diff --git a/.cursor/rules/after-changes.mdc b/.cursor/rules/after-changes.mdc
new file mode 100644
index 000000000..81a245000
--- /dev/null
+++ b/.cursor/rules/after-changes.mdc
@@ -0,0 +1,38 @@
+---
+description: Always run typecheck and lint after making code changes
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# After Code Changes
+
+After making any code changes, **always run these checks**:
+
+```bash
+# TypeScript type checking
+bun run typecheck
+
+# ESLint linting
+bun run lint
+```
+
+## Fix Errors Before Committing
+
+If either check fails:
+
+1. Fix all TypeScript errors first (they break the build)
+2. Fix ESLint errors/warnings
+3. Re-run checks until both pass
+4. Only then commit or deploy
+
+## Common TypeScript Fixes
+
+- **Property does not exist**: Check interface/type definitions, ensure correct property names
+- **Type mismatch**: Verify the expected type vs actual type being passed
+- **Empty interface extends**: Use `type X = SomeType` instead of `interface X extends SomeType {}`
+
+## Common ESLint Fixes
+
+- **Unused variables**: Remove or prefix with `_`
+- **Any type**: Add proper typing
+- **Empty object type**: Use `type` instead of `interface` for type aliases
diff --git a/.cursor/rules/better-auth.mdc b/.cursor/rules/better-auth.mdc
deleted file mode 100644
index 4986ca7a2..000000000
--- a/.cursor/rules/better-auth.mdc
+++ /dev/null
@@ -1,28 +0,0 @@
----
-description: When dealing with auth or authClient related code.
-globs: 
-alwaysApply: false
----
-Only use auth.ts and auth.api methods serverside. To use them you have to pass Next.js headers as follows:
-auth.api.hasPermission({
-  headers: await headers(),
-    body: {
-      permissions: {
-        project: ["create"] // This must match the structure in your access control
-      }
-    }
-});
- 
-
-
- Only use auth-client.ts and authClient on clienside. You do not need to pass headers, it's already contextually aware.
-
- const canCreateProject = await authClient.organization.hasPermission({
-    permissions: {
-        project: ["create"]
-    }
-})
-
-
-For the full list of methods/supported actions reference:
-https://www.better-auth.com/docs/plugins/organization
\ No newline at end of file
diff --git a/.cursor/rules/code-standards.mdc b/.cursor/rules/code-standards.mdc
new file mode 100644
index 000000000..da46b64d1
--- /dev/null
+++ b/.cursor/rules/code-standards.mdc
@@ -0,0 +1,186 @@
+---
+description: General code quality standards and file size limits
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# Code Standards
+
+## File Size Limits
+
+**Files must not exceed 300 lines.** When a file approaches this limit, split it.
+
+### ✅ How to Split Large Files
+
+```
+# Before: One 400-line file
+components/TaskList.tsx (400 lines)
+
+# After: Multiple focused files
+components/
+├── TaskList.tsx          # Main component (~100 lines)
+├── TaskListItem.tsx      # Individual item (~80 lines)
+├── TaskListFilters.tsx   # Filter controls (~60 lines)
+└── TaskListEmpty.tsx     # Empty state (~40 lines)
+```
+
+### Splitting Strategies
+
+| File Type | Split By                                     |
+| --------- | -------------------------------------------- |
+| Component | Extract sub-components, hooks, utils         |
+| Hook      | Extract helper functions, split by concern   |
+| Utils     | Group by domain (dates, strings, validation) |
+| Types     | Split by entity (Task, User, Organization)   |
+
+### ❌ Warning Signs
+
+```tsx
+// ❌ File is too long
+// TaskList.tsx - 450 lines with inline helpers, multiple components
+
+// ❌ Multiple components in one file
+export function TaskList() { ... }
+export function TaskCard() { ... }  // Should be separate file
+export function TaskBadge() { ... } // Should be separate file
+```
+
+## Code Quality
+
+### ✅ Always Do This
+
+```tsx
+// Early returns for readability
+function processTask(task: Task | null) {
+  if (!task) return null;
+  if (task.deleted) return null;
+
+  return <TaskCard task={task} />;
+}
+
+// Descriptive names
+const handleTaskComplete = (taskId: string) => { ... };
+const isTaskOverdue = (task: Task) => task.dueDate < new Date();
+
+// Const arrow functions with types
+const formatDate = (date: Date): string => {
+  return date.toLocaleDateString();
+};
+```
+
+### ❌ Never Do This
+
+```tsx
+// No early returns - deeply nested
+function processTask(task) {
+  if (task) {
+    if (!task.deleted) {
+      return <TaskCard task={task} />;
+    }
+  }
+  return null;
+}
+
+// Vague names
+const handleClick = () => { ... }; // Click on what?
+const data = fetchStuff(); // What data?
+
+// Function keyword when const works
+function formatDate(date) { ... }
+```
+
+## Function Parameters
+
+**Use named parameters (object destructuring) for functions with 2+ parameters.**
+
+### ✅ Always Do This
+
+```tsx
+// Named parameters - clear at call site
+const createTask = ({ title, assigneeId, dueDate }: CreateTaskParams) => { ... };
+createTask({ title: 'Review PR', assigneeId: user.id, dueDate: tomorrow });
+
+// Hook with options object
+const useTasks = ({ organizationId, initialData }: UseTasksOptions) => { ... };
+const { tasks } = useTasks({ organizationId: orgId, initialData: serverTasks });
+
+// Component props (always named)
+function TaskCard({ task, onComplete, showDetails }: TaskCardProps) { ... }
+<TaskCard task={task} onComplete={handleComplete} showDetails={true} />
+```
+
+### ❌ Never Do This
+
+```tsx
+// Positional parameters - unclear at call site
+const createTask = (title: string, assigneeId: string, dueDate: Date) => { ... };
+createTask('Review PR', user.id, tomorrow); // What's the 2nd param?
+
+// Multiple positional args are confusing
+const formatRange = (start: Date, end: Date, format: string, timezone: string) => { ... };
+formatRange(startDate, endDate, 'MM/dd', 'UTC'); // Hard to read
+
+// Boolean positional params are the worst
+fetchTasks(orgId, true, false, true); // What do these booleans mean?
+```
+
+### Exception: Single Parameter
+
+```tsx
+// Single param is fine as positional
+const getTask = (taskId: string) => { ... };
+const formatDate = (date: Date) => { ... };
+const isOverdue = (task: Task) => { ... };
+```
+
+## Accessibility
+
+### ✅ Always Include
+
+```tsx
+// Interactive elements need keyboard support
+<div
+  role="button"
+  tabIndex={0}
+  onClick={handleClick}
+  onKeyDown={(e) => e.key === 'Enter' && handleClick()}
+  aria-label="Delete task"
+>
+  <TrashIcon />
+</div>
+
+// Form inputs need labels
+<label htmlFor="task-name">Task Name</label>
+<input id="task-name" type="text" />
+
+// Images need alt text
+<img src={avatar} alt={`${user.name}'s avatar`} />
+```
+
+## DRY Principle
+
+### ✅ Extract Repeated Logic
+
+```tsx
+// Before: Duplicated validation
+if (email && email.includes('@') && email.length > 5) { ... }
+if (email && email.includes('@') && email.length > 5) { ... }
+
+// After: Extracted helper
+const isValidEmail = (email: string) =>
+  email?.includes('@') && email.length > 5;
+
+if (isValidEmail(email)) { ... }
+```
+
+## Checklist
+
+Before committing:
+
+- [ ] No file exceeds 300 lines
+- [ ] Uses early returns for conditionals
+- [ ] Variable/function names are descriptive
+- [ ] Functions with 2+ params use named parameters
+- [ ] Interactive elements have keyboard support
+- [ ] No duplicated logic (DRY)
+- [ ] Const arrow functions with types
diff --git a/.cursor/rules/componentization.mdc b/.cursor/rules/componentization.mdc
new file mode 100644
index 000000000..23fa0af67
--- /dev/null
+++ b/.cursor/rules/componentization.mdc
@@ -0,0 +1,439 @@
+---
+description: Componentization philosophy - reuse over repetition with TailwindCSS and shadcn/ui
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# Componentization Philosophy
+
+## Core Principles
+
+### 1. Componentize Everything
+
+**Reuse over repetition.**
+
+- If a pattern appears 2+ times, it MUST be a component
+- No copy-paste UI patterns
+- Every visual element should trace back to a reusable component
+- Manual implementations are technical debt
+
+### 2. Hard Component Enforcement
+
+**Components are immutable contracts.**
+
+```tsx
+// ❌ NEVER - Arbitrary className overrides on design system components
+<Button className="bg-red-500 px-8 rounded-full">Click</Button>
+<Card className="shadow-xl border-2">Content</Card>
+<Badge className="uppercase text-xs tracking-wider">Status</Badge>
+
+// ✅ ALWAYS - Use component variants and props
+<Button variant="destructive" size="lg">Click</Button>
+<Card>Content</Card>
+<Badge variant="outline">Status</Badge>
+```
+
+**Rules:**
+
+- Use Tailwind utility classes in custom components, NOT on design system components
+- Use shadcn/ui variant props (`variant`, `size`) - never override with className
+- Compose from primitives (flex containers, semantic HTML)
+- Use `cn()` utility for conditional class merging
+
+### 3. Extension Strategy
+
+**When you need different styling, extend the component properly.**
+
+#### Option A: Add a Variant (using shadcn patterns)
+
+```tsx
+// In components/ui/badge.tsx - extend variants
+import { cva, type VariantProps } from "class-variance-authority";
+
+const badgeVariants = cva(
+  "inline-flex items-center rounded-md px-2 py-1 text-xs font-medium",
+  {
+    variants: {
+      variant: {
+        default: "bg-primary/10 text-primary",
+        secondary: "bg-secondary text-secondary-foreground",
+        destructive: "bg-destructive/10 text-destructive",
+        outline: "border border-input bg-transparent",
+        // ADD NEW VARIANTS HERE
+        counter: "bg-muted text-muted-foreground tabular-nums font-mono",
+        technical: "bg-teal-500/10 text-teal-600 dark:text-teal-400 font-mono",
+      },
+    },
+    defaultVariants: {
+      variant: "default",
+    },
+  }
+);
+
+// Usage
+<Badge variant="counter">03</Badge>
+<Badge variant="technical">SYS.ID</Badge>
+```
+
+#### Option B: Add Props for Flexibility
+
+```tsx
+// In components/ui/text.tsx - semantic text component
+import { cn } from "@/lib/utils";
+
+interface TextProps extends React.HTMLAttributes<HTMLParagraphElement> {
+  size?: "xs" | "sm" | "base" | "lg";
+  variant?: "default" | "muted" | "primary" | "destructive";
+  mono?: boolean;
+}
+
+const sizeClasses = {
+  xs: "text-xs",
+  sm: "text-sm",
+  base: "text-base",
+  lg: "text-lg",
+};
+
+const variantClasses = {
+  default: "text-foreground",
+  muted: "text-muted-foreground",
+  primary: "text-primary",
+  destructive: "text-destructive",
+};
+
+export const Text = ({ 
+  size = "base", 
+  variant = "default", 
+  mono,
+  className,
+  ...props 
+}: TextProps) => (
+  <p
+    className={cn(
+      sizeClasses[size],
+      variantClasses[variant],
+      mono && "font-mono tabular-nums",
+      className
+    )}
+    {...props}
+  />
+);
+
+// Usage
+<Text size="xs" variant="muted" mono>Technical Label</Text>
+```
+
+#### Option C: Create a New Component
+
+```tsx
+// components/ui/metric-number.tsx
+import { cn } from "@/lib/utils";
+
+interface MetricNumberProps {
+  value: number;
+  size?: "2xl" | "3xl" | "4xl";
+  variant?: "default" | "destructive" | "success";
+}
+
+const sizeClasses = {
+  "2xl": "text-2xl",
+  "3xl": "text-3xl",
+  "4xl": "text-4xl",
+};
+
+const variantClasses = {
+  default: "text-foreground",
+  destructive: "text-red-600 dark:text-red-400",
+  success: "text-green-600 dark:text-green-400",
+};
+
+export const MetricNumber = ({ 
+  value, 
+  size = "4xl", 
+  variant = "default" 
+}: MetricNumberProps) => (
+  <span
+    className={cn(
+      sizeClasses[size],
+      variantClasses[variant],
+      "font-mono font-bold tabular-nums"
+    )}
+  >
+    {String(value).padStart(2, "0")}
+  </span>
+);
+
+// Usage
+<MetricNumber value={42} size="4xl" variant="destructive" />
+```
+
+### 4. Reusability Through Composition
+
+**Build complex UIs from simple, focused components.**
+
+```tsx
+// ❌ BAD: Monolithic custom implementation with raw divs and classes
+<div className="relative group">
+  <div className="absolute inset-0 bg-gradient-to-r from-primary/5 to-transparent" />
+  <div className="border border-border rounded-sm p-4">
+    <div className="flex justify-between items-center">
+      <span className="text-xs font-mono uppercase tracking-wider text-muted-foreground">
+        TITLE
+      </span>
+      <span className="text-xs text-muted-foreground">META</span>
+    </div>
+    <div className="mt-4">
+      <span className="text-4xl font-mono font-bold tabular-nums">42</span>
+    </div>
+    <div className="mt-4 pt-4 border-t">
+      <span className="text-xs font-mono text-muted-foreground">SYS.ID</span>
+    </div>
+  </div>
+</div>
+
+// ✅ GOOD: Composed from reusable components
+<MetricCard
+  title="TITLE"
+  metaLabel="META"
+  footerLabel="SYS.ID"
+>
+  <MetricNumber value={42} size="4xl" />
+</MetricCard>
+```
+
+## Component Development Workflow
+
+### When You Need Custom Styling
+
+1. **Check existing variants**
+   - Review shadcn component variants (`variant`, `size`)
+   - Check if existing props achieve what you need
+
+2. **If existing variants aren't enough, extend the component**
+
+   ```tsx
+   // Add new variant to the cva definition
+   const buttonVariants = cva("...", {
+     variants: {
+       variant: {
+         // existing...
+         newVariant: "bg-teal-500 text-white hover:bg-teal-600", // ADD HERE
+       },
+     },
+   });
+   ```
+
+3. **If it's a new pattern, CREATE A COMPONENT**
+
+   ```tsx
+   // components/ui/your-new-component.tsx
+   import { cn } from "@/lib/utils";
+   
+   interface YourNewComponentProps {
+     children: React.ReactNode;
+     variant?: "default" | "muted";
+   }
+   
+   export const YourNewComponent = ({ 
+     children, 
+     variant = "default" 
+   }: YourNewComponentProps) => (
+     <div className={cn(
+       "flex items-center gap-2 p-4 rounded-md",
+       variant === "default" && "bg-background",
+       variant === "muted" && "bg-muted"
+     )}>
+       {children}
+     </div>
+   );
+   ```
+
+4. **NEVER bypass the design system**
+   - Don't add random className overrides
+   - It breaks consistency
+   - It creates technical debt
+
+## Pattern Recognition
+
+### If You See This Pattern 2+ Times → Componentize
+
+```tsx
+// Repeated list item layout
+<div className="flex items-center justify-between p-4 border-b">
+  <div className="flex flex-col gap-1">
+    <span>{title}</span>
+    <Badge>{status}</Badge>
+  </div>
+  <Button size="sm">View</Button>
+</div>
+→ Create ListItem component
+
+// Repeated counter pattern
+<div className="flex items-center gap-2">
+  <span className="text-xs font-mono text-muted-foreground/60">LABEL</span>
+  <Badge variant="outline" className="tabular-nums">{count}</Badge>
+</div>
+→ Create CounterBadge component
+
+// Repeated status dot
+<div className={cn(
+  "w-2 h-2 rounded-full",
+  active ? "bg-red-500 animate-pulse" : "bg-green-500/50"
+)} />
+→ Create StatusDot component
+
+// Repeated large numbers
+<span className="text-4xl font-mono font-bold tabular-nums">
+  {String(value).padStart(2, "0")}
+</span>
+→ Create MetricNumber component
+```
+
+## Testing Component Compliance
+
+### Before Committing, Check:
+
+- [ ] Uses shadcn/ui base components without className overrides
+- [ ] Semantic props exposed (`variant`, `size`)
+- [ ] No arbitrary style overrides on design system components
+- [ ] Repeated patterns extracted to components
+- [ ] Works in light and dark mode (uses semantic tokens)
+- [ ] Uses Tailwind responsive prefixes (`sm:`, `md:`, `lg:`)
+- [ ] Proper TypeScript types with inference where possible
+
+## Anti-Patterns to Avoid
+
+### ❌ Never Do This
+
+```tsx
+// 1. Raw inline styles
+<div style={{ display: 'flex' }}>Content</div>
+
+// 2. Overriding design system components with className
+<Button className="bg-red-500 hover:bg-red-600">Click</Button>
+
+// 3. Hardcoded colors instead of semantic tokens
+<div className="bg-[#059669]">
+
+// 4. Mixing approaches
+<Card className="shadow-xl p-8 border-2">
+
+// 5. Copy-paste UI patterns
+// If you copy UI code, STOP and componentize it first
+
+// 6. Non-responsive hardcoded values
+<div className="w-[847px]">
+```
+
+### ✅ Always Do This
+
+```tsx
+// 1. Use component variants
+<Button variant="destructive">
+
+// 2. Use exposed props
+<Badge variant="outline" size="sm">
+
+// 3. Compose components
+<Card>
+  <CardHeader>
+    <MetricNumber value={42} />
+  </CardHeader>
+</Card>
+
+// 4. Use semantic color tokens
+<div className="bg-background text-foreground border-border">
+
+// 5. Use responsive prefixes
+<div className="hidden md:block">
+
+// 6. Extract patterns immediately
+// See pattern twice? Make it a component.
+```
+
+## Tailwind + shadcn/ui Reference
+
+### Layout Patterns
+
+```tsx
+// Flex layouts - use gap, not margins
+<div className="flex items-center gap-4">
+<div className="flex flex-col gap-2">
+
+// Grid layouts
+<div className="grid grid-cols-2 md:grid-cols-4 gap-4">
+
+// Responsive visibility
+<div className="hidden md:flex">
+<div className="md:hidden">
+```
+
+### Semantic Colors (CSS Variables)
+
+```tsx
+// Backgrounds
+<div className="bg-background">     // main background
+<div className="bg-muted">          // subtle background
+<div className="bg-card">           // card background
+<div className="bg-primary">        // primary action
+
+// Text
+<span className="text-foreground">       // primary text
+<span className="text-muted-foreground"> // secondary text
+<span className="text-primary">          // accent text
+
+// Borders
+<div className="border-border">     // standard border
+<div className="border-input">      // input border
+
+// With opacity
+<div className="bg-muted/50">
+<span className="text-muted-foreground/60">
+```
+
+### Dark Mode Patterns
+
+```tsx
+// Status colors with dark mode variants
+<div className="bg-green-50 dark:bg-green-950/20 text-green-600 dark:text-green-400">
+<div className="bg-red-50 dark:bg-red-950/20 text-red-600 dark:text-red-400">
+
+// Prefer semantic tokens when possible
+<div className="bg-destructive/10 text-destructive">
+```
+
+### The `cn()` Utility
+
+```tsx
+import { cn } from "@/lib/utils";
+
+// Conditional classes
+<div className={cn(
+  "flex items-center gap-2",
+  isActive && "bg-primary/10",
+  isDisabled && "opacity-50 pointer-events-none"
+)}>
+
+// Merging with component props
+<Button className={cn("w-full", className)}>
+```
+
+## Benefits of This Approach
+
+1. **Consistency** - All instances use the same Tailwind patterns
+2. **Maintainability** - CSS variable changes propagate automatically
+3. **Velocity** - shadcn variants are fast to compose
+4. **Quality** - Built-in accessibility from shadcn/ui
+5. **Scalability** - Semantic tokens work across light/dark modes
+6. **Type Safety** - Full TypeScript support with variant inference
+
+## Summary
+
+**Golden Rule:** If you're about to add className to a design system component, STOP and:
+
+1. Check if a variant/prop exists on the component
+2. Add a variant to the cva definition if needed
+3. Create a new component if it's a unique pattern
+4. NEVER override the component's styling directly
+
+This keeps our design system tight, consistent, and maintainable.
diff --git a/.cursor/rules/create-dialog-on-framework-editor.mdc b/.cursor/rules/create-dialog-on-framework-editor.mdc
deleted file mode 100644
index d2c6cc309..000000000
--- a/.cursor/rules/create-dialog-on-framework-editor.mdc
+++ /dev/null
@@ -1,34 +0,0 @@
----
-description: 
-globs: 
-alwaysApply: false
----
-Rule: Shared Zod Schemas for Client & Server Validation in Next.js
-When implementing features that require data validation using Zod schemas on both the client-side (e.g., in a React form within a Client Component) and the server-side (e.g., within a Next.js Server Action):
-Centralize Schema Definitions:
-Define your Zod schemas in dedicated TypeScript files (e.g., src/lib/schemas/feature-schemas.ts, src/features/my-feature/schemas.ts, or a common schemas.ts if broadly applicable).
-These schema definition files should not include "use client" or "use server" directives, as they are meant to be neutral modules.
-Server Action Implementation ("use server" files):
-Server Action files (marked with "use server") must only export asynchronous functions.
-Import the required Zod schema(s) from your centralized schema file(s) into the Server Action file.
-Use the imported schema for robust server-side validation of any incoming data before processing or database operations. This is a critical security measure.
-Client Component Implementation ("use client" files):
-Import the same Zod schema(s) from your centralized schema file(s) into your Client Components that contain forms.
-Use the schema with a resolver (like zodResolver for react-hook-form) to enable client-side validation, providing immediate feedback to the user.
-When the form is submitted, call the appropriate Server Action, passing the validated (or raw) form data.
-Rationale:
-DRY (Don't Repeat Yourself): Maintains a single source of truth for validation logic, reducing redundancy and potential inconsistencies.
-Next.js Constraints: Adheres to the Next.js App Router constraint that "use server" files can only export async functions. Objects like Zod schemas cannot be directly exported from these files.
-Security: Ensures that all data is re-validated on the server, even if client-side validation is in place, as client-side checks can be bypassed.
-User Experience: Provides immediate validation feedback on the client, improving the form-filling experience.
-Example Workflow Outline:
-Schema Definition (feature-schemas.ts):
-Define the schema, e.g., export const myFeatureSchema = z.object({ /* ...schema details... / });
-Client Component (MyFeatureForm.tsx - 'use client'):
-Import the schema and the server action.
-Set up the form (e.g., react-hook-form) using the schema with its resolver.
-The form's onSubmit handler calls the server action.
-Server Action (my-feature-action.ts - "use server"):
-Mark the file with "use server".
-Import the schema.
-The exported async server action function receives form data, validates it using the schema, and then performs server-side operations.
diff --git a/.cursor/rules/cursor-usage.mdc b/.cursor/rules/cursor-usage.mdc
new file mode 100644
index 000000000..d8a913353
--- /dev/null
+++ b/.cursor/rules/cursor-usage.mdc
@@ -0,0 +1,266 @@
+---
+description: How to write and manage Cursor rules - invoke with @cursor-usage
+globs: .cursor/rules/*.mdc
+alwaysApply: false
+---
+
+# Using Cursor Rules
+
+## Overview
+
+Cursor rules provide system-level instructions to the AI to maintain code consistency, quality, and adherence to project standards. They are stored in the `.cursor/rules/` directory as `.mdc` (Markdown with frontmatter) files.
+
+## Rule File Structure
+
+Each `.mdc` rule file consists of two parts:
+
+### 1. Frontmatter (YAML metadata)
+
+```yaml
+---
+description: Brief overview of what this rule enforces
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+```
+
+**Frontmatter Fields:**
+
+- `description`: A clear, concise explanation of the rule's purpose
+- `globs`: Glob pattern to match files where this rule should apply (plain string, no quotes or arrays)
+  - Examples:
+    - `**/*.tsx` - All TSX files
+    - `**/*.{ts,tsx}` - All TS and TSX files
+    - `apps/*/components/**/*.tsx` - All TSX files in any app's components directory
+    - `**/trigger/**/*.ts` - All TS files in trigger directories
+- `alwaysApply`: Boolean indicating if the rule should always be active
+  - `true`: Rule is always active when working on matching files
+  - `false`: Rule can be selectively invoked with `@rule-name`
+
+### 2. Content (Markdown)
+
+The body of the rule file contains the actual guidelines, examples, and instructions written in Markdown format.
+
+## How Rules Are Applied
+
+### Automatic Application
+
+Rules with `alwaysApply: true` are automatically loaded when:
+
+- You open a file matching the `globs` pattern
+- You're working on code that matches the pattern
+- Cursor AI generates or suggests code for matching files
+
+### Manual Invocation
+
+You can reference specific rules in your prompts:
+
+```
+@design-system create a new button component
+```
+
+This explicitly tells Cursor to apply the design-system rule.
+
+## Best Practices for Writing Rules
+
+### 1. Keep Rules Focused
+
+- Each rule file should cover a specific domain (e.g., design system, API patterns, testing)
+- Avoid mixing unrelated concerns in a single rule file
+- Aim for rules under 500 lines for better AI comprehension
+
+### 2. Provide Concrete Examples
+
+Always include:
+
+- ✅ Good examples (what TO do)
+- ❌ Bad examples (what NOT to do)
+- Real code snippets from your project
+
+```tsx
+// ✅ Good: Use semantic tokens
+<div className="bg-background text-foreground">Content</div>
+
+// ❌ Bad: Hardcoded colors
+<div className="bg-white text-black">Content</div>
+```
+
+### 3. Use Clear Section Headers
+
+Organize content with descriptive headers:
+
+```markdown
+## Core Principles
+
+## Rules
+
+## Examples
+
+## Exceptions
+
+## Common Mistakes
+```
+
+### 4. Define Exceptions Explicitly
+
+If there are cases where rules don't apply, state them clearly:
+
+```markdown
+## Exceptions
+
+The ONLY time you can pass className to a design system component is for:
+
+1. Width utilities: `w-full`, `max-w-md`
+2. Responsive display: `hidden`, `md:block`
+```
+
+### 5. Include Checklists
+
+Provide actionable checklists for validation:
+
+```markdown
+## Code Review Checklist
+
+Before committing:
+
+- [ ] Uses semantic color tokens
+- [ ] Works in both light and dark mode
+- [ ] Fully responsive
+```
+
+## Managing Rules
+
+### Creating a New Rule
+
+1. Create a new `.mdc` file in `.cursor/rules/`
+2. Add appropriate frontmatter
+3. Write clear guidelines with examples
+4. Test by working on matching files
+
+### Updating Existing Rules
+
+1. Edit the `.mdc` file
+2. Rules are automatically reloaded
+3. Test changes with relevant files
+
+### Organizing Rules
+
+Recommended structure:
+
+```
+.cursor/rules/
+├── design-system.mdc       # Component usage, variants, composition
+├── code-standards.mdc      # General code quality rules
+├── typescript-rules.mdc    # TypeScript type safety
+├── react-code.mdc          # React patterns and conventions
+├── data-fetching.mdc       # Server/client data patterns
+└── cursor-usage.mdc        # This file - how to use rules
+```
+
+## Rule Scope with Globs
+
+### Common Glob Patterns
+
+```yaml
+# All TypeScript/TSX files
+globs: **/*.{ts,tsx}
+
+# Only TSX files (React components)
+globs: **/*.tsx
+
+# Only trigger task files
+globs: **/trigger/**/*.ts
+
+# Prisma schema files
+globs: **/*.prisma
+
+# All JSON and TypeScript files
+globs: **/*.{ts,tsx,json}
+```
+
+### Glob Pattern Tips
+
+- Use `**` for recursive directory matching
+- Use `*` for single-level wildcard
+- Use `{ts,tsx}` for multiple extensions
+- No quotes or array brackets needed
+- Be specific to avoid over-applying rules
+
+## Debugging Rules
+
+### Rule Not Applying?
+
+1. Check the `globs` pattern matches your file
+2. Verify frontmatter YAML syntax is correct
+3. Ensure `alwaysApply` is set appropriately
+4. Try manually invoking with `@ruleName`
+
+### Rule Conflicting?
+
+1. Check if multiple rules apply to the same files
+2. Make rules more specific with tighter `globs`
+3. Consolidate related rules into one file
+
+## Advanced Features
+
+### Conditional Rules
+
+Use `alwaysApply: false` for rules that should only apply in specific contexts:
+
+```yaml
+---
+description: Performance optimization guidelines
+globs: **/*.ts
+alwaysApply: false
+---
+```
+
+Invoke with: `@performance-optimization refactor this component`
+
+### Hierarchical Rules
+
+More specific globs take precedence:
+
+- `design-system.mdc` with `globs: **/*.tsx` (broad)
+- `trigger.basic.mdc` with `globs: **/trigger/**/*.ts` (specific)
+
+The specific rule will have more weight for trigger files.
+
+## Quick Reference
+
+### Create a New Rule
+
+```bash
+touch .cursor/rules/my-new-rule.mdc
+```
+
+```yaml
+---
+description: What this rule enforces
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# Rule Title
+
+## Guidelines
+
+- Point 1
+- Point 2
+```
+
+### Apply a Rule
+
+- Automatic: Save a file matching the `globs` pattern
+- Manual: Use `@my-new-rule` in your prompt
+
+### Debug a Rule
+
+1. Check file matches `globs` pattern
+2. Verify YAML frontmatter syntax
+3. Look for conflicting rules
+4. Try manual invocation
+
+---
+
+**Remember**: Rules are here to help, not hinder. If a rule doesn't make sense for a specific case, discuss with the team and update the rule accordingly.
diff --git a/.cursor/rules/data-fetching-and-writing.mdc b/.cursor/rules/data-fetching-and-writing.mdc
deleted file mode 100644
index e087e8d47..000000000
--- a/.cursor/rules/data-fetching-and-writing.mdc
+++ /dev/null
@@ -1,17 +0,0 @@
----
-description:
-globs:
-alwaysApply: true
----
-
-We use the following conversions for data:
-
-For reading data:
-
-- Always try to fetch data from a server side rendered component (at Next.js page or server component level) and then create client components for anythign that requires useState/useEffect, etc..
-- Only resort to client side fetching if there is a strong reason why server component fetching wouldn't work.
-- Avoid using cache, if you encounter a cache usage, remove it. We will reintroduce this later in an intentional way.
-
-For writing data:
-
-- We use server actions, refer to [create-new-policy.ts](mdc:apps/app/src/actions/policies/create-new-policy.ts) for an example.
diff --git a/.cursor/rules/data-fetching.mdc b/.cursor/rules/data-fetching.mdc
new file mode 100644
index 000000000..816034113
--- /dev/null
+++ b/.cursor/rules/data-fetching.mdc
@@ -0,0 +1,255 @@
+---
+description: Data fetching architecture - server-first with SWR hydration
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# Data Fetching Architecture
+
+## Core Principles
+
+1. **Server-first**: Fetch initial data in Next.js server components/pages
+2. **OrgId from params**: Get `organizationId` from URL path params (`params.orgId`), NOT from session
+3. **Pass to client**: Hand initial data + organizationId to client components as props
+4. **SWR hydration**: Client components use SWR hooks with `fallbackData` for instant display
+5. **API client singleton**: Use `apiClient` from `@/lib/api-client` for all backend calls
+
+## Pattern: Server → Client → SWR
+
+### Step 1: Server Page Fetches Initial Data
+
+```tsx
+// app/(app)/[orgId]/tasks/page.tsx
+import { notFound } from 'next/navigation';
+import { getTasks } from './data/queries';
+import { TaskListClient } from './components/TaskListClient';
+
+export default async function TasksPage({ params }: { params: Promise<{ orgId: string }> }) {
+  // Get organizationId from URL path params - NOT from session
+  const { orgId } = await params;
+
+  if (!orgId) {
+    return notFound();
+  }
+
+  // Fetch initial data server-side using orgId from params
+  const tasks = await getTasks(orgId);
+
+  return <TaskListClient organizationId={orgId} initialTasks={tasks} />;
+}
+```
+
+### Step 2: Client Component Receives Initial Data
+
+```tsx
+// app/(app)/[orgId]/tasks/components/TaskListClient.tsx
+'use client';
+
+import { useTasks } from '../hooks/useTasks';
+
+interface TaskListClientProps {
+  organizationId: string;
+  initialTasks: Task[];
+}
+
+export function TaskListClient({ organizationId, initialTasks }: TaskListClientProps) {
+  const { tasks, isLoading, createTask, updateTask, deleteTask, mutate } = useTasks({
+    organizationId,
+    initialData: initialTasks,
+  });
+
+  // Initial render is instant - no loading state
+  // SWR revalidates in background for fresh data
+
+  return (
+    <div>
+      {tasks.map((task) => (
+        <TaskCard key={task.id} task={task} />
+      ))}
+    </div>
+  );
+}
+```
+
+### Step 3: SWR Hook with Initial Data Support
+
+```tsx
+// app/(app)/[orgId]/tasks/hooks/useTasks.ts
+'use client';
+
+import { apiClient } from '@/lib/api-client';
+import useSWR from 'swr';
+
+interface UseTasksOptions {
+  organizationId: string;
+  initialData?: Task[];
+}
+
+export function useTasks({ organizationId, initialData }: UseTasksOptions) {
+  const { data, error, isLoading, mutate } = useSWR(
+    // SWR key - includes orgId for cache isolation
+    ['/v1/tasks', organizationId],
+    // Fetcher using apiClient singleton
+    async ([endpoint, orgId]) => {
+      const response = await apiClient.get<{ tasks: Task[] }>(endpoint, orgId);
+      if (response.error) throw new Error(response.error);
+      return response.data?.tasks ?? [];
+    },
+    {
+      // Pass server-fetched data as initial value
+      fallbackData: initialData,
+      // Don't show loading on initial render (we have fallbackData)
+      revalidateOnMount: true,
+      revalidateOnFocus: false,
+    },
+  );
+
+  // Mutations - call API, then revalidate cache
+  const createTask = async (input: CreateTaskInput) => {
+    const response = await apiClient.post<{ task: Task }>('/v1/tasks', input, organizationId);
+    if (response.error) throw new Error(response.error);
+    mutate(); // Revalidate cache
+    return response.data?.task;
+  };
+
+  const updateTask = async (id: string, input: UpdateTaskInput) => {
+    const response = await apiClient.put<{ task: Task }>(`/v1/tasks/${id}`, input, organizationId);
+    if (response.error) throw new Error(response.error);
+    mutate();
+    return response.data?.task;
+  };
+
+  const deleteTask = async (id: string) => {
+    await apiClient.delete(`/v1/tasks/${id}`, organizationId);
+    mutate();
+  };
+
+  return {
+    tasks: data ?? [],
+    isLoading: !data && !error,
+    error,
+    createTask,
+    updateTask,
+    deleteTask,
+    mutate,
+  };
+}
+```
+
+## The API Client Singleton
+
+Located at `apps/app/src/lib/api-client.ts`:
+
+```tsx
+import { apiClient } from '@/lib/api-client';
+
+// GET request
+const response = await apiClient.get<ResponseType>('/v1/endpoint', organizationId);
+
+// POST request
+const response = await apiClient.post<ResponseType>('/v1/endpoint', body, organizationId);
+
+// PUT request
+const response = await apiClient.put<ResponseType>('/v1/endpoint', body, organizationId);
+
+// DELETE request
+await apiClient.delete('/v1/endpoint', organizationId);
+```
+
+The `apiClient`:
+
+- Automatically adds Bearer token authentication
+- Adds `X-Organization-Id` header for org context
+- Handles token refresh on 401 errors
+- Returns typed `ApiResponse<T>` with `data`, `error`, and `status`
+
+## Existing SWR Utility Hook
+
+Use `useApiSWR` from `@/hooks/use-api-swr` for simpler cases:
+
+```tsx
+import { useApiSWR } from '@/hooks/use-api-swr';
+
+function MyComponent() {
+  const { data, error, isLoading, mutate } = useApiSWR<Task[]>('/v1/tasks');
+
+  // Automatically handles organization context from active org
+}
+```
+
+## Rules
+
+### ✅ Always Do This
+
+```tsx
+// 1. Get organizationId from URL path params
+export default async function Page({ params }: { params: Promise<{ orgId: string }> }) {
+  const { orgId } = await params; // ✅ From URL, not session
+  const data = await fetchData(orgId);
+  return <ClientComponent organizationId={orgId} initialData={data} />;
+}
+
+// 2. Pass initialData to SWR hook
+const { data } = useSWR(key, fetcher, { fallbackData: initialData });
+
+// 3. Use apiClient for all API calls
+const response = await apiClient.get('/v1/endpoint', organizationId);
+
+// 4. Include organizationId in SWR key for cache isolation
+useSWR(['/v1/tasks', organizationId], fetcher);
+
+// 5. Return mutations from hooks
+return { data, createItem, updateItem, deleteItem, mutate };
+
+// 6. Use mutate() after mutations to revalidate
+await apiClient.post('/v1/items', body, orgId);
+mutate(); // Refresh the cache
+```
+
+### ❌ Never Do This
+
+```tsx
+// 1. Get orgId from session instead of URL params
+const session = await auth.api.getSession({ headers: await headers() });
+const orgId = session?.session?.activeOrganizationId; // ❌ Wrong!
+// ✅ Use: const { orgId } = await params;
+
+// 2. Client-only data fetching without server pre-fetch
+function ClientOnlyPage() {
+  const { data, isLoading } = useSWR('/api/data'); // No initial data!
+  if (isLoading) return <Spinner />; // Unnecessary loading state
+}
+
+// 3. Direct fetch() calls instead of apiClient
+const res = await fetch('/api/endpoint'); // Missing auth headers!
+
+// 4. Server actions for data mutations
+('use server');
+export async function createTask() {} // Use API routes instead
+
+// 5. Separate mutation hooks
+export function useCreateTask() {} // Keep mutations in main hook
+export function useUpdateTask() {} // Don't split them out
+```
+
+## File Structure
+
+```
+app/(app)/[orgId]/tasks/
+├── page.tsx                    # Server component - fetches initial data
+├── components/
+│   └── TaskListClient.tsx      # Client component - receives initialData
+├── hooks/
+│   └── useTasks.ts             # SWR hook with mutations
+└── data/
+    └── queries.ts              # Server-side query functions
+```
+
+## Benefits
+
+1. **Instant initial render** - No loading spinner, data is pre-fetched
+2. **Fresh data** - SWR revalidates in background after mount
+3. **Optimistic updates** - Use `mutate()` with optimistic data
+4. **Cache deduplication** - Same endpoint shares cache across components
+5. **Type safety** - `apiClient` returns typed `ApiResponse<T>`
+6. **Auth handled** - JWT tokens managed automatically
diff --git a/.cursor/rules/design-system.mdc b/.cursor/rules/design-system.mdc
index 9a0d82de5..05c57dadb 100644
--- a/.cursor/rules/design-system.mdc
+++ b/.cursor/rules/design-system.mdc
@@ -1,133 +1,186 @@
 ---
-description: Any time we are going to write react components and / or layouts
-alwaysApply: false
+description: Design system guidelines for B2B UI with TailwindCSS and shadcn/ui
+globs: **/*.tsx
+alwaysApply: true
 ---
 
-Rule Name: design-system
-Description:
-Design System & Component Guidelines
+# Design System
 
-## Design Philosophy
+## Core Principles
 
-- **B2B, Modern, Flat, Minimal, Elegant**: All UI should follow a clean, professional aesthetic suitable for business applications
-- **Sleek & Minimal**: Avoid visual clutter, use whitespace effectively, keep interfaces clean
-- **Dark Mode First**: Always ensure components work seamlessly in both light and dark modes
+- **B2B, Modern, Flat, Minimal**: Clean professional aesthetic, no visual clutter
+- **Dark Mode First**: All components must work in both light and dark modes
+- **shadcn/ui Base**: Use shadcn components with variants, not className overrides
 
 ## Component Usage
 
-- **Adhere to Base Components**: Minimize custom overrides and stick to shadcn/ui base components whenever possible
-- **Semantic Color Classes**: Use semantic classes like `text-muted-foreground`, `bg-muted/50` instead of hardcoded colors
-- **Dark Mode Support**: Always use dark mode variants like `bg-green-50 dark:bg-green-950/20`, `text-green-600 dark:text-green-400`
+### ✅ Always Do This
 
-## Typography & Sizing
+```tsx
+// Use shadcn component variants
+<Button variant="destructive" size="sm">Delete</Button>
+<Badge variant="outline">Status</Badge>
+<Card>Content</Card>
 
-- **Moderate Text Sizes**: Avoid overly large text - prefer `text-base`, `text-sm`, `text-xs` over `text-xl+`
-- **Consistent Hierarchy**: Use `font-medium`, `font-semibold` sparingly, prefer `font-normal` with size differentiation
-- **Tabular Numbers**: Use `tabular-nums` class for numeric data to ensure proper alignment
+// Use semantic color tokens
+<div className="bg-background text-foreground">
+<div className="bg-muted text-muted-foreground">
+<div className="border-border">
+
+// Dark mode with explicit variants
+<div className="bg-green-50 dark:bg-green-950/20 text-green-600 dark:text-green-400">
+```
+
+### ❌ Never Do This
+
+```tsx
+// Overriding shadcn components with className
+<Button className="bg-red-500 px-8 rounded-full">Click</Button>
+<Card className="shadow-xl border-2">Content</Card>
+
+// Hardcoded colors
+<div className="bg-white text-black">
+<div className="bg-[#059669]">
+<div style={{ color: '#333' }}>
+```
 
 ## Layout & Spacing
 
-- **Flexbox-First**: ALWAYS prefer flexbox with `gap` over hardcoded margins (`mt-`, `mb-`, `ml-`, `mr-`)
-- **Use Gaps, Not Margins**: Use `gap-2`, `gap-4`, `space-y-4` for spacing between elements
-- **Consistent Spacing**: Use standard Tailwind spacing scale (`space-y-4`, `gap-6`, etc.)
-- **Card-Based Layouts**: Prefer Card components for content organization
-- **Minimal Padding**: Use conservative padding - `p-3`, `p-4` rather than larger values
-- **Clean Separators**: Use subtle borders (`border-t`, `border-muted`) instead of heavy dividers
-- **NEVER Hardcode Margins**: Avoid `mt-4`, `mb-2`, `ml-3` unless absolutely necessary for exceptions
-
-## Color & Visual Elements
-
-- **Status Colors**:
-  - Green for completed/success states
-  - Blue for in-progress/info states
-  - Yellow for warnings
-  - Red for errors/destructive actions
-- **Subtle Indicators**: Use small colored dots (`w-2 h-2 rounded-full`) instead of large icons for status
-- **Minimal Shadows**: Prefer `hover:shadow-sm` over heavy shadow effects
-- **Progress Bars**: Keep thin (`h-1`, `h-2`) for minimal visual weight
+### ✅ Always Do This
 
-## Interactive Elements
+```tsx
+// Flexbox with gap
+<div className="flex items-center gap-4">
+<div className="flex flex-col gap-2">
+<div className="grid grid-cols-2 gap-4">
 
-- **Subtle Hover States**: Use gentle transitions (`transition-shadow`, `hover:shadow-sm`)
-- **Consistent Button Sizing**: Prefer `size="sm"` for most buttons, `size="icon"` for icon-only
-- **Badge Usage**: Keep badges minimal with essential info only (percentages, short status)
+// Responsive prefixes
+<div className="hidden md:flex">
+<div className="p-4 md:p-6">
+```
 
-## Data Display
+### ❌ Never Do This
 
-- **Shared Design Language**: Ensure related components (cards, overviews, details) use consistent patterns
-- **Minimal Stats**: Present data cleanly without excessive decoration
-- **Contextual Icons**: Use small, relevant icons (`h-3 w-3`, `h-4 w-4`) sparingly for context
+```tsx
+// Hardcoded margins
+<div className="mt-4 mb-2 ml-3">
+<Button className="mr-2">
 
-## Anti-Patterns to Avoid
+// Inline styles
+<div style={{ display: 'flex', marginTop: '16px' }}>
 
-- Large text sizes (`text-2xl+` except for main headings)
-- Heavy shadows or borders
-- Excessive use of colored backgrounds
-- Redundant badges or status indicators
-- Complex custom styling overrides
-- Non-semantic color usage (hardcoded hex values)
-- Cluttered layouts with too many visual elements
-  Rule Name: design-system
-  Description:
-  Design System & Component Guidelines
+// Arbitrary pixel values
+<div className="w-[847px] h-[123px]">
+```
 
-## Design Philosophy
+## Typography
 
-- **B2B, Modern, Flat, Minimal, Elegant**: All UI should follow a clean, professional aesthetic suitable for business applications
-- **Sleek & Minimal**: Avoid visual clutter, use whitespace effectively, keep interfaces clean
-- **Dark Mode First**: Always ensure components work seamlessly in both light and dark modes
+### ✅ Always Do This
 
-## Component Usage
+```tsx
+// Moderate sizes
+<span className="text-sm text-muted-foreground">Label</span>
+<p className="text-base">Body text</p>
 
-- **Adhere to Base Components**: Minimize custom overrides and stick to shadcn/ui base components whenever possible
-- **Semantic Color Classes**: Use semantic classes like `text-muted-foreground`, `bg-muted/50` instead of hardcoded colors
-- **Dark Mode Support**: Always use dark mode variants like `bg-green-50 dark:bg-green-950/20`, `text-green-600 dark:text-green-400`
+// Tabular numbers for data
+<span className="tabular-nums font-mono">1,234.56</span>
 
-## Typography & Sizing
+// Semantic hierarchy
+<h1 className="text-lg font-semibold">Page Title</h1>
+<p className="text-sm text-muted-foreground">Description</p>
+```
 
-- **Moderate Text Sizes**: Avoid overly large text - prefer `text-base`, `text-sm`, `text-xs` over `text-xl+`
-- **Consistent Hierarchy**: Use `font-medium`, `font-semibold` sparingly, prefer `font-normal` with size differentiation
-- **Tabular Numbers**: Use `tabular-nums` class for numeric data to ensure proper alignment
+### ❌ Never Do This
 
-## Layout & Spacing
+```tsx
+// Oversized text
+<h1 className="text-4xl font-black">HUGE TITLE</h1>
+
+// Too many font weights
+<span className="font-bold text-xl">
+```
+
+## Colors & Status
+
+### Status Color Patterns
+
+```tsx
+// Success - Green
+<div className="bg-green-50 dark:bg-green-950/20 text-green-600 dark:text-green-400">
+<Badge variant="outline" className="border-green-500 text-green-600">Complete</Badge>
+
+// Error - Red
+<div className="bg-red-50 dark:bg-red-950/20 text-red-600 dark:text-red-400">
+<Badge variant="destructive">Failed</Badge>
 
-- **Flexbox-First**: ALWAYS prefer flexbox with `gap` over hardcoded margins (`mt-`, `mb-`, `ml-`, `mr-`)
-- **Use Gaps, Not Margins**: Use `gap-2`, `gap-4`, `space-y-4` for spacing between elements
-- **Consistent Spacing**: Use standard Tailwind spacing scale (`space-y-4`, `gap-6`, etc.)
-- **Card-Based Layouts**: Prefer Card components for content organization
-- **Minimal Padding**: Use conservative padding - `p-3`, `p-4` rather than larger values
-- **Clean Separators**: Use subtle borders (`border-t`, `border-muted`) instead of heavy dividers
-- **NEVER Hardcode Margins**: Avoid `mt-4`, `mb-2`, `ml-3` unless absolutely necessary for exceptions
-
-## Color & Visual Elements
-
-- **Status Colors**:
-  - Green for completed/success states
-  - Blue for in-progress/info states
-  - Yellow for warnings
-  - Red for errors/destructive actions
-- **Subtle Indicators**: Use small colored dots (`w-2 h-2 rounded-full`) instead of large icons for status
-- **Minimal Shadows**: Prefer `hover:shadow-sm` over heavy shadow effects
-- **Progress Bars**: Keep thin (`h-1`, `h-2`) for minimal visual weight
+// Warning - Yellow
+<div className="bg-yellow-50 dark:bg-yellow-950/20 text-yellow-600 dark:text-yellow-400">
+
+// Info - Blue
+<div className="bg-blue-50 dark:bg-blue-950/20 text-blue-600 dark:text-blue-400">
+```
+
+### Status Indicators
+
+```tsx
+// ✅ Small dots for status
+<div className="w-2 h-2 rounded-full bg-green-500" />
+<div className="w-2 h-2 rounded-full bg-red-500 animate-pulse" />
+
+// ❌ Large icons for simple status
+<CheckCircle className="h-8 w-8 text-green-500" />
+```
 
 ## Interactive Elements
 
-- **Subtle Hover States**: Use gentle transitions (`transition-shadow`, `hover:shadow-sm`)
-- **Consistent Button Sizing**: Prefer `size="sm"` for most buttons, `size="icon"` for icon-only
-- **Badge Usage**: Keep badges minimal with essential info only (percentages, short status)
+```tsx
+// ✅ Subtle hover states
+<div className="transition-shadow hover:shadow-sm">
+<Card className="hover:border-primary/50 transition-colors">
+
+// ✅ Consistent button sizing
+<Button size="sm">Action</Button>
+<Button size="icon"><Icon className="h-4 w-4" /></Button>
+
+// ❌ Heavy shadows and borders
+<Card className="shadow-2xl border-4">
+```
+
+## Icons
+
+```tsx
+// ✅ Small, contextual icons
+<Icon className="h-4 w-4 text-muted-foreground" />
+<Icon className="h-3 w-3" />
+
+// ❌ Oversized icons
+<Icon className="h-12 w-12" />
+```
+
+## Exceptions
+
+The ONLY time you can pass className to a shadcn component:
+
+1. **Width utilities**: `w-full`, `max-w-md`, `flex-1`
+2. **Responsive display**: `hidden`, `md:block`, `lg:flex`
+3. **Grid/flex positioning**: `col-span-2`, `justify-self-end`
 
-## Data Display
+```tsx
+// ✅ Acceptable className usage
+<Button className="w-full">Full Width</Button>
+<Card className="col-span-2">Spanning Card</Card>
+<Badge className="hidden md:inline-flex">Desktop Only</Badge>
+```
 
-- **Shared Design Language**: Ensure related components (cards, overviews, details) use consistent patterns
-- **Minimal Stats**: Present data cleanly without excessive decoration
-- **Contextual Icons**: Use small, relevant icons (`h-3 w-3`, `h-4 w-4`) sparingly for context
+## Checklist
 
-## Anti-Patterns to Avoid
+Before committing UI code:
 
-- Large text sizes (`text-2xl+` except for main headings)
-- Heavy shadows or borders
-- Excessive use of colored backgrounds
-- Redundant badges or status indicators
-- Complex custom styling overrides
-- Non-semantic color usage (hardcoded hex values)
-- Cluttered layouts with too many visual elements
+- [ ] Uses shadcn component variants (not className overrides)
+- [ ] Uses semantic color tokens (`bg-background`, `text-foreground`)
+- [ ] Works in both light and dark mode
+- [ ] Uses `gap` instead of margins for spacing
+- [ ] Text sizes are moderate (`text-sm`, `text-base`)
+- [ ] Icons are small (`h-4 w-4` or smaller)
+- [ ] No hardcoded colors or arbitrary values
+- [ ] Responsive with Tailwind prefixes (`md:`, `lg:`)
diff --git a/.cursor/rules/file-structure.mdc b/.cursor/rules/file-structure.mdc
index 2945a163b..d3d166e2c 100644
--- a/.cursor/rules/file-structure.mdc
+++ b/.cursor/rules/file-structure.mdc
@@ -1,8 +1,121 @@
 ---
-description: 
-globs: 
+description: File structure and colocalization guidelines for Next.js app router
+globs: **/*.{ts,tsx}
 alwaysApply: true
 ---
-Always opt for colocallizing code, where components, actions, etc.. are encapsulated at a route/page level in their own directory. If you encounter examples of non-colocalized code, try to colocalize it.
 
-The only exception to this rule is code that will be reused across many different components/pages.
\ No newline at end of file
+# File Structure
+
+## Core Principle
+
+**Colocate code at the route/page level.** Components, hooks, actions, and queries should live next to the page that uses them.
+
+## Directory Structure
+
+### ✅ Good: Colocated Structure
+
+```
+app/(app)/[orgId]/tasks/
+├── page.tsx                    # Server component
+├── components/
+│   ├── TaskList.tsx            # Client component
+│   ├── TaskCard.tsx
+│   └── TaskFilters.tsx
+├── hooks/
+│   └── useTasks.ts             # SWR hook with mutations
+├── data/
+│   └── queries.ts              # Server-side queries
+└── actions/
+    └── task-actions.ts         # If needed
+```
+
+### ❌ Bad: Scattered Structure
+
+```
+app/(app)/[orgId]/tasks/page.tsx
+components/tasks/TaskList.tsx      # ❌ Far from page
+components/tasks/TaskCard.tsx      # ❌ Hard to find
+hooks/useTasks.ts                  # ❌ Not colocated
+lib/queries/task-queries.ts        # ❌ Disconnected
+```
+
+## When to Colocate vs Share
+
+### ✅ Colocate When
+
+- Component is only used by one page
+- Hook fetches data specific to one route
+- Query is only called from one page
+
+```
+app/(app)/[orgId]/vendors/
+├── components/
+│   └── VendorTable.tsx         # Only used on vendors page
+├── hooks/
+│   └── useVendors.ts           # Only used here
+└── page.tsx
+```
+
+### ✅ Share When
+
+- Component is used across 3+ pages
+- Utility is genuinely generic
+- Hook is reused across multiple routes
+
+```
+# Shared components live in:
+src/components/ui/              # shadcn primitives
+src/components/shared/          # cross-page components
+
+# Shared hooks live in:
+src/hooks/                      # e.g., useApiSWR, useDebounce
+```
+
+## Rules
+
+1. **Default to colocating** - Start by putting files next to the page
+2. **Move to shared only when reused** - Don't pre-optimize
+3. **Remove unused imports** - Always clean up after refactoring
+4. **One component per file** - Name file same as component
+
+## Examples
+
+### ✅ Creating a New Feature
+
+```tsx
+// app/(app)/[orgId]/risks/page.tsx
+import { RiskTable } from './components/RiskTable';
+import { getRisks } from './data/queries';
+
+export default async function RisksPage({ params }) {
+  const { orgId } = await params;
+  const risks = await getRisks(orgId);
+  return <RiskTable risks={risks} organizationId={orgId} />;
+}
+```
+
+```tsx
+// app/(app)/[orgId]/risks/components/RiskTable.tsx
+'use client';
+import { useRisks } from '../hooks/useRisks';
+// ... component implementation
+```
+
+### ❌ Anti-Pattern: Global Everything
+
+```tsx
+// Don't do this:
+import { RiskTable } from '@/components/risks/RiskTable';
+import { useRisks } from '@/hooks/useRisks';
+import { getRisks } from '@/lib/queries/risks';
+```
+
+## Checklist
+
+Before committing:
+
+- [ ] New components live next to their page
+- [ ] Hooks are colocated with the page that uses them
+- [ ] Shared code is genuinely used by 3+ pages
+- [ ] No unused imports remain
+- [ ] File names match component/hook names
diff --git a/.cursor/rules/forms.mdc b/.cursor/rules/forms.mdc
new file mode 100644
index 000000000..0e99b10dd
--- /dev/null
+++ b/.cursor/rules/forms.mdc
@@ -0,0 +1,423 @@
+---
+description: Form handling with React Hook Form, Zod validation, and shadcn/ui
+globs: **/*.{ts,tsx}
+alwaysApply: true
+---
+
+# Forms: React Hook Form + Zod
+
+## Core Principle
+
+**All forms MUST use React Hook Form with Zod validation. No exceptions.**
+
+## Required Stack
+
+- `react-hook-form` - Form state management
+- `zod` - Schema validation
+- `@hookform/resolvers` - Zod resolver for RHF
+
+## Basic Pattern
+
+```tsx
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useForm } from 'react-hook-form';
+import { z } from 'zod';
+import { Button } from '@/components/ui/button';
+import { Input } from '@/components/ui/input';
+import { Label } from '@/components/ui/label';
+
+// 1. Define schema with Zod
+const formSchema = z.object({
+  email: z.string().email('Invalid email address'),
+  password: z.string().min(8, 'Password must be at least 8 characters'),
+});
+
+// 2. Infer TypeScript type from schema
+type FormData = z.infer<typeof formSchema>;
+
+// 3. Use in component
+function MyForm() {
+  const {
+    register,
+    handleSubmit,
+    formState: { errors, isSubmitting },
+  } = useForm<FormData>({
+    resolver: zodResolver(formSchema),
+    defaultValues: {
+      email: '',
+      password: '',
+    },
+  });
+
+  const onSubmit = async (data: FormData) => {
+    // data is fully typed and validated
+    await submitToApi(data);
+  };
+
+  return (
+    <form onSubmit={handleSubmit(onSubmit)} className="flex flex-col gap-4">
+      <div className="flex flex-col gap-2">
+        <Label htmlFor="email">Email</Label>
+        <Input id="email" {...register('email')} />
+        {errors.email && (
+          <p className="text-sm text-destructive">{errors.email.message}</p>
+        )}
+      </div>
+
+      <Button type="submit" disabled={isSubmitting}>
+        {isSubmitting ? 'Submitting...' : 'Submit'}
+      </Button>
+    </form>
+  );
+}
+```
+
+## Schema Best Practices
+
+### String Validation
+
+```tsx
+const schema = z.object({
+  // Required string with min length
+  name: z.string().min(1, 'Name is required'),
+
+  // Email validation
+  email: z.string().email('Invalid email'),
+
+  // URL validation
+  website: z.string().url('Invalid URL'),
+
+  // Optional string
+  bio: z.string().optional(),
+
+  // String with regex
+  slug: z.string().regex(/^[a-z0-9-]+$/, 'Only lowercase letters, numbers, and hyphens'),
+
+  // Trimmed string (removes whitespace)
+  title: z.string().trim().min(1, 'Title is required'),
+});
+```
+
+### Number Validation
+
+```tsx
+const schema = z.object({
+  // Integer with range
+  age: z.number().int().min(0).max(150),
+
+  // Positive number
+  price: z.number().positive('Must be positive'),
+
+  // Coerce string to number (for inputs)
+  quantity: z.coerce.number().int().min(1),
+});
+```
+
+### Array & Object Validation
+
+```tsx
+const schema = z.object({
+  // Array of strings
+  tags: z.array(z.string()).min(1, 'At least one tag required'),
+
+  // Array of objects
+  items: z.array(
+    z.object({
+      name: z.string(),
+      quantity: z.number(),
+    })
+  ),
+
+  // Nested object
+  address: z.object({
+    street: z.string(),
+    city: z.string(),
+    zip: z.string(),
+  }),
+});
+```
+
+### Conditional Validation
+
+```tsx
+const schema = z
+  .object({
+    hasAccount: z.boolean(),
+    accountId: z.string().optional(),
+  })
+  .refine((data) => !data.hasAccount || data.accountId, {
+    message: 'Account ID required when has account',
+    path: ['accountId'],
+  });
+```
+
+## shadcn/ui Form Components
+
+### Basic Input
+
+```tsx
+<div className="flex flex-col gap-2">
+  <Label htmlFor="name">Name</Label>
+  <Input id="name" {...register('name')} />
+  {errors.name && (
+    <p className="text-sm text-destructive">{errors.name.message}</p>
+  )}
+</div>
+```
+
+### With Controller (for complex components)
+
+```tsx
+import { Controller } from 'react-hook-form';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
+
+<Controller
+  name="status"
+  control={control}
+  render={({ field }) => (
+    <Select onValueChange={field.onChange} defaultValue={field.value}>
+      <SelectTrigger>
+        <SelectValue placeholder="Select status" />
+      </SelectTrigger>
+      <SelectContent>
+        <SelectItem value="active">Active</SelectItem>
+        <SelectItem value="inactive">Inactive</SelectItem>
+      </SelectContent>
+    </Select>
+  )}
+/>
+```
+
+### Textarea
+
+```tsx
+import { Textarea } from '@/components/ui/textarea';
+
+<div className="flex flex-col gap-2">
+  <Label htmlFor="description">Description</Label>
+  <Textarea id="description" {...register('description')} rows={5} />
+  {errors.description && (
+    <p className="text-sm text-destructive">{errors.description.message}</p>
+  )}
+</div>
+```
+
+### Checkbox
+
+```tsx
+import { Checkbox } from '@/components/ui/checkbox';
+
+<Controller
+  name="acceptTerms"
+  control={control}
+  render={({ field }) => (
+    <div className="flex items-center gap-2">
+      <Checkbox
+        id="terms"
+        checked={field.value}
+        onCheckedChange={field.onChange}
+      />
+      <Label htmlFor="terms">Accept terms and conditions</Label>
+    </div>
+  )}
+/>
+```
+
+## Form State Management
+
+### Accessing Form State
+
+```tsx
+const {
+  register,
+  handleSubmit,
+  control,
+  watch,
+  setValue,
+  reset,
+  formState: {
+    errors,       // Field errors
+    isSubmitting, // Form is being submitted
+    isValid,      // All fields valid
+    isDirty,      // Form has been modified
+    dirtyFields,  // Which fields were modified
+  },
+} = useForm<FormData>({
+  resolver: zodResolver(schema),
+  mode: 'onChange', // Validate on change (default is 'onSubmit')
+});
+```
+
+### Watching Values
+
+```tsx
+// Watch single field
+const email = watch('email');
+
+// Watch multiple fields
+const [firstName, lastName] = watch(['firstName', 'lastName']);
+
+// Watch all fields
+const allValues = watch();
+```
+
+### Setting Values Programmatically
+
+```tsx
+// Set single value
+setValue('email', 'new@example.com');
+
+// Set and trigger validation
+setValue('email', 'new@example.com', { shouldValidate: true });
+
+// Reset entire form
+reset();
+
+// Reset to specific values
+reset({ email: 'default@example.com', name: '' });
+```
+
+## Error Handling
+
+### API Errors
+
+```tsx
+const { setError, formState: { errors } } = useForm<FormData>();
+
+const onSubmit = async (data: FormData) => {
+  try {
+    await submitToApi(data);
+  } catch (error) {
+    if (error.field) {
+      // Set field-specific error
+      setError(error.field, { message: error.message });
+    } else {
+      // Set root error for general errors
+      setError('root', { message: 'Something went wrong' });
+    }
+  }
+};
+
+// Display root error
+{errors.root && (
+  <div className="text-sm text-destructive">{errors.root.message}</div>
+)}
+```
+
+### Form-Level Validation
+
+```tsx
+const schema = z
+  .object({
+    password: z.string().min(8),
+    confirmPassword: z.string(),
+  })
+  .refine((data) => data.password === data.confirmPassword, {
+    message: "Passwords don't match",
+    path: ['confirmPassword'],
+  });
+```
+
+## Common Patterns
+
+### Form with Loading State
+
+```tsx
+<Button type="submit" disabled={isSubmitting || !isValid}>
+  {isSubmitting ? 'Saving...' : 'Save'}
+</Button>
+```
+
+### Dynamic Form Fields
+
+```tsx
+import { useFieldArray } from 'react-hook-form';
+
+const { fields, append, remove } = useFieldArray({
+  control,
+  name: 'items',
+});
+
+return (
+  <div className="flex flex-col gap-2">
+    {fields.map((field, index) => (
+      <div key={field.id} className="flex items-center gap-2">
+        <Input {...register(`items.${index}.name`)} />
+        <Button type="button" variant="ghost" onClick={() => remove(index)}>
+          Remove
+        </Button>
+      </div>
+    ))}
+    <Button type="button" variant="outline" onClick={() => append({ name: '' })}>
+      Add Item
+    </Button>
+  </div>
+);
+```
+
+## Anti-Patterns to Avoid
+
+### ❌ Don't Use useState for Form Fields
+
+```tsx
+// BAD
+const [email, setEmail] = useState('');
+const [password, setPassword] = useState('');
+
+// GOOD
+const { register } = useForm<FormData>();
+```
+
+### ❌ Don't Validate Manually
+
+```tsx
+// BAD
+const handleSubmit = (e) => {
+  e.preventDefault();
+  if (email.length < 5) {
+    setError('Email too short');
+    return;
+  }
+  // ...
+};
+
+// GOOD
+const schema = z.object({
+  email: z.string().min(5, 'Email too short'),
+});
+```
+
+### ❌ Don't Mix Controlled/Uncontrolled
+
+```tsx
+// BAD - mixing value prop with register
+<Input value={someState} {...register('field')} />
+
+// GOOD - use setValue for external changes
+useEffect(() => {
+  setValue('field', someState);
+}, [someState, setValue]);
+```
+
+### ❌ Don't Forget Button Type
+
+```tsx
+// BAD - buttons without type default to submit
+<button onClick={handleOtherAction}>Other Action</button>
+
+// GOOD - explicit type="button" for non-submit buttons
+<Button type="button" onClick={handleOtherAction}>Other Action</Button>
+<Button type="submit">Submit</Button>
+```
+
+## Checklist Before Committing Forms
+
+- [ ] Schema defined with Zod
+- [ ] TypeScript types inferred from schema (`z.infer<typeof schema>`)
+- [ ] `useForm` with `zodResolver`
+- [ ] All inputs use `register` or `Controller`
+- [ ] Error messages displayed for each field
+- [ ] Submit button has `type="submit"` and disabled state
+- [ ] Other buttons have `type="button"`
+- [ ] Loading state handled (`isSubmitting`)
+- [ ] API errors handled with `setError`
diff --git a/.cursor/rules/imports.mdc b/.cursor/rules/imports.mdc
deleted file mode 100644
index 237e86295..000000000
--- a/.cursor/rules/imports.mdc
+++ /dev/null
@@ -1,6 +0,0 @@
----
-description: 
-globs: 
-alwaysApply: true
----
-Always remove unused imports.
\ No newline at end of file
diff --git a/.cursor/rules/monorepo.mdc b/.cursor/rules/monorepo.mdc
new file mode 100644
index 000000000..b956dfaa8
--- /dev/null
+++ b/.cursor/rules/monorepo.mdc
@@ -0,0 +1,263 @@
+---
+description: Turborepo monorepo structure and best practices
+globs: **/*.{ts,tsx,json}
+alwaysApply: true
+---
+
+# Monorepo Structure (Turborepo)
+
+## Overview
+
+This is a **Turborepo monorepo** with bun as the package manager.
+
+```
+comp/
+├── apps/                    # Deployable applications
+│   ├── api/                 # NestJS backend API
+│   ├── app/                 # Next.js main application
+│   └── portal/              # Next.js trust portal
+├── packages/                # Shared libraries
+│   ├── db/                  # Prisma database package
+│   ├── ui/                  # Shared UI components (shadcn)
+│   ├── email/               # Email templates
+│   ├── utils/               # Shared utilities
+│   ├── tsconfig/            # Shared TypeScript configs
+│   └── ...
+├── turbo.json               # Turborepo configuration
+└── package.json             # Root package.json
+```
+
+## Package Naming
+
+All packages use the `@comp/` or `@trycompai/` scope:
+
+```json
+// packages/ui/package.json
+{ "name": "@trycompai/ui" }
+
+// packages/db/package.json
+{ "name": "@comp/db" }
+```
+
+## Running Commands
+
+### ✅ Always Use Turbo for Multi-Package Commands
+
+```bash
+# Run across all packages
+bun run build          # turbo build
+bun run lint           # turbo lint
+bun run typecheck      # turbo typecheck
+bun run dev            # turbo dev --parallel
+
+# Run for specific package with filter
+turbo build --filter=@trycompai/ui
+turbo dev --filter=apps/app
+```
+
+### ✅ Use Workspace Filter for Single Package
+
+```bash
+# Run script in specific package
+bun run -F @comp/db prisma:generate
+bun run -F apps/app dev
+bun run -F @trycompai/ui build
+```
+
+### ❌ Never Do This
+
+```bash
+# Don't cd into package and run directly
+cd apps/app && bun run dev  # ❌ Breaks turborepo caching
+
+# Don't use npm/yarn
+npm install  # ❌ Use bun
+yarn add     # ❌ Use bun
+```
+
+## Importing Between Packages
+
+### ✅ Always Import from Package Name
+
+```tsx
+// In apps/app - importing from packages
+import { Button } from '@trycompai/ui';
+import { prisma } from '@comp/db';
+import { formatDate } from '@trycompai/utils';
+```
+
+### ❌ Never Use Relative Paths Across Packages
+
+```tsx
+// ❌ Don't do this
+import { Button } from '../../../packages/ui/src/button';
+import { prisma } from '../../packages/db';
+```
+
+## Adding Dependencies
+
+### To a Specific Package
+
+```bash
+# Add to specific workspace
+bun add axios -F apps/app
+bun add -D vitest -F @trycompai/ui
+```
+
+### To Root (Dev Dependencies Only)
+
+```bash
+# Only for tools used across all packages
+bun add -D -w prettier typescript turbo
+```
+
+### ❌ Never Add App Dependencies to Root
+
+```bash
+# ❌ Don't add app-specific deps to root
+bun add -w next react  # Wrong! Add to apps/app
+```
+
+## Shared Configurations
+
+### TypeScript
+
+Extend from shared tsconfig:
+
+```json
+// apps/app/tsconfig.json
+{
+  "extends": "@comp/tsconfig/nextjs.json",
+  "compilerOptions": {
+    "baseUrl": ".",
+    "paths": { "@/*": ["./src/*"] }
+  }
+}
+```
+
+### ESLint & Prettier
+
+Configurations live at root and are shared across all packages.
+
+## Turbo Task Dependencies
+
+```json
+// turbo.json
+{
+  "tasks": {
+    "build": {
+      "dependsOn": ["^build"], // Build dependencies first
+      "outputs": ["dist/**", ".next/**"]
+    },
+    "dev": {
+      "persistent": true,
+      "cache": false
+    }
+  }
+}
+```
+
+### Understanding `^` Prefix
+
+```json
+{
+  "build": {
+    "dependsOn": ["^build"] // Run build in dependencies FIRST
+  },
+  "lint": {
+    "dependsOn": ["^lint"] // Run lint in dependencies FIRST
+  }
+}
+```
+
+## Creating a New Package
+
+1. Create directory in `packages/`:
+
+```bash
+mkdir packages/my-package
+```
+
+2. Add `package.json`:
+
+```json
+{
+  "name": "@trycompai/my-package",
+  "version": "0.0.0",
+  "private": true,
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "scripts": {
+    "build": "tsup src/index.ts --format cjs,esm --dts",
+    "dev": "tsup src/index.ts --format cjs,esm --dts --watch",
+    "typecheck": "tsc --noEmit"
+  }
+}
+```
+
+3. Add `tsconfig.json`:
+
+```json
+{
+  "extends": "@comp/tsconfig/base.json",
+  "compilerOptions": {
+    "outDir": "dist"
+  },
+  "include": ["src"]
+}
+```
+
+4. Install dependencies:
+
+```bash
+bun install
+```
+
+## Package Boundaries
+
+### ✅ Packages Should Be
+
+- **Self-contained** - All dependencies declared in own package.json
+- **Reusable** - Used by 2+ apps/packages to justify extraction
+- **Focused** - Single responsibility (ui, db, utils, etc.)
+
+### ❌ Don't Create Packages For
+
+- Code only used in one app (colocate instead)
+- Temporary utilities
+- App-specific business logic
+
+## Dependency Syncing
+
+Keep versions consistent across packages:
+
+```bash
+# Check for mismatched versions
+bun run deps:check
+
+# Fix mismatches automatically
+bun run deps:fix
+```
+
+## CI/CD Considerations
+
+Turborepo enables:
+
+- **Caching** - Only rebuild changed packages
+- **Parallelization** - Run independent tasks simultaneously
+- **Affected filtering** - Only test/build what changed
+
+```bash
+# Only build affected packages
+turbo build --filter=[origin/main]
+```
+
+## Checklist
+
+Before committing:
+
+- [ ] Dependencies added to correct package (not root)
+- [ ] Imports use package names, not relative paths
+- [ ] New packages have proper package.json and tsconfig.json
+- [ ] Used `turbo` or `bun run -F` for package-specific commands
+- [ ] Version mismatches resolved with `bun run deps:fix`
diff --git a/.cursor/rules/package-manager.mdc b/.cursor/rules/package-manager.mdc
index cea894441..71384218a 100644
--- a/.cursor/rules/package-manager.mdc
+++ b/.cursor/rules/package-manager.mdc
@@ -1,10 +1,64 @@
 ---
-description: 
-globs: 
+description: Use bun as the package manager for all operations
+globs: **/*.{ts,tsx,json}
 alwaysApply: true
 ---
-Always use bun as our package manager, example:
-bun install axios
-bun remove
+
+# Package Manager
+
+## Core Rule
+
+**Always use `bun` as the package manager.** Never use npm, yarn, or pnpm.
+
+## Commands
+
+### ✅ Always Use Bun
+
+```bash
+# Install dependencies
+bun install
+bun add axios
+bun add -D typescript
+
+# Remove packages
+bun remove axios
+
+# Run scripts
 bun run dev
-bunx prisma migrate dev
\ No newline at end of file
+bun run build
+bun run typecheck
+bun run lint
+
+# Execute binaries
+bunx prisma migrate dev
+bunx prisma generate
+bunx eslint .
+```
+
+### ❌ Never Use These
+
+```bash
+# npm
+npm install
+npm run dev
+npx prisma migrate
+
+# yarn
+yarn add axios
+yarn dev
+
+# pnpm
+pnpm install
+pnpm run dev
+```
+
+## Quick Reference
+
+| Action             | Command                |
+| ------------------ | ---------------------- |
+| Install all deps   | `bun install`          |
+| Add package        | `bun add <package>`    |
+| Add dev dependency | `bun add -D <package>` |
+| Remove package     | `bun remove <package>` |
+| Run script         | `bun run <script>`     |
+| Execute binary     | `bunx <command>`       |
diff --git a/.cursor/rules/prisma.mdc b/.cursor/rules/prisma.mdc
index be6819ad9..4f490eed1 100644
--- a/.cursor/rules/prisma.mdc
+++ b/.cursor/rules/prisma.mdc
@@ -1,19 +1,144 @@
 ---
-description: 
-globs: *.prisma
+description: Prisma schema conventions and migration workflow
+globs: **/*.prisma
 alwaysApply: false
 ---
-In the database schemas (prisma .schema files) we always want to use custom ID's using `generate_prefixed_cuid` such as
 
