lula2 0.7.5 → 0.8.4-nightly.0

package/dist/index.html

@@ -6,28 +6,28 @@
 		<link rel="icon" href="/lula.png" />
 		<meta name="viewport" content="width=device-width, initial-scale=1" />
 		
-		<link rel="modulepreload" href="/_app/immutable/entry/start.Bgy9x4Qb.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/DH2IP9c7.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/CxBMFlfX.js">
-		<link rel="modulepreload" href="/_app/immutable/entry/app.CjycYot0.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/DXSHWIjJ.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/Cng7c2CG.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/urFjAlpd.js">
-		<link rel="modulepreload" href="/_app/immutable/chunks/DsuS1uUo.js">
+		<link rel="modulepreload" href="/_app/immutable/entry/start.BZfBvC8E.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/Dpd5zUJG.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/DHuA7MQr.js">
+		<link rel="modulepreload" href="/_app/immutable/entry/app.DMutRaVE.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/DSxRA67V.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/Ew6_cz_0.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/CC6oS456.js">
+		<link rel="modulepreload" href="/_app/immutable/chunks/BNu54jRO.js">
 	</head>
 	<body data-sveltekit-preload-data="hover">
 		<div style="display: contents">
 			<script>
 				{
-					__sveltekit_sd3spo = {
+					__sveltekit_1gac0aa = {
 						base: ""
 					};
 
 					const element = document.currentScript.parentElement;
 
 					Promise.all([
-						import("/_app/immutable/entry/start.Bgy9x4Qb.js"),
-						import("/_app/immutable/entry/app.CjycYot0.js")
+						import("/_app/immutable/entry/start.BZfBvC8E.js"),
+						import("/_app/immutable/entry/app.DMutRaVE.js")
 					]).then(([kit, app]) => {
 						kit.start(app, element);
 					});

