fraim 2.0.179 → 2.0.182

package/dist/src/services/admin-service.js

@@ -0,0 +1,229 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AdminService = void 0;
+const crypto_1 = require("crypto");
+const request_utils_1 = require("../fraim/utils/request-utils");
+const email_service_1 = require("./email-service");
+const dashboard_access_1 = require("./dashboard-access");
+const feature_flags_1 = require("../config/feature-flags");
+const email_code_1 = require("./email-code");
+class AdminService {
+    constructor(dbService) {
+        this.dbService = dbService;
+    }
+    /**
+     * Handle sales inquiry submission
+     */
+    async handleSalesInquiry(body, req) {
+        const { email, company, projectDetails, teamSize, timeline, budget, source } = body;
+        if (!email || !company || !projectDetails) {
+            throw new Error('Email, company, and project details are required');
+        }
+        if (!(0, request_utils_1.validateEmail)(email)) {
+            throw new Error('Invalid email address');
+        }
+        const { ip: ipAddress, userAgent } = (0, request_utils_1.getRequestMeta)(req);
+        const inquiry = {
+            email: email.toLowerCase().trim(),
+            company: company.trim(),
+            projectDetails: projectDetails.trim(),
+            teamSize: teamSize?.trim() || 'Not specified',
+            timeline: timeline?.trim() || undefined,
+            budget: budget?.trim() || undefined,
+            source: source || 'website',
+            timestamp: new Date(),
+            ipAddress,
+            userAgent
+        };
+        await this.dbService.createSalesInquiry(inquiry);
+        return inquiry;
+    }
+    /**
+     * Handle website signup submission
+     */
+    async handleWebsiteSignup(body, req) {
+        const { email, name, company, useCase, source } = body;
+        if (!email || !name || !company) {
+            throw new Error('Email, name, and company are required');
+        }
+        if (!(0, request_utils_1.validateEmail)(email)) {
+            throw new Error('Invalid email address');
+        }
+        const { ip: ipAddress, userAgent } = (0, request_utils_1.getRequestMeta)(req);
+        const signup = {
+            email: email.toLowerCase().trim(),
+            name: name.trim(),
+            company: company.trim(),
+            useCase: useCase?.trim(),
+            source: source || 'website',
+            timestamp: new Date(),
+            ipAddress,
+            userAgent
+        };
+        await this.dbService.createWebsiteSignup(signup);
+        return signup;
+    }
+    /**
+     * List all API keys
+     */
+    async listApiKeys() {
+        return await this.dbService.listApiKeys();
+    }
+    /**
+     * Create a new API key
+     */
+    async createApiKey(userId, orgId) {
+        const key = this.dbService.generateApiKey(userId, orgId);
+        const trialExpiresAt = new Date(Date.now() + 14 * 24 * 60 * 60 * 1000); // 14 days
+        await this.dbService.createApiKey({
+            key,
+            userId,
+            orgId,
+            tier: 'trial',
+            status: 'active',
+            expiresAt: trialExpiresAt,
+            stripeCustomerId: null,
+            stripeSubscriptionId: null,
+            currentPeriodEnd: null,
+            cancelAt: null,
+            suspendedAt: null,
+            suspensionReason: null,
+            lastUsedAt: null,
+            apiCallCount: 0,
+            personaSystemActive: (0, feature_flags_1.isPersonaEntitlementsEnabled)() || undefined
+        });
+        return key;
+    }
+    /**
+     * Revoke an API key
+     */
+    async revokeApiKey(key) {
+        return await this.dbService.revokeApiKey(key);
+    }
+    /**
+     * Update expiration for one or more API keys.
+     */
+    async updateApiKeyExpirations(keys, userIds, expiresAt, labels = []) {
+        return await this.dbService.updateApiKeyExpirations(keys, userIds, expiresAt, labels);
+    }
+    /**
+     * Add or remove labels for one or more API keys.