+# Prisma Schema
+
+## Migration Workflow
+
+**Schema changes happen in `packages/db`, then regenerate types in each app.**
+
+### Step 1: Edit Schema
+
+```bash
+# Schema files are in packages/db/prisma/schema/
+packages/db/prisma/schema/
+├── schema.prisma      # Main schema with datasource
+├── user.prisma        # User models
+├── task.prisma        # Task models
+└── ...
+```
+
+### Step 2: Create Migration
+
+```bash
+# Run from packages/db
+cd packages/db
+bunx prisma migrate dev --name your_migration_name
+```
+
+### Step 3: Regenerate Types in Apps
+
+```bash
+# Each app needs to regenerate Prisma client types
+bun run -F apps/app db:generate
+bun run -F apps/api db:generate
+bun run -F apps/portal db:generate
+
+# Or from root (if configured)
+bun run prisma:generate
+```
+
+### ✅ Always Do This
+
+```bash
+# 1. Make schema changes in packages/db
+# 2. Create migration
+cd packages/db && bunx prisma migrate dev --name add_user_role
+
+# 3. Regenerate types in ALL apps that use the db
+bun run -F apps/app db:generate
+bun run -F apps/api db:generate
+```
+
+### ❌ Never Do This
+
+```bash
+# Don't edit schema in app directories
+apps/app/prisma/schema.prisma  # ❌ Wrong location
+
+# Don't forget to regenerate types
+bunx prisma migrate dev  # ✅ Created migration
+# ... forgot to run db:generate in apps  # ❌ Types out of sync
+```
+
+## Core Rule
+
+**Always use prefixed CUIDs for IDs** using `generate_prefixed_cuid`.
+
+## ID Pattern
+
+### ✅ Always Do This
+
+```prisma
 model User {
- id          String @id @default(dbgenerated("generate_prefixed_cuid('ctl'::text)"))
+  id String @id @default(dbgenerated("generate_prefixed_cuid('usr'::text)"))
+  // ... other fields
 }
 
-Rules
-- Params must include ::text
-- Function calls must be within dbgenerated()
+model Task {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('tsk'::text)"))
+  // ... other fields
+}
+
+model Organization {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('org'::text)"))
+  // ... other fields
+}
+```
+
+### ❌ Never Do This
+
+```prisma
+// Don't use UUID
+model User {
+  id String @id @default(uuid())
+}
+
+// Don't use auto-increment
+model User {
+  id Int @id @default(autoincrement())
+}
+
+// Don't forget ::text cast
+model User {
+  id String @id @default(dbgenerated("generate_prefixed_cuid('usr')")) // ❌ Missing ::text
+}
+```
+
+## Prefix Guidelines
+
+| Entity       | Prefix | Example ID                     |
+| ------------ | ------ | ------------------------------ |
+| User         | `usr`  | `usr_BJRIZLgRPuWt8MvMjkSY82f1` |
+| Organization | `org`  | `org_cK9xMnPqRs2tUvWx3yZa4b5c` |
+| Task         | `tsk`  | `tsk_dE6fGhIj7kLmNoP8qRsT9uVw` |
+| Control      | `ctl`  | `ctl_xY0zAaBb1cDdEe2fFgGh3iIj` |
+| Policy       | `pol`  | `pol_kK4lLmMn5oOpPq6rRsSt7uUv` |
+
+## Rules
+
+1. **Short prefixes** - Use 2-3 characters
+2. **Unique prefixes** - Each model gets its own prefix
+3. **Always cast** - Include `::text` in the function call
+4. **Use dbgenerated** - Wrap the function call in `dbgenerated()`
+
+## Benefits
+
+- Human-readable IDs at a glance (`usr_` vs `org_`)
+- Easy debugging in logs
+- Safe to expose in URLs
+- Unique across all tables
 
-This will generate a user readable ID such as `usr_BJRIZLgRPuWt8MvMjkSY82f1u3580YSW` 
+## Checklist
 
-We should aim for short but unique prefixes, usually 2-3 characters.
+After schema changes:
 
+- [ ] Schema edited in `packages/db/prisma/schema/`
+- [ ] Migration created with `bunx prisma migrate dev`
+- [ ] Types regenerated in `apps/app` with `db:generate`
+- [ ] Types regenerated in `apps/api` with `db:generate`
+- [ ] Types regenerated in `apps/portal` with `db:generate`
+- [ ] New models use prefixed CUID IDs
diff --git a/.cursor/rules/prompt-engineering.mdc b/.cursor/rules/prompt-engineering.mdc
new file mode 100644
index 000000000..59fd25f84
--- /dev/null
+++ b/.cursor/rules/prompt-engineering.mdc
@@ -0,0 +1,184 @@
+---
+description: Prompt engineering best practices - invoke with @prompt-engineering
+globs: .cursor/rules/*.mdc
+alwaysApply: false
+---
+
+# Prompt Engineering Best Practices
+
+Based on [Claude's Prompt Engineering Documentation](https://platform.claude.com/docs/en/build-with-claude/prompt-engineering/overview)
+
+## Core Principles
+
+### 1. Define Success Criteria First
+
+Before writing prompts:
+
+- **Establish clear objectives**: What constitutes a successful response?
+- **Create evaluation metrics**: How will you measure prompt effectiveness?
+- **Draft and iterate**: Start with a first draft and refine based on results
+
+### 2. When to Use Prompt Engineering vs Fine-tuning
+
+Prompt engineering is preferred because:
+
+- **Resource efficient**: Only requires text input, no GPUs
+- **Cost effective**: Uses base model pricing
+- **Maintains updates**: Works across model versions
+- **Time saving**: Instant results vs hours/days for fine-tuning
+- **Minimal data needs**: Works with zero-shot or few-shot
+- **Flexible iteration**: Quick experimentation cycle
+- **Preserves knowledge**: No catastrophic forgetting
+- **Transparent**: Human-readable, easy to debug
+
+---
+
+## The 8 Core Techniques
+
+### 1. Be Clear and Direct
+
+**Principle**: Provide explicit, unambiguous instructions.
+
+```
+❌ Bad: "Tell me about it"
+✅ Good: "Summarize the following article in three bullet points, focusing on key findings"
+
+❌ Bad: "Help with code"
+✅ Good: "Debug this Python function that should return the sum of even numbers in a list"
+```
+
+**Tips**:
+
+- State the task explicitly at the start
+- Specify the desired output format (bullet points, JSON, paragraphs)
+- Include constraints (word count, tone, audience)
+- Mention what to include AND what to exclude
+
+### 2. Use Examples (Multishot Prompting)
+
+**Principle**: Show the model what you want through examples.
+
+```xml
+<examples>
+  <example>
+    <input>The movie was absolutely terrible, waste of time</input>
+    <output>{"sentiment": "negative", "confidence": 0.95}</output>
+  </example>
+  <example>
+    <input>Decent film, not great but watchable</input>
+    <output>{"sentiment": "neutral", "confidence": 0.7}</output>
+  </example>
+  <example>
+    <input>Best movie I've seen this year!</input>
+    <output>{"sentiment": "positive", "confidence": 0.9}</output>
+  </example>
+</examples>
+
+Now analyze: "The special effects were amazing but the plot was confusing"
+```
+
+**Tips**:
+
+- Include 3-5 diverse examples covering edge cases
+- Show examples of BOTH good and bad outputs
+- Match example complexity to your actual use case
+- Order examples from simple to complex
+
+### 3. Let Claude Think (Chain of Thought)
+
+**Principle**: Encourage step-by-step reasoning for complex tasks.
+
+```xml
+<instruction>
+Solve this problem step by step. Show your reasoning before giving the final answer.
+</instruction>
+
+<problem>
+A train leaves Station A at 9:00 AM traveling at 60 mph. Another train leaves
+Station B at 10:00 AM traveling at 80 mph toward Station A. The stations are
+280 miles apart. When will the trains meet?
+</problem>
+
+<thinking>
+[Let Claude work through the problem here]
+</thinking>
+
+<answer>
+[Final answer after reasoning]
+</answer>
+```
+
+**Tips**:
+
+- Use phrases like "Think step by step" or "Explain your reasoning"
+- For complex tasks, explicitly request a thinking section
+- Chain of thought improves accuracy on math, logic, and multi-step problems
+- Can use `<thinking>` tags to separate reasoning from output
+
+### 4. Use XML Tags
+
+**Principle**: Structure prompts with clear delimiters for better parsing.
+
+```xml
+<context>
+You are helping debug a penetration testing tool that automates security scans.
+</context>
+
+<task>
+Analyze the following error log and identify the root cause.
+</task>
+
+<error_log>
+[2024-01-15 10:23:45] ERROR: Connection timeout after 30s
+[2024-01-15 10:23:45] DEBUG: Target: 192.168.1.1:443
+[2024-01-15 10:23:45] DEBUG: Retry attempt 3 of 3
+</error_log>
+
+<output_format>
+Provide your analysis in this format:
+- Root cause: [one sentence]
+- Evidence: [relevant log lines]
+- Recommended fix: [actionable steps]
+</output_format>
+```
+
+**Common XML Tags**:
+
+- `<context>` - Background information
+- `<task>` or `<instruction>` - What to do
+- `<examples>` - Sample inputs/outputs
+- `<constraints>` - Limitations or rules
+- `<output_format>` - Expected response structure
+- `<thinking>` - Reasoning section
+- `<answer>` - Final response
+
+### 5. Give Claude a Role (System Prompts)
+
+**Principle**: Assign a persona to influence response style and expertise.
+
+```xml
+<role>
+You are a senior security researcher with 15 years of experience in penetration
+testing. You specialize in web application security and have discovered multiple
+CVEs. You communicate findings clearly and prioritize actionable recommendations.
+</role>
+
+<task>
+Review this HTTP response and identify potential security vulnerabilities.
+</task>
+```
+
+**Effective Role Elements**:
+
+- Expertise level (senior, expert, specialist)
+- Domain knowledge (security, finance, medicine)
+- Communication style (technical, friendly, formal)
+- Priorities (accuracy, brevity, thoroughness)
+
+### 6. Prefill Claude's Response
+
+**Principle**: Start the response to guide format and direction.
+
+```
+Human: List the top 3 security vulnerabilities in this code.
+```
diff --git a/.cursor/rules/react-code.mdc b/.cursor/rules/react-code.mdc
index 9aca50d91..e1479816a 100644
--- a/.cursor/rules/react-code.mdc
+++ b/.cursor/rules/react-code.mdc
@@ -1,13 +1,193 @@
 ---
-description: 
-globs: *.tsx
-alwaysApply: false
+description: React component standards and best practices
+globs: **/*.tsx
+alwaysApply: true
 ---
-When writing React code follow these standards:
-
-- Always export a named component
-- Always name components in PascalCase i.e (MyComponent)
-- Always name files that export components in PascalCase
-- Always round corners to rounded-xs
-- Always try to keep components small and modular
-- Always use sonner instead of toast.
\ No newline at end of file
+
+# React Code Standards
+
+## Component Structure
+
+### ✅ Always Do This
+
+```tsx
+// Named export with PascalCase
+export function TaskCard({ task }: TaskCardProps) {
+  return (
+    <Card>
+      <CardHeader>{task.title}</CardHeader>
+    </Card>
+  );
+}
+
+// File name matches component: TaskCard.tsx
+```
+
+### ❌ Never Do This
+
+```tsx
+// Default export
+export default function taskCard() { ... }
+
+// Lowercase file name: taskCard.tsx
+// Anonymous export: export default () => { ... }
+```
+
+## State Management
+
+### ✅ Prefer Derived State
+
+```tsx
+// Derive values from existing state
+function TaskList({ tasks }: { tasks: Task[] }) {
+  const completedCount = tasks.filter((t) => t.completed).length;
+  const pendingTasks = tasks.filter((t) => !t.completed);
+
+  return <div>{completedCount} completed</div>;
+}
+```
+
+### ❌ Avoid Unnecessary useEffect
+
+```tsx
+// ❌ BAD: Syncing derived state
+function TaskList({ tasks }) {
+  const [completedCount, setCompletedCount] = useState(0);
+
+  useEffect(() => {
+    setCompletedCount(tasks.filter((t) => t.completed).length);
+  }, [tasks]);
+}
+
+// ❌ BAD: Fetching in useEffect (use SWR instead)
+useEffect(() => {
+  fetch('/api/tasks').then((res) => setTasks(res.data));
+}, []);
+
+// ❌ BAD: Transforming props
+useEffect(() => {
+  setFilteredItems(items.filter((i) => i.active));
+}, [items]);
+```
+
+### ✅ When useEffect IS Appropriate
+
+```tsx
+// Subscribing to external systems
+useEffect(() => {
+  const subscription = eventSource.subscribe(handler);
+  return () => subscription.unsubscribe();
+}, []);
+
+// DOM measurements after render
+useEffect(() => {
+  const rect = ref.current?.getBoundingClientRect();
+  setHeight(rect?.height);
+}, []);
+
+// Third-party library integration
+useEffect(() => {
+  const chart = new Chart(canvasRef.current, config);
+  return () => chart.destroy();
+}, []);
+```
+
+## Notifications
+
+### ✅ Use Sonner
+
+```tsx
+import { toast } from 'sonner';
+
+// Success
+toast.success('Task created successfully');
+
+// Error
+toast.error('Failed to save changes');
+
+// With description
+toast.success('Task created', {
+  description: 'You can view it in your dashboard',
+});
+
+// Promise toast
+toast.promise(saveTask(), {
+  loading: 'Saving...',
+  success: 'Saved!',
+  error: 'Failed to save',
+});
+```
+
+### ❌ Never Use
+
+```tsx
+// Don't use alert
+alert('Task created');
+
+// Don't use other toast libraries
+import { useToast } from '@chakra-ui/react';
+import { toast } from 'react-toastify';
+```
+
+## Component Size
+
+### ✅ Keep Components Small
+
+```tsx
+// Split into focused components
+function TaskPage() {
+  return (
+    <div>
+      <TaskHeader />
+      <TaskFilters />
+      <TaskList />
+      <TaskPagination />
+    </div>
+  );
+}
+
+// Each component handles one thing
+function TaskFilters() {
+  // Only filter logic
+}
+
+function TaskList() {
+  // Only list rendering
+}
+```
+
+### ❌ Avoid Monolithic Components
+
+```tsx
+// ❌ Too much in one component
+function TaskPage() {
+  // 200+ lines of mixed concerns
+  // Filters, list, pagination, modals all in one
+}
+```
+
+## Event Handlers
+
+### ✅ Naming Convention
+
+```tsx
+// Prefix with "handle"
+const handleClick = () => { ... };
+const handleSubmit = (e: FormEvent) => { ... };
+const handleKeyDown = (e: KeyboardEvent) => { ... };
+const handleTaskCreate = (task: Task) => { ... };
+
+<Button onClick={handleClick}>
+<form onSubmit={handleSubmit}>
+```
+
+## Checklist
+
+Before committing React code:
+
+- [ ] Named exports only (no `export default`)
+- [ ] PascalCase component names and file names
+- [ ] No unnecessary `useEffect` for derived state
+- [ ] Uses `sonner` for toasts
+- [ ] Components are small and focused
+- [ ] Event handlers prefixed with `handle`
diff --git a/.cursor/rules/server-actions.mdc b/.cursor/rules/server-actions.mdc
deleted file mode 100644
index a716f2743..000000000
--- a/.cursor/rules/server-actions.mdc
+++ /dev/null
@@ -1,16 +0,0 @@
----
-description:
-globs: *.ts
-alwaysApply: false
----
-- Always use safe-actions [safe-action.ts](mdc:apps/app/src/actions/safe-action.ts), here's an example:
-[delete-integration-connection.ts](mdc:apps/app/src/actions/integrations/delete-integration-connection.ts)
-
-- Always revalidate the path based on the header x-path-name:
-
-		const headersList = await headers();
-		let path =
-			headersList.get("x-pathname") || headersList.get("referer") || "";
-		path = path.replace(/\/[a-z]{2}\//, "/");
-
-		revalidatePath(path);
\ No newline at end of file
diff --git a/.cursor/rules/trigger.advanced-tasks.mdc b/.cursor/rules/trigger.advanced-tasks.mdc
index 78551c1ba..910871ff6 100644
--- a/.cursor/rules/trigger.advanced-tasks.mdc
+++ b/.cursor/rules/trigger.advanced-tasks.mdc
@@ -3,6 +3,7 @@ description: Comprehensive rules to help you write advanced Trigger.dev tasks
 globs: **/trigger/**/*.ts
 alwaysApply: false
 ---
+
 # Trigger.dev Advanced Tasks (v4)
 
 **Advanced patterns and features for writing tasks**
@@ -10,10 +11,10 @@ alwaysApply: false
 ## Tags & Organization
 
 ```ts
-import { task, tags } from "@trigger.dev/sdk";
+import { task, tags } from '@trigger.dev/sdk';
 
 export const processUser = task({
-  id: "process-user",
+  id: 'process-user',
   run: async (payload: { userId: string; orgId: string }, { ctx }) => {
     // Add tags during execution
     await tags.add(`user_${payload.userId}`);
@@ -25,12 +26,12 @@ export const processUser = task({
 
 // Trigger with tags
 await processUser.trigger(
-  { userId: "123", orgId: "abc" },
-  { tags: ["priority", "user_123", "org_abc"] } // Max 10 tags per run
+  { userId: '123', orgId: 'abc' },
+  { tags: ['priority', 'user_123', 'org_abc'] }, // Max 10 tags per run
 );
 
 // Subscribe to tagged runs
-for await (const run of runs.subscribeToRunsWithTag("user_123")) {
+for await (const run of runs.subscribeToRunsWithTag('user_123')) {
   console.log(`User task ${run.id}: ${run.status}`);
 }
 ```
@@ -44,17 +45,17 @@ for await (const run of runs.subscribeToRunsWithTag("user_123")) {
 ## Concurrency & Queues
 
 ```ts
-import { task, queue } from "@trigger.dev/sdk";
+import { task, queue } from '@trigger.dev/sdk';
 
 // Shared queue for related tasks
 const emailQueue = queue({
-  name: "email-processing",
+  name: 'email-processing',
   concurrencyLimit: 5, // Max 5 emails processing simultaneously
 });
 
 // Task-level concurrency
 export const oneAtATime = task({
-  id: "sequential-task",
+  id: 'sequential-task',
   queue: { concurrencyLimit: 1 }, // Process one at a time
   run: async (payload) => {
     // Critical section - only one instance runs
@@ -63,7 +64,7 @@ export const oneAtATime = task({
 
 // Per-user concurrency
 export const processUserData = task({
-  id: "process-user-data",
+  id: 'process-user-data',
   run: async (payload: { userId: string }) => {
     // Override queue with user-specific concurrency
     await childTask.trigger(payload, {
@@ -76,7 +77,7 @@ export const processUserData = task({
 });
 
 export const emailTask = task({
-  id: "send-email",
+  id: 'send-email',
   queue: emailQueue, // Use shared queue
   run: async (payload: { to: string }) => {
     // Send email logic
@@ -87,10 +88,10 @@ export const emailTask = task({
 ## Error Handling & Retries
 
 ```ts
-import { task, retry, AbortTaskRunError } from "@trigger.dev/sdk";
+import { task, retry, AbortTaskRunError } from '@trigger.dev/sdk';
 
 export const resilientTask = task({
-  id: "resilient-task",
+  id: 'resilient-task',
   retry: {
     maxAttempts: 10,
     factor: 1.8, // Exponential backoff multiplier
@@ -100,8 +101,8 @@ export const resilientTask = task({
   },
   catchError: async ({ error, ctx }) => {
     // Custom error handling
-    if (error.code === "FATAL_ERROR") {
-      throw new AbortTaskRunError("Cannot retry this error");
+    if (error.code === 'FATAL_ERROR') {
+      throw new AbortTaskRunError('Cannot retry this error');
     }
 
     // Log error details
@@ -116,11 +117,11 @@ export const resilientTask = task({
       async () => {
         return await unstableApiCall(payload);
       },
-      { maxAttempts: 3 }
+      { maxAttempts: 3 },
     );
 
     // Conditional HTTP retries
-    const response = await retry.fetch("https://api.example.com", {
+    const response = await retry.fetch('https://api.example.com', {
       retry: {
         maxAttempts: 5,
         condition: (response, error) => {
@@ -138,12 +139,12 @@ export const resilientTask = task({
 
 ```ts
 export const heavyTask = task({
-  id: "heavy-computation",
-  machine: { preset: "large-2x" }, // 8 vCPU, 16 GB RAM
+  id: 'heavy-computation',
+  machine: { preset: 'large-2x' }, // 8 vCPU, 16 GB RAM
   maxDuration: 1800, // 30 minutes timeout
   run: async (payload, { ctx }) => {
     // Resource-intensive computation
-    if (ctx.machine.preset === "large-2x") {
+    if (ctx.machine.preset === 'large-2x') {
       // Use all available cores
       return await parallelProcessing(payload);
     }
@@ -154,7 +155,7 @@ export const heavyTask = task({
 
 // Override machine when triggering
 await heavyTask.trigger(payload, {
-  machine: { preset: "medium-1x" }, // Override for this run
+  machine: { preset: 'medium-1x' }, // Override for this run
 });
 ```
 
@@ -171,10 +172,10 @@ await heavyTask.trigger(payload, {
 ## Idempotency
 
 ```ts
-import { task, idempotencyKeys } from "@trigger.dev/sdk";
+import { task, idempotencyKeys } from '@trigger.dev/sdk';
 
 export const paymentTask = task({
-  id: "process-payment",
+  id: 'process-payment',
   retry: {
     maxAttempts: 3,
   },
@@ -185,22 +186,22 @@ export const paymentTask = task({
     // Ensure payment is processed only once
     await chargeCustomer.trigger(payload, {
       idempotencyKey,
-      idempotencyKeyTTL: "24h", // Key expires in 24 hours
+      idempotencyKeyTTL: '24h', // Key expires in 24 hours
     });
   },
 });
 
 // Payload-based idempotency
-import { createHash } from "node:crypto";
+import { createHash } from 'node:crypto';
 
 function createPayloadHash(payload: any): string {
-  const hash = createHash("sha256");
+  const hash = createHash('sha256');
   hash.update(JSON.stringify(payload));
-  return hash.digest("hex");
+  return hash.digest('hex');
 }
 
 export const deduplicatedTask = task({
-  id: "deduplicated-task",
+  id: 'deduplicated-task',
   run: async (payload) => {
     const payloadHash = createPayloadHash(payload);
     const idempotencyKey = await idempotencyKeys.create(payloadHash);
@@ -213,19 +214,19 @@ export const deduplicatedTask = task({
 ## Metadata & Progress Tracking
 
 ```ts
-import { task, metadata } from "@trigger.dev/sdk";
+import { task, metadata } from '@trigger.dev/sdk';
 
 export const batchProcessor = task({
-  id: "batch-processor",
+  id: 'batch-processor',
   run: async (payload: { items: any[] }, { ctx }) => {
     const totalItems = payload.items.length;
 
     // Initialize progress metadata
     metadata
-      .set("progress", 0)
-      .set("totalItems", totalItems)
-      .set("processedItems", 0)
-      .set("status", "starting");
+      .set('progress', 0)
+      .set('totalItems', totalItems)
+      .set('processedItems', 0)
+      .set('status', 'starting');
 
     const results = [];
 
@@ -239,14 +240,14 @@ export const batchProcessor = task({
       // Update progress
       const progress = ((i + 1) / totalItems) * 100;
       metadata
-        .set("progress", progress)
-        .increment("processedItems", 1)
-        .append("logs", `Processed item ${i + 1}/${totalItems}`)
-        .set("currentItem", item.id);
+        .set('progress', progress)
+        .increment('processedItems', 1)
+        .append('logs', `Processed item ${i + 1}/${totalItems}`)
+        .set('currentItem', item.id);
     }
 
     // Final status
-    metadata.set("status", "completed");
+    metadata.set('status', 'completed');
 
     return { results, totalProcessed: results.length };
   },
@@ -254,11 +255,11 @@ export const batchProcessor = task({
 
 // Update parent metadata from child task
 export const childTask = task({
-  id: "child-task",
+  id: 'child-task',
   run: async (payload, { ctx }) => {
     // Update parent task metadata
-    metadata.parent.set("childStatus", "processing");
-    metadata.root.increment("childrenCompleted", 1);
+    metadata.parent.set('childStatus', 'processing');
+    metadata.root.increment('childrenCompleted', 1);
 
     return { processed: true };
   },
@@ -270,15 +271,15 @@ export const childTask = task({
 ### Frontend Triggering (React)
 
 ```tsx
-"use client";
-import { useTaskTrigger } from "@trigger.dev/react-hooks";
-import type { myTask } from "../trigger/tasks";
+'use client';
+import { useTaskTrigger } from '@trigger.dev/react-hooks';
+import type { myTask } from '../trigger/tasks';
 
 function TriggerButton({ accessToken }: { accessToken: string }) {
-  const { submit, handle, isLoading } = useTaskTrigger<typeof myTask>("my-task", { accessToken });
+  const { submit, handle, isLoading } = useTaskTrigger<typeof myTask>('my-task', { accessToken });
 
   return (
-    <button onClick={() => submit({ data: "from frontend" })} disabled={isLoading}>
+    <button onClick={() => submit({ data: 'from frontend' })} disabled={isLoading}>
       Trigger Task
     </button>
   );
@@ -290,7 +291,7 @@ function TriggerButton({ accessToken }: { accessToken: string }) {
 ```ts
 // For payloads > 512KB (max 10MB)
 export const largeDataTask = task({
-  id: "large-data-task",
+  id: 'large-data-task',
   run: async (payload: { dataUrl: string }) => {
     // Trigger.dev automatically handles large payloads
     // For > 10MB, use external storage
@@ -303,7 +304,7 @@ export const largeDataTask = task({
 
 // Best practice: Use presigned URLs for very large files
 await largeDataTask.trigger({
-  dataUrl: "https://s3.amazonaws.com/bucket/large-file.json?presigned=true",
+  dataUrl: 'https://s3.amazonaws.com/bucket/large-file.json?presigned=true',
 });
 ```
 
@@ -311,18 +312,18 @@ await largeDataTask.trigger({
 
 ```ts
 await myTask.trigger(payload, {
-  delay: "2h30m", // Delay execution
-  ttl: "24h", // Expire if not started within 24 hours
+  delay: '2h30m', // Delay execution
+  ttl: '24h', // Expire if not started within 24 hours
   priority: 100, // Higher priority (time offset in seconds)
-  tags: ["urgent", "user_123"],
-  metadata: { source: "api", version: "v2" },
+  tags: ['urgent', 'user_123'],
+  metadata: { source: 'api', version: 'v2' },
   queue: {
-    name: "priority-queue",
+    name: 'priority-queue',
     concurrencyLimit: 10,
   },
-  idempotencyKey: "unique-operation-id",
-  idempotencyKeyTTL: "1h",
-  machine: { preset: "large-1x" },
+  idempotencyKey: 'unique-operation-id',
+  idempotencyKeyTTL: '1h',
+  machine: { preset: 'large-1x' },
   maxAttempts: 5,
 });
 ```
@@ -332,7 +333,7 @@ await myTask.trigger(payload, {
 ```ts
 // Hidden task - not exported, only used internally
 const internalProcessor = task({
-  id: "internal-processor",
+  id: 'internal-processor',
   run: async (payload: { data: string }) => {
     return { processed: payload.data.toUpperCase() };
   },
@@ -340,7 +341,7 @@ const internalProcessor = task({
 
 // Public task that uses hidden task
 export const publicWorkflow = task({
-  id: "public-workflow",
+  id: 'public-workflow',
   run: async (payload: { input: string }) => {
     // Use hidden task internally
     const result = await internalProcessor.triggerAndWait({
@@ -351,7 +352,7 @@ export const publicWorkflow = task({
       return { output: result.output.processed };
     }
 
-    throw new Error("Internal processing failed");
+    throw new Error('Internal processing failed');
   },
 });
 ```
@@ -359,36 +360,36 @@ export const publicWorkflow = task({
 ## Logging & Tracing
 
 ```ts
-import { task, logger } from "@trigger.dev/sdk";
+import { task, logger } from '@trigger.dev/sdk';
 
 export const tracedTask = task({
-  id: "traced-task",
+  id: 'traced-task',
   run: async (payload, { ctx }) => {
-    logger.info("Task started", { userId: payload.userId });
+    logger.info('Task started', { userId: payload.userId });
 
     // Custom trace with attributes
     const user = await logger.trace(
-      "fetch-user",
+      'fetch-user',
       async (span) => {
-        span.setAttribute("user.id", payload.userId);
-        span.setAttribute("operation", "database-fetch");
+        span.setAttribute('user.id', payload.userId);
+        span.setAttribute('operation', 'database-fetch');
 
         const userData = await database.findUser(payload.userId);
-        span.setAttribute("user.found", !!userData);
+        span.setAttribute('user.found', !!userData);
 
         return userData;
       },
-      { userId: payload.userId }
+      { userId: payload.userId },
     );
 
-    logger.debug("User fetched", { user: user.id });
+    logger.debug('User fetched', { user: user.id });
 
     try {
       const result = await processUser(user);
-      logger.info("Processing completed", { result });
+      logger.info('Processing completed', { result });
       return result;
     } catch (error) {
-      logger.error("Processing failed", {
+      logger.error('Processing failed', {
         error: error.message,
         userId: payload.userId,
       });
@@ -401,14 +402,14 @@ export const tracedTask = task({
 ## Usage Monitoring
 
 ```ts
-import { task, usage } from "@trigger.dev/sdk";
+import { task, usage } from '@trigger.dev/sdk';
 
 export const monitoredTask = task({
-  id: "monitored-task",
+  id: 'monitored-task',
   run: async (payload) => {
     // Get current run cost
     const currentUsage = await usage.getCurrent();
-    logger.info("Current cost", {
+    logger.info('Current cost', {
       costInCents: currentUsage.costInCents,
       durationMs: currentUsage.durationMs,
     });
@@ -418,7 +419,7 @@ export const monitoredTask = task({
       return await expensiveOperation(payload);
     });
 
-    logger.info("Operation cost", {
+    logger.info('Operation cost', {
       costInCents: compute.costInCents,
       durationMs: compute.durationMs,
     });
@@ -432,13 +433,13 @@ export const monitoredTask = task({
 
 ```ts
 // Cancel runs
-await runs.cancel("run_123");
+await runs.cancel('run_123');
 
 // Replay runs with same payload
-await runs.replay("run_123");
+await runs.replay('run_123');
 