package/dist/index.js

@@ -1669,6 +1669,7 @@ var fileStore_exports = {};
 __export(fileStore_exports, {
   FileStore: () => FileStore
 });
+import { createHash as createHash2 } from "crypto";
 import {
   existsSync as existsSync2,
   promises as fs,
@@ -1681,7 +1682,6 @@ import {
 } from "fs";
 import * as yaml2 from "js-yaml";
 import { join as join2 } from "path";
-import { createHash as createHash2 } from "crypto";
 var FileStore;
 var init_fileStore = __esm({
   "cli/server/infrastructure/fileStore.ts"() {
@@ -1701,6 +1701,40 @@ var init_fileStore = __esm({
           this.refreshControlsCache();
         }
       }
+      /**
+       * Update a single mapping in place, preserving file order
+       */
+      async updateMapping(oldCompositeKey, updatedMapping) {
+        const mappingFiles = this.getAllMappingFiles();
+        for (const file of mappingFiles) {
+          try {
+            const content = readFileSync2(file, "utf8");
+            let mappings = yaml2.load(content) || [];
+            let changed = false;
+            mappings = mappings.map((m) => {
+              const hash = createHash2("sha256").update(JSON.stringify(m)).digest("hex");
+              if (`${m.control_id}:${hash}` === oldCompositeKey) {
+                const clean = { ...updatedMapping };
+                delete clean.hash;
+                changed = true;
+                return clean;
+              }
+              return m;
+            });
+            if (changed) {
+              const yamlContent = yaml2.dump(mappings, {
+                indent: 2,
+                lineWidth: -1,
+                noRefs: true
+              });
+              writeFileSync(file, yamlContent, "utf8");
+              return;
+            }
+          } catch (error) {
+            console.error(`Error processing mapping file ${file}:`, error);
+          }
+        }
+      }
       /**
        * Get simple filename from control ID
        */
@@ -1723,8 +1757,8 @@ var init_fileStore = __esm({
         if (!this.baseDir || this.baseDir === "." || this.baseDir === process.cwd()) {
           return;
         }
-        const lulaConfigPath2 = join2(this.baseDir, "lula.yaml");
-        if (!existsSync2(lulaConfigPath2)) {
+        const lulaConfigPath = join2(this.baseDir, "lula.yaml");
+        if (!existsSync2(lulaConfigPath)) {
           return;
         }
         if (!existsSync2(this.controlsDir)) {
@@ -1883,10 +1917,10 @@ var init_fileStore = __esm({
           return [];
         }
         let controlOrder = null;
+        const lulaConfigPath = join2(this.baseDir, "lula.yaml");
         try {
-          const lulaConfigPath2 = join2(this.baseDir, "lula.yaml");
-          if (existsSync2(lulaConfigPath2)) {
-            const content = readFileSync2(lulaConfigPath2, "utf8");
+          if (existsSync2(lulaConfigPath)) {
+            const content = readFileSync2(lulaConfigPath, "utf8");
             const metadata = yaml2.load(content);
             controlOrder = metadata?.controlOrder || null;
           }
@@ -5143,12 +5177,12 @@ import { fileURLToPath } from "url";
 import { readFileSync as readFileSync4 } from "fs";
 init_debug();
 init_controlHelpers();
-init_serverState();
 init_gitHistory();
+init_serverState();
 import * as yaml5 from "js-yaml";
+import crypto2 from "node:crypto";
 import { join as join5 } from "path";
 import { WebSocket, WebSocketServer } from "ws";
-import crypto2 from "node:crypto";
 var WebSocketManager = class {
   wss = null;
   clients = /* @__PURE__ */ new Set();
@@ -5189,6 +5223,62 @@ var WebSocketManager = class {
           }
           break;
         }
+        case "update-mapping": {
+          const state = getServerState();
+          if (payload && payload.old_composite_key && payload.mapping) {
+            const oldCompositeKey = payload.old_composite_key;
+            const existing = state.mappingsCache.get(oldCompositeKey);
+            if (!existing) {
+              console.error("Mapping not found for update:", oldCompositeKey);
+              break;
+            }
+            const incoming = payload.mapping;
+            const updated = {
+              ...existing,
+              ...incoming,
+              control_id: incoming.control_id || existing.control_id,
+              uuid: incoming.uuid || existing.uuid
+            };
+            if (!updated.hash || updated.hash === "") {
+              updated.hash = crypto2.createHash("sha256").update(JSON.stringify({ ...updated, hash: void 0 })).digest("hex");
+            }
+            const oldHash = existing.hash;
+            const oldControlId = existing.control_id;
+            const oldFamily = oldControlId.split("-")[0];
+            const newHash = updated.hash;
+            const newControlId = updated.control_id;
+            const newFamily = newControlId.split("-")[0];
+            const newCompositeKey = `${newControlId}:${newHash}`;
+            await state.fileStore.updateMapping(oldCompositeKey, updated);
+            const entries = Array.from(state.mappingsCache.entries());
+            const oldIndex = entries.findIndex(([key]) => key === oldCompositeKey);
+            if (oldIndex === -1) {
+              state.mappingsCache.delete(oldCompositeKey);
+              state.mappingsCache.set(newCompositeKey, updated);
+            } else {
+              entries[oldIndex] = [newCompositeKey, updated];
+              state.mappingsCache = new Map(entries);
+            }
+            state.mappingsByFamily.get(oldFamily)?.delete(oldHash);
+            state.mappingsByControl.get(oldControlId)?.delete(oldHash);
+            if (!state.mappingsByFamily.has(newFamily)) {
+              state.mappingsByFamily.set(newFamily, /* @__PURE__ */ new Set());
+            }
+            state.mappingsByFamily.get(newFamily).add(newHash);
+            if (!state.mappingsByControl.has(newControlId)) {
+              state.mappingsByControl.set(newControlId, /* @__PURE__ */ new Set());
+            }
+            state.mappingsByControl.get(newControlId).add(newHash);
+            ws.send(
+              JSON.stringify({
+                type: "mapping-updated",
+                payload: { uuid: updated.uuid, success: true }
+              })
+            );
+            this.broadcastState();
+          }
+          break;
+        }
         case "refresh-controls": {
           const state = getServerState();
           state.controlsCache.clear();