+     */
+    async updateApiKeyLabels(keys, userIds, labels, operation) {
+        return await this.dbService.updateApiKeyLabels(keys, userIds, labels, operation);
+    }
+    /**
+     * List website signups
+     */
+    async getSignups(limit = 100) {
+        return await this.dbService.getWebsiteSignups(limit);
+    }
+    /**
+     * List sales inquiries
+     */
+    async getSalesInquiries(limit = 100) {
+        return await this.dbService.getSalesInquiries(limit);
+    }
+    /**
+     * Request access: send a one-time email code before issuing a trial key.
+     * Security: prevents unauthorized access by requiring email ownership verification.
+     */
+    async requestAccess(body, req) {
+        const { email, name, company, useCase } = body;
+        if (!email || !name || !company) {
+            throw new Error('Email, name, and company are required');
+        }
+        if (!(0, request_utils_1.validateEmail)(email))
+            throw new Error('Invalid email address');
+        const emailLower = email.toLowerCase().trim();
+        try {
+            const { ip: ipAddress, userAgent } = (0, request_utils_1.getRequestMeta)(req);
+            await this.dbService.createWebsiteSignup({
+                email: emailLower,
+                name: name.trim(),
+                company: company.trim(),
+                useCase: useCase?.trim(),
+                source: 'request-access',
+                timestamp: new Date(),
+                ipAddress,
+                userAgent
+            });
+        }
+        catch {
+            // Ignore duplicate or other signup errors; email verification still proceeds.
+        }
+        const verificationToken = (0, crypto_1.randomBytes)(32).toString('hex');
+        const verificationCode = (0, email_code_1.generateEmailCode)();
+        const expiresAt = new Date(Date.now() + 15 * 60 * 1000);
+        await this.dbService.createPendingVerification({
+            token: verificationToken,
+            codeHash: (0, email_code_1.hashEmailCode)(emailLower, verificationCode),
+            email: emailLower,
+            verified: false,
+            expiresAt,
+            createdAt: new Date(),
+            usedAt: null
+        });
+        const emailService = new email_service_1.EmailService();
+        const baseUrl = process.env.BASE_URL || 'https://fraimworks.ai';
+        await emailService.sendEmailCode(emailLower, `${baseUrl}/get-started`, verificationCode, { purpose: 'request-access' });
+        console.log('[FRAIM] request_access email_code_sent', { userId: emailLower });
+        return {
+            success: true,
+            message: 'Check your email for a verification code to start your 14-day free trial'
+        };
+    }
+    async verifyRequestAccessCode(email, code) {
+        if (!(0, request_utils_1.validateEmail)(email))
+            return { success: false, error: 'Invalid email address' };
+        const emailLower = email.toLowerCase().trim();
+        const normalizedCode = (0, email_code_1.normalizeEmailCode)(code);
+        if (normalizedCode.length < 6)
+            return { success: false, error: 'Invalid or expired verification code' };
+        const verification = await this.dbService.consumePendingVerificationByCode(emailLower, (0, email_code_1.hashEmailCode)(emailLower, normalizedCode));
+        if (!verification) {
+            return { success: false, error: 'Invalid or expired verification code' };
+        }
+        const orgId = 'default';
+        const existingKey = await this.dbService.getApiKeyByUserId(emailLower, false);
+        let apiKey;
+        if (existingKey) {
+            apiKey = existingKey.key;
+            console.log('[FRAIM] verify_email_code existing_key_found', { userId: emailLower });
+        }
+        else {