 // Retrieve run with cost details
-const run = await runs.retrieve("run_123");
+const run = await runs.retrieve('run_123');
 console.log(`Cost: ${run.costInCents} cents, Duration: ${run.durationMs}ms`);
 ```
 
diff --git a/.cursor/rules/typescript-rules.mdc b/.cursor/rules/typescript-rules.mdc
index 95d60624e..d9a3d1f6d 100644
--- a/.cursor/rules/typescript-rules.mdc
+++ b/.cursor/rules/typescript-rules.mdc
@@ -1,10 +1,178 @@
 ---
-description: 
-globs: *.ts*
+description: TypeScript type safety rules - no any, no unsafe casting
+globs: **/*.{ts,tsx}
 alwaysApply: true
 ---
-When writing TypeScript code follow these standards:
 
-- Always use TypeScript
-- NEVER use the `any` type as all costs.
-- Try as much as possible to rely on TypeScript's inference instead of explicit type annotations.
\ No newline at end of file
+# TypeScript Standards
+
+## Core Rule
+
+**All code must be type-safe. Never use `any` or unsafe type casting.**
+
+## Type Safety
+
+### ✅ Always Do This
+
+```tsx
+// Explicit types for function parameters and returns
+const createTask = ({ title, assigneeId }: CreateTaskInput): Task => { ... };
+
+// Use unknown for truly unknown data, then narrow
+const parseResponse = (data: unknown): Task => {
+  if (!isTask(data)) throw new Error('Invalid task');
+  return data;
+};
+
+// Type guards for runtime checks
+const isTask = (value: unknown): value is Task => {
+  return typeof value === 'object' && value !== null && 'id' in value;
+};
+
+// Inference where obvious
+const tasks = [task1, task2]; // TypeScript infers Task[]
+const count = tasks.length;   // TypeScript infers number
+```
+
+### ❌ Never Do This
+
+```tsx
+// any - disables all type checking
+const data: any = fetchData();
+function process(input: any) { ... }
+
+// Type assertions to bypass safety
+const task = response as Task;           // ❌ Unsafe assertion
+const task = response as unknown as Task; // ❌ Double assertion hack
+const task = <Task>response;             // ❌ Legacy assertion syntax
+
+// Non-null assertions without checks
+const name = user!.name;      // ❌ Might crash
+const first = items![0]!.id;  // ❌ Multiple assumptions
+
+// @ts-ignore / @ts-expect-error to hide problems
+// @ts-ignore
+brokenCode();
+```
+
+## Handling External Data
+
+### ✅ Validate and Narrow
+
+```tsx
+// API responses - validate with zod
+import { z } from 'zod';
+
+const TaskSchema = z.object({
+  id: z.string(),
+  title: z.string(),
+  status: z.enum(['pending', 'completed']),
+});
+
+const fetchTask = async (id: string): Promise<Task> => {
+  const response = await apiClient.get(`/tasks/${id}`);
+  return TaskSchema.parse(response.data); // Throws if invalid
+};
+
+// JSON parsing
+const parseConfig = (json: string): Config => {
+  const parsed: unknown = JSON.parse(json);
+  return ConfigSchema.parse(parsed);
+};
+```
+
+### ❌ Never Trust External Data
+
+```tsx
+// Don't cast API responses
+const task = (await fetch('/api/task')).json() as Task; // ❌
+
+// Don't assume localStorage shape
+const settings = JSON.parse(localStorage.getItem('settings')!) as Settings; // ❌
+```
+
+## Generics Over Any
+
+### ✅ Use Generics
+
+```tsx
+// Generic function
+const first = <T>(items: T[]): T | undefined => items[0];
+
+// Generic component
+function List<T>({ items, renderItem }: ListProps<T>) {
+  return items.map(renderItem);
+}
+
+// Generic hook
+function useApiSWR<T>(endpoint: string): SWRResponse<T> { ... }
+```
+
+### ❌ Don't Fall Back to Any
+
+```tsx
+// ❌ Lazy any usage
+const first = (items: any[]): any => items[0];
+function List({ items, renderItem }: { items: any[], renderItem: any }) { ... }
+```
+
+## Strict Null Checks
+
+### ✅ Handle Null Properly
+
+```tsx
+// Optional chaining
+const name = user?.profile?.name;
+
+// Nullish coalescing
+const displayName = user.name ?? 'Anonymous';
+
+// Early return for null checks
+const processUser = (user: User | null) => {
+  if (!user) return null;
+  // user is now User (narrowed)
+  return user.name;
+};
+```
+
+### ❌ Don't Assume Non-Null
+
+```tsx
+// Non-null assertion without check
+const name = user!.name; // ❌ Crashes if user is null
+
+// Ignoring possible undefined
+const first = items[0].name; // ❌ Crashes if array is empty
+```
+
+## Exceptions
+
+The ONLY acceptable uses of type assertions:
+
+```tsx
+// 1. Test mocks (in test files only)
+const mockFn = vi.fn() as Mock<typeof realFn>;
+
+// 2. DOM refs after null check
+const input = inputRef.current;
+if (input) {
+  (input as HTMLInputElement).focus();
+}
+
+// 3. Event targets with type narrowing
+const handleChange = (e: Event) => {
+  const target = e.target as HTMLInputElement; // After checking it's an input
+};
+```
+
+## Checklist
+
+Before committing:
+
+- [ ] No `any` types anywhere
+- [ ] No unsafe type assertions (`as Type`)
+- [ ] No non-null assertions (`!`) without prior checks
+- [ ] No `@ts-ignore` or `@ts-expect-error`
+- [ ] External data validated with zod
+- [ ] Generics used instead of any for reusable code
+- [ ] Null/undefined handled with optional chaining or guards
diff --git a/apps/.cursor/rules/trigger.basic.mdc b/apps/.cursor/rules/trigger.basic.mdc
deleted file mode 100644
index 3d96e6657..000000000
--- a/apps/.cursor/rules/trigger.basic.mdc
+++ /dev/null
@@ -1,190 +0,0 @@
----
-description: Only the most important rules for writing basic Trigger.dev tasks
-globs: **/trigger/**/*.ts
-alwaysApply: false
----
-# Trigger.dev Basic Tasks (v4)
-
-**MUST use `@trigger.dev/sdk` (v4), NEVER `client.defineJob`**
-
-## Basic Task
-
-```ts
-import { task } from "@trigger.dev/sdk";
-
-export const processData = task({
-  id: "process-data",
-  retry: {
-    maxAttempts: 10,
-    factor: 1.8,
-    minTimeoutInMs: 500,
-    maxTimeoutInMs: 30_000,
-    randomize: false,
-  },
-  run: async (payload: { userId: string; data: any[] }) => {
-    // Task logic - runs for long time, no timeouts
-    console.log(`Processing ${payload.data.length} items for user ${payload.userId}`);
-    return { processed: payload.data.length };
-  },
-});
-```
-
-## Schema Task (with validation)
-
-```ts
-import { schemaTask } from "@trigger.dev/sdk";
-import { z } from "zod";
-
-export const validatedTask = schemaTask({
-  id: "validated-task",
-  schema: z.object({
-    name: z.string(),
-    age: z.number(),
-    email: z.string().email(),
-  }),
-  run: async (payload) => {
-    // Payload is automatically validated and typed
-    return { message: `Hello ${payload.name}, age ${payload.age}` };
-  },
-});
-```
-
-## Scheduled Task
-
-```ts
-import { schedules } from "@trigger.dev/sdk";
-
-const dailyReport = schedules.task({
-  id: "daily-report",
-  cron: "0 9 * * *", // Daily at 9:00 AM UTC
-  // or with timezone: cron: { pattern: "0 9 * * *", timezone: "America/New_York" },
-  run: async (payload) => {
-    console.log("Scheduled run at:", payload.timestamp);
-    console.log("Last run was:", payload.lastTimestamp);
-    console.log("Next 5 runs:", payload.upcoming);
-
-    // Generate daily report logic
-    return { reportGenerated: true, date: payload.timestamp };
-  },
-});
-```
-
-## Triggering Tasks
-
-### From Backend Code
-
-```ts
-import { tasks } from "@trigger.dev/sdk";
-import type { processData } from "./trigger/tasks";
-
-// Single trigger
-const handle = await tasks.trigger<typeof processData>("process-data", {
-  userId: "123",
-  data: [{ id: 1 }, { id: 2 }],
-});
-
-// Batch trigger
-const batchHandle = await tasks.batchTrigger<typeof processData>("process-data", [
-  { payload: { userId: "123", data: [{ id: 1 }] } },
-  { payload: { userId: "456", data: [{ id: 2 }] } },
-]);
-```
-
-### From Inside Tasks (with Result handling)
-
-```ts
-export const parentTask = task({
-  id: "parent-task",
-  run: async (payload) => {
-    // Trigger and continue
-    const handle = await childTask.trigger({ data: "value" });
-
-    // Trigger and wait - returns Result object, NOT task output
-    const result = await childTask.triggerAndWait({ data: "value" });
-    if (result.ok) {
-      console.log("Task output:", result.output); // Actual task return value
-    } else {
-      console.error("Task failed:", result.error);
-    }
-
-    // Quick unwrap (throws on error)
-    const output = await childTask.triggerAndWait({ data: "value" }).unwrap();
-
-    // Batch trigger and wait
-    const results = await childTask.batchTriggerAndWait([
-      { payload: { data: "item1" } },
-      { payload: { data: "item2" } },
-    ]);
-
-    for (const run of results) {
-      if (run.ok) {
-        console.log("Success:", run.output);
-      } else {
-        console.log("Failed:", run.error);
-      }
-    }
-  },
-});
-
-export const childTask = task({
-  id: "child-task",
-  run: async (payload: { data: string }) => {
-    return { processed: payload.data };
-  },
-});
-```
-
-> Never wrap triggerAndWait or batchTriggerAndWait calls in a Promise.all or Promise.allSettled as this is not supported in Trigger.dev tasks.
-
-## Waits
-
-```ts
-import { task, wait } from "@trigger.dev/sdk";
-
-export const taskWithWaits = task({
-  id: "task-with-waits",
-  run: async (payload) => {
-    console.log("Starting task");
-
-    // Wait for specific duration
-    await wait.for({ seconds: 30 });
-    await wait.for({ minutes: 5 });
-    await wait.for({ hours: 1 });
-    await wait.for({ days: 1 });
-
-    // Wait until specific date
-    await wait.until({ date: new Date("2024-12-25") });
-
-    // Wait for token (from external system)
-    await wait.forToken({
-      token: "user-approval-token",
-      timeoutInSeconds: 3600, // 1 hour timeout
-    });
-
-    console.log("All waits completed");
-    return { status: "completed" };
-  },
-});
-```
-
-> Never wrap wait calls in a Promise.all or Promise.allSettled as this is not supported in Trigger.dev tasks.
-
-## Key Points
-
-- **Result vs Output**: `triggerAndWait()` returns a `Result` object with `ok`, `output`, `error` properties - NOT the direct task output
-- **Type safety**: Use `import type` for task references when triggering from backend
-- **Waits > 5 seconds**: Automatically checkpointed, don't count toward compute usage
-
-## NEVER Use (v2 deprecated)
-
-```ts
-// BREAKS APPLICATION
-client.defineJob({
-  id: "job-id",
-  run: async (payload, io) => {
-    /* ... */
-  },
-});
-```
-
-Use v4 SDK (`@trigger.dev/sdk`), check `result.ok` before accessing `result.output`
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index e2a42ce41..0b016f2fd 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -16,6 +16,7 @@ RUN curl -fsSL https://bun.sh/install | bash \
   && bun install --production --ignore-scripts
 
 COPY node_modules/@trycompai ./node_modules/@trycompai
+COPY node_modules/@comp ./node_modules/@comp
 COPY node_modules/@prisma ./node_modules/@prisma
 COPY node_modules/.prisma ./node_modules/.prisma
 
diff --git a/apps/api/package.json b/apps/api/package.json
index bf007b2e0..27ef24fbb 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -9,11 +9,13 @@
     "@ai-sdk/openai": "^2.0.65",
     "@aws-sdk/client-s3": "^3.859.0",
     "@aws-sdk/s3-request-presigner": "^3.859.0",
+    "@comp/integration-platform": "workspace:*",
     "@nestjs/common": "^11.0.1",
     "@nestjs/config": "^4.0.2",
     "@nestjs/core": "^11.0.1",
     "@nestjs/platform-express": "^11.1.5",
     "@nestjs/swagger": "^11.2.0",
+    "@nestjs/throttler": "^6.5.0",
     "@prisma/client": "^6.13.0",
     "@prisma/instrumentation": "^6.13.0",
     "@react-email/components": "^0.0.41",
@@ -30,6 +32,7 @@
     "class-validator": "^0.14.2",
     "dotenv": "^17.2.3",
     "exceljs": "^4.4.0",
+    "helmet": "^8.1.0",
     "jose": "^6.0.12",
     "jspdf": "^3.0.3",
     "mammoth": "^1.8.0",
diff --git a/apps/api/packages/docs/openapi.json b/apps/api/packages/docs/openapi.json
new file mode 100644
index 000000000..ecbfb8935
--- /dev/null
+++ b/apps/api/packages/docs/openapi.json
@@ -0,0 +1,11109 @@
+{
+  "openapi": "3.0.0",
+  "paths": {
+    "/v1/organization": {
+      "get": {
+        "description": "Returns detailed information about the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "OrganizationController_getOrganization_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Organization information retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "The organization ID",
+                      "example": "org_abc123def456"
+                    },
+                    "name": {
+                      "type": "string",
+                      "description": "Organization name",
+                      "example": "Acme Corporation"
+                    },
+                    "slug": {
+                      "type": "string",
+                      "description": "Organization slug",
+                      "example": "acme-corp"
+                    },
+                    "logo": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Organization logo URL",
+                      "example": "https://example.com/logo.png"
+                    },
+                    "metadata": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Additional metadata in JSON format",
+                      "example": "{\"theme\": \"dark\", \"preferences\": {}}"
+                    },
+                    "website": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Organization website URL",
+                      "example": "https://acme-corp.com"
+                    },
+                    "onboardingCompleted": {
+                      "type": "boolean",
+                      "description": "Whether onboarding is completed",
+                      "example": true
+                    },
+                    "hasAccess": {
+                      "type": "boolean",
+                      "description": "Whether organization has access to the platform",
+                      "example": true
+                    },
+                    "fleetDmLabelId": {
+                      "type": "integer",
+                      "nullable": true,
+                      "description": "FleetDM label ID for device management",
+                      "example": 123
+                    },
+                    "isFleetSetupCompleted": {
+                      "type": "boolean",
+                      "description": "Whether FleetDM setup is completed",
+                      "example": false
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the organization was created"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get organization information",
+        "tags": [
+          "Organization"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates the authenticated organization. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "OrganizationController_updateOrganization_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Organization update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "name": {
+                    "type": "string",
+                    "description": "Organization name",
+                    "example": "New Acme Corporation"
+                  },
+                  "slug": {
+                    "type": "string",
+                    "description": "Organization slug",
+                    "example": "new-acme-corp"
+                  },
+                  "logo": {
+                    "type": "string",
+                    "description": "Organization logo URL",
+                    "example": "https://example.com/logo.png"
+                  },
+                  "metadata": {
+                    "type": "string",
+                    "description": "Additional metadata in JSON format",
+                    "example": "{\"theme\": \"dark\", \"preferences\": {}}"
+                  },
+                  "website": {
+                    "type": "string",
+                    "description": "Organization website URL",
+                    "example": "https://acme-corp.com"
+                  },
+                  "onboardingCompleted": {
+                    "type": "boolean",
+                    "description": "Whether onboarding is completed",
+                    "example": true
+                  },
+                  "hasAccess": {
+                    "type": "boolean",
+                    "description": "Whether organization has access to the platform",
+                    "example": true
+                  },
+                  "fleetDmLabelId": {
+                    "type": "integer",
+                    "description": "FleetDM label ID for device management",
+                    "example": 123
+                  },
+                  "isFleetSetupCompleted": {
+                    "type": "boolean",
+                    "description": "Whether FleetDM setup is completed",
+                    "example": false
+                  }
+                },
+                "additionalProperties": false
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Organization updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "The organization ID",
+                      "example": "org_abc123def456"
+                    },
+                    "name": {
+                      "type": "string",
+                      "description": "Organization name",
+                      "example": "New Acme Corporation"
+                    },
+                    "slug": {
+                      "type": "string",
+                      "description": "Organization slug",
+                      "example": "new-acme-corp"
+                    },
+                    "logo": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Organization logo URL",
+                      "example": "https://example.com/logo.png"
+                    },
+                    "metadata": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Additional metadata in JSON format",
+                      "example": "{\"theme\": \"dark\", \"preferences\": {}}"
+                    },
+                    "website": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "Organization website URL",
+                      "example": "https://acme-corp.com"
+                    },
+                    "onboardingCompleted": {
+                      "type": "boolean",
+                      "description": "Whether onboarding is completed",
+                      "example": true
+                    },
+                    "hasAccess": {
+                      "type": "boolean",
+                      "description": "Whether organization has access to the platform",
+                      "example": true
+                    },
+                    "fleetDmLabelId": {
+                      "type": "integer",
+                      "nullable": true,
+                      "description": "FleetDM label ID for device management",
+                      "example": 123
+                    },
+                    "isFleetSetupCompleted": {
+                      "type": "boolean",
+                      "description": "Whether FleetDM setup is completed",
+                      "example": false
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the organization was created"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid update data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid slug format"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update organization",
+        "tags": [
+          "Organization"
+        ]
+      },
+      "delete": {
+        "description": "Permanently deletes the authenticated organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "OrganizationController_deleteOrganization_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Organization deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates successful deletion",
+                      "example": true
+                    },
+                    "deletedOrganization": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "The deleted organization ID",
+                          "example": "org_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "description": "The deleted organization name",
+                          "example": "Acme Corporation"
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete organization",
+        "tags": [
+          "Organization"
+        ]
+      }
+    },
+    "/v1/people": {
+      "get": {
+        "description": "Returns all members for the authenticated organization with their user information. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_getAllPeople_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "People retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "data": {
+                      "type": "array",
+                      "items": {
+                        "$ref": "#/components/schemas/PeopleResponseDto"
+                      }
+                    },
+                    "count": {
+                      "type": "number",
+                      "description": "Total number of people",
+                      "example": 25
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "User ID",
+                          "example": "usr_abc123def456"
+                        },
+                        "email": {
+                          "type": "string",
+                          "description": "User email",
+                          "example": "user@company.com"
+                        }
+                      }
+                    }
+                  }
+                },
+                "example": {
+                  "data": [
+                    {
+                      "id": "mem_abc123def456",
+                      "organizationId": "org_abc123def456",
+                      "userId": "usr_abc123def456",
+                      "role": "admin",
+                      "createdAt": "2024-01-01T00:00:00Z",
+                      "department": "it",
+                      "isActive": true,
+                      "fleetDmLabelId": 123,
+                      "user": {
+                        "id": "usr_abc123def456",
+                        "name": "John Doe",
+                        "email": "john.doe@company.com",
+                        "emailVerified": true,
+                        "image": "https://example.com/avatar.jpg",
+                        "createdAt": "2024-01-01T00:00:00Z",
+                        "updatedAt": "2024-01-15T00:00:00Z",
+                        "lastLogin": "2024-01-15T12:00:00Z"
+                      }
+                    }
+                  ],
+                  "count": 1,
+                  "authType": "api-key",
+                  "authenticatedUser": {
+                    "id": "usr_abc123def456",
+                    "email": "user@company.com"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Failed to retrieve members"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all people",
+        "tags": [
+          "People"
+        ]
+      },
+      "post": {
+        "description": "Adds a new member to the authenticated organization. The user must already exist in the system. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_createMember_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Member creation data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreatePeopleDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Member created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PeopleResponseDto"
+                },
+                "example": {
+                  "id": "mem_abc123def456",
+                  "organizationId": "org_abc123def456",
+                  "userId": "usr_abc123def456",
+                  "role": "admin",
+                  "createdAt": "2024-01-01T00:00:00Z",
+                  "department": "it",
+                  "isActive": true,
+                  "fleetDmLabelId": 123,
+                  "user": {
+                    "id": "usr_abc123def456",
+                    "name": "John Doe",
+                    "email": "john.doe@company.com",
+                    "emailVerified": true,
+                    "image": "https://example.com/avatar.jpg",
+                    "createdAt": "2024-01-01T00:00:00Z",
+                    "updatedAt": "2024-01-15T00:00:00Z",
+                    "lastLogin": "2024-01-15T12:00:00Z"
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid member data or user already exists",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "User user@example.com is already a member of this organization"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization or user not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "User with ID usr_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Failed to create member"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new member",
+        "tags": [
+          "People"
+        ]
+      }
+    },
+    "/v1/people/bulk": {
+      "post": {
+        "description": "Bulk adds multiple members to the authenticated organization. Each member must have a valid user ID that exists in the system. Members who already exist in the organization or have invalid data will be skipped with error details returned. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_bulkCreateMembers_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Bulk member creation data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/BulkCreatePeopleDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Bulk member creation completed",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "created": {
+                      "type": "array",
+                      "items": {
+                        "$ref": "#/components/schemas/PeopleResponseDto"
+                      },
+                      "description": "Successfully created members"
+                    },
+                    "errors": {
+                      "type": "array",
+                      "items": {
+                        "type": "object",
+                        "properties": {
+                          "index": {
+                            "type": "number",
+                            "description": "Index in the original array where the error occurred",
+                            "example": 2
+                          },
+                          "userId": {
+                            "type": "string",
+                            "description": "User ID that failed to be added",
+                            "example": "usr_abc123def456"
+                          },
+                          "error": {
+                            "type": "string",
+                            "description": "Error message explaining why the member could not be created",
+                            "example": "User user@example.com is already a member of this organization"
+                          }
+                        }
+                      },
+                      "description": "Members that failed to be created with error details"
+                    },
+                    "summary": {
+                      "type": "object",
+                      "properties": {
+                        "total": {
+                          "type": "number",
+                          "description": "Total number of members in the request",
+                          "example": 5
+                        },
+                        "successful": {
+                          "type": "number",
+                          "description": "Number of members successfully created",
+                          "example": 3
+                        },
+                        "failed": {
+                          "type": "number",
+                          "description": "Number of members that failed to be created",
+                          "example": 2
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "User ID",
+                          "example": "usr_abc123def456"
+                        },
+                        "email": {
+                          "type": "string",
+                          "description": "User email",
+                          "example": "user@company.com"
+                        }
+                      }
+                    }
+                  }
+                },
+                "example": {
+                  "created": [
+                    {
+                      "id": "mem_abc123def456",
+                      "organizationId": "org_abc123def456",
+                      "userId": "usr_abc123def456",
+                      "role": "member",
+                      "createdAt": "2024-01-01T00:00:00Z",
+                      "department": "it",
+                      "isActive": true,
+                      "fleetDmLabelId": 123,
+                      "user": {
+                        "id": "usr_abc123def456",
+                        "name": "John Doe",
+                        "email": "john.doe@company.com",
+                        "emailVerified": true,
+                        "image": "https://example.com/avatar.jpg",
+                        "createdAt": "2024-01-01T00:00:00Z",
+                        "updatedAt": "2024-01-15T00:00:00Z",
+                        "lastLogin": "2024-01-15T12:00:00Z"
+                      }
+                    }
+                  ],
+                  "errors": [
+                    {
+                      "index": 2,
+                      "userId": "usr_xyz789abc123",
+                      "error": "User user2@example.com is already a member of this organization"
+                    }
+                  ],
+                  "summary": {
+                    "total": 2,
+                    "successful": 1,
+                    "failed": 1
+                  },
+                  "authType": "api-key",
+                  "authenticatedUser": {
+                    "id": "usr_admin123",
+                    "email": "admin@company.com"
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid bulk data or validation errors",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Members array cannot be empty"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Bulk creation failed"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Add multiple members to organization",
+        "tags": [
+          "People"
+        ]
+      }
+    },
+    "/v1/people/{id}": {
+      "get": {
+        "description": "Returns a specific member by ID for the authenticated organization with their user information. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_getPersonById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Member ID",
+            "schema": {
+              "example": "mem_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Person retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PeopleResponseDto"
+                },
+                "example": {
+                  "id": "mem_abc123def456",
+                  "organizationId": "org_abc123def456",
+                  "userId": "usr_abc123def456",
+                  "role": "admin",
+                  "createdAt": "2024-01-01T00:00:00Z",
+                  "department": "it",
+                  "isActive": true,
+                  "fleetDmLabelId": 123,
+                  "user": {
+                    "id": "usr_abc123def456",
+                    "name": "John Doe",
+                    "email": "john.doe@company.com",
+                    "emailVerified": true,
+                    "image": "https://example.com/avatar.jpg",
+                    "createdAt": "2024-01-01T00:00:00Z",
+                    "updatedAt": "2024-01-15T00:00:00Z",
+                    "lastLogin": "2024-01-15T12:00:00Z"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization or member not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Member with ID mem_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get person by ID",
+        "tags": [
+          "People"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates a member. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_updateMember_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Member ID",
+            "schema": {
+              "example": "mem_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Member update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdatePeopleDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Member updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PeopleResponseDto"
+                },
+                "example": {
+                  "id": "mem_abc123def456",
+                  "organizationId": "org_abc123def456",
+                  "userId": "usr_abc123def456",
+                  "role": "member",
+                  "createdAt": "2024-01-01T00:00:00Z",
+                  "department": "it",
+                  "isActive": true,
+                  "fleetDmLabelId": 123,
+                  "user": {
+                    "id": "usr_abc123def456",
+                    "name": "John Doe",
+                    "email": "john.doe@company.com",
+                    "emailVerified": true,
+                    "image": "https://example.com/avatar.jpg",
+                    "createdAt": "2024-01-01T00:00:00Z",
+                    "updatedAt": "2024-01-15T00:00:00Z",
+                    "lastLogin": "2024-01-15T12:00:00Z"
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid update data or user conflict",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "User user@example.com is already a member of this organization"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization, member, or user not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Member with ID mem_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update member",
+        "tags": [
+          "People"
+        ]
+      },
+      "delete": {
+        "description": "Permanently removes a member from the organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PeopleController_deleteMember_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Member ID",
+            "schema": {
+              "example": "mem_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Member deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates successful deletion",
+                      "example": true
+                    },
+                    "deletedMember": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "The deleted member ID",
+                          "example": "mem_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "description": "The deleted member name",
+                          "example": "John Doe"
+                        },
+                        "email": {
+                          "type": "string",
+                          "description": "The deleted member email",
+                          "example": "john.doe@company.com"
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization or member not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Member with ID mem_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Failed to delete member"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete member",
+        "tags": [
+          "People"
+        ]
+      }
+    },
+    "/v1/risks": {
+      "get": {
+        "description": "Returns all risks for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "RisksController_getAllRisks_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Risks retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "data": {
+                      "type": "array",
+                      "items": {
+                        "type": "object",
+                        "properties": {
+                          "id": {
+                            "type": "string",
+                            "description": "Risk ID",
+                            "example": "rsk_abc123def456"
+                          },
+                          "title": {
+                            "type": "string",
+                            "description": "Risk title",
+                            "example": "Data breach vulnerability in user authentication system"
+                          },
+                          "description": {
+                            "type": "string",
+                            "description": "Risk description",
+                            "example": "Weak password requirements could lead to unauthorized access to user accounts"
+                          },
+                          "category": {
+                            "type": "string",
+                            "enum": [
+                              "customer",
+                              "governance",
+                              "operations",
+                              "other",
+                              "people",
+                              "regulatory",
+                              "reporting",
+                              "resilience",
+                              "technology",
+                              "vendor_management"
+                            ],
+                            "example": "technology"
+                          },
+                          "status": {
+                            "type": "string",
+                            "enum": [
+                              "open",
+                              "pending",
+                              "closed",
+                              "archived"
+                            ],
+                            "example": "open"
+                          },
+                          "likelihood": {
+                            "type": "string",
+                            "enum": [
+                              "very_unlikely",
+                              "unlikely",
+                              "possible",
+                              "likely",
+                              "very_likely"
+                            ],
+                            "example": "possible"
+                          },
+                          "impact": {
+                            "type": "string",
+                            "enum": [
+                              "insignificant",
+                              "minor",
+                              "moderate",
+                              "major",
+                              "severe"
+                            ],
+                            "example": "major"
+                          },
+                          "treatmentStrategy": {
+                            "type": "string",
+                            "enum": [
+                              "accept",
+                              "avoid",
+                              "mitigate",
+                              "transfer"
+                            ],
+                            "example": "mitigate"
+                          },
+                          "assigneeId": {
+                            "type": "string",
+                            "nullable": true,
+                            "description": "ID of the user assigned to this risk",
+                            "example": "mem_abc123def456"
+                          },
+                          "createdAt": {
+                            "type": "string",
+                            "format": "date-time",
+                            "description": "When the risk was created"
+                          },
+                          "updatedAt": {
+                            "type": "string",
+                            "format": "date-time",
+                            "description": "When the risk was last updated"
+                          }
+                        }
+                      }
+                    },
+                    "count": {
+                      "type": "number",
+                      "description": "Total number of risks",
+                      "example": 15
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all risks",
+        "tags": [
+          "Risks"
+        ]
+      },
+      "post": {
+        "description": "Creates a new risk for the authenticated organization. All required fields must be provided. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "RisksController_createRisk_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Risk creation data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateRiskDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Risk created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Risk ID",
+                      "example": "rsk_abc123def456"
+                    },
+                    "title": {
+                      "type": "string",
+                      "description": "Risk title",
+                      "example": "Data breach vulnerability in user authentication system"
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Risk description",
+                      "example": "Weak password requirements could lead to unauthorized access to user accounts"
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "customer",
+                        "governance",
+                        "operations",
+                        "other",
+                        "people",
+                        "regulatory",
+                        "reporting",
+                        "resilience",
+                        "technology",
+                        "vendor_management"
+                      ],
+                      "example": "technology"
+                    },
+                    "department": {
+                      "type": "string",
+                      "enum": [
+                        "none",
+                        "admin",
+                        "gov",
+                        "hr",
+                        "it",
+                        "itsm",
+                        "qms"
+                      ],
+                      "nullable": true,
+                      "example": "it"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "open",
+                        "pending",
+                        "closed",
+                        "archived"
+                      ],
+                      "example": "open"
+                    },
+                    "likelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "impact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "major"
+                    },
+                    "residualLikelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "treatmentStrategyDescription": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "Implement multi-factor authentication and strengthen password requirements"
+                    },
+                    "treatmentStrategy": {
+                      "type": "string",
+                      "enum": [
+                        "accept",
+                        "avoid",
+                        "mitigate",
+                        "transfer"
+                      ],
+                      "example": "mitigate"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to this risk",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "example": [
+                        "title should not be empty",
+                        "description should not be empty",
+                        "category must be a valid enum value"
+                      ]
+                    },
+                    "error": {
+                      "type": "string",
+                      "example": "Bad Request"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 400
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new risk",
+        "tags": [
+          "Risks"
+        ]
+      }
+    },
+    "/v1/risks/{id}": {
+      "get": {
+        "description": "Returns a specific risk by ID for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "RisksController_getRiskById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Risk ID",
+            "schema": {
+              "example": "rsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Risk retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Risk ID",
+                      "example": "rsk_abc123def456"
+                    },
+                    "title": {
+                      "type": "string",
+                      "description": "Risk title",
+                      "example": "Data breach vulnerability in user authentication system"
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Risk description",
+                      "example": "Weak password requirements could lead to unauthorized access to user accounts"
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "customer",
+                        "governance",
+                        "operations",
+                        "other",
+                        "people",
+                        "regulatory",
+                        "reporting",
+                        "resilience",
+                        "technology",
+                        "vendor_management"
+                      ],
+                      "example": "technology"
+                    },
+                    "department": {
+                      "type": "string",
+                      "enum": [
+                        "none",
+                        "admin",
+                        "gov",
+                        "hr",
+                        "it",
+                        "itsm",
+                        "qms"
+                      ],
+                      "nullable": true,
+                      "example": "it"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "open",
+                        "pending",
+                        "closed",
+                        "archived"
+                      ],
+                      "example": "open"
+                    },
+                    "likelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "impact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "major"
+                    },
+                    "residualLikelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "treatmentStrategyDescription": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "Implement multi-factor authentication and strengthen password requirements"
+                    },
+                    "treatmentStrategy": {
+                      "type": "string",
+                      "enum": [
+                        "accept",
+                        "avoid",
+                        "mitigate",
+                        "transfer"
+                      ],
+                      "example": "mitigate"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to this risk",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Risk not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Risk with ID rsk_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get risk by ID",
+        "tags": [
+          "Risks"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates a risk. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "RisksController_updateRisk_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Risk ID",
+            "schema": {
+              "example": "rsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Risk update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateRiskDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Risk updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Risk ID",
+                      "example": "rsk_abc123def456"
+                    },
+                    "title": {
+                      "type": "string",
+                      "description": "Risk title",
+                      "example": "Data breach vulnerability in user authentication system"
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Risk description",
+                      "example": "Weak password requirements could lead to unauthorized access to user accounts"
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "customer",
+                        "governance",
+                        "operations",
+                        "other",
+                        "people",
+                        "regulatory",
+                        "reporting",
+                        "resilience",
+                        "technology",
+                        "vendor_management"
+                      ],
+                      "example": "technology"
+                    },
+                    "department": {
+                      "type": "string",
+                      "enum": [
+                        "none",
+                        "admin",
+                        "gov",
+                        "hr",
+                        "it",
+                        "itsm",
+                        "qms"
+                      ],
+                      "nullable": true,
+                      "example": "it"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "open",
+                        "pending",
+                        "closed",
+                        "archived"
+                      ],
+                      "example": "open"
+                    },
+                    "likelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "impact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "major"
+                    },
+                    "residualLikelihood": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "treatmentStrategyDescription": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "Implement multi-factor authentication and strengthen password requirements"
+                    },
+                    "treatmentStrategy": {
+                      "type": "string",
+                      "enum": [
+                        "accept",
+                        "avoid",
+                        "mitigate",
+                        "transfer"
+                      ],
+                      "example": "mitigate"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to this risk",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the risk was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "example": [
+                        "title should not be empty",
+                        "category must be a valid enum value",
+                        "status must be a valid enum value"
+                      ]
+                    },
+                    "error": {
+                      "type": "string",
+                      "example": "Bad Request"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 400
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Risk not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Risk with ID rsk_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update risk",
+        "tags": [
+          "Risks"
+        ]
+      },
+      "delete": {
+        "description": "Permanently removes a risk from the organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "RisksController_deleteRisk_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Risk ID",
+            "schema": {
+              "example": "rsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Risk deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Risk deleted successfully"
+                    },
+                    "deletedRisk": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "Deleted risk ID",
+                          "example": "rsk_abc123def456"
+                        },
+                        "title": {
+                          "type": "string",
+                          "description": "Deleted risk title",
+                          "example": "Data breach vulnerability in user authentication system"
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Risk not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Risk with ID rsk_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete risk",
+        "tags": [
+          "Risks"
+        ]
+      }
+    },
+    "/v1/vendors": {
+      "get": {
+        "description": "Returns all vendors for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "VendorsController_getAllVendors_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Vendors retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "data": {
+                      "type": "array",
+                      "items": {
+                        "type": "object",
+                        "properties": {
+                          "id": {
+                            "type": "string",
+                            "description": "Vendor ID",
+                            "example": "vnd_abc123def456"
+                          },
+                          "name": {
+                            "type": "string",
+                            "description": "Vendor name",
+                            "example": "CloudTech Solutions Inc."
+                          },
+                          "description": {
+                            "type": "string",
+                            "description": "Vendor description",
+                            "example": "Cloud infrastructure provider offering AWS-like services"
+                          },
+                          "category": {
+                            "type": "string",
+                            "enum": [
+                              "cloud",
+                              "infrastructure",
+                              "software_as_a_service",
+                              "finance",
+                              "marketing",
+                              "sales",
+                              "hr",
+                              "other"
+                            ],
+                            "example": "cloud"
+                          },
+                          "status": {
+                            "type": "string",
+                            "enum": [
+                              "not_assessed",
+                              "in_progress",
+                              "assessed"
+                            ],
+                            "example": "not_assessed"
+                          },
+                          "inherentProbability": {
+                            "type": "string",
+                            "enum": [
+                              "very_unlikely",
+                              "unlikely",
+                              "possible",
+                              "likely",
+                              "very_likely"
+                            ],
+                            "example": "possible"
+                          },
+                          "inherentImpact": {
+                            "type": "string",
+                            "enum": [
+                              "insignificant",
+                              "minor",
+                              "moderate",
+                              "major",
+                              "severe"
+                            ],
+                            "example": "moderate"
+                          },
+                          "residualProbability": {
+                            "type": "string",
+                            "enum": [
+                              "very_unlikely",
+                              "unlikely",
+                              "possible",
+                              "likely",
+                              "very_likely"
+                            ],
+                            "example": "unlikely"
+                          },
+                          "residualImpact": {
+                            "type": "string",
+                            "enum": [
+                              "insignificant",
+                              "minor",
+                              "moderate",
+                              "major",
+                              "severe"
+                            ],
+                            "example": "minor"
+                          },
+                          "website": {
+                            "type": "string",
+                            "nullable": true,
+                            "example": "https://www.cloudtechsolutions.com"
+                          },
+                          "assigneeId": {
+                            "type": "string",
+                            "nullable": true,
+                            "description": "ID of the user assigned to manage this vendor",
+                            "example": "mem_abc123def456"
+                          },
+                          "createdAt": {
+                            "type": "string",
+                            "format": "date-time",
+                            "description": "When the vendor was created"
+                          },
+                          "updatedAt": {
+                            "type": "string",
+                            "format": "date-time",
+                            "description": "When the vendor was last updated"
+                          }
+                        }
+                      }
+                    },
+                    "count": {
+                      "type": "number",
+                      "description": "Total number of vendors",
+                      "example": 12
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all vendors",
+        "tags": [
+          "Vendors"
+        ]
+      },
+      "post": {
+        "description": "Creates a new vendor for the authenticated organization. All required fields must be provided. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "VendorsController_createVendor_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Vendor creation data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateVendorDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Vendor created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Vendor ID",
+                      "example": "vnd_abc123def456"
+                    },
+                    "name": {
+                      "type": "string",
+                      "description": "Vendor name",
+                      "example": "CloudTech Solutions Inc."
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Vendor description",
+                      "example": "Cloud infrastructure provider offering AWS-like services including compute, storage, and networking solutions for enterprise customers."
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "cloud",
+                        "infrastructure",
+                        "software_as_a_service",
+                        "finance",
+                        "marketing",
+                        "sales",
+                        "hr",
+                        "other"
+                      ],
+                      "example": "cloud"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "not_assessed",
+                        "in_progress",
+                        "assessed"
+                      ],
+                      "example": "not_assessed"
+                    },
+                    "inherentProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "inherentImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "moderate"
+                    },
+                    "residualProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "website": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "https://www.cloudtechsolutions.com"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to manage this vendor",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "example": [
+                        "name should not be empty",
+                        "description should not be empty",
+                        "category must be a valid enum value",
+                        "website must be a URL address"
+                      ]
+                    },
+                    "error": {
+                      "type": "string",
+                      "example": "Bad Request"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 400
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new vendor",
+        "tags": [
+          "Vendors"
+        ]
+      }
+    },
+    "/v1/vendors/{id}": {
+      "get": {
+        "description": "Returns a specific vendor by ID for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "VendorsController_getVendorById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Vendor ID",
+            "schema": {
+              "example": "vnd_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Vendor retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Vendor ID",
+                      "example": "vnd_abc123def456"
+                    },
+                    "name": {
+                      "type": "string",
+                      "description": "Vendor name",
+                      "example": "CloudTech Solutions Inc."
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Vendor description",
+                      "example": "Cloud infrastructure provider offering AWS-like services including compute, storage, and networking solutions for enterprise customers."
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "cloud",
+                        "infrastructure",
+                        "software_as_a_service",
+                        "finance",
+                        "marketing",
+                        "sales",
+                        "hr",
+                        "other"
+                      ],
+                      "example": "cloud"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "not_assessed",
+                        "in_progress",
+                        "assessed"
+                      ],
+                      "example": "not_assessed"
+                    },
+                    "inherentProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "inherentImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "moderate"
+                    },
+                    "residualProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "website": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "https://www.cloudtechsolutions.com"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to manage this vendor",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Vendor not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Vendor with ID vnd_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get vendor by ID",
+        "tags": [
+          "Vendors"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates a vendor. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "VendorsController_updateVendor_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Vendor ID",
+            "schema": {
+              "example": "vnd_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Vendor update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateVendorDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Vendor updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "description": "Vendor ID",
+                      "example": "vnd_abc123def456"
+                    },
+                    "name": {
+                      "type": "string",
+                      "description": "Vendor name",
+                      "example": "CloudTech Solutions Inc."
+                    },
+                    "description": {
+                      "type": "string",
+                      "description": "Vendor description",
+                      "example": "Cloud infrastructure provider offering AWS-like services including compute, storage, and networking solutions for enterprise customers."
+                    },
+                    "category": {
+                      "type": "string",
+                      "enum": [
+                        "cloud",
+                        "infrastructure",
+                        "software_as_a_service",
+                        "finance",
+                        "marketing",
+                        "sales",
+                        "hr",
+                        "other"
+                      ],
+                      "example": "cloud"
+                    },
+                    "status": {
+                      "type": "string",
+                      "enum": [
+                        "not_assessed",
+                        "in_progress",
+                        "assessed"
+                      ],
+                      "example": "assessed"
+                    },
+                    "inherentProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "possible"
+                    },
+                    "inherentImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "moderate"
+                    },
+                    "residualProbability": {
+                      "type": "string",
+                      "enum": [
+                        "very_unlikely",
+                        "unlikely",
+                        "possible",
+                        "likely",
+                        "very_likely"
+                      ],
+                      "example": "unlikely"
+                    },
+                    "residualImpact": {
+                      "type": "string",
+                      "enum": [
+                        "insignificant",
+                        "minor",
+                        "moderate",
+                        "major",
+                        "severe"
+                      ],
+                      "example": "minor"
+                    },
+                    "website": {
+                      "type": "string",
+                      "nullable": true,
+                      "example": "https://www.cloudtechsolutions.com"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_abc123def456"
+                    },
+                    "assigneeId": {
+                      "type": "string",
+                      "nullable": true,
+                      "description": "ID of the user assigned to manage this vendor",
+                      "example": "mem_abc123def456"
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was created"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time",
+                      "description": "When the vendor was last updated"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "example": [
+                        "name should not be empty",
+                        "category must be a valid enum value",
+                        "status must be a valid enum value",
+                        "website must be a URL address"
+                      ]
+                    },
+                    "error": {
+                      "type": "string",
+                      "example": "Bad Request"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 400
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Vendor not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Vendor with ID vnd_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update vendor",
+        "tags": [
+          "Vendors"
+        ]
+      },
+      "delete": {
+        "description": "Permanently removes a vendor from the organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "VendorsController_deleteVendor_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Vendor ID",
+            "schema": {
+              "example": "vnd_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Vendor deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Vendor deleted successfully"
+                    },
+                    "deletedVendor": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "Deleted vendor ID",
+                          "example": "vnd_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "description": "Deleted vendor name",
+                          "example": "CloudTech Solutions Inc."
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "description": "User information (only for session auth)",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "usr_def456ghi789"
+                        },
+                        "email": {
+                          "type": "string",
+                          "example": "user@example.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Vendor not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Vendor with ID vnd_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Internal server error"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete vendor",
+        "tags": [
+          "Vendors"
+        ]
+      }
+    },
+    "/v1/context": {
+      "get": {
+        "description": "Returns all context entries for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "ContextController_getAllContext_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Context entries retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "data": {
+                      "type": "array",
+                      "items": {
+                        "type": "object",
+                        "properties": {
+                          "id": {
+                            "type": "string"
+                          },
+                          "organizationId": {
+                            "type": "string"
+                          },
+                          "question": {
+                            "type": "string"
+                          },
+                          "answer": {
+                            "type": "string"
+                          },
+                          "tags": {
+                            "type": "array",
+                            "items": {
+                              "type": "string"
+                            }
+                          },
+                          "createdAt": {
+                            "type": "string",
+                            "format": "date-time"
+                          },
+                          "updatedAt": {
+                            "type": "string",
+                            "format": "date-time"
+                          }
+                        }
+                      }
+                    },
+                    "count": {
+                      "type": "number"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ]
+                    }
+                  }
+                },
+                "example": {
+                  "data": [
+                    {
+                      "id": "ctx_abc123def456",
+                      "organizationId": "org_xyz789uvw012",
+                      "question": "How do we handle user authentication in our application?",
+                      "answer": "We use a hybrid authentication system supporting both API keys and session-based authentication.",
+                      "tags": [
+                        "authentication",
+                        "security",
+                        "api",
+                        "sessions"
+                      ],
+                      "createdAt": "2024-01-15T10:30:00.000Z",
+                      "updatedAt": "2024-01-15T14:20:00.000Z"
+                    },
+                    {
+                      "id": "ctx_ghi789jkl012",
+                      "organizationId": "org_xyz789uvw012",
+                      "question": "What database do we use and why?",
+                      "answer": "We use PostgreSQL as our primary database with Prisma as the ORM.",
+                      "tags": [
+                        "database",
+                        "postgresql",
+                        "prisma",
+                        "architecture"
+                      ],
+                      "createdAt": "2024-01-14T09:15:00.000Z",
+                      "updatedAt": "2024-01-14T09:15:00.000Z"
+                    }
+                  ],
+                  "count": 2,
+                  "authType": "apikey"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 401
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Unauthorized",
+                  "statusCode": 401
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 404
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Organization not found",
+                  "statusCode": 404
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 500
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Internal server error",
+                  "statusCode": 500
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all context entries",
+        "tags": [
+          "Context"
+        ]
+      },
+      "post": {
+        "description": "Creates a new context entry for the authenticated organization. All required fields must be provided. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "ContextController_createContext_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Context entry data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateContextDto"
+              },
+              "examples": {
+                "Authentication Context": {
+                  "value": {
+                    "question": "How do we handle user authentication in our application?",
+                    "answer": "We use a hybrid authentication system supporting both API keys and session-based authentication. API keys are used for programmatic access while sessions are used for web interface interactions.",
+                    "tags": [
+                      "authentication",
+                      "security",
+                      "api",
+                      "sessions"
+                    ]
+                  }
+                },
+                "Database Context": {
+                  "value": {
+                    "question": "What database do we use and why?",
+                    "answer": "We use PostgreSQL as our primary database with Prisma as the ORM. PostgreSQL provides excellent performance, ACID compliance, and supports advanced features like JSON columns and full-text search.",
+                    "tags": [
+                      "database",
+                      "postgresql",
+                      "prisma",
+                      "architecture"
+                    ]
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Context entry created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string"
+                    },
+                    "organizationId": {
+                      "type": "string"
+                    },
+                    "question": {
+                      "type": "string"
+                    },
+                    "answer": {
+                      "type": "string"
+                    },
+                    "tags": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ]
+                    }
+                  }
+                },
+                "example": {
+                  "id": "ctx_abc123def456",
+                  "organizationId": "org_xyz789uvw012",
+                  "question": "How do we handle user authentication in our application?",
+                  "answer": "We use a hybrid authentication system supporting both API keys and session-based authentication.",
+                  "tags": [
+                    "authentication",
+                    "security",
+                    "api",
+                    "sessions"
+                  ],
+                  "createdAt": "2024-01-15T10:30:00.000Z",
+                  "updatedAt": "2024-01-15T10:30:00.000Z",
+                  "authType": "apikey"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      }
+                    },
+                    "error": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number"
+                    }
+                  }
+                },
+                "example": {
+                  "message": [
+                    "question should not be empty",
+                    "answer should not be empty"
+                  ],
+                  "error": "Bad Request",
+                  "statusCode": 400
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 401
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Unauthorized",
+                  "statusCode": 401
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 404
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Organization not found",
+                  "statusCode": 404
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 500
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Internal server error",
+                  "statusCode": 500
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new context entry",
+        "tags": [
+          "Context"
+        ]
+      }
+    },
+    "/v1/context/{id}": {
+      "get": {
+        "description": "Returns a specific context entry by ID for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "ContextController_getContextById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Context entry ID",
+            "schema": {
+              "example": "ctx_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Context entry retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "id": {
+                      "type": "string",
+                      "example": "ctx_abc123def456"
+                    },
+                    "organizationId": {
+                      "type": "string",
+                      "example": "org_xyz789uvw012"
+                    },
+                    "question": {
+                      "type": "string"
+                    },
+                    "answer": {
+                      "type": "string"
+                    },
+                    "tags": {
+                      "type": "array",
+                      "items": {
+                        "type": "string"
+                      },
+                      "example": [
+                        "authentication",
+                        "security"
+                      ]
+                    },
+                    "createdAt": {
+                      "type": "string",
+                      "format": "date-time"
+                    },
+                    "updatedAt": {
+                      "type": "string",
+                      "format": "date-time"
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ]
+                    }
+                  }
+                },
+                "example": {
+                  "id": "ctx_abc123def456",
+                  "organizationId": "org_xyz789uvw012",
+                  "question": "How do we handle user authentication in our application?",
+                  "answer": "We use a hybrid authentication system supporting both API keys and session-based authentication.",
+                  "tags": [
+                    "authentication",
+                    "security",
+                    "api",
+                    "sessions"
+                  ],
+                  "createdAt": "2024-01-15T10:30:00.000Z",
+                  "updatedAt": "2024-01-15T14:20:00.000Z",
+                  "authType": "apikey"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 401
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Unauthorized",
+                  "statusCode": 401
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Context entry not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 404
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Context entry with ID ctx_abc123def456 not found in organization org_xyz789uvw012",
+                  "statusCode": 404
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 500
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Internal server error",
+                  "statusCode": 500
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get context entry by ID",
+        "tags": [
+          "Context"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates a context entry. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "ContextController_updateContext_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Context entry ID",
+            "schema": {
+              "example": "ctx_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Partial context entry data to update",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateContextDto"
+              },
+              "examples": {
+                "Update Tags": {
+                  "value": {
+                    "tags": [
+                      "authentication",
+                      "security",
+                      "api",
+                      "sessions",
+                      "updated"
+                    ]
+                  }
+                },
+                "Update Answer": {
+                  "value": {
+                    "answer": "Updated: We use a hybrid authentication system supporting both API keys and session-based authentication. Recent updates include support for OAuth2 providers."
+                  }
+                }
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Context entry updated successfully",
+            "content": {
+              "application/json": {
+                "example": {
+                  "id": "ctx_abc123def456",
+                  "organizationId": "org_xyz789uvw012",
+                  "question": "How do we handle user authentication in our application?",
+                  "answer": "Updated: We use a hybrid authentication system supporting both API keys and session-based authentication with OAuth2 support.",
+                  "tags": [
+                    "authentication",
+                    "security",
+                    "api",
+                    "sessions",
+                    "oauth2"
+                  ],
+                  "createdAt": "2024-01-15T10:30:00.000Z",
+                  "updatedAt": "2024-01-15T15:45:00.000Z",
+                  "authType": "apikey"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid input data",
+            "content": {
+              "application/json": {
+                "example": {
+                  "message": [
+                    "tags must be an array of strings"
+                  ],
+                  "error": "Bad Request",
+                  "statusCode": 400
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "example": {
+                  "message": "Unauthorized",
+                  "statusCode": 401
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Context entry not found",
+            "content": {
+              "application/json": {
+                "example": {
+                  "message": "Context entry with ID ctx_abc123def456 not found in organization org_xyz789uvw012",
+                  "statusCode": 404
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "example": {
+                  "message": "Internal server error",
+                  "statusCode": 500
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update context entry",
+        "tags": [
+          "Context"
+        ]
+      },
+      "delete": {
+        "description": "Permanently removes a context entry from the organization. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "ContextController_deleteContext_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Context entry ID",
+            "schema": {
+              "example": "ctx_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Context entry deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "deletedContext": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string"
+                        },
+                        "question": {
+                          "type": "string"
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ]
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Context entry deleted successfully",
+                  "deletedContext": {
+                    "id": "ctx_abc123def456",
+                    "question": "How do we handle user authentication in our application?"
+                  },
+                  "authType": "apikey"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 401
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Unauthorized",
+                  "statusCode": 401
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Context entry not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 404
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Context entry with ID ctx_abc123def456 not found in organization org_xyz789uvw012",
+                  "statusCode": 404
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string"
+                    },
+                    "statusCode": {
+                      "type": "number",
+                      "example": 500
+                    }
+                  }
+                },
+                "example": {
+                  "message": "Internal server error",
+                  "statusCode": 500
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete context entry",
+        "tags": [
+          "Context"
+        ]
+      }
+    },
+    "/v1/devices": {
+      "get": {
+        "description": "Returns all devices for the authenticated organization from FleetDM. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "DevicesController_getAllDevices_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Devices retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "data": {
+                      "type": "array",
+                      "items": {
+                        "$ref": "#/components/schemas/DeviceResponseDto"
+                      }
+                    },
+                    "count": {
+                      "type": "number",
+                      "description": "Total number of devices",
+                      "example": 25
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    },
+                    "authenticatedUser": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "User ID",
+                          "example": "usr_abc123def456"
+                        },
+                        "email": {
+                          "type": "string",
+                          "description": "User email",
+                          "example": "user@company.com"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid or expired API key"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization with ID org_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error - FleetDM integration issue",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Organization does not have FleetDM configured"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all devices",
+        "tags": [
+          "Devices"
+        ]
+      }
+    },
+    "/v1/devices/member/{memberId}": {
+      "get": {
+        "description": "Returns all devices assigned to a specific member within the authenticated organization. Devices are fetched from FleetDM using the member's dedicated fleetDmLabelId. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "DevicesController_getDevicesByMember_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "memberId",
+            "required": true,
+            "in": "path",
+            "description": "Member ID to get devices for",
+            "schema": {
+              "example": "mem_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Member devices retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/DevicesByMemberResponseDto"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Organization or member not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Member with ID mem_abc123def456 not found in organization org_abc123def456"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error - FleetDM integration issue"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get devices by member ID",
+        "tags": [
+          "Devices"
+        ]
+      }
+    },
+    "/v1/policies": {
+      "get": {
+        "description": "Returns all policies for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PoliciesController_getAllPolicies_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Policies retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/PolicyResponseDto"
+                  }
+                },
+                "example": [
+                  {
+                    "id": "pol_abc123def456",
+                    "name": "Data Privacy Policy",
+                    "status": "draft",
+                    "content": [
+                      {
+                        "type": "paragraph",
+                        "content": [
+                          {
+                            "type": "text",
+                            "text": "..."
+                          }
+                        ]
+                      }
+                    ],
+                    "isRequiredToSign": true,
+                    "signedBy": [],
+                    "createdAt": "2024-01-01T00:00:00.000Z",
+                    "updatedAt": "2024-01-15T00:00:00.000Z",
+                    "organizationId": "org_abc123def456"
+                  }
+                ]
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all policies",
+        "tags": [
+          "Policies"
+        ]
+      },
+      "post": {
+        "description": "Creates a new policy for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PoliciesController_createPolicy_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Policy creation data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreatePolicyDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Policy created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PolicyResponseDto"
+                },
+                "example": {
+                  "id": "pol_abc123def456",
+                  "name": "Data Privacy Policy",
+                  "description": "This policy outlines how we handle and protect personal data",
+                  "status": "draft",
+                  "content": [
+                    {
+                      "type": "paragraph",
+                      "content": [
+                        {
+                          "type": "text",
+                          "text": "Policy content here"
+                        }
+                      ]
+                    }
+                  ],
+                  "frequency": "yearly",
+                  "department": "it",
+                  "isRequiredToSign": true,
+                  "signedBy": [],
+                  "reviewDate": "2024-12-31T00:00:00.000Z",
+                  "isArchived": false,
+                  "createdAt": "2024-01-01T00:00:00.000Z",
+                  "updatedAt": "2024-01-15T00:00:00.000Z",
+                  "organizationId": "org_abc123def456",
+                  "assigneeId": "usr_abc123def456",
+                  "approverId": "usr_xyz789abc123"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid policy data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid policy content format"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new policy",
+        "tags": [
+          "Policies"
+        ]
+      }
+    },
+    "/v1/policies/{id}": {
+      "get": {
+        "description": "Returns a specific policy by ID for the authenticated organization. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PoliciesController_getPolicy_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Policy ID",
+            "schema": {
+              "example": "pol_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Policy retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PolicyResponseDto"
+                },
+                "example": {
+                  "id": "pol_abc123def456",
+                  "name": "Data Privacy Policy",
+                  "status": "draft",
+                  "content": [
+                    {
+                      "type": "paragraph",
+                      "content": [
+                        {
+                          "type": "text",
+                          "text": "..."
+                        }
+                      ]
+                    }