package/package.json

@@ -1,129 +1,128 @@
 {
-	"name": "lula2",
-	"version": "0.7.5",
-	"description": "A tool for managing compliance as code in your GitHub repositories.",
-	"bin": {
-		"lula2": "./dist/lula2"
-	},
-	"main": "dist/index.js",
-	"types": "dist/index.d.ts",
-	"type": "module",
-	"engines": {
-		"node": ">=22.20.0"
-	},
-	"repository": {
-		"type": "git",
-		"url": "git+https://github.com/defenseunicorns/lula.git"
-	},
-	"keywords": [
-		"compliance",
-		"devops",
-		"devsecops"
-	],
-	"author": "Defense Unicorns",
-	"license": "Apache-2.0",
-	"bugs": {
-		"url": "https://github.com/defenseunicorns/lula/issues"
-	},
-	"homepage": "https://github.com/defenseunicorns/lula#readme",
-	"files": [
-		"/src",
-		"/dist",
-		"!src/**/*.test.ts",
-		"!dist/**/*.test.js*",
-		"!dist/**/*.test.d.ts*"
-	],
-	"scripts": {
-		"dev": "vite dev --port 5173",
-		"dev:api": "tsx --watch index.ts --debug ui --port 3000 --no-open-browser",
-		"dev:full": "concurrently \"npm run dev:api\" \"npm run dev\"",
-		"build": "npm run build:svelte && npm run build:cli && npm run postbuild:cli",
-		"build:svelte": "vite build",
-		"build:cli": "esbuild index.ts cli/**/*.ts --bundle --platform=node --target=node22 --format=esm --outdir=dist --external:express --external:commander --external:js-yaml --external:yaml --external:isomorphic-git --external:glob --external:open --external:ws --external:cors --external:multer --external:@octokit/rest --external:undici --external:xlsx-republish --external:csv-parse",
-		"postbuild:cli": "cp cli-wrapper.mjs dist/lula2 && chmod +x dist/lula2",
-		"preview": "vite preview",
-		"prepare": "svelte-kit sync || echo ''",
-		"check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json && tsc --noEmit",
-		"check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
-		"format": "prettier --write 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts'",
-		"format:check": "prettier --check 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts'",
-		"lint": "prettier --check 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts' && eslint src cli",
-		"test": "npm run test:unit -- --run --coverage",
-		"test:integration": "vitest --config integration/vitest.config.integration.ts",
-		"test:unit": "vitest"
-	},
-	"dependencies": {
-		"@octokit/rest": "22.0.1",
-		"@types/ws": "8.18.1",
-		"commander": "14.0.2",
-		"cors": "2.8.5",
-		"csv-parse": "6.1.0",
-		"express": "5.2.1",
-		"express-rate-limit": "8.2.1",
-		"flowbite": "4.0.1",
-		"glob": "13.0.0",
-		"isomorphic-git": "1.36.0",
-		"js-yaml": "4.1.1",
-		"multer": "2.0.2",
-		"open": "11.0.0",
-		"undici": "7.16.0",
-		"ws": "8.18.3",
-		"xlsx-republish": "0.20.3",
-		"yaml": "2.8.2"
-	},
-	"devDependencies": {
-		"@commitlint/cli": "^20.0.0",
-		"@commitlint/config-conventional": "^20.0.0",
-		"@defenseunicorns/eslint-config": "^1.1.2",
-		"@eslint/compat": "^2.0.0",
-		"@eslint/eslintrc": "^3.3.1",
-		"@eslint/js": "^9.35.0",
-		"@playwright/test": "^1.55.0",
-		"@sveltejs/adapter-static": "^3.0.9",
-		"@sveltejs/kit": "^2.37.1",
-		"@sveltejs/vite-plugin-svelte": "^6.1.4",
-		"@tailwindcss/vite": "^4.1.13",
-		"@types/cors": "^2.8.19",
-		"@types/express": "^5.0.3",
-		"@types/js-yaml": "^4.0.9",
-		"@types/jsdom": "^27.0.0",
-		"@types/multer": "^2.0.0",
-		"@types/node": "^24.4.0",
-		"@typescript-eslint/eslint-plugin": "^8.42.0",
-		"@typescript-eslint/parser": "^8.42.0",
-		"@vitest/browser": "^4.0.1",
-		"@vitest/coverage-v8": "^4.0.1",
-		"carbon-icons-svelte": "^13.5.0",
-		"carbon-preprocess-svelte": "^0.11.11",
-		"concurrently": "^9.2.1",
-		"esbuild": "^0.27.0",
-		"eslint": "^9.35.0",
-		"eslint-config-prettier": "^10.1.8",
-		"eslint-plugin-jsdoc": "^61.0.0",
-		"eslint-plugin-svelte": "^3.12.2",
-		"globals": "^16.3.0",
-		"husky": "^9.1.7",
-		"jsdom": "^27.0.0",
-		"playwright": "^1.55.0",
-		"prettier": "3.7.4",
-		"prettier-plugin-svelte": "^3.4.0",
-		"semantic-release": "^25.0.1",
-		"shellcheck": "^4.1.0",
-		"svelte": "^5.38.7",
-		"svelte-check": "^4.3.1",
-		"tailwind-merge": "^3.3.1",
-		"tailwindcss": "^4.1.13",
-		"tsx": "^4.20.5",
-		"typescript": "5.9.3",
-		"typescript-eslint": "^8.42.0",
-		"vite": "^7.1.4",
-		"vitest": "^4.0.1",
-		"vitest-browser-svelte": "^2.0.0"
-	},
-	"release": {
-		"branches": [
-			"main",
-			"next"
-		]
-	}
-}
+  "name": "lula2",
+  "version": "0.8.4-nightly.0",