+            apiKey = this.dbService.generateApiKey(emailLower, orgId);
+            const trialExpiresAt = new Date(Date.now() + 14 * 24 * 60 * 60 * 1000);
+            await this.dbService.createApiKey({
+                key: apiKey,
+                userId: emailLower,
+                orgId,
+                tier: 'trial',
+                status: 'active',
+                expiresAt: trialExpiresAt,
+                stripeCustomerId: null,
+                stripeSubscriptionId: null,
+                currentPeriodEnd: null,
+                cancelAt: null,
+                suspendedAt: null,
+                suspensionReason: null,
+                lastUsedAt: null,
+                apiCallCount: 0,
+                personaSystemActive: (0, feature_flags_1.isPersonaEntitlementsEnabled)() || undefined
+            });
+            console.log('[FRAIM] verify_email_code trial_key_created', {
+                userId: emailLower,
+                expiresAt: trialExpiresAt.toISOString()
+            });
+        }
+        const access = await (0, dashboard_access_1.createDashboardAccessLink)(this.dbService, emailLower, apiKey);
+        console.log('[FRAIM] verify_email_code verification_completed', { userId: emailLower });
+        return {
+            success: true,
+            key: apiKey,
+            dashboardToken: access.token,
+            redirectUrl: access.redirectPath
+        };
+    }
+}
+exports.AdminService = AdminService;

package/dist/src/services/audit-log-persistence.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.dbBackedAuditLogPersistence = dbBackedAuditLogPersistence;
+function toFraimAuditRecord(record) {
+    const f = record.fields;
+    const userId = typeof f.userId === 'string' ? f.userId : null;
+    const sessionId = typeof f.sessionId === 'string' ? f.sessionId : null;
+    const provider = typeof f.provider === 'string' ? f.provider : undefined;
+    const surface = typeof f.surface === 'string' ? f.surface : undefined;
+    const ip = typeof f.ip === 'string' ? f.ip : null;
+    const userAgent = typeof f.userAgent === 'string' ? f.userAgent : null;
+    const reason = typeof f.reason === 'string' ? f.reason : undefined;
+    const outcome = f.outcome === 'success' || f.outcome === 'failure' ? f.outcome : undefined;
+    const known = new Set(['userId', 'sessionId', 'provider', 'surface', 'ip', 'userAgent', 'reason', 'outcome']);
+    const extra = {};
+    for (const [k, v] of Object.entries(f)) {
+        if (!known.has(k))
+            extra[k] = v;
+    }
+    return {
+        sequence: record.sequence,
+        ts: new Date(record.ts),
+        event: record.event,
+        userId,
+        sessionId,
+        provider,
+        surface,
+        ip,
+        userAgent,
+        reason,
+        outcome,
+        extra: Object.keys(extra).length > 0 ? extra : undefined,
+    };
+}
+function dbBackedAuditLogPersistence(dbService) {
+    return {
+        async append(record) {
+            await dbService.appendAuditRecord(toFraimAuditRecord(record));
+        },
+        async listForUser(userId, sinceMs, limit) {
+            const rows = await dbService.listAuditRecordsForUser(userId, sinceMs, limit);
+            return rows.map(r => ({
+                sequence: r.sequence,
+                ts: r.ts.toISOString(),
+                event: r.event,
+                fields: {
+                    userId: r.userId,
+                    sessionId: r.sessionId,
+                    provider: r.provider,
+                    surface: r.surface,
+                    ip: r.ip,
+                    userAgent: r.userAgent,
+                    reason: r.reason,
+                    outcome: r.outcome,
+                    ...(r.extra ?? {}),
+                },
+            }));
+        },
+    };
+}

package/dist/src/services/audit-log.js