+                  ],
+                  "isRequiredToSign": true,
+                  "signedBy": [],
+                  "createdAt": "2024-01-01T00:00:00.000Z",
+                  "updatedAt": "2024-01-15T00:00:00.000Z",
+                  "organizationId": "org_abc123def456"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Policy not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Policy with ID pol_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get policy by ID",
+        "tags": [
+          "Policies"
+        ]
+      },
+      "patch": {
+        "description": "Partially updates a policy. Only provided fields will be updated. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PoliciesController_updatePolicy_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Policy ID",
+            "schema": {
+              "example": "pol_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Policy update data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdatePolicyDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Policy updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/PolicyResponseDto"
+                },
+                "example": {
+                  "id": "pol_abc123def456",
+                  "name": "Data Privacy Policy",
+                  "description": "This policy outlines how we handle and protect personal data",
+                  "status": "published",
+                  "content": [
+                    {
+                      "type": "heading",
+                      "attrs": {
+                        "level": 2
+                      },
+                      "content": [
+                        {
+                          "type": "text",
+                          "text": "Purpose"
+                        }
+                      ]
+                    }
+                  ],
+                  "frequency": "yearly",
+                  "department": "it",
+                  "isRequiredToSign": true,
+                  "signedBy": [
+                    "usr_123"
+                  ],
+                  "reviewDate": "2024-12-31T00:00:00.000Z",
+                  "isArchived": false,
+                  "createdAt": "2024-01-01T00:00:00.000Z",
+                  "updatedAt": "2024-01-15T00:00:00.000Z",
+                  "organizationId": "org_abc123def456",
+                  "assigneeId": "usr_abc123def456",
+                  "approverId": "usr_xyz789abc123"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid update data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Validation failed"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Policy not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Policy with ID pol_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update policy",
+        "tags": [
+          "Policies"
+        ]
+      },
+      "delete": {
+        "description": "Permanently deletes a policy. This action cannot be undone. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "PoliciesController_deletePolicy_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Policy ID",
+            "schema": {
+              "example": "pol_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Policy deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates successful deletion",
+                      "example": true
+                    },
+                    "deletedPolicy": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "description": "The deleted policy ID",
+                          "example": "pol_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "description": "The deleted policy name",
+                          "example": "Data Privacy Policy"
+                        }
+                      }
+                    },
+                    "authType": {
+                      "type": "string",
+                      "enum": [
+                        "api-key",
+                        "session"
+                      ],
+                      "description": "How the request was authenticated"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication or insufficient permissions",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Policy not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Policy with ID pol_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete policy",
+        "tags": [
+          "Policies"
+        ]
+      }
+    },
+    "/v1/policies/{id}/ai-chat": {
+      "post": {
+        "description": "Stream AI responses for policy editing assistance. Returns a text/event-stream with AI-generated suggestions.",
+        "operationId": "PoliciesController_aiChatPolicy_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Policy ID",
+            "schema": {
+              "example": "pol_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AISuggestPolicyRequestDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Streaming AI response",
+            "content": {
+              "text/event-stream": {
+                "schema": {
+                  "type": "string"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "404": {
+            "description": "Policy not found"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Chat with AI about a policy",
+        "tags": [
+          "Policies"
+        ]
+      }
+    },
+    "/v1/device-agent/mac": {
+      "get": {
+        "description": "Downloads the Comp AI Device Agent installer for macOS as a DMG file. The agent helps monitor device compliance and security policies. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "DeviceAgentController_downloadMacAgent_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "default": {
+            "description": "macOS agent DMG file download",
+            "content": {
+              "application/x-apple-diskimage": {
+                "schema": {
+                  "type": "string",
+                  "format": "binary"
+                },
+                "example": "Binary DMG file content"
+              }
+            },
+            "headers": {
+              "Content-Disposition": {
+                "description": "Indicates file should be downloaded with specific filename",
+                "schema": {
+                  "type": "string",
+                  "example": "attachment; filename=\"Comp AI Agent-1.0.0-arm64.dmg\""
+                }
+              },
+              "Content-Type": {
+                "description": "MIME type for macOS disk image",
+                "schema": {
+                  "type": "string",
+                  "example": "application/x-apple-diskimage"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Download macOS Device Agent",
+        "tags": [
+          "Device Agent"
+        ]
+      }
+    },
+    "/v1/device-agent/windows": {
+      "get": {
+        "description": "Downloads a ZIP package containing the Comp AI Device Agent installer for Windows, along with setup scripts and instructions. The package includes an MSI installer, setup batch script customized for the organization and user, and a README with installation instructions. Supports both API key authentication (X-API-Key header) and session authentication (cookies + X-Organization-Id header).",
+        "operationId": "DeviceAgentController_downloadWindowsAgent_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "default": {
+            "description": "Windows agent ZIP file download containing MSI installer and setup scripts",
+            "content": {
+              "application/zip": {
+                "schema": {
+                  "type": "string",
+                  "format": "binary"
+                },
+                "example": "Binary ZIP file content"
+              }
+            },
+            "headers": {
+              "Content-Disposition": {
+                "description": "Indicates file should be downloaded with specific filename",
+                "schema": {
+                  "type": "string",
+                  "example": "attachment; filename=\"compai-device-agent-windows.zip\""
+                }
+              },
+              "Content-Type": {
+                "description": "MIME type for ZIP archive",
+                "schema": {
+                  "type": "string",
+                  "example": "application/zip"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Download Windows Device Agent ZIP",
+        "tags": [
+          "Device Agent"
+        ]
+      }
+    },
+    "/v1/attachments/{attachmentId}/download": {
+      "get": {
+        "description": "Generate a fresh signed URL for downloading any attachment",
+        "operationId": "AttachmentsController_getAttachmentDownloadUrl_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "attachmentId",
+            "required": true,
+            "in": "path",
+            "description": "Unique attachment identifier",
+            "schema": {
+              "example": "att_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Download URL generated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "downloadUrl": {
+                      "type": "string",
+                      "description": "Signed URL for downloading the file",
+                      "example": "https://bucket.s3.amazonaws.com/path/to/file.pdf?signature=..."
+                    },
+                    "expiresIn": {
+                      "type": "number",
+                      "description": "URL expiration time in seconds",
+                      "example": 900
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get attachment download URL",
+        "tags": [
+          "Attachments"
+        ]
+      }
+    },
+    "/v1/tasks": {
+      "get": {
+        "description": "Retrieve all tasks for the authenticated organization",
+        "operationId": "TasksController_getTasks_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Tasks retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/TaskResponseDto"
+                  }
+                },
+                "example": [
+                  {
+                    "id": "tsk_abc123def456",
+                    "title": "Implement user authentication",
+                    "description": "Add OAuth 2.0 authentication to the platform",
+                    "status": "in_progress",
+                    "createdAt": "2024-01-15T10:30:00Z",
+                    "updatedAt": "2024-01-15T10:30:00Z"
+                  }
+                ]
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all tasks",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}": {
+      "get": {
+        "description": "Retrieve a specific task by its ID",
+        "operationId": "TasksController_getTask_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Task retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/TaskResponseDto"
+                },
+                "example": {
+                  "id": "tsk_abc123def456",
+                  "title": "Implement user authentication",
+                  "description": "Add OAuth 2.0 authentication to the platform",
+                  "status": "in_progress",
+                  "createdAt": "2024-01-15T10:30:00Z",
+                  "updatedAt": "2024-01-15T10:30:00Z"
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task with ID tsk_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get task by ID",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/attachments": {
+      "get": {
+        "description": "Retrieve all attachments for a specific task",
+        "operationId": "TasksController_getTaskAttachments_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Attachments retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/AttachmentResponseDto"
+                  }
+                },
+                "example": [
+                  {
+                    "id": "att_abc123def456",
+                    "name": "evidence.pdf",
+                    "type": "application/pdf",
+                    "size": 123456,
+                    "downloadUrl": "https://bucket.s3.amazonaws.com/path/to/file.pdf?signature=...",
+                    "createdAt": "2024-01-15T10:30:00Z"
+                  }
+                ]
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task with ID tsk_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get task attachments",
+        "tags": [
+          "Tasks"
+        ]
+      },
+      "post": {
+        "description": "Upload a file attachment to a specific task",
+        "operationId": "TasksController_uploadTaskAttachment_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UploadAttachmentDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Attachment uploaded successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AttachmentResponseDto"
+                },
+                "example": {
+                  "id": "att_abc123def456",
+                  "entityId": "tsk_abc123def456",
+                  "entityType": "task",
+                  "fileName": "evidence.pdf",
+                  "fileType": "application/pdf",
+                  "fileSize": 123456,
+                  "createdAt": "2024-01-01T00:00:00Z",
+                  "createdBy": "usr_abc123def456"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Invalid file data or file too large",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "File exceeds maximum allowed size"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task with ID tsk_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Upload attachment to task",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/attachments/{attachmentId}/download": {
+      "get": {
+        "description": "Generate a signed URL for downloading a task attachment",
+        "operationId": "TasksController_getTaskAttachmentDownloadUrl_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "attachmentId",
+            "required": true,
+            "in": "path",
+            "description": "Unique attachment identifier",
+            "schema": {
+              "example": "att_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Download URL generated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "downloadUrl": {
+                      "type": "string",
+                      "description": "Signed URL for downloading the file",
+                      "example": "https://bucket.s3.amazonaws.com/path/to/file.pdf?signature=..."
+                    },
+                    "expiresIn": {
+                      "type": "number",
+                      "description": "URL expiration time in seconds",
+                      "example": 900
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task or attachment not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task or attachment not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get attachment download URL",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/attachments/{attachmentId}": {
+      "delete": {
+        "description": "Delete a specific attachment from a task",
+        "operationId": "TasksController_deleteTaskAttachment_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "attachmentId",
+            "required": true,
+            "in": "path",
+            "description": "Unique attachment identifier",
+            "schema": {
+              "example": "att_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Attachment deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "deletedAttachmentId": {
+                      "type": "string",
+                      "example": "att_abc123def456"
+                    },
+                    "message": {
+                      "type": "string",
+                      "example": "Attachment deleted successfully"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task or attachment not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task or attachment not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete task attachment",
+        "tags": [
+          "Tasks"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/automations": {
+      "get": {
+        "description": "Retrieve all automations for a specific task",
+        "operationId": "AutomationsController_getTaskAutomations_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Automations retrieved successfully"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all automations for a task",
+        "tags": [
+          "Task Automations"
+        ]
+      },
+      "post": {
+        "description": "Create an automation for collecting evidence for a specific task",
+        "operationId": "AutomationsController_createAutomation_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": "Automation created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "automation": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "auto_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "example": "Task Name - Evidence Collection"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid task ID or organization ID",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid task ID or organization ID"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Task not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Task not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new evidence automation",
+        "tags": [
+          "Task Automations"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/automations/{automationId}": {
+      "get": {
+        "description": "Retrieve details for a specific automation",
+        "operationId": "AutomationsController_getAutomation_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "automationId",
+            "required": true,
+            "in": "path",
+            "description": "Unique automation identifier",
+            "schema": {
+              "example": "auto_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Automation details retrieved successfully"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get automation details",
+        "tags": [
+          "Task Automations"
+        ]
+      },
+      "patch": {
+        "description": "Update the name or description of an existing automation",
+        "operationId": "AutomationsController_updateAutomation_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "automationId",
+            "required": true,
+            "in": "path",
+            "description": "Unique automation identifier",
+            "schema": {
+              "example": "auto_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateAutomationDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Automation updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "automation": {
+                      "type": "object",
+                      "properties": {
+                        "id": {
+                          "type": "string",
+                          "example": "auto_abc123def456"
+                        },
+                        "name": {
+                          "type": "string",
+                          "example": "Updated Automation Name"
+                        },
+                        "description": {
+                          "type": "string",
+                          "example": "Updated description"
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid automation ID or data",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Invalid automation data"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Automation not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Automation not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update an existing automation",
+        "tags": [
+          "Task Automations"
+        ]
+      },
+      "delete": {
+        "description": "Delete a specific automation and all its associated data",
+        "operationId": "AutomationsController_deleteAutomation_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Unique task identifier",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "automationId",
+            "required": true,
+            "in": "path",
+            "description": "Unique automation identifier",
+            "schema": {
+              "example": "auto_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Automation deleted successfully"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete an automation",
+        "tags": [
+          "Task Automations"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/automations/{automationId}/versions": {
+      "get": {
+        "description": "Retrieve all published versions of an automation script",
+        "operationId": "AutomationsController_getAutomationVersions_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Task ID",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "automationId",
+            "required": true,
+            "in": "path",
+            "description": "Automation ID",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "limit",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "offset",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Versions retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean"
+                    },
+                    "versions": {
+                      "type": "array",
+                      "items": {
+                        "type": "object",
+                        "properties": {
+                          "id": {
+                            "type": "string"
+                          },
+                          "version": {
+                            "type": "number"
+                          },
+                          "scriptKey": {
+                            "type": "string"
+                          },
+                          "changelog": {
+                            "type": "string",
+                            "nullable": true
+                          },
+                          "publishedBy": {
+                            "type": "string",
+                            "nullable": true
+                          },
+                          "createdAt": {
+                            "type": "string",
+                            "format": "date-time"
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all versions for an automation",
+        "tags": [
+          "Task Automations"
+        ]
+      }
+    },
+    "/v1/tasks/{taskId}/automations/runs": {
+      "get": {
+        "description": "Retrieve all evidence automation runs across automations for a specific task",
+        "operationId": "AutomationsController_getTaskAutomationRuns_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "description": "Task ID",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Automation runs retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "type": "object",
+                    "properties": {
+                      "id": {
+                        "type": "string",
+                        "example": "ear_abc123def456"
+                      },
+                      "status": {
+                        "type": "string",
+                        "enum": [
+                          "PENDING",
+                          "RUNNING",
+                          "COMPLETED",
+                          "FAILED"
+                        ]
+                      },
+                      "trigger": {
+                        "type": "string",
+                        "enum": [
+                          "MANUAL",
+                          "SCHEDULED",
+                          "EVENT"
+                        ]
+                      },
+                      "createdAt": {
+                        "type": "string",
+                        "format": "date-time"
+                      },
+                      "completedAt": {
+                        "type": "string",
+                        "format": "date-time",
+                        "nullable": true
+                      },
+                      "error": {
+                        "type": "object",
+                        "nullable": true
+                      }
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all automation runs for a task",
+        "tags": [
+          "Task Automations"
+        ]
+      }
+    },
+    "/v1/comments": {
+      "get": {
+        "description": "Retrieve all comments for a specific entity (task, policy, vendor, etc.)",
+        "operationId": "CommentsController_getComments_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "entityId",
+            "required": true,
+            "in": "query",
+            "description": "ID of the entity to get comments for",
+            "schema": {
+              "example": "tsk_abc123def456",
+              "type": "string"
+            }
+          },
+          {
+            "name": "entityType",
+            "required": true,
+            "in": "query",
+            "description": "Type of entity",
+            "schema": {
+              "enum": [
+                "task",
+                "vendor",
+                "risk",
+                "policy"
+              ],
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Comments retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/CommentResponseDto"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get comments for an entity",
+        "tags": [
+          "Comments"
+        ]
+      },
+      "post": {
+        "description": "Create a comment on an entity with optional file attachments",
+        "operationId": "CommentsController_createComment_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateCommentDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Comment created successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/CommentResponseDto"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Create a new comment",
+        "tags": [
+          "Comments"
+        ]
+      }
+    },
+    "/v1/comments/{commentId}": {
+      "put": {
+        "description": "Update the content of an existing comment (author only)",
+        "operationId": "CommentsController_updateComment_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "commentId",
+            "required": true,
+            "in": "path",
+            "description": "Unique comment identifier",
+            "schema": {
+              "example": "cmt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateCommentDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Comment updated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/CommentResponseDto"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update a comment",
+        "tags": [
+          "Comments"
+        ]
+      },
+      "delete": {
+        "description": "Delete a comment and all its attachments (author only)",
+        "operationId": "CommentsController_deleteComment_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "commentId",
+            "required": true,
+            "in": "path",
+            "description": "Unique comment identifier",
+            "schema": {
+              "example": "cmt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Comment deleted successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "example": true
+                    },
+                    "deletedCommentId": {
+                      "type": "string",
+                      "example": "cmt_abc123def456"
+                    },
+                    "message": {
+                      "type": "string",
+                      "example": "Comment deleted successfully"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Unauthorized"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Comment not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "message": {
+                      "type": "string",
+                      "example": "Comment with ID cmt_abc123def456 not found"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete a comment",
+        "tags": [
+          "Comments"
+        ]
+      }
+    },
+    "/v1/health": {
+      "get": {
+        "description": "Returns the health status of the API",
+        "operationId": "HealthController_getHealth_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": "API is healthy",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "status": {
+                      "type": "string",
+                      "example": "ok"
+                    },
+                    "timestamp": {
+                      "type": "string",
+                      "format": "date-time"
+                    },
+                    "uptime": {
+                      "type": "number",
+                      "description": "Process uptime in seconds"
+                    },
+                    "version": {
+                      "type": "string",
+                      "example": "1.0.0"
+                    }
+                  }
+                }
+              }
+            }
+          }
+        },
+        "summary": "Health check",
+        "tags": [
+          "Health"
+        ]
+      }
+    },
+    "/v1/trust-portal/domain/status": {
+      "get": {
+        "description": "Retrieve the verification status and DNS records for a custom domain configured in the Vercel trust portal project",
+        "operationId": "TrustPortalController_getDomainStatus_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "domain",
+            "required": true,
+            "in": "query",
+            "description": "The domain name to check status for",
+            "schema": {
+              "example": "portal.example.com",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Domain status retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/DomainStatusResponseDto"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication"
+          },
+          "500": {
+            "description": "Failed to retrieve domain status from Vercel"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get domain verification status",
+        "tags": [
+          "Trust Portal"
+        ]
+      }
+    },
+    "/v1/trust-access/{friendlyUrl}/requests": {
+      "post": {
+        "description": "External users submit request for data access from trust site",
+        "operationId": "TrustAccessController_createAccessRequest_v1",
+        "parameters": [
+          {
+            "name": "friendlyUrl",
+            "required": true,
+            "in": "path",
+            "description": "Trust Portal friendly URL or Organization ID",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateAccessRequestDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "201": {
+            "description": "Access request created and sent for review"
+          }
+        },
+        "summary": "Submit data access request",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests": {
+      "get": {
+        "description": "Get all access requests for organization",
+        "operationId": "TrustAccessController_listAccessRequests_v1",
+        "parameters": [
+          {
+            "name": "status",
+            "required": false,
+            "in": "query",
+            "schema": {
+              "type": "string",
+              "enum": [
+                "under_review",
+                "approved",
+                "denied",
+                "canceled"
+              ]
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Access requests retrieved"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "List access requests",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests/{id}": {
+      "get": {
+        "description": "Get detailed information about a specific access request",
+        "operationId": "TrustAccessController_getAccessRequest_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Request details returned"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get access request details",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests/{id}/approve": {
+      "post": {
+        "description": "Approve request and create time-limited grant",
+        "operationId": "TrustAccessController_approveRequest_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/ApproveAccessRequestDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Request approved successfully"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Approve access request",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests/{id}/deny": {
+      "post": {
+        "description": "Reject access request with reason",
+        "operationId": "TrustAccessController_denyRequest_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/DenyAccessRequestDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Request denied"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Deny access request",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/grants": {
+      "get": {
+        "description": "Get all active and expired grants",
+        "operationId": "TrustAccessController_listGrants_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Grants retrieved"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "List access grants",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/grants/{id}/revoke": {
+      "post": {
+        "description": "Immediately revoke active grant",
+        "operationId": "TrustAccessController_revokeGrant_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/RevokeGrantDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Grant revoked"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Revoke access grant",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/nda/{token}": {
+      "get": {
+        "description": "Fetch NDA agreement details for signing",
+        "operationId": "TrustAccessController_getNda_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "NDA details returned"
+          }
+        },
+        "summary": "Get NDA details by token",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/nda/{token}/preview-nda": {
+      "post": {
+        "description": "Generate preview NDA PDF for external user before signing",
+        "operationId": "TrustAccessController_previewNdaByToken_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Preview NDA generated"
+          }
+        },
+        "summary": "Preview NDA by token",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/nda/{token}/sign": {
+      "post": {
+        "description": "Sign NDA agreement, generate watermarked PDF, and create access grant",
+        "operationId": "TrustAccessController_signNda_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/SignNdaDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "NDA signed successfully"
+          }
+        },
+        "summary": "Sign NDA",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests/{id}/resend-nda": {
+      "post": {
+        "description": "Resend NDA signing email to requester",
+        "operationId": "TrustAccessController_resendNda_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "NDA email resent"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Resend NDA email",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/admin/requests/{id}/preview-nda": {
+      "post": {
+        "description": "Generate preview NDA with watermark and save to S3 with preview-* prefix",
+        "operationId": "TrustAccessController_previewNda_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Preview NDA generated"
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Preview NDA PDF",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/{friendlyUrl}/reclaim": {
+      "post": {
+        "description": "Generate access link for users with existing grants to redownload data",
+        "operationId": "TrustAccessController_reclaimAccess_v1",
+        "parameters": [
+          {
+            "name": "friendlyUrl",
+            "required": true,
+            "in": "path",
+            "description": "Trust Portal friendly URL or Organization ID",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/ReclaimAccessDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Access link sent to email"
+          }
+        },
+        "summary": "Reclaim access",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/access/{token}": {
+      "get": {
+        "description": "Retrieve compliance data using access token",
+        "operationId": "TrustAccessController_getGrantByAccessToken_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Grant data returned"
+          }
+        },
+        "summary": "Get grant data by access token",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/access/{token}/policies": {
+      "get": {
+        "description": "Get list of published policies available for download",
+        "operationId": "TrustAccessController_getPoliciesByAccessToken_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Policies list returned"
+          }
+        },
+        "summary": "List policies by access token",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/trust-access/access/{token}/policies/download-all": {
+      "get": {
+        "description": "Generate combined PDF from all published policy content with watermark",
+        "operationId": "TrustAccessController_downloadAllPolicies_v1",
+        "parameters": [
+          {
+            "name": "token",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Download URL for watermarked PDF returned"
+          }
+        },
+        "summary": "Download all policies as watermarked PDF",
+        "tags": [
+          "Trust Access"
+        ]
+      }
+    },
+    "/v1/framework-editor/task-template": {
+      "get": {
+        "description": "Retrieve all framework editor task templates",
+        "operationId": "TaskTemplateController_getAllTaskTemplates_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successfully retrieved all framework editor task templates",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "data": [
+                      {
+                        "id": "frk_tt_abc123def456",
+                        "name": "Monthly Security Review",
+                        "description": "Review and update security policies on a monthly basis",
+                        "frequency": "monthly",
+                        "department": "it",
+                        "createdAt": "2025-01-01T00:00:00.000Z",
+                        "updatedAt": "2025-01-01T00:00:00.000Z"
+                      }
+                    ],
+                    "count": 1,
+                    "authType": "session",
+                    "authenticatedUser": {
+                      "id": "user_123",
+                      "email": "user@example.com"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 401,
+                    "message": "Unauthorized"
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get all framework editor task templates",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      }
+    },
+    "/v1/framework-editor/task-template/{id}": {
+      "get": {
+        "description": "Retrieve a specific framework editor task template by its ID",
+        "operationId": "TaskTemplateController_getTaskTemplateById_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Framework editor task template ID",
+            "schema": {
+              "example": "frk_tt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successfully retrieved framework editor task template",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "id": "frk_tt_abc123def456",
+                    "name": "Monthly Security Review",
+                    "description": "Review and update security policies on a monthly basis",
+                    "frequency": "monthly",
+                    "department": "it",
+                    "createdAt": "2025-01-01T00:00:00.000Z",
+                    "updatedAt": "2025-01-01T00:00:00.000Z",
+                    "authType": "session",
+                    "authenticatedUser": {
+                      "id": "user_123",
+                      "email": "user@example.com"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 401,
+                    "message": "Unauthorized"
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Framework editor task template not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 404,
+                    "message": "Framework editor task template with ID frk_tt_abc123def456 not found"
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Get framework editor task template by ID",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      },
+      "patch": {
+        "description": "Update a framework editor task template by ID",
+        "operationId": "TaskTemplateController_updateTaskTemplate_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Framework editor task template ID",
+            "schema": {
+              "example": "frk_tt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "requestBody": {
+          "required": true,
+          "description": "Update framework editor task template data",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/UpdateTaskTemplateDto"
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Successfully updated framework editor task template",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "id": "frk_tt_abc123def456",
+                    "name": "Monthly Security Review (Updated)",
+                    "description": "Review and update security policies on a monthly basis",
+                    "frequency": "monthly",
+                    "department": "it",
+                    "createdAt": "2025-01-01T00:00:00.000Z",
+                    "updatedAt": "2025-01-02T00:00:00.000Z",
+                    "authType": "session",
+                    "authenticatedUser": {
+                      "id": "user_123",
+                      "email": "user@example.com"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad request - Invalid data provided",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 400,
+                    "message": "Validation failed"
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 401,
+                    "message": "Unauthorized"
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Framework editor task template not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 404,
+                    "message": "Framework editor task template with ID frk_tt_abc123def456 not found"
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Update framework editor task template",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      },
+      "delete": {
+        "description": "Delete a framework editor task template by ID",
+        "operationId": "TaskTemplateController_deleteTaskTemplate_v1",
+        "parameters": [
+          {
+            "name": "X-Organization-Id",
+            "in": "header",
+            "description": "Organization ID (required for session auth, optional for API key auth)",
+            "required": false,
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "description": "Framework editor task template ID",
+            "schema": {
+              "example": "frk_tt_abc123def456",
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successfully deleted framework editor task template",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "message": "Framework editor task template deleted successfully",
+                    "deletedTaskTemplate": {
+                      "id": "frk_tt_abc123def456",
+                      "name": "Monthly Security Review"
+                    },
+                    "authType": "session",
+                    "authenticatedUser": {
+                      "id": "user_123",
+                      "email": "user@example.com"
+                    }
+                  }
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Invalid or missing authentication",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 401,
+                    "message": "Unauthorized"
+                  }
+                }
+              }
+            }
+          },
+          "404": {
+            "description": "Framework editor task template not found",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 404,
+                    "message": "Framework editor task template with ID frk_tt_abc123def456 not found"
+                  }
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal server error",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "example": {
+                    "statusCode": 500,
+                    "message": "Internal server error"
+                  }
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "apikey": []
+          }
+        ],
+        "summary": "Delete framework editor task template",
+        "tags": [
+          "Framework Editor Task Templates"
+        ]
+      }
+    },
+    "/v1/integrations/oauth/availability": {
+      "get": {
+        "operationId": "OAuthController_checkAvailability_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth/start": {
+      "post": {
+        "operationId": "OAuthController_startOAuth_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth/callback": {
+      "get": {
+        "operationId": "OAuthController_oauthCallback_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps": {
+      "get": {
+        "operationId": "OAuthAppsController_listOAuthApps_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      },
+      "post": {
+        "operationId": "OAuthAppsController_saveOAuthApp_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps/setup/{providerSlug}": {
+      "get": {
+        "operationId": "OAuthAppsController_getSetupInfo_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps/{providerSlug}": {
+      "delete": {
+        "operationId": "OAuthAppsController_deleteOAuthApp_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/connections/providers": {
+      "get": {
+        "operationId": "ConnectionsController_listProviders_v1",
+        "parameters": [
+          {
+            "name": "activeOnly",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/providers/{slug}": {
+      "get": {
+        "operationId": "ConnectionsController_getProvider_v1",
+        "parameters": [
+          {
+            "name": "slug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections": {
+      "get": {
+        "operationId": "ConnectionsController_listConnections_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      },
+      "post": {
+        "operationId": "ConnectionsController_createConnection_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}": {
+      "get": {
+        "operationId": "ConnectionsController_getConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      },
+      "delete": {
+        "operationId": "ConnectionsController_deleteConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/test": {
+      "post": {
+        "operationId": "ConnectionsController_testConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/pause": {
+      "post": {
+        "operationId": "ConnectionsController_pauseConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/resume": {
+      "post": {
+        "operationId": "ConnectionsController_resumeConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/disconnect": {
+      "post": {
+        "operationId": "ConnectionsController_disconnectConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/admin/integrations": {
+      "get": {
+        "operationId": "AdminIntegrationsController_listIntegrations_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/{providerSlug}": {
+      "get": {
+        "operationId": "AdminIntegrationsController_getIntegration_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/credentials": {
+      "post": {
+        "operationId": "AdminIntegrationsController_savePlatformCredentials_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/credentials/{providerSlug}": {
+      "delete": {
+        "operationId": "AdminIntegrationsController_deletePlatformCredentials_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/checks/providers/{providerSlug}": {
+      "get": {
+        "operationId": "ChecksController_listProviderChecks_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}": {
+      "get": {
+        "operationId": "ChecksController_listConnectionChecks_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}/run": {
+      "post": {
+        "operationId": "ChecksController_runConnectionChecks_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}/run/{checkId}": {
+      "post": {
+        "operationId": "ChecksController_runSingleCheck_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "checkId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/variables/providers/{providerSlug}": {
+      "get": {
+        "operationId": "VariablesController_getProviderVariables_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/variables/connections/{connectionId}": {
+      "get": {
+        "operationId": "VariablesController_getConnectionVariables_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      },
+      "post": {
+        "operationId": "VariablesController_saveConnectionVariables_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/variables/connections/{connectionId}/options/{variableId}": {
+      "get": {
+        "operationId": "VariablesController_fetchVariableOptions_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "variableId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/template/{templateId}/checks": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getChecksForTaskTemplate_v1",
+        "parameters": [
+          {
+            "name": "templateId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/checks": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getChecksForTask_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/run-check": {
+      "post": {
+        "operationId": "TaskIntegrationsController_runCheckForTask_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/runs": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getTaskCheckRuns_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "limit",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    }
+  },
+  "info": {
+    "title": "API Documentation",
+    "description": "The API documentation for this application",
+    "version": "1.0",
+    "contact": {}
+  },
+  "tags": [],
+  "servers": [
+    {
+      "url": "https://api.trycomp.ai",
+      "description": "API Server"
+    }
+  ],
+  "components": {
+    "securitySchemes": {
+      "apikey": {
+        "type": "apiKey",
+        "in": "header",
+        "name": "X-API-Key",
+        "description": "API key for authentication"
+      }
+    },
+    "schemas": {
+      "UserResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "User ID",
+            "example": "usr_abc123def456"
+          },
+          "name": {
+            "type": "string",
+            "description": "User name",
+            "example": "John Doe"
+          },
+          "email": {
+            "type": "string",
+            "description": "User email",
+            "example": "john.doe@company.com"
+          },
+          "emailVerified": {
+            "type": "boolean",
+            "description": "Whether email is verified",
+            "example": true
+          },
+          "image": {
+            "type": "object",
+            "description": "User profile image URL",
+            "example": "https://example.com/avatar.jpg",
+            "nullable": true
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the user was created",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "updatedAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the user was last updated",
+            "example": "2024-01-15T00:00:00Z"
+          },
+          "lastLogin": {
+            "type": "object",
+            "description": "Last login time",
+            "example": "2024-01-15T12:00:00Z",
+            "nullable": true
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "email",
+          "emailVerified",
+          "image",
+          "createdAt",
+          "updatedAt",
+          "lastLogin"
+        ]
+      },
+      "PeopleResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Member ID",
+            "example": "mem_abc123def456"
+          },
+          "organizationId": {
+            "type": "string",
+            "description": "Organization ID this member belongs to",
+            "example": "org_abc123def456"
+          },
+          "userId": {
+            "type": "string",
+            "description": "User ID associated with member",
+            "example": "usr_abc123def456"
+          },
+          "role": {
+            "type": "string",
+            "description": "Member role",
+            "example": "admin"
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the member was created",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "department": {
+            "type": "string",
+            "description": "Member department",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "isActive": {
+            "type": "boolean",
+            "description": "Whether member is active",
+            "example": true
+          },
+          "fleetDmLabelId": {
+            "type": "object",
+            "description": "FleetDM label ID for member devices",
+            "example": 123,
+            "nullable": true
+          },
+          "user": {
+            "description": "User information",
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/UserResponseDto"
+              }
+            ]
+          }
+        },
+        "required": [
+          "id",
+          "organizationId",
+          "userId",
+          "role",
+          "createdAt",
+          "department",
+          "isActive",
+          "fleetDmLabelId",
+          "user"
+        ]
+      },
+      "CreatePeopleDto": {
+        "type": "object",
+        "properties": {
+          "userId": {
+            "type": "string",
+            "description": "User ID to associate with this member",
+            "example": "usr_abc123def456"
+          },
+          "role": {
+            "type": "string",
+            "description": "Role for the member",
+            "example": "admin"
+          },
+          "department": {
+            "type": "string",
+            "description": "Member department",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "isActive": {
+            "type": "boolean",
+            "description": "Whether member is active",
+            "example": true
+          },
+          "fleetDmLabelId": {
+            "type": "number",
+            "description": "FleetDM label ID for member devices",
+            "example": 123
+          }
+        },
+        "required": [
+          "userId",
+          "role"
+        ]
+      },
+      "BulkCreatePeopleDto": {
+        "type": "object",
+        "properties": {
+          "members": {
+            "description": "Array of members to create",
+            "example": [
+              {
+                "userId": "usr_abc123def456",
+                "role": "admin",
+                "department": "it",
+                "isActive": true,
+                "fleetDmLabelId": 123
+              },
+              {
+                "userId": "usr_def456ghi789",
+                "role": "member",
+                "department": "hr",
+                "isActive": true
+              }
+            ],
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/CreatePeopleDto"
+            }
+          }
+        },
+        "required": [
+          "members"
+        ]
+      },
+      "UpdatePeopleDto": {
+        "type": "object",
+        "properties": {
+          "userId": {
+            "type": "string",
+            "description": "User ID to associate with this member",
+            "example": "usr_abc123def456"
+          },
+          "role": {
+            "type": "string",
+            "description": "Role for the member",
+            "example": "admin"
+          },
+          "department": {
+            "type": "string",
+            "description": "Member department",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "isActive": {
+            "type": "boolean",
+            "description": "Whether to deactivate this member (soft delete)",
+            "example": false
+          },
+          "fleetDmLabelId": {
+            "type": "number",
+            "description": "FleetDM label ID for member devices",
+            "example": 123
+          }
+        }
+      },
+      "CreateRiskDto": {
+        "type": "object",
+        "properties": {
+          "title": {
+            "type": "string",
+            "description": "Risk title",
+            "example": "Data breach vulnerability in user authentication system"
+          },
+          "description": {
+            "type": "string",
+            "description": "Detailed description of the risk",
+            "example": "Weak password requirements could lead to unauthorized access to user accounts"
+          },
+          "category": {
+            "type": "string",
+            "description": "Risk category",
+            "enum": [
+              "customer",
+              "fraud",
+              "governance",
+              "operations",
+              "other",
+              "people",
+              "regulatory",
+              "reporting",
+              "resilience",
+              "technology",
+              "vendor_management"
+            ],
+            "example": "technology"
+          },
+          "department": {
+            "type": "string",
+            "description": "Department responsible for the risk",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "status": {
+            "type": "string",
+            "description": "Current status of the risk",
+            "enum": [
+              "open",
+              "pending",
+              "closed",
+              "archived"
+            ],
+            "default": "open",
+            "example": "open"
+          },
+          "likelihood": {
+            "type": "string",
+            "description": "Likelihood of the risk occurring",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "possible"
+          },
+          "impact": {
+            "type": "string",
+            "description": "Impact if the risk materializes",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "major"
+          },
+          "residualLikelihood": {
+            "type": "string",
+            "description": "Residual likelihood after treatment",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "unlikely"
+          },
+          "residualImpact": {
+            "type": "string",
+            "description": "Residual impact after treatment",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "minor"
+          },
+          "treatmentStrategyDescription": {
+            "type": "string",
+            "description": "Description of the treatment strategy",
+            "example": "Implement multi-factor authentication and strengthen password requirements"
+          },
+          "treatmentStrategy": {
+            "type": "string",
+            "description": "Risk treatment strategy",
+            "enum": [
+              "accept",
+              "avoid",
+              "mitigate",
+              "transfer"
+            ],
+            "default": "accept",
+            "example": "mitigate"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to this risk",
+            "example": "mem_abc123def456"
+          }
+        },
+        "required": [
+          "title",
+          "description",
+          "category",
+          "status",
+          "likelihood",
+          "impact",
+          "residualLikelihood",
+          "residualImpact",
+          "treatmentStrategy"
+        ]
+      },
+      "UpdateRiskDto": {
+        "type": "object",
+        "properties": {
+          "title": {
+            "type": "string",
+            "description": "Risk title",
+            "example": "Data breach vulnerability in user authentication system"
+          },
+          "description": {
+            "type": "string",
+            "description": "Detailed description of the risk",
+            "example": "Weak password requirements could lead to unauthorized access to user accounts"
+          },
+          "category": {
+            "type": "string",
+            "description": "Risk category",
+            "enum": [
+              "customer",
+              "fraud",
+              "governance",
+              "operations",
+              "other",
+              "people",
+              "regulatory",
+              "reporting",
+              "resilience",
+              "technology",
+              "vendor_management"
+            ],
+            "example": "technology"
+          },
+          "department": {
+            "type": "string",
+            "description": "Department responsible for the risk",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "status": {
+            "type": "string",
+            "description": "Current status of the risk",
+            "enum": [
+              "open",
+              "pending",
+              "closed",
+              "archived"
+            ],
+            "default": "open",
+            "example": "open"
+          },
+          "likelihood": {
+            "type": "string",
+            "description": "Likelihood of the risk occurring",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "possible"
+          },
+          "impact": {
+            "type": "string",
+            "description": "Impact if the risk materializes",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "major"
+          },
+          "residualLikelihood": {
+            "type": "string",
+            "description": "Residual likelihood after treatment",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "unlikely"
+          },
+          "residualImpact": {
+            "type": "string",
+            "description": "Residual impact after treatment",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "minor"
+          },
+          "treatmentStrategyDescription": {
+            "type": "string",
+            "description": "Description of the treatment strategy",
+            "example": "Implement multi-factor authentication and strengthen password requirements"
+          },
+          "treatmentStrategy": {
+            "type": "string",
+            "description": "Risk treatment strategy",
+            "enum": [
+              "accept",
+              "avoid",
+              "mitigate",
+              "transfer"
+            ],
+            "default": "accept",
+            "example": "mitigate"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to this risk",
+            "example": "mem_abc123def456"
+          }
+        }
+      },
+      "CreateVendorDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Vendor name",
+            "example": "CloudTech Solutions Inc."
+          },
+          "description": {
+            "type": "string",
+            "description": "Detailed description of the vendor and services provided",
+            "example": "Cloud infrastructure provider offering AWS-like services including compute, storage, and networking solutions for enterprise customers."
+          },
+          "category": {
+            "type": "string",
+            "description": "Vendor category",
+            "enum": [
+              "cloud",
+              "infrastructure",
+              "software_as_a_service",
+              "finance",
+              "marketing",
+              "sales",
+              "hr",
+              "other"
+            ],
+            "default": "other",
+            "example": "cloud"
+          },
+          "status": {
+            "type": "string",
+            "description": "Assessment status of the vendor",
+            "enum": [
+              "not_assessed",
+              "in_progress",
+              "assessed"
+            ],
+            "default": "not_assessed",
+            "example": "not_assessed"
+          },
+          "inherentProbability": {
+            "type": "string",
+            "description": "Inherent probability of risk before controls",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "possible"
+          },
+          "inherentImpact": {
+            "type": "string",
+            "description": "Inherent impact of risk before controls",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "moderate"
+          },
+          "residualProbability": {
+            "type": "string",
+            "description": "Residual probability after controls are applied",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "unlikely"
+          },
+          "residualImpact": {
+            "type": "string",
+            "description": "Residual impact after controls are applied",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "minor"
+          },
+          "website": {
+            "type": "string",
+            "description": "Vendor website URL",
+            "example": "https://www.cloudtechsolutions.com"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to manage this vendor",
+            "example": "mem_abc123def456"
+          }
+        },
+        "required": [
+          "name",
+          "description",
+          "category",
+          "status",
+          "inherentProbability",
+          "inherentImpact",
+          "residualProbability",
+          "residualImpact"
+        ]
+      },
+      "UpdateVendorDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Vendor name",
+            "example": "CloudTech Solutions Inc."
+          },
+          "description": {
+            "type": "string",
+            "description": "Detailed description of the vendor and services provided",
+            "example": "Cloud infrastructure provider offering AWS-like services including compute, storage, and networking solutions for enterprise customers."
+          },
+          "category": {
+            "type": "string",
+            "description": "Vendor category",
+            "enum": [
+              "cloud",
+              "infrastructure",
+              "software_as_a_service",
+              "finance",
+              "marketing",
+              "sales",
+              "hr",
+              "other"
+            ],
+            "default": "other",
+            "example": "cloud"
+          },
+          "status": {
+            "type": "string",
+            "description": "Assessment status of the vendor",
+            "enum": [
+              "not_assessed",
+              "in_progress",
+              "assessed"
+            ],
+            "default": "not_assessed",
+            "example": "not_assessed"
+          },
+          "inherentProbability": {
+            "type": "string",
+            "description": "Inherent probability of risk before controls",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "possible"
+          },
+          "inherentImpact": {
+            "type": "string",
+            "description": "Inherent impact of risk before controls",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "moderate"
+          },
+          "residualProbability": {
+            "type": "string",
+            "description": "Residual probability after controls are applied",
+            "enum": [
+              "very_unlikely",
+              "unlikely",
+              "possible",
+              "likely",
+              "very_likely"
+            ],
+            "default": "very_unlikely",
+            "example": "unlikely"
+          },
+          "residualImpact": {
+            "type": "string",
+            "description": "Residual impact after controls are applied",
+            "enum": [
+              "insignificant",
+              "minor",
+              "moderate",
+              "major",
+              "severe"
+            ],
+            "default": "insignificant",
+            "example": "minor"
+          },
+          "website": {
+            "type": "string",
+            "description": "Vendor website URL",
+            "example": "https://www.cloudtechsolutions.com"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to manage this vendor",
+            "example": "mem_abc123def456"
+          }
+        }
+      },
+      "CreateContextDto": {
+        "type": "object",
+        "properties": {
+          "question": {
+            "type": "string",
+            "description": "The question or topic this context entry addresses",
+            "example": "How do we handle user authentication in our application?"
+          },
+          "answer": {
+            "type": "string",
+            "description": "The answer or detailed explanation for the question",
+            "example": "We use a hybrid authentication system supporting both API keys and session-based authentication. API keys are used for programmatic access while sessions are used for web interface interactions."
+          },
+          "tags": {
+            "description": "Tags to categorize and help search this context entry",
+            "example": [
+              "authentication",
+              "security",
+              "api",
+              "sessions"
+            ],
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        },
+        "required": [
+          "question",
+          "answer"
+        ]
+      },
+      "UpdateContextDto": {
+        "type": "object",
+        "properties": {
+          "question": {
+            "type": "string",
+            "description": "The question or topic this context entry addresses",
+            "example": "How do we handle user authentication in our application?"
+          },
+          "answer": {
+            "type": "string",
+            "description": "The answer or detailed explanation for the question",
+            "example": "We use a hybrid authentication system supporting both API keys and session-based authentication. API keys are used for programmatic access while sessions are used for web interface interactions."
+          },
+          "tags": {
+            "description": "Tags to categorize and help search this context entry",
+            "example": [
+              "authentication",
+              "security",
+              "api",
+              "sessions"
+            ],
+            "type": "array",
+            "items": {
+              "type": "string"
+            }
+          }
+        }
+      },
+      "FleetPolicyDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "number",
+            "description": "Policy ID",
+            "example": 123
+          },
+          "name": {
+            "type": "string",
+            "description": "Policy name",
+            "example": "Password Policy"
+          },
+          "query": {
+            "type": "string",
+            "description": "Policy query",
+            "example": "SELECT * FROM users;"
+          },
+          "critical": {
+            "type": "boolean",
+            "description": "Whether policy is critical",
+            "example": true
+          },
+          "description": {
+            "type": "string",
+            "description": "Policy description",
+            "example": "Ensures strong passwords"
+          },
+          "author_id": {
+            "type": "number",
+            "description": "Author ID",
+            "example": 456
+          },
+          "author_name": {
+            "type": "string",
+            "description": "Author name",
+            "example": "John Doe"
+          },
+          "author_email": {
+            "type": "string",
+            "description": "Author email",
+            "example": "john@example.com"
+          },
+          "team_id": {
+            "type": "object",
+            "description": "Team ID",
+            "example": 789,
+            "nullable": true
+          },
+          "resolution": {
+            "type": "string",
+            "description": "Policy resolution",
+            "example": "Update password settings"
+          },
+          "platform": {
+            "type": "string",
+            "description": "Platform",
+            "example": "darwin"
+          },
+          "calendar_events_enabled": {
+            "type": "boolean",
+            "description": "Calendar events enabled",
+            "example": false
+          },
+          "created_at": {
+            "type": "string",
+            "description": "Created at",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "updated_at": {
+            "type": "string",
+            "description": "Updated at",
+            "example": "2024-01-15T00:00:00Z"
+          },
+          "response": {
+            "type": "string",
+            "description": "Policy response",
+            "example": "compliant"
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "query",
+          "critical",
+          "description",
+          "author_id",
+          "author_name",
+          "author_email",
+          "team_id",
+          "resolution",
+          "platform",
+          "calendar_events_enabled",
+          "created_at",
+          "updated_at",
+          "response"
+        ]
+      },
+      "DeviceResponseDto": {
+        "type": "object",
+        "properties": {
+          "created_at": {
+            "type": "string",
+            "description": "Device created at",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "updated_at": {
+            "type": "string",
+            "description": "Device updated at",
+            "example": "2024-01-15T00:00:00Z"
+          },
+          "software": {
+            "type": "array",
+            "description": "Software list",
+            "items": {
+              "type": "object"
+            }
+          },
+          "software_updated_at": {
+            "type": "string",
+            "description": "Software updated at",
+            "example": "2024-01-10T00:00:00Z"
+          },
+          "id": {
+            "type": "number",
+            "description": "Device ID",
+            "example": 123
+          },
+          "detail_updated_at": {
+            "type": "string",
+            "description": "Detail updated at",
+            "example": "2024-01-10T00:00:00Z"
+          },
+          "label_updated_at": {
+            "type": "string",
+            "description": "Label updated at",
+            "example": "2024-01-10T00:00:00Z"
+          },
+          "policy_updated_at": {
+            "type": "string",
+            "description": "Policy updated at",
+            "example": "2024-01-10T00:00:00Z"
+          },
+          "last_enrolled_at": {
+            "type": "string",
+            "description": "Last enrolled at",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "seen_time": {
+            "type": "string",
+            "description": "Last seen time",
+            "example": "2024-01-15T12:00:00Z"
+          },
+          "refetch_requested": {
+            "type": "boolean",
+            "description": "Refetch requested",
+            "example": false
+          },
+          "hostname": {
+            "type": "string",
+            "description": "Hostname",
+            "example": "johns-macbook"
+          },
+          "uuid": {
+            "type": "string",
+            "description": "Device UUID",
+            "example": "abc123def456"
+          },
+          "platform": {
+            "type": "string",
+            "description": "Platform",
+            "example": "darwin"
+          },
+          "osquery_version": {
+            "type": "string",
+            "description": "Osquery version",
+            "example": "5.10.2"
+          },
+          "orbit_version": {
+            "type": "string",
+            "description": "Orbit version",
+            "example": "1.19.0"
+          },
+          "fleet_desktop_version": {
+            "type": "string",
+            "description": "Fleet desktop version",
+            "example": "1.19.0"
+          },
+          "scripts_enabled": {
+            "type": "boolean",
+            "description": "Scripts enabled",
+            "example": true
+          },
+          "os_version": {
+            "type": "string",
+            "description": "OS version",
+            "example": "macOS 14.2.1"
+          },
+          "build": {
+            "type": "string",
+            "description": "Build",
+            "example": "23C71"
+          },
+          "platform_like": {
+            "type": "string",
+            "description": "Platform like",
+            "example": "darwin"
+          },
+          "code_name": {
+            "type": "string",
+            "description": "Code name",
+            "example": "sonoma"
+          },
+          "uptime": {
+            "type": "number",
+            "description": "Uptime in seconds",
+            "example": 86400
+          },
+          "memory": {
+            "type": "number",
+            "description": "Memory in bytes",
+            "example": 17179869184
+          },
+          "cpu_type": {
+            "type": "string",
+            "description": "CPU type",
+            "example": "x86_64"
+          },
+          "cpu_subtype": {
+            "type": "string",
+            "description": "CPU subtype",
+            "example": "x86_64h"
+          },
+          "cpu_brand": {
+            "type": "string",
+            "description": "CPU brand",
+            "example": "Intel(R) Core(TM) i7-9750H"
+          },
+          "cpu_physical_cores": {
+            "type": "number",
+            "description": "CPU physical cores",
+            "example": 6
+          },
+          "cpu_logical_cores": {
+            "type": "number",
+            "description": "CPU logical cores",
+            "example": 12
+          },
+          "hardware_vendor": {
+            "type": "string",
+            "description": "Hardware vendor",
+            "example": "Apple Inc."
+          },
+          "hardware_model": {
+            "type": "string",
+            "description": "Hardware model",
+            "example": "MacBookPro16,1"
+          },
+          "hardware_version": {
+            "type": "string",
+            "description": "Hardware version",
+            "example": "1.0"
+          },
+          "hardware_serial": {
+            "type": "string",
+            "description": "Hardware serial",
+            "example": "C02XW0AAJGH6"
+          },
+          "computer_name": {
+            "type": "string",
+            "description": "Computer name",
+            "example": "John's MacBook Pro"
+          },
+          "public_ip": {
+            "type": "string",
+            "description": "Public IP",
+            "example": "203.0.113.1"
+          },
+          "primary_ip": {
+            "type": "string",
+            "description": "Primary IP",
+            "example": "192.168.1.100"
+          },
+          "primary_mac": {
+            "type": "string",
+            "description": "Primary MAC",
+            "example": "00:11:22:33:44:55"
+          },
+          "distributed_interval": {
+            "type": "number",
+            "description": "Distributed interval",
+            "example": 10
+          },
+          "config_tls_refresh": {
+            "type": "number",
+            "description": "Config TLS refresh",
+            "example": 3600
+          },
+          "logger_tls_period": {
+            "type": "number",
+            "description": "Logger TLS period",
+            "example": 300
+          },
+          "team_id": {
+            "type": "object",
+            "description": "Team ID",
+            "example": 1,
+            "nullable": true
+          },
+          "pack_stats": {
+            "type": "array",
+            "description": "Pack stats",
+            "items": {
+              "type": "object"
+            }
+          },
+          "team_name": {
+            "type": "object",
+            "description": "Team name",
+            "example": "Engineering",
+            "nullable": true
+          },
+          "users": {
+            "type": "array",
+            "description": "Users",
+            "items": {
+              "type": "object"
+            }
+          },
+          "gigs_disk_space_available": {
+            "type": "number",
+            "description": "Disk space available in GB",
+            "example": 250.5
+          },
+          "percent_disk_space_available": {
+            "type": "number",
+            "description": "Percent disk space available",
+            "example": 75.2
+          },
+          "gigs_total_disk_space": {
+            "type": "number",
+            "description": "Total disk space in GB",
+            "example": 500
+          },
+          "disk_encryption_enabled": {
+            "type": "boolean",
+            "description": "Disk encryption enabled",
+            "example": true
+          },
+          "issues": {
+            "type": "object",
+            "description": "Issues",
+            "additionalProperties": true
+          },
+          "mdm": {
+            "type": "object",
+            "description": "MDM info",
+            "additionalProperties": true
+          },
+          "refetch_critical_queries_until": {
+            "type": "object",
+            "description": "Refetch critical queries until",
+            "example": "2024-01-20T00:00:00Z",
+            "nullable": true
+          },
+          "last_restarted_at": {
+            "type": "string",
+            "description": "Last restarted at",
+            "example": "2024-01-10T08:00:00Z"
+          },
+          "policies": {
+            "description": "Policies",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/FleetPolicyDto"
+            }
+          },
+          "labels": {
+            "type": "array",
+            "description": "Labels",
+            "items": {
+              "type": "object"
+            }
+          },
+          "packs": {
+            "type": "array",
+            "description": "Packs",
+            "items": {
+              "type": "object"
+            }
+          },
+          "batteries": {
+            "type": "array",
+            "description": "Batteries",
+            "items": {
+              "type": "object"
+            }
+          },
+          "end_users": {
+            "type": "array",
+            "description": "End users",
+            "items": {
+              "type": "object"
+            }
+          },
+          "last_mdm_enrolled_at": {
+            "type": "string",
+            "description": "Last MDM enrolled at",
+            "example": "2024-01-01T00:00:00Z"
+          },
+          "last_mdm_checked_in_at": {
+            "type": "string",
+            "description": "Last MDM checked in at",
+            "example": "2024-01-15T12:00:00Z"
+          },
+          "status": {
+            "type": "string",
+            "description": "Device status",
+            "example": "online"
+          },
+          "display_text": {
+            "type": "string",
+            "description": "Display text",
+            "example": "Johns MacBook Pro"
+          },
+          "display_name": {
+            "type": "string",
+            "description": "Display name",
+            "example": "John's MacBook Pro"
+          }
+        },
+        "required": [
+          "created_at",
+          "updated_at",
+          "software",
+          "software_updated_at",
+          "id",
+          "detail_updated_at",
+          "label_updated_at",
+          "policy_updated_at",
+          "last_enrolled_at",
+          "seen_time",
+          "refetch_requested",
+          "hostname",
+          "uuid",
+          "platform",
+          "osquery_version",
+          "orbit_version",
+          "fleet_desktop_version",
+          "scripts_enabled",
+          "os_version",
+          "build",
+          "platform_like",
+          "code_name",
+          "uptime",
+          "memory",
+          "cpu_type",
+          "cpu_subtype",
+          "cpu_brand",
+          "cpu_physical_cores",
+          "cpu_logical_cores",
+          "hardware_vendor",
+          "hardware_model",
+          "hardware_version",
+          "hardware_serial",
+          "computer_name",
+          "public_ip",
+          "primary_ip",
+          "primary_mac",
+          "distributed_interval",
+          "config_tls_refresh",
+          "logger_tls_period",
+          "team_id",
+          "pack_stats",
+          "team_name",
+          "users",
+          "gigs_disk_space_available",
+          "percent_disk_space_available",
+          "gigs_total_disk_space",
+          "disk_encryption_enabled",
+          "issues",
+          "mdm",
+          "refetch_critical_queries_until",
+          "last_restarted_at",
+          "policies",
+          "labels",
+          "packs",
+          "batteries",
+          "end_users",
+          "last_mdm_enrolled_at",
+          "last_mdm_checked_in_at",
+          "status",
+          "display_text",
+          "display_name"
+        ]
+      },
+      "MemberResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Member ID",
+            "example": "mem_abc123def456"
+          },
+          "userId": {
+            "type": "string",
+            "description": "User ID associated with member",
+            "example": "usr_abc123def456"
+          },
+          "role": {
+            "type": "string",
+            "description": "Member role",
+            "example": "admin"
+          },
+          "department": {
+            "type": "object",
+            "description": "Member department",
+            "example": "engineering",
+            "nullable": true
+          },
+          "isActive": {
+            "type": "boolean",
+            "description": "Whether member is active",
+            "example": true
+          },
+          "fleetDmLabelId": {
+            "type": "object",
+            "description": "FleetDM label ID for member devices",
+            "example": 123,
+            "nullable": true
+          },
+          "organizationId": {
+            "type": "string",
+            "description": "Organization ID this member belongs to",
+            "example": "org_abc123def456"
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the member was created",
+            "example": "2024-01-01T00:00:00Z"
+          }
+        },
+        "required": [
+          "id",
+          "userId",
+          "role",
+          "department",
+          "isActive",
+          "fleetDmLabelId",
+          "organizationId",
+          "createdAt"
+        ]
+      },
+      "DevicesByMemberResponseDto": {
+        "type": "object",
+        "properties": {
+          "data": {
+            "description": "Array of devices assigned to the member",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/DeviceResponseDto"
+            }
+          },
+          "count": {
+            "type": "number",
+            "description": "Total number of devices for this member",
+            "example": 3
+          },
+          "member": {
+            "description": "Member information",
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/MemberResponseDto"
+              }
+            ]
+          },
+          "authType": {
+            "type": "string",
+            "description": "How the request was authenticated",
+            "enum": [
+              "api-key",
+              "session"
+            ],
+            "example": "api-key"
+          },
+          "authenticatedUser": {
+            "type": "object",
+            "description": "Authenticated user information (present for session auth)",
+            "example": {
+              "id": "usr_abc123def456",
+              "email": "user@company.com"
+            }
+          }
+        },
+        "required": [
+          "data",
+          "count",
+          "member",
+          "authType"
+        ]
+      },
+      "PolicyResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "The policy ID",
+            "example": "pol_abc123def456"
+          },
+          "name": {
+            "type": "string",
+            "description": "Name of the policy",
+            "example": "Data Privacy Policy"
+          },
+          "description": {
+            "type": "string",
+            "description": "Description of the policy",
+            "example": "This policy outlines how we handle and protect personal data",
+            "nullable": true
+          },
+          "status": {
+            "type": "string",
+            "description": "Status of the policy",
+            "enum": [
+              "draft",
+              "published",
+              "needs_review"
+            ],
+            "example": "draft"
+          },
+          "content": {
+            "type": "array",
+            "description": "Content of the policy as TipTap JSON (array of nodes)",
+            "example": [
+              {
+                "type": "heading",
+                "attrs": {
+                  "level": 2,
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Purpose"
+                  }
+                ]
+              },
+              {
+                "type": "paragraph",
+                "attrs": {
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Verify workforce integrity and grant the right access at start, revoke at end."
+                  }
+                ]
+              }
+            ],
+            "items": {
+              "type": "object",
+              "additionalProperties": true
+            }
+          },
+          "frequency": {
+            "type": "string",
+            "description": "Review frequency of the policy",
+            "enum": [
+              "monthly",
+              "quarterly",
+              "yearly"
+            ],
+            "example": "yearly",
+            "nullable": true
+          },
+          "department": {
+            "type": "string",
+            "description": "Department this policy applies to",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it",
+            "nullable": true
+          },
+          "isRequiredToSign": {
+            "type": "boolean",
+            "description": "Whether this policy requires a signature",
+            "example": true
+          },
+          "signedBy": {
+            "type": "array",
+            "description": "List of user IDs who have signed this policy",
+            "example": [
+              "usr_123",
+              "usr_456"
+            ],
+            "items": {
+              "type": "string"
+            }
+          },
+          "reviewDate": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Review date for the policy",
+            "example": "2024-12-31T00:00:00.000Z",
+            "nullable": true
+          },
+          "isArchived": {
+            "type": "boolean",
+            "description": "Whether this policy is archived",
+            "example": false
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the policy was created",
+            "example": "2024-01-01T00:00:00.000Z"
+          },
+          "updatedAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the policy was last updated",
+            "example": "2024-01-15T00:00:00.000Z"
+          },
+          "lastArchivedAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the policy was last archived",
