[comp] Production Deploy

.github/workflows/trigger-api-tasks-deploy-main.yml

@@ -37,12 +37,11 @@ jobs:
       - name: Build DB package
         working-directory: ./packages/db
         run: bun run build
-      - name: Copy schema to api and generate client
+      - name: Copy model files to api schema dir and generate client
         working-directory: ./apps/api
         run: |
-          mkdir -p prisma
-          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
-          bunx prisma generate
+          find ../../packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} prisma/schema/ \;
+          bunx prisma generate --schema=prisma/schema
       - name: 🚀 Deploy Trigger.dev
         working-directory: ./apps/api
         timeout-minutes: 20

.github/workflows/trigger-api-tasks-deploy-release.yml

@@ -43,12 +43,11 @@ jobs:
         working-directory: ./packages/db
         run: bun run build
 
-      - name: Copy schema to api and generate client
+      - name: Copy model files to api schema dir and generate client
         working-directory: ./apps/api
         run: |
-          mkdir -p prisma
-          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
-          bunx prisma generate
+          find ../../packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} prisma/schema/ \;
+          bunx prisma generate --schema=prisma/schema
 
       - name: 🚀 Deploy Trigger.dev
         working-directory: ./apps/api

.github/workflows/trigger-tasks-deploy-main.yml

@@ -36,9 +36,9 @@ jobs:
       - name: Copy schema to app and generate client
         working-directory: ./apps/app
         run: |
-          mkdir -p prisma
-          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
-          bunx prisma generate
+          mkdir -p prisma/schema
+          find ../../packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} prisma/schema/ \;
+          bunx prisma generate --schema=prisma/schema
       - name: 🚀 Deploy Trigger.dev
         working-directory: ./apps/app
         timeout-minutes: 20

.github/workflows/trigger-tasks-deploy-release.yml

@@ -42,9 +42,9 @@ jobs:
       - name: Copy schema to app and generate client
         working-directory: ./apps/app
         run: |
-          mkdir -p prisma
-          cp ../../packages/db/dist/schema.prisma prisma/schema.prisma
-          bunx prisma generate
+          mkdir -p prisma/schema
+          find ../../packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} prisma/schema/ \;
+          bunx prisma generate --schema=prisma/schema
 
       - name: 🚀 Deploy Trigger.dev
         working-directory: ./apps/app

apps/api/.env.example

@@ -11,6 +11,11 @@ APP_AWS_SECRET_ACCESS_KEY=
 APP_AWS_ORG_ASSETS_BUCKET=
 APP_AWS_ENDPOINT="" # optional for using services like MinIO
 
+# Microsoft sign-in (Entra ID / Azure AD)
+AUTH_MICROSOFT_CLIENT_ID=
+AUTH_MICROSOFT_CLIENT_SECRET=
+AUTH_MICROSOFT_TENANT_ID= # 'common' (default), 'organizations', or your tenant GUID
+
 DATABASE_URL=
 
 NOVU_API_KEY=

apps/api/.gitignore

@@ -64,6 +64,8 @@ pids
 report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
 
 
-prisma/schema.prisma
+# Model files are copied here by db:getschema — only schema.prisma is committed
+prisma/schema/*.prisma
+!prisma/schema/schema.prisma
 trigger.config.js
 test/**/*.js

apps/api/Dockerfile.multistage

@@ -46,7 +46,8 @@ COPY --from=deps /app/node_modules ./node_modules
 COPY --from=deps /app/package.json ./package.json
 COPY --from=deps /app/bun.lock ./bun.lock
 
-# Copy workspace packages source
+# Copy workspace packages source (node_modules excluded by .dockerignore,
+# but COPY replaces directories so workspace node_modules from deps get wiped)
 COPY packages/auth ./packages/auth
 COPY packages/db ./packages/db
 COPY packages/utils ./packages/utils
@@ -58,7 +59,7 @@ COPY packages/company ./packages/company
 # Copy API source
 COPY apps/api ./apps/api
 
-# Build db first — generates Prisma client needed by other packages
+# Build db — generates Prisma client + compiles dist/ for @trycompai/db consumers
 RUN cd packages/db && bun run build
 
 # Build remaining workspace packages
@@ -67,24 +68,28 @@ RUN cd packages/auth && bun run build \
   && cd ../email && bun run build \
   && cd ../company && bun run build
 
-# Generate Prisma schema for API and build NestJS app
-RUN cd packages/db && node scripts/combine-schemas.js \
-  && cp /app/packages/db/dist/schema.prisma /app/apps/api/prisma/schema.prisma \
-  && cd /app/apps/api && bunx prisma generate && bunx nest build
+# Copy model files to api schema dir, then build NestJS app
+# Note: @prisma/client is already generated by packages/db build (generate-prisma-client-js.js)
+RUN find /app/packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} /app/apps/api/prisma/schema/ \; \
+  && cd /app/apps/api && bunx nest build
 