@@ -0,0 +1,69 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setAuditLogPersistence = setAuditLogPersistence;
+exports.resetAuditLogForTests = resetAuditLogForTests;
+exports.getInMemoryAuditRecords = getInMemoryAuditRecords;
+exports.auditLog = auditLog;
+exports.listAuditEventsForUser = listAuditEventsForUser;
+const inMemorySink = [];
+const inMemoryPersistence = {
+    async append(record) {
+        inMemorySink.push(record);
+    },
+    async listForUser(userId, sinceMs, limit) {
+        const since = Date.now() - sinceMs;
+        return inMemorySink
+            .filter(r => r.fields.userId === userId && new Date(r.ts).getTime() >= since)
+            .slice(-limit);
+    },
+};
+let activePersistence = inMemoryPersistence;
+let sequenceCounter = 0;
+function setAuditLogPersistence(persistence) {
+    activePersistence = persistence;
+}
+function resetAuditLogForTests() {
+    activePersistence = inMemoryPersistence;
+    inMemorySink.length = 0;
+    sequenceCounter = 0;
+}
+function getInMemoryAuditRecords() {
+    return [...inMemorySink];
+}
+async function auditLog(event, fields = {}) {
+    const record = {
+        sequence: ++sequenceCounter,
+        ts: new Date().toISOString(),
+        event,
+        fields,
+    };
+    try {
+        await activePersistence.append(record);
+    }
+    catch (err) {
+        console.error('[FRAIM AUDIT] Failed to persist audit record:', err);
+    }
+    const safeFields = { ...fields };
+    if (typeof safeFields.userId === 'string') {
+        safeFields.userId = redactEmail(safeFields.userId);
+    }
+    console.log(JSON.stringify({
+        kind: 'fraim_audit',
+        sequence: record.sequence,
+        ts: record.ts,
+        event: record.event,
+        ...safeFields,
+    }));
+}
+async function listAuditEventsForUser(userId, sinceMs = 30 * 24 * 60 * 60 * 1000, limit = 200) {
+    return activePersistence.listForUser(userId, sinceMs, limit);
+}
+function redactEmail(email) {
+    const at = email.indexOf('@');
+    if (at < 1)
+        return '***';
+    const local = email.slice(0, at);
+    const domain = email.slice(at + 1);
+    const visible = local.length <= 2 ? local : `${local.slice(0, 2)}***`;
+    return `${visible}@${domain}`;
+}

package/dist/src/services/cookie-service.js

@@ -0,0 +1,129 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.__testing = exports.OAUTH_PENDING_COOKIE_NAME = exports.SESSION_COOKIE_NAME = void 0;
+exports.setSessionCookie = setSessionCookie;
+exports.clearSessionCookie = clearSessionCookie;
+exports.setOAuthPendingCookie = setOAuthPendingCookie;
+exports.clearOAuthPendingCookie = clearOAuthPendingCookie;
+exports.readSessionCookie = readSessionCookie;
+exports.readOAuthPendingCookie = readOAuthPendingCookie;
+exports.readBearerToken = readBearerToken;
+exports.SESSION_COOKIE_NAME = 'fraim_session';
+exports.OAUTH_PENDING_COOKIE_NAME = 'fraim_oauth_pending';
+const SESSION_MAX_AGE_SECONDS = 30 * 24 * 60 * 60;
+const OAUTH_PENDING_MAX_AGE_SECONDS = 10 * 60;
+function buildCookieHeader(attrs) {
+    const parts = [`${attrs.name}=${attrs.value}`];
+    parts.push(`Max-Age=${attrs.maxAgeSeconds}`);
+    parts.push(`Path=${attrs.path ?? '/'}`);
+    if (attrs.domain)
+        parts.push(`Domain=${attrs.domain}`);
+    if (attrs.httpOnly !== false)
+        parts.push('HttpOnly');
+    if (attrs.secure !== false)
+        parts.push('Secure');
+    parts.push(`SameSite=${attrs.sameSite ?? 'Lax'}`);
+    return parts.join('; ');
+}
+function isProduction() {
+    return process.env.NODE_ENV === 'production';
+}
+function getCookieDomain() {
+    if (!isProduction())
+        return undefined;
+    // In production, only use a domain if explicitly set. This allows the cookie
+    // to work on any domain (fraimworks.ai, azurewebsites.net, etc.) without
+    // needing domain-specific configuration.