+            "example": "2024-02-01T00:00:00.000Z",
+            "nullable": true
+          },
+          "lastPublishedAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "When the policy was last published",
+            "example": "2024-01-10T00:00:00.000Z",
+            "nullable": true
+          },
+          "organizationId": {
+            "type": "string",
+            "description": "Organization ID this policy belongs to",
+            "example": "org_abc123def456"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to this policy",
+            "example": "usr_abc123def456",
+            "nullable": true
+          },
+          "approverId": {
+            "type": "string",
+            "description": "ID of the user who approved this policy",
+            "example": "usr_xyz789abc123",
+            "nullable": true
+          },
+          "policyTemplateId": {
+            "type": "string",
+            "description": "ID of the policy template this policy is based on",
+            "example": "plt_template123",
+            "nullable": true
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "description",
+          "status",
+          "content",
+          "frequency",
+          "department",
+          "isRequiredToSign",
+          "signedBy",
+          "reviewDate",
+          "isArchived",
+          "createdAt",
+          "updatedAt",
+          "lastArchivedAt",
+          "lastPublishedAt",
+          "organizationId",
+          "assigneeId",
+          "approverId",
+          "policyTemplateId"
+        ]
+      },
+      "CreatePolicyDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Name of the policy",
+            "example": "Data Privacy Policy"
+          },
+          "description": {
+            "type": "string",
+            "description": "Description of the policy",
+            "example": "This policy outlines how we handle and protect personal data"
+          },
+          "status": {
+            "type": "string",
+            "description": "Status of the policy",
+            "enum": [
+              "draft",
+              "published",
+              "needs_review"
+            ],
+            "example": "draft"
+          },
+          "content": {
+            "type": "array",
+            "description": "Content of the policy as TipTap JSON (array of nodes)",
+            "example": [
+              {
+                "type": "heading",
+                "attrs": {
+                  "level": 2,
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Purpose"
+                  }
+                ]
+              },
+              {
+                "type": "paragraph",
+                "attrs": {
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Verify workforce integrity and grant the right access at start, revoke at end."
+                  }
+                ]
+              }
+            ],
+            "items": {
+              "type": "object",
+              "additionalProperties": true
+            }
+          },
+          "frequency": {
+            "type": "string",
+            "description": "Review frequency of the policy",
+            "enum": [
+              "monthly",
+              "quarterly",
+              "yearly"
+            ],
+            "example": "yearly"
+          },
+          "department": {
+            "type": "string",
+            "description": "Department this policy applies to",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "isRequiredToSign": {
+            "type": "boolean",
+            "description": "Whether this policy requires a signature",
+            "example": true
+          },
+          "reviewDate": {
+            "type": "string",
+            "description": "Review date for the policy",
+            "example": "2024-12-31T00:00:00.000Z"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to this policy",
+            "example": "usr_abc123def456"
+          },
+          "approverId": {
+            "type": "string",
+            "description": "ID of the user who approved this policy",
+            "example": "usr_xyz789abc123"
+          },
+          "policyTemplateId": {
+            "type": "string",
+            "description": "ID of the policy template this policy is based on",
+            "example": "plt_template123"
+          },
+          "signedBy": {
+            "type": "array",
+            "description": "List of user IDs who have signed this policy",
+            "example": [
+              "usr_123",
+              "usr_456"
+            ],
+            "items": {
+              "type": "string"
+            }
+          }
+        },
+        "required": [
+          "name",
+          "content"
+        ]
+      },
+      "UpdatePolicyDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Name of the policy",
+            "example": "Data Privacy Policy"
+          },
+          "description": {
+            "type": "string",
+            "description": "Description of the policy",
+            "example": "This policy outlines how we handle and protect personal data"
+          },
+          "status": {
+            "type": "string",
+            "description": "Status of the policy",
+            "enum": [
+              "draft",
+              "published",
+              "needs_review"
+            ],
+            "example": "draft"
+          },
+          "content": {
+            "type": "array",
+            "description": "Content of the policy as TipTap JSON (array of nodes)",
+            "example": [
+              {
+                "type": "heading",
+                "attrs": {
+                  "level": 2,
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Purpose"
+                  }
+                ]
+              },
+              {
+                "type": "paragraph",
+                "attrs": {
+                  "textAlign": null
+                },
+                "content": [
+                  {
+                    "type": "text",
+                    "text": "Verify workforce integrity and grant the right access at start, revoke at end."
+                  }
+                ]
+              }
+            ],
+            "items": {
+              "type": "object",
+              "additionalProperties": true
+            }
+          },
+          "frequency": {
+            "type": "string",
+            "description": "Review frequency of the policy",
+            "enum": [
+              "monthly",
+              "quarterly",
+              "yearly"
+            ],
+            "example": "yearly"
+          },
+          "department": {
+            "type": "string",
+            "description": "Department this policy applies to",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          },
+          "isRequiredToSign": {
+            "type": "boolean",
+            "description": "Whether this policy requires a signature",
+            "example": true
+          },
+          "reviewDate": {
+            "type": "string",
+            "description": "Review date for the policy",
+            "example": "2024-12-31T00:00:00.000Z"
+          },
+          "assigneeId": {
+            "type": "string",
+            "description": "ID of the user assigned to this policy",
+            "example": "usr_abc123def456"
+          },
+          "approverId": {
+            "type": "string",
+            "description": "ID of the user who approved this policy",
+            "example": "usr_xyz789abc123"
+          },
+          "policyTemplateId": {
+            "type": "string",
+            "description": "ID of the policy template this policy is based on",
+            "example": "plt_template123"
+          },
+          "signedBy": {
+            "type": "array",
+            "description": "List of user IDs who have signed this policy",
+            "example": [
+              "usr_123",
+              "usr_456"
+            ],
+            "items": {
+              "type": "string"
+            }
+          },
+          "isArchived": {
+            "type": "boolean",
+            "description": "Whether to archive this policy",
+            "example": false
+          }
+        }
+      },
+      "AISuggestPolicyRequestDto": {
+        "type": "object",
+        "properties": {
+          "instructions": {
+            "type": "string",
+            "description": "User instructions about what changes to make to the policy",
+            "example": "Update the data retention section to specify a 7-year retention period"
+          },
+          "chatHistory": {
+            "type": "array",
+            "description": "Chat history for context (array of messages with role and content)",
+            "example": [
+              {
+                "role": "user",
+                "content": "Update the data retention policy"
+              },
+              {
+                "role": "assistant",
+                "content": "I can help with that..."
+              }
+            ],
+            "items": {
+              "type": "object",
+              "properties": {
+                "role": {
+                  "type": "string",
+                  "enum": [
+                    "user",
+                    "assistant"
+                  ]
+                },
+                "content": {
+                  "type": "string"
+                }
+              }
+            }
+          }
+        },
+        "required": [
+          "instructions"
+        ]
+      },
+      "TaskResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Unique identifier for the task",
+            "example": "tsk_abc123def456"
+          },
+          "title": {
+            "type": "string",
+            "description": "Task title",
+            "example": "Implement user authentication"
+          },
+          "description": {
+            "type": "string",
+            "description": "Task description",
+            "example": "Add OAuth 2.0 authentication to the platform"
+          },
+          "status": {
+            "type": "string",
+            "description": "Task status",
+            "example": "in_progress",
+            "enum": [
+              "todo",
+              "in_progress",
+              "done",
+              "blocked"
+            ]
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Task creation timestamp",
+            "example": "2024-01-15T10:30:00Z"
+          },
+          "updatedAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Task last update timestamp",
+            "example": "2024-01-15T10:30:00Z"
+          },
+          "taskTemplateId": {
+            "type": "object",
+            "description": "Task template ID",
+            "example": "frk_tt_68406e353df3bc002994acef",
+            "nullable": true
+          }
+        },
+        "required": [
+          "id",
+          "title",
+          "status",
+          "createdAt",
+          "updatedAt"
+        ]
+      },
+      "AttachmentResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Unique identifier for the attachment",
+            "example": "att_abc123def456"
+          },
+          "name": {
+            "type": "string",
+            "description": "Original filename",
+            "example": "document.pdf"
+          },
+          "type": {
+            "type": "string",
+            "description": "File type/MIME type",
+            "example": "application/pdf"
+          },
+          "size": {
+            "type": "number",
+            "description": "File size in bytes",
+            "example": 1024000
+          },
+          "downloadUrl": {
+            "type": "string",
+            "description": "Signed URL for downloading the file (temporary)",
+            "example": "https://bucket.s3.amazonaws.com/path/to/file.pdf?signature=..."
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Upload timestamp",
+            "example": "2024-01-15T10:30:00Z"
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "type",
+          "size",
+          "downloadUrl",
+          "createdAt"
+        ]
+      },
+      "UploadAttachmentDto": {
+        "type": "object",
+        "properties": {
+          "fileName": {
+            "type": "string",
+            "description": "Name of the file",
+            "example": "document.pdf",
+            "maxLength": 255
+          },
+          "fileType": {
+            "type": "string",
+            "description": "MIME type of the file",
+            "example": "application/pdf"
+          },
+          "fileData": {
+            "type": "string",
+            "description": "Base64 encoded file data",
+            "example": "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg=="
+          },
+          "description": {
+            "type": "string",
+            "description": "Description of the attachment",
+            "example": "Meeting notes from Q4 planning session",
+            "maxLength": 500
+          }
+        },
+        "required": [
+          "fileName",
+          "fileType",
+          "fileData"
+        ]
+      },
+      "UpdateAutomationDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Automation name",
+            "example": "GitHub Security Check - Evidence Collection"
+          },
+          "description": {
+            "type": "string",
+            "description": "Automation description",
+            "example": "Collects evidence about GitHub repository security settings"
+          }
+        }
+      },
+      "AuthorResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "User ID",
+            "example": "usr_abc123def456"
+          },
+          "name": {
+            "type": "string",
+            "description": "User name",
+            "example": "John Doe"
+          },
+          "email": {
+            "type": "string",
+            "description": "User email",
+            "example": "john.doe@company.com"
+          },
+          "image": {
+            "type": "object",
+            "description": "User profile image URL",
+            "example": "https://example.com/avatar.jpg",
+            "nullable": true
+          },
+          "deactivated": {
+            "type": "boolean",
+            "description": "Whether the user is deactivated",
+            "example": false,
+            "nullable": true
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "email",
+          "image",
+          "deactivated"
+        ]
+      },
+      "AttachmentMetadataDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Unique identifier for the attachment",
+            "example": "att_abc123def456"
+          },
+          "name": {
+            "type": "string",
+            "description": "Original filename",
+            "example": "document.pdf"
+          },
+          "type": {
+            "type": "string",
+            "description": "File type/MIME type",
+            "example": "application/pdf"
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Upload timestamp",
+            "example": "2024-01-15T10:30:00Z"
+          }
+        },
+        "required": [
+          "id",
+          "name",
+          "type",
+          "createdAt"
+        ]
+      },
+      "CommentResponseDto": {
+        "type": "object",
+        "properties": {
+          "id": {
+            "type": "string",
+            "description": "Unique identifier for the comment",
+            "example": "cmt_abc123def456"
+          },
+          "content": {
+            "type": "string",
+            "description": "Comment content",
+            "example": "This task needs to be completed by end of week"
+          },
+          "author": {
+            "description": "Comment author information",
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/AuthorResponseDto"
+              }
+            ]
+          },
+          "attachments": {
+            "description": "Attachment metadata (URLs generated on-demand)",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/AttachmentMetadataDto"
+            }
+          },
+          "createdAt": {
+            "format": "date-time",
+            "type": "string",
+            "description": "Comment creation timestamp",
+            "example": "2024-01-15T10:30:00Z"
+          }
+        },
+        "required": [
+          "id",
+          "content",
+          "author",
+          "attachments",
+          "createdAt"
+        ]
+      },
+      "CreateCommentDto": {
+        "type": "object",
+        "properties": {
+          "content": {
+            "type": "string",
+            "description": "Content of the comment",
+            "example": "This task needs to be completed by end of week",
+            "maxLength": 2000
+          },
+          "entityId": {
+            "type": "string",
+            "description": "ID of the entity to comment on",
+            "example": "tsk_abc123def456"
+          },
+          "entityType": {
+            "type": "string",
+            "description": "Type of entity being commented on",
+            "enum": [
+              "task",
+              "vendor",
+              "risk",
+              "policy"
+            ],
+            "example": "task"
+          },
+          "attachments": {
+            "description": "Optional attachments to include with the comment",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/UploadAttachmentDto"
+            }
+          }
+        },
+        "required": [
+          "content",
+          "entityId",
+          "entityType"
+        ]
+      },
+      "UpdateCommentDto": {
+        "type": "object",
+        "properties": {
+          "content": {
+            "type": "string",
+            "description": "Updated content of the comment",
+            "example": "This task needs to be completed by end of week (updated)",
+            "maxLength": 2000
+          }
+        },
+        "required": [
+          "content"
+        ]
+      },
+      "DomainVerificationDto": {
+        "type": "object",
+        "properties": {
+          "type": {
+            "type": "string",
+            "description": "Verification type (e.g., TXT, CNAME)"
+          },
+          "domain": {
+            "type": "string",
+            "description": "Domain for verification"
+          },
+          "value": {
+            "type": "string",
+            "description": "Verification value"
+          },
+          "reason": {
+            "type": "string",
+            "description": "Reason for verification status"
+          }
+        },
+        "required": [
+          "type",
+          "domain",
+          "value"
+        ]
+      },
+      "DomainStatusResponseDto": {
+        "type": "object",
+        "properties": {
+          "domain": {
+            "type": "string",
+            "description": "The domain name"
+          },
+          "verified": {
+            "type": "boolean",
+            "description": "Whether the domain is verified"
+          },
+          "verification": {
+            "description": "Verification records for the domain",
+            "type": "array",
+            "items": {
+              "$ref": "#/components/schemas/DomainVerificationDto"
+            }
+          }
+        },
+        "required": [
+          "domain",
+          "verified"
+        ]
+      },
+      "CreateAccessRequestDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string"
+          },
+          "email": {
+            "type": "string"
+          },
+          "company": {
+            "type": "string"
+          },
+          "jobTitle": {
+            "type": "string"
+          },
+          "purpose": {
+            "type": "string"
+          },
+          "requestedDurationDays": {
+            "type": "number",
+            "minimum": 1
+          }
+        },
+        "required": [
+          "name",
+          "email"
+        ]
+      },
+      "ApproveAccessRequestDto": {
+        "type": "object",
+        "properties": {
+          "durationDays": {
+            "type": "number",
+            "minimum": 1
+          }
+        }
+      },
+      "DenyAccessRequestDto": {
+        "type": "object",
+        "properties": {
+          "reason": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "reason"
+        ]
+      },
+      "RevokeGrantDto": {
+        "type": "object",
+        "properties": {
+          "reason": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "reason"
+        ]
+      },
+      "SignNdaDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string"
+          },
+          "email": {
+            "type": "string"
+          },
+          "accept": {
+            "type": "boolean"
+          }
+        },
+        "required": [
+          "name",
+          "email",
+          "accept"
+        ]
+      },
+      "ReclaimAccessDto": {
+        "type": "object",
+        "properties": {
+          "email": {
+            "type": "string"
+          }
+        },
+        "required": [
+          "email"
+        ]
+      },
+      "UpdateTaskTemplateDto": {
+        "type": "object",
+        "properties": {
+          "name": {
+            "type": "string",
+            "description": "Task template name",
+            "example": "Monthly Security Review"
+          },
+          "description": {
+            "type": "string",
+            "description": "Detailed description of the task template",
+            "example": "Review and update security policies on a monthly basis"
+          },
+          "frequency": {
+            "type": "string",
+            "description": "Frequency of the task",
+            "enum": [
+              "monthly",
+              "quarterly",
+              "yearly"
+            ],
+            "example": "monthly"
+          },
+          "department": {
+            "type": "string",
+            "description": "Department responsible for the task",
+            "enum": [
+              "none",
+              "admin",
+              "gov",
+              "hr",
+              "it",
+              "itsm",
+              "qms"
+            ],
+            "example": "it"
+          }
+        }
+      }
+    }
+  }
+}
\ No newline at end of file
diff --git a/apps/api/prisma/client.d.ts b/apps/api/prisma/client.d.ts
new file mode 100644
index 000000000..c9d2501a4
--- /dev/null
+++ b/apps/api/prisma/client.d.ts
@@ -0,0 +1,2 @@
+import { PrismaClient } from '@prisma/client';
+export declare const db: PrismaClient<import("@prisma/client").Prisma.PrismaClientOptions, never, import("@prisma/client/runtime/library").DefaultArgs>;
diff --git a/apps/api/prisma/client.js b/apps/api/prisma/client.js
new file mode 100644
index 000000000..47ab4f329
--- /dev/null
+++ b/apps/api/prisma/client.js
@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.db = void 0;
+const client_1 = require("@prisma/client");
+const globalForPrisma = global;
+exports.db = globalForPrisma.prisma || new client_1.PrismaClient();
+if (process.env.NODE_ENV !== 'production')
+    globalForPrisma.prisma = exports.db;
+//# sourceMappingURL=client.js.map
\ No newline at end of file
diff --git a/apps/api/prisma/client.js.map b/apps/api/prisma/client.js.map
new file mode 100644
index 000000000..b3b68e38c
--- /dev/null
+++ b/apps/api/prisma/client.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"client.js","sourceRoot":"","sources":["client.ts"],"names":[],"mappings":";;;AAAA,2CAA8C;AAE9C,MAAM,eAAe,GAAG,MAA6C,CAAC;AAEzD,QAAA,EAAE,GAAG,eAAe,CAAC,MAAM,IAAI,IAAI,qBAAY,EAAE,CAAC;AAE/D,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,YAAY;IAAE,eAAe,CAAC,MAAM,GAAG,UAAE,CAAC"}
\ No newline at end of file
diff --git a/apps/api/prisma/index.d.ts b/apps/api/prisma/index.d.ts
new file mode 100644
index 000000000..54d1c4b9c
--- /dev/null
+++ b/apps/api/prisma/index.d.ts
@@ -0,0 +1,2 @@
+export * from '@prisma/client';
+export { db } from './client';
diff --git a/apps/api/prisma/index.js b/apps/api/prisma/index.js
new file mode 100644
index 000000000..a818c9966
--- /dev/null
+++ b/apps/api/prisma/index.js
@@ -0,0 +1,21 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.db = void 0;
+__exportStar(require("@prisma/client"), exports);
+var client_1 = require("./client");
+Object.defineProperty(exports, "db", { enumerable: true, get: function () { return client_1.db; } });
+//# sourceMappingURL=index.js.map
\ No newline at end of file
diff --git a/apps/api/prisma/index.js.map b/apps/api/prisma/index.js.map
new file mode 100644
index 000000000..398071a25
--- /dev/null
+++ b/apps/api/prisma/index.js.map
@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,iDAA+B;AAC/B,mCAA8B;AAArB,4FAAA,EAAE,OAAA"}
\ No newline at end of file
diff --git a/apps/api/src/app.module.ts b/apps/api/src/app.module.ts
index ed53b359e..cd674a6da 100644
--- a/apps/api/src/app.module.ts
+++ b/apps/api/src/app.module.ts
@@ -1,5 +1,7 @@
 import { Module } from '@nestjs/common';
 import { ConfigModule } from '@nestjs/config';
+import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
+import { APP_GUARD } from '@nestjs/core';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
 import { AttachmentsModule } from './attachments/attachments.module';
@@ -23,6 +25,8 @@ import { QuestionnaireModule } from './questionnaire/questionnaire.module';
 import { VectorStoreModule } from './vector-store/vector-store.module';
 import { KnowledgeBaseModule } from './knowledge-base/knowledge-base.module';
 import { SOAModule } from './soa/soa.module';
+import { IntegrationPlatformModule } from './integration-platform/integration-platform.module';
+import { CloudSecurityModule } from './cloud-security/cloud-security.module';
 
 @Module({
   imports: [
@@ -35,6 +39,12 @@ import { SOAModule } from './soa/soa.module';
         abortEarly: true,
       },
     }),
+    ThrottlerModule.forRoot([
+      {
+        ttl: 60000, // 60 seconds
+        limit: 100, // 100 requests per minute per IP
+      },
+    ]),
     AuthModule,
     OrganizationModule,
     PeopleModule,
@@ -54,8 +64,16 @@ import { SOAModule } from './soa/soa.module';
     VectorStoreModule,
     KnowledgeBaseModule,
     SOAModule,
+    IntegrationPlatformModule,
+    CloudSecurityModule,
   ],
   controllers: [AppController],
-  providers: [AppService],
+  providers: [
+    AppService,
+    {
+      provide: APP_GUARD,
+      useClass: ThrottlerGuard,
+    },
+  ],
 })
 export class AppModule {}
diff --git a/apps/api/src/app/s3.ts b/apps/api/src/app/s3.ts
index e22e8b6b0..30e6c0393 100644
--- a/apps/api/src/app/s3.ts
+++ b/apps/api/src/app/s3.ts
@@ -103,7 +103,8 @@ export function extractS3KeyFromUrl(url: string): string {
 
   // Check for domain-like patterns (e.g., "example.com", "sub.example.com")
   // S3 keys should not contain domain patterns
-  const domainPattern = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\.[a-z]{2,}(\/|$)/i;
+  const domainPattern =
+    /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\.[a-z]{2,}(\/|$)/i;
   if (domainPattern.test(url)) {
     throw new Error('Invalid input: Domain-like pattern detected in S3 key');
   }
diff --git a/apps/api/src/auth/platform-admin.guard.ts b/apps/api/src/auth/platform-admin.guard.ts
new file mode 100644
index 000000000..53c5ee85e
--- /dev/null
+++ b/apps/api/src/auth/platform-admin.guard.ts
@@ -0,0 +1,153 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Injectable,
+  UnauthorizedException,
+  ForbiddenException,
+} from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { db } from '@trycompai/db';
+import { createRemoteJWKSet, jwtVerify } from 'jose';
+import type { BetterAuthConfig } from '../config/better-auth.config';
+
+interface PlatformAdminRequest {
+  userId?: string;
+  userEmail?: string;
+  isPlatformAdmin?: boolean;
+  headers: {
+    authorization?: string;
+    [key: string]: string | undefined;
+  };
+}
+
+@Injectable()
+export class PlatformAdminGuard implements CanActivate {
+  private readonly betterAuthUrl: string;
+
+  constructor(private readonly configService: ConfigService) {
+    const betterAuthConfig =
+      this.configService.get<BetterAuthConfig>('betterAuth');
+    this.betterAuthUrl =
+      betterAuthConfig?.url || process.env.BETTER_AUTH_URL || '';
+
+    if (!this.betterAuthUrl) {
+      console.warn(
+        '[PlatformAdminGuard] BETTER_AUTH_URL not configured. Authentication will fail.',
+      );
+    }
+  }
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<PlatformAdminRequest>();
+
+    // Only accept JWT authentication for admin routes
+    const authHeader = request.headers['authorization'];
+    if (!authHeader?.startsWith('Bearer ')) {
+      throw new UnauthorizedException(
+        'Platform admin routes require JWT authentication',
+      );
+    }
+
+    // Verify JWT and get user
+    const user = await this.verifyJwtAndGetUser(authHeader);
+
+    if (!user) {
+      throw new UnauthorizedException('Invalid or expired JWT token');
+    }
+
+    // Check if user is a platform admin
+    if (!user.isPlatformAdmin) {
+      throw new ForbiddenException(
+        'Access denied: Platform admin privileges required',
+      );
+    }
+
+    // Set request context
+    request.userId = user.id;
+    request.userEmail = user.email;
+    request.isPlatformAdmin = true;
+
+    return true;
+  }
+
+  private async verifyJwtAndGetUser(authHeader: string): Promise<{
+    id: string;
+    email: string;
+    isPlatformAdmin: boolean;
+  } | null> {
+    try {
+      if (!this.betterAuthUrl) {
+        console.error(
+          '[PlatformAdminGuard] BETTER_AUTH_URL environment variable is not set',
+        );
+        return null;
+      }
+
+      const token = authHeader.substring(7);
+      const jwksUrl = `${this.betterAuthUrl}/api/auth/jwks`;
+
+      const JWKS = createRemoteJWKSet(new URL(jwksUrl), {
+        cacheMaxAge: 60000,
+        cooldownDuration: 10000,
+      });
+
+      let payload;
+      try {
+        payload = (
+          await jwtVerify(token, JWKS, {
+            issuer: this.betterAuthUrl,
+            audience: this.betterAuthUrl,
+          })
+        ).payload;
+      } catch (verifyError: unknown) {
+        const error = verifyError as { code?: string; message?: string };
+        if (
+          error.code === 'ERR_JWKS_NO_MATCHING_KEY' ||
+          error.message?.includes('no applicable key found')
+        ) {
+          const freshJWKS = createRemoteJWKSet(new URL(jwksUrl), {
+            cacheMaxAge: 0,
+            cooldownDuration: 0,
+          });
+
+          payload = (
+            await jwtVerify(token, freshJWKS, {
+              issuer: this.betterAuthUrl,
+              audience: this.betterAuthUrl,
+            })
+          ).payload;
+        } else {
+          throw verifyError;
+        }
+      }
+
+      const userId = payload.id as string;
+      if (!userId) {
+        return null;
+      }
+
+      // Fetch user from database to check isPlatformAdmin
+      const user = await db.user.findUnique({
+        where: { id: userId },
+        select: {
+          id: true,
+          email: true,
+          isPlatformAdmin: true,
+        },
+      });
+
+      if (!user) {
+        return null;
+      }
+
+      return {
+        id: user.id,
+        email: user.email,
+        isPlatformAdmin: user.isPlatformAdmin,
+      };
+    } catch (error) {
+      console.error('[PlatformAdminGuard] JWT verification failed:', error);
+      return null;
+    }
+  }
+}
diff --git a/apps/api/src/cloud-security/cloud-security.controller.ts b/apps/api/src/cloud-security/cloud-security.controller.ts
new file mode 100644
index 000000000..0e8859983
--- /dev/null
+++ b/apps/api/src/cloud-security/cloud-security.controller.ts
@@ -0,0 +1,56 @@
+import {
+  Controller,
+  Post,
+  Param,
+  Headers,
+  Logger,
+  HttpException,
+  HttpStatus,
+} from '@nestjs/common';
+import { CloudSecurityService } from './cloud-security.service';
+
+@Controller({ path: 'cloud-security', version: '1' })
+export class CloudSecurityController {
+  private readonly logger = new Logger(CloudSecurityController.name);
+
+  constructor(private readonly cloudSecurityService: CloudSecurityService) {}
+
+  @Post('scan/:connectionId')
+  async scan(
+    @Param('connectionId') connectionId: string,
+    @Headers('x-organization-id') organizationId: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'Organization ID required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    this.logger.log(
+      `Cloud security scan requested for connection ${connectionId}`,
+    );
+
+    const result = await this.cloudSecurityService.scan(
+      connectionId,
+      organizationId,
+    );
+
+    if (!result.success) {
+      throw new HttpException(
+        {
+          message: result.error || 'Scan failed',
+          provider: result.provider,
+        },
+        HttpStatus.INTERNAL_SERVER_ERROR,
+      );
+    }
+
+    return {
+      success: true,
+      provider: result.provider,
+      findingsCount: result.findings.length,
+      scannedAt: result.scannedAt,
+    };
+  }
+}
diff --git a/apps/api/src/cloud-security/cloud-security.module.ts b/apps/api/src/cloud-security/cloud-security.module.ts
new file mode 100644
index 000000000..90a9db57e
--- /dev/null
+++ b/apps/api/src/cloud-security/cloud-security.module.ts
@@ -0,0 +1,20 @@
+import { Module } from '@nestjs/common';
+import { CloudSecurityController } from './cloud-security.controller';
+import { CloudSecurityService } from './cloud-security.service';
+import { GCPSecurityService } from './providers/gcp-security.service';
+import { AWSSecurityService } from './providers/aws-security.service';
+import { AzureSecurityService } from './providers/azure-security.service';
+import { IntegrationPlatformModule } from '../integration-platform/integration-platform.module';
+
+@Module({
+  imports: [IntegrationPlatformModule],
+  controllers: [CloudSecurityController],
+  providers: [
+    CloudSecurityService,
+    GCPSecurityService,
+    AWSSecurityService,
+    AzureSecurityService,
+  ],
+  exports: [CloudSecurityService],
+})
+export class CloudSecurityModule {}
diff --git a/apps/api/src/cloud-security/cloud-security.service.ts b/apps/api/src/cloud-security/cloud-security.service.ts
new file mode 100644
index 000000000..6f1a51eab
--- /dev/null
+++ b/apps/api/src/cloud-security/cloud-security.service.ts
@@ -0,0 +1,264 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { db } from '@db';
+import { getManifest } from '@comp/integration-platform';
+import { CredentialVaultService } from '../integration-platform/services/credential-vault.service';
+import { OAuthCredentialsService } from '../integration-platform/services/oauth-credentials.service';
+import { GCPSecurityService } from './providers/gcp-security.service';
+import { AWSSecurityService } from './providers/aws-security.service';
+import { AzureSecurityService } from './providers/azure-security.service';
+
+export interface SecurityFinding {
+  id: string;
+  title: string;
+  description: string;
+  severity: 'info' | 'low' | 'medium' | 'high' | 'critical';
+  resourceType: string;
+  resourceId: string;
+  remediation?: string;
+  evidence?: Record<string, unknown>;
+  createdAt: string;
+  passed?: boolean; // Whether this is a passing check (default: false)
+}
+
+export interface ScanResult {
+  success: boolean;
+  provider: string;
+  findings: SecurityFinding[];
+  scannedAt: string;
+  error?: string;
+}
+
+@Injectable()
+export class CloudSecurityService {
+  private readonly logger = new Logger(CloudSecurityService.name);
+
+  constructor(
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+    private readonly gcpService: GCPSecurityService,
+    private readonly awsService: AWSSecurityService,
+    private readonly azureService: AzureSecurityService,
+  ) {}
+
+  async scan(
+    connectionId: string,
+    organizationId: string,
+  ): Promise<ScanResult> {
+    this.logger.log(
+      `Starting cloud security scan for connection ${connectionId}`,
+    );
+
+    // Get connection
+    const connection = await db.integrationConnection.findFirst({
+      where: {
+        id: connectionId,
+        organizationId,
+        status: 'active',
+      },
+      include: {
+        provider: true,
+      },
+    });
+
+    if (!connection) {
+      return {
+        success: false,
+        provider: 'unknown',
+        findings: [],
+        scannedAt: new Date().toISOString(),
+        error: 'Connection not found or inactive',
+      };
+    }
+
+    const providerSlug = connection.provider.slug;
+    this.logger.log(`Scanning ${providerSlug} provider`);
+
+    // Get credentials - for OAuth providers, handle token refresh
+    let credentials: Record<string, unknown>;
+    try {
+      const manifest = getManifest(providerSlug);
+      const isOAuth = manifest?.auth?.type === 'oauth2';
+
+      if (isOAuth && manifest.auth.type === 'oauth2') {
+        const oauthConfig = manifest.auth.config;
+
+        // Get OAuth app credentials (decrypted)
+        const oauthCreds = await this.oauthCredentialsService.getCredentials(
+          providerSlug,
+          organizationId,
+        );
+
+        if (!oauthCreds) {
+          return {
+            success: false,
+            provider: providerSlug,
+            findings: [],
+            scannedAt: new Date().toISOString(),
+            error: 'OAuth app not configured for this provider',
+          };
+        }
+
+        // Get valid access token (with refresh if needed)
+        const accessToken =
+          await this.credentialVaultService.getValidAccessToken(connectionId, {
+            tokenUrl: oauthConfig.tokenUrl,
+            clientId: oauthCreds.clientId,
+            clientSecret: oauthCreds.clientSecret,
+            clientAuthMethod: oauthConfig.clientAuthMethod,
+          });
+
+        if (!accessToken) {
+          return {
+            success: false,
+            provider: providerSlug,
+            findings: [],
+            scannedAt: new Date().toISOString(),
+            error: 'OAuth token expired. Please reconnect the integration.',
+          };
+        }
+
+        // Get full credentials and update with fresh access token
+        const decrypted =
+          await this.credentialVaultService.getDecryptedCredentials(
+            connectionId,
+          );
+        credentials = { ...decrypted, access_token: accessToken };
+      } else {
+        // Non-OAuth (custom auth like AWS IAM Role)
+        const decrypted =
+          await this.credentialVaultService.getDecryptedCredentials(
+            connectionId,
+          );
+        if (!decrypted) {
+          return {
+            success: false,
+            provider: providerSlug,
+            findings: [],
+            scannedAt: new Date().toISOString(),
+            error: 'No credentials found',
+          };
+        }
+        credentials = decrypted;
+      }
+    } catch (error) {
+      this.logger.error(`Failed to get credentials: ${error}`);
+      return {
+        success: false,
+        provider: providerSlug,
+        findings: [],
+        scannedAt: new Date().toISOString(),
+        error: 'Failed to get credentials',
+      };
+    }
+
+    // Get variables for the scan
+    const variables = (connection.variables as Record<string, unknown>) || {};
+
+    try {
+      let findings: SecurityFinding[];
+
+      switch (providerSlug) {
+        case 'gcp':
+          findings = await this.gcpService.scanSecurityFindings(
+            credentials,
+            variables,
+          );
+          break;
+        case 'aws':
+          findings = await this.awsService.scanSecurityFindings(
+            credentials,
+            variables,
+          );
+          break;
+        case 'azure':
+          findings = await this.azureService.scanSecurityFindings(
+            credentials,
+            variables,
+          );
+          break;
+        default:
+          return {
+            success: false,
+            provider: providerSlug,
+            findings: [],
+            scannedAt: new Date().toISOString(),
+            error: `Unsupported provider: ${providerSlug}`,
+          };
+      }
+
+      // Store findings in database
+      await this.storeFindings(connectionId, providerSlug, findings);
+
+      // Update last sync time
+      await db.integrationConnection.update({
+        where: { id: connectionId },
+        data: { lastSyncAt: new Date() },
+      });
+
+      this.logger.log(
+        `Scan complete: ${findings.length} findings for ${providerSlug}`,
+      );
+
+      return {
+        success: true,
+        provider: providerSlug,
+        findings,
+        scannedAt: new Date().toISOString(),
+      };
+    } catch (error) {
+      const errorMessage =
+        error instanceof Error ? error.message : String(error);
+      this.logger.error(`Scan failed for ${providerSlug}: ${errorMessage}`);
+
+      return {
+        success: false,
+        provider: providerSlug,
+        findings: [],
+        scannedAt: new Date().toISOString(),
+        error: errorMessage,
+      };
+    }
+  }
+
+  private async storeFindings(
+    connectionId: string,
+    provider: string,
+    findings: SecurityFinding[],
+  ): Promise<void> {
+    const passedCount = findings.filter((f) => f.passed).length;
+    const failedCount = findings.filter((f) => !f.passed).length;
+
+    // Create a scan run record
+    const scanRun = await db.integrationCheckRun.create({
+      data: {
+        connectionId,
+        checkId: `${provider}-security-scan`,
+        checkName: `${provider.toUpperCase()} Security Scan`,
+        status: 'success',
+        startedAt: new Date(),
+        completedAt: new Date(),
+        totalChecked: findings.length,
+        passedCount,
+        failedCount,
+      },
+    });
+
+    // Store each finding as a check result
+    if (findings.length > 0) {
+      await db.integrationCheckResult.createMany({
+        data: findings.map((finding) => ({
+          checkRunId: scanRun.id,
+          passed: finding.passed ?? false,
+          resourceType: finding.resourceType,
+          resourceId: finding.resourceId,
+          title: finding.title,
+          description: finding.description,
+          severity: finding.passed ? 'info' : finding.severity, // Passed checks are info level
+          remediation: finding.remediation,
+          evidence: (finding.evidence || {}) as object,
+          collectedAt: new Date(finding.createdAt),
+        })),
+      });
+    }
+  }
+}
diff --git a/apps/api/src/cloud-security/providers/aws-security.service.ts b/apps/api/src/cloud-security/providers/aws-security.service.ts
new file mode 100644
index 000000000..c897ca913
--- /dev/null
+++ b/apps/api/src/cloud-security/providers/aws-security.service.ts
@@ -0,0 +1,194 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { AssumeRoleCommand, STSClient } from '@aws-sdk/client-sts';
+import {
+  GetFindingsCommand,
+  SecurityHubClient,
+  type GetFindingsCommandInput,
+} from '@aws-sdk/client-securityhub';
+import type { SecurityFinding } from '../cloud-security.service';
+
+@Injectable()
+export class AWSSecurityService {
+  private readonly logger = new Logger(AWSSecurityService.name);
+
+  async scanSecurityFindings(
+    credentials: Record<string, unknown>,
+    variables: Record<string, unknown>,
+  ): Promise<SecurityFinding[]> {
+    // Determine auth method
+    const isRoleAuth = credentials.roleArn && credentials.externalId;
+    const isKeyAuth =
+      credentials.access_key_id && credentials.secret_access_key;
+
+    if (!isRoleAuth && !isKeyAuth) {
+      throw new Error(
+        'AWS credentials missing. Provide IAM Role or Access Keys.',
+      );
+    }
+
+    const region =
+      (credentials.region as string) ||
+      (variables.region as string) ||
+      'us-east-1';
+
+    let awsCredentials: {
+      accessKeyId: string;
+      secretAccessKey: string;
+      sessionToken?: string;
+    };
+
+    if (isRoleAuth) {
+      // IAM Role assumption
+      const roleArn = credentials.roleArn as string;
+      const externalId = credentials.externalId as string;
+
+      this.logger.log(`Assuming role ${roleArn} in region ${region}`);
+
+      const sts = new STSClient({ region });
+      const assumeRoleResponse = await sts.send(
+        new AssumeRoleCommand({
+          RoleArn: roleArn,
+          ExternalId: externalId,
+          RoleSessionName: 'CompSecurityAudit',
+          DurationSeconds: 3600,
+        }),
+      );
+
+      if (!assumeRoleResponse.Credentials) {
+        throw new Error('Failed to assume role - no credentials returned');
+      }
+
+      awsCredentials = {
+        accessKeyId: assumeRoleResponse.Credentials.AccessKeyId!,
+        secretAccessKey: assumeRoleResponse.Credentials.SecretAccessKey!,
+        sessionToken: assumeRoleResponse.Credentials.SessionToken!,
+      };
+    } else {
+      // Direct access keys
+      awsCredentials = {
+        accessKeyId: credentials.access_key_id as string,
+        secretAccessKey: credentials.secret_access_key as string,
+      };
+    }
+
+    // Create Security Hub client
+    const securityHub = new SecurityHubClient({
+      region,
+      credentials: awsCredentials,
+    });
+
+    this.logger.log(`Scanning AWS Security Hub in region ${region}`);
+
+    try {
+      const findings = await this.fetchSecurityHubFindings(securityHub);
+      this.logger.log(`Found ${findings.length} AWS security findings`);
+      return findings;
+    } catch (error) {
+      const errorMessage =
+        error instanceof Error ? error.message : String(error);
+
+      if (
+        errorMessage.includes('not subscribed') ||
+        errorMessage.includes('AccessDenied')
+      ) {
+        this.logger.warn('Security Hub not enabled in this region');
+        return [];
+      }
+
+      throw error;
+    }
+  }
+
+  private async fetchSecurityHubFindings(
+    securityHub: SecurityHubClient,
+  ): Promise<SecurityFinding[]> {
+    const allFindings: SecurityFinding[] = [];
+
+    const params: GetFindingsCommandInput = {
+      Filters: {
+        WorkflowStatus: [
+          { Value: 'NEW', Comparison: 'EQUALS' },
+          { Value: 'NOTIFIED', Comparison: 'EQUALS' },
+        ],
+        RecordState: [{ Value: 'ACTIVE', Comparison: 'EQUALS' }],
+      },
+      MaxResults: 100,
+    };
+
+    let response = await securityHub.send(new GetFindingsCommand(params));
+
+    if (response.Findings) {
+      for (const finding of response.Findings) {
+        allFindings.push(this.mapFinding(finding));
+      }
+    }
+
+    // Paginate
+    let nextToken = response.NextToken;
+    while (nextToken && allFindings.length < 500) {
+      response = await securityHub.send(
+        new GetFindingsCommand({
+          ...params,
+          NextToken: nextToken,
+        }),
+      );
+
+      if (response.Findings) {
+        for (const finding of response.Findings) {
+          if (allFindings.length >= 500) break;
+          allFindings.push(this.mapFinding(finding));
+        }
+      }
+
+      nextToken = response.NextToken;
+    }
+
+    return allFindings;
+  }
+
+  private mapFinding(finding: {
+    Id?: string;
+    Title?: string;
+    Description?: string;
+    Remediation?: { Recommendation?: { Text?: string } };
+    Severity?: { Label?: string };
+    Resources?: Array<{ Type?: string; Id?: string }>;
+    AwsAccountId?: string;
+    Region?: string;
+    Compliance?: { Status?: string };
+    GeneratorId?: string;
+    CreatedAt?: string;
+    UpdatedAt?: string;
+  }): SecurityFinding {
+    const severityMap: Record<string, SecurityFinding['severity']> = {
+      INFORMATIONAL: 'info',
+      LOW: 'low',
+      MEDIUM: 'medium',
+      HIGH: 'high',
+      CRITICAL: 'critical',
+    };
+
+    const complianceStatus = finding.Compliance?.Status;
+    const passed = complianceStatus === 'PASSED';
+
+    return {
+      id: finding.Id || '',
+      title: finding.Title || 'Untitled Finding',
+      description: finding.Description || 'No description available',
+      severity: severityMap[finding.Severity?.Label || 'INFO'] || 'medium',
+      resourceType: finding.Resources?.[0]?.Type || 'unknown',
+      resourceId: finding.Resources?.[0]?.Id || 'unknown',
+      remediation:
+        finding.Remediation?.Recommendation?.Text || 'No remediation available',
+      evidence: {
+        awsAccountId: finding.AwsAccountId,
+        region: finding.Region,
+        complianceStatus,
+        generatorId: finding.GeneratorId,
+        updatedAt: finding.UpdatedAt,
+      },
+      createdAt: finding.CreatedAt || new Date().toISOString(),
+      passed,
+    };
+  }
+}
diff --git a/apps/api/src/cloud-security/providers/azure-security.service.ts b/apps/api/src/cloud-security/providers/azure-security.service.ts
new file mode 100644
index 000000000..b9cbc8dd9
--- /dev/null
+++ b/apps/api/src/cloud-security/providers/azure-security.service.ts
@@ -0,0 +1,274 @@
+import { Injectable, Logger } from '@nestjs/common';
+import type { SecurityFinding } from '../cloud-security.service';
+
+interface AzureSecurityAlert {
+  name: string;
+  properties: {
+    alertDisplayName: string;
+    description: string;
+    severity: string;
+    status: string;
+    alertType: string;
+    compromisedEntity?: string;
+    intent?: string;
+    startTimeUtc?: string;
+    resourceIdentifiers?: unknown[];
+    remediationSteps?: string[];
+  };
+}
+
+interface AzureSecurityAssessment {
+  name: string;
+  properties: {
+    displayName: string;
+    status: {
+      code: string;
+      description?: string;
+    };
+    metadata?: {
+      severity?: string;
+      description?: string;
+      remediationDescription?: string;
+      category?: string;
+    };
+    resourceDetails?: unknown;
+  };
+}
+
+interface AzureListResponse<T> {
+  value: T[];
+  nextLink?: string;
+}
+
+@Injectable()
+export class AzureSecurityService {
+  private readonly logger = new Logger(AzureSecurityService.name);
+
+  async scanSecurityFindings(
+    credentials: Record<string, unknown>,
+    _variables: Record<string, unknown>,
+  ): Promise<SecurityFinding[]> {
+    const tenantId = credentials.tenantId as string;
+    const clientId = credentials.clientId as string;
+    const clientSecret = credentials.clientSecret as string;
+    const subscriptionId = credentials.subscriptionId as string;
+
+    if (!tenantId || !clientId || !clientSecret || !subscriptionId) {
+      throw new Error(
+        'Azure credentials incomplete. Ensure tenantId, clientId, clientSecret, and subscriptionId are configured.',
+      );
+    }
+
+    this.logger.log(`Scanning Azure subscription ${subscriptionId}`);
+
+    // Get access token
+    const accessToken = await this.getAccessToken(
+      tenantId,
+      clientId,
+      clientSecret,
+    );
+
+    const findings: SecurityFinding[] = [];
+
+    // Fetch security alerts
+    try {
+      const alerts = await this.getSecurityAlerts(accessToken, subscriptionId);
+      const activeAlerts = alerts.filter(
+        (a) => a.properties.status === 'Active',
+      );
+
+      this.logger.log(`Found ${activeAlerts.length} active security alerts`);
+
+      for (const alert of activeAlerts) {
+        findings.push({
+          id: alert.name,
+          title: alert.properties.alertDisplayName,
+          description: alert.properties.description,
+          severity: this.mapSeverity(alert.properties.severity),
+          resourceType: 'security-alert',
+          resourceId: alert.name,
+          remediation:
+            alert.properties.remediationSteps?.join('\n') ||
+            'Review the alert in Microsoft Defender for Cloud',
+          evidence: {
+            alertType: alert.properties.alertType,
+            compromisedEntity: alert.properties.compromisedEntity,
+            intent: alert.properties.intent,
+            startTime: alert.properties.startTimeUtc,
+          },
+          createdAt: alert.properties.startTimeUtc || new Date().toISOString(),
+        });
+      }
+    } catch (error) {
+      const errorMsg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to fetch security alerts: ${errorMsg}`);
+
+      if (
+        errorMsg.includes('403') ||
+        errorMsg.includes('AuthorizationFailed')
+      ) {
+        findings.push({
+          id: `permission-alerts-${subscriptionId}`,
+          title: 'Unable to access Security Alerts',
+          description:
+            'The service principal does not have permission to read security alerts.',
+          severity: 'medium',
+          resourceType: 'security-alerts',
+          resourceId: subscriptionId,
+          remediation:
+            'Assign the "Security Reader" role to your App Registration on the subscription.',
+          evidence: { error: errorMsg },
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+
+    // Fetch security assessments
+    try {
+      const assessments = await this.getSecurityAssessments(
+        accessToken,
+        subscriptionId,
+      );
+      const unhealthy = assessments.filter(
+        (a) => a.properties.status.code === 'Unhealthy',
+      );
+
+      this.logger.log(
+        `Found ${unhealthy.length} unhealthy security assessments`,
+      );
+
+      // Limit to 50 to avoid overwhelming
+      for (const assessment of unhealthy.slice(0, 50)) {
+        findings.push({
+          id: assessment.name,
+          title: assessment.properties.displayName,
+          description:
+            assessment.properties.metadata?.description ||
+            assessment.properties.status.description ||
+            'Security assessment failed',
+          severity: this.mapSeverity(
+            assessment.properties.metadata?.severity || 'Medium',
+          ),
+          resourceType: 'security-assessment',
+          resourceId: assessment.name,
+          remediation:
+            assessment.properties.metadata?.remediationDescription ||
+            'Review and remediate in Microsoft Defender for Cloud',
+          evidence: {
+            status: assessment.properties.status,
+            category: assessment.properties.metadata?.category,
+          },
+          createdAt: new Date().toISOString(),
+        });
+      }
+    } catch (error) {
+      const errorMsg = error instanceof Error ? error.message : String(error);
+      this.logger.warn(`Failed to fetch security assessments: ${errorMsg}`);
+
+      if (
+        errorMsg.includes('403') ||
+        errorMsg.includes('AuthorizationFailed')
+      ) {
+        findings.push({
+          id: `permission-assessments-${subscriptionId}`,
+          title: 'Unable to access Security Assessments',
+          description:
+            'The service principal does not have permission to read security assessments.',
+          severity: 'medium',
+          resourceType: 'security-assessments',
+          resourceId: subscriptionId,
+          remediation:
+            'Assign the "Security Reader" role to your App Registration on the subscription.',
+          evidence: { error: errorMsg },
+          createdAt: new Date().toISOString(),
+        });
+      }
+    }
+
+    this.logger.log(`Azure scan complete: ${findings.length} total findings`);
+    return findings;
+  }
+
+  private async getAccessToken(
+    tenantId: string,
+    clientId: string,
+    clientSecret: string,
+  ): Promise<string> {
+    const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
+
+    const body = new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      scope: 'https://management.azure.com/.default',
+      grant_type: 'client_credentials',
+    });
+
+    const response = await fetch(tokenUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      body: body.toString(),
+    });
+
+    if (!response.ok) {
+      const error = await response.text();
+      throw new Error(`Azure authentication failed: ${error}`);
+    }
+
+    const data = await response.json();
+    return data.access_token;
+  }
+
+  private async getSecurityAlerts(
+    accessToken: string,
+    subscriptionId: string,
+  ): Promise<AzureSecurityAlert[]> {
+    const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01`;
+    return this.fetchAllPages<AzureSecurityAlert>(accessToken, url);
+  }
+
+  private async getSecurityAssessments(
+    accessToken: string,
+    subscriptionId: string,
+  ): Promise<AzureSecurityAssessment[]> {
+    const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Security/assessments?api-version=2021-06-01`;
+    return this.fetchAllPages<AzureSecurityAssessment>(accessToken, url);
+  }
+
+  private async fetchAllPages<T>(
+    accessToken: string,
+    initialUrl: string,
+  ): Promise<T[]> {
+    const results: T[] = [];
+    let url: string | undefined = initialUrl;
+
+    while (url) {
+      const response = await fetch(url, {
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      });
+
+      if (!response.ok) {
+        const error = await response.text();
+        throw new Error(`Azure API error (${response.status}): ${error}`);
+      }
+
+      const data: AzureListResponse<T> = await response.json();
+      results.push(...data.value);
+      url = data.nextLink;
+    }
+
+    return results;
+  }
+
+  private mapSeverity(azureSeverity: string): SecurityFinding['severity'] {
+    const map: Record<string, SecurityFinding['severity']> = {
+      High: 'high',
+      Medium: 'medium',
+      Low: 'low',
+      Informational: 'info',
+    };
+    return map[azureSeverity] || 'medium';
+  }
+}
diff --git a/apps/api/src/cloud-security/providers/gcp-security.service.ts b/apps/api/src/cloud-security/providers/gcp-security.service.ts
new file mode 100644
index 000000000..ecd830e42
--- /dev/null
+++ b/apps/api/src/cloud-security/providers/gcp-security.service.ts
@@ -0,0 +1,148 @@
+import { Injectable, Logger } from '@nestjs/common';
+import type { SecurityFinding } from '../cloud-security.service';
+
+interface GCPFindingResult {
+  finding: {
+    name: string;
+    category: string;
+    severity: string;
+    state: string;
+    resourceName: string;
+    description?: string;
+    createTime: string;
+    eventTime: string;
+  };
+}
+
+@Injectable()
+export class GCPSecurityService {
+  private readonly logger = new Logger(GCPSecurityService.name);
+
+  async scanSecurityFindings(
+    credentials: Record<string, unknown>,
+    variables: Record<string, unknown>,
+  ): Promise<SecurityFinding[]> {
+    const accessToken = credentials.access_token as string;
+    const organizationId = variables.organization_id as string;
+
+    if (!accessToken) {
+      throw new Error('Access token is required');
+    }
+
+    if (!organizationId) {
+      throw new Error(
+        'Organization ID is required. Configure it in the integration variables.',
+      );
+    }
+
+    this.logger.log(
+      `Scanning GCP Security Command Center for org ${organizationId}`,
+    );
+
+    const allFindings: SecurityFinding[] = [];
+    let pageToken: string | undefined;
+
+    do {
+      const response = await this.fetchSecurityFindings(
+        accessToken,
+        organizationId,
+        pageToken,
+      );
+
+      for (const result of response.findings) {
+        const finding = result.finding;
+        const severity = this.mapSeverity(finding.severity);
+
+        allFindings.push({
+          id: finding.name,
+          title: finding.category,
+          description:
+            finding.description || `Security finding: ${finding.category}`,
+          severity,
+          resourceType: 'gcp-resource',
+          resourceId: finding.resourceName,
+          remediation:
+            'Review and remediate this finding in GCP Security Command Centre',
+          evidence: {
+            findingName: finding.name,
+            category: finding.category,
+            state: finding.state,
+            resourceName: finding.resourceName,
+            severity: finding.severity,
+            eventTime: finding.eventTime,
+          },
+          createdAt: finding.createTime,
+        });
+      }
+
+      pageToken = response.nextPageToken;
+    } while (pageToken);
+
+    this.logger.log(`Found ${allFindings.length} GCP security findings`);
+    return allFindings;
+  }
+
+  private async fetchSecurityFindings(
+    accessToken: string,
+    organizationId: string,
+    pageToken?: string,
+  ): Promise<{ findings: GCPFindingResult[]; nextPageToken?: string }> {
+    const url = new URL(
+      `https://securitycenter.googleapis.com/v2/organizations/${organizationId}/sources/-/findings`,
+    );
+    url.searchParams.set('pageSize', '100');
+    url.searchParams.set('filter', 'state="ACTIVE"');
+
+    if (pageToken) {
+      url.searchParams.set('pageToken', pageToken);
+    }
+
+    const response = await fetch(url.toString(), {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+        'Content-Type': 'application/json',
+      },
+    });
+
+    if (!response.ok) {
+      const errorText = await response.text();
+      this.logger.error(`GCP API error: ${errorText}`);
+
+      // Parse and provide helpful error messages
+      if (errorText.includes('ACCESS_TOKEN_SCOPE_INSUFFICIENT')) {
+        throw new Error(
+          'OAuth scopes insufficient. Please disconnect and reconnect the GCP integration.',
+        );
+      }
+
+      if (
+        errorText.includes('PERMISSION_DENIED') ||
+        errorText.includes('403')
+      ) {
+        throw new Error(
+          'Permission denied. Grant the "Security Center Findings Viewer" role to your Google account at the organization level.',
+        );
+      }
+
+      throw new Error(`GCP API error (${response.status}): ${errorText}`);
+    }
+
+    const data = await response.json();
+
+    return {
+      findings: data.listFindingsResults || [],
+      nextPageToken: data.nextPageToken,
+    };
+  }
+
+  private mapSeverity(gcpSeverity: string): SecurityFinding['severity'] {
+    const map: Record<string, SecurityFinding['severity']> = {
+      CRITICAL: 'critical',
+      HIGH: 'high',
+      MEDIUM: 'medium',
+      LOW: 'low',
+    };
+    return map[gcpSeverity] || 'medium';
+  }
+}
diff --git a/apps/api/src/common/filters/cors-exception.filter.ts b/apps/api/src/common/filters/cors-exception.filter.ts
new file mode 100644
index 000000000..bb455da0b
--- /dev/null
+++ b/apps/api/src/common/filters/cors-exception.filter.ts
@@ -0,0 +1,55 @@
+import {
+  ExceptionFilter,
+  Catch,
+  ArgumentsHost,
+  HttpException,
+} from '@nestjs/common';
+import type { Response, Request } from 'express';
+
+@Catch(HttpException)
+export class CorsExceptionFilter implements ExceptionFilter {
+  catch(exception: HttpException, host: ArgumentsHost) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse<Response>();
+    const request = ctx.getRequest<Request>();
+    const status = exception.getStatus();
+
+    // Get the request origin
+    const origin = request.headers.origin;
+
+    // Set CORS headers on error responses
+    if (origin) {
+      const isDevelopment = process.env.NODE_ENV !== 'production';
+      const allowedOrigins = [
+        'http://localhost:3000',
+        'http://localhost:3001',
+        'http://127.0.0.1:3000',
+        'https://app.trycomp.ai',
+        'https://trycomp.ai',
+        process.env.APP_URL,
+      ].filter(Boolean) as string[];
+
+      const isAllowed =
+        allowedOrigins.includes(origin) ||
+        (isDevelopment &&
+          (origin.includes('localhost') ||
+            origin.includes('127.0.0.1') ||
+            origin.includes('ngrok')));
+
+      if (isAllowed) {
+        response.setHeader('Access-Control-Allow-Origin', origin);
+        response.setHeader('Access-Control-Allow-Credentials', 'true');
+        response.setHeader(
+          'Access-Control-Allow-Methods',
+          'GET,POST,PUT,DELETE,PATCH,OPTIONS',
+        );
+        response.setHeader(
+          'Access-Control-Allow-Headers',
+          'Content-Type,Authorization,X-API-Key,X-Organization-Id',
+        );
+      }
+    }
+
+    response.status(status).json(exception.getResponse());
+  }
+}
diff --git a/apps/api/src/config/load-env.ts b/apps/api/src/config/load-env.ts
index 65f442948..5e78b9828 100644
--- a/apps/api/src/config/load-env.ts
+++ b/apps/api/src/config/load-env.ts
@@ -33,4 +33,3 @@ export function ensureEnvLoaded(): void {
     loadEnv();
   }
 }
-
diff --git a/apps/api/src/device-agent/device-agent.service.ts b/apps/api/src/device-agent/device-agent.service.ts
index 33cbe9d70..254340142 100644
--- a/apps/api/src/device-agent/device-agent.service.ts
+++ b/apps/api/src/device-agent/device-agent.service.ts
@@ -66,7 +66,11 @@ export class DeviceAgentService {
     }
   }
 
-  async downloadWindowsAgent(): Promise<{ stream: Readable; filename: string; contentType: string }> {
+  async downloadWindowsAgent(): Promise<{
+    stream: Readable;
+    filename: string;
+    contentType: string;
+  }> {
     try {
       const windowsPackageFilename = 'Comp AI Agent 1.0.0.exe';
       const packageKey = `windows/${windowsPackageFilename}`;
@@ -81,7 +85,9 @@ export class DeviceAgentService {
       const s3Response = await this.s3Client.send(getObjectCommand);
 
       if (!s3Response.Body) {
-        throw new NotFoundException('Windows agent executable file not found in S3');
+        throw new NotFoundException(
+          'Windows agent executable file not found in S3',
+        );
       }
 
       // Use S3 stream directly as Node.js Readable
diff --git a/apps/api/src/integration-platform/controllers/admin-integrations.controller.ts b/apps/api/src/integration-platform/controllers/admin-integrations.controller.ts
new file mode 100644
index 000000000..1b0ab1a99
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/admin-integrations.controller.ts
@@ -0,0 +1,197 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Delete,
+  Body,
+  Param,
+  HttpException,
+  HttpStatus,
+  Logger,
+  UseGuards,
+} from '@nestjs/common';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { PlatformCredentialRepository } from '../repositories/platform-credential.repository';
+import { getAllManifests, getManifest } from '@comp/integration-platform';
+import { PlatformAdminGuard } from '../../auth/platform-admin.guard';
+
+interface SavePlatformCredentialDto {
+  providerSlug: string;
+  clientId: string;
+  clientSecret: string;
+  customScopes?: string[];
+  customSettings?: Record<string, unknown>;
+}
+
+@Controller({ path: 'admin/integrations', version: '1' })
+@UseGuards(PlatformAdminGuard)
+export class AdminIntegrationsController {
+  private readonly logger = new Logger(AdminIntegrationsController.name);
+
+  constructor(
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+    private readonly platformCredentialRepository: PlatformCredentialRepository,
+  ) {}
+
+  /**
+   * List all integrations with their credential status
+   */
+  @Get()
+  async listIntegrations() {
+    const manifests = getAllManifests();
+    const platformCredentials =
+      await this.platformCredentialRepository.findAll();
+
+    // Create a map of configured credentials
+    const configuredProviders = new Set(
+      platformCredentials.map((c) => c.providerSlug),
+    );
+
+    return manifests.map((manifest) => {
+      const credential = platformCredentials.find(
+        (c) => c.providerSlug === manifest.id,
+      );
+
+      return {
+        id: manifest.id,
+        name: manifest.name,
+        description: manifest.description,
+        category: manifest.category,
+        logoUrl: manifest.logoUrl,
+        authType: manifest.auth.type,
+        capabilities: manifest.capabilities,
+        isActive: manifest.isActive,
+        docsUrl: manifest.docsUrl,
+        // Credential status
+        hasCredentials: configuredProviders.has(manifest.id),
+        credentialConfiguredAt: credential?.createdAt,
+        credentialUpdatedAt: credential?.updatedAt,
+        // OAuth-specific info
+        ...(manifest.auth.type === 'oauth2' && {
+          setupInstructions: manifest.auth.config.setupInstructions,
+          createAppUrl: manifest.auth.config.createAppUrl,
+          requiredScopes: manifest.auth.config.scopes,
+          authorizeUrl: manifest.auth.config.authorizeUrl,
+        }),
+      };
+    });
+  }
+
+  /**
+   * Get details for a specific integration
+   */
+  @Get(':providerSlug')
+  async getIntegration(@Param('providerSlug') providerSlug: string) {
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    const credential =
+      await this.platformCredentialRepository.findByProviderSlug(providerSlug);
+
+    return {
+      id: manifest.id,
+      name: manifest.name,
+      description: manifest.description,
+      category: manifest.category,
+      authType: manifest.auth.type,
+      capabilities: manifest.capabilities,
+      isActive: manifest.isActive,
+      docsUrl: manifest.docsUrl,
+      // Credential status (don't expose actual credentials)
+      hasCredentials: !!credential,
+      credentialIsActive: credential?.isActive ?? false,
+      credentialConfiguredAt: credential?.createdAt,
+      credentialUpdatedAt: credential?.updatedAt,
+      credentialCustomScopes: credential?.customScopes,
+      // OAuth-specific info
+      ...(manifest.auth.type === 'oauth2' && {
+        setupInstructions: manifest.auth.config.setupInstructions,
+        createAppUrl: manifest.auth.config.createAppUrl,
+        requiredScopes: manifest.auth.config.scopes,
+        callbackUrl: `${process.env.BASE_URL || 'http://localhost:3333'}/v1/integrations/oauth/callback`,
+      }),
+    };
+  }
+
+  /**
+   * Save platform credentials for an integration
+   */
+  @Post('credentials')
+  async savePlatformCredentials(
+    @Body() body: SavePlatformCredentialDto,
+    // TODO: Get userId from auth context
+  ) {
+    const {
+      providerSlug,
+      clientId,
+      clientSecret,
+      customScopes,
+      customSettings,
+    } = body;
+
+    // Validate provider exists
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Validate it's an OAuth provider
+    if (manifest.auth.type !== 'oauth2') {
+      throw new HttpException(
+        `Provider ${providerSlug} does not use OAuth`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Validate required fields
+    if (!clientId || !clientSecret) {
+      throw new HttpException(
+        'clientId and clientSecret are required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    await this.oauthCredentialsService.savePlatformCredentials(
+      providerSlug,
+      clientId,
+      clientSecret,
+      customScopes,
+      customSettings,
+      // userId from auth context would go here
+    );
+
+    this.logger.log(`Platform credentials saved for ${providerSlug}`);
+
+    return { success: true };
+  }
+
+  /**
+   * Delete platform credentials for an integration
+   */
+  @Delete('credentials/:providerSlug')
+  async deletePlatformCredentials(@Param('providerSlug') providerSlug: string) {
+    const credential =
+      await this.platformCredentialRepository.findByProviderSlug(providerSlug);
+
+    if (!credential) {
+      throw new HttpException(
+        `No credentials found for ${providerSlug}`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    await this.oauthCredentialsService.deletePlatformCredentials(providerSlug);
+
+    this.logger.log(`Platform credentials deleted for ${providerSlug}`);
+
+    return { success: true };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/checks.controller.ts b/apps/api/src/integration-platform/controllers/checks.controller.ts
new file mode 100644
index 000000000..efb22edf6
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/checks.controller.ts
@@ -0,0 +1,297 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Param,
+  Body,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import {
+  getManifest,
+  getAvailableChecks,
+  runAllChecks,
+} from '@comp/integration-platform';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { ProviderRepository } from '../repositories/provider.repository';
+import { CheckRunRepository } from '../repositories/check-run.repository';
+
+interface RunChecksDto {
+  checkId?: string;
+}
+
+@Controller({ path: 'integrations/checks', version: '1' })
+export class ChecksController {
+  private readonly logger = new Logger(ChecksController.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly providerRepository: ProviderRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly checkRunRepository: CheckRunRepository,
+  ) {}
+
+  /**
+   * List available checks for a provider
+   */
+  @Get('providers/:providerSlug')
+  async listProviderChecks(@Param('providerSlug') providerSlug: string) {
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    return {
+      providerSlug,
+      providerName: manifest.name,
+      checks: getAvailableChecks(manifest),
+    };
+  }
+
+  /**
+   * List available checks for a connection
+   */
+  @Get('connections/:connectionId')
+  async listConnectionChecks(@Param('connectionId') connectionId: string) {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      throw new HttpException('Provider not found', HttpStatus.NOT_FOUND);
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest for ${provider.slug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    return {
+      connectionId,
+      providerSlug: provider.slug,
+      providerName: manifest.name,
+      connectionStatus: connection.status,
+      checks: getAvailableChecks(manifest),
+    };
+  }
+
+  /**
+   * Run checks for a connection
+   */
+  @Post('connections/:connectionId/run')
+  async runConnectionChecks(
+    @Param('connectionId') connectionId: string,
+    @Body() body: RunChecksDto,
+  ) {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.status !== 'active') {
+      throw new HttpException(
+        `Connection is not active (status: ${connection.status})`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      throw new HttpException('Provider not found', HttpStatus.NOT_FOUND);
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest for ${provider.slug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (!manifest.checks || manifest.checks.length === 0) {
+      throw new HttpException(
+        `No checks defined for ${provider.slug}`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get decrypted credentials
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+
+    if (!credentials) {
+      throw new HttpException(
+        'No credentials found for connection',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Validate credentials based on auth type
+    if (manifest.auth.type === 'oauth2' && !credentials.access_token) {
+      throw new HttpException(
+        'No valid OAuth credentials found. Please reconnect.',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    if (manifest.auth.type === 'api_key') {
+      const apiKeyField = manifest.auth.config.name;
+      if (!credentials[apiKeyField] && !credentials.api_key) {
+        throw new HttpException(
+          'API key not found. Please reconnect the integration.',
+          HttpStatus.BAD_REQUEST,
+        );
+      }
+    }
+
+    if (manifest.auth.type === 'basic') {
+      const usernameField = manifest.auth.config.usernameField || 'username';
+      const passwordField = manifest.auth.config.passwordField || 'password';
+      if (!credentials[usernameField] || !credentials[passwordField]) {
+        throw new HttpException(
+          'Username and password required. Please reconnect the integration.',
+          HttpStatus.BAD_REQUEST,
+        );
+      }
+    }
+
+    if (
+      manifest.auth.type === 'custom' &&
+      Object.keys(credentials).length === 0
+    ) {
+      throw new HttpException(
+        'No valid credentials found for custom integration',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get user-configured variables
+    const variables =
+      (connection.variables as Record<
+        string,
+        string | number | boolean | string[] | undefined
+      >) || {};
+
+    this.logger.log(
+      `Running checks for connection ${connectionId} (${provider.slug})${body.checkId ? ` - check: ${body.checkId}` : ''}`,
+    );
+
+    // Create a check run record
+    const checkRun = await this.checkRunRepository.create({
+      connectionId,
+      checkId: body.checkId || 'all',
+      checkName: body.checkId || 'All Checks',
+    });
+
+    try {
+      // Run checks
+      const result = await runAllChecks({
+        manifest,
+        accessToken: credentials.access_token ?? undefined,
+        credentials: credentials,
+        variables,
+        connectionId,
+        organizationId: connection.organizationId,
+        checkId: body.checkId,
+        logger: {
+          info: (msg, data) => this.logger.log(msg, data),
+          warn: (msg, data) => this.logger.warn(msg, data),
+          error: (msg, data) => this.logger.error(msg, data),
+        },
+      });
+
+      this.logger.log(
+        `Checks completed for ${connectionId}: ${result.totalFindings} findings, ${result.totalPassing} passing`,
+      );
+
+      // Store all results (findings and passing)
+      const resultsToStore = result.results.flatMap((checkResult) => [
+        ...checkResult.result.findings.map((finding) => ({
+          checkRunId: checkRun.id,
+          passed: false,
+          title: finding.title,
+          description: finding.description || '',
+          resourceType: finding.resourceType,
+          resourceId: finding.resourceId,
+          severity: finding.severity,
+          remediation: finding.remediation,
+          evidence: JSON.parse(JSON.stringify(finding.evidence || {})),
+        })),
+        ...checkResult.result.passingResults.map((passing) => ({
+          checkRunId: checkRun.id,
+          passed: true,
+          title: passing.title,
+          description: passing.description || '',
+          resourceType: passing.resourceType,
+          resourceId: passing.resourceId,
+          severity: 'info' as const,
+          remediation: undefined,
+          evidence: JSON.parse(JSON.stringify(passing.evidence || {})),
+        })),
+      ]);
+
+      if (resultsToStore.length > 0) {
+        await this.checkRunRepository.addResults(resultsToStore);
+      }
+
+      // Update the check run status
+      const startTime = checkRun.startedAt?.getTime() || Date.now();
+      await this.checkRunRepository.complete(checkRun.id, {
+        status: result.totalFindings > 0 ? 'failed' : 'success',
+        durationMs: Date.now() - startTime,
+        totalChecked: result.results.length,
+        passedCount: result.totalPassing,
+        failedCount: result.totalFindings,
+      });
+
+      return {
+        connectionId,
+        providerSlug: provider.slug,
+        checkRunId: checkRun.id,
+        ...result,
+      };
+    } catch (error) {
+      // Mark the check run as failed
+      const startTime = checkRun.startedAt?.getTime() || Date.now();
+      await this.checkRunRepository.complete(checkRun.id, {
+        status: 'failed',
+        durationMs: Date.now() - startTime,
+        totalChecked: 0,
+        passedCount: 0,
+        failedCount: 0,
+        errorMessage: error instanceof Error ? error.message : String(error),
+      });
+
+      this.logger.error(`Check execution failed: ${error}`);
+      throw new HttpException(
+        `Check execution failed: ${error instanceof Error ? error.message : String(error)}`,
+        HttpStatus.INTERNAL_SERVER_ERROR,
+      );
+    }
+  }
+
+  /**
+   * Run a specific check for a connection
+   */
+  @Post('connections/:connectionId/run/:checkId')
+  async runSingleCheck(
+    @Param('connectionId') connectionId: string,
+    @Param('checkId') checkId: string,
+  ) {
+    return this.runConnectionChecks(connectionId, { checkId });
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/connections.controller.ts b/apps/api/src/integration-platform/controllers/connections.controller.ts
new file mode 100644
index 000000000..073a2eb14
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/connections.controller.ts
@@ -0,0 +1,688 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Put,
+  Delete,
+  Param,
+  Body,
+  Query,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import { ConnectionService } from '../services/connection.service';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { AutoCheckRunnerService } from '../services/auto-check-runner.service';
+import { ProviderRepository } from '../repositories/provider.repository';
+import {
+  getManifest,
+  getAllManifests,
+  getActiveManifests,
+  TASK_TEMPLATE_INFO,
+  type OAuthConfig,
+  type TaskTemplateId,
+} from '@comp/integration-platform';
+
+interface CreateConnectionDto {
+  providerSlug: string;
+  organizationId: string;
+  credentials?: Record<string, string>;
+}
+
+interface ListConnectionsQuery {
+  organizationId: string;
+}
+
+@Controller({ path: 'integrations/connections', version: '1' })
+export class ConnectionsController {
+  private readonly logger = new Logger(ConnectionsController.name);
+
+  constructor(
+    private readonly connectionService: ConnectionService,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+    private readonly autoCheckRunnerService: AutoCheckRunnerService,
+    private readonly providerRepository: ProviderRepository,
+  ) {}
+
+  /**
+   * List all available integration providers
+   */
+  @Get('providers')
+  async listProviders(@Query('activeOnly') activeOnly?: string) {
+    const manifests =
+      activeOnly === 'true' ? getActiveManifests() : getAllManifests();
+
+    // Check platform credentials for OAuth providers
+    const oauthProviderSlugs = manifests
+      .filter((m) => m.auth.type === 'oauth2')
+      .map((m) => m.id);
+
+    const platformCredentialsMap = new Map<string, boolean>();
+    for (const slug of oauthProviderSlugs) {
+      const availability = await this.oauthCredentialsService.checkAvailability(
+        slug,
+        '', // Empty org ID to just check platform credentials
+      );
+      platformCredentialsMap.set(slug, availability.hasPlatformCredentials);
+    }
+
+    return manifests.map((m) => {
+      // Get credential fields - from custom auth config or from manifest
+      const credentialFields =
+        m.auth.type === 'custom' && m.auth.config.credentialFields
+          ? m.auth.config.credentialFields
+          : m.credentialFields;
+
+      // Get setup instructions for custom auth
+      const setupInstructions =
+        m.auth.type === 'custom' ? m.auth.config.setupInstructions : undefined;
+
+      // For OAuth providers, check if platform credentials are configured
+      const oauthConfigured =
+        m.auth.type === 'oauth2'
+          ? (platformCredentialsMap.get(m.id) ?? false)
+          : undefined;
+
+      // Get mapped tasks from checks and collect required variables
+      const mappedTasks: Array<{ id: string; name: string }> = [];
+      const seenTaskIds = new Set<string>();
+      const requiredVariables = new Set<string>();
+
+      for (const check of m.checks || []) {
+        if (check.taskMapping && !seenTaskIds.has(check.taskMapping)) {
+          seenTaskIds.add(check.taskMapping);
+          const taskInfo =
+            TASK_TEMPLATE_INFO[check.taskMapping as TaskTemplateId];
+          if (taskInfo) {
+            mappedTasks.push({ id: check.taskMapping, name: taskInfo.name });
+          }
+        }
+        // Collect required variables
+        if (check.variables) {
+          for (const variable of check.variables) {
+            if (variable.required) {
+              requiredVariables.add(variable.id);
+            }
+          }
+        }
+      }
+
+      return {
+        id: m.id,
+        name: m.name,
+        description: m.description,
+        category: m.category,
+        logoUrl: m.logoUrl,
+        authType: m.auth.type,
+        capabilities: m.capabilities,
+        isActive: m.isActive,
+        docsUrl: m.docsUrl,
+        credentialFields,
+        setupInstructions,
+        oauthConfigured,
+        mappedTasks,
+        requiredVariables: Array.from(requiredVariables),
+      };
+    });
+  }
+
+  /**
+   * Get a specific provider's details
+   */
+  @Get('providers/:slug')
+  async getProvider(@Param('slug') slug: string) {
+    const manifest = getManifest(slug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${slug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Get credential fields - from custom auth config or from manifest
+    const credentialFields =
+      manifest.auth.type === 'custom' && manifest.auth.config.credentialFields
+        ? manifest.auth.config.credentialFields
+        : manifest.credentialFields;
+
+    // Get setup instructions for custom auth
+    const setupInstructions =
+      manifest.auth.type === 'custom'
+        ? manifest.auth.config.setupInstructions
+        : undefined;
+
+    // Get mapped tasks from checks
+    const mappedTasks: Array<{ id: string; name: string }> = [];
+    const seenTaskIds = new Set<string>();
+
+    // Collect required variables from all checks
+    const requiredVariables = new Set<string>();
+    for (const check of manifest.checks || []) {
+      if (check.taskMapping && !seenTaskIds.has(check.taskMapping)) {
+        seenTaskIds.add(check.taskMapping);
+        const taskInfo =
+          TASK_TEMPLATE_INFO[check.taskMapping as TaskTemplateId];
+        if (taskInfo) {
+          mappedTasks.push({ id: check.taskMapping, name: taskInfo.name });
+        }
+      }
+      // Collect required variables
+      if (check.variables) {
+        for (const variable of check.variables) {
+          if (variable.required) {
+            requiredVariables.add(variable.id);
+          }
+        }
+      }
+    }
+
+    return {
+      id: manifest.id,
+      name: manifest.name,
+      description: manifest.description,
+      category: manifest.category,
+      logoUrl: manifest.logoUrl,
+      authType: manifest.auth.type,
+      capabilities: manifest.capabilities,
+      isActive: manifest.isActive,
+      docsUrl: manifest.docsUrl,
+      credentialFields,
+      setupInstructions,
+      mappedTasks,
+      requiredVariables: Array.from(requiredVariables),
+    };
+  }
+
+  /**
+   * List connections for an organization
+   */
+  @Get()
+  async listConnections(@Query() query: ListConnectionsQuery) {
+    const { organizationId } = query;
+
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connections =
+      await this.connectionService.getOrganizationConnections(organizationId);
+
+    return connections.map((c) => ({
+      id: c.id,
+      providerId: c.providerId,
+      providerSlug: (c as any).provider?.slug,
+      providerName: (c as any).provider?.name,
+      status: c.status,
+      authStrategy: c.authStrategy,
+      lastSyncAt: c.lastSyncAt,
+      nextSyncAt: c.nextSyncAt,
+      errorMessage: c.errorMessage,
+      variables: c.variables,
+      createdAt: c.createdAt,
+    }));
+  }
+
+  /**
+   * Get a specific connection
+   */
+  @Get(':id')
+  async getConnection(@Param('id') id: string) {
+    const connection = await this.connectionService.getConnection(id);
+    const providerSlug = (connection as { provider?: { slug: string } })
+      .provider?.slug;
+
+    // Get credential fields for custom auth integrations
+    let credentialFields: Array<{
+      id: string;
+      label: string;
+      type: string;
+      required: boolean;
+      placeholder?: string;
+      helpText?: string;
+      options?: Array<{ value: string; label: string }>;
+    }> = [];
+
+    if (providerSlug) {
+      const manifest = getManifest(providerSlug);
+      if (
+        manifest?.auth.type === 'custom' &&
+        manifest.auth.config.credentialFields
+      ) {
+        credentialFields = manifest.auth.config.credentialFields;
+      }
+    }
+
+    return {
+      id: connection.id,
+      providerId: connection.providerId,
+      providerSlug,
+      providerName: (connection as { provider?: { name: string } }).provider
+        ?.name,
+      status: connection.status,
+      authStrategy: connection.authStrategy,
+      lastSyncAt: connection.lastSyncAt,
+      nextSyncAt: connection.nextSyncAt,
+      syncCadence: connection.syncCadence,
+      metadata: connection.metadata,
+      variables: connection.variables,
+      errorMessage: connection.errorMessage,
+      createdAt: connection.createdAt,
+      updatedAt: connection.updatedAt,
+      credentialFields,
+    };
+  }
+
+  /**
+   * Create a new connection with API key credentials
+   */
+  @Post()
+  async createConnection(@Body() body: CreateConnectionDto) {
+    const { providerSlug, organizationId, credentials } = body;
+
+    // Validate provider
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // For OAuth providers, redirect to OAuth flow
+    if (manifest.auth.type === 'oauth2') {
+      throw new HttpException(
+        'Use /integrations/oauth/start for OAuth providers',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Ensure provider exists in DB
+    await this.providerRepository.upsert({
+      slug: manifest.id,
+      name: manifest.name,
+      category: manifest.category,
+      capabilities: manifest.capabilities,
+      isActive: manifest.isActive,
+    });
+
+    // Create connection
+    const connection = await this.connectionService.createConnection({
+      providerSlug,
+      organizationId,
+      authStrategy: manifest.auth.type,
+    });
+
+    // Store credentials if provided
+    if (credentials && Object.keys(credentials).length > 0) {
+      await this.credentialVaultService.storeApiKeyCredentials(
+        connection.id,
+        credentials,
+      );
+    }
+
+    this.logger.log(
+      `Created connection for ${providerSlug}, org: ${organizationId}`,
+    );
+
+    // Auto-run checks if possible (fire and forget)
+    this.autoCheckRunnerService
+      .tryAutoRunChecks(connection.id)
+      .then((didRun) => {
+        if (didRun) {
+          this.logger.log(
+            `Auto-ran checks for ${providerSlug} after connection created`,
+          );
+        }
+      })
+      .catch((err) => {
+        this.logger.warn(
+          `Failed to auto-run checks after connection: ${err.message}`,
+        );
+      });
+
+    return {
+      id: connection.id,
+      providerId: connection.providerId,
+      status: connection.status,
+      authStrategy: connection.authStrategy,
+      createdAt: connection.createdAt,
+    };
+  }
+
+  /**
+   * Test a connection's credentials
+   */
+  @Post(':id/test')
+  async testConnection(@Param('id') id: string) {
+    const connection = await this.connectionService.getConnection(id);
+    const providerSlug = (connection as any).provider?.slug;
+
+    if (!providerSlug) {
+      throw new HttpException(
+        'Provider not found for connection',
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    const manifest = getManifest(providerSlug);
+    if (!manifest?.handler?.testConnection) {
+      throw new HttpException(
+        `Provider ${providerSlug} does not support connection testing`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get credentials