+  "description": "A tool for managing compliance as code in your GitHub repositories.",
+  "bin": {
+    "lula2": "./dist/lula2"
+  },
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "type": "module",
+  "engines": {
+    "node": ">=22.20.0"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/defenseunicorns/lula.git"
+  },
+  "keywords": [
+    "compliance",
+    "devops",
+    "devsecops"
+  ],
+  "author": "Defense Unicorns",
+  "license": "Apache-2.0",
+  "bugs": {
+    "url": "https://github.com/defenseunicorns/lula/issues"
+  },
+  "homepage": "https://github.com/defenseunicorns/lula#readme",
+  "files": [
+    "/src",
+    "/dist",
+    "!src/**/*.test.ts",
+    "!dist/**/*.test.js*",
+    "!dist/**/*.test.d.ts*"
+  ],
+  "dependencies": {
+    "@octokit/rest": "22.0.1",
+    "@types/ws": "8.18.1",
+    "commander": "14.0.2",
+    "cors": "2.8.5",
+    "csv-parse": "6.1.0",
+    "express": "5.2.1",
+    "express-rate-limit": "8.2.1",
+    "flowbite": "4.0.1",
+    "glob": "13.0.0",
+    "isomorphic-git": "1.36.0",
+    "js-yaml": "4.1.1",
+    "multer": "2.0.2",
+    "open": "11.0.0",
+    "undici": "7.16.0",
+    "ws": "8.18.3",
+    "xlsx-republish": "0.20.3",
+    "yaml": "2.8.2"
+  },
+  "devDependencies": {
+    "@commitlint/cli": "^20.0.0",
+    "@commitlint/config-conventional": "^20.0.0",
+    "@defenseunicorns/eslint-config": "^1.1.2",
+    "@eslint/compat": "^2.0.0",
+    "@eslint/eslintrc": "^3.3.1",
+    "@eslint/js": "^9.35.0",
+    "@playwright/test": "^1.55.0",
+    "@sveltejs/adapter-static": "^3.0.9",
+    "@sveltejs/kit": "^2.37.1",
+    "@sveltejs/vite-plugin-svelte": "^6.1.4",
+    "@tailwindcss/vite": "^4.1.13",
+    "@types/cors": "^2.8.19",
+    "@types/express": "^5.0.3",
+    "@types/js-yaml": "^4.0.9",
+    "@types/jsdom": "^27.0.0",
+    "@types/multer": "^2.0.0",
+    "@types/node": "^25.0.0",
+    "@typescript-eslint/eslint-plugin": "^8.42.0",
+    "@typescript-eslint/parser": "^8.42.0",
+    "@vitest/browser": "^4.0.1",
+    "@vitest/coverage-v8": "^4.0.1",
+    "carbon-icons-svelte": "^13.5.0",
+    "carbon-preprocess-svelte": "^0.11.11",
+    "concurrently": "^9.2.1",
+    "esbuild": "^0.27.0",
+    "eslint": "^9.35.0",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-jsdoc": "^61.0.0",
+    "eslint-plugin-svelte": "^3.12.2",
+    "globals": "^16.3.0",
+    "husky": "^9.1.7",
+    "jsdom": "^27.0.0",
+    "playwright": "^1.55.0",
+    "prettier": "3.7.4",
+    "prettier-plugin-svelte": "^3.4.0",
+    "semantic-release": "^25.0.1",
+    "shellcheck": "^4.1.0",
+    "svelte": "^5.38.7",
+    "svelte-check": "^4.3.1",
+    "tailwind-merge": "^3.3.1",
+    "tailwindcss": "^4.1.13",
+    "tsx": "^4.20.5",
+    "typescript": "5.9.3",
+    "typescript-eslint": "^8.42.0",
+    "vite": "^7.1.4",
+    "vitest": "^4.0.1",
+    "vitest-browser-svelte": "^2.0.0"
+  },
+  "release": {
+    "branches": [
+      "main",
+      "next"
+    ]
+  },
+  "scripts": {
+    "dev": "vite dev --port 5173",
+    "dev:api": "tsx --watch index.ts --debug ui --port 3000 --no-open-browser",
+    "dev:full": "concurrently \"npm run dev:api\" \"npm run dev\"",
+    "build": "npm run build:svelte && npm run build:cli && npm run postbuild:cli",
+    "build:svelte": "vite build",
+    "build:cli": "esbuild index.ts cli/**/*.ts --bundle --platform=node --target=node22 --format=esm --outdir=dist --external:express --external:commander --external:js-yaml --external:yaml --external:isomorphic-git --external:glob --external:open --external:ws --external:cors --external:multer --external:@octokit/rest --external:undici --external:xlsx-republish --external:csv-parse",
+    "postbuild:cli": "cp cli-wrapper.mjs dist/lula2 && chmod +x dist/lula2",
+    "preview": "vite preview",
+    "check": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json && tsc --noEmit",
+    "check:watch": "svelte-kit sync && svelte-check --tsconfig ./tsconfig.json --watch",
+    "format": "prettier --write 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts'",
+    "format:check": "prettier --check 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts'",
+    "lint": "prettier --check 'src/**/*.{ts,js,svelte}' 'cli/**/*.ts' 'index.ts' 'tests/**/*.ts' && eslint src cli",
+    "test": "npm run test:unit -- --run --coverage",
+    "test:integration": "vitest --config integration/vitest.config.integration.ts",
+    "test:unit": "vitest"
+  }
+}