+    return process.env.FRAIM_COOKIE_DOMAIN || undefined;
+}
+function getCookieSecure() {
+    return isProduction();
+}
+function appendSetCookie(res, header) {
+    const existing = res.getHeader('Set-Cookie');
+    if (!existing) {
+        res.setHeader('Set-Cookie', header);
+        return;
+    }
+    if (Array.isArray(existing)) {
+        res.setHeader('Set-Cookie', [...existing, header]);
+        return;
+    }
+    res.setHeader('Set-Cookie', [String(existing), header]);
+}
+function setSessionCookie(res, sessionId) {
+    appendSetCookie(res, buildCookieHeader({
+        name: exports.SESSION_COOKIE_NAME,
+        value: sessionId,
+        maxAgeSeconds: SESSION_MAX_AGE_SECONDS,
+        domain: getCookieDomain(),
+        secure: getCookieSecure(),
+        sameSite: 'Lax',
+    }));
+}
+function clearSessionCookie(res) {
+    appendSetCookie(res, buildCookieHeader({
+        name: exports.SESSION_COOKIE_NAME,
+        value: '',
+        maxAgeSeconds: 0,
+        domain: getCookieDomain(),
+        secure: getCookieSecure(),
+        sameSite: 'Lax',
+    }));
+}
+function setOAuthPendingCookie(res, pendingId) {
+    appendSetCookie(res, buildCookieHeader({
+        name: exports.OAUTH_PENDING_COOKIE_NAME,
+        value: pendingId,
+        maxAgeSeconds: OAUTH_PENDING_MAX_AGE_SECONDS,
+        domain: getCookieDomain(),
+        secure: getCookieSecure(),
+        sameSite: 'Lax',
+    }));
+}
+function clearOAuthPendingCookie(res) {
+    appendSetCookie(res, buildCookieHeader({
+        name: exports.OAUTH_PENDING_COOKIE_NAME,
+        value: '',
+        maxAgeSeconds: 0,
+        domain: getCookieDomain(),
+        secure: getCookieSecure(),
+        sameSite: 'Lax',
+    }));
+}
+function parseCookieHeader(header) {
+    const out = new Map();
+    if (!header)
+        return out;
+    for (const pair of header.split(';')) {
+        const eq = pair.indexOf('=');
+        if (eq < 0)
+            continue;
+        const name = pair.slice(0, eq).trim();
+        const value = pair.slice(eq + 1).trim();
+        if (name)
+            out.set(name, decodeURIComponent(value));
+    }
+    return out;
+}
+function readSessionCookie(req) {
+    const cookies = parseCookieHeader(req.headers.cookie);
+    return cookies.get(exports.SESSION_COOKIE_NAME) || null;
+}
+function readOAuthPendingCookie(req) {
+    const cookies = parseCookieHeader(req.headers.cookie);
+    return cookies.get(exports.OAUTH_PENDING_COOKIE_NAME) || null;
+}
+function readBearerToken(req) {
+    const auth = req.headers.authorization;
+    if (!auth || typeof auth !== 'string')
+        return null;
+    const match = /^Bearer\s+(.+)$/i.exec(auth);
+    return match ? match[1].trim() : null;
+}
+exports.__testing = {
+    buildCookieHeader,
+    parseCookieHeader,
+    SESSION_MAX_AGE_SECONDS,
+    OAUTH_PENDING_MAX_AGE_SECONDS,
+};

package/dist/src/services/dashboard-access.js

@@ -0,0 +1,27 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createDashboardAccessLink = createDashboardAccessLink;
+exports.createDashboardAccessUrl = createDashboardAccessUrl;
+const crypto_1 = require("crypto");
+async function createDashboardAccessLink(dbService, email, apiKey, tokenFactory = () => (0, crypto_1.randomBytes)(32).toString('hex')) {
+    const token = tokenFactory();
+    const expiresAt = new Date(Date.now() + 15 * 60 * 1000);
+    await dbService.createAccessToken({
+        token,
+        email,
+        key: apiKey,
+        expiresAt,
+        createdAt: new Date()
+    });
+    const baseUrl = (process.env.BASE_URL || 'https://fraimworks.ai').replace(/\/$/, '');
+    return {
+        token,
+        expiresAt,
+        dashboardUrl: `${baseUrl}/dashboard?token=${token}`,
+        redirectPath: `/dashboard?token=${token}`
+    };
+}
+async function createDashboardAccessUrl(dbService, email, apiKey, tokenFactory) {
+    const { dashboardUrl } = await createDashboardAccessLink(dbService, email, apiKey, tokenFactory);