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connection.id);
+    if (!credentials) {
+      throw new HttpException(
+        'No credentials found for connection',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    try {
+      const isValid = await manifest.handler.testConnection(credentials);
+
+      if (isValid) {
+        await this.connectionService.activateConnection(connection.id);
+        return { success: true, message: 'Connection test successful' };
+      } else {
+        await this.connectionService.setConnectionError(
+          connection.id,
+          'Connection test failed',
+        );
+        return { success: false, message: 'Connection test failed' };
+      }
+    } catch (err) {
+      const errorMessage =
+        err instanceof Error ? err.message : 'Connection test failed';
+      await this.connectionService.setConnectionError(
+        connection.id,
+        errorMessage,
+      );
+      return { success: false, message: errorMessage };
+    }
+  }
+
+  /**
+   * Pause a connection
+   */
+  @Post(':id/pause')
+  async pauseConnection(@Param('id') id: string) {
+    const connection = await this.connectionService.pauseConnection(id);
+    return { id: connection.id, status: connection.status };
+  }
+
+  /**
+   * Resume a paused connection
+   */
+  @Post(':id/resume')
+  async resumeConnection(@Param('id') id: string) {
+    const connection = await this.connectionService.activateConnection(id);
+    return { id: connection.id, status: connection.status };
+  }
+
+  /**
+   * Disconnect (soft delete) a connection
+   */
+  @Post(':id/disconnect')
+  async disconnectConnection(@Param('id') id: string) {
+    const connection = await this.connectionService.disconnectConnection(id);
+    return { id: connection.id, status: connection.status };
+  }
+
+  /**
+   * Delete a connection permanently
+   */
+  @Delete(':id')
+  async deleteConnection(@Param('id') id: string) {
+    await this.connectionService.deleteConnection(id);
+    return { success: true };
+  }
+
+  /**
+   * Get valid credentials for a connection, refreshing OAuth tokens if needed.
+   * Used by scheduled jobs to ensure tokens are valid before running checks.
+   */
+  @Post(':id/ensure-valid-credentials')
+  async ensureValidCredentials(
+    @Param('id') id: string,
+    @Query('organizationId') organizationId: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connection = await this.connectionService.getConnection(id);
+
+    if (connection.organizationId !== organizationId) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.status !== 'active') {
+      throw new HttpException(
+        'Connection is not active',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const providerSlug = (connection as { provider?: { slug: string } })
+      .provider?.slug;
+    if (!providerSlug) {
+      throw new HttpException(
+        'Provider not found for connection',
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest not found for ${providerSlug}`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Check if token needs refresh (for OAuth integrations that support it)
+    if (manifest.auth.type === 'oauth2') {
+      const oauthConfig = manifest.auth.config;
+
+      // Skip refresh for providers that don't support refresh tokens (e.g., GitHub)
+      const supportsRefresh = oauthConfig.supportsRefreshToken !== false;
+
+      if (supportsRefresh) {
+        const needsRefresh = await this.credentialVaultService.needsRefresh(id);
+
+        if (needsRefresh) {
+          this.logger.log(
+            `Token needs refresh for connection ${id}, attempting refresh...`,
+          );
+
+          const oauthCredentials =
+            await this.oauthCredentialsService.getCredentials(
+              providerSlug,
+              organizationId,
+            );
+
+          if (!oauthCredentials) {
+            throw new HttpException(
+              'OAuth credentials not configured',
+              HttpStatus.BAD_REQUEST,
+            );
+          }
+
+          const newToken = await this.credentialVaultService.refreshOAuthTokens(
+            id,
+            {
+              tokenUrl: oauthConfig.tokenUrl,
+              refreshUrl: oauthConfig.refreshUrl,
+              clientId: oauthCredentials.clientId,
+              clientSecret: oauthCredentials.clientSecret,
+              clientAuthMethod: oauthConfig.clientAuthMethod,
+            },
+          );
+
+          if (!newToken) {
+            // Refresh failed - connection needs to be re-established
+            await this.connectionService.setConnectionError(
+              id,
+              'OAuth token expired and refresh failed. Please reconnect.',
+            );
+            throw new HttpException(
+              'Token refresh failed. Please reconnect the integration.',
+              HttpStatus.UNAUTHORIZED,
+            );
+          }
+
+          this.logger.log(`Successfully refreshed token for connection ${id}`);
+        }
+      }
+    }
+
+    // Get current credentials
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(id);
+
+    if (!credentials) {
+      throw new HttpException(
+        'No credentials found for connection',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // For OAuth, validate access_token exists
+    if (manifest.auth.type === 'oauth2' && !credentials.access_token) {
+      throw new HttpException(
+        'No valid OAuth credentials found. Please reconnect.',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // For API key auth, validate key exists
+    if (manifest.auth.type === 'api_key') {
+      const apiKeyField = manifest.auth.config.name;
+      if (!credentials[apiKeyField] && !credentials.api_key) {
+        throw new HttpException('API key not found', HttpStatus.BAD_REQUEST);
+      }
+    }
+
+    // For basic auth, validate username and password exist
+    if (manifest.auth.type === 'basic') {
+      const usernameField = manifest.auth.config.usernameField || 'username';
+      const passwordField = manifest.auth.config.passwordField || 'password';
+      if (!credentials[usernameField] || !credentials[passwordField]) {
+        throw new HttpException(
+          'Username and password required',
+          HttpStatus.BAD_REQUEST,
+        );
+      }
+    }
+
+    // For custom auth (like AWS), validate credentials exist
+    if (
+      manifest.auth.type === 'custom' &&
+      Object.keys(credentials).length === 0
+    ) {
+      throw new HttpException(
+        'No valid credentials found for custom integration',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    return {
+      success: true,
+      accessToken: credentials.access_token ?? undefined,
+      credentials,
+    };
+  }
+
+  /**
+   * Update credentials for a custom auth connection
+   */
+  @Put(':id/credentials')
+  async updateCredentials(
+    @Param('id') id: string,
+    @Query('organizationId') organizationId: string,
+    @Body() body: { credentials: Record<string, string> },
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connection = await this.connectionService.getConnection(id);
+
+    if (connection.organizationId !== organizationId) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    const providerSlug = (connection as { provider?: { slug: string } })
+      .provider?.slug;
+    if (!providerSlug) {
+      throw new HttpException(
+        'Provider not found for connection',
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest not found for ${providerSlug}`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Only allow updating credentials for non-OAuth integrations
+    if (manifest.auth.type === 'oauth2') {
+      throw new HttpException(
+        'Credential updates are not supported for OAuth integrations. Please disconnect and reconnect to refresh the OAuth token.',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Store the new credentials
+    await this.credentialVaultService.storeApiKeyCredentials(
+      id,
+      body.credentials,
+    );
+
+    // Reactivate the connection if it was in error state
+    if (connection.status === 'error') {
+      await this.connectionService.activateConnection(id);
+    }
+
+    this.logger.log(`Updated credentials for connection ${id}`);
+
+    // Auto-run checks if possible (fire and forget)
+    this.autoCheckRunnerService
+      .tryAutoRunChecks(id)
+      .then((didRun) => {
+        if (didRun) {
+          this.logger.log(
+            `Auto-ran checks for connection ${id} after credential update`,
+          );
+        }
+      })
+      .catch((err) => {
+        this.logger.warn(
+          `Failed to auto-run checks after credential update: ${err.message}`,
+        );
+      });
+
+    return { success: true };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/oauth-apps.controller.ts b/apps/api/src/integration-platform/controllers/oauth-apps.controller.ts
new file mode 100644
index 000000000..5713d540c
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/oauth-apps.controller.ts
@@ -0,0 +1,180 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Delete,
+  Body,
+  Param,
+  Query,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { OAuthAppRepository } from '../repositories/oauth-app.repository';
+import { getManifest } from '@comp/integration-platform';
+
+interface SaveOAuthAppDto {
+  providerSlug: string;
+  organizationId: string;
+  clientId: string;
+  clientSecret: string;
+  customScopes?: string[];
+}
+
+@Controller({ path: 'integrations/oauth-apps', version: '1' })
+export class OAuthAppsController {
+  private readonly logger = new Logger(OAuthAppsController.name);
+
+  constructor(
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+    private readonly oauthAppRepository: OAuthAppRepository,
+  ) {}
+
+  /**
+   * List custom OAuth apps for an organization
+   */
+  @Get()
+  async listOAuthApps(@Query('organizationId') organizationId: string) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const apps =
+      await this.oauthAppRepository.findByOrganization(organizationId);
+
+    // Don't expose encrypted credentials, just metadata
+    return apps.map((app) => ({
+      providerSlug: app.providerSlug,
+      customScopes: app.customScopes,
+      isActive: app.isActive,
+      createdAt: app.createdAt,
+      updatedAt: app.updatedAt,
+    }));
+  }
+
+  /**
+   * Get OAuth app setup info for a provider
+   */
+  @Get('setup/:providerSlug')
+  async getSetupInfo(
+    @Param('providerSlug') providerSlug: string,
+    @Query('organizationId') organizationId: string,
+  ) {
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (manifest.auth.type !== 'oauth2') {
+      throw new HttpException(
+        `Provider ${providerSlug} does not use OAuth`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const oauthConfig = manifest.auth.config;
+    const availability = await this.oauthCredentialsService.checkAvailability(
+      providerSlug,
+      organizationId,
+    );
+
+    // Build callback URL that user needs to configure in their OAuth app
+    const callbackUrl = `${process.env.BASE_URL || 'http://localhost:3333'}/v1/integrations/oauth/callback`;
+
+    return {
+      providerSlug,
+      providerName: manifest.name,
+      ...availability,
+      requiredScopes: oauthConfig.scopes,
+      callbackUrl,
+      setupInstructions: oauthConfig.setupInstructions,
+      createAppUrl: oauthConfig.createAppUrl,
+    };
+  }
+
+  /**
+   * Save custom OAuth app credentials for an organization
+   */
+  @Post()
+  async saveOAuthApp(@Body() body: SaveOAuthAppDto) {
+    const {
+      providerSlug,
+      organizationId,
+      clientId,
+      clientSecret,
+      customScopes,
+    } = body;
+
+    // Validate provider
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (manifest.auth.type !== 'oauth2') {
+      throw new HttpException(
+        `Provider ${providerSlug} does not use OAuth`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Validate required fields
+    if (!clientId || !clientSecret) {
+      throw new HttpException(
+        'clientId and clientSecret are required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    await this.oauthCredentialsService.saveOrgCredentials(
+      providerSlug,
+      organizationId,
+      clientId,
+      clientSecret,
+      customScopes,
+    );
+
+    this.logger.log(
+      `Saved custom OAuth app for ${providerSlug}, org: ${organizationId}`,
+    );
+
+    return { success: true };
+  }
+
+  /**
+   * Delete custom OAuth app credentials for an organization
+   */
+  @Delete(':providerSlug')
+  async deleteOAuthApp(
+    @Param('providerSlug') providerSlug: string,
+    @Query('organizationId') organizationId: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    await this.oauthCredentialsService.deleteOrgCredentials(
+      providerSlug,
+      organizationId,
+    );
+
+    this.logger.log(
+      `Deleted custom OAuth app for ${providerSlug}, org: ${organizationId}`,
+    );
+
+    return { success: true };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/oauth.controller.ts b/apps/api/src/integration-platform/controllers/oauth.controller.ts
new file mode 100644
index 000000000..102017f1d
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/oauth.controller.ts
@@ -0,0 +1,494 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Query,
+  Body,
+  Res,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import type { Response } from 'express';
+import { randomBytes, createHash } from 'crypto';
+import { OAuthStateRepository } from '../repositories/oauth-state.repository';
+import { ProviderRepository } from '../repositories/provider.repository';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { ConnectionService } from '../services/connection.service';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { AutoCheckRunnerService } from '../services/auto-check-runner.service';
+import { getManifest, type OAuthConfig } from '@comp/integration-platform';
+
+interface StartOAuthDto {
+  providerSlug: string;
+  organizationId: string;
+  userId: string;
+  redirectUrl?: string;
+}
+
+interface OAuthCallbackQuery {
+  code: string;
+  state: string;
+  error?: string;
+  error_description?: string;
+}
+
+@Controller({ path: 'integrations/oauth', version: '1' })
+export class OAuthController {
+  private readonly logger = new Logger(OAuthController.name);
+
+  constructor(
+    private readonly oauthStateRepository: OAuthStateRepository,
+    private readonly providerRepository: ProviderRepository,
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly connectionService: ConnectionService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+    private readonly autoCheckRunnerService: AutoCheckRunnerService,
+  ) {}
+
+  /**
+   * Check if OAuth credentials are available for a provider
+   */
+  @Get('availability')
+  async checkAvailability(
+    @Query('providerSlug') providerSlug: string,
+    @Query('organizationId') organizationId: string,
+  ) {
+    if (!providerSlug || !organizationId) {
+      throw new HttpException(
+        'providerSlug and organizationId are required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    return this.oauthCredentialsService.checkAvailability(
+      providerSlug,
+      organizationId,
+    );
+  }
+
+  /**
+   * Start OAuth flow - returns authorization URL
+   */
+  @Post('start')
+  async startOAuth(
+    @Body() body: StartOAuthDto,
+  ): Promise<{ authorizationUrl: string }> {
+    const { providerSlug, organizationId, userId, redirectUrl } = body;
+
+    // Get manifest and OAuth config
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (manifest.auth.type !== 'oauth2') {
+      throw new HttpException(
+        `Provider ${providerSlug} does not use OAuth`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const oauthConfig = manifest.auth.config;
+
+    // Get OAuth credentials (org-level or platform-level)
+    const credentials = await this.oauthCredentialsService.getCredentials(
+      providerSlug,
+      organizationId,
+    );
+
+    if (!credentials) {
+      const availability = await this.oauthCredentialsService.checkAvailability(
+        providerSlug,
+        organizationId,
+      );
+      throw new HttpException(
+        {
+          message: `No OAuth credentials available for ${providerSlug}`,
+          setupInstructions: availability.setupInstructions,
+          createAppUrl: availability.createAppUrl,
+        },
+        HttpStatus.PRECONDITION_FAILED,
+      );
+    }
+
+    // Ensure provider exists in DB
+    await this.providerRepository.upsert({
+      slug: manifest.id,
+      name: manifest.name,
+      category: manifest.category,
+      capabilities: manifest.capabilities,
+      isActive: manifest.isActive,
+    });
+
+    // Generate PKCE code verifier if needed
+    let codeVerifier: string | undefined;
+    let codeChallenge: string | undefined;
+
+    if (oauthConfig.pkce) {
+      codeVerifier = randomBytes(32).toString('base64url');
+      codeChallenge = createHash('sha256')
+        .update(codeVerifier)
+        .digest('base64url');
+    }
+
+    // Create OAuth state record
+    const oauthState = await this.oauthStateRepository.create({
+      providerSlug,
+      organizationId,
+      userId,
+      codeVerifier,
+      redirectUrl,
+    });
+
+    // Build authorization URL, replacing any placeholders with custom settings
+    let authorizeUrl = oauthConfig.authorizeUrl;
+    if (credentials.customSettings) {
+      // Replace {APP_NAME} placeholder with custom setting (used by Rippling, etc.)
+      if (credentials.customSettings.appName) {
+        authorizeUrl = authorizeUrl.replace(
+          '{APP_NAME}',
+          String(credentials.customSettings.appName),
+        );
+      }
+    }
+    const authUrl = new URL(authorizeUrl);
+
+    // Standard OAuth2 params
+    authUrl.searchParams.set('client_id', credentials.clientId);
+    authUrl.searchParams.set('response_type', 'code');
+    authUrl.searchParams.set('state', oauthState.state);
+
+    // Callback URL
+    const callbackUrl = `${process.env.BASE_URL || 'http://localhost:3333'}/v1/integrations/oauth/callback`;
+    authUrl.searchParams.set('redirect_uri', callbackUrl);
+
+    // Scopes
+    if (credentials.scopes.length > 0) {
+      authUrl.searchParams.set('scope', credentials.scopes.join(' '));
+    }
+
+    // PKCE
+    if (codeChallenge) {
+      authUrl.searchParams.set('code_challenge', codeChallenge);
+      authUrl.searchParams.set('code_challenge_method', 'S256');
+    }
+
+    // Additional authorization params from manifest
+    if (oauthConfig.authorizationParams) {
+      for (const [key, value] of Object.entries(
+        oauthConfig.authorizationParams,
+      )) {
+        authUrl.searchParams.set(key, String(value));
+      }
+    }
+
+    this.logger.log(
+      `Starting OAuth flow for ${providerSlug}, org: ${organizationId} (credentials from ${credentials.source})`,
+    );
+
+    return { authorizationUrl: authUrl.toString() };
+  }
+
+  /**
+   * OAuth callback - exchanges code for tokens
+   */
+  @Get('callback')
+  async oauthCallback(
+    @Query() query: OAuthCallbackQuery,
+    @Res() res: Response,
+  ): Promise<void> {
+    const { code, state, error, error_description } = query;
+
+    // Handle OAuth errors
+    if (error) {
+      this.logger.error(`OAuth error: ${error} - ${error_description}`);
+      const errorUrl = this.buildRedirectUrl(null, {
+        error,
+        error_description: error_description || 'OAuth authorization failed',
+      });
+      res.redirect(errorUrl);
+      return;
+    }
+
+    if (!code || !state) {
+      const errorUrl = this.buildRedirectUrl(null, {
+        error: 'invalid_request',
+        error_description: 'Missing code or state parameter',
+      });
+      res.redirect(errorUrl);
+      return;
+    }
+
+    // Validate state
+    const oauthState = await this.oauthStateRepository.findByState(state);
+    if (!oauthState) {
+      const errorUrl = this.buildRedirectUrl(null, {
+        error: 'invalid_state',
+        error_description: 'Invalid or expired OAuth state',
+      });
+      res.redirect(errorUrl);
+      return;
+    }
+
+    if (oauthState.expiresAt < new Date()) {
+      await this.oauthStateRepository.delete(state);
+      const errorUrl = this.buildRedirectUrl(
+        oauthState.redirectUrl,
+        {
+          error: 'expired_state',
+          error_description: 'OAuth state has expired',
+        },
+        oauthState.organizationId,
+      );
+      res.redirect(errorUrl);
+      return;
+    }
+
+    try {
+      // Get manifest and OAuth config
+      const manifest = getManifest(oauthState.providerSlug);
+      if (!manifest || manifest.auth.type !== 'oauth2') {
+        throw new Error(`Invalid provider: ${oauthState.providerSlug}`);
+      }
+
+      const oauthConfig = manifest.auth.config;
+
+      // Get OAuth credentials
+      const credentials = await this.oauthCredentialsService.getCredentials(
+        oauthState.providerSlug,
+        oauthState.organizationId,
+      );
+
+      if (!credentials) {
+        throw new Error('OAuth credentials no longer available');
+      }
+
+      // Exchange code for tokens
+      const tokens = await this.exchangeCodeForTokens(
+        oauthConfig,
+        credentials,
+        code,
+        oauthState.codeVerifier,
+      );
+
+      // Get or create provider
+      const provider = await this.providerRepository.findBySlug(
+        oauthState.providerSlug,
+      );
+      if (!provider) {
+        throw new Error(`Provider not found: ${oauthState.providerSlug}`);
+      }
+
+      // Get or create connection
+      let connection = await this.connectionRepository.findByProviderAndOrg(
+        provider.id,
+        oauthState.organizationId,
+      );
+
+      if (!connection) {
+        connection = await this.connectionService.createConnection({
+          providerSlug: oauthState.providerSlug,
+          organizationId: oauthState.organizationId,
+          authStrategy: 'oauth2',
+        });
+      }
+
+      // Store tokens
+      await this.credentialVaultService.storeOAuthTokens(connection.id, tokens);
+
+      // Provider-specific post-OAuth actions
+      if (oauthState.providerSlug === 'rippling') {
+        // Rippling requires calling mark_app_installed to finalize
+        // See: https://developer.rippling.com/documentation/developer-portal/v2-guides/installation
+        await this.markRipplingAppInstalled(tokens.access_token);
+      }
+
+      // Clean up state
+      await this.oauthStateRepository.delete(state);
+
+      this.logger.log(
+        `OAuth completed for ${oauthState.providerSlug}, org: ${oauthState.organizationId}`,
+      );
+
+      // Auto-run checks if possible (fire and forget - don't block the redirect)
+      this.autoCheckRunnerService
+        .tryAutoRunChecks(connection.id)
+        .then((didRun) => {
+          if (didRun) {
+            this.logger.log(
+              `Auto-ran checks for ${oauthState.providerSlug} after OAuth`,
+            );
+          }
+        })
+        .catch((err) => {
+          this.logger.warn(
+            `Failed to auto-run checks after OAuth: ${err.message}`,
+          );
+        });
+
+      // Redirect to success URL
+      const successUrl = this.buildRedirectUrl(
+        oauthState.redirectUrl,
+        {
+          success: 'true',
+          provider: oauthState.providerSlug,
+        },
+        oauthState.organizationId,
+      );
+      res.redirect(successUrl);
+    } catch (err) {
+      this.logger.error(`OAuth callback error: ${err}`);
+      await this.oauthStateRepository.delete(state);
+
+      const errorUrl = this.buildRedirectUrl(
+        oauthState.redirectUrl,
+        {
+          error: 'token_exchange_failed',
+          error_description:
+            err instanceof Error
+              ? err.message
+              : 'Failed to exchange code for tokens',
+        },
+        oauthState.organizationId,
+      );
+      res.redirect(errorUrl);
+    }
+  }
+
+  private async exchangeCodeForTokens(
+    config: OAuthConfig,
+    credentials: { clientId: string; clientSecret: string },
+    code: string,
+    codeVerifier?: string | null,
+  ): Promise<{
+    access_token: string;
+    refresh_token?: string;
+    token_type?: string;
+    expires_in?: number;
+    scope?: string;
+  }> {
+    const callbackUrl = `${process.env.BASE_URL || 'http://localhost:3333'}/v1/integrations/oauth/callback`;
+
+    // Build token request body
+    const body = new URLSearchParams({
+      grant_type: 'authorization_code',
+      code,
+      redirect_uri: callbackUrl,
+    });
+
+    // Add PKCE verifier if present
+    if (codeVerifier) {
+      body.set('code_verifier', codeVerifier);
+    }
+
+    // Add additional token params from manifest
+    if (config.tokenParams) {
+      for (const [key, value] of Object.entries(config.tokenParams)) {
+        body.set(key, String(value));
+      }
+    }
+
+    // Prepare headers
+    const headers: Record<string, string> = {
+      'Content-Type': 'application/x-www-form-urlencoded',
+      Accept: 'application/json',
+    };
+
+    // Add client credentials based on auth method
+    if (config.clientAuthMethod === 'header') {
+      const creds = Buffer.from(
+        `${credentials.clientId}:${credentials.clientSecret}`,
+      ).toString('base64');
+      headers['Authorization'] = `Basic ${creds}`;
+    } else {
+      // Default: send in body
+      body.set('client_id', credentials.clientId);
+      body.set('client_secret', credentials.clientSecret);
+    }
+
+    // Make token request
+    const response = await fetch(config.tokenUrl, {
+      method: 'POST',
+      headers,
+      body: body.toString(),
+    });
+
+    if (!response.ok) {
+      await response.text(); // consume body
+      this.logger.error(`Token exchange failed: ${response.status}`);
+      throw new Error(`Token exchange failed: ${response.status}`);
+    }
+
+    const tokens = await response.json();
+
+    if (!tokens.access_token) {
+      throw new Error('No access token in response');
+    }
+
+    return tokens;
+  }
+
+  /**
+   * Mark Rippling app as installed (required by Rippling)
+   * See: https://developer.rippling.com/documentation/developer-portal/v2-guides/installation
+   */
+  private async markRipplingAppInstalled(accessToken: string): Promise<void> {
+    try {
+      const response = await fetch(
+        'https://api.rippling.com/platform/api/mark_app_installed',
+        {
+          method: 'POST',
+          headers: {
+            Accept: 'application/json',
+            Authorization: `Bearer ${accessToken}`,
+          },
+        },
+      );
+
+      if (!response.ok) {
+        const errorText = await response.text();
+        this.logger.warn(
+          `Failed to mark Rippling app as installed: ${response.status} - ${errorText}`,
+        );
+        // Don't throw - the OAuth flow itself succeeded
+      } else {
+        await response.json(); // consume body
+        this.logger.log('Rippling app marked as installed');
+      }
+    } catch (error) {
+      this.logger.warn(`Error marking Rippling app as installed: ${error}`);
+      // Don't throw - the OAuth flow itself succeeded
+    }
+  }
+
+  private buildRedirectUrl(
+    baseUrl: string | null | undefined,
+    params: Record<string, string>,
+    organizationId?: string,
+  ): string {
+    // Use provided URL or build default with org ID
+    let targetUrl: string;
+    if (baseUrl) {
+      targetUrl = baseUrl;
+    } else {
+      targetUrl = `${process.env.APP_URL || 'http://localhost:3000'}`;
+      if (organizationId) {
+        targetUrl += `/${organizationId}/integrations`;
+      } else {
+        targetUrl += '/integrations';
+      }
+    }
+
+    const url = new URL(targetUrl);
+    for (const [key, value] of Object.entries(params)) {
+      url.searchParams.set(key, value);
+    }
+    return url.toString();
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/sync.controller.ts b/apps/api/src/integration-platform/controllers/sync.controller.ts
new file mode 100644
index 000000000..f34117014
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/sync.controller.ts
@@ -0,0 +1,907 @@
+import {
+  Controller,
+  Post,
+  Get,
+  Query,
+  Body,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import { db } from '@db';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { getManifest, type OAuthConfig } from '@comp/integration-platform';
+
+interface SyncQuery {
+  organizationId: string;
+  connectionId: string;
+}
+
+interface GoogleWorkspaceUser {
+  id: string;
+  primaryEmail: string;
+  name: {
+    fullName: string;
+    givenName?: string;
+    familyName?: string;
+  };
+  isAdmin?: boolean;
+  suspended?: boolean;
+  orgUnitPath?: string;
+}
+
+interface GoogleWorkspaceUsersResponse {
+  users?: GoogleWorkspaceUser[];
+  nextPageToken?: string;
+}
+
+@Controller({ path: 'integrations/sync', version: '1' })
+export class SyncController {
+  private readonly logger = new Logger(SyncController.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+  ) {}
+
+  /**
+   * Sync employees from Google Workspace
+   */
+  @Post('google-workspace/employees')
+  async syncGoogleWorkspaceEmployees(@Query() query: SyncQuery) {
+    const { organizationId, connectionId } = query;
+
+    if (!organizationId || !connectionId) {
+      throw new HttpException(
+        'organizationId and connectionId are required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get the connection
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.organizationId !== organizationId) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    // Get the provider to check the slug
+    const provider = await db.integrationProvider.findUnique({
+      where: { id: connection.providerId },
+    });
+
+    if (!provider || provider.slug !== 'google-workspace') {
+      throw new HttpException(
+        'This endpoint only supports Google Workspace connections',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get the manifest
+    const manifest = getManifest('google-workspace');
+    if (!manifest) {
+      throw new HttpException(
+        'Google Workspace manifest not found',
+        HttpStatus.INTERNAL_SERVER_ERROR,
+      );
+    }
+
+    // Get credentials
+    let credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+    if (!credentials?.access_token) {
+      throw new HttpException(
+        'No valid credentials found. Please reconnect the integration.',
+        HttpStatus.UNAUTHORIZED,
+      );
+    }
+
+    // Try to refresh the token if it might be expired (Google tokens expire after 1 hour)
+    if (manifest.auth.type === 'oauth2' && credentials.refresh_token) {
+      const oauthConfig = manifest.auth.config;
+      try {
+        // Get OAuth credentials (client ID/secret) for the refresh
+        const oauthCredentials =
+          await this.oauthCredentialsService.getCredentials(
+            'google-workspace',
+            organizationId,
+          );
+
+        if (oauthCredentials) {
+          const newToken = await this.credentialVaultService.refreshOAuthTokens(
+            connectionId,
+            {
+              tokenUrl: oauthConfig.tokenUrl,
+              refreshUrl: oauthConfig.refreshUrl,
+              clientId: oauthCredentials.clientId,
+              clientSecret: oauthCredentials.clientSecret,
+              clientAuthMethod: oauthConfig.clientAuthMethod,
+            },
+          );
+          if (newToken) {
+            // Re-fetch credentials to get the new token
+            credentials =
+              await this.credentialVaultService.getDecryptedCredentials(
+                connectionId,
+              );
+            if (!credentials?.access_token) {
+              throw new Error('Failed to get refreshed credentials');
+            }
+            this.logger.log(
+              'Successfully refreshed Google Workspace OAuth token',
+            );
+          }
+        }
+      } catch (refreshError) {
+        this.logger.warn(
+          `Token refresh failed, trying with existing token: ${refreshError}`,
+        );
+      }
+    }
+
+    // Final check that we have valid credentials
+    const accessToken = credentials?.access_token;
+    if (!accessToken) {
+      throw new HttpException(
+        'No valid credentials found. Please reconnect the integration.',
+        HttpStatus.UNAUTHORIZED,
+      );
+    }
+
+    // Fetch users from Google Workspace
+    const users: GoogleWorkspaceUser[] = [];
+    let nextPageToken: string | undefined;
+
+    try {
+      do {
+        const url = new URL(
+          'https://admin.googleapis.com/admin/directory/v1/users',
+        );
+        url.searchParams.set('customer', 'my_customer');
+        url.searchParams.set('maxResults', '500');
+        url.searchParams.set('orderBy', 'email');
+        if (nextPageToken) {
+          url.searchParams.set('pageToken', nextPageToken);
+        }
+
+        const response = await fetch(url.toString(), {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            'Content-Type': 'application/json',
+          },
+        });
+
+        if (!response.ok) {
+          if (response.status === 401) {
+            throw new HttpException(
+              'Google Workspace credentials expired. Please reconnect.',
+              HttpStatus.UNAUTHORIZED,
+            );
+          }
+          const errorText = await response.text();
+          this.logger.error(
+            `Google API error: ${response.status} ${response.statusText}`,
+          );
+          throw new HttpException(
+            'Failed to fetch users from Google Workspace',
+            HttpStatus.BAD_GATEWAY,
+          );
+        }
+
+        const data: GoogleWorkspaceUsersResponse = await response.json();
+        if (data.users) {
+          users.push(...data.users);
+        }
+        nextPageToken = data.nextPageToken;
+      } while (nextPageToken);
+    } catch (error) {
+      if (error instanceof HttpException) throw error;
+      this.logger.error(`Error fetching Google Workspace users: ${error}`);
+      throw new HttpException(
+        'Failed to fetch users from Google Workspace',
+        HttpStatus.BAD_GATEWAY,
+      );
+    }
+
+    // Separate active and suspended users
+    const activeUsers = users.filter((u) => !u.suspended);
+    const suspendedEmails = new Set(
+      users.filter((u) => u.suspended).map((u) => u.primaryEmail.toLowerCase()),
+    );
+    const activeEmails = new Set(
+      activeUsers.map((u) => u.primaryEmail.toLowerCase()),
+    );
+
+    this.logger.log(
+      `Found ${activeUsers.length} active users and ${suspendedEmails.size} suspended users in Google Workspace`,
+    );
+
+    // Import users into the organization
+    const results = {
+      imported: 0,
+      skipped: 0,
+      deactivated: 0,
+      reactivated: 0,
+      errors: 0,
+      details: [] as Array<{
+        email: string;
+        status:
+          | 'imported'
+          | 'skipped'
+          | 'deactivated'
+          | 'reactivated'
+          | 'error';
+        reason?: string;
+      }>,
+    };
+
+    for (const gwUser of activeUsers) {
+      try {
+        // Check if user already exists
+        const existingUser = await db.user.findUnique({
+          where: { email: gwUser.primaryEmail },
+        });
+
+        let userId: string;
+
+        if (existingUser) {
+          userId = existingUser.id;
+        } else {
+          // Create new user
+          const newUser = await db.user.create({
+            data: {
+              email: gwUser.primaryEmail,
+              name: gwUser.name.fullName || gwUser.primaryEmail.split('@')[0],
+              emailVerified: true, // Google Workspace users are verified
+            },
+          });
+          userId = newUser.id;
+        }
+
+        // Check if member already exists in this org
+        const existingMember = await db.member.findFirst({
+          where: {
+            organizationId,
+            userId,
+          },
+        });
+
+        if (existingMember) {
+          // If member was deactivated but is now active in GW, reactivate them
+          if (existingMember.deactivated) {
+            await db.member.update({
+              where: { id: existingMember.id },
+              data: { deactivated: false, isActive: true },
+            });
+            results.reactivated++;
+            results.details.push({
+              email: gwUser.primaryEmail,
+              status: 'reactivated',
+              reason: 'User is active again in Google Workspace',
+            });
+          } else {
+            results.skipped++;
+            results.details.push({
+              email: gwUser.primaryEmail,
+              status: 'skipped',
+              reason: 'Already a member',
+            });
+          }
+          continue;
+        }
+
+        // Create member - always as employee, admins can be promoted manually
+        await db.member.create({
+          data: {
+            organizationId,
+            userId,
+            role: 'employee',
+            isActive: true,
+          },
+        });
+
+        results.imported++;
+        results.details.push({
+          email: gwUser.primaryEmail,
+          status: 'imported',
+        });
+      } catch (error) {
+        this.logger.error(`Error importing Google Workspace user: ${error}`);
+        results.errors++;
+        results.details.push({
+          email: gwUser.primaryEmail,
+          status: 'error',
+          reason: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
+    }
+
+    // Deactivate members who are suspended OR deleted in Google Workspace
+    // Get all active members in this org
+    const allOrgMembers = await db.member.findMany({
+      where: {
+        organizationId,
+        deactivated: false,
+      },
+      include: {
+        user: true,
+      },
+    });
+
+    // Get the domain from active users to only check members with matching domain
+    const gwDomains = new Set(
+      activeUsers.map((u) => u.primaryEmail.split('@')[1]?.toLowerCase()),
+    );
+
+    for (const member of allOrgMembers) {
+      const memberEmail = member.user.email.toLowerCase();
+      const memberDomain = memberEmail.split('@')[1];
+
+      // Only check members whose email domain matches the Google Workspace domain
+      if (!memberDomain || !gwDomains.has(memberDomain)) {
+        continue;
+      }
+
+      // If this member's email is suspended OR not in the active list, deactivate them
+      const isSuspended = suspendedEmails.has(memberEmail);
+      const isDeleted =
+        !activeEmails.has(memberEmail) && !suspendedEmails.has(memberEmail);
+
+      if (isSuspended || isDeleted) {
+        try {
+          await db.member.update({
+            where: { id: member.id },
+            data: { deactivated: true, isActive: false },
+          });
+          results.deactivated++;
+          results.details.push({
+            email: member.user.email,
+            status: 'deactivated',
+            reason: isSuspended
+              ? 'User is suspended in Google Workspace'
+              : 'User was removed from Google Workspace',
+          });
+        } catch (error) {
+          this.logger.error(`Error deactivating member: ${error}`);
+        }
+      }
+    }
+
+    this.logger.log(
+      `Google Workspace sync complete: ${results.imported} imported, ${results.reactivated} reactivated, ${results.deactivated} deactivated, ${results.skipped} skipped, ${results.errors} errors`,
+    );
+
+    return {
+      success: true,
+      totalFound: activeUsers.length,
+      totalSuspended: suspendedEmails.size,
+      ...results,
+    };
+  }
+
+  /**
+   * Check if Google Workspace is connected for an organization
+   */
+  @Post('google-workspace/status')
+  async getGoogleWorkspaceStatus(
+    @Query('organizationId') organizationId: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connection = await this.connectionRepository.findBySlugAndOrg(
+      'google-workspace',
+      organizationId,
+    );
+
+    if (!connection || connection.status !== 'active') {
+      return {
+        connected: false,
+        connectionId: null,
+        lastSyncAt: null,
+        nextSyncAt: null,
+      };
+    }
+
+    return {
+      connected: true,
+      connectionId: connection.id,
+      lastSyncAt: connection.lastSyncAt?.toISOString() ?? null,
+      nextSyncAt: connection.nextSyncAt?.toISOString() ?? null,
+    };
+  }
+
+  /**
+   * Sync employees from Rippling
+   */
+  @Post('rippling/employees')
+  async syncRipplingEmployees(@Query() query: SyncQuery) {
+    const { organizationId, connectionId } = query;
+
+    if (!organizationId || !connectionId) {
+      throw new HttpException(
+        'organizationId and connectionId are required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get the connection
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.organizationId !== organizationId) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    // Get the provider to check the slug
+    const provider = await db.integrationProvider.findUnique({
+      where: { id: connection.providerId },
+    });
+
+    if (!provider || provider.slug !== 'rippling') {
+      throw new HttpException(
+        'This endpoint only supports Rippling connections',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get credentials
+    let credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+
+    if (!credentials?.access_token) {
+      throw new HttpException(
+        'No valid credentials found. Please reconnect the integration.',
+        HttpStatus.UNAUTHORIZED,
+      );
+    }
+
+    // Try to refresh the token if it might be expired
+    const manifest = getManifest('rippling');
+    const oauthConfig =
+      manifest?.auth.type === 'oauth2' ? manifest.auth.config : null;
+
+    if (oauthConfig?.supportsRefreshToken && credentials.refresh_token) {
+      try {
+        const oauthCredentials =
+          await this.oauthCredentialsService.getCredentials(
+            'rippling',
+            organizationId,
+          );
+
+        if (oauthCredentials) {
+          const newToken = await this.credentialVaultService.refreshOAuthTokens(
+            connectionId,
+            {
+              tokenUrl: oauthConfig.tokenUrl,
+              clientId: oauthCredentials.clientId,
+              clientSecret: oauthCredentials.clientSecret,
+              clientAuthMethod: oauthConfig.clientAuthMethod,
+            },
+          );
+          if (newToken) {
+            credentials =
+              await this.credentialVaultService.getDecryptedCredentials(
+                connectionId,
+              );
+            if (!credentials?.access_token) {
+              throw new Error('Failed to get refreshed credentials');
+            }
+            this.logger.log('Successfully refreshed Rippling OAuth token');
+          }
+        }
+      } catch (refreshError) {
+        this.logger.warn(
+          `Token refresh failed, trying with existing token: ${refreshError}`,
+        );
+      }
+    }
+
+    // Verify we still have valid credentials after potential refresh
+    if (!credentials?.access_token) {
+      throw new HttpException(
+        'No valid credentials found after refresh attempt. Please reconnect.',
+        HttpStatus.UNAUTHORIZED,
+      );
+    }
+
+    // Fetch workers from Rippling V2 REST API
+    // See: https://developer.rippling.com/documentation/developer-portal/v2-guides/user-management
+    interface RipplingWorker {
+      id: string;
+      name?: string;
+      first_name?: string;
+      last_name?: string;
+      work_email?: string;
+      personal_email?: string;
+      status?: string; // 'ACTIVE', 'TERMINATED', etc.
+      employment_type?: string;
+      start_date?: string;
+      termination_date?: string;
+      user?: {
+        number?: string; // unique employee identifier
+      };
+    }
+
+    interface RipplingResponse {
+      results?: RipplingWorker[];
+      next_link?: string;
+    }
+
+    const accessToken = credentials.access_token;
+
+    const workers: RipplingWorker[] = [];
+
+    try {
+      // Rippling V2 REST API endpoint for listing workers
+      // See: https://developer.rippling.com/documentation/developer-portal/v2-guides/user-management
+      let nextUrl: string | null = 'https://rest.ripplingapis.com/workers';
+
+      while (nextUrl) {
+        this.logger.log('Fetching Rippling workers...');
+
+        const response = await fetch(nextUrl, {
+          headers: {
+            Authorization: `Bearer ${accessToken}`,
+            Accept: 'application/json',
+          },
+        });
+
+        if (!response.ok) {
+          await response.text(); // consume body
+          this.logger.error(
+            `Rippling API error: ${response.status} ${response.statusText}`,
+          );
+
+          if (response.status === 401) {
+            throw new HttpException(
+              'Rippling credentials expired. Please reconnect.',
+              HttpStatus.UNAUTHORIZED,
+            );
+          }
+
+          if (response.status === 403) {
+            throw new HttpException(
+              'Access denied. Make sure the Rippling app has the required scopes and is properly authorized.',
+              HttpStatus.FORBIDDEN,
+            );
+          }
+
+          throw new HttpException(
+            `Rippling API error: ${response.status} ${response.statusText}`,
+            HttpStatus.BAD_GATEWAY,
+          );
+        }
+
+        const data: RipplingResponse = await response.json();
+
+        // V2 API returns { results: [...], next_link: "..." }
+        if (data.results && Array.isArray(data.results)) {
+          workers.push(...data.results);
+        } else if (Array.isArray(data)) {
+          // Fallback if API returns array directly
+          workers.push(...(data as unknown as RipplingWorker[]));
+          break;
+        }
+
+        // Handle pagination
+        nextUrl = data.next_link || null;
+      }
+    } catch (error) {
+      if (error instanceof HttpException) throw error;
+      this.logger.error(`Error fetching Rippling workers: ${error}`);
+      throw new HttpException(
+        `Failed to fetch workers from Rippling: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        HttpStatus.BAD_GATEWAY,
+      );
+    }
+
+    // Helper to get email from worker (V2 uses snake_case)
+    const getWorkerEmail = (w: RipplingWorker): string =>
+      (w.work_email || w.personal_email || '').toLowerCase();
+
+    // Helper to check if worker is active
+    const isWorkerActive = (w: RipplingWorker): boolean => {
+      const status = w.status || '';
+      return status.toUpperCase() === 'ACTIVE';
+    };
+
+    // Filter to active workers only
+    const activeWorkers = workers.filter(isWorkerActive);
+    const inactiveEmails = new Set(
+      workers
+        .filter((w) => !isWorkerActive(w))
+        .map(getWorkerEmail)
+        .filter(Boolean),
+    );
+    const activeEmails = new Set(
+      activeWorkers.map(getWorkerEmail).filter(Boolean),
+    );
+
+    this.logger.log(
+      `Found ${activeWorkers.length} active workers and ${inactiveEmails.size} inactive/terminated workers in Rippling`,
+    );
+
+    // Derive domains from Rippling workers to match against our members
+    const ripplingDomains = new Set(
+      activeWorkers.map((w) => getWorkerEmail(w).split('@')[1]).filter(Boolean),
+    );
+
+    // Get all existing members
+    const allOrgMembers = await db.member.findMany({
+      where: {
+        organizationId,
+        deactivated: false,
+      },
+      include: { user: true },
+    });
+
+    const results = {
+      imported: 0,
+      reactivated: 0,
+      deactivated: 0,
+      skipped: 0,
+      errors: 0,
+      details: [] as Array<{
+        email: string;
+        status:
+          | 'imported'
+          | 'skipped'
+          | 'deactivated'
+          | 'reactivated'
+          | 'error';
+        reason?: string;
+      }>,
+    };
+
+    // Process active workers
+    for (const worker of activeWorkers) {
+      const email = getWorkerEmail(worker);
+      if (!email) {
+        results.skipped++;
+        continue;
+      }
+
+      try {
+        let userId: string;
+        const existingUser = await db.user.findUnique({
+          where: { email },
+        });
+
+        if (existingUser) {
+          userId = existingUser.id;
+        } else {
+          // V2 API uses snake_case (first_name, last_name)
+          const name =
+            worker.name ||
+            [worker.first_name, worker.last_name].filter(Boolean).join(' ') ||
+            email.split('@')[0];
+
+          const newUser = await db.user.create({
+            data: {
+              email,
+              name,
+              emailVerified: true,
+            },
+          });
+          userId = newUser.id;
+        }
+
+        const existingMember = await db.member.findFirst({
+          where: { organizationId, userId },
+        });
+
+        if (existingMember) {
+          if (existingMember.deactivated) {
+            await db.member.update({
+              where: { id: existingMember.id },
+              data: { deactivated: false, isActive: true },
+            });
+            results.reactivated++;
+            results.details.push({
+              email,
+              status: 'reactivated',
+              reason: 'Worker reactivated in Rippling',
+            });
+          } else {
+            results.skipped++;
+            results.details.push({
+              email,
+              status: 'skipped',
+              reason: 'Already an active member',
+            });
+          }
+        } else {
+          await db.member.create({
+            data: {
+              organizationId,
+              userId,
+              role: 'employee',
+              isActive: true,
+            },
+          });
+          results.imported++;
+          results.details.push({ email, status: 'imported' });
+        }
+      } catch (error) {
+        this.logger.error(`Error importing Rippling worker: ${error}`);
+        results.errors++;
+        results.details.push({
+          email,
+          status: 'error',
+          reason: error instanceof Error ? error.message : 'Unknown error',
+        });
+      }
+    }
+
+    // Deactivate members no longer in Rippling
+    for (const member of allOrgMembers) {
+      const memberEmail = member.user.email.toLowerCase();
+      const memberDomain = memberEmail.split('@')[1];
+
+      // Only check members whose email domain matches one of the Rippling domains
+      if (!memberDomain || !ripplingDomains.has(memberDomain)) {
+        continue;
+      }
+
+      if (!activeEmails.has(memberEmail)) {
+        const isInactive = inactiveEmails.has(memberEmail);
+        const reason = isInactive
+          ? 'Employee is inactive in Rippling'
+          : 'Employee was removed from Rippling';
+
+        await db.member.update({
+          where: { id: member.id },
+          data: { deactivated: true, isActive: false },
+        });
+        results.deactivated++;
+        results.details.push({
+          email: member.user.email,
+          status: 'deactivated',
+          reason,
+        });
+      }
+    }
+
+    this.logger.log(
+      `Rippling sync complete: ${results.imported} imported, ${results.reactivated} reactivated, ${results.deactivated} deactivated, ${results.skipped} skipped, ${results.errors} errors`,
+    );
+
+    return {
+      success: true,
+      totalFound: workers.length,
+      totalInactive: inactiveEmails.size,
+      ...results,
+    };
+  }
+
+  /**
+   * Check if Rippling is connected for an organization
+   */
+  @Post('rippling/status')
+  async getRipplingStatus(@Query('organizationId') organizationId: string) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connection = await this.connectionRepository.findBySlugAndOrg(
+      'rippling',
+      organizationId,
+    );
+
+    if (!connection || connection.status !== 'active') {
+      return {
+        connected: false,
+        connectionId: null,
+        lastSyncAt: null,
+        nextSyncAt: null,
+      };
+    }
+
+    return {
+      connected: true,
+      connectionId: connection.id,
+      lastSyncAt: connection.lastSyncAt?.toISOString() ?? null,
+      nextSyncAt: connection.nextSyncAt?.toISOString() ?? null,
+    };
+  }
+
+  /**
+   * Get the current employee sync provider for an organization
+   */
+  @Get('employee-sync-provider')
+  async getEmployeeSyncProvider(
+    @Query('organizationId') organizationId: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const org = await db.organization.findUnique({
+      where: { id: organizationId },
+      select: { employeeSyncProvider: true },
+    });
+
+    if (!org) {
+      throw new HttpException('Organization not found', HttpStatus.NOT_FOUND);
+    }
+
+    return {
+      provider: org.employeeSyncProvider,
+    };
+  }
+
+  /**
+   * Set the employee sync provider for an organization
+   */
+  @Post('employee-sync-provider')
+  async setEmployeeSyncProvider(
+    @Query('organizationId') organizationId: string,
+    @Body() body: { provider: string | null },
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const { provider } = body;
+
+    // Validate provider if set
+    if (provider) {
+      const validProviders = ['google-workspace', 'rippling'];
+      if (!validProviders.includes(provider)) {
+        throw new HttpException(
+          `Invalid provider. Must be one of: ${validProviders.join(', ')}`,
+          HttpStatus.BAD_REQUEST,
+        );
+      }
+
+      // Check if the provider is actually connected
+      const connection = await this.connectionRepository.findBySlugAndOrg(
+        provider,
+        organizationId,
+      );
+
+      if (!connection || connection.status !== 'active') {
+        throw new HttpException(
+          `Provider ${provider} is not connected`,
+          HttpStatus.BAD_REQUEST,
+        );
+      }
+    }
+
+    await db.organization.update({
+      where: { id: organizationId },
+      data: { employeeSyncProvider: provider },
+    });
+
+    this.logger.log(
+      `Set employee sync provider to ${provider || 'none'} for org ${organizationId}`,
+    );
+
+    return {
+      success: true,
+      provider,
+    };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/task-integrations.controller.ts b/apps/api/src/integration-platform/controllers/task-integrations.controller.ts
new file mode 100644
index 000000000..b3e82e24d
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/task-integrations.controller.ts
@@ -0,0 +1,554 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Param,
+  Query,
+  Body,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import {
+  getActiveManifests,
+  getManifest,
+  runAllChecks,
+  type CheckRunResult,
+  type OAuthConfig,
+} from '@comp/integration-platform';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { ProviderRepository } from '../repositories/provider.repository';
+import { CheckRunRepository } from '../repositories/check-run.repository';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { OAuthCredentialsService } from '../services/oauth-credentials.service';
+import { db } from '@db';
+import type { Prisma } from '@prisma/client';
+
+interface TaskIntegrationCheck {
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  checkId: string;
+  checkName: string;
+  checkDescription: string;
+  isConnected: boolean;
+  needsConfiguration: boolean;
+  connectionId?: string;
+  connectionStatus?: string;
+  lastRunAt?: Date;
+  lastRunStatus?: 'success' | 'failed' | 'error';
+  lastRunFindings?: number;
+  lastRunPassing?: number;
+  /** For OAuth providers: whether platform/org admin has configured credentials */
+  authType: 'oauth2' | 'custom' | 'api_key' | 'basic' | 'jwt';
+  oauthConfigured?: boolean;
+}
+
+interface RunCheckForTaskDto {
+  connectionId: string;
+  checkId: string;
+}
+
+@Controller({ path: 'integrations/tasks', version: '1' })
+export class TaskIntegrationsController {
+  private readonly logger = new Logger(TaskIntegrationsController.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly providerRepository: ProviderRepository,
+    private readonly checkRunRepository: CheckRunRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly oauthCredentialsService: OAuthCredentialsService,
+  ) {}
+
+  /**
+   * Get all integration checks that can auto-complete a specific task template
+   */
+  @Get('template/:templateId/checks')
+  async getChecksForTaskTemplate(
+    @Param('templateId') templateId: string,
+    @Query('organizationId') organizationId: string,
+  ): Promise<{ checks: TaskIntegrationCheck[] }> {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const manifests = getActiveManifests();
+    const checks: TaskIntegrationCheck[] = [];
+
+    // Get all connections for this org with provider info
+    const connectionsRaw =
+      await this.connectionRepository.findByOrganization(organizationId);
+
+    // Cast to include provider relation
+    const connections = connectionsRaw as Array<
+      (typeof connectionsRaw)[0] & { provider?: { slug: string } }
+    >;
+
+    for (const manifest of manifests) {
+      if (!manifest.checks) continue;
+
+      for (const check of manifest.checks) {
+        // Check if this check maps to the requested task template
+        if (check.taskMapping === templateId) {
+          // Find if there's a connection for this integration
+          const connection = connections.find(
+            (c) => c.provider?.slug === manifest.id,
+          );
+
+          // Check if required variables are configured
+          let needsConfiguration = false;
+          if (connection && connection.status === 'active' && check.variables) {
+            const connectionVars =
+              (connection.variables as Record<string, unknown>) || {};
+            for (const variable of check.variables) {
+              if (variable.required) {
+                const value = connectionVars[variable.id];
+                if (
+                  value === undefined ||
+                  value === null ||
+                  value === '' ||
+                  (Array.isArray(value) && value.length === 0)
+                ) {
+                  needsConfiguration = true;
+                  break;
+                }
+              }
+            }
+          }
+
+          // Check if OAuth is configured for OAuth providers
+          let oauthConfigured: boolean | undefined;
+          if (manifest.auth.type === 'oauth2') {
+            const availability =
+              await this.oauthCredentialsService.checkAvailability(
+                manifest.id,
+                organizationId,
+              );
+            oauthConfigured = availability.available;
+          }
+
+          checks.push({
+            integrationId: manifest.id,
+            integrationName: manifest.name,
+            integrationLogoUrl: manifest.logoUrl,
+            checkId: check.id,
+            checkName: check.name,
+            checkDescription: check.description,
+            isConnected: !!connection && connection.status === 'active',
+            needsConfiguration,
+            connectionId: connection?.id,
+            connectionStatus: connection?.status,
+            authType: manifest.auth.type,
+            oauthConfigured,
+          });
+        }
+      }
+    }
+
+    return { checks };
+  }
+
+  /**
+   * Get integration checks for a specific task (by task ID)
+   */
+  @Get(':taskId/checks')
+  async getChecksForTask(
+    @Param('taskId') taskId: string,
+    @Query('organizationId') organizationId: string,
+  ): Promise<{
+    checks: TaskIntegrationCheck[];
+    task: { id: string; title: string; templateId: string | null };
+  }> {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get the task to find its template ID
+    const task = await db.task.findUnique({
+      where: { id: taskId, organizationId },
+      select: { id: true, title: true, taskTemplateId: true },
+    });
+
+    if (!task) {
+      throw new HttpException('Task not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (!task.taskTemplateId) {
+      return {
+        checks: [],
+        task: { id: task.id, title: task.title, templateId: null },
+      };
+    }
+
+    // Get checks for this template
+    const { checks } = await this.getChecksForTaskTemplate(
+      task.taskTemplateId,
+      organizationId,
+    );
+
+    return {
+      checks,
+      task: { id: task.id, title: task.title, templateId: task.taskTemplateId },
+    };
+  }
+
+  /**
+   * Run a specific check for a task and store results
+   */
+  @Post(':taskId/run-check')
+  async runCheckForTask(
+    @Param('taskId') taskId: string,
+    @Query('organizationId') organizationId: string,
+    @Body() body: RunCheckForTaskDto,
+  ): Promise<{
+    success: boolean;
+    result?: CheckRunResult;
+    error?: string;
+    checkRunId?: string;
+    taskStatus?: string | null;
+  }> {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const { connectionId, checkId } = body;
+
+    // Verify task exists
+    const task = await db.task.findUnique({
+      where: { id: taskId, organizationId },
+    });
+
+    if (!task) {
+      throw new HttpException('Task not found', HttpStatus.NOT_FOUND);
+    }
+
+    // Get connection
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection || connection.organizationId !== organizationId) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.status !== 'active') {
+      throw new HttpException(
+        'Connection is not active',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // Get provider and manifest
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      throw new HttpException('Provider not found', HttpStatus.NOT_FOUND);
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      throw new HttpException('Manifest not found', HttpStatus.NOT_FOUND);
+    }
+
+    // Get credentials
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+
+    // Validate credentials based on auth type
+    if (!credentials) {
+      throw new HttpException(
+        'No credentials found for connection',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // For OAuth, require access_token. For custom auth (like AWS), check for required fields
+    if (manifest.auth.type === 'oauth2' && !credentials.access_token) {
+      throw new HttpException(
+        'No valid OAuth credentials found. Please reconnect.',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    // For custom auth, the credentials are the form field values directly
+    if (
+      manifest.auth.type === 'custom' &&
+      Object.keys(credentials).length === 0
+    ) {
+      throw new HttpException(
+        'No valid credentials found for custom integration',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const variables =
+      (connection.variables as Record<
+        string,
+        string | number | boolean | string[] | undefined
+      >) || {};
+
+    // Find the check definition to get the name
+    const checkDef = manifest.checks?.find((c) => c.id === checkId);
+    if (!checkDef) {
+      throw new HttpException(
+        `Check ${checkId} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Build token refresh callback for OAuth integrations that support it
+    let onTokenRefresh: (() => Promise<string | null>) | undefined;
+    if (manifest.auth.type === 'oauth2') {
+      const oauthConfig = manifest.auth.config;
+
+      // Only set up refresh callback if provider supports refresh tokens
+      const supportsRefresh = oauthConfig.supportsRefreshToken !== false;
+
+      if (supportsRefresh) {
+        const oauthCredentials =
+          await this.oauthCredentialsService.getCredentials(
+            provider.slug,
+            organizationId,
+          );
+
+        if (oauthCredentials) {
+          onTokenRefresh = async () => {
+            return this.credentialVaultService.refreshOAuthTokens(
+              connectionId,
+              {
+                tokenUrl: oauthConfig.tokenUrl,
+                refreshUrl: oauthConfig.refreshUrl,
+                clientId: oauthCredentials.clientId,
+                clientSecret: oauthCredentials.clientSecret,
+                clientAuthMethod: oauthConfig.clientAuthMethod,
+              },
+            );
+          };
+        }
+      }
+    }
+
+    // Create check run record
+    const checkRun = await this.checkRunRepository.create({
+      connectionId,
+      taskId,
+      checkId,
+      checkName: checkDef.name,
+    });
+
+    try {
+      // Run the specific check
+      const result = await runAllChecks({
+        manifest,
+        accessToken: credentials.access_token ?? undefined,
+        credentials: credentials,
+        variables,
+        connectionId,
+        organizationId,
+        checkId, // Only run this specific check
+        onTokenRefresh,
+        logger: {
+          info: (msg, data) => this.logger.log(msg, data),
+          warn: (msg, data) => this.logger.warn(msg, data),
+          error: (msg, data) => this.logger.error(msg, data),
+        },
+      });
+
+      const checkResult = result.results[0];
+
+      if (!checkResult) {
+        await this.checkRunRepository.complete(checkRun.id, {
+          status: 'failed',
+          durationMs: 0,
+          totalChecked: 0,
+          passedCount: 0,
+          failedCount: 0,
+          errorMessage: 'Check not found in manifest',
+        });
+        return { success: false, error: 'Check not found' };
+      }
+
+      // Store individual results
+      const resultsToStore = [
+        // Passing results
+        ...checkResult.result.passingResults.map((r) => ({
+          checkRunId: checkRun.id,
+          passed: true,
+          resourceType: r.resourceType,
+          resourceId: r.resourceId,
+          title: r.title,
+          description: r.description,
+          evidence: r.evidence as Prisma.InputJsonValue,
+        })),
+        // Findings (failures)
+        ...checkResult.result.findings.map((f) => ({
+          checkRunId: checkRun.id,
+          passed: false,
+          resourceType: f.resourceType,
+          resourceId: f.resourceId,
+          title: f.title,
+          description: f.description,
+          severity: f.severity as
+            | 'info'
+            | 'low'
+            | 'medium'
+            | 'high'
+            | 'critical',
+          remediation: f.remediation,
+          evidence: f.evidence as Prisma.InputJsonValue,
+        })),
+      ];
+
+      if (resultsToStore.length > 0) {
+        await this.checkRunRepository.addResults(resultsToStore);
+      }
+
+      // Complete the check run
+      await this.checkRunRepository.complete(checkRun.id, {
+        status: checkResult.status === 'error' ? 'failed' : checkResult.status,
+        durationMs: checkResult.durationMs,
+        totalChecked:
+          checkResult.result.summary?.totalChecked ||
+          checkResult.result.passingResults.length +
+            checkResult.result.findings.length,
+        passedCount: checkResult.result.passingResults.length,
+        failedCount: checkResult.result.findings.length,
+        errorMessage: checkResult.error,
+        logs: JSON.parse(
+          JSON.stringify(checkResult.result.logs),
+        ) as Prisma.InputJsonValue,
+      });
+
+      this.logger.log(
+        `Check ${checkId} for task ${taskId}: ${checkResult.status} - ${checkResult.result.findings.length} findings, ${checkResult.result.passingResults.length} passing`,
+      );
+
+      // Update task status based on check results
+      const hasFindings = checkResult.result.findings.length > 0;
+      const hasPassing = checkResult.result.passingResults.length > 0;
+      const newStatus = hasFindings ? 'failed' : hasPassing ? 'done' : null;
+
+      if (newStatus) {
+        // Only update review date if transitioning to done from a different status
+        const isTransitioningToDone =
+          newStatus === 'done' && task.status !== 'done';
+
+        // Calculate next review date based on frequency
+        let reviewDate: Date | undefined;
+        if (isTransitioningToDone && task.frequency) {
+          reviewDate = new Date();
+          switch (task.frequency) {
+            case 'monthly':
+              reviewDate.setMonth(reviewDate.getMonth() + 1);
+              break;
+            case 'quarterly':
+              reviewDate.setMonth(reviewDate.getMonth() + 3);
+              break;
+            case 'yearly':
+              reviewDate.setFullYear(reviewDate.getFullYear() + 1);
+              break;
+          }
+        }
+
+        await db.task.update({
+          where: { id: taskId },
+          data: {
+            status: newStatus,
+            ...(reviewDate ? { reviewDate } : {}),
+          },
+        });
+        this.logger.log(
+          `Updated task ${taskId} status to ${newStatus}${reviewDate ? `, next review: ${reviewDate.toISOString()}` : ''}`,
+        );
+      }
+
+      return {
+        success: true,
+        result: checkResult,
+        checkRunId: checkRun.id,
+        taskStatus: newStatus,
+      };
+    } catch (error) {
+      // Mark run as failed
+      await this.checkRunRepository.complete(checkRun.id, {
+        status: 'failed',
+        durationMs: Date.now() - checkRun.startedAt!.getTime(),
+        totalChecked: 0,
+        passedCount: 0,
+        failedCount: 0,
+        errorMessage: error instanceof Error ? error.message : String(error),
+      });
+
+      this.logger.error(`Failed to run check: ${error}`);
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+        checkRunId: checkRun.id,
+      };
+    }
+  }
+
+  /**
+   * Get check run history for a task
+   */
+  @Get(':taskId/runs')
+  async getTaskCheckRuns(
+    @Param('taskId') taskId: string,
+    @Query('organizationId') organizationId: string,
+    @Query('limit') limit?: string,
+  ) {
+    if (!organizationId) {
+      throw new HttpException(
+        'organizationId is required',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const runs = await this.checkRunRepository.findByTask(
+      taskId,
+      limit ? parseInt(limit, 10) : 10,
+    );
+
+    return {
+      runs: runs.map((run) => ({
+        id: run.id,
+        checkId: run.checkId,
+        checkName: run.checkName,
+        status: run.status,
+        startedAt: run.startedAt,
+        completedAt: run.completedAt,
+        durationMs: run.durationMs,
+        totalChecked: run.totalChecked,
+        passedCount: run.passedCount,
+        failedCount: run.failedCount,
+        errorMessage: run.errorMessage,
+        logs: run.logs,
+        provider: {
+          slug: (run.connection as any).provider?.slug,
+          name: (run.connection as any).provider?.name,
+        },
+        results: run.results.map((r) => ({
+          id: r.id,
+          passed: r.passed,
+          resourceType: r.resourceType,
+          resourceId: r.resourceId,
+          title: r.title,
+          description: r.description,
+          severity: r.severity,
+          remediation: r.remediation,
+          evidence: r.evidence,
+          collectedAt: r.collectedAt,
+        })),
+        createdAt: run.createdAt,
+      })),
+    };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/variables.controller.ts b/apps/api/src/integration-platform/controllers/variables.controller.ts
new file mode 100644
index 000000000..b45d582d9
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/variables.controller.ts
@@ -0,0 +1,351 @@
+import {
+  Controller,
+  Get,
+  Post,
+  Param,
+  Body,
+  Query,
+  HttpException,
+  HttpStatus,
+  Logger,
+} from '@nestjs/common';
+import { getManifest, type CheckVariable } from '@comp/integration-platform';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { ProviderRepository } from '../repositories/provider.repository';
+import { CredentialVaultService } from '../services/credential-vault.service';
+import { AutoCheckRunnerService } from '../services/auto-check-runner.service';
+
+interface SaveVariablesDto {
+  variables: Record<string, string | number | boolean | string[]>;
+}
+
+interface VariableOption {
+  value: string;
+  label: string;
+}
+
+interface VariableDefinition {
+  id: string;
+  label: string;
+  type: string;
+  required: boolean;
+  default?: string | number | boolean | string[];
+  helpText?: string;
+  placeholder?: string;
+  options?: VariableOption[];
+  hasDynamicOptions: boolean;
+}
+
+@Controller({ path: 'integrations/variables', version: '1' })
+export class VariablesController {
+  private readonly logger = new Logger(VariablesController.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly providerRepository: ProviderRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+    private readonly autoCheckRunnerService: AutoCheckRunnerService,
+  ) {}
+
+  /**
+   * Get all variables required for a provider's checks
+   */
+  @Get('providers/:providerSlug')
+  async getProviderVariables(
+    @Param('providerSlug') providerSlug: string,
+  ): Promise<{ variables: VariableDefinition[] }> {
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Provider ${providerSlug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Collect all unique variables from all checks
+    const variableMap = new Map<string, CheckVariable>();
+
+    for (const check of manifest.checks || []) {
+      for (const variable of check.variables || []) {
+        if (!variableMap.has(variable.id)) {
+          variableMap.set(variable.id, variable);
+        }
+      }
+    }
+
+    const variables: VariableDefinition[] = Array.from(
+      variableMap.values(),
+    ).map((v) => ({
+      id: v.id,
+      label: v.label,
+      type: v.type,
+      required: v.required || false,
+      default: v.default,
+      helpText: v.helpText,
+      placeholder: v.placeholder,
+      options: v.options,
+      hasDynamicOptions: !!v.fetchOptions,
+    }));
+
+    return { variables };
+  }
+
+  /**
+   * Get variables for a specific connection (with current values)
+   */
+  @Get('connections/:connectionId')
+  async getConnectionVariables(@Param('connectionId') connectionId: string) {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      throw new HttpException('Provider not found', HttpStatus.NOT_FOUND);
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest for ${provider.slug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Collect all unique variables
+    const variableMap = new Map<string, CheckVariable>();
+    for (const check of manifest.checks || []) {
+      for (const variable of check.variables || []) {
+        if (!variableMap.has(variable.id)) {
+          variableMap.set(variable.id, variable);
+        }
+      }
+    }
+
+    // Get current values from connection
+    const currentValues =
+      (connection.variables as Record<string, unknown>) || {};
+
+    const variables = Array.from(variableMap.values()).map((v) => ({
+      id: v.id,
+      label: v.label,
+      type: v.type,
+      required: v.required || false,
+      default: v.default,
+      helpText: v.helpText,
+      placeholder: v.placeholder,
+      options: v.options,
+      hasDynamicOptions: !!v.fetchOptions,
+      currentValue: currentValues[v.id],
+    }));
+
+    return {
+      connectionId,
+      providerSlug: provider.slug,
+      variables,
+    };
+  }
+
+  /**
+   * Fetch dynamic options for a variable (requires active connection)
+   */
+  @Get('connections/:connectionId/options/:variableId')
+  async fetchVariableOptions(
+    @Param('connectionId') connectionId: string,
+    @Param('variableId') variableId: string,
+  ): Promise<{ options: VariableOption[] }> {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.status !== 'active') {
+      throw new HttpException(
+        'Connection must be active to fetch options',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      throw new HttpException('Provider not found', HttpStatus.NOT_FOUND);
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      throw new HttpException(
+        `Manifest for ${provider.slug} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    // Find the variable definition
+    let variable: CheckVariable | undefined;
+    for (const check of manifest.checks || []) {
+      variable = check.variables?.find((v) => v.id === variableId);
+      if (variable) break;
+    }
+
+    if (!variable) {
+      throw new HttpException(
+        `Variable ${variableId} not found`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (!variable.fetchOptions) {
+      // Return static options if available
+      return { options: variable.options || [] };
+    }
+
+    // Get credentials to make authenticated requests
+    const credentials =
+      await this.credentialVaultService.getDecryptedCredentials(connectionId);
+
+    if (!credentials?.access_token) {
+      throw new HttpException(
+        'No valid credentials found',
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const baseUrl = manifest.baseUrl || '';
+    const defaultHeaders = manifest.defaultHeaders || {};
+
+    const buildHeaders = () => ({
+      ...defaultHeaders,
+      Authorization: `Bearer ${credentials.access_token}`,
+    });
+
+    // Create minimal context for fetching options
+    const fetchContext = {
+      accessToken: credentials.access_token,
+
+      fetch: async <T = unknown>(path: string): Promise<T> => {
+        const url = new URL(path, baseUrl);
+        const response = await fetch(url.toString(), {
+          headers: buildHeaders(),
+        });
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+        return response.json();
+      },
+
+      fetchAllPages: async <T = unknown>(path: string): Promise<T[]> => {
+        const allItems: T[] = [];
+        let page = 1;
+        const perPage = 100;
+
+        while (page <= 10) {
+          const url = new URL(path, baseUrl);
+          url.searchParams.set('page', String(page));
+          url.searchParams.set('per_page', String(perPage));
+
+          const response = await fetch(url.toString(), {
+            headers: buildHeaders(),
+          });
+          if (!response.ok) throw new Error(`HTTP ${response.status}`);
+
+          const items: T[] = await response.json();
+          if (!Array.isArray(items) || items.length === 0) break;
+
+          allItems.push(...items);
+          if (items.length < perPage) break;
+          page++;
+        }
+
+        return allItems;
+      },
+
+      graphql: async <T = unknown>(
+        query: string,
+        variables?: Record<string, unknown>,
+      ): Promise<T> => {
+        const endpoint = `${baseUrl}/graphql`;
+        const response = await fetch(endpoint, {
+          method: 'POST',
+          headers: { ...buildHeaders(), 'Content-Type': 'application/json' },
+          body: JSON.stringify({ query, variables }),
+        });
+
+        if (!response.ok) throw new Error(`HTTP ${response.status}`);
+
+        const result = (await response.json()) as {
+          data?: T;
+          errors?: Array<{ message: string }>;
+        };
+
+        if (result.errors?.length) {
+          throw new Error(
+            `GraphQL: ${result.errors.map((e) => e.message).join(', ')}`,
+          );
+        }
+        if (!result.data) throw new Error('GraphQL response missing data');
+
+        return result.data;
+      },
+    };
+
+    try {
+      this.logger.log(`Fetching options for variable ${variableId}`);
+      const options = await variable.fetchOptions(fetchContext);
+      return { options };
+    } catch (error) {
+      this.logger.error(`Failed to fetch options: ${error}`);
+      throw new HttpException(
+        `Failed to fetch options: ${error instanceof Error ? error.message : String(error)}`,
+        HttpStatus.INTERNAL_SERVER_ERROR,
+      );
+    }
+  }
+
+  /**
+   * Save variable values for a connection
+   */
+  @Post('connections/:connectionId')
+  async saveConnectionVariables(
+    @Param('connectionId') connectionId: string,
+    @Body() body: SaveVariablesDto,
+  ) {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    // Merge with existing variables
+    const existingVariables =
+      (connection.variables as Record<string, unknown>) || {};
+    const newVariables = {
+      ...existingVariables,
+      ...body.variables,
+    };
+
+    await this.connectionRepository.update(connectionId, {
+      variables: newVariables,
+    });
+
+    this.logger.log(`Saved variables for connection ${connectionId}`);
+
+    // Auto-run checks if possible (fire and forget)
+    this.autoCheckRunnerService
+      .tryAutoRunChecks(connectionId)
+      .then((didRun) => {
+        if (didRun) {
+          this.logger.log(
+            `Auto-ran checks for connection ${connectionId} after variables saved`,
+          );
+        }
+      })
+      .catch((err) => {
+        this.logger.warn(
+          `Failed to auto-run checks after saving variables: ${err.message}`,
+        );
+      });
+
+    return { success: true, variables: newVariables };
+  }
+}
diff --git a/apps/api/src/integration-platform/controllers/webhook.controller.ts b/apps/api/src/integration-platform/controllers/webhook.controller.ts
new file mode 100644
index 000000000..7c5b2367d
--- /dev/null
+++ b/apps/api/src/integration-platform/controllers/webhook.controller.ts
@@ -0,0 +1,210 @@
+import {
+  Controller,
+  Post,
+  Param,
+  Body,
+  Headers,
+  HttpException,
+  HttpStatus,
+  Logger,
+  type RawBodyRequest,
+  Req,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { createHmac, timingSafeEqual } from 'crypto';
+import { getManifest } from '@comp/integration-platform';
+import type { WebhookConfig } from '@comp/integration-platform';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { db, Prisma } from '@db';
+
+type WebhookPayload = Record<string, unknown>;
+
+function extractSignature(
+  headers: Record<string, string>,
+  headerName: string,
+): string | null {
+  const key = headerName.toLowerCase();
+  return headers[key] ?? headers[headerName] ?? null;
+}
+
+function parseSignatureValue(signature: string): string {
+  // Handle formats like "sha256=abc123" or "v0=abc123"
+  const eqIndex = signature.indexOf('=');
+  return eqIndex >= 0 ? signature.slice(eqIndex + 1) : signature;
+}
+
+function verifyHmac(
+  rawBody: Buffer,
+  secret: string,
+  algorithm: string,
+  providedSignature: string,
+): boolean {
+  const hmac = createHmac(algorithm, secret);
+  hmac.update(rawBody);
+  const expected = hmac.digest('hex');
+
+  try {
+    const expectedBuf = Buffer.from(expected, 'hex');
+    const providedBuf = Buffer.from(providedSignature, 'hex');
+    return (
+      expectedBuf.length === providedBuf.length &&
+      timingSafeEqual(expectedBuf, providedBuf)
+    );
+  } catch {
+    return false;
+  }
+}
+
+function getEventType(headers: Record<string, string>): string {
+  return headers['x-github-event'] ?? headers['x-event-type'] ?? 'unknown';
+}
+
+@Controller({ path: 'integrations/webhooks', version: '1' })
+export class WebhookController {
+  private readonly logger = new Logger(WebhookController.name);
+
+  constructor(private readonly connectionRepository: ConnectionRepository) {}
+
+  @Post(':providerSlug/:connectionId')
+  async handleWebhook(
+    @Param('providerSlug') providerSlug: string,
+    @Param('connectionId') connectionId: string,
+    @Headers() headers: Record<string, string>,
+    @Body() body: WebhookPayload,
+    @Req() req: RawBodyRequest<Request>,
+  ) {
+    const manifest = getManifest(providerSlug);
+    if (!manifest) {
+      throw new HttpException(
+        `Unknown provider: ${providerSlug}`,
+        HttpStatus.NOT_FOUND,
+      );
+    }
+
+    if (!manifest.capabilities.includes('webhook') || !manifest.webhook) {
+      throw new HttpException(
+        `${providerSlug} does not support webhooks`,
+        HttpStatus.BAD_REQUEST,
+      );
+    }
+
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new HttpException('Connection not found', HttpStatus.NOT_FOUND);
+    }
+
+    if (connection.status !== 'active') {
+      throw new HttpException('Connection not active', HttpStatus.BAD_REQUEST);
+    }
+
+    const webhookConfig = manifest.webhook;
+    if (webhookConfig.secretHeader && webhookConfig.signatureAlgorithm) {
+      const valid = await this.verifySignature(
+        req,
+        headers,
+        connection.id,
+        webhookConfig,
+      );
+      if (!valid) {
+        throw new HttpException('Invalid signature', HttpStatus.UNAUTHORIZED);
+      }
+    }
+
+    return this.processWebhook(connectionId, body, headers, manifest);
+  }
+
+  private async verifySignature(
+    req: RawBodyRequest<Request>,
+    headers: Record<string, string>,
+    connectionId: string,
+    config: WebhookConfig,
+  ): Promise<boolean> {
+    const { secretHeader, signatureAlgorithm } = config;
+    if (!secretHeader || !signatureAlgorithm) return true;
+
+    const signature = extractSignature(headers, secretHeader);
+    if (!signature) {
+      this.logger.warn(`Missing ${secretHeader} header`);
+      return false;
+    }
+
+    const connection = await this.connectionRepository.findById(connectionId);
+    const metadata = connection?.metadata as Record<string, unknown> | null;
+    const secret = metadata?.webhookSecret as string | undefined;
+    if (!secret) {
+      this.logger.warn(`No webhook secret for connection ${connectionId}`);
+      return false;
+    }
+
+    const rawBody = req.rawBody;
+    if (!rawBody) {
+      this.logger.warn('Raw body unavailable');
+      return false;
+    }
+
+    return verifyHmac(
+      rawBody,
+      secret,
+      signatureAlgorithm,
+      parseSignatureValue(signature),
+    );
+  }
+
+  private async processWebhook(
+    connectionId: string,
+    payload: WebhookPayload,
+    headers: Record<string, string>,
+    manifest: NonNullable<ReturnType<typeof getManifest>>,
+  ): Promise<{ success: boolean; findingsCreated?: number }> {
+    const eventType = getEventType(headers);
+
+    if (manifest.handler?.handleWebhook) {
+      const findings = await manifest.handler.handleWebhook(payload, headers);
+
+      if (findings?.length) {
+        const run = await db.integrationRun.create({
+          data: {
+            connectionId,
+            jobType: 'webhook',
+            status: 'success',
+            startedAt: new Date(),
+            completedAt: new Date(),
+            findingsCount: findings.length,
+            metadata: { eventType },
+          },
+        });
+
+        await db.integrationPlatformFinding.createMany({
+          data: findings.map((f) => ({
+            runId: run.id,
+            connectionId,
+            resourceType: f.resourceType,
+            resourceId: f.resourceId,
+            title: f.title,
+            description: f.description ?? '',
+            severity: f.severity,
+            status: 'open',
+            remediation: f.remediation ?? '',
+            rawPayload: (f.rawPayload ?? {}) as Prisma.InputJsonValue,
+          })),
+        });
+
+        return { success: true, findingsCreated: findings.length };
+      }
+    }
+
+    await db.integrationRun.create({
+      data: {
+        connectionId,
+        jobType: 'webhook',
+        status: 'success',
+        startedAt: new Date(),
+        completedAt: new Date(),
+        findingsCount: 0,
+        metadata: { eventType },
+      },
+    });
+
+    return { success: true };
+  }
+}
diff --git a/apps/api/src/integration-platform/integration-platform.module.ts b/apps/api/src/integration-platform/integration-platform.module.ts
new file mode 100644
index 000000000..bf404f62f
--- /dev/null
+++ b/apps/api/src/integration-platform/integration-platform.module.ts
@@ -0,0 +1,57 @@
+import { Module } from '@nestjs/common';
+import { OAuthController } from './controllers/oauth.controller';
+import { OAuthAppsController } from './controllers/oauth-apps.controller';
+import { ConnectionsController } from './controllers/connections.controller';
+import { AdminIntegrationsController } from './controllers/admin-integrations.controller';
+import { ChecksController } from './controllers/checks.controller';
+import { VariablesController } from './controllers/variables.controller';
+import { TaskIntegrationsController } from './controllers/task-integrations.controller';
+import { WebhookController } from './controllers/webhook.controller';
+import { SyncController } from './controllers/sync.controller';
+import { CredentialVaultService } from './services/credential-vault.service';
+import { ConnectionService } from './services/connection.service';
+import { OAuthCredentialsService } from './services/oauth-credentials.service';
+import { AutoCheckRunnerService } from './services/auto-check-runner.service';
+import { ProviderRepository } from './repositories/provider.repository';
+import { ConnectionRepository } from './repositories/connection.repository';
+import { CredentialRepository } from './repositories/credential.repository';
+import { OAuthStateRepository } from './repositories/oauth-state.repository';
+import { OAuthAppRepository } from './repositories/oauth-app.repository';
+import { PlatformCredentialRepository } from './repositories/platform-credential.repository';
+import { CheckRunRepository } from './repositories/check-run.repository';
+
+@Module({
+  controllers: [
+    OAuthController,
+    OAuthAppsController,
+    ConnectionsController,
+    AdminIntegrationsController,
+    ChecksController,
+    VariablesController,
+    TaskIntegrationsController,
+    WebhookController,
+    SyncController,
+  ],
+  providers: [
+    // Services
+    CredentialVaultService,
+    ConnectionService,
+    OAuthCredentialsService,
+    AutoCheckRunnerService,
+    // Repositories
+    ProviderRepository,
+    ConnectionRepository,
+    CredentialRepository,
+    OAuthStateRepository,
+    OAuthAppRepository,
+    PlatformCredentialRepository,
+    CheckRunRepository,
+  ],
+  exports: [
+    CredentialVaultService,
+    ConnectionService,
+    OAuthCredentialsService,
+    AutoCheckRunnerService,
+  ],
+})
+export class IntegrationPlatformModule {}
diff --git a/apps/api/src/integration-platform/repositories/check-run.repository.ts b/apps/api/src/integration-platform/repositories/check-run.repository.ts
new file mode 100644
index 000000000..c95bd2060
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/check-run.repository.ts
@@ -0,0 +1,206 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { IntegrationRunStatus, Prisma } from '@prisma/client';
+
+export interface CreateCheckRunDto {
+  connectionId: string;
+  taskId?: string;
+  checkId: string;
+  checkName: string;
+}
+
+export interface CompleteCheckRunDto {
+  status: 'success' | 'failed';
+  durationMs: number;
+  totalChecked: number;
+  passedCount: number;
+  failedCount: number;
+  errorMessage?: string;
+  logs?: Prisma.InputJsonValue;
+}
+
+export interface CreateCheckResultDto {