 # =============================================================================
 # STAGE 3: Production Runtime
 # =============================================================================
-FROM node:20-slim AS production
+FROM node:22-slim AS production
 
 # Create non-root user before copying files so COPY --chown can use it
 RUN groupadd --system nestjs && useradd --system --gid nestjs --create-home nestjs
 
 WORKDIR /app
 RUN chown nestjs:nestjs /app
 
-# Install runtime dependencies
-RUN apt-get update && apt-get install -y --no-install-recommends wget openssl && rm -rf /var/lib/apt/lists/*
+# Install runtime dependencies + AWS RDS CA certificate bundle
+RUN apt-get update && apt-get install -y --no-install-recommends wget ca-certificates \
+  && wget -q -O /usr/local/share/aws-rds-ca-bundle.pem https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem \
+  && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+ENV NODE_EXTRA_CA_CERTS=/usr/local/share/aws-rds-ca-bundle.pem
 
 # Copy built NestJS app
 COPY --from=builder --chown=nestjs:nestjs /app/apps/api/dist ./dist

apps/api/customPrismaExtension.ts

@@ -33,8 +33,7 @@ export class PrismaExtension implements BuildExtension {
   constructor(private options: PrismaExtensionOptions) {
     this.moduleExternals = [
       '@prisma/client',
-      '@prisma/engines',
-      '@trycompai/db', // Add the published package to externals
+      '@trycompai/db',
     ];
   }
 
@@ -115,17 +114,23 @@ export class PrismaExtension implements BuildExtension {
     const env: Record<string, string | undefined> = {};
 
     // Copy the prisma schema from the published package to the build output path
-    const schemaDestinationPath = join(manifest.outputPath, 'prisma', 'schema.prisma');
-    const schemaDestinationDir = dirname(schemaDestinationPath);
+    // Copy the entire schema directory (multi-file schema)
+    const sourceDir = dirname(schemaPath);
+    const schemaDestinationDir = join(manifest.outputPath, 'prisma', 'schema');
     context.logger.debug(
-      `Copying the prisma schema from ${schemaPath} to ${schemaDestinationPath}`,
+      `Copying the prisma schema directory from ${sourceDir} to ${schemaDestinationDir}`,
     );
     await mkdir(schemaDestinationDir, { recursive: true });
-    await cp(schemaPath, schemaDestinationPath);
+    await cp(sourceDir, schemaDestinationDir, { recursive: true });
 
-    // Add prisma generate command to generate the client from the copied schema
+    // Patch schema.prisma to use prisma-client-js (populates @prisma/client at runtime)
     commands.push(
-      `${binaryForRuntime(manifest.runtime)} node_modules/prisma/build/index.js generate --schema=./prisma/schema.prisma`,
+      `sed -i 's/provider.*=.*"prisma-client"/provider = "prisma-client-js"/' ./prisma/schema/schema.prisma && sed -i '/output.*=.*"/d' ./prisma/schema/schema.prisma`,
+    );
+
+    // Generate client from the multi-file schema directory
+    commands.push(
+      `${binaryForRuntime(manifest.runtime)} node_modules/prisma/build/index.js generate --schema=./prisma/schema`,
     );
 
     // Only handle migrations if requested
@@ -186,11 +191,22 @@ export class PrismaExtension implements BuildExtension {
     context: ExtendedBuildContext,
     schemaSourcePath: string,
   ): Promise<void> {
-    const schemaDir = resolve(context.workingDir, 'prisma');
-    const schemaDestinationPath = resolve(schemaDir, 'schema.prisma');
-
-    await mkdir(schemaDir, { recursive: true });
-    await cp(schemaSourcePath, schemaDestinationPath);
+    // schemaSourcePath points to a file inside the schema directory.
+    // Copy the entire directory (multi-file schema) to the local prisma/schema/ dir.
+    const sourceDir = dirname(schemaSourcePath);
+    const localSchemaDir = resolve(context.workingDir, 'prisma', 'schema');
+
+    await mkdir(localSchemaDir, { recursive: true });
+    await cp(sourceDir, localSchemaDir, { recursive: true });
+
+    // Patch schema.prisma to use prisma-client-js (default output → @prisma/client)
+    const localSchemaFile = resolve(localSchemaDir, 'schema.prisma');
+    const { readFileSync, writeFileSync } = await import('node:fs');
+    let schemaContent = readFileSync(localSchemaFile, 'utf8');
+    schemaContent = schemaContent
+      .replace(/provider\s*=\s*"prisma-client"/g, 'provider = "prisma-client-js"')
+      .replace(/\s*output\s*=\s*"[^"]*"\n?/g, '\n');
+    writeFileSync(localSchemaFile, schemaContent);
 
     const clientEntryPoint = resolve(context.workingDir, 'node_modules/.prisma/client/default.js');
 