+    return dashboardUrl;
+}

package/dist/src/services/demo-seed-service.js

@@ -0,0 +1,139 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.seedDemoDataForUser = seedDemoDataForUser;
+const crypto_1 = require("crypto");
+const STAGE_JOBS = [
+    { name: 'brainstorming', category: 'brainstorming', jobs: ['idea-exploration', 'opportunity-mapping'] },
+    { name: 'customer-development', category: 'customer-development', jobs: ['interview-preparation', 'process-interview-notes', 'review-customer-development'] },
+    { name: 'product-building', category: 'product-building', jobs: ['feature-specification', 'technical-design', 'feature-implementation', 'pr-iteration'] },
+    { name: 'fundraising', category: 'fundraising', jobs: ['investor-outreach', 'deck-iteration'] },
+    { name: 'gtm', category: 'gtm', jobs: ['gtm-plan', 'channel-tests'] },
+    { name: 'marketing', category: 'marketing', jobs: ['brand-creation', 'whitepaper-thought-leadership'] },
+    { name: 'biz-dev', category: 'biz-dev', jobs: ['partnership-outreach'] },
+    { name: 'ai-management', category: 'ai-management', jobs: ['analyze-why-you-messed-up'] },
+    { name: 'other', category: 'other', jobs: ['follow-your-mentor'] },
+];
+const SKILLS = [
+    { name: 'plan/feature-spec', category: 'product-building' },
+    { name: 'plan/technical-design', category: 'product-building' },
+    { name: 'execute/feature-implementation', category: 'product-building' },
+    { name: 'review/code-review', category: 'product-building' },
+    { name: 'customer/interview', category: 'customer-development' },
+    { name: 'customer/synthesis', category: 'customer-development' },
+    { name: 'gtm/channel-test', category: 'gtm' },
+    { name: 'marketing/copy-iteration', category: 'marketing' },
+];
+const sleep = (ms) => new Promise((r) => setTimeout(r, ms));
+async function insertWithBackoff(collection, doc, attempt = 0) {
+    try {
+        await collection.insertOne(doc);
+    }
+    catch (error) {
+        const msg = String(error?.message || error || '');
+        const is429 = msg.includes('TooManyRequests') || msg.includes('429');
+        if (is429 && attempt < 6) {
+            const wait = 200 * Math.pow(2, attempt) + Math.floor(Math.random() * 100);
+            await sleep(wait);
+            return insertWithBackoff(collection, doc, attempt + 1);
+        }
+        throw error;
+    }
+}
+async function seedDemoDataForUser(dbService, userId) {
+    const now = Date.now();
+    const day = 24 * 60 * 60 * 1000;
+    const db = dbService.db;
+    if (!db)
+        throw new Error('DB not connected');
+    const usageCollectionName = dbService.usageEventsCollectionName || 'fraim_usage_events';
+    const usageCollection = db.collection(usageCollectionName);
+    const qualityCollection = db.collection('fraim_quality_scores');
+    // Make seeding idempotent — wipe any prior partial seed for this user before inserting.
+    await usageCollection.deleteMany({ userId }).catch(() => undefined);
+    await qualityCollection.deleteMany({ userId }).catch(() => undefined);
+    // ~120 job runs spread over 28 days, weighted toward product-building so the doughnut + bars look populated.
+    let jobCount = 0;
+    for (let i = 0; i < 120; i++) {
+        const stage = STAGE_JOBS[i % STAGE_JOBS.length];
+        const jobName = stage.jobs[i % stage.jobs.length];
+        const daysAgo = Math.floor(Math.random() * 28);
+        const hoursAgo = Math.floor(Math.random() * 23);
+        const createdAt = new Date(now - daysAgo * day - hoursAgo * 3600 * 1000);
+        const success = Math.random() > 0.12;
+        const sessionId = `demo-session-${Math.floor(i / 4)}`;
+        const event = {
+            type: 'job',
+            name: jobName,
+            userId,
+            sessionId,
+            success,
+            // Both top-level and args.category — the heatmap aggregation reads args.category.