+  checkRunId: string;
+  passed: boolean;
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description?: string;
+  severity?: 'info' | 'low' | 'medium' | 'high' | 'critical';
+  remediation?: string;
+  evidence?: Prisma.InputJsonValue;
+}
+
+@Injectable()
+export class CheckRunRepository {
+  /**
+   * Create a new check run (status = running)
+   */
+  async create(data: CreateCheckRunDto) {
+    return db.integrationCheckRun.create({
+      data: {
+        connectionId: data.connectionId,
+        taskId: data.taskId,
+        checkId: data.checkId,
+        checkName: data.checkName,
+        status: 'running',
+        startedAt: new Date(),
+      },
+    });
+  }
+
+  /**
+   * Complete a check run with results
+   */
+  async complete(id: string, data: CompleteCheckRunDto) {
+    return db.integrationCheckRun.update({
+      where: { id },
+      data: {
+        status: data.status,
+        completedAt: new Date(),
+        durationMs: data.durationMs,
+        totalChecked: data.totalChecked,
+        passedCount: data.passedCount,
+        failedCount: data.failedCount,
+        errorMessage: data.errorMessage,
+        logs: data.logs,
+      },
+    });
+  }
+
+  /**
+   * Add a result to a check run
+   */
+  async addResult(data: CreateCheckResultDto) {
+    return db.integrationCheckResult.create({
+      data: {
+        checkRunId: data.checkRunId,
+        passed: data.passed,
+        resourceType: data.resourceType,
+        resourceId: data.resourceId,
+        title: data.title,
+        description: data.description,
+        severity: data.severity,
+        remediation: data.remediation,
+        evidence: data.evidence,
+      },
+    });
+  }
+
+  /**
+   * Add multiple results in a batch
+   */
+  async addResults(results: CreateCheckResultDto[]) {
+    return db.integrationCheckResult.createMany({
+      data: results.map((r) => ({
+        checkRunId: r.checkRunId,
+        passed: r.passed,
+        resourceType: r.resourceType,
+        resourceId: r.resourceId,
+        title: r.title,
+        description: r.description,
+        severity: r.severity,
+        remediation: r.remediation,
+        evidence: r.evidence,
+      })),
+    });
+  }
+
+  /**
+   * Get a check run by ID with results
+   */
+  async findById(id: string) {
+    return db.integrationCheckRun.findUnique({
+      where: { id },
+      include: {
+        results: true,
+        connection: {
+          include: {
+            provider: true,
+          },
+        },
+      },
+    });
+  }
+
+  /**
+   * Get check runs for a task
+   */
+  async findByTask(taskId: string, limit = 10) {
+    return db.integrationCheckRun.findMany({
+      where: { taskId },
+      include: {
+        results: true,
+        connection: {
+          include: {
+            provider: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+      take: limit,
+    });
+  }
+
+  /**
+   * Get the latest check run for a specific check on a task
+   */
+  async findLatestByTaskAndCheck(taskId: string, checkId: string) {
+    return db.integrationCheckRun.findFirst({
+      where: { taskId, checkId },
+      include: {
+        results: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  /**
+   * Get check runs for a connection
+   */
+  async findByConnection(connectionId: string, limit = 20) {
+    return db.integrationCheckRun.findMany({
+      where: { connectionId },
+      include: {
+        results: true,
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+      take: limit,
+    });
+  }
+
+  /**
+   * Get all check runs for an organization (via connections)
+   */
+  async findByOrganization(organizationId: string, limit = 50) {
+    return db.integrationCheckRun.findMany({
+      where: {
+        connection: {
+          organizationId,
+        },
+      },
+      include: {
+        results: true,
+        connection: {
+          include: {
+            provider: true,
+          },
+        },
+        task: {
+          select: {
+            id: true,
+            title: true,
+          },
+        },
+      },
+      orderBy: { createdAt: 'desc' },
+      take: limit,
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/connection.repository.ts b/apps/api/src/integration-platform/repositories/connection.repository.ts
new file mode 100644
index 000000000..7501c9ce6
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/connection.repository.ts
@@ -0,0 +1,158 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type {
+  IntegrationConnection,
+  IntegrationConnectionStatus,
+} from '@prisma/client';
+
+export interface CreateConnectionDto {
+  providerId: string;
+  organizationId: string;
+  authStrategy: string;
+  metadata?: object;
+}
+
+export interface UpdateConnectionDto {
+  status?: IntegrationConnectionStatus;
+  activeCredentialVersionId?: string | null;
+  lastSyncAt?: Date;
+  nextSyncAt?: Date;
+  syncCadence?: string | null;
+  metadata?: object;
+  variables?: object;
+  errorMessage?: string | null;
+}
+
+@Injectable()
+export class ConnectionRepository {
+  async findById(id: string): Promise<IntegrationConnection | null> {
+    return db.integrationConnection.findUnique({
+      where: { id },
+      include: {
+        provider: true,
+      },
+    });
+  }
+
+  async findByProviderAndOrg(
+    providerId: string,
+    organizationId: string,
+  ): Promise<IntegrationConnection | null> {
+    return db.integrationConnection.findUnique({
+      where: {
+        providerId_organizationId: {
+          providerId,
+          organizationId,
+        },
+      },
+      include: {
+        provider: true,
+      },
+    });
+  }
+
+  async findBySlugAndOrg(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<IntegrationConnection | null> {
+    const provider = await db.integrationProvider.findUnique({
+      where: { slug: providerSlug },
+    });
+
+    if (!provider) return null;
+
+    return this.findByProviderAndOrg(provider.id, organizationId);
+  }
+
+  async findByOrganization(
+    organizationId: string,
+  ): Promise<IntegrationConnection[]> {
+    return db.integrationConnection.findMany({
+      where: { organizationId },
+      include: {
+        provider: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  async findActiveByOrganization(
+    organizationId: string,
+  ): Promise<IntegrationConnection[]> {
+    return db.integrationConnection.findMany({
+      where: {
+        organizationId,
+        status: 'active',
+      },
+      include: {
+        provider: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  async create(data: CreateConnectionDto): Promise<IntegrationConnection> {
+    return db.integrationConnection.create({
+      data: {
+        providerId: data.providerId,
+        organizationId: data.organizationId,
+        authStrategy: data.authStrategy,
+        status: 'pending',
+        metadata: data.metadata,
+      },
+      include: {
+        provider: true,
+      },
+    });
+  }
+
+  async update(
+    id: string,
+    data: UpdateConnectionDto,
+  ): Promise<IntegrationConnection> {
+    return db.integrationConnection.update({
+      where: { id },
+      data,
+      include: {
+        provider: true,
+      },
+    });
+  }
+
+  async updateStatus(
+    id: string,
+    status: IntegrationConnectionStatus,
+    errorMessage?: string,
+  ): Promise<IntegrationConnection> {
+    return db.integrationConnection.update({
+      where: { id },
+      data: {
+        status,
+        errorMessage: errorMessage ?? null,
+      },
+      include: {
+        provider: true,
+      },
+    });
+  }
+
+  async delete(id: string): Promise<void> {
+    await db.integrationConnection.delete({
+      where: { id },
+    });
+  }
+
+  async deleteByProviderAndOrg(
+    providerId: string,
+    organizationId: string,
+  ): Promise<void> {
+    await db.integrationConnection.delete({
+      where: {
+        providerId_organizationId: {
+          providerId,
+          organizationId,
+        },
+      },
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/credential.repository.ts b/apps/api/src/integration-platform/repositories/credential.repository.ts
new file mode 100644
index 000000000..e3935ba1c
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/credential.repository.ts
@@ -0,0 +1,98 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { IntegrationCredentialVersion } from '@prisma/client';
+
+export interface CreateCredentialVersionDto {
+  connectionId: string;
+  encryptedPayload: object;
+  expiresAt?: Date;
+}
+
+@Injectable()
+export class CredentialRepository {
+  async findById(id: string): Promise<IntegrationCredentialVersion | null> {
+    return db.integrationCredentialVersion.findUnique({
+      where: { id },
+    });
+  }
+
+  async findLatestByConnection(
+    connectionId: string,
+  ): Promise<IntegrationCredentialVersion | null> {
+    return db.integrationCredentialVersion.findFirst({
+      where: { connectionId },
+      orderBy: { version: 'desc' },
+    });
+  }
+
+  async findByConnectionAndVersion(
+    connectionId: string,
+    version: number,
+  ): Promise<IntegrationCredentialVersion | null> {
+    return db.integrationCredentialVersion.findUnique({
+      where: {
+        connectionId_version: {
+          connectionId,
+          version,
+        },
+      },
+    });
+  }
+
+  async findAllByConnection(
+    connectionId: string,
+  ): Promise<IntegrationCredentialVersion[]> {
+    return db.integrationCredentialVersion.findMany({
+      where: { connectionId },
+      orderBy: { version: 'desc' },
+    });
+  }
+
+  async create(
+    data: CreateCredentialVersionDto,
+  ): Promise<IntegrationCredentialVersion> {
+    // Get the next version number
+    const latestVersion = await this.findLatestByConnection(data.connectionId);
+    const nextVersion = (latestVersion?.version ?? 0) + 1;
+
+    return db.integrationCredentialVersion.create({
+      data: {
+        connectionId: data.connectionId,
+        encryptedPayload: data.encryptedPayload,
+        version: nextVersion,
+        expiresAt: data.expiresAt,
+      },
+    });
+  }
+
+  async markRotated(id: string): Promise<IntegrationCredentialVersion> {
+    return db.integrationCredentialVersion.update({
+      where: { id },
+      data: {
+        rotatedAt: new Date(),
+      },
+    });
+  }
+
+  async deleteOldVersions(
+    connectionId: string,
+    keepCount: number = 5,
+  ): Promise<number> {
+    const versions = await db.integrationCredentialVersion.findMany({
+      where: { connectionId },
+      orderBy: { version: 'desc' },
+      skip: keepCount,
+      select: { id: true },
+    });
+
+    if (versions.length === 0) return 0;
+
+    const result = await db.integrationCredentialVersion.deleteMany({
+      where: {
+        id: { in: versions.map((v) => v.id) },
+      },
+    });
+
+    return result.count;
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/oauth-app.repository.ts b/apps/api/src/integration-platform/repositories/oauth-app.repository.ts
new file mode 100644
index 000000000..465b9d87c
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/oauth-app.repository.ts
@@ -0,0 +1,148 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { IntegrationOAuthApp, Prisma } from '@prisma/client';
+
+export interface CreateOAuthAppDto {
+  providerSlug: string;
+  organizationId: string;
+  encryptedClientId: object;
+  encryptedClientSecret: object;
+  customScopes?: string[];
+  customSettings?: Prisma.InputJsonValue;
+}
+
+export interface UpdateOAuthAppDto {
+  encryptedClientId?: object;
+  encryptedClientSecret?: object;
+  customScopes?: string[];
+  customSettings?: Prisma.InputJsonValue;
+  isActive?: boolean;
+}
+
+@Injectable()
+export class OAuthAppRepository {
+  async findByProviderAndOrg(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<IntegrationOAuthApp | null> {
+    return db.integrationOAuthApp.findUnique({
+      where: {
+        providerSlug_organizationId: {
+          providerSlug,
+          organizationId,
+        },
+      },
+    });
+  }
+
+  async findActiveByProviderAndOrg(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<IntegrationOAuthApp | null> {
+    return db.integrationOAuthApp.findFirst({
+      where: {
+        providerSlug,
+        organizationId,
+        isActive: true,
+      },
+    });
+  }
+
+  async findByOrganization(
+    organizationId: string,
+  ): Promise<IntegrationOAuthApp[]> {
+    return db.integrationOAuthApp.findMany({
+      where: { organizationId },
+      orderBy: { providerSlug: 'asc' },
+    });
+  }
+
+  async create(data: CreateOAuthAppDto): Promise<IntegrationOAuthApp> {
+    return db.integrationOAuthApp.create({
+      data: {
+        providerSlug: data.providerSlug,
+        organizationId: data.organizationId,
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        isActive: true,
+      },
+    });
+  }
+
+  async update(
+    providerSlug: string,
+    organizationId: string,
+    data: UpdateOAuthAppDto,
+  ): Promise<IntegrationOAuthApp> {
+    return db.integrationOAuthApp.update({
+      where: {
+        providerSlug_organizationId: {
+          providerSlug,
+          organizationId,
+        },
+      },
+      data: {
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes,
+        customSettings: data.customSettings,
+        isActive: data.isActive,
+      },
+    });
+  }
+
+  async upsert(data: CreateOAuthAppDto): Promise<IntegrationOAuthApp> {
+    return db.integrationOAuthApp.upsert({
+      where: {
+        providerSlug_organizationId: {
+          providerSlug: data.providerSlug,
+          organizationId: data.organizationId,
+        },
+      },
+      create: {
+        providerSlug: data.providerSlug,
+        organizationId: data.organizationId,
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        customSettings: data.customSettings || undefined,
+        isActive: true,
+      },
+      update: {
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        customSettings: data.customSettings || undefined,
+        isActive: true,
+      },
+    });
+  }
+
+  async delete(providerSlug: string, organizationId: string): Promise<void> {
+    await db.integrationOAuthApp.delete({
+      where: {
+        providerSlug_organizationId: {
+          providerSlug,
+          organizationId,
+        },
+      },
+    });
+  }
+
+  async setActive(
+    providerSlug: string,
+    organizationId: string,
+    isActive: boolean,
+  ): Promise<IntegrationOAuthApp> {
+    return db.integrationOAuthApp.update({
+      where: {
+        providerSlug_organizationId: {
+          providerSlug,
+          organizationId,
+        },
+      },
+      data: { isActive },
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/oauth-state.repository.ts b/apps/api/src/integration-platform/repositories/oauth-state.repository.ts
new file mode 100644
index 000000000..ebce5d1ae
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/oauth-state.repository.ts
@@ -0,0 +1,70 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { IntegrationOAuthState } from '@prisma/client';
+import { randomBytes } from 'crypto';
+
+export interface CreateOAuthStateDto {
+  providerSlug: string;
+  organizationId: string;
+  userId: string;
+  codeVerifier?: string;
+  redirectUrl?: string;
+  /** Expiration time in minutes (default: 10) */
+  expiresInMinutes?: number;
+}
+
+@Injectable()
+export class OAuthStateRepository {
+  async findByState(state: string): Promise<IntegrationOAuthState | null> {
+    return db.integrationOAuthState.findUnique({
+      where: { state },
+    });
+  }
+
+  async create(data: CreateOAuthStateDto): Promise<IntegrationOAuthState> {
+    const state = randomBytes(32).toString('hex');
+    const expiresAt = new Date();
+    expiresAt.setMinutes(
+      expiresAt.getMinutes() + (data.expiresInMinutes ?? 10),
+    );
+
+    return db.integrationOAuthState.create({
+      data: {
+        state,
+        providerSlug: data.providerSlug,
+        organizationId: data.organizationId,
+        userId: data.userId,
+        codeVerifier: data.codeVerifier,
+        redirectUrl: data.redirectUrl,
+        expiresAt,
+      },
+    });
+  }
+
+  async delete(state: string): Promise<void> {
+    await db.integrationOAuthState.delete({
+      where: { state },
+    });
+  }
+
+  async deleteById(id: string): Promise<void> {
+    await db.integrationOAuthState.delete({
+      where: { id },
+    });
+  }
+
+  async deleteExpired(): Promise<number> {
+    const result = await db.integrationOAuthState.deleteMany({
+      where: {
+        expiresAt: { lt: new Date() },
+      },
+    });
+    return result.count;
+  }
+
+  async isValid(state: string): Promise<boolean> {
+    const oauthState = await this.findByState(state);
+    if (!oauthState) return false;
+    return oauthState.expiresAt > new Date();
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/platform-credential.repository.ts b/apps/api/src/integration-platform/repositories/platform-credential.repository.ts
new file mode 100644
index 000000000..922a9cae7
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/platform-credential.repository.ts
@@ -0,0 +1,105 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { Prisma } from '@prisma/client';
+
+export interface CreatePlatformCredentialDto {
+  providerSlug: string;
+  encryptedClientId: Prisma.InputJsonValue;
+  encryptedClientSecret: Prisma.InputJsonValue;
+  customScopes?: string[];
+  customSettings?: Prisma.InputJsonValue;
+  createdById?: string;
+}
+
+export interface UpdatePlatformCredentialDto {
+  encryptedClientId?: Prisma.InputJsonValue;
+  encryptedClientSecret?: Prisma.InputJsonValue;
+  customScopes?: string[];
+  customSettings?: Prisma.InputJsonValue;
+  isActive?: boolean;
+  updatedById?: string;
+}
+
+@Injectable()
+export class PlatformCredentialRepository {
+  async findByProviderSlug(providerSlug: string) {
+    return db.integrationPlatformCredential.findUnique({
+      where: { providerSlug },
+    });
+  }
+
+  async findActiveByProviderSlug(providerSlug: string) {
+    return db.integrationPlatformCredential.findFirst({
+      where: {
+        providerSlug,
+        isActive: true,
+      },
+    });
+  }
+
+  async findAll() {
+    return db.integrationPlatformCredential.findMany({
+      orderBy: { providerSlug: 'asc' },
+    });
+  }
+
+  async create(data: CreatePlatformCredentialDto) {
+    return db.integrationPlatformCredential.create({
+      data: {
+        providerSlug: data.providerSlug,
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        createdById: data.createdById,
+        updatedById: data.createdById,
+      },
+    });
+  }
+
+  async update(providerSlug: string, data: UpdatePlatformCredentialDto) {
+    return db.integrationPlatformCredential.update({
+      where: { providerSlug },
+      data: {
+        ...(data.encryptedClientId && {
+          encryptedClientId: data.encryptedClientId,
+        }),
+        ...(data.encryptedClientSecret && {
+          encryptedClientSecret: data.encryptedClientSecret,
+        }),
+        ...(data.customScopes !== undefined && {
+          customScopes: data.customScopes,
+        }),
+        ...(data.isActive !== undefined && { isActive: data.isActive }),
+        ...(data.updatedById && { updatedById: data.updatedById }),
+      },
+    });
+  }
+
+  async upsert(data: CreatePlatformCredentialDto) {
+    return db.integrationPlatformCredential.upsert({
+      where: { providerSlug: data.providerSlug },
+      create: {
+        providerSlug: data.providerSlug,
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        customSettings: data.customSettings,
+        createdById: data.createdById,
+        updatedById: data.createdById,
+      },
+      update: {
+        encryptedClientId: data.encryptedClientId,
+        encryptedClientSecret: data.encryptedClientSecret,
+        customScopes: data.customScopes || [],
+        customSettings: data.customSettings,
+        updatedById: data.createdById,
+      },
+    });
+  }
+
+  async delete(providerSlug: string) {
+    return db.integrationPlatformCredential.delete({
+      where: { providerSlug },
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/repositories/provider.repository.ts b/apps/api/src/integration-platform/repositories/provider.repository.ts
new file mode 100644
index 000000000..620e79566
--- /dev/null
+++ b/apps/api/src/integration-platform/repositories/provider.repository.ts
@@ -0,0 +1,88 @@
+import { Injectable } from '@nestjs/common';
+import { db } from '@db';
+import type { IntegrationProvider } from '@prisma/client';
+
+export interface CreateProviderDto {
+  slug: string;
+  name: string;
+  category: string;
+  manifestHash?: string;
+  capabilities: string[];
+  isActive: boolean;
+}
+
+@Injectable()
+export class ProviderRepository {
+  async findBySlug(slug: string): Promise<IntegrationProvider | null> {
+    return db.integrationProvider.findUnique({
+      where: { slug },
+    });
+  }
+
+  async findById(id: string): Promise<IntegrationProvider | null> {
+    return db.integrationProvider.findUnique({
+      where: { id },
+    });
+  }
+
+  async findAll(): Promise<IntegrationProvider[]> {
+    return db.integrationProvider.findMany({
+      orderBy: { name: 'asc' },
+    });
+  }
+
+  async findActive(): Promise<IntegrationProvider[]> {
+    return db.integrationProvider.findMany({
+      where: { isActive: true },
+      orderBy: { name: 'asc' },
+    });
+  }
+
+  async findByCategory(category: string): Promise<IntegrationProvider[]> {
+    return db.integrationProvider.findMany({
+      where: { category },
+      orderBy: { name: 'asc' },
+    });
+  }
+
+  async upsert(data: CreateProviderDto): Promise<IntegrationProvider> {
+    return db.integrationProvider.upsert({
+      where: { slug: data.slug },
+      create: {
+        slug: data.slug,
+        name: data.name,
+        category: data.category,
+        manifestHash: data.manifestHash,
+        capabilities: data.capabilities,
+        isActive: data.isActive,
+      },
+      update: {
+        name: data.name,
+        category: data.category,
+        manifestHash: data.manifestHash,
+        capabilities: data.capabilities,
+        isActive: data.isActive,
+      },
+    });
+  }
+
+  async updateManifestHash(
+    slug: string,
+    manifestHash: string,
+  ): Promise<IntegrationProvider> {
+    return db.integrationProvider.update({
+      where: { slug },
+      data: { manifestHash },
+    });
+  }
+
+  async setActive(
+    slug: string,
+    isActive: boolean,
+  ): Promise<IntegrationProvider> {
+    return db.integrationProvider.update({
+      where: { slug },
+      data: { isActive },
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/services/auto-check-runner.service.ts b/apps/api/src/integration-platform/services/auto-check-runner.service.ts
new file mode 100644
index 000000000..acae83e9f
--- /dev/null
+++ b/apps/api/src/integration-platform/services/auto-check-runner.service.ts
@@ -0,0 +1,135 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { tasks } from '@trigger.dev/sdk';
+import { getManifest } from '@comp/integration-platform';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { ProviderRepository } from '../repositories/provider.repository';
+
+@Injectable()
+export class AutoCheckRunnerService {
+  private readonly logger = new Logger(AutoCheckRunnerService.name);
+
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly providerRepository: ProviderRepository,
+  ) {}
+
+  /**
+   * Determine if a connection can auto-run checks based on:
+   * 1. The provider has checks defined
+   * 2. All required variables are configured (or there are no required variables)
+   */
+  async canAutoRunChecks(connectionId: string): Promise<{
+    canRun: boolean;
+    reason?: string;
+  }> {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      return { canRun: false, reason: 'Connection not found' };
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      return { canRun: false, reason: 'Provider not found' };
+    }
+
+    const manifest = getManifest(provider.slug);
+    if (!manifest) {
+      return { canRun: false, reason: 'Manifest not found' };
+    }
+
+    // Check if the provider has any checks
+    if (!manifest.checks || manifest.checks.length === 0) {
+      return { canRun: false, reason: 'No checks defined for this provider' };
+    }
+
+    // Collect all required variables from all checks
+    const requiredVariables = new Set<string>();
+    for (const check of manifest.checks) {
+      if (check.variables) {
+        for (const variable of check.variables) {
+          if (variable.required) {
+            requiredVariables.add(variable.id);
+          }
+        }
+      }
+    }
+
+    // Check if all required variables are configured
+    const configuredVariables =
+      (connection.variables as Record<string, unknown>) || {};
+    const missingVariables: string[] = [];
+
+    for (const requiredVar of requiredVariables) {
+      const value = configuredVariables[requiredVar];
+      // Check for empty values
+      if (value === undefined || value === null || value === '') {
+        missingVariables.push(requiredVar);
+      }
+      // Check for empty arrays
+      if (Array.isArray(value) && value.length === 0) {
+        missingVariables.push(requiredVar);
+      }
+    }
+
+    if (missingVariables.length > 0) {
+      return {
+        canRun: false,
+        reason: `Missing required variables: ${missingVariables.join(', ')}`,
+      };
+    }
+
+    return { canRun: true };
+  }
+
+  /**
+   * Auto-run checks for a connection if conditions are met.
+   * Triggers a Trigger.dev task for reliable background execution.
+   * Returns true if the task was triggered, false otherwise.
+   */
+  async tryAutoRunChecks(connectionId: string): Promise<boolean> {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      this.logger.warn(`Connection ${connectionId} not found`);
+      return false;
+    }
+
+    const provider = await this.providerRepository.findById(
+      connection.providerId,
+    );
+    if (!provider) {
+      this.logger.warn(`Provider not found for connection ${connectionId}`);
+      return false;
+    }
+
+    const { canRun, reason } = await this.canAutoRunChecks(connectionId);
+
+    if (!canRun) {
+      this.logger.log(
+        `Skipping auto-run for connection ${connectionId}: ${reason}`,
+      );
+      return false;
+    }
+
+    try {
+      // Trigger the Trigger.dev task for reliable background execution
+      const handle = await tasks.trigger('run-connection-checks', {
+        connectionId,
+        organizationId: connection.organizationId,
+        providerSlug: provider.slug,
+      });
+
+      this.logger.log(
+        `Triggered auto-run checks for ${provider.slug} (task: ${handle.id})`,
+      );
+      return true;
+    } catch (error) {
+      this.logger.error(
+        `Failed to trigger auto-run checks for ${connectionId}`,
+        error,
+      );
+      return false;
+    }
+  }
+}
diff --git a/apps/api/src/integration-platform/services/connection.service.ts b/apps/api/src/integration-platform/services/connection.service.ts
new file mode 100644
index 000000000..5f2022978
--- /dev/null
+++ b/apps/api/src/integration-platform/services/connection.service.ts
@@ -0,0 +1,151 @@
+import {
+  Injectable,
+  NotFoundException,
+  ConflictException,
+} from '@nestjs/common';
+import { ConnectionRepository } from '../repositories/connection.repository';
+import { ProviderRepository } from '../repositories/provider.repository';
+import type {
+  IntegrationConnection,
+  IntegrationConnectionStatus,
+} from '@prisma/client';
+
+export interface CreateConnectionInput {
+  providerSlug: string;
+  organizationId: string;
+  authStrategy: string;
+  metadata?: Record<string, unknown>;
+}
+
+@Injectable()
+export class ConnectionService {
+  constructor(
+    private readonly connectionRepository: ConnectionRepository,
+    private readonly providerRepository: ProviderRepository,
+  ) {}
+
+  async getConnection(connectionId: string): Promise<IntegrationConnection> {
+    const connection = await this.connectionRepository.findById(connectionId);
+    if (!connection) {
+      throw new NotFoundException(`Connection ${connectionId} not found`);
+    }
+    return connection;
+  }
+
+  async getConnectionByProviderSlug(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<IntegrationConnection | null> {
+    return this.connectionRepository.findBySlugAndOrg(
+      providerSlug,
+      organizationId,
+    );
+  }
+
+  async getOrganizationConnections(
+    organizationId: string,
+  ): Promise<IntegrationConnection[]> {
+    return this.connectionRepository.findByOrganization(organizationId);
+  }
+
+  async getActiveConnections(
+    organizationId: string,
+  ): Promise<IntegrationConnection[]> {
+    return this.connectionRepository.findActiveByOrganization(organizationId);
+  }
+
+  async createConnection(
+    input: CreateConnectionInput,
+  ): Promise<IntegrationConnection> {
+    // Verify provider exists
+    const provider = await this.providerRepository.findBySlug(
+      input.providerSlug,
+    );
+    if (!provider) {
+      throw new NotFoundException(`Provider ${input.providerSlug} not found`);
+    }
+
+    // Check if connection already exists
+    const existing = await this.connectionRepository.findByProviderAndOrg(
+      provider.id,
+      input.organizationId,
+    );
+    if (existing) {
+      throw new ConflictException(
+        `Connection to ${input.providerSlug} already exists for this organization`,
+      );
+    }
+
+    return this.connectionRepository.create({
+      providerId: provider.id,
+      organizationId: input.organizationId,
+      authStrategy: input.authStrategy,
+      metadata: input.metadata,
+    });
+  }
+
+  async updateConnectionStatus(
+    connectionId: string,
+    status: IntegrationConnectionStatus,
+    errorMessage?: string,
+  ): Promise<IntegrationConnection> {
+    await this.getConnection(connectionId); // Verify exists
+    return this.connectionRepository.updateStatus(
+      connectionId,
+      status,
+      errorMessage,
+    );
+  }
+
+  async activateConnection(
+    connectionId: string,
+  ): Promise<IntegrationConnection> {
+    return this.updateConnectionStatus(connectionId, 'active');
+  }
+
+  async pauseConnection(connectionId: string): Promise<IntegrationConnection> {
+    return this.updateConnectionStatus(connectionId, 'paused');
+  }
+
+  async setConnectionError(
+    connectionId: string,
+    errorMessage: string,
+  ): Promise<IntegrationConnection> {
+    return this.updateConnectionStatus(connectionId, 'error', errorMessage);
+  }
+
+  async disconnectConnection(
+    connectionId: string,
+  ): Promise<IntegrationConnection> {
+    return this.updateConnectionStatus(connectionId, 'disconnected');
+  }
+
+  async deleteConnection(connectionId: string): Promise<void> {
+    await this.getConnection(connectionId); // Verify exists
+    await this.connectionRepository.delete(connectionId);
+  }
+
+  async updateLastSync(connectionId: string): Promise<IntegrationConnection> {
+    return this.connectionRepository.update(connectionId, {
+      lastSyncAt: new Date(),
+    });
+  }
+
+  async updateNextSync(
+    connectionId: string,
+    nextSyncAt: Date,
+  ): Promise<IntegrationConnection> {
+    return this.connectionRepository.update(connectionId, {
+      nextSyncAt,
+    });
+  }
+
+  async updateSyncCadence(
+    connectionId: string,
+    syncCadence: string | null,
+  ): Promise<IntegrationConnection> {
+    return this.connectionRepository.update(connectionId, {
+      syncCadence,
+    });
+  }
+}
diff --git a/apps/api/src/integration-platform/services/credential-vault.service.ts b/apps/api/src/integration-platform/services/credential-vault.service.ts
new file mode 100644
index 000000000..62a35df18
--- /dev/null
+++ b/apps/api/src/integration-platform/services/credential-vault.service.ts
@@ -0,0 +1,398 @@
+import { Injectable, Logger } from '@nestjs/common';
+import {
+  createCipheriv,
+  createDecipheriv,
+  randomBytes,
+  scryptSync,
+} from 'crypto';
+import { CredentialRepository } from '../repositories/credential.repository';
+import { ConnectionRepository } from '../repositories/connection.repository';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const SALT_LENGTH = 16;
+const KEY_LENGTH = 32;
+
+// Refresh tokens 5 minutes before expiry to avoid race conditions
+const REFRESH_BUFFER_SECONDS = 300;
+
+export interface EncryptedData {
+  encrypted: string;
+  iv: string;
+  tag: string;
+  salt: string;
+  [key: string]: string; // Index signature for Prisma JSON compatibility
+}
+
+export interface OAuthTokens {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+  scope?: string;
+}
+
+export interface TokenRefreshConfig {
+  tokenUrl: string;
+  clientId: string;
+  clientSecret: string;
+  clientAuthMethod?: 'body' | 'header';
+  /** If provider has a separate refresh URL (rare) */
+  refreshUrl?: string;
+}
+
+@Injectable()
+export class CredentialVaultService {
+  private readonly logger = new Logger(CredentialVaultService.name);
+
+  constructor(
+    private readonly credentialRepository: CredentialRepository,
+    private readonly connectionRepository: ConnectionRepository,
+  ) {}
+
+  private getSecretKey(): string {
+    const secretKey = process.env.SECRET_KEY;
+    if (!secretKey) {
+      throw new Error('SECRET_KEY environment variable is not set');
+    }
+    return secretKey;
+  }
+
+  private deriveKey(secret: string, salt: Buffer): Buffer {
+    return scryptSync(secret, salt, KEY_LENGTH, {
+      N: 16384,
+      r: 8,
+      p: 1,
+    });
+  }
+
+  async encrypt(text: string): Promise<EncryptedData> {
+    const secretKey = this.getSecretKey();
+    const salt = randomBytes(SALT_LENGTH);
+    const iv = randomBytes(IV_LENGTH);
+    const key = this.deriveKey(secretKey, salt);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+
+    const encrypted = Buffer.concat([
+      cipher.update(text, 'utf8'),
+      cipher.final(),
+    ]);
+    const tag = cipher.getAuthTag();
+
+    return {
+      encrypted: encrypted.toString('base64'),
+      iv: iv.toString('base64'),
+      tag: tag.toString('base64'),
+      salt: salt.toString('base64'),
+    };
+  }
+
+  async decrypt(encryptedData: EncryptedData): Promise<string> {
+    const secretKey = this.getSecretKey();
+    const encrypted = Buffer.from(encryptedData.encrypted, 'base64');
+    const iv = Buffer.from(encryptedData.iv, 'base64');
+    const tag = Buffer.from(encryptedData.tag, 'base64');
+    const salt = Buffer.from(encryptedData.salt, 'base64');
+
+    const key = this.deriveKey(secretKey, salt);
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+
+    const decrypted = Buffer.concat([
+      decipher.update(encrypted),
+      decipher.final(),
+    ]);
+    return decrypted.toString('utf8');
+  }
+
+  /**
+   * Store OAuth tokens for a connection
+   */
+  async storeOAuthTokens(
+    connectionId: string,
+    tokens: OAuthTokens,
+  ): Promise<void> {
+    // Encrypt each token field
+    const encryptedPayload: Record<string, unknown> = {};
+
+    if (tokens.access_token) {
+      encryptedPayload.access_token = await this.encrypt(tokens.access_token);
+    }
+    if (tokens.refresh_token) {
+      encryptedPayload.refresh_token = await this.encrypt(tokens.refresh_token);
+    }
+    if (tokens.token_type) {
+      encryptedPayload.token_type = tokens.token_type;
+    }
+    if (tokens.scope) {
+      encryptedPayload.scope = tokens.scope;
+    }
+
+    // Calculate expiration
+    let expiresAt: Date | undefined;
+    if (tokens.expires_in) {
+      expiresAt = new Date();
+      expiresAt.setSeconds(expiresAt.getSeconds() + tokens.expires_in);
+      encryptedPayload.expires_at = expiresAt.toISOString();
+    }
+
+    // Create new credential version
+    const credentialVersion = await this.credentialRepository.create({
+      connectionId,
+      encryptedPayload,
+      expiresAt,
+    });
+
+    // Update connection with active credential version
+    await this.connectionRepository.update(connectionId, {
+      activeCredentialVersionId: credentialVersion.id,
+      status: 'active',
+      errorMessage: null,
+    });
+
+    // Clean up old versions (keep last 5)
+    await this.credentialRepository.deleteOldVersions(connectionId, 5);
+  }
+
+  /**
+   * Store API key credentials for a connection
+   */
+  async storeApiKeyCredentials(
+    connectionId: string,
+    credentials: Record<string, string>,
+  ): Promise<void> {
+    const encryptedPayload: Record<string, unknown> = {};
+
+    for (const [key, value] of Object.entries(credentials)) {
+      if (typeof value === 'string') {
+        encryptedPayload[key] = await this.encrypt(value);
+      } else {
+        encryptedPayload[key] = value;
+      }
+    }
+
+    const credentialVersion = await this.credentialRepository.create({
+      connectionId,
+      encryptedPayload,
+    });
+
+    await this.connectionRepository.update(connectionId, {
+      activeCredentialVersionId: credentialVersion.id,
+      status: 'active',
+      errorMessage: null,
+    });
+
+    await this.credentialRepository.deleteOldVersions(connectionId, 5);
+  }
+
+  /**
+   * Get decrypted credentials for a connection
+   */
+  async getDecryptedCredentials(
+    connectionId: string,
+  ): Promise<Record<string, string> | null> {
+    const latestVersion =
+      await this.credentialRepository.findLatestByConnection(connectionId);
+    if (!latestVersion) return null;
+
+    const encryptedPayload = latestVersion.encryptedPayload as Record<
+      string,
+      unknown
+    >;
+    const decrypted: Record<string, string> = {};
+
+    for (const [key, value] of Object.entries(encryptedPayload)) {
+      if (this.isEncryptedData(value)) {
+        decrypted[key] = await this.decrypt(value);
+      } else if (typeof value === 'string') {
+        decrypted[key] = value;
+      }
+    }
+
+    return decrypted;
+  }
+
+  /**
+   * Check if credentials are expired
+   */
+  async areCredentialsExpired(connectionId: string): Promise<boolean> {
+    const latestVersion =
+      await this.credentialRepository.findLatestByConnection(connectionId);
+    if (!latestVersion) return true;
+    if (!latestVersion.expiresAt) return false;
+    return latestVersion.expiresAt < new Date();
+  }
+
+  /**
+   * Rotate credentials (mark current as rotated, store new)
+   */
+  async rotateCredentials(
+    connectionId: string,
+    newCredentials: Record<string, string>,
+  ): Promise<void> {
+    const latestVersion =
+      await this.credentialRepository.findLatestByConnection(connectionId);
+    if (latestVersion) {
+      await this.credentialRepository.markRotated(latestVersion.id);
+    }
+
+    await this.storeApiKeyCredentials(connectionId, newCredentials);
+  }
+
+  private isEncryptedData(value: unknown): value is EncryptedData {
+    return (
+      value !== null &&
+      typeof value === 'object' &&
+      'encrypted' in value &&
+      'iv' in value &&
+      'tag' in value &&
+      'salt' in value
+    );
+  }
+
+  /**
+   * Check if credentials need to be refreshed (expired or expiring soon)
+   */
+  async needsRefresh(connectionId: string): Promise<boolean> {
+    const latestVersion =
+      await this.credentialRepository.findLatestByConnection(connectionId);
+    if (!latestVersion) return false;
+    if (!latestVersion.expiresAt) return false; // No expiry = no refresh needed (e.g., GitHub)
+
+    const now = new Date();
+    const bufferTime = new Date(now.getTime() + REFRESH_BUFFER_SECONDS * 1000);
+
+    return latestVersion.expiresAt <= bufferTime;
+  }
+
+  /**
+   * Get the refresh token for a connection (if available)
+   */
+  async getRefreshToken(connectionId: string): Promise<string | null> {
+    const credentials = await this.getDecryptedCredentials(connectionId);
+    return credentials?.refresh_token || null;
+  }
+
+  /**
+   * Refresh OAuth tokens using the refresh token
+   * Returns the new access token, or null if refresh failed
+   */
+  async refreshOAuthTokens(
+    connectionId: string,
+    config: TokenRefreshConfig,
+  ): Promise<string | null> {
+    const refreshToken = await this.getRefreshToken(connectionId);
+    if (!refreshToken) {
+      this.logger.warn(
+        `No refresh token available for connection ${connectionId}`,
+      );
+      return null;
+    }
+
+    try {
+      this.logger.log(`Refreshing OAuth tokens for connection ${connectionId}`);
+
+      // Build the token request
+      const body = new URLSearchParams({
+        grant_type: 'refresh_token',
+        refresh_token: refreshToken,
+      });
+
+      const headers: Record<string, string> = {
+        'Content-Type': 'application/x-www-form-urlencoded',
+        Accept: 'application/json',
+      };
+
+      // Add client credentials based on auth method
+      if (config.clientAuthMethod === 'header') {
+        const credentials = Buffer.from(
+          `${config.clientId}:${config.clientSecret}`,
+        ).toString('base64');
+        headers['Authorization'] = `Basic ${credentials}`;
+      } else {
+        // Default: send in body
+        body.set('client_id', config.clientId);
+        body.set('client_secret', config.clientSecret);
+      }
+
+      // Use refreshUrl if provided, otherwise fall back to tokenUrl
+      const refreshEndpoint = config.refreshUrl || config.tokenUrl;
+
+      const response = await fetch(refreshEndpoint, {
+        method: 'POST',
+        headers,
+        body: body.toString(),
+      });
+
+      if (!response.ok) {
+        await response.text(); // consume body
+        this.logger.error(
+          `Token refresh failed for connection ${connectionId}: ${response.status}`,
+        );
+
+        // If refresh token is invalid/expired, mark connection as error
+        if (response.status === 400 || response.status === 401) {
+          await this.connectionRepository.update(connectionId, {
+            status: 'error',
+            errorMessage:
+              'OAuth token expired. Please reconnect the integration.',
+          });
+        }
+
+        return null;
+      }
+
+      const tokens: OAuthTokens = await response.json();
+
+      // Store the new tokens
+      // Note: Some providers return a new refresh token, some don't
+      const tokensToStore: OAuthTokens = {
+        access_token: tokens.access_token,
+        refresh_token: tokens.refresh_token || refreshToken, // Keep old refresh token if not provided
+        token_type: tokens.token_type,
+        expires_in: tokens.expires_in,
+        scope: tokens.scope,
+      };
+
+      await this.storeOAuthTokens(connectionId, tokensToStore);
+
+      this.logger.log(
+        `Successfully refreshed OAuth tokens for connection ${connectionId}`,
+      );
+      return tokens.access_token;
+    } catch (error) {
+      this.logger.error(
+        `Error refreshing tokens for connection ${connectionId}:`,
+        error,
+      );
+      return null;
+    }
+  }
+
+  /**
+   * Get a valid access token, refreshing if necessary.
+   * This is the main method to use when making API calls.
+   */
+  async getValidAccessToken(
+    connectionId: string,
+    refreshConfig?: TokenRefreshConfig,
+  ): Promise<string | null> {
+    // Check if we need to refresh
+    const needsRefresh = await this.needsRefresh(connectionId);
+
+    if (needsRefresh && refreshConfig) {
+      const newToken = await this.refreshOAuthTokens(
+        connectionId,
+        refreshConfig,
+      );
+      if (newToken) {
+        return newToken;
+      }
+      // If refresh failed, try to use existing token (might still work briefly)
+    }
+
+    // Get current credentials
+    const credentials = await this.getDecryptedCredentials(connectionId);
+    return credentials?.access_token || null;
+  }
+}
diff --git a/apps/api/src/integration-platform/services/oauth-credentials.service.ts b/apps/api/src/integration-platform/services/oauth-credentials.service.ts
new file mode 100644
index 000000000..c3c20c845
--- /dev/null
+++ b/apps/api/src/integration-platform/services/oauth-credentials.service.ts
@@ -0,0 +1,298 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { OAuthAppRepository } from '../repositories/oauth-app.repository';
+import { PlatformCredentialRepository } from '../repositories/platform-credential.repository';
+import {
+  CredentialVaultService,
+  EncryptedData,
+} from './credential-vault.service';
+import { getManifest, type OAuthConfig } from '@comp/integration-platform';
+import type { Prisma } from '@prisma/client';
+
+export interface OAuthCredentials {
+  clientId: string;
+  clientSecret: string;
+  scopes: string[];
+  /** Where the credentials came from */
+  source: 'organization' | 'platform';
+  /** Provider-specific custom settings (e.g., Rippling app name) */
+  customSettings?: Record<string, unknown>;
+}
+
+export interface OAuthCredentialsAvailability {
+  /** Whether credentials are available (from any source) */
+  available: boolean;
+  /** Whether org has custom credentials configured */
+  hasOrgCredentials: boolean;
+  /** Whether platform has credentials configured */
+  hasPlatformCredentials: boolean;
+  /** Instructions for setting up custom OAuth app (if no credentials available) */
+  setupInstructions?: string;
+  /** URL to create OAuth app */
+  createAppUrl?: string;
+}
+
+@Injectable()
+export class OAuthCredentialsService {
+  private readonly logger = new Logger(OAuthCredentialsService.name);
+
+  constructor(
+    private readonly oauthAppRepository: OAuthAppRepository,
+    private readonly platformCredentialRepository: PlatformCredentialRepository,
+    private readonly credentialVaultService: CredentialVaultService,
+  ) {}
+
+  /**
+   * Get OAuth credentials for a provider, checking org-level first, then platform-level
+   */
+  async getCredentials(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<OAuthCredentials | null> {
+    const manifest = getManifest(providerSlug);
+    if (!manifest || manifest.auth.type !== 'oauth2') {
+      return null;
+    }
+
+    const oauthConfig = manifest.auth.config;
+
+    // 1. Check for org-level custom credentials first
+    const orgCredentials = await this.getOrgCredentials(
+      providerSlug,
+      organizationId,
+      oauthConfig,
+    );
+    if (orgCredentials) {
+      return orgCredentials;
+    }
+
+    // 2. Fall back to platform-level credentials (from database)
+    const platformCredentials = await this.getPlatformCredentials(
+      providerSlug,
+      oauthConfig,
+    );
+    if (platformCredentials) {
+      return platformCredentials;
+    }
+
+    return null;
+  }
+
+  /**
+   * Check what credentials are available for a provider
+   */
+  async checkAvailability(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<OAuthCredentialsAvailability> {
+    const manifest = getManifest(providerSlug);
+    if (!manifest || manifest.auth.type !== 'oauth2') {
+      return {
+        available: false,
+        hasOrgCredentials: false,
+        hasPlatformCredentials: false,
+      };
+    }
+
+    const oauthConfig = manifest.auth.config;
+
+    // Check org credentials
+    const orgApp = await this.oauthAppRepository.findActiveByProviderAndOrg(
+      providerSlug,
+      organizationId,
+    );
+    const hasOrgCredentials = !!orgApp;
+
+    // Check platform credentials (from database)
+    const platformCred =
+      await this.platformCredentialRepository.findActiveByProviderSlug(
+        providerSlug,
+      );
+    const hasPlatformCredentials = !!platformCred;
+
+    return {
+      available: hasOrgCredentials || hasPlatformCredentials,
+      hasOrgCredentials,
+      hasPlatformCredentials,
+      setupInstructions: oauthConfig.setupInstructions,
+      createAppUrl: oauthConfig.createAppUrl,
+    };
+  }
+
+  /**
+   * Save custom OAuth app credentials for an organization
+   */
+  async saveOrgCredentials(
+    providerSlug: string,
+    organizationId: string,
+    clientId: string,
+    clientSecret: string,
+    customScopes?: string[],
+    customSettings?: Prisma.InputJsonValue,
+  ): Promise<void> {
+    const encryptedClientId =
+      await this.credentialVaultService.encrypt(clientId);
+    const encryptedClientSecret =
+      await this.credentialVaultService.encrypt(clientSecret);
+
+    await this.oauthAppRepository.upsert({
+      providerSlug,
+      organizationId,
+      encryptedClientId,
+      encryptedClientSecret,
+      customScopes,
+      customSettings: customSettings,
+    });
+
+    this.logger.log(
+      `Saved custom OAuth credentials for ${providerSlug}, org: ${organizationId}`,
+    );
+  }
+
+  /**
+   * Delete custom OAuth app credentials for an organization
+   */
+  async deleteOrgCredentials(
+    providerSlug: string,
+    organizationId: string,
+  ): Promise<void> {
+    await this.oauthAppRepository.delete(providerSlug, organizationId);
+    this.logger.log(
+      `Deleted custom OAuth credentials for ${providerSlug}, org: ${organizationId}`,
+    );
+  }
+
+  /**
+   * Save platform-wide OAuth credentials (admin only)
+   */
+  async savePlatformCredentials(
+    providerSlug: string,
+    clientId: string,
+    clientSecret: string,
+    customScopes?: string[],
+    customSettings?: Record<string, unknown>,
+    userId?: string,
+  ): Promise<void> {
+    const encryptedClientId =
+      await this.credentialVaultService.encrypt(clientId);
+    const encryptedClientSecret =
+      await this.credentialVaultService.encrypt(clientSecret);
+
+    await this.platformCredentialRepository.upsert({
+      providerSlug,
+      encryptedClientId,
+      encryptedClientSecret,
+      customScopes,
+      customSettings: customSettings as Prisma.InputJsonValue | undefined,
+      createdById: userId,
+    });
+
+    this.logger.log(`Saved platform OAuth credentials for ${providerSlug}`);
+  }
+
+  /**
+   * Delete platform-wide OAuth credentials (admin only)
+   */
+  async deletePlatformCredentials(providerSlug: string): Promise<void> {
+    await this.platformCredentialRepository.delete(providerSlug);
+    this.logger.log(`Deleted platform OAuth credentials for ${providerSlug}`);
+  }
+
+  /**
+   * Get all platform credentials (for admin UI)
+   */
+  async getAllPlatformCredentials() {
+    return this.platformCredentialRepository.findAll();
+  }
+
+  /**
+   * Get org-level OAuth credentials
+   */
+  private async getOrgCredentials(
+    providerSlug: string,
+    organizationId: string,
+    oauthConfig: OAuthConfig,
+  ): Promise<OAuthCredentials | null> {
+    const orgApp = await this.oauthAppRepository.findActiveByProviderAndOrg(
+      providerSlug,
+      organizationId,
+    );
+
+    if (!orgApp) {
+      return null;
+    }
+
+    try {
+      const clientId = await this.credentialVaultService.decrypt(
+        orgApp.encryptedClientId as unknown as EncryptedData,
+      );
+      const clientSecret = await this.credentialVaultService.decrypt(
+        orgApp.encryptedClientSecret as unknown as EncryptedData,
+      );
+
+      // Use custom scopes if provided, otherwise fall back to manifest defaults
+      const scopes =
+        orgApp.customScopes.length > 0
+          ? orgApp.customScopes
+          : oauthConfig.scopes;
+
+      return {
+        clientId,
+        clientSecret,
+        scopes,
+        source: 'organization',
+        customSettings:
+          (orgApp.customSettings as Record<string, unknown>) || undefined,
+      };
+    } catch (error) {
+      this.logger.error(`Failed to decrypt org OAuth credentials: ${error}`);
+      return null;
+    }
+  }
+
+  /**
+   * Get platform-level OAuth credentials from database
+   */
+  private async getPlatformCredentials(
+    providerSlug: string,
+    oauthConfig: OAuthConfig,
+  ): Promise<OAuthCredentials | null> {
+    const platformCred =
+      await this.platformCredentialRepository.findActiveByProviderSlug(
+        providerSlug,
+      );
+
+    if (!platformCred) {
+      return null;
+    }
+
+    try {
+      const clientId = await this.credentialVaultService.decrypt(
+        platformCred.encryptedClientId as unknown as EncryptedData,
+      );
+      const clientSecret = await this.credentialVaultService.decrypt(
+        platformCred.encryptedClientSecret as unknown as EncryptedData,
+      );
+
+      // Use custom scopes if provided, otherwise fall back to manifest defaults
+      const scopes =
+        platformCred.customScopes.length > 0
+          ? platformCred.customScopes
+          : oauthConfig.scopes;
+
+      return {
+        clientId,
+        clientSecret,
+        scopes,
+        source: 'platform',
+        customSettings: (
+          platformCred as { customSettings?: Record<string, unknown> }
+        ).customSettings,
+      };
+    } catch (error) {
+      this.logger.error(
+        `Failed to decrypt platform OAuth credentials: ${error}`,
+      );
+      return null;
+    }
+  }
+}
diff --git a/apps/api/src/knowledge-base/knowledge-base.controller.ts b/apps/api/src/knowledge-base/knowledge-base.controller.ts
index f23c7a7f9..050757f7f 100644
--- a/apps/api/src/knowledge-base/knowledge-base.controller.ts
+++ b/apps/api/src/knowledge-base/knowledge-base.controller.ts
@@ -173,7 +173,9 @@ export class KnowledgeBaseController {
   }
 
   @Post('runs/:runId/token')
-  @ApiOperation({ summary: 'Create a public access token for a Trigger.dev run' })
+  @ApiOperation({
+    summary: 'Create a public access token for a Trigger.dev run',
+  })
   @ApiConsumes('application/json')
   @ApiOkResponse({
     description: 'Public access token created',
diff --git a/apps/api/src/knowledge-base/knowledge-base.service.ts b/apps/api/src/knowledge-base/knowledge-base.service.ts
index cebd047ec..245530fc6 100644
--- a/apps/api/src/knowledge-base/knowledge-base.service.ts
+++ b/apps/api/src/knowledge-base/knowledge-base.service.ts
@@ -7,11 +7,11 @@ import { GetDocumentUrlDto } from './dto/get-document-url.dto';
 import { ProcessDocumentsDto } from './dto/process-documents.dto';
 import { DeleteManualAnswerDto } from './dto/delete-manual-answer.dto';
 import { DeleteAllManualAnswersDto } from './dto/delete-all-manual-answers.dto';
-import { processKnowledgeBaseDocumentTask } from '@/vector-store/jobs/process-knowledge-base-document';
-import { processKnowledgeBaseDocumentsOrchestratorTask } from '@/vector-store/jobs/process-knowledge-base-documents-orchestrator';
-import { deleteKnowledgeBaseDocumentTask } from '@/vector-store/jobs/delete-knowledge-base-document';
-import { deleteManualAnswerTask } from '@/vector-store/jobs/delete-manual-answer';
-import { deleteAllManualAnswersOrchestratorTask } from '@/vector-store/jobs/delete-all-manual-answers-orchestrator';
+import { processKnowledgeBaseDocumentTask } from '@/trigger/vector-store/process-knowledge-base-document';
+import { processKnowledgeBaseDocumentsOrchestratorTask } from '@/trigger/vector-store/process-knowledge-base-documents-orchestrator';
+import { deleteKnowledgeBaseDocumentTask } from '@/trigger/vector-store/delete-knowledge-base-document';
+import { deleteManualAnswerTask } from '@/trigger/vector-store/delete-manual-answer';
+import { deleteAllManualAnswersOrchestratorTask } from '@/trigger/vector-store/delete-all-manual-answers-orchestrator';
 import { isViewableInBrowser } from './utils/constants';
 import {
   uploadToS3,
@@ -72,9 +72,15 @@ export class KnowledgeBaseService {
   }
 
   async getDownloadUrl(dto: GetDocumentUrlDto) {
-    const document = await this.findDocument(dto.documentId, dto.organizationId);
+    const document = await this.findDocument(
+      dto.documentId,
+      dto.organizationId,
+    );
 
-    const { signedUrl } = await generateDownloadUrl(document.s3Key, document.name);
+    const { signedUrl } = await generateDownloadUrl(
+      document.s3Key,
+      document.name,
+    );
 
     return {
       signedUrl,
@@ -83,7 +89,10 @@ export class KnowledgeBaseService {
   }
 
   async getViewUrl(dto: GetDocumentUrlDto) {
-    const document = await this.findDocument(dto.documentId, dto.organizationId);
+    const document = await this.findDocument(
+      dto.documentId,
+      dto.organizationId,
+    );
 
     const { signedUrl } = await generateViewUrl(
       document.s3Key,
@@ -125,7 +134,9 @@ export class KnowledgeBaseService {
     // Delete from S3 (non-blocking)
     const s3Deleted = await deleteFromS3(document.s3Key);
     if (!s3Deleted) {
-      this.logger.warn('Error deleting file from S3', { documentId: document.id });
+      this.logger.warn('Error deleting file from S3', {
+        documentId: document.id,
+      });
     }
 
     // Delete from database
@@ -246,7 +257,7 @@ export class KnowledgeBaseService {
       await this.triggerBatchManualAnswerDeletion(
         dto.organizationId,
         manualAnswers.map((ma) => ma.id),
-        );
+      );
     } else {
       this.logger.log('No manual answers to delete', {
         organizationId: dto.organizationId,
diff --git a/apps/api/src/knowledge-base/utils/constants.ts b/apps/api/src/knowledge-base/utils/constants.ts
index d0f76da60..b62a2b1cf 100644
--- a/apps/api/src/knowledge-base/utils/constants.ts
+++ b/apps/api/src/knowledge-base/utils/constants.ts
@@ -60,4 +60,3 @@ export function generateS3Key(
   const timestamp = Date.now();
   return `${organizationId}/knowledge-base-documents/${timestamp}-${fileId}-${sanitizedFileName}`;
 }
-
diff --git a/apps/api/src/knowledge-base/utils/s3-operations.ts b/apps/api/src/knowledge-base/utils/s3-operations.ts
index 221a281a6..8acfe99c9 100644
--- a/apps/api/src/knowledge-base/utils/s3-operations.ts
+++ b/apps/api/src/knowledge-base/utils/s3-operations.ts
@@ -149,4 +149,3 @@ export async function deleteFromS3(s3Key: string): Promise<boolean> {
     return false;
   }
 }
-
diff --git a/apps/api/src/main.ts b/apps/api/src/main.ts
index 25783220f..6a884f13c 100644
--- a/apps/api/src/main.ts
+++ b/apps/api/src/main.ts
@@ -2,17 +2,84 @@ import './config/load-env';
 import type { INestApplication } from '@nestjs/common';
 import { ValidationPipe, VersioningType } from '@nestjs/common';
 import { NestFactory } from '@nestjs/core';
+import { CorsExceptionFilter } from './common/filters/cors-exception.filter';
 import type { OpenAPIObject } from '@nestjs/swagger';
 import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 import * as express from 'express';
+import helmet from 'helmet';
 import path from 'path';
 import { AppModule } from './app.module';
 import { mkdirSync, writeFileSync, existsSync } from 'fs';
 
+let app: INestApplication | null = null;
+
 async function bootstrap(): Promise<void> {
-  const app: INestApplication = await NestFactory.create(AppModule);
+  app = await NestFactory.create(AppModule);
+
+  // STEP 1: Enable CORS FIRST - critical for preflight requests
+  const isDevelopment = process.env.NODE_ENV !== 'production';
+
+  const allowedOrigins = [
+    'http://localhost:3000',
+    'http://localhost:3001',
+    'http://127.0.0.1:3000',
+    'https://app.trycomp.ai',
+    'https://trycomp.ai',
+    process.env.APP_URL,
+  ].filter(Boolean) as string[];
+
+  app.enableCors({
+    origin: (origin, callback) => {
+      // Same-origin (no origin header)
+      if (!origin) {
+        return callback(null, false); // false for same-origin
+      }
+
+      // Check whitelist
+      if (allowedOrigins.includes(origin)) {
+        return callback(null, origin); // Return the origin string
+      }
+
+      // Dev mode: localhost and ngrok
+      if (isDevelopment) {
+        if (
+          origin.includes('localhost') ||
+          origin.includes('127.0.0.1') ||
+          origin.includes('ngrok')
+        ) {
+          return callback(null, origin); // Return the origin string
+        }
+      }
+
+      // Reject
+      callback(new Error('Not allowed by CORS'));
+    },
+    credentials: true,
+    preflightContinue: false,
+    optionsSuccessStatus: 204,
+  });
+
+  // STEP 2: Security headers
+  app.use(
+    helmet({
+      contentSecurityPolicy: {
+        directives: {
+          defaultSrc: ["'self'"],
+          styleSrc: ["'self'", "'unsafe-inline'"], // Swagger needs inline styles
+          scriptSrc: ["'self'", "'unsafe-inline'"], // Swagger needs inline scripts
+          imgSrc: ["'self'", 'data:', 'https:'],
+          connectSrc: ["'self'"],
+        },
+      },
+      crossOriginEmbedderPolicy: false, // Allow embedding
+    }),
+  );
+
+  // STEP 3: Configure body parser
+  app.use(express.json({ limit: '70mb' }));
+  app.use(express.urlencoded({ limit: '70mb', extended: true }));
 
-  // Enable global validation pipe
+  // STEP 4: Enable global pipes and filters
   app.useGlobalPipes(
     new ValidationPipe({
       whitelist: true,
@@ -24,23 +91,7 @@ async function bootstrap(): Promise<void> {
     }),
   );
 
-  // Configure body parser limits for file uploads (base64 encoded files)
-  // 70mb allows for ~50mb actual file size after base64 encoding overhead (~33%)
-  app.use(express.json({ limit: '70mb' }));
-  app.use(express.urlencoded({ limit: '70mb', extended: true }));
-
-  // Enable CORS for cross-origin requests
-  app.enableCors({
-    origin: true, // Allow requests from any origin
-    credentials: true, // Allow cookies to be sent cross-origin (for auth)
-    methods: ['GET', 'POST', 'PUT', 'DELETE', 'PATCH', 'OPTIONS'],
-    allowedHeaders: [
-      'Content-Type',
-      'Authorization',
-      'X-API-Key',
-      'X-Organization-Id',
-    ],
-  });
+  app.useGlobalFilters(new CorsExceptionFilter());
 
   // Enable API versioning
   app.enableVersioning({
@@ -103,6 +154,20 @@ async function bootstrap(): Promise<void> {
   }
 }
 
+// Graceful shutdown handler
+async function shutdown(signal: string): Promise<void> {
+  console.log(`\n${signal} received, shutting down gracefully...`);
+  if (app) {
+    await app.close();
+    console.log('Application closed');
+  }
+  process.exit(0);
+}
+
+// Handle shutdown signals (important for hot reload)
+process.on('SIGTERM', () => void shutdown('SIGTERM'));
+process.on('SIGINT', () => void shutdown('SIGINT'));
+
 // Handle bootstrap errors properly
 void bootstrap().catch((error: unknown) => {
   console.error('Error starting application:', error);
diff --git a/apps/api/src/questionnaire/questionnaire.controller.ts b/apps/api/src/questionnaire/questionnaire.controller.ts
index 3eba0981e..f8986c5b6 100644
--- a/apps/api/src/questionnaire/questionnaire.controller.ts
+++ b/apps/api/src/questionnaire/questionnaire.controller.ts
@@ -31,8 +31,11 @@ import {
   QuestionnaireService,
   type ParsedQuestionnaireResult,
 } from './questionnaire.service';
-import { syncOrganizationEmbeddings, findSimilarContentBatch } from '@/vector-store/lib';
-import { generateAnswerFromContent } from './vendors/answer-question-helpers';
+import {
+  syncOrganizationEmbeddings,
+  findSimilarContentBatch,
+} from '@/vector-store/lib';
+import { generateAnswerFromContent } from '@/trigger/questionnaire/answer-question-helpers';
 import { TrustAccessService } from '../trust-portal/trust-access.service';
 import {
   createSafeSSESender,
@@ -548,7 +551,7 @@ export class QuestionnaireController {
 
       this.logger.log(
         `Batch search completed in ${searchTime}ms for ${questionsToAnswer.length} questions`,
-        );
+      );
 
       send({
         type: 'progress',
@@ -582,13 +585,13 @@ export class QuestionnaireController {
               try {
                 await this.questionnaireService.saveGeneratedAnswerPublic({
                   questionnaireId: dto.questionnaireId,
-                questionIndex: qa.index,
+                  questionIndex: qa.index,
                   answer: result.answer,
                   sources: result.sources,
                 });
               } catch (saveError) {
                 this.logger.warn('Failed to save answer to database', {
-                questionnaireId: dto.questionnaireId,
+                  questionnaireId: dto.questionnaireId,
                   questionIndex: qa.index,
                   error:
                     saveError instanceof Error
diff --git a/apps/api/src/questionnaire/questionnaire.service.ts b/apps/api/src/questionnaire/questionnaire.service.ts
index a4a799498..e4c9e8382 100644
--- a/apps/api/src/questionnaire/questionnaire.service.ts
+++ b/apps/api/src/questionnaire/questionnaire.service.ts
@@ -1,7 +1,7 @@
 import { Injectable, Logger } from '@nestjs/common';
-import type { AnswerQuestionResult } from './vendors/answer-question';
-import { answerQuestion } from './vendors/answer-question';
-import { generateAnswerWithRAGBatch } from './vendors/answer-question-helpers';
+import type { AnswerQuestionResult } from '@/trigger/questionnaire/answer-question';
+import { answerQuestion } from '@/trigger/questionnaire/answer-question';
+import { generateAnswerWithRAGBatch } from '@/trigger/questionnaire/answer-question-helpers';
 import { ParseQuestionnaireDto } from './dto/parse-questionnaire.dto';
 import {
   ExportQuestionnaireDto,
@@ -13,12 +13,25 @@ import { DeleteAnswerDto } from './dto/delete-answer.dto';
 import { UploadAndParseDto } from './dto/upload-and-parse.dto';
 import { ExportByIdDto } from './dto/export-by-id.dto';
 import { db, Prisma } from '@db';
-import { syncManualAnswerToVector, syncOrganizationEmbeddings } from '@/vector-store/lib';
+import {
+  syncManualAnswerToVector,
+  syncOrganizationEmbeddings,
+} from '@/vector-store/lib';
 
 // Import shared utilities
-import { extractContentFromFile, extractQuestionsWithAI, type ContentExtractionLogger } from './utils/content-extractor';
-import { parseQuestionsAndAnswers, type QuestionAnswer as ParsedQA } from './utils/question-parser';
-import { generateExportFile, type ExportFormat } from './utils/export-generator';
+import {
+  extractContentFromFile,
+  extractQuestionsWithAI,
+  type ContentExtractionLogger,
+} from './utils/content-extractor';
+import {
+  parseQuestionsAndAnswers,
+  type QuestionAnswer as ParsedQA,
+} from './utils/question-parser';
+import {
+  generateExportFile,
+  type ExportFormat,
+} from './utils/export-generator';
 import {
   updateAnsweredCount,
   persistQuestionnaireResult,
@@ -74,13 +87,17 @@ export class QuestionnaireService {
       dto.fileType,
       this.contentLogger,
     );
-    const questionsAndAnswers = await parseQuestionsAndAnswers(content, this.contentLogger);
+    const questionsAndAnswers = await parseQuestionsAndAnswers(
+      content,
+      this.contentLogger,
+    );
 
     return {
       vendorName: dto.vendorName,
       fileName: dto.fileName,
       totalQuestions: questionsAndAnswers.length,
-      questionsAndAnswers: this.convertParsedToQuestionnaireAnswers(questionsAndAnswers),
+      questionsAndAnswers:
+        this.convertParsedToQuestionnaireAnswers(questionsAndAnswers),
     };
   }
 
@@ -119,15 +136,15 @@ export class QuestionnaireService {
 
     await persistQuestionnaireResult(
       {
-      organizationId: dto.organizationId,
-      fileName: dto.fileName || vendorName,
-      fileType: dto.fileType,
-      fileSize:
-        uploadInfo?.fileSize ??
-        (dto.fileData ? Buffer.from(dto.fileData, 'base64').length : 0),
-      s3Key: uploadInfo?.s3Key ?? null,
-      questionsAndAnswers: answered,
-      source: dto.source || 'internal',
+        organizationId: dto.organizationId,
+        fileName: dto.fileName || vendorName,
+        fileType: dto.fileType,
+        fileSize:
+          uploadInfo?.fileSize ??
+          (dto.fileData ? Buffer.from(dto.fileData, 'base64').length : 0),
+        s3Key: uploadInfo?.s3Key ?? null,
+        questionsAndAnswers: answered,
+        source: dto.source || 'internal',
       },
       this.storageLogger,
     );
@@ -158,17 +175,18 @@ export class QuestionnaireService {
 
     const questionnaireId = await persistQuestionnaireResult(
       {
-      organizationId: dto.organizationId,
-      fileName: dto.fileName,
-      fileType: dto.fileType,
-        fileSize: uploadInfo?.fileSize ?? Buffer.from(dto.fileData, 'base64').length,
-      s3Key: uploadInfo?.s3Key ?? null,
-      questionsAndAnswers: questionsAndAnswers.map((qa) => ({
-        question: qa.question,
+        organizationId: dto.organizationId,
+        fileName: dto.fileName,
+        fileType: dto.fileType,
+        fileSize:
+          uploadInfo?.fileSize ?? Buffer.from(dto.fileData, 'base64').length,
+        s3Key: uploadInfo?.s3Key ?? null,
+        questionsAndAnswers: questionsAndAnswers.map((qa) => ({
+          question: qa.question,
           answer: null,
-        sources: undefined,
-      })),
-      source: dto.source || 'internal',
+          sources: undefined,
+        })),
+        source: dto.source || 'internal',
       },
       this.storageLogger,
     );
@@ -351,9 +369,9 @@ export class QuestionnaireService {
     }
 
     const questionsAndAnswers = questionnaire.questions.map((q) => ({
-        question: q.question,
-        answer: q.answer,
-      }));
+      question: q.question,
+      answer: q.answer,
+    }));
 
     this.logger.log('Exporting questionnaire', {
       questionnaireId: dto.questionnaireId,
@@ -448,7 +466,7 @@ export class QuestionnaireService {
     this.logger.log(
       `Generating answers for ${questionsNeedingAnswers.length} of ${questionsAndAnswers.length} questions`,
     );
-    
+
     // Sync organization embeddings before generating answers
     try {
       await syncOrganizationEmbeddings(organizationId);
@@ -458,22 +476,22 @@ export class QuestionnaireService {
         error: error instanceof Error ? error.message : 'Unknown error',
       });
     }
-    
+
     // Use batch processing for efficiency
     const startTime = Date.now();
     const questionsToAnswer = questionsNeedingAnswers.map((qa) => qa.question);
-    
+
     const batchResults = await generateAnswerWithRAGBatch(
       questionsToAnswer,
-              organizationId,
+      organizationId,
     );
 
     // Map batch results
     const results: AnswerQuestionResult[] = questionsNeedingAnswers.map(
       ({ question, index }, i) => ({
         success: batchResults[i]?.answer !== null,
-            questionIndex: index,
-            question,
+        questionIndex: index,
+        question,
         answer: batchResults[i]?.answer ?? null,
         sources: batchResults[i]?.sources ?? [],
       }),
@@ -481,7 +499,7 @@ export class QuestionnaireService {
 
     const answeredCount = results.filter((r) => r.answer !== null).length;
     const totalTime = Date.now() - startTime;
-    
+
     this.logger.log(
       `Batch answer generation completed: ${answeredCount}/${questionsNeedingAnswers.length} answered in ${totalTime}ms`,
     );
diff --git a/apps/api/src/questionnaire/utils/constants.ts b/apps/api/src/questionnaire/utils/constants.ts
index 1b201c61d..fa280c6d7 100644
--- a/apps/api/src/questionnaire/utils/constants.ts
+++ b/apps/api/src/questionnaire/utils/constants.ts
@@ -64,4 +64,3 @@ For each question found:
 - If no answer is provided, note it as empty
 
 Preserve the order of questions as they appear. Return Question → Answer pairs in a structured format.`;
-
diff --git a/apps/api/src/questionnaire/utils/content-extractor.ts b/apps/api/src/questionnaire/utils/content-extractor.ts
index fc69f6cde..67ba6e709 100644
--- a/apps/api/src/questionnaire/utils/content-extractor.ts
+++ b/apps/api/src/questionnaire/utils/content-extractor.ts
@@ -99,34 +99,34 @@ export async function extractQuestionsWithAI(
   logger: ContentExtractionLogger = defaultLogger,
 ): Promise<{ question: string; answer: string | null }[]> {
   const startTime = Date.now();
-  
+
   try {
     // For Excel files - use simple library extraction then AI parsing
     if (isExcelFile(fileType)) {
       const fileBuffer = Buffer.from(fileData, 'base64');
       const rawContent = extractExcelRawContent(fileBuffer, logger);
-      
-      logger.info('Extracted raw Excel content', { 
+
+      logger.info('Extracted raw Excel content', {
         contentLength: rawContent.length,
         extractionMs: Date.now() - startTime,
       });
-      
+
       // Use Groq for ultra-fast AI parsing (~5-10 seconds)
       return await parseQuestionsWithGroq(rawContent, logger);
     }
-    
+
     // For CSV - simple text parsing
     if (isCsvFile(fileType)) {
       const fileBuffer = Buffer.from(fileData, 'base64');
       const content = fileBuffer.toString('utf-8');
       return await parseQuestionsWithGroq(content, logger);
     }
-    
+
     // For PDF/images - use vision
     if (isImageOrPdf(fileType)) {
       return await parseQuestionsWithVision(fileData, fileType, logger);
     }
-    
+
     throw new Error(`Unsupported file type for AI extraction: ${fileType}`);
   } catch (error) {
     logger.error('AI extraction failed', {
@@ -155,13 +155,13 @@ function extractExcelRawContent(
     for (let sheetIdx = 0; sheetIdx < workbook.SheetNames.length; sheetIdx++) {
       const sheetName = workbook.SheetNames[sheetIdx];
       const rows = extractSheetData(zip, sheetIdx, sharedStrings);
-      
+
       if (rows.length === 0) continue;
 
       allContent.push(`\n--- ${sheetName} ---`);
-      
+
       for (const row of rows) {
-        const nonEmpty = row.filter(cell => cell.trim());
+        const nonEmpty = row.filter((cell) => cell.trim());
         if (nonEmpty.length > 0) {
           allContent.push(nonEmpty.join(' | '));
         }
@@ -169,14 +169,14 @@ function extractExcelRawContent(
     }
 
     const result = allContent.join('\n');
-    
+
     // If custom parser got content, use it
     if (result.length > 100) {
       return result;
     }
   } catch (error) {
-    logger.warn('Custom XML parser failed', { 
-      error: error instanceof Error ? error.message : 'Unknown' 
+    logger.warn('Custom XML parser failed', {
+      error: error instanceof Error ? error.message : 'Unknown',
     });
   }
 
@@ -186,12 +186,16 @@ function extractExcelRawContent(
 
   for (const sheetName of workbook.SheetNames) {
     const worksheet = workbook.Sheets[sheetName];
-    const data = XLSX.utils.sheet_to_json(worksheet, { header: 1, defval: '' }) as string[][];
-    
+    const data = XLSX.utils.sheet_to_json(worksheet, {
+      header: 1,
+      defval: '',
+    });
+
     allContent.push(`\n--- ${sheetName} ---`);
-    
+
     for (const row of data) {
-      const nonEmpty = row.map(c => String(c).trim()).filter(c => c);
+      const cells = row as unknown[];
+      const nonEmpty = cells.map((c) => String(c).trim()).filter((c) => c);
       if (nonEmpty.length > 0) {
         allContent.push(nonEmpty.join(' | '));
       }
@@ -227,46 +231,48 @@ async function parseQuestionsWithGroq(
 ): Promise<{ question: string; answer: string | null }[]> {
   const startTime = Date.now();
   const CHUNK_SIZE = 25000; // Leave room for prompt in 32k context
-  
+
   try {
     // If content fits in one chunk, process directly
     if (content.length <= CHUNK_SIZE) {
-      logger.info('Starting Groq parsing (single chunk)...', { contentLength: content.length });
+      logger.info('Starting Groq parsing (single chunk)...', {
+        contentLength: content.length,
+      });
       return await parseChunkWithGroq(content, logger);
     }
-    
+
     // Split content into chunks for parallel processing
     const chunks = splitIntoChunks(content, CHUNK_SIZE);
-    logger.info('Starting Groq parsing (chunked)...', { 
+    logger.info('Starting Groq parsing (chunked)...', {
       contentLength: content.length,
       chunkCount: chunks.length,
     });
-    
+
     // Process all chunks in parallel
     const chunkResults = await Promise.all(
       chunks.map((chunk, idx) => {
         logger.info(`Processing chunk ${idx + 1}/${chunks.length}...`);
         return parseChunkWithGroq(chunk, logger);
-      })
+      }),
     );
-    
+
     // Merge and deduplicate results
     const allQuestions = chunkResults.flat();
     const uniqueQuestions = deduplicateQuestions(allQuestions);
-    
+
     logger.info('Groq chunked parsing complete', {
       totalQuestions: uniqueQuestions.length,
       chunksProcessed: chunks.length,
       durationMs: Date.now() - startTime,
     });
-    
+
     return uniqueQuestions;
   } catch (error) {
     logger.error('Groq parsing failed, trying Claude', {
       error: error instanceof Error ? error.message : 'Unknown',
       durationMs: Date.now() - startTime,
     });
-    
+
     // Fallback to Claude (has 200k context, no chunking needed)
     return parseQuestionsWithClaude(content, logger);
   }
@@ -286,12 +292,16 @@ async function parseChunkWithGroq(
     prompt: QUESTION_PROMPT + content,
   });
 
-  const result = object as { questions: { question: string; answer: string | null }[] };
-  
-  return (result.questions || []).map(q => ({
-    question: q.question?.trim() || '',
-    answer: q.answer?.trim() || null,
-  })).filter(q => q.question);
+  const result = object as {
+    questions: { question: string; answer: string | null }[];
+  };
+
+  return (result.questions || [])
+    .map((q) => ({
+      question: q.question?.trim() || '',
+      answer: q.answer?.trim() || null,
+    }))
+    .filter((q) => q.question);
 }
 
 /**
@@ -302,26 +312,26 @@ function splitIntoChunks(content: string, maxChunkSize: number): string[] {
   const lines = content.split('\n');
   let currentChunk: string[] = [];
   let currentSize = 0;
-  
+
   for (const line of lines) {
     const lineSize = line.length + 1; // +1 for newline
-    
+
     // If adding this line would exceed limit, start new chunk
     if (currentSize + lineSize > maxChunkSize && currentChunk.length > 0) {
       chunks.push(currentChunk.join('\n'));
       currentChunk = [];
       currentSize = 0;
     }
-    
+
     currentChunk.push(line);
     currentSize += lineSize;
   }
-  
+
   // Don't forget the last chunk
   if (currentChunk.length > 0) {
     chunks.push(currentChunk.join('\n'));
   }
-  
+
   return chunks;
 }
 
@@ -329,11 +339,11 @@ function splitIntoChunks(content: string, maxChunkSize: number): string[] {
  * Deduplicate questions by comparing normalized text
  */
 function deduplicateQuestions(
-  questions: { question: string; answer: string | null }[]
+  questions: { question: string; answer: string | null }[],
 ): { question: string; answer: string | null }[] {
   const seen = new Set<string>();
   const unique: { question: string; answer: string | null }[] = [];
-  
+
   for (const q of questions) {
     // Normalize: lowercase, remove extra spaces, remove numbering prefix
     const normalized = q.question
@@ -341,13 +351,13 @@ function deduplicateQuestions(
       .replace(/^\d+\.\d+\s*/, '') // Remove "1.1 " prefix
       .replace(/\s+/g, ' ')
       .trim();
-    
+
     if (!seen.has(normalized)) {
       seen.add(normalized);
       unique.push(q);
     }
   }
-  
+
   return unique;
 }
 
@@ -359,10 +369,12 @@ async function parseQuestionsWithClaude(
   logger: ContentExtractionLogger,
 ): Promise<{ question: string; answer: string | null }[]> {
   const startTime = Date.now();
-  
+
   try {
-    logger.info('Starting Claude parsing...', { contentLength: content.length });
-    
+    logger.info('Starting Claude parsing...', {
+      contentLength: content.length,
+    });
+
     const { object } = await generateObject({
       model: anthropic('claude-3-5-sonnet-latest'),
       schema: questionExtractionSchema,
@@ -370,24 +382,28 @@ async function parseQuestionsWithClaude(
       prompt: QUESTION_PROMPT + content.substring(0, 80000),
     });
 
-    const result = object as { questions: { question: string; answer: string | null }[] };
-    
+    const result = object as {
+      questions: { question: string; answer: string | null }[];
+    };
+
     logger.info('Claude parsing complete', {
       questionCount: result.questions?.length || 0,
       durationMs: Date.now() - startTime,
       model: 'claude-3-5-sonnet',
     });
 
-    return (result.questions || []).map(q => ({
-      question: q.question?.trim() || '',
-      answer: q.answer?.trim() || null,
-    })).filter(q => q.question);
+    return (result.questions || [])
+      .map((q) => ({
+        question: q.question?.trim() || '',
+        answer: q.answer?.trim() || null,
+      }))
+      .filter((q) => q.question);
   } catch (error) {
     logger.error('Claude parsing failed, trying OpenAI', {
       error: error instanceof Error ? error.message : 'Unknown',
       durationMs: Date.now() - startTime,
     });
-    
+
     // Fallback to OpenAI
     return parseQuestionsWithOpenAI(content, logger);
   }
@@ -401,7 +417,7 @@ async function parseQuestionsWithOpenAI(
   logger: ContentExtractionLogger,
 ): Promise<{ question: string; answer: string | null }[]> {
   const startTime = Date.now();
-  
+
   const { object } = await generateObject({
     model: openai('gpt-4o-mini'),
     schema: questionExtractionSchema,
@@ -419,17 +435,21 @@ Match each to its response if provided. Set answer to null if empty.
 ${content.substring(0, 80000)}`,
   });
 
-  const result = object as { questions: { question: string; answer: string | null }[] };
+  const result = object as {
+    questions: { question: string; answer: string | null }[];
+  };
 
   logger.info('OpenAI parsing complete', {
     questionCount: result.questions?.length || 0,
     durationMs: Date.now() - startTime,
   });
 
-  return (result.questions || []).map(q => ({
-    question: q.question?.trim() || '',
-    answer: q.answer?.trim() || null,
-  })).filter(q => q.question);
+  return (result.questions || [])
+    .map((q) => ({
+      question: q.question?.trim() || '',
+      answer: q.answer?.trim() || null,
+    }))
+    .filter((q) => q.question);
 }
 
 /**
@@ -441,7 +461,7 @@ async function parseQuestionsWithVision(
   logger: ContentExtractionLogger,
 ): Promise<{ question: string; answer: string | null }[]> {
   const startTime = Date.now();
-  
+
   const { object } = await generateObject({
     model: openai('gpt-4o'),
     schema: questionExtractionSchema,
@@ -471,17 +491,21 @@ Match each to its response if provided. Set answer to null if empty.`,
     ],
   });
 
-  const result = object as { questions: { question: string; answer: string | null }[] };
+  const result = object as {
+    questions: { question: string; answer: string | null }[];
+  };
 
   logger.info('Vision parsing complete', {
     questionCount: result.questions?.length || 0,
     durationMs: Date.now() - startTime,
   });
 
-  return (result.questions || []).map(q => ({
-    question: q.question?.trim() || '',
-    answer: q.answer?.trim() || null,
-  })).filter(q => q.question);
+  return (result.questions || [])
+    .map((q) => ({
+      question: q.question?.trim() || '',
+      answer: q.answer?.trim() || null,
+    }))
+    .filter((q) => q.question);
 }
 
 // File type detection helpers
@@ -522,31 +546,31 @@ function extractSharedStrings(fileBuffer: Buffer): string[] {
   try {
     const zip = new AdmZip(fileBuffer);
     const sharedStringsEntry = zip.getEntry('xl/sharedStrings.xml');
-    
+
     if (!sharedStringsEntry) {
       return [];
     }
-    
+
     const content = sharedStringsEntry.getData().toString('utf8');
     const strings: string[] = [];
-    
+
     // Match all <si>...</si> (string item) elements
     const siMatches = content.match(/<si>[\s\S]*?<\/si>/g) || [];
-    
+
     for (const si of siMatches) {
       // Extract text from both <t>...</t> and <d:t>...</d:t> (or any namespace:t)
       const textMatches = si.match(/<[^>]*:?t[^>]*>([^<]*)<\/[^>]*:?t>/g) || [];
-      
+
       let fullText = '';
       for (const match of textMatches) {
         // Extract just the text content between tags
         const textContent = match.replace(/<[^>]*>/g, '');
         fullText += textContent;
       }
-      
+
       strings.push(fullText.trim());
     }
-    
+
     return strings;
   } catch {
     return [];
@@ -589,11 +613,11 @@ function extractSheetData(
 
     // Check if this is a shared string cell (t="s")
     const isSharedString = /t="s"/.test(cellXml);
-    
+
     // Extract value
     let value = '';
     const vMatch = cellXml.match(/<v>([^<]*)<\/v>/);
-    
+
     if (vMatch) {
       if (isSharedString) {
         // Shared string reference - look up in our extracted strings
@@ -613,7 +637,7 @@ function extractSheetData(
   // Convert to 2D array
   const maxRow = Math.max(...Array.from(rows.keys()), 0);
   const result: string[][] = [];
-  
+
   for (let r = 0; r <= maxRow; r++) {
     const row: string[] = [];
     const rowData = rows.get(r);
@@ -641,7 +665,7 @@ function extractFromExcelStandard(
     const jsonData = XLSX.utils.sheet_to_json(worksheet, {
       header: 1,
       defval: '',
-    }) as unknown[][];
+    });
 
     if (jsonData.length === 0) continue;
 
@@ -654,9 +678,15 @@ function extractFromExcelStandard(
       const row = jsonData[i];
       if (!Array.isArray(row)) continue;
       const rowLower = row.map((cell) => String(cell).toLowerCase().trim());
-      const headerKeywords = ['question', 'response', 'answer', 'comment', 'attachment'];
+      const headerKeywords = [
+        'question',
+        'response',
+        'answer',
+        'comment',
+        'attachment',
+      ];
       const matchCount = headerKeywords.filter((kw) =>
-        rowLower.some((cell) => cell.includes(kw))
+        rowLower.some((cell) => cell.includes(kw)),
       ).length;
 
       if (matchCount >= 2) {
@@ -672,7 +702,7 @@ function extractFromExcelStandard(
       if (!Array.isArray(row)) continue;
 
       const cells = row.map((cell) =>
-        cell !== null && cell !== undefined ? String(cell).trim() : ''
+        cell !== null && cell !== undefined ? String(cell).trim() : '',
       );
       const hasContent = cells.some((cell) => cell !== '');
       if (!hasContent) continue;
@@ -722,13 +752,13 @@ function extractFromExcel(
   logger.info('Processing Excel file', { fileType, fileSizeMB });
 
   let result = '';
-  
+
   try {
     // First try: Custom XML parser (handles rich text with namespace prefixes)
     const zip = new AdmZip(fileBuffer);
     const sharedStrings = extractSharedStrings(fileBuffer);
-    
-    logger.info('Extracted shared strings', { 
+
+    logger.info('Extracted shared strings', {
       count: sharedStrings.length,
     });
 
@@ -738,7 +768,7 @@ function extractFromExcel(
     for (let sheetIdx = 0; sheetIdx < workbook.SheetNames.length; sheetIdx++) {
       const sheetName = workbook.SheetNames[sheetIdx];
       const rows = extractSheetData(zip, sheetIdx, sharedStrings);
-      
+
       if (rows.length === 0) continue;
 
       const formattedRows: string[] = [];
@@ -748,9 +778,15 @@ function extractFromExcel(
       // Find header row
       for (let i = 0; i < Math.min(10, rows.length); i++) {
         const rowLower = rows[i].map((cell) => cell.toLowerCase());
-        const headerKeywords = ['question', 'response', 'answer', 'comment', 'attachment'];
+        const headerKeywords = [
+          'question',
+          'response',
+          'answer',
+          'comment',
+          'attachment',
+        ];
         const matchCount = headerKeywords.filter((kw) =>
-          rowLower.some((cell) => cell.includes(kw))
+          rowLower.some((cell) => cell.includes(kw)),
         ).length;
 
         if (matchCount >= 2) {
@@ -800,7 +836,9 @@ function extractFromExcel(
 
     // If custom parser returned empty/minimal content, try standard library
     if (result.length < 100) {
-      logger.info('Custom parser returned minimal content, trying standard library');
+      logger.info(
+        'Custom parser returned minimal content, trying standard library',
+      );
       result = extractFromExcelStandard(fileBuffer, logger);
     }
   } catch (error) {
@@ -881,4 +919,3 @@ async function extractFromVision(
     );
   }
 }
-
diff --git a/apps/api/src/questionnaire/utils/export-generator.ts b/apps/api/src/questionnaire/utils/export-generator.ts
index f5d27b7fc..9485cc638 100644
--- a/apps/api/src/questionnaire/utils/export-generator.ts
+++ b/apps/api/src/questionnaire/utils/export-generator.ts
@@ -139,4 +139,3 @@ export function generatePDF(
 
   return Buffer.from(doc.output('arraybuffer'));
 }
-
diff --git a/apps/api/src/questionnaire/utils/question-parser.ts b/apps/api/src/questionnaire/utils/question-parser.ts
index e2cb4bc18..b90972772 100644
--- a/apps/api/src/questionnaire/utils/question-parser.ts
+++ b/apps/api/src/questionnaire/utils/question-parser.ts
@@ -58,11 +58,14 @@ export async function parseQuestionsAndAnswers(
     return parseChunkQuestionsAndAnswers(chunkInfos[0].content, 0, 1);
   }
 
-  logger.info('Chunking content by individual questions for parallel processing', {
-    contentLength: content.length,
-    totalChunks: chunkInfos.length,
-    questionsPerChunk: 1,
-  });
+  logger.info(
+    'Chunking content by individual questions for parallel processing',
+    {
+      contentLength: content.length,
+      totalChunks: chunkInfos.length,
+      questionsPerChunk: 1,
+    },
+  );
 
   // Process all chunks in parallel for maximum speed
   const parseStartTime = Date.now();
@@ -129,7 +132,8 @@ export async function parseChunkQuestionsAndAnswers(
                 question: { type: 'string', description: 'The question text' },
                 answer: {
                   anyOf: [{ type: 'string' }, { type: 'null' }],
-                  description: 'The answer to the question. Use null if no answer is provided.',
+                  description:
+                    'The answer to the question. Use null if no answer is provided.',
                 },
               },
               required: ['question'],
@@ -152,16 +156,22 @@ export async function parseChunkQuestionsAndAnswers(
 
     // Post-process to ensure empty strings are converted to null
     return parsed
-      .filter((qa) => qa && typeof qa.question === 'string' && qa.question.trim())
+      .filter(
+        (qa) => qa && typeof qa.question === 'string' && qa.question.trim(),
+      )
       .map((qa) => ({
         question: qa.question.trim(),
-        answer: qa.answer && typeof qa.answer === 'string' && qa.answer.trim() !== '' 
-          ? qa.answer.trim() 
-          : null,
+        answer:
+          qa.answer && typeof qa.answer === 'string' && qa.answer.trim() !== ''
+            ? qa.answer.trim()
+            : null,
       }));
   } catch (error) {
     // Log error but don't fail the entire parsing
-    console.error(`Error parsing chunk ${chunkIndex + 1}/${totalChunks}:`, error);
+    console.error(
+      `Error parsing chunk ${chunkIndex + 1}/${totalChunks}:`,
+      error,
+    );
     return [];
   }
 }
@@ -324,4 +334,3 @@ export function estimateQuestionCount(text: string): number {
   // Fallback heuristic: assume roughly one question per 1200 chars
   return Math.max(1, Math.floor(text.length / 1200));
 }
-
diff --git a/apps/api/src/questionnaire/utils/questionnaire-storage.ts b/apps/api/src/questionnaire/utils/questionnaire-storage.ts