@@ -209,7 +225,7 @@ export class PrismaExtension implements BuildExtension {
     }
 
     context.logger.log('Prisma client missing. Generating before Trigger indexing.');
-    await this.runPrismaGenerate(context, prismaBinary, schemaDestinationPath);
+    await this.runPrismaGenerate(context, prismaBinary, localSchemaDir);
   }
 
   private runPrismaGenerate(

apps/api/package.json

@@ -21,16 +21,17 @@
         "@nestjs/platform-express": "^11.1.5",
         "@nestjs/swagger": "^11.2.0",
         "@nestjs/throttler": "^6.5.0",
-        "@prisma/client": "6.18.0",
-        "@prisma/instrumentation": "^6.13.0",
+        "@prisma/adapter-pg": "7.6.0",
+        "@prisma/client": "7.6.0",
+        "@prisma/instrumentation": "7.6.0",
         "@react-email/components": "^0.0.41",
         "@react-email/render": "^2.0.4",
         "@thallesp/nestjs-better-auth": "^2.4.0",
         "@trigger.dev/build": "4.4.3",
         "@trigger.dev/sdk": "4.4.3",
         "@trycompai/auth": "workspace:*",
         "@trycompai/company": "workspace:*",
-        "@trycompai/db": "1.3.22",
+        "@trycompai/db": "workspace:*",
         "@trycompai/email": "workspace:*",
         "@trycompai/integration-platform": "workspace:*",
         "@upstash/ratelimit": "^2.0.8",
@@ -54,7 +55,7 @@
         "nanoid": "^5.1.6",
         "pdf-lib": "^1.17.1",
         "playwright-core": "^1.57.0",
-        "prisma": "6.18.0",
+        "prisma": "7.6.0",
         "react": "^19.1.1",
         "react-dom": "^19.1.0",
         "reflect-metadata": "^0.2.2",
@@ -121,9 +122,9 @@
     "private": true,
     "scripts": {
         "build": "nest build",
-        "build:docker": "bunx prisma generate && nest build",
-        "db:generate": "bun run db:getschema && bunx prisma generate",
-        "db:getschema": "node ../../packages/db/scripts/combine-schemas.js && cp ../../packages/db/dist/schema.prisma prisma/schema.prisma",
+        "build:docker": "bunx prisma generate --schema=prisma/schema && nest build",
+        "db:generate": "bun run db:getschema && bunx prisma generate --schema=prisma/schema",
+        "db:getschema": "find ../../packages/db/prisma/schema -name '*.prisma' ! -name 'schema.prisma' -exec cp {} prisma/schema/ \\;",
         "db:migrate": "cd ../../packages/db && bunx prisma migrate dev && cd ../../apps/api",
         "deploy:trigger-prod": "npx trigger.dev@4.4.3 deploy",
         "dev": "bunx concurrently --kill-others --names \"nest,trigger\" --prefix-colors \"green,blue\" \"nest start --watch\" \"trigger dev\"",

apps/api/prisma/client.ts

@@ -1,7 +1,27 @@
 import { PrismaClient } from '@prisma/client';
+import { PrismaPg } from '@prisma/adapter-pg';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-export const db = globalForPrisma.prisma || new PrismaClient();
+function stripSslMode(connectionString: string): string {
+  const url = new URL(connectionString);
+  url.searchParams.delete('sslmode');
+  return url.toString();
+}
+
+function createPrismaClient(): PrismaClient {
+  const rawUrl = process.env.DATABASE_URL!;
+  const isLocalhost = /localhost|127\.0\.0\.1|::1/.test(rawUrl);
+  // Use verified SSL when NODE_EXTRA_CA_CERTS is set (Docker with RDS CA bundle),
+  // otherwise fall back to unverified SSL (Trigger.dev, Vercel, other environments).
+  const hasCABundle = !!process.env.NODE_EXTRA_CA_CERTS;
+  const ssl = isLocalhost ? undefined : hasCABundle ? true : { rejectUnauthorized: false };
+  // Strip sslmode from the connection string to avoid conflicts with the explicit ssl option
+  const url = ssl !== undefined ? stripSslMode(rawUrl) : rawUrl;
+  const adapter = new PrismaPg({ connectionString: url, ssl });
+  return new PrismaClient({ adapter });
+}
+
+export const db = globalForPrisma.prisma || createPrismaClient();
 
 if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = db;

apps/api/prisma/schema/schema.prisma

@@ -0,0 +1,9 @@
+generator client {
+  provider        = "prisma-client-js"
+  previewFeatures = ["postgresqlExtensions"]
+}
+
+datasource db {
+  provider   = "postgresql"
+  extensions = [pgcrypto]
+}

apps/api/src/admin-organizations/admin-context.controller.spec.ts

@@ -14,7 +14,7 @@ jest.mock('../auth/auth.server', () => ({
   auth: { api: {} },
 }));
 