package/src/lib/components/controls/MappingCard.svelte

@@ -27,6 +27,7 @@
 			onDelete?.(mapping.hash!);
 		}
 	}
+
 </script>
 
 <div
@@ -75,7 +76,11 @@
 		<p class="text-sm text-gray-700 dark:text-gray-300 leading-relaxed mb-4">
 			{mapping.justification}
 		</p>
-		
+		{#if mapping.cci}
+			<div class="mb-4">
+				<h4 class="text-xs font-semibold text-gray-600 dark:text-gray-400 tracking-wider mb-2">CCIs:<span class="text-xs font-mono  text-gray-500 dark:text-gray-300 ml-2 break-all" title="CCIs">{mapping.cci}</span></h4>
+			</div>
+		{/if}
 		{#if mapping.source_entries && mapping.source_entries.length > 0}
 			<div class="mb-4">
 				<h4 class="text-xs font-semibold text-gray-600 dark:text-gray-400 uppercase tracking-wider mb-2">Source References</h4>

package/src/lib/components/controls/MappingForm.svelte

@@ -11,6 +11,7 @@
 		justification: string;
 		status: 'planned' | 'implemented' | 'verified';
 		source_entries: SourceEntry[];
+		cci: string;
 	}
 
 	interface Props {
@@ -19,6 +20,7 @@
 		onCancel: () => void;
 		loading?: boolean;
 		submitLabel?: string;
+		cci?: string;
 	}
 
 	let {
@@ -26,14 +28,16 @@
 		onSubmit,
 		onCancel,
 		loading = false,
-		submitLabel = 'Create Mapping'
+		submitLabel = 'Create Mapping',
+		cci
 	}: Props = $props();
 
 	let formData = $state<MappingFormData>({
 		uuid: initialData.uuid || '',
 		justification: initialData.justification || '',
 		status: initialData.status || 'planned',
-		source_entries: initialData.source_entries || []
+		source_entries: initialData.source_entries || [],
+		cci: initialData.cci ?? ''
 	});
 	
 	let newLocation = $state('');
@@ -42,6 +46,25 @@
 	const statusOptions = ['planned', 'implemented', 'verified'];
 