+            category: stage.category,
+            args: { category: stage.category },
+            jobId: (0, crypto_1.randomUUID)(),
+            jobPhase: 'submission',
+            createdAt,
+        };
+        if (i % 3 === 0)
+            event.repoIdentifier = 'demo-org/demo-app';
+        await insertWithBackoff(usageCollection, event);
+        jobCount += 1;
+    }
+    // ~40 skill invocations to light up the brain heatmap across regions.
+    let skillCount = 0;
+    for (let i = 0; i < 40; i++) {
+        const skill = SKILLS[i % SKILLS.length];
+        const daysAgo = Math.floor(Math.random() * 28);
+        const createdAt = new Date(now - daysAgo * day - 3600 * 1000 * (i % 23));
+        const sessionId = `demo-session-${Math.floor(i / 3)}`;
+        await insertWithBackoff(usageCollection, {
+            type: 'skill',
+            name: skill.name,
+            userId,
+            sessionId,
+            success: true,
+            category: skill.category,
+            args: { category: skill.category },
+            createdAt,
+        });
+        skillCount += 1;
+    }
+    // Quality assessments use the dashboard's canonical stage categories.
+    const QUALITY_STAGES = [
+        { category: 'customer-development', jobName: 'process-interview-notes' },
+        { category: 'business-strategy', jobName: 'review-business-strategy' },
+        { category: 'branding', jobName: 'branding-quality-audit' },
+        { category: 'product-quality', jobName: 'code-quality-assessment' },
+        { category: 'test-quality', jobName: 'test-quality-assessment' },
+        { category: 'security', jobName: 'security-review' },
+        { category: 'production-readiness', jobName: 'production-readiness-review' },
+        { category: 'fundraising', jobName: 'fundraising-evidence-review' },
+        { category: 'go-to-market', jobName: 'marketing-strategy-definition' },
+    ];
+    let qualityCount = 0;
+    for (const stage of QUALITY_STAGES) {
+        for (let n = 0; n < 3; n++) {
+            const composite = 4.5 + n * 1.5 + Math.random();
+            const createdAt = new Date(now - (21 - n * 7) * day);
+            const record = {
+                userId,
+                jobName: stage.jobName,
+                jobId: (0, crypto_1.randomUUID)(),
+                sessionId: `demo-session-q-${stage.category}-${n}`,
+                stageCategory: stage.category,
+                scores: {
+                    composite: Number(composite.toFixed(2)),
+                    market_evidence: { score: Number((composite - 0.4).toFixed(2)), rationale: 'Synthetic demo data.' },
+                    strategic_coherence: { score: Number((composite - 0.2).toFixed(2)), rationale: 'Synthetic demo data.' },
+                    standards_compliance: Number((composite + 0.1).toFixed(2)),
+                    coaching: 'Synthetic demo coaching note. Keep iterating.',
+                },
+                artifactPath: `docs/${stage.category}/${stage.jobName}-demo-${n}.md`,
+                createdAt,
+            };
+            await insertWithBackoff(qualityCollection, record);
+            qualityCount += 1;
+        }
+    }
+    return { jobEventsInserted: jobCount, skillEventsInserted: skillCount, qualityRecordsInserted: qualityCount };
+}

package/dist/src/services/email-code.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateEmailCode = generateEmailCode;
+exports.normalizeEmailCode = normalizeEmailCode;
+exports.hashEmailCode = hashEmailCode;
+const crypto_1 = require("crypto");
+const EMAIL_CODE_ALPHABET = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';
+function generateEmailCode() {
+    const bytes = (0, crypto_1.randomBytes)(8);
+    let code = '';
+    for (const byte of bytes) {
+        code += EMAIL_CODE_ALPHABET[byte % EMAIL_CODE_ALPHABET.length];
+    }
+    return code;
+}
+function normalizeEmailCode(input) {
+    return String(input ?? '').toUpperCase().replace(/[^A-Z0-9]/g, '');
+}
+function hashEmailCode(email, code) {
+    return (0, crypto_1.createHash)('sha256')
+        .update(`${email.toLowerCase()}:${normalizeEmailCode(code)}`)
+        .digest('hex');
+}