-jest.mock('@trycompai/db', () => ({ db: {} }));
+jest.mock('@db', () => ({ db: {} }));
 
 describe('AdminContextController', () => {
   let controller: AdminContextController;

apps/api/src/admin-organizations/admin-evidence.controller.spec.ts

@@ -15,7 +15,7 @@ jest.mock('../auth/auth.server', () => ({
   auth: { api: {} },
 }));
 
-jest.mock('@trycompai/db', () => ({ db: {} }));
+jest.mock('@db', () => ({ db: {} }));
 
 describe('AdminEvidenceController', () => {
   let controller: AdminEvidenceController;

apps/api/src/admin-organizations/admin-findings.controller.spec.ts

@@ -15,7 +15,7 @@ jest.mock('../auth/auth.server', () => ({
   auth: { api: {} },
 }));
 
-jest.mock('@trycompai/db', () => ({
+jest.mock('@db', () => ({
   db: {},
   FindingStatus: {
     open: 'open',

apps/api/src/admin-organizations/admin-findings.controller.ts

@@ -15,7 +15,7 @@ import {
 } from '@nestjs/common';
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
-import { FindingStatus } from '@trycompai/db';
+import { FindingStatus } from '@db';
 import { PlatformAdminGuard } from '../auth/platform-admin.guard';
 import { FindingsService } from '../findings/findings.service';
 import { CreateFindingDto } from '../findings/dto/create-finding.dto';

apps/api/src/admin-organizations/admin-guard-integration.spec.ts

@@ -16,7 +16,7 @@ jest.mock('../auth/auth.server', () => ({
   },
 }));
 
-jest.mock('@trycompai/db', () => ({
+jest.mock('@db', () => ({
   db: {
     user: {
       findUnique: (...args: unknown[]) => mockFindUnique(...args),

apps/api/src/admin-organizations/admin-organizations.controller.spec.ts

@@ -14,7 +14,7 @@ jest.mock('../auth/auth.server', () => ({
   auth: { api: {} },
 }));
 
-jest.mock('@trycompai/db', () => ({ db: {} }));
+jest.mock('@db', () => ({ db: {} }));
 
 describe('AdminOrganizationsController', () => {
   let controller: AdminOrganizationsController;

apps/api/src/admin-organizations/admin-organizations.service.spec.ts

@@ -1,7 +1,7 @@
 import { NotFoundException, BadRequestException } from '@nestjs/common';
 import { AdminOrganizationsService } from './admin-organizations.service';
 
-jest.mock('@trycompai/db', () => ({
+jest.mock('@db', () => ({
   db: {
     organization: {
       findMany: jest.fn(),
@@ -33,7 +33,7 @@ jest.mock('../email/templates/invite-member', () => ({
   InviteEmail: jest.fn().mockReturnValue(null),
 }));
 
-import { db } from '@trycompai/db';
+import { db } from '@db';
 
 const mockDb = db as jest.Mocked<typeof db>;
 

apps/api/src/admin-organizations/admin-organizations.service.ts

@@ -4,7 +4,7 @@ import {
   BadRequestException,
   Logger,
 } from '@nestjs/common';
-import { AuditLogEntityType, db } from '@trycompai/db';
+import { AuditLogEntityType, db } from '@db';
 import { triggerEmail } from '../email/trigger-email';
 import { InviteEmail } from '../email/templates/invite-member';
 

apps/api/src/admin-organizations/admin-policies.controller.spec.ts

@@ -15,7 +15,7 @@ jest.mock('../auth/auth.server', () => ({
   auth: { api: {} },
 }));
 
-jest.mock('@trycompai/db', () => ({
+jest.mock('@db', () => ({
   db: {
     frameworkInstance: { findMany: jest.fn().mockResolvedValue([]) },
     context: { findMany: jest.fn().mockResolvedValue([]) },

apps/api/src/admin-organizations/admin-policies.controller.ts

@@ -13,7 +13,7 @@ import {
 } from '@nestjs/common';
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
 import { Throttle } from '@nestjs/throttler';
-import { db } from '@trycompai/db';
+import { db } from '@db';
 import {
   PolicyStatus,
   Frequency,