 	const isValid = $derived(formData.justification.trim().length > 0);
+	
+	const cciOptions = $derived(
+		(cci ?? '')
+			.split(';')
+			.map((s) => s.trim())
+			.filter(Boolean)
+	);
+
+	
+	let selectedCCIs = $derived(
+		(formData.cci ?? '')
+			.split(';')
+			.map((s) => s.trim())
+			.filter(Boolean)
+	);
+
+	$effect(() => {
+		formData.cci = selectedCCIs.join('; ');
+	});
 
 	function handleSubmit() {
 		if (!isValid || loading) return;
@@ -54,7 +77,8 @@
 			uuid: initialData.uuid || '',
 			justification: initialData.justification || '',
 			status: initialData.status || 'planned',
-			source_entries: initialData.source_entries || []
+			source_entries: initialData.source_entries || [],
+			cci: initialData.cci ?? ''
 		};
 		newLocation = '';
 		newShasum = '';
@@ -101,6 +125,15 @@
 				placeholder="Explain how this compliance artifact satisfies the control requirements..."
 				required
 			/>
+			{#if cci}
+			<FormField
+				id="mapping-cci"
+				label="Mapping CCI(s)"
+				type="multiselect"
+				bind:value={selectedCCIs}
+				options={cciOptions}
+			/>
+			{/if}
 
 			<FormField
 				id="mapping-status"

package/src/lib/components/controls/renderers/EditableFieldRenderer.svelte

@@ -42,6 +42,63 @@
 				<option value={option}>{option}</option>
 			{/each}
 		</select>
+	{:else if field.ui_type === 'multiselect' && field.options}
+			{@const currentValues = Array.isArray(value) ? (value as string[]) : []}
+
+		<div id={fieldId} class="flex flex-wrap gap-2">
+			{#each field.options as option (option)}
+				{@const selected = currentValues.includes(option)}
+
+				<label
+					class={`inline-flex items-center gap-2 px-3 py-1.5 rounded-lg border text-sm cursor-pointer transition-colors
+						focus-within:ring-2 focus-within:ring-blue-500 focus-within:ring-offset-2
+						dark:focus-within:ring-offset-gray-900
+						${
+							selected
+								? 'bg-blue-50 border-blue-500 text-blue-700 dark:bg-blue-900/40 dark:border-blue-400 dark:text-blue-100'
+								: 'bg-white dark:bg-gray-900 border-gray-300 dark:border-gray-600 text-gray-800 dark:text-gray-200'
+						}
+						${!field.editable ? 'opacity-50 cursor-not-allowed' : ''}
+					`}
+				>
+					<input
+						type="checkbox"
+						value={option}
+						checked={selected}
+						disabled={!field.editable}
+						onchange={(e: Event) => {
+							const input = e.currentTarget as HTMLInputElement;
+							const current = Array.isArray(value) ? (value as string[]) : [];
+							let updated: string[];
+
+							if (input.checked) {
+								updated = current.includes(option) ? current : [...current, option];
+							} else {
+								updated = current.filter((v) => v !== option);
+							}
+
+							value = updated;
+							onChange();
+						}}
+						class="sr-only"
+					/>
+
+					<span
+						class={`inline-flex items-center justify-center w-4 h-4 rounded border text-[10px] font-bold
+							${
+								selected
+									? 'border-blue-500 bg-blue-500 text-white'
+									: 'border-gray-400 bg-transparent text-transparent'
+							}
+						`}
+					>
+						✓
+					</span>
+
+					<span>{option}</span>
+				</label>
+			{/each}
+		</div>
 	{:else if field.ui_type === 'textarea' || field.ui_type === 'long_text'}
 		<textarea
 			id={fieldId}

package/src/lib/components/controls/tabs/CustomFieldsTab.svelte

@@ -49,6 +49,7 @@
 		// Dropdowns and short fields can be side by side
 		if (
 			field.ui_type === 'select' ||
+			field.ui_type === 'multiselect' ||
 			field.ui_type === 'boolean' ||
 			field.ui_type === 'date' ||
 			field.ui_type === 'number' ||

package/src/lib/components/controls/tabs/ImplementationTab.svelte

@@ -48,6 +48,7 @@
 		// Dropdowns and short fields can be side by side
 		if (
 			field.ui_type === 'select' ||
+			field.ui_type === 'multiselect' ||
 			field.ui_type === 'boolean' ||
 			field.ui_type === 'date' ||
 			field.ui_type === 'number' ||