
-- `ai.artifacts` (create/fetch/list/delete)
-- `ai.results` (async result polling)
-- `ai.workflow` (workflow orchestration in agent-runtime)
-- `ai.tools` (tool registry, default-deny)
-- `ai.stt` / `ai.tts` (speech services)
-- `ai.setup` (pre-flight session setup)
-## Workflow Manager
-- `workflow` namespace manages workflow CRUD, categories, templates, and execution
-- List calls use canonical GET routes:
-  - `workflow.list()` -> `/api/workflow/workflows`
-  - `workflow.listCategories()` -> `/api/workflow/categories`
-## Streaming STT
-- `stt` (Oracle) creates streaming transcription sessions with VAD
-## Admin
-- `admin.reseedAdminCategory()` and `admin.resetAdminCategory()` (destructive)