index 846595011..cd547b57e 100644
--- a/apps/api/src/questionnaire/utils/questionnaire-storage.ts
+++ b/apps/api/src/questionnaire/utils/questionnaire-storage.ts
@@ -27,7 +27,9 @@ const defaultLogger: StorageLogger = {
 /**
  * Updates the answered questions count for a questionnaire
  */
-export async function updateAnsweredCount(questionnaireId: string): Promise<void> {
+export async function updateAnsweredCount(
+  questionnaireId: string,
+): Promise<void> {
   const answeredCount = await db.questionnaireQuestionAnswer.count({
     where: {
       questionnaireId,
@@ -119,7 +121,7 @@ export async function uploadQuestionnaireFile(params: {
   if (!s3Client) {
     throw new Error('S3 client not configured for questionnaire uploads');
   }
-  
+
   const bucket = APP_AWS_QUESTIONNAIRE_UPLOAD_BUCKET || BUCKET_NAME;
   if (!bucket) {
     throw new Error(
@@ -206,4 +208,3 @@ export async function saveGeneratedAnswer(params: {
 
   await updateAnsweredCount(params.questionnaireId);
 }
-
diff --git a/apps/api/src/soa/soa.service.ts b/apps/api/src/soa/soa.service.ts
index c61f6f205..828e18940 100644
--- a/apps/api/src/soa/soa.service.ts
+++ b/apps/api/src/soa/soa.service.ts
@@ -145,27 +145,27 @@ export class SOAService {
     if (!configuration) return;
 
     const questions = configuration.questions as unknown as SOAQuestion[];
-      const updatedQuestions = questions.map((q) => {
+    const updatedQuestions = questions.map((q) => {
       if (q.id === questionId) {
-          return {
-            ...q,
-            columnMapping: {
-              ...q.columnMapping,
-              isApplicable:
+        return {
+          ...q,
+          columnMapping: {
+            ...q.columnMapping,
+            isApplicable:
               isApplicable !== undefined
                 ? isApplicable
-                  : q.columnMapping.isApplicable,
-              justification:
+                : q.columnMapping.isApplicable,
+            justification:
               justification !== undefined
                 ? justification
-                  : q.columnMapping.justification,
-            },
-          };
-        }
-        return q;
-      });
+                : q.columnMapping.justification,
+          },
+        };
+      }
+      return q;
+    });
 
-      await db.sOAFrameworkConfiguration.update({
+    await db.sOAFrameworkConfiguration.update({
       where: { id: configurationId },
       data: { questions: JSON.parse(JSON.stringify(updatedQuestions)) },
     });
@@ -483,7 +483,11 @@ export class SOAService {
     totalQuestions: number,
     answeredCount: number,
   ): Promise<void> {
-    return updateDocumentAfterAutoFill(documentId, totalQuestions, answeredCount);
+    return updateDocumentAfterAutoFill(
+      documentId,
+      totalQuestions,
+      answeredCount,
+    );
   }
 
   // Private helper methods
diff --git a/apps/api/src/soa/utils/constants.ts b/apps/api/src/soa/utils/constants.ts
index 91487b2e1..5fa5db876 100644
--- a/apps/api/src/soa/utils/constants.ts
+++ b/apps/api/src/soa/utils/constants.ts
@@ -69,10 +69,7 @@ CRITICAL RULES - YOU MUST FOLLOW THESE STRICTLY:
 /**
  * Builds the SOA question prompt for a given control
  */
-export function buildSOAQuestionPrompt(
-  title: string,
-  text: string,
-): string {
+export function buildSOAQuestionPrompt(title: string, text: string): string {
   return `Analyze the control "${title}" (${text}) for our organization.
 
 Based EXCLUSIVELY on our organization's policies, documentation, business context, and operations, determine:
@@ -124,4 +121,3 @@ export function isInsufficientDataAnswer(answer: string): boolean {
     upperAnswer.includes(indicator),
   );
 }
-
diff --git a/apps/api/src/soa/utils/soa-answer-generator.ts b/apps/api/src/soa/utils/soa-answer-generator.ts
index 306bdfe36..da75ff3c5 100644
--- a/apps/api/src/soa/utils/soa-answer-generator.ts
+++ b/apps/api/src/soa/utils/soa-answer-generator.ts
@@ -1,8 +1,14 @@
-import { findSimilarContent, findSimilarContentBatch } from '@/vector-store/lib';
+import {
+  findSimilarContent,
+  findSimilarContentBatch,
+} from '@/vector-store/lib';
 import type { SimilarContentResult } from '@/vector-store/lib';
 import { openai } from '@ai-sdk/openai';
 import { generateText } from 'ai';
-import { deduplicateSources, type Source } from '@/questionnaire/utils/deduplicate-sources';
+import {
+  deduplicateSources,
+  type Source,
+} from '@/questionnaire/utils/deduplicate-sources';
 import {
   SOA_RAG_MODEL,
   SOA_BATCH_MODEL,
@@ -32,9 +38,11 @@ const defaultLogger: SOAAnswerLogger = {
 /**
  * Extracts source information from similar content results and deduplicates them
  */
-function extractAndDeduplicateSources(similarContent: SimilarContentResult[]): Source[] {
+function extractAndDeduplicateSources(
+  similarContent: SimilarContentResult[],
+): Source[] {
   const sourcesBeforeDedup = similarContent.map((result) => {
-    const r = result as SimilarContentResult;
+    const r = result;
     let sourceName: string | undefined;
 
     if (r.policyName) {
@@ -62,9 +70,11 @@ function extractAndDeduplicateSources(similarContent: SimilarContentResult[]): S
 /**
  * Builds context string from similar content for LLM prompt
  */
-function buildContextFromContent(similarContent: SimilarContentResult[]): string {
+function buildContextFromContent(
+  similarContent: SimilarContentResult[],
+): string {
   const contextParts = similarContent.map((result, index) => {
-    const r = result as SimilarContentResult;
+    const r = result;
     let sourceInfo = '';
 
     if (r.policyName) {
@@ -266,4 +276,3 @@ export async function batchSearchSOAQuestions(
 
   return contentMap;
 }
-
diff --git a/apps/api/src/soa/utils/soa-answer-parser.ts b/apps/api/src/soa/utils/soa-answer-parser.ts
index ab85e77e4..bd3e57aee 100644
--- a/apps/api/src/soa/utils/soa-answer-parser.ts
+++ b/apps/api/src/soa/utils/soa-answer-parser.ts
@@ -1,4 +1,7 @@
-import { isInsufficientDataAnswer, FULLY_REMOTE_JUSTIFICATION } from './constants';
+import {
+  isInsufficientDataAnswer,
+  FULLY_REMOTE_JUSTIFICATION,
+} from './constants';
 
 export interface SOAQuestionResult {
   questionId: string;
@@ -148,8 +151,7 @@ export function parseAndProcessSOAAnswer(
   // Parse isApplicable
   const isApplicableText = parsedAnswer.isApplicable.toUpperCase();
   const isApplicable =
-    isApplicableText.includes('YES') ||
-    isApplicableText.includes('APPLICABLE');
+    isApplicableText.includes('YES') || isApplicableText.includes('APPLICABLE');
   const isNotApplicable =
     isApplicableText.includes('NO') ||
     isApplicableText.includes('NOT APPLICABLE');
@@ -186,4 +188,3 @@ export function parseAndProcessSOAAnswer(
     insufficientData: false,
   };
 }
-
diff --git a/apps/api/src/soa/utils/soa-storage.ts b/apps/api/src/soa/utils/soa-storage.ts
index 5fbcde573..f36fa621d 100644
--- a/apps/api/src/soa/utils/soa-storage.ts
+++ b/apps/api/src/soa/utils/soa-storage.ts
@@ -42,9 +42,7 @@ export async function saveAnswersToDatabase(
         },
       });
 
-      const nextVersion = existingAnswer
-        ? existingAnswer.answerVersion + 1
-        : 1;
+      const nextVersion = existingAnswer ? existingAnswer.answerVersion + 1 : 1;
 
       // Mark existing answer as not latest if it exists
       if (existingAnswer) {
@@ -219,4 +217,3 @@ export async function checkIfFullyRemote(
     return false;
   }
 }
-
diff --git a/apps/api/src/trigger/integration-platform/run-connection-checks.ts b/apps/api/src/trigger/integration-platform/run-connection-checks.ts
new file mode 100644
index 000000000..e99904bd6
--- /dev/null
+++ b/apps/api/src/trigger/integration-platform/run-connection-checks.ts
@@ -0,0 +1,263 @@
+import { getManifest, runAllChecks } from '@comp/integration-platform';
+import { db } from '@db';
+import { logger, task } from '@trigger.dev/sdk';
+
+/**
+ * Trigger task that runs all checks for a connection.
+ * Used for auto-running checks after a connection is established.
+ */
+export const runConnectionChecks = task({
+  id: 'run-connection-checks',
+  maxDuration: 1000 * 60 * 15, // 15 minutes
+  retry: {
+    maxAttempts: 3,
+    factor: 2,
+    minTimeoutInMs: 1000,
+    maxTimeoutInMs: 30_000,
+  },
+  run: async (payload: {
+    connectionId: string;
+    organizationId: string;
+    providerSlug: string;
+  }) => {
+    const { connectionId, organizationId, providerSlug } = payload;
+
+    logger.info(`Auto-running checks for connection ${connectionId}`, {
+      provider: providerSlug,
+      organizationId,
+    });
+
+    const manifest = getManifest(providerSlug);
+
+    if (!manifest) {
+      logger.error(`Manifest not found for provider: ${providerSlug}`);
+      return { success: false, error: `Manifest not found: ${providerSlug}` };
+    }
+
+    if (!manifest.checks || manifest.checks.length === 0) {
+      logger.info(`No checks defined for provider: ${providerSlug}`);
+      return { success: true, reason: 'No checks defined' };
+    }
+
+    // Get connection
+    const connection = await db.integrationConnection.findUnique({
+      where: { id: connectionId },
+    });
+
+    if (!connection || connection.status !== 'active') {
+      logger.error(`Connection not found or inactive: ${connectionId}`);
+      return { success: false, error: 'Connection not found or inactive' };
+    }
+
+    // Check if all required variables are configured
+    const requiredVariables = new Set<string>();
+    for (const check of manifest.checks) {
+      if (check.variables) {
+        for (const variable of check.variables) {
+          if (variable.required) {
+            requiredVariables.add(variable.id);
+          }
+        }
+      }
+    }
+
+    const configuredVariables =
+      (connection.variables as Record<string, unknown>) || {};
+    const missingVariables: string[] = [];
+
+    for (const requiredVar of requiredVariables) {
+      const value = configuredVariables[requiredVar];
+      if (value === undefined || value === null || value === '') {
+        missingVariables.push(requiredVar);
+      }
+      if (Array.isArray(value) && value.length === 0) {
+        missingVariables.push(requiredVar);
+      }
+    }
+
+    if (missingVariables.length > 0) {
+      logger.info(
+        `Skipping auto-run: missing required variables: ${missingVariables.join(', ')}`,
+      );
+      return {
+        success: true,
+        reason: `Missing required variables: ${missingVariables.join(', ')}`,
+      };
+    }
+
+    // Ensure we have valid credentials
+    const apiUrl = process.env.BASE_URL || 'http://localhost:3333';
+    let credentials: Record<string, string>;
+
+    try {
+      logger.info('Ensuring valid credentials...');
+      const response = await fetch(
+        `${apiUrl}/v1/integrations/connections/${connectionId}/ensure-valid-credentials?organizationId=${organizationId}`,
+        {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+        },
+      );
+
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        const errorMessage =
+          (errorData as { message?: string }).message ||
+          `Failed to get valid credentials: ${response.status}`;
+        logger.error(errorMessage);
+        return { success: false, error: errorMessage };
+      }
+
+      const result = (await response.json()) as {
+        success: boolean;
+        credentials: Record<string, string>;
+      };
+      credentials = result.credentials;
+    } catch (error) {
+      logger.error('Failed to ensure valid credentials', {
+        error: error instanceof Error ? error.message : String(error),
+      });
+      return { success: false, error: 'Failed to validate credentials' };
+    }
+
+    // Validate credentials based on auth type
+    if (manifest.auth.type === 'oauth2' && !credentials.access_token) {
+      logger.error(
+        `No OAuth access token found for connection: ${connectionId}`,
+      );
+      return { success: false, error: 'No OAuth access token found' };
+    }
+
+    if (
+      manifest.auth.type === 'custom' &&
+      Object.keys(credentials).length === 0
+    ) {
+      logger.error(
+        `No credentials found for custom integration: ${connectionId}`,
+      );
+      return { success: false, error: 'No credentials found' };
+    }
+
+    const variables =
+      (connection.variables as Record<
+        string,
+        string | number | boolean | string[] | undefined
+      >) || {};
+
+    // Create a check run record
+    const checkRun = await db.integrationCheckRun.create({
+      data: {
+        connectionId,
+        checkId: 'all',
+        checkName: 'All Checks (Auto)',
+        status: 'running',
+        startedAt: new Date(),
+      },
+    });
+
+    let totalFindings = 0;
+    let totalPassing = 0;
+
+    try {
+      // Run all checks
+      const result = await runAllChecks({
+        manifest,
+        accessToken: credentials.access_token ?? undefined,
+        credentials,
+        variables,
+        connectionId,
+        organizationId,
+        logger: {
+          info: (msg, data) => logger.info(msg, data),
+          warn: (msg, data) => logger.warn(msg, data),
+          error: (msg, data) => logger.error(msg, data),
+        },
+      });
+
+      totalFindings = result.totalFindings;
+      totalPassing = result.totalPassing;
+
+      logger.info(
+        `Checks completed: ${totalFindings} findings, ${totalPassing} passing`,
+      );
+
+      // Store results
+      const resultsToStore = result.results.flatMap((checkResult) => [
+        ...checkResult.result.findings.map((finding) => ({
+          checkRunId: checkRun.id,
+          passed: false,
+          title: finding.title,
+          description: finding.description || '',
+          resourceType: finding.resourceType,
+          resourceId: finding.resourceId,
+          severity: finding.severity,
+          remediation: finding.remediation,
+          evidence: JSON.parse(JSON.stringify(finding.evidence || {})),
+        })),
+        ...checkResult.result.passingResults.map((passing) => ({
+          checkRunId: checkRun.id,
+          passed: true,
+          title: passing.title,
+          description: passing.description || '',
+          resourceType: passing.resourceType,
+          resourceId: passing.resourceId,
+          severity: 'info' as const,
+          remediation: undefined,
+          evidence: JSON.parse(JSON.stringify(passing.evidence || {})),
+        })),
+      ]);
+
+      if (resultsToStore.length > 0) {
+        await db.integrationCheckResult.createMany({ data: resultsToStore });
+      }
+
+      // Update check run status
+      const startTime = checkRun.startedAt?.getTime() ?? Date.now();
+      await db.integrationCheckRun.update({
+        where: { id: checkRun.id },
+        data: {
+          status: totalFindings > 0 ? 'failed' : 'success',
+          completedAt: new Date(),
+          durationMs: Date.now() - startTime,
+          totalChecked: result.results.length,
+          passedCount: totalPassing,
+          failedCount: totalFindings,
+        },
+      });
+
+      // Update connection's lastSyncAt
+      await db.integrationConnection.update({
+        where: { id: connectionId },
+        data: { lastSyncAt: new Date() },
+      });
+
+      return {
+        success: true,
+        checkRunId: checkRun.id,
+        totalPassing,
+        totalFindings,
+      };
+    } catch (error) {
+      logger.error('Check execution failed', {
+        error: error instanceof Error ? error.message : String(error),
+      });
+
+      // Mark check run as failed
+      const errorStartTime = checkRun.startedAt?.getTime() ?? Date.now();
+      await db.integrationCheckRun.update({
+        where: { id: checkRun.id },
+        data: {
+          status: 'failed',
+          completedAt: new Date(),
+          durationMs: Date.now() - errorStartTime,
+          errorMessage: error instanceof Error ? error.message : String(error),
+        },
+      });
+
+      return {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  },
+});
diff --git a/apps/api/src/trigger/integration-platform/run-integration-checks-schedule.ts b/apps/api/src/trigger/integration-platform/run-integration-checks-schedule.ts
new file mode 100644
index 000000000..4751b3ca7
--- /dev/null
+++ b/apps/api/src/trigger/integration-platform/run-integration-checks-schedule.ts
@@ -0,0 +1,140 @@
+import { getManifest } from '@comp/integration-platform';
+import { db } from '@db';
+import { logger, schedules } from '@trigger.dev/sdk';
+import { runTaskIntegrationChecks } from './run-task-integration-checks';
+
+/**
+ * Daily scheduled task (orchestrator) that finds all tasks with integration checks
+ * and triggers individual check runs for each.
+ */
+export const integrationChecksSchedule = schedules.task({
+  id: 'integration-checks-schedule',
+  cron: '0 6 * * *', // Daily at 6:00 AM UTC
+  maxDuration: 1000 * 60 * 60, // 1 hour
+  run: async (payload) => {
+    logger.info('Starting daily integration checks orchestrator', {
+      scheduledAt: payload.timestamp,
+      lastRun: payload.lastTimestamp,
+    });
+
+    // Get all active integration connections
+    const activeConnections = await db.integrationConnection.findMany({
+      where: { status: 'active' },
+      include: {
+        provider: true,
+        organization: {
+          select: { id: true, name: true },
+        },
+      },
+    });
+
+    if (activeConnections.length === 0) {
+      logger.info('No active integration connections found');
+      return { success: true, tasksTriggered: 0 };
+    }
+
+    logger.info(`Found ${activeConnections.length} active connections`);
+
+    // For each connection, find tasks that have checks mapped to them
+    const tasksToRun: Array<{
+      taskId: string;
+      taskTitle: string;
+      connectionId: string;
+      providerSlug: string;
+      organizationId: string;
+      checkIds: string[];
+    }> = [];
+
+    for (const connection of activeConnections) {
+      const manifest = getManifest(connection.provider.slug);
+
+      if (!manifest?.checks || manifest.checks.length === 0) {
+        continue;
+      }
+
+      // Get task template IDs that this integration's checks map to
+      const taskTemplateIds = manifest.checks
+        .map((c) => c.taskMapping)
+        .filter((id): id is NonNullable<typeof id> => !!id);
+
+      if (taskTemplateIds.length === 0) {
+        continue;
+      }
+
+      // Find tasks in this org that match these templates
+      const tasks = await db.task.findMany({
+        where: {
+          organizationId: connection.organizationId,
+          taskTemplateId: { in: taskTemplateIds as string[] },
+        },
+        select: {
+          id: true,
+          title: true,
+          taskTemplateId: true,
+        },
+      });
+
+      for (const t of tasks) {
+        // Find which checks apply to this task
+        const checksForTask = manifest.checks
+          .filter((c) => c.taskMapping === t.taskTemplateId)
+          .map((c) => c.id);
+
+        if (checksForTask.length > 0) {
+          tasksToRun.push({
+            taskId: t.id,
+            taskTitle: t.title,
+            connectionId: connection.id,
+            providerSlug: connection.provider.slug,
+            organizationId: connection.organizationId,
+            checkIds: checksForTask,
+          });
+        }
+      }
+    }
+
+    if (tasksToRun.length === 0) {
+      logger.info('No tasks with mapped integration checks found');
+      return { success: true, tasksTriggered: 0 };
+    }
+
+    logger.info(
+      `Found ${tasksToRun.length} tasks with integration checks to run`,
+    );
+
+    // Trigger in batches of 500
+    const BATCH_SIZE = 500;
+    const triggerPayloads = tasksToRun.map((t) => ({ payload: t }));
+    let totalTriggered = 0;
+
+    try {
+      for (let i = 0; i < triggerPayloads.length; i += BATCH_SIZE) {
+        const batch = triggerPayloads.slice(i, i + BATCH_SIZE);
+        await runTaskIntegrationChecks.batchTrigger(batch);
+        totalTriggered += batch.length;
+
+        logger.info(
+          `Triggered batch ${Math.floor(i / BATCH_SIZE) + 1}: ${batch.length} tasks`,
+        );
+      }
+
+      logger.info(`Triggered ${totalTriggered} task integration check runs`);
+
+      return {
+        success: true,
+        tasksTriggered: totalTriggered,
+      };
+    } catch (error) {
+      logger.error('Failed to trigger task integration checks', {
+        error: error instanceof Error ? error.message : String(error),
+        triggeredBeforeError: totalTriggered,
+      });
+
+      return {
+        success: false,
+        tasksTriggered: totalTriggered,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  },
+});
diff --git a/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts b/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts
new file mode 100644
index 000000000..c9945b617
--- /dev/null
+++ b/apps/api/src/trigger/integration-platform/run-task-integration-checks.ts
@@ -0,0 +1,299 @@
+import { getManifest, runAllChecks } from '@comp/integration-platform';
+import { db } from '@db';
+import { logger, task } from '@trigger.dev/sdk';
+
+/**
+ * Worker task that runs integration checks for a single task.
+ * Triggered by the orchestrator (integration-checks-schedule).
+ */
+export const runTaskIntegrationChecks = task({
+  id: 'run-task-integration-checks',
+  maxDuration: 1000 * 60 * 15, // 15 minutes per task
+  run: async (payload: {
+    taskId: string;
+    taskTitle: string;
+    connectionId: string;
+    providerSlug: string;
+    organizationId: string;
+    checkIds: string[];
+  }) => {
+    const {
+      taskId,
+      taskTitle,
+      connectionId,
+      providerSlug,
+      organizationId,
+      checkIds,
+    } = payload;
+
+    logger.info(`Running integration checks for task "${taskTitle}"`, {
+      taskId,
+      connectionId,
+      provider: providerSlug,
+      checkCount: checkIds.length,
+    });
+
+    const manifest = getManifest(providerSlug);
+
+    if (!manifest) {
+      logger.error(`Manifest not found for provider: ${providerSlug}`);
+      return { success: false, error: `Manifest not found: ${providerSlug}` };
+    }
+
+    // Get connection
+    const connection = await db.integrationConnection.findUnique({
+      where: { id: connectionId },
+    });
+
+    if (!connection || connection.status !== 'active') {
+      logger.error(`Connection not found or inactive: ${connectionId}`);
+      return { success: false, error: 'Connection not found or inactive' };
+    }
+
+    // Ensure we have valid credentials (refresh OAuth tokens if needed)
+    const apiUrl = process.env.BASE_URL || 'http://localhost:3333';
+    let credentials: Record<string, string>;
+
+    try {
+      logger.info('Ensuring valid credentials (refreshing if needed)...');
+      const response = await fetch(
+        `${apiUrl}/v1/integrations/connections/${connectionId}/ensure-valid-credentials?organizationId=${organizationId}`,
+        {
+          method: 'POST',
+          headers: {
+            'Content-Type': 'application/json',
+          },
+        },
+      );
+
+      if (!response.ok) {
+        const errorData = await response.json().catch(() => ({}));
+        const errorMessage =
+          (errorData as { message?: string }).message ||
+          `Failed to get valid credentials: ${response.status}`;
+        logger.error(errorMessage);
+
+        // If unauthorized, mark connection as error
+        if (response.status === 401) {
+          await db.integrationConnection.update({
+            where: { id: connectionId },
+            data: {
+              status: 'error',
+              errorMessage:
+                'OAuth token expired. Please reconnect the integration.',
+            },
+          });
+        }
+
+        return { success: false, error: errorMessage };
+      }
+
+      const result = (await response.json()) as {
+        success: boolean;
+        credentials: Record<string, string>;
+      };
+      credentials = result.credentials;
+      logger.info('Credentials validated successfully');
+    } catch (error) {
+      logger.error('Failed to ensure valid credentials', {
+        error: error instanceof Error ? error.message : String(error),
+      });
+      return { success: false, error: 'Failed to validate credentials' };
+    }
+
+    // Validate credentials based on auth type
+    if (manifest.auth.type === 'oauth2' && !credentials.access_token) {
+      logger.error(
+        `No OAuth access token found for connection: ${connectionId}`,
+      );
+      return {
+        success: false,
+        error: 'No OAuth access token found. Please reconnect.',
+      };
+    }
+
+    if (
+      manifest.auth.type === 'custom' &&
+      Object.keys(credentials).length === 0
+    ) {
+      logger.error(
+        `No credentials found for custom integration: ${connectionId}`,
+      );
+      return {
+        success: false,
+        error: 'No credentials found for custom integration',
+      };
+    }
+
+    const variables =
+      (connection.variables as Record<
+        string,
+        string | number | boolean | string[] | undefined
+      >) || {};
+
+    // Track overall results across all checks for this task
+    let totalFindings = 0;
+    let totalPassing = 0;
+
+    // Run only the checks that apply to this task
+    try {
+      for (const checkId of checkIds) {
+        const result = await runAllChecks({
+          manifest,
+          accessToken: credentials.access_token ?? undefined,
+          credentials,
+          variables,
+          connectionId,
+          organizationId,
+          checkId, // Run specific check
+          logger: {
+            info: (msg, data) => logger.info(msg, data),
+            warn: (msg, data) => logger.warn(msg, data),
+            error: (msg, data) => logger.error(msg, data),
+          },
+        });
+
+        const checkResult = result.results[0];
+        if (!checkResult) continue;
+
+        // Accumulate results
+        totalFindings += checkResult.result.findings.length;
+        totalPassing += checkResult.result.passingResults.length;
+
+        // Store check run
+        const checkRun = await db.integrationCheckRun.create({
+          data: {
+            connectionId,
+            taskId,
+            checkId: checkResult.checkId,
+            checkName: checkResult.checkName,
+            status:
+              checkResult.status === 'error' ? 'failed' : checkResult.status,
+            startedAt: new Date(),
+            completedAt: new Date(),
+            durationMs: checkResult.durationMs,
+            totalChecked:
+              checkResult.result.summary?.totalChecked ||
+              checkResult.result.passingResults.length +
+                checkResult.result.findings.length,
+            passedCount: checkResult.result.passingResults.length,
+            failedCount: checkResult.result.findings.length,
+            errorMessage: checkResult.error,
+            logs: JSON.parse(JSON.stringify(checkResult.result.logs)),
+          },
+        });
+
+        // Store individual results
+        const resultsToStore = [
+          ...checkResult.result.passingResults.map((r) => ({
+            checkRunId: checkRun.id,
+            passed: true,
+            resourceType: r.resourceType,
+            resourceId: r.resourceId,
+            title: r.title,
+            description: r.description,
+            evidence: r.evidence
+              ? JSON.parse(JSON.stringify(r.evidence))
+              : undefined,
+          })),
+          ...checkResult.result.findings.map((f) => ({
+            checkRunId: checkRun.id,
+            passed: false,
+            resourceType: f.resourceType,
+            resourceId: f.resourceId,
+            title: f.title,
+            description: f.description,
+            severity: f.severity,
+            remediation: f.remediation,
+            evidence: f.evidence
+              ? JSON.parse(JSON.stringify(f.evidence))
+              : undefined,
+          })),
+        ];
+
+        if (resultsToStore.length > 0) {
+          await db.integrationCheckResult.createMany({ data: resultsToStore });
+        }
+
+        logger.info(`Completed check ${checkId} for task ${taskId}`, {
+          passed: checkResult.result.passingResults.length,
+          findings: checkResult.result.findings.length,
+        });
+      }
+
+      // Update connection's lastSyncAt
+      await db.integrationConnection.update({
+        where: { id: connectionId },
+        data: { lastSyncAt: new Date() },
+      });
+
+      // Update task status based on check results
+      // If any findings (failures), mark as failed
+      // If all passing and no findings, mark as done (only if not already done)
+      if (totalFindings > 0) {
+        await db.task.update({
+          where: { id: taskId },
+          data: { status: 'failed' },
+        });
+        logger.info(
+          `Task ${taskId} marked as failed due to ${totalFindings} findings`,
+        );
+      } else if (totalPassing > 0) {
+        // Only update to done if not already done
+        const currentTask = await db.task.findUnique({
+          where: { id: taskId },
+          select: { status: true, frequency: true },
+        });
+        if (currentTask && currentTask.status !== 'done') {
+          // Calculate next review date based on frequency
+          let reviewDate: Date | undefined;
+          if (currentTask.frequency) {
+            reviewDate = new Date();
+            switch (currentTask.frequency) {
+              case 'monthly':
+                reviewDate.setMonth(reviewDate.getMonth() + 1);
+                break;
+              case 'quarterly':
+                reviewDate.setMonth(reviewDate.getMonth() + 3);
+                break;
+              case 'yearly':
+                reviewDate.setFullYear(reviewDate.getFullYear() + 1);
+                break;
+            }
+          }
+
+          await db.task.update({
+            where: { id: taskId },
+            data: {
+              status: 'done',
+              ...(reviewDate ? { reviewDate } : {}),
+            },
+          });
+          logger.info(
+            `Task ${taskId} marked as done - all ${totalPassing} checks passed${reviewDate ? `, next review: ${reviewDate.toISOString()}` : ''}`,
+          );
+        }
+      }
+
+      return {
+        success: true,
+        taskId,
+        checksRun: checkIds.length,
+        totalPassing,
+        totalFindings,
+        taskStatus:
+          totalFindings > 0 ? 'failed' : totalPassing > 0 ? 'done' : null,
+      };
+    } catch (error) {
+      logger.error(`Failed to run checks for task ${taskId}`, {
+        error: error instanceof Error ? error.message : String(error),
+      });
+
+      return {
+        success: false,
+        taskId,
+        error: error instanceof Error ? error.message : String(error),
+      };
+    }
+  },
+});
diff --git a/apps/api/src/trigger/integration-platform/sync-employees-schedule.ts b/apps/api/src/trigger/integration-platform/sync-employees-schedule.ts
new file mode 100644
index 000000000..a4f63c803
--- /dev/null
+++ b/apps/api/src/trigger/integration-platform/sync-employees-schedule.ts
@@ -0,0 +1,274 @@
+import { getManifest } from '@comp/integration-platform';
+import { db } from '@db';
+import { logger, schedules } from '@trigger.dev/sdk';
+
+const API_BASE_URL = process.env.BASE_URL || 'http://localhost:3333';
+
+/**
+ * Scheduled task that syncs employees from connected integrations.
+ * Runs daily at 7 AM UTC.
+ */
+export const syncEmployeesSchedule = schedules.task({
+  id: 'sync-employees-schedule',
+  cron: '0 7 * * *', // Daily at 7:00 AM UTC
+  maxDuration: 1000 * 60 * 30, // 30 minutes
+  run: async (payload) => {
+    logger.info('Starting scheduled employee sync', {
+      scheduledAt: payload.timestamp,
+      lastRun: payload.lastTimestamp,
+    });
+
+    // Find all organizations that have selected an employee sync provider
+    const orgsWithSyncProvider = await db.organization.findMany({
+      where: {
+        employeeSyncProvider: { not: null },
+      },
+      select: {
+        id: true,
+        name: true,
+        employeeSyncProvider: true,
+      },
+    });
+
+    if (orgsWithSyncProvider.length === 0) {
+      logger.info('No organizations have selected an employee sync provider');
+      return { success: true, syncsTriggered: 0, results: [] };
+    }
+
+    // Find the matching active connections for each org's selected provider
+    const syncConnections: Array<{
+      id: string;
+      organizationId: string;
+      provider: { slug: string };
+      organization: { id: string; name: string };
+    }> = [];
+
+    for (const org of orgsWithSyncProvider) {
+      const connection = await db.integrationConnection.findFirst({
+        where: {
+          organizationId: org.id,
+          status: 'active',
+          provider: {
+            slug: org.employeeSyncProvider!,
+          },
+        },
+        include: {
+          provider: true,
+          organization: {
+            select: { id: true, name: true },
+          },
+        },
+      });
+
+      if (connection) {
+        const manifest = getManifest(connection.provider.slug);
+        if (manifest?.capabilities?.includes('sync')) {
+          syncConnections.push(connection);
+        }
+      } else {
+        logger.warn(
+          `Organization ${org.name} has sync provider ${org.employeeSyncProvider} but no active connection`,
+        );
+      }
+    }
+
+    if (syncConnections.length === 0) {
+      logger.info('No valid sync connections found for selected providers');
+      return { success: true, syncsTriggered: 0, results: [] };
+    }
+
+    logger.info(
+      `Found ${syncConnections.length} organizations with valid sync connections`,
+    );
+
+    const results: Array<{
+      connectionId: string;
+      providerSlug: string;
+      organizationId: string;
+      organizationName: string;
+      success: boolean;
+      imported?: number;
+      reactivated?: number;
+      deactivated?: number;
+      skipped?: number;
+      error?: string;
+    }> = [];
+
+    // Process each sync connection
+    for (const conn of syncConnections) {
+      const providerSlug = conn.provider.slug;
+
+      logger.info(`Syncing ${providerSlug} for org ${conn.organization.name}`, {
+        connectionId: conn.id,
+        organizationId: conn.organizationId,
+      });
+
+      try {
+        // Call the appropriate sync endpoint based on provider
+        const syncResult = await syncProvider({
+          providerSlug,
+          connectionId: conn.id,
+          organizationId: conn.organizationId,
+        });
+
+        results.push({
+          connectionId: conn.id,
+          providerSlug,
+          organizationId: conn.organizationId,
+          organizationName: conn.organization.name,
+          success: true,
+          imported: syncResult.imported,
+          reactivated: syncResult.reactivated,
+          deactivated: syncResult.deactivated,
+          skipped: syncResult.skipped,
+        });
+
+        logger.info(`Sync completed for ${providerSlug}`, {
+          connectionId: conn.id,
+          imported: syncResult.imported,
+          reactivated: syncResult.reactivated,
+          deactivated: syncResult.deactivated,
+        });
+      } catch (error) {
+        const errorMessage =
+          error instanceof Error ? error.message : String(error);
+
+        results.push({
+          connectionId: conn.id,
+          providerSlug,
+          organizationId: conn.organizationId,
+          organizationName: conn.organization.name,
+          success: false,
+          error: errorMessage,
+        });
+
+        logger.error(`Sync failed for ${providerSlug}`, {
+          connectionId: conn.id,
+          error: errorMessage,
+        });
+      }
+    }
+
+    const successCount = results.filter((r) => r.success).length;
+    const failureCount = results.filter((r) => !r.success).length;
+
+    logger.info('Employee sync schedule completed', {
+      total: results.length,
+      success: successCount,
+      failed: failureCount,
+    });
+
+    return {
+      success: failureCount === 0,
+      syncsTriggered: results.length,
+      successCount,
+      failureCount,
+      results,
+    };
+  },
+});
+
+interface SyncProviderParams {
+  providerSlug: string;
+  connectionId: string;
+  organizationId: string;
+}
+
+interface SyncResult {
+  success: boolean;
+  imported: number;
+  reactivated: number;
+  deactivated: number;
+  skipped: number;
+  errors: number;
+}
+
+async function syncProvider(params: SyncProviderParams): Promise<SyncResult> {
+  const { providerSlug, connectionId, organizationId } = params;
+
+  // Route to appropriate sync endpoint based on provider
+  switch (providerSlug) {
+    case 'google-workspace':
+      return syncGoogleWorkspace({ connectionId, organizationId });
+
+    case 'rippling':
+      return syncRippling({ connectionId, organizationId });
+
+    default:
+      throw new Error(`No sync handler for provider: ${providerSlug}`);
+  }
+}
+
+async function syncGoogleWorkspace({
+  connectionId,
+  organizationId,
+}: {
+  connectionId: string;
+  organizationId: string;
+}): Promise<SyncResult> {
+  const url = new URL(
+    `${API_BASE_URL}/v1/integrations/sync/google-workspace/employees`,
+  );
+  url.searchParams.set('organizationId', organizationId);
+  url.searchParams.set('connectionId', connectionId);
+
+  const response = await fetch(url.toString(), {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const errorBody = await response.text();
+    throw new Error(
+      `Google Workspace sync failed: ${response.status} - ${errorBody}`,
+    );
+  }
+
+  const data = await response.json();
+  return {
+    success: data.success,
+    imported: data.imported || 0,
+    reactivated: data.reactivated || 0,
+    deactivated: data.deactivated || 0,
+    skipped: data.skipped || 0,
+    errors: data.errors || 0,
+  };
+}
+
+async function syncRippling({
+  connectionId,
+  organizationId,
+}: {
+  connectionId: string;
+  organizationId: string;
+}): Promise<SyncResult> {
+  const url = new URL(
+    `${API_BASE_URL}/v1/integrations/sync/rippling/employees`,
+  );
+  url.searchParams.set('organizationId', organizationId);
+  url.searchParams.set('connectionId', connectionId);
+
+  const response = await fetch(url.toString(), {
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+  });
+
+  if (!response.ok) {
+    const errorBody = await response.text();
+    throw new Error(`Rippling sync failed: ${response.status} - ${errorBody}`);
+  }
+
+  const data = await response.json();
+  return {
+    success: data.success,
+    imported: data.imported || 0,
+    reactivated: data.reactivated || 0,
+    deactivated: data.deactivated || 0,
+    skipped: data.skipped || 0,
+    errors: data.errors || 0,
+  };
+}
diff --git a/apps/api/src/questionnaire/vendors/answer-question-helpers.ts b/apps/api/src/trigger/questionnaire/answer-question-helpers.ts
similarity index 93%
rename from apps/api/src/questionnaire/vendors/answer-question-helpers.ts
rename to apps/api/src/trigger/questionnaire/answer-question-helpers.ts
index 05f437e1c..87323fb8d 100644
--- a/apps/api/src/questionnaire/vendors/answer-question-helpers.ts
+++ b/apps/api/src/trigger/questionnaire/answer-question-helpers.ts
@@ -1,10 +1,19 @@
-import { findSimilarContent, findSimilarContentBatch } from '@/vector-store/lib';
+import {
+  findSimilarContent,
+  findSimilarContentBatch,
+} from '@/vector-store/lib';
 import type { SimilarContentResult } from '@/vector-store/lib';
 import { openai } from '@ai-sdk/openai';
 import { logger } from '@trigger.dev/sdk';
 import { generateText } from 'ai';
-import { deduplicateSources, type Source } from '@/questionnaire/utils/deduplicate-sources';
-import { ANSWER_MODEL, ANSWER_SYSTEM_PROMPT } from '@/questionnaire/utils/constants';
+import {
+  deduplicateSources,
+  type Source,
+} from '@/questionnaire/utils/deduplicate-sources';
+import {
+  ANSWER_MODEL,
+  ANSWER_SYSTEM_PROMPT,
+} from '@/questionnaire/utils/constants';
 
 export interface AnswerWithSources {
   answer: string | null;
@@ -18,11 +27,13 @@ export interface AnswerWithSources {
 /**
  * Extracts source information from similar content results and deduplicates them
  */
-function extractAndDeduplicateSources(similarContent: SimilarContentResult[]): Source[] {
+function extractAndDeduplicateSources(
+  similarContent: SimilarContentResult[],
+): Source[] {
   const sourcesBeforeDedup = similarContent.map((result) => {
-    const r = result as SimilarContentResult;
+    const r = result;
     let sourceName: string | undefined;
-    
+
     if (r.policyName) {
       sourceName = `Policy: ${r.policyName}`;
     } else if (r.contextQuestion) {
@@ -50,11 +61,13 @@ function extractAndDeduplicateSources(similarContent: SimilarContentResult[]): S
 /**
  * Builds context string from similar content for LLM prompt
  */
-function buildContextFromContent(similarContent: SimilarContentResult[]): string {
+function buildContextFromContent(
+  similarContent: SimilarContentResult[],
+): string {
   const contextParts = similarContent.map((result, index) => {
-    const r = result as SimilarContentResult;
+    const r = result;
     let sourceInfo = '';
-    
+
     if (r.policyName) {
       sourceInfo = `Source: Policy "${r.policyName}"`;
     } else if (r.contextQuestion) {
@@ -216,7 +229,10 @@ export async function generateAnswerWithRAGBatch(
 
     // Step 1: Find similar content for ALL questions at once (batch embeddings)
     const searchStartTime = Date.now();
-    const allSimilarContent = await findSimilarContentBatch(questions, organizationId);
+    const allSimilarContent = await findSimilarContentBatch(
+      questions,
+      organizationId,
+    );
     const searchTime = Date.now() - searchStartTime;
 
     logger.info('Batch search completed', {
diff --git a/apps/api/src/questionnaire/vendors/answer-question.ts b/apps/api/src/trigger/questionnaire/answer-question.ts
similarity index 100%
rename from apps/api/src/questionnaire/vendors/answer-question.ts
rename to apps/api/src/trigger/questionnaire/answer-question.ts
diff --git a/apps/api/src/questionnaire/vendors/parse-questionnaire.ts b/apps/api/src/trigger/questionnaire/parse-questionnaire.ts
similarity index 92%
rename from apps/api/src/questionnaire/vendors/parse-questionnaire.ts
rename to apps/api/src/trigger/questionnaire/parse-questionnaire.ts
index 82ab04808..fe2b2a552 100644
--- a/apps/api/src/questionnaire/vendors/parse-questionnaire.ts
+++ b/apps/api/src/trigger/questionnaire/parse-questionnaire.ts
@@ -4,8 +4,14 @@ import { db } from '@db';
 import { logger, task } from '@trigger.dev/sdk';
 
 // Import shared utilities
-import { extractContentFromFile, type ContentExtractionLogger } from '@/questionnaire/utils/content-extractor';
-import { parseQuestionsAndAnswers, type QuestionAnswer } from '@/questionnaire/utils/question-parser';
+import {
+  extractContentFromFile,
+  type ContentExtractionLogger,
+} from '@/questionnaire/utils/content-extractor';
+import {
+  parseQuestionsAndAnswers,
+  type QuestionAnswer,
+} from '@/questionnaire/utils/question-parser';
 
 // Adapter to convert Trigger.dev logger to ContentExtractionLogger interface
 const triggerLogger: ContentExtractionLogger = {
@@ -172,7 +178,11 @@ async function extractContentFromAttachment(
     response.ContentType ||
     (attachment.type === 'image' ? 'image/png' : 'application/pdf');
 
-  const content = await extractContentFromFile(base64Data, fileType, triggerLogger);
+  const content = await extractContentFromFile(
+    base64Data,
+    fileType,
+    triggerLogger,
+  );
 
   return { content, fileType };
 }
@@ -215,7 +225,11 @@ async function extractContentFromS3Key(
   const detectedFileType =
     response.ContentType || fileType || 'application/octet-stream';
 
-  const content = await extractContentFromFile(base64Data, detectedFileType, triggerLogger);
+  const content = await extractContentFromFile(
+    base64Data,
+    detectedFileType,
+    triggerLogger,
+  );
 
   return { content, fileType: detectedFileType };
 }
@@ -249,7 +263,9 @@ export const parseQuestionnaireTask = task({
       switch (payload.inputType) {
         case 'file': {
           if (!payload.fileData || !payload.fileType) {
-            throw new Error('File data and file type are required for file input');
+            throw new Error(
+              'File data and file type are required for file input',
+            );
           }
           extractedContent = await extractContentFromFile(
             payload.fileData,
@@ -342,12 +358,14 @@ export const parseQuestionnaireTask = task({
             totalQuestions: questionsAndAnswers.length,
             answeredQuestions: 0,
             questions: {
-              create: questionsAndAnswers.map((qa: QuestionAnswer, index: number) => ({
-                question: qa.question,
-                answer: qa.answer || null,
-                questionIndex: index,
-                status: qa.answer ? 'generated' : 'untouched',
-              })),
+              create: questionsAndAnswers.map(
+                (qa: QuestionAnswer, index: number) => ({
+                  question: qa.question,
+                  answer: qa.answer || null,
+                  questionIndex: index,
+                  status: qa.answer ? 'generated' : 'untouched',
+                }),
+              ),
             },
           },
         });
diff --git a/apps/api/src/vector-store/jobs/delete-all-manual-answers-orchestrator.ts b/apps/api/src/trigger/vector-store/delete-all-manual-answers-orchestrator.ts
similarity index 100%
rename from apps/api/src/vector-store/jobs/delete-all-manual-answers-orchestrator.ts
rename to apps/api/src/trigger/vector-store/delete-all-manual-answers-orchestrator.ts
diff --git a/apps/api/src/vector-store/jobs/delete-knowledge-base-document.ts b/apps/api/src/trigger/vector-store/delete-knowledge-base-document.ts
similarity index 100%
rename from apps/api/src/vector-store/jobs/delete-knowledge-base-document.ts
rename to apps/api/src/trigger/vector-store/delete-knowledge-base-document.ts
diff --git a/apps/api/src/vector-store/jobs/delete-manual-answer.ts b/apps/api/src/trigger/vector-store/delete-manual-answer.ts
similarity index 100%
rename from apps/api/src/vector-store/jobs/delete-manual-answer.ts
rename to apps/api/src/trigger/vector-store/delete-manual-answer.ts
diff --git a/apps/api/src/vector-store/jobs/helpers/extract-content-from-file.ts b/apps/api/src/trigger/vector-store/helpers/extract-content-from-file.ts
similarity index 99%
rename from apps/api/src/vector-store/jobs/helpers/extract-content-from-file.ts
rename to apps/api/src/trigger/vector-store/helpers/extract-content-from-file.ts
index 9565b5ebd..6c8784a11 100644
--- a/apps/api/src/vector-store/jobs/helpers/extract-content-from-file.ts
+++ b/apps/api/src/trigger/vector-store/helpers/extract-content-from-file.ts
@@ -1,4 +1,4 @@
-import { logger } from '../../logger';
+import { logger } from '@/vector-store/logger';
 import { openai } from '@ai-sdk/openai';
 import { generateText } from 'ai';
 import * as XLSX from 'xlsx';
diff --git a/apps/api/src/vector-store/jobs/process-knowledge-base-document.ts b/apps/api/src/trigger/vector-store/process-knowledge-base-document.ts
similarity index 100%
rename from apps/api/src/vector-store/jobs/process-knowledge-base-document.ts
rename to apps/api/src/trigger/vector-store/process-knowledge-base-document.ts
diff --git a/apps/api/src/vector-store/jobs/process-knowledge-base-documents-orchestrator.ts b/apps/api/src/trigger/vector-store/process-knowledge-base-documents-orchestrator.ts
similarity index 100%
rename from apps/api/src/vector-store/jobs/process-knowledge-base-documents-orchestrator.ts
rename to apps/api/src/trigger/vector-store/process-knowledge-base-documents-orchestrator.ts
diff --git a/apps/api/src/trust-portal/trust-access.controller.ts b/apps/api/src/trust-portal/trust-access.controller.ts
index 7e4afec7a..38e752685 100644
--- a/apps/api/src/trust-portal/trust-access.controller.ts
+++ b/apps/api/src/trust-portal/trust-access.controller.ts
@@ -380,7 +380,8 @@ export class TrustAccessController {
   @ApiQuery({
     name: 'query',
     required: false,
-    description: 'Query parameter to append to the access link (e.g., security-questionnaire)',
+    description:
+      'Query parameter to append to the access link (e.g., security-questionnaire)',
     example: 'security-questionnaire',
   })
   @ApiResponse({
@@ -443,7 +444,8 @@ export class TrustAccessController {
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
     summary: 'List compliance resources by access token',
-    description: 'Get list of uploaded compliance certificates for the organization',
+    description:
+      'Get list of uploaded compliance certificates for the organization',
   })
   @ApiResponse({
     status: HttpStatus.OK,
@@ -457,7 +459,8 @@ export class TrustAccessController {
   @HttpCode(HttpStatus.OK)
   @ApiOperation({
     summary: 'Download compliance resource by access token',
-    description: 'Get signed URL to download a specific compliance certificate file',
+    description:
+      'Get signed URL to download a specific compliance certificate file',
   })
   @ApiParam({
     name: 'framework',
diff --git a/apps/api/src/trust-portal/trust-access.service.ts b/apps/api/src/trust-portal/trust-access.service.ts
index 7311b2c8f..7280ccc29 100644
--- a/apps/api/src/trust-portal/trust-access.service.ts
+++ b/apps/api/src/trust-portal/trust-access.service.ts
@@ -964,7 +964,9 @@ export class TrustAccessService {
     };
   }
 
-  async validateAccessTokenAndGetOrganizationId(token: string): Promise<string> {
+  async validateAccessTokenAndGetOrganizationId(
+    token: string,
+  ): Promise<string> {
     const grant = await this.validateAccessToken(token);
     return grant.accessRequest.organizationId;
   }
diff --git a/apps/api/src/utils/sse-utils.ts b/apps/api/src/utils/sse-utils.ts
index 42c11fe22..3e0d10ad8 100644
--- a/apps/api/src/utils/sse-utils.ts
+++ b/apps/api/src/utils/sse-utils.ts
@@ -58,4 +58,3 @@ export function setupSSEHeaders(res: Response): void {
   res.setHeader('X-Content-Type-Options', 'nosniff');
   (res as Response & { flushHeaders?: () => void }).flushHeaders?.();
 }
-
diff --git a/apps/api/src/vector-store/lib/core/find-existing-embeddings.ts b/apps/api/src/vector-store/lib/core/find-existing-embeddings.ts
index 705c689bc..1976fcb6f 100644
--- a/apps/api/src/vector-store/lib/core/find-existing-embeddings.ts
+++ b/apps/api/src/vector-store/lib/core/find-existing-embeddings.ts
@@ -38,7 +38,11 @@ export async function findEmbeddingsForSource(
 
     // Strategy 4: Query with documentName (for knowledge_base_document only)
     if (sourceType === 'knowledge_base_document' && documentName) {
-      const results = await executeVectorQuery(documentName, filter, 'documentName');
+      const results = await executeVectorQuery(
+        documentName,
+        filter,
+        'documentName',
+      );
       addToResultsMap(allResults, results);
     }
 
@@ -83,7 +87,10 @@ async function runBasicQueryStrategies(
   const queries = [
     { text: filter.organizationId, strategyName: 'organizationId' },
     { text: filter.sourceId, strategyName: 'sourceId' },
-    { text: `${filter.organizationId} ${filter.sourceId}`, strategyName: 'combined' },
+    {
+      text: `${filter.organizationId} ${filter.sourceId}`,
+      strategyName: 'combined',
+    },
   ];
 
   for (const { text, strategyName } of queries) {
@@ -108,13 +115,21 @@ async function runChunkContentQueryStrategy(
     // Query with chunk content
     if (chunkData.content && chunkData.content.length > 50) {
       const contentQuery = chunkData.content.substring(0, 200);
-      const results = await executeVectorQuery(contentQuery, filter, 'chunkContent');
+      const results = await executeVectorQuery(
+        contentQuery,
+        filter,
+        'chunkContent',
+      );
       addToResultsMap(resultsMap, results);
     }
 
     // Query with filename from chunk metadata
     if (chunkData.documentName && chunkData.documentName.length > 0) {
-      const results = await executeVectorQuery(chunkData.documentName, filter, 'chunkFilename');
+      const results = await executeVectorQuery(
+        chunkData.documentName,
+        filter,
+        'chunkFilename',
+      );
       addToResultsMap(resultsMap, results);
     }
   }
@@ -158,7 +173,12 @@ export async function findAllOrganizationEmbeddings(
     });
 
     // Filter by organizationId and valid source types
-    const validSourceTypes = ['policy', 'context', 'manual_answer', 'knowledge_base_document'];
+    const validSourceTypes = [
+      'policy',
+      'context',
+      'manual_answer',
+      'knowledge_base_document',
+    ];
     const orgResults = results
       .filter((result) => {
         const metadata = result.metadata as Record<string, unknown> | undefined;
diff --git a/apps/api/src/vector-store/lib/core/find-similar.ts b/apps/api/src/vector-store/lib/core/find-similar.ts
index 6d8c889a2..ff4d7d9af 100644
--- a/apps/api/src/vector-store/lib/core/find-similar.ts
+++ b/apps/api/src/vector-store/lib/core/find-similar.ts
@@ -1,5 +1,8 @@
 import { vectorIndex } from './client';
-import { generateEmbedding, batchGenerateEmbeddings } from './generate-embedding';
+import {
+  generateEmbedding,
+  batchGenerateEmbeddings,
+} from './generate-embedding';
 import { logger } from '../../logger';
 
 export interface SimilarContentResult {
@@ -90,9 +93,13 @@ export async function findSimilarContent(
       topK: MAX_TOP_K,
       totalResults: results.length,
       filteredResults: filteredResults.length,
-      scoreRange: filteredResults.length > 0
-        ? { min: filteredResults[filteredResults.length - 1]?.score, max: filteredResults[0]?.score }
-        : null,
+      scoreRange:
+        filteredResults.length > 0
+          ? {
+              min: filteredResults[filteredResults.length - 1]?.score,
+              max: filteredResults[0]?.score,
+            }
+          : null,
     });
 
     return filteredResults;
@@ -179,7 +186,9 @@ export async function findSimilarContentBatch(
     const queryTime = Date.now() - queryStartTime;
 
     // Step 3: Filter and map results for each question
-    const allFilteredResults: SimilarContentResult[][] = questions.map(() => []);
+    const allFilteredResults: SimilarContentResult[][] = questions.map(
+      () => [],
+    );
 
     for (const { index, results } of queryResults) {
       const filtered = results
diff --git a/apps/api/src/vector-store/lib/core/query-helpers.ts b/apps/api/src/vector-store/lib/core/query-helpers.ts
index afdc1a9a9..ba938ccd1 100644
--- a/apps/api/src/vector-store/lib/core/query-helpers.ts
+++ b/apps/api/src/vector-store/lib/core/query-helpers.ts
@@ -71,7 +71,7 @@ export function filterAndMapResults(
     ) {
       filtered.push({
         id: String(result.id),
-        sourceId: (metadata?.sourceId as string) || '',
+        sourceId: metadata?.sourceId || '',
         sourceType: metadata?.sourceType as SourceType,
         updatedAt: metadata?.updatedAt as string | undefined,
       });
@@ -149,4 +149,3 @@ export const GENERIC_DOCUMENT_QUERIES = [
   'knowledge base document',
   'file content text',
 ];
-
diff --git a/apps/api/src/vector-store/lib/index.ts b/apps/api/src/vector-store/lib/index.ts
index 1f0243d20..8d9837d45 100644
--- a/apps/api/src/vector-store/lib/index.ts
+++ b/apps/api/src/vector-store/lib/index.ts
@@ -1,6 +1,9 @@
 // Core functionality
 export { vectorIndex } from './core/client';
-export { generateEmbedding, batchGenerateEmbeddings } from './core/generate-embedding';
+export {
+  generateEmbedding,
+  batchGenerateEmbeddings,
+} from './core/generate-embedding';
 export {
   findSimilarContent,
   findSimilarContentBatch,
diff --git a/apps/api/src/vector-store/lib/sync/sync-context.ts b/apps/api/src/vector-store/lib/sync/sync-context.ts
index 7adcc462f..375723a30 100644
--- a/apps/api/src/vector-store/lib/sync/sync-context.ts
+++ b/apps/api/src/vector-store/lib/sync/sync-context.ts
@@ -23,7 +23,9 @@ interface ContextData {
 /**
  * Fetch all context entries for an organization
  */
-export async function fetchContextEntries(organizationId: string): Promise<ContextData[]> {
+export async function fetchContextEntries(
+  organizationId: string,
+): Promise<ContextData[]> {
   return db.context.findMany({
     where: { organizationId },
     select: {
@@ -107,7 +109,11 @@ export async function syncContextEntries(
       batch.map(async (context) => {
         try {
           const contextEmbeddings = existingEmbeddingsMap.get(context.id) || [];
-          const result = await syncSingleContext(context, contextEmbeddings, organizationId);
+          const result = await syncSingleContext(
+            context,
+            contextEmbeddings,
+            organizationId,
+          );
 
           if (result === 'created') stats.created++;
           else if (result === 'updated') stats.updated++;
@@ -130,4 +136,3 @@ export async function syncContextEntries(
 
   return stats;
 }
-
diff --git a/apps/api/src/vector-store/lib/sync/sync-knowledge-base.ts b/apps/api/src/vector-store/lib/sync/sync-knowledge-base.ts
index b70471e3a..9284fbcbb 100644
--- a/apps/api/src/vector-store/lib/sync/sync-knowledge-base.ts
+++ b/apps/api/src/vector-store/lib/sync/sync-knowledge-base.ts
@@ -1,6 +1,9 @@
 import { db } from '@db';
 import { vectorIndex } from '../core/client';
-import { findEmbeddingsForSource, type ExistingEmbedding } from '../core/find-existing-embeddings';
+import {
+  findEmbeddingsForSource,
+  type ExistingEmbedding,
+} from '../core/find-existing-embeddings';
 import { logger } from '../../logger';
 import {
   extractContentFromS3Document,
@@ -53,7 +56,9 @@ async function updateDocumentStatus(
       where: { id: documentId },
       data: {
         processingStatus: status,
-        ...(status === 'completed' || status === 'failed' ? { processedAt: new Date() } : {}),
+        ...(status === 'completed' || status === 'failed'
+          ? { processedAt: new Date() }
+          : {}),
       },
     });
   } catch (error) {
@@ -113,10 +118,15 @@ async function processSingleDocument(
   await updateDocumentStatus(document.id, 'processing');
 
   // Extract content from S3
-  const content = await extractContentFromS3Document(document.s3Key, document.fileType);
+  const content = await extractContentFromS3Document(
+    document.s3Key,
+    document.fileType,
+  );
 
   if (!content || content.trim().length === 0) {
-    logger.warn('No content extracted from document', { documentId: document.id });
+    logger.warn('No content extracted from document', {
+      documentId: document.id,
+    });
     await updateDocumentStatus(document.id, 'failed');
     return 'failed';
   }
@@ -184,7 +194,10 @@ export async function syncKnowledgeBaseDocuments(
     count: allDocuments.length,
   });
 
-  const documentsToProcess = filterDocumentsToProcess(allDocuments, existingEmbeddingsMap);
+  const documentsToProcess = filterDocumentsToProcess(
+    allDocuments,
+    existingEmbeddingsMap,
+  );
 
   const stats = initSyncStats(allDocuments.length);
   stats.skipped = allDocuments.length - documentsToProcess.length;
@@ -223,4 +236,3 @@ export async function syncKnowledgeBaseDocuments(
 
   return stats;
 }
-
diff --git a/apps/api/src/vector-store/lib/sync/sync-organization.ts b/apps/api/src/vector-store/lib/sync/sync-organization.ts
index 0e42a669b..fd6521470 100644
--- a/apps/api/src/vector-store/lib/sync/sync-organization.ts
+++ b/apps/api/src/vector-store/lib/sync/sync-organization.ts
@@ -8,7 +8,10 @@ import { batchUpsertEmbeddings } from '../core/upsert-embedding';
 import { logger } from '../../logger';
 import { syncPolicies, fetchPolicies } from './sync-policies';
 import { syncContextEntries, fetchContextEntries } from './sync-context';
-import { syncKnowledgeBaseDocuments, fetchKnowledgeBaseDocuments } from './sync-knowledge-base';
+import {
+  syncKnowledgeBaseDocuments,
+  fetchKnowledgeBaseDocuments,
+} from './sync-knowledge-base';
 
 /**
  * Lock map to prevent concurrent syncs for the same organization
@@ -19,7 +22,9 @@ const syncLocks = new Map<string, Promise<void>>();
  * Full resync of organization embeddings
  * Uses a lock mechanism to prevent concurrent syncs for the same organization.
  */
-export async function syncOrganizationEmbeddings(organizationId: string): Promise<void> {
+export async function syncOrganizationEmbeddings(
+  organizationId: string,
+): Promise<void> {
   if (!organizationId || organizationId.trim().length === 0) {
     logger.warn('Invalid organizationId provided for sync');
     return;
@@ -28,7 +33,9 @@ export async function syncOrganizationEmbeddings(organizationId: string): Promis
   // Check if sync is already in progress
   const existingSync = syncLocks.get(organizationId);
   if (existingSync) {
-    logger.info('Sync already in progress, waiting for completion', { organizationId });
+    logger.info('Sync already in progress, waiting for completion', {
+      organizationId,
+    });
     return existingSync;
   }
 
@@ -53,11 +60,14 @@ export async function syncOrganizationEmbeddings(organizationId: string): Promis
  * Internal function that performs the actual sync operation
  */
 async function performSync(organizationId: string): Promise<void> {
-  logger.info('Starting incremental organization embeddings sync', { organizationId });
+  logger.info('Starting incremental organization embeddings sync', {
+    organizationId,
+  });
 
   try {
     // Step 1: Fetch all existing embeddings once
-    const existingEmbeddings = await findAllOrganizationEmbeddings(organizationId);
+    const existingEmbeddings =
+      await findAllOrganizationEmbeddings(organizationId);
     logger.info('Fetched existing embeddings', {
       organizationId,
       totalSources: existingEmbeddings.size,
@@ -67,16 +77,28 @@ async function performSync(organizationId: string): Promise<void> {
     const policyStats = await syncPolicies(organizationId, existingEmbeddings);
 
     // Step 3: Sync context entries
-    const contextStats = await syncContextEntries(organizationId, existingEmbeddings);
+    const contextStats = await syncContextEntries(
+      organizationId,
+      existingEmbeddings,
+    );
 
     // Step 4: Sync manual answers
-    const manualAnswerStats = await syncManualAnswers(organizationId, existingEmbeddings);
+    const manualAnswerStats = await syncManualAnswers(
+      organizationId,
+      existingEmbeddings,
+    );
 
     // Step 5: Sync Knowledge Base documents
-    const kbDocStats = await syncKnowledgeBaseDocuments(organizationId, existingEmbeddings);
+    const kbDocStats = await syncKnowledgeBaseDocuments(
+      organizationId,
+      existingEmbeddings,
+    );
 
     // Step 6: Delete orphaned embeddings
-    const orphanedDeleted = await deleteOrphanedEmbeddings(organizationId, existingEmbeddings);
+    const orphanedDeleted = await deleteOrphanedEmbeddings(
+      organizationId,
+      existingEmbeddings,
+    );
 
     logger.info('Incremental organization embeddings sync completed', {
       organizationId,
@@ -86,15 +108,15 @@ async function performSync(organizationId: string): Promise<void> {
       knowledgeBaseDocuments: kbDocStats,
       orphanedDeleted,
     });
-              } catch (error) {
+  } catch (error) {
     logger.error('Failed to sync organization embeddings', {
       organizationId,
       error: error instanceof Error ? error.message : 'Unknown error',
       errorStack: error instanceof Error ? error.stack : undefined,
     });
     throw error;
-              }
-            }
+  }
+}
 
 /**
  * Sync manual answers for an organization
@@ -102,72 +124,77 @@ async function performSync(organizationId: string): Promise<void> {
 async function syncManualAnswers(
   organizationId: string,
   existingEmbeddings: Map<string, ExistingEmbedding[]>,
-): Promise<{ created: number; updated: number; skipped: number; total: number }> {
-    const manualAnswers = await db.securityQuestionnaireManualAnswer.findMany({
-      where: { organizationId },
-      select: {
-        id: true,
-        question: true,
-        answer: true,
-        updatedAt: true,
-      },
-    });
-
-    logger.info('Syncing manual answers', {
-      organizationId,
-      count: manualAnswers.length,
-    });
+): Promise<{
+  created: number;
+  updated: number;
+  skipped: number;
+  total: number;
+}> {
+  const manualAnswers = await db.securityQuestionnaireManualAnswer.findMany({
+    where: { organizationId },
+    select: {
+      id: true,
+      question: true,
+      answer: true,
+      updatedAt: true,
+    },
+  });
+
+  logger.info('Syncing manual answers', {
+    organizationId,
+    count: manualAnswers.length,
+  });
 
   let created = 0;
   let updated = 0;
   let skipped = 0;
 
-    if (manualAnswers.length > 0) {
+  if (manualAnswers.length > 0) {
     const itemsToUpsert = manualAnswers
-        .map((ma) => {
-          const embeddingId = `manual_answer_${ma.id}`;
-          const text = `${ma.question}\n\n${ma.answer}`;
-          const updatedAt = ma.updatedAt.toISOString();
+      .map((ma) => {
+        const embeddingId = `manual_answer_${ma.id}`;
+        const text = `${ma.question}\n\n${ma.answer}`;
+        const updatedAt = ma.updatedAt.toISOString();
 
         const existing = existingEmbeddings.get(ma.id) || [];
-          const needsUpdate =
+        const needsUpdate =
           existing.length === 0 || existing[0]?.updatedAt !== updatedAt;
 
-          if (!needsUpdate) {
+        if (!needsUpdate) {
           skipped++;
           return null;
-          }
+        }
 
         if (existing.length === 0) created++;
         else updated++;
 
-          return {
-            id: embeddingId,
-            text,
-            metadata: {
-              organizationId,
-              sourceType: 'manual_answer' as const,
-              sourceId: ma.id,
-              content: text,
+        return {
+          id: embeddingId,
+          text,
+          metadata: {
+            organizationId,
+            sourceType: 'manual_answer' as const,
+            sourceId: ma.id,
+            content: text,
             manualAnswerQuestion: ma.question,
-              updatedAt,
-            },
-          };
-        })
-        .filter((item): item is NonNullable<typeof item> => item !== null);
+            updatedAt,
+          },
+        };
+      })
+      .filter((item): item is NonNullable<typeof item> => item !== null);
 
     if (itemsToUpsert.length > 0) {
       await batchUpsertEmbeddings(itemsToUpsert);
-      }
     }
+  }
 
-    logger.info('Manual answers sync completed', {
-      organizationId,
+  logger.info('Manual answers sync completed', {
+    organizationId,
     created,
     updated,
     skipped,
-      total: manualAnswers.length,
-    });
+    total: manualAnswers.length,
+  });
 
   return { created, updated, skipped, total: manualAnswers.length };
 }
@@ -180,51 +207,52 @@ async function deleteOrphanedEmbeddings(
   existingEmbeddings: Map<string, ExistingEmbedding[]>,
 ): Promise<number> {
   // Fetch current DB IDs
-  const [policies, contextEntries, manualAnswers, kbDocuments] = await Promise.all([
-    fetchPolicies(organizationId),
-    fetchContextEntries(organizationId),
-    db.securityQuestionnaireManualAnswer.findMany({
-      where: { organizationId },
-      select: { id: true },
-    }),
-    fetchKnowledgeBaseDocuments(organizationId),
-  ]);
-
-    const dbPolicyIds = new Set(policies.map((p) => p.id));
-    const dbContextIds = new Set(contextEntries.map((c) => c.id));
-    const dbManualAnswerIds = new Set(manualAnswers.map((ma) => ma.id));
+  const [policies, contextEntries, manualAnswers, kbDocuments] =
+    await Promise.all([
+      fetchPolicies(organizationId),
+      fetchContextEntries(organizationId),
+      db.securityQuestionnaireManualAnswer.findMany({
+        where: { organizationId },
+        select: { id: true },
+      }),
+      fetchKnowledgeBaseDocuments(organizationId),
+    ]);
+
+  const dbPolicyIds = new Set(policies.map((p) => p.id));
+  const dbContextIds = new Set(contextEntries.map((c) => c.id));
+  const dbManualAnswerIds = new Set(manualAnswers.map((ma) => ma.id));
   const dbKbDocIds = new Set(kbDocuments.map((d) => d.id));
 
-    let orphanedDeleted = 0;
+  let orphanedDeleted = 0;
 
-      for (const [sourceId, embeddings] of existingEmbeddings.entries()) {
+  for (const [sourceId, embeddings] of existingEmbeddings.entries()) {
     const sourceType = embeddings[0]?.sourceType;
     if (!sourceType) continue;
 
-        const shouldExist =
+    const shouldExist =
       (sourceType === 'policy' && dbPolicyIds.has(sourceId)) ||
       (sourceType === 'context' && dbContextIds.has(sourceId)) ||
       (sourceType === 'manual_answer' && dbManualAnswerIds.has(sourceId)) ||
       (sourceType === 'knowledge_base_document' && dbKbDocIds.has(sourceId));
 
-        if (!shouldExist && vectorIndex) {
+    if (!shouldExist && vectorIndex) {
       const idsToDelete = embeddings.map((e) => e.id);
-          try {
-            await vectorIndex.delete(idsToDelete);
-            orphanedDeleted += idsToDelete.length;
-            logger.info('Deleted orphaned embeddings', {
-              sourceId,
+      try {
+        await vectorIndex.delete(idsToDelete);
+        orphanedDeleted += idsToDelete.length;
+        logger.info('Deleted orphaned embeddings', {
+          sourceId,
           sourceType,
-              deletedCount: idsToDelete.length,
-            });
-          } catch (error) {
-            logger.warn('Failed to delete orphaned embeddings', {
-              sourceId,
-              error: error instanceof Error ? error.message : 'Unknown error',
-            });
-          }
-        }
+          deletedCount: idsToDelete.length,
+        });
+      } catch (error) {
+        logger.warn('Failed to delete orphaned embeddings', {
+          sourceId,
+          error: error instanceof Error ? error.message : 'Unknown error',
+        });
       }
+    }
+  }
 
   return orphanedDeleted;
 }
diff --git a/apps/api/src/vector-store/lib/sync/sync-policies.ts b/apps/api/src/vector-store/lib/sync/sync-policies.ts
index 2b51805d3..b3ec15169 100644
--- a/apps/api/src/vector-store/lib/sync/sync-policies.ts
+++ b/apps/api/src/vector-store/lib/sync/sync-policies.ts
@@ -25,7 +25,9 @@ interface PolicyData {
 /**
  * Fetch all published policies for an organization
  */
-export async function fetchPolicies(organizationId: string): Promise<PolicyData[]> {
+export async function fetchPolicies(
+  organizationId: string,
+): Promise<PolicyData[]> {
   return db.policy.findMany({
     where: {
       organizationId,
@@ -61,7 +63,9 @@ async function syncSinglePolicy(
   await deleteOldEmbeddings(existingEmbeddings, { policyId: policy.id });
 
   // Create new embeddings
-  const policyText = extractTextFromPolicy(policy as Parameters<typeof extractTextFromPolicy>[0]);
+  const policyText = extractTextFromPolicy(
+    policy as Parameters<typeof extractTextFromPolicy>[0],
+  );
 
   if (!policyText || policyText.trim().length === 0) {
     return 'skipped';
@@ -110,7 +114,11 @@ export async function syncPolicies(
       batch.map(async (policy) => {
         try {
           const policyEmbeddings = existingEmbeddingsMap.get(policy.id) || [];
-          const result = await syncSinglePolicy(policy, policyEmbeddings, organizationId);
+          const result = await syncSinglePolicy(
+            policy,
+            policyEmbeddings,
+            organizationId,
+          );
 
           if (result === 'created') stats.created++;
           else if (result === 'updated') stats.updated++;
@@ -133,4 +141,3 @@ export async function syncPolicies(
 
   return stats;
 }
-
diff --git a/apps/api/src/vector-store/lib/sync/sync-utils.ts b/apps/api/src/vector-store/lib/sync/sync-utils.ts
index 75e16864f..c04265fc0 100644
--- a/apps/api/src/vector-store/lib/sync/sync-utils.ts
+++ b/apps/api/src/vector-store/lib/sync/sync-utils.ts
@@ -1,12 +1,16 @@
 import { GetObjectCommand, S3Client } from '@aws-sdk/client-s3';
-import { extractContentFromFile } from '@/vector-store/jobs/helpers/extract-content-from-file';
+import { extractContentFromFile } from '@/trigger/vector-store/helpers/extract-content-from-file';
 import { vectorIndex } from '../core/client';
 import { batchUpsertEmbeddings } from '../core/upsert-embedding';
 import { chunkText } from '../utils/chunk-text';
 import { logger } from '../../logger';
 import type { ExistingEmbedding } from '../core/find-existing-embeddings';
 
-export type SourceType = 'policy' | 'context' | 'manual_answer' | 'knowledge_base_document';
+export type SourceType =
+  | 'policy'
+  | 'context'
+  | 'manual_answer'
+  | 'knowledge_base_document';
 
 export interface SyncStats {
   created: number;
@@ -88,7 +92,8 @@ export async function extractContentFromS3Document(
   const buffer = Buffer.concat(chunks);
   const base64Data = buffer.toString('base64');
 
-  const detectedFileType = response.ContentType || fileType || 'application/octet-stream';
+  const detectedFileType =
+    response.ContentType || fileType || 'application/octet-stream';
   return extractContentFromFile(base64Data, detectedFileType);
 }
 
@@ -180,4 +185,3 @@ export function initSyncStats(total: number): SyncStats {
     total,
   };
 }
-
diff --git a/apps/api/src/vector-store/logger.ts b/apps/api/src/vector-store/logger.ts
index 371800220..6b0cec9d5 100644
--- a/apps/api/src/vector-store/logger.ts
+++ b/apps/api/src/vector-store/logger.ts
@@ -1,9 +1,9 @@
 /**
  * Universal logger that works in both NestJS and Trigger.dev runtime environments
- * 
+ *
  * In Trigger.dev tasks, we use console.log with structured output
  * In NestJS services, we use the NestJS Logger
- * 
+ *
  * This allows shared lib files to be imported by both Trigger.dev tasks and NestJS services
  */
 
@@ -61,16 +61,16 @@ const createLogger = () => {
     const baseLogger = new Logger('VectorStore');
 
     return {
-  info: (message: string, payload?: LogPayload): void => {
-    baseLogger.log(formatMessage(message, payload));
-  },
-  warn: (message: string, payload?: LogPayload): void => {
-    baseLogger.warn(formatMessage(message, payload));
-  },
-  error: (message: string, payload?: LogPayload): void => {
-    baseLogger.error(formatMessage(message, payload));
-  },
-};
+      info: (message: string, payload?: LogPayload): void => {
+        baseLogger.log(formatMessage(message, payload));
+      },
+      warn: (message: string, payload?: LogPayload): void => {
+        baseLogger.warn(formatMessage(message, payload));
+      },
+      error: (message: string, payload?: LogPayload): void => {
+        baseLogger.error(formatMessage(message, payload));
+      },
+    };
   } catch {
     // Fallback to console if NestJS is not available
     return {
diff --git a/apps/api/trigger.config.ts b/apps/api/trigger.config.ts
index 29d31d7d5..39dd5e306 100644
--- a/apps/api/trigger.config.ts
+++ b/apps/api/trigger.config.ts
@@ -27,7 +27,5 @@ export default defineConfig({
       randomize: true,
     },
   },
-  dirs: ['./src/vector-store/jobs', './src/questionnaire/vendors'],
+  dirs: ['./src/trigger'],
 });
-
-
diff --git a/apps/app/package.json b/apps/app/package.json
index 0c6536257..608234028 100644
--- a/apps/app/package.json
+++ b/apps/app/package.json
@@ -1,10 +1,11 @@
 {
   "name": "@comp/app",
   "version": "0.1.0",
+  "type": "module",
   "dependencies": {
     "@ai-sdk/anthropic": "^2.0.0",
     "@ai-sdk/groq": "^2.0.0",
-    "@ai-sdk/openai": "^2.0.65",
+    "@ai-sdk/openai": "^2.0.80",
     "@ai-sdk/provider": "^2.0.0",
     "@ai-sdk/react": "^2.0.60",
     "@ai-sdk/rsc": "^1.0.0",
@@ -17,6 +18,7 @@
     "@browserbasehq/sdk": "^2.5.0",
     "@calcom/atoms": "^1.0.102-framer",
     "@calcom/embed-react": "^1.5.3",
+    "@comp/integration-platform": "workspace:*",
     "@date-fns/tz": "^1.2.0",
     "@dnd-kit/core": "^6.3.1",
     "@dnd-kit/modifiers": "^9.0.0",
@@ -62,7 +64,7 @@
     "@vercel/analytics": "^1.5.0",
     "@vercel/sandbox": "^0.0.21",
     "@vercel/sdk": "^1.7.1",
-    "ai": "^5.0.60",
+    "ai": "^5.0.108",
     "ai-elements": "^1.6.1",
     "axios": "^1.9.0",
     "better-auth": "^1.3.27",
@@ -78,7 +80,7 @@
     "lucide-react": "^0.544.0",
     "mammoth": "^1.11.0",
     "motion": "^12.9.2",
-    "next": "^15.4.6",
+    "next": "^16.0.8",
     "next-safe-action": "^8.0.3",
     "next-themes": "^0.4.4",
     "nuqs": "^2.4.3",
@@ -88,8 +90,8 @@
     "posthog-node": "^5.8.2",
     "prisma": "^6.13.0",
     "puppeteer-core": "^24.7.2",
-    "react": "^19.1.1",
-    "react-dom": "^19.1.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-email": "^4.0.15",
     "react-hook-form": "^7.61.1",
     "react-hotkeys-hook": "^5.1.0",
diff --git a/apps/app/scripts/backfill-training-videos.ts b/apps/app/scripts/backfill-training-videos.ts
index ee1960403..67b6e6a51 100644
--- a/apps/app/scripts/backfill-training-videos.ts
+++ b/apps/app/scripts/backfill-training-videos.ts
@@ -16,8 +16,8 @@
  * - Running on-demand backfills for specific organizations
  */
 
-import { backfillTrainingVideosForAllOrgs } from '@/jobs/tasks/onboarding/backfill-training-videos-for-all-orgs';
-import { backfillTrainingVideosForOrg } from '@/jobs/tasks/onboarding/backfill-training-videos-for-org';
+import { backfillTrainingVideosForAllOrgs } from '@/trigger/tasks/onboarding/backfill-training-videos-for-all-orgs';
+import { backfillTrainingVideosForOrg } from '@/trigger/tasks/onboarding/backfill-training-videos-for-org';
 
 async function main() {
   const args = process.argv.slice(2);
diff --git a/apps/app/src/actions/organization/accept-invitation.ts b/apps/app/src/actions/organization/accept-invitation.ts
index 21bc214a6..5b907f49e 100644
--- a/apps/app/src/actions/organization/accept-invitation.ts
+++ b/apps/app/src/actions/organization/accept-invitation.ts
@@ -139,7 +139,7 @@ export const completeInvitation = authActionClientWithoutOrg
 
         revalidatePath(`/${invitation.organization.id}`);
         revalidatePath(`/${invitation.organization.id}/settings/users`);
-        revalidateTag(`user_${user.id}`);
+        revalidateTag(`user_${user.id}`, 'max');
 
         // Server redirect to the organization's root
         redirect(`/${invitation.organizationId}/`);
diff --git a/apps/app/src/actions/organization/invite-employee.ts b/apps/app/src/actions/organization/invite-employee.ts
index 241fa7d24..d17e33fe9 100644
--- a/apps/app/src/actions/organization/invite-employee.ts
+++ b/apps/app/src/actions/organization/invite-employee.ts
@@ -40,7 +40,7 @@ export const inviteEmployee = authActionClient
 
       // Revalidate the employees list page
       revalidatePath(`/${organizationId}/people/all`);
-      revalidateTag(`user_${ctx.user.id}`); // Keep user tag revalidation
+      revalidateTag(`user_${ctx.user.id}`, 'max'); // Keep user tag revalidation
 
       return {
         success: true,
diff --git a/apps/app/src/actions/organization/invite-member.ts b/apps/app/src/actions/organization/invite-member.ts
index ea826671d..44c51e9b9 100644
--- a/apps/app/src/actions/organization/invite-member.ts
+++ b/apps/app/src/actions/organization/invite-member.ts
@@ -39,7 +39,7 @@ export const inviteMember = authActionClient
       });
 
       revalidatePath(`/${organizationId}/settings/users`);
-      revalidateTag(`user_${ctx.user.id}`);
+      revalidateTag(`user_${ctx.user.id}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/organization/remove-employee.ts b/apps/app/src/actions/organization/remove-employee.ts
index 602648a11..893202a43 100644
--- a/apps/app/src/actions/organization/remove-employee.ts
+++ b/apps/app/src/actions/organization/remove-employee.ts
@@ -104,7 +104,7 @@ export const removeEmployeeRoleOrMember = authActionClient
 
           // Revalidate
           revalidatePath(`/${organizationId}/people/all`);
-          revalidateTag(`user_${currentUserId}`);
+          revalidateTag(`user_${currentUserId}`, 'max');
 
           return { success: true, data: { removed: true } };
         } else {
@@ -118,7 +118,7 @@ export const removeEmployeeRoleOrMember = authActionClient
 
           // Revalidate
           revalidatePath(`/${organizationId}/people/all`);
-          revalidateTag(`user_${currentUserId}`);
+          revalidateTag(`user_${currentUserId}`, 'max');
 
           return {
             success: true,
diff --git a/apps/app/src/actions/organization/update-organization-advanced-mode-action.ts b/apps/app/src/actions/organization/update-organization-advanced-mode-action.ts
index 0044f1a30..817b58314 100644
--- a/apps/app/src/actions/organization/update-organization-advanced-mode-action.ts
+++ b/apps/app/src/actions/organization/update-organization-advanced-mode-action.ts
@@ -36,7 +36,7 @@ export const updateOrganizationAdvancedModeAction = authActionClient
       path = path.replace(/\/[a-z]{2}\//, '/');
 
       revalidatePath(path);
-      revalidateTag(`organization_${activeOrganizationId}`);
+      revalidateTag(`organization_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/organization/update-organization-name-action.ts b/apps/app/src/actions/organization/update-organization-name-action.ts
index 24b402f0c..92625899c 100644
--- a/apps/app/src/actions/organization/update-organization-name-action.ts
+++ b/apps/app/src/actions/organization/update-organization-name-action.ts
@@ -37,7 +37,7 @@ export const updateOrganizationNameAction = authActionClient
       });
 
       revalidatePath('/settings');
-      revalidateTag(`organization_${activeOrganizationId}`);
+      revalidateTag(`organization_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/organization/update-organization-website-action.ts b/apps/app/src/actions/organization/update-organization-website-action.ts
index fbcf37869..bb0fbfc4a 100644
--- a/apps/app/src/actions/organization/update-organization-website-action.ts
+++ b/apps/app/src/actions/organization/update-organization-website-action.ts
@@ -37,7 +37,7 @@ export const updateOrganizationWebsiteAction = authActionClient
       });
 
       revalidatePath('/settings');
-      revalidateTag(`organization_${activeOrganizationId}`);
+      revalidateTag(`organization_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/accept-requested-policy-changes.ts b/apps/app/src/actions/policies/accept-requested-policy-changes.ts
index a3d716756..a1d271bde 100644
--- a/apps/app/src/actions/policies/accept-requested-policy-changes.ts
+++ b/apps/app/src/actions/policies/accept-requested-policy-changes.ts
@@ -1,6 +1,6 @@
 'use server';
 
-import { sendNewPolicyEmail } from '@/jobs/tasks/email/new-policy-email';
+import { sendNewPolicyEmail } from '@/trigger/tasks/email/new-policy-email';
 import { db, PolicyStatus } from '@db';
 import { tasks } from '@trigger.dev/sdk';
 import { revalidatePath, revalidateTag } from 'next/cache';
@@ -151,7 +151,7 @@ export const acceptRequestedPolicyChangesAction = authActionClient
 
       revalidatePath(`/${session.activeOrganizationId}/policies`);
       revalidatePath(`/${session.activeOrganizationId}/policies/${id}`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/archive-policy.ts b/apps/app/src/actions/policies/archive-policy.ts
index 48dd1bf26..cc2b0ab01 100644
--- a/apps/app/src/actions/policies/archive-policy.ts
+++ b/apps/app/src/actions/policies/archive-policy.ts
@@ -60,7 +60,7 @@ export const archivePolicyAction = authActionClient
       revalidatePath(`/${activeOrganizationId}/policies/${id}`);
       revalidatePath(`/${activeOrganizationId}/policies/all`);
       revalidatePath(`/${activeOrganizationId}/policies`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/create-new-policy.ts b/apps/app/src/actions/policies/create-new-policy.ts
index 146528fb6..419543af4 100644
--- a/apps/app/src/actions/policies/create-new-policy.ts
+++ b/apps/app/src/actions/policies/create-new-policy.ts
@@ -106,7 +106,7 @@ export const createPolicyAction = authActionClient
 
       revalidatePath(`/${activeOrganizationId}/policies/all`);
       revalidatePath(`/${activeOrganizationId}/policies`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/delete-policy.ts b/apps/app/src/actions/policies/delete-policy.ts
index b836aa26f..ed4d9a179 100644
--- a/apps/app/src/actions/policies/delete-policy.ts
+++ b/apps/app/src/actions/policies/delete-policy.ts
@@ -53,7 +53,7 @@ export const deletePolicyAction = authActionClient
 
       // Revalidate paths to update UI
       revalidatePath(`/${activeOrganizationId}/policies/all`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
     } catch (error) {
       console.error(error);
       return {
diff --git a/apps/app/src/actions/policies/deny-requested-policy-changes.ts b/apps/app/src/actions/policies/deny-requested-policy-changes.ts
index a61dcec38..e5cc4450f 100644
--- a/apps/app/src/actions/policies/deny-requested-policy-changes.ts
+++ b/apps/app/src/actions/policies/deny-requested-policy-changes.ts
@@ -87,7 +87,7 @@ export const denyRequestedPolicyChangesAction = authActionClient
 
       revalidatePath(`/${session.activeOrganizationId}/policies`);
       revalidatePath(`/${session.activeOrganizationId}/policies/${id}`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/publish-all.ts b/apps/app/src/actions/policies/publish-all.ts
index 8a17e6c51..a7302fd11 100644
--- a/apps/app/src/actions/policies/publish-all.ts
+++ b/apps/app/src/actions/policies/publish-all.ts
@@ -1,6 +1,6 @@
 'use server';
 
-import { sendPublishAllPoliciesEmail } from '@/jobs/tasks/email/publish-all-policies-email';
+import { sendPublishAllPoliciesEmail } from '@/trigger/tasks/email/publish-all-policies-email';
 import { db, PolicyStatus, Role } from '@db';
 import { revalidatePath } from 'next/cache';
 import { z } from 'zod';
@@ -105,11 +105,8 @@ export const publishAllPoliciesAction = authActionClient
         where: {
           organizationId: parsedInput.organizationId,
           isActive: true,
-          deactivated: false,          
-          OR: [
-            { role: { contains: Role.employee } },
-            { role: { contains: Role.contractor } },
-          ],
+          deactivated: false,
+          OR: [{ role: { contains: Role.employee } }, { role: { contains: Role.contractor } }],
         },
         include: {
           user: {
diff --git a/apps/app/src/actions/policies/update-policy-action.ts b/apps/app/src/actions/policies/update-policy-action.ts
index 41deb66a0..2bb9fde25 100644
--- a/apps/app/src/actions/policies/update-policy-action.ts
+++ b/apps/app/src/actions/policies/update-policy-action.ts
@@ -102,7 +102,7 @@ export const updatePolicyAction = authActionClient
 
       revalidatePath(`/${activeOrganizationId}/policies/${id}`);
       revalidatePath(`/${activeOrganizationId}/policies`);
-      revalidateTag(`user_${user.id}`);
+      revalidateTag(`user_${user.id}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/policies/update-policy-form-action.ts b/apps/app/src/actions/policies/update-policy-form-action.ts
index 3edac74d0..d4681e081 100644
--- a/apps/app/src/actions/policies/update-policy-form-action.ts
+++ b/apps/app/src/actions/policies/update-policy-form-action.ts
@@ -86,7 +86,7 @@ export const updatePolicyFormAction = authActionClient
 
       revalidatePath(`/${session.activeOrganizationId}/policies`);
       revalidatePath(`/${session.activeOrganizationId}/policies/${id}`);
-      revalidateTag('policies');
+      revalidateTag('policies', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/research-vendor.ts b/apps/app/src/actions/research-vendor.ts
index 8ac04c87c..6441b40a5 100644
--- a/apps/app/src/actions/research-vendor.ts
+++ b/apps/app/src/actions/research-vendor.ts
@@ -1,6 +1,6 @@
 'use server';
 
-import { researchVendor } from '@/jobs/tasks/scrape/research';
+import { researchVendor } from '@/trigger/tasks/scrape/research';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
 import { authActionClient } from './safe-action';
diff --git a/apps/app/src/actions/risk/create-risk-action.ts b/apps/app/src/actions/risk/create-risk-action.ts
index 29eb5a03c..fabd325c1 100644
--- a/apps/app/src/actions/risk/create-risk-action.ts
+++ b/apps/app/src/actions/risk/create-risk-action.ts
@@ -40,7 +40,7 @@ export const createRiskAction = authActionClient
 
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/register`);
-      revalidateTag(`risk_${session.activeOrganizationId}`);
+      revalidateTag(`risk_${session.activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/risk/task/revalidate-upload.ts b/apps/app/src/actions/risk/task/revalidate-upload.ts
index f25f3a5fc..ffa15a24f 100644
--- a/apps/app/src/actions/risk/task/revalidate-upload.ts
+++ b/apps/app/src/actions/risk/task/revalidate-upload.ts
@@ -23,7 +23,7 @@ export const revalidateUpload = authActionClient
 
     revalidatePath(`/${session.activeOrganizationId}/risk/${riskId}`);
     revalidatePath(`/${session.activeOrganizationId}/risk/${riskId}/tasks/${taskId}`);
-    revalidateTag('risk-cache');
+    revalidateTag('risk-cache', 'max');
 
     return {
       riskId,
diff --git a/apps/app/src/actions/risk/task/update-task-action.ts b/apps/app/src/actions/risk/task/update-task-action.ts
index dd185312a..dce1627b3 100644
--- a/apps/app/src/actions/risk/task/update-task-action.ts
+++ b/apps/app/src/actions/risk/task/update-task-action.ts
@@ -53,7 +53,7 @@ export const updateTaskAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}/tasks/${id}`);
-      revalidateTag('risks');
+      revalidateTag('risks', 'max');
 
       return { success: true };
     } catch (error) {
diff --git a/apps/app/src/actions/risk/update-inherent-risk-action.ts b/apps/app/src/actions/risk/update-inherent-risk-action.ts
index b21f5f27e..800a35350 100644
--- a/apps/app/src/actions/risk/update-inherent-risk-action.ts
+++ b/apps/app/src/actions/risk/update-inherent-risk-action.ts
@@ -37,7 +37,7 @@ export const updateInherentRiskAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/register`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}`);
-      revalidateTag('risks');
+      revalidateTag('risks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/risk/update-residual-risk-action.ts b/apps/app/src/actions/risk/update-residual-risk-action.ts
index d7b8101db..de2e601a5 100644
--- a/apps/app/src/actions/risk/update-residual-risk-action.ts
+++ b/apps/app/src/actions/risk/update-residual-risk-action.ts
@@ -53,7 +53,7 @@ export const updateResidualRiskAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/register`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}`);
-      revalidateTag('risks');
+      revalidateTag('risks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/risk/update-residual-risk-enum-action.ts b/apps/app/src/actions/risk/update-residual-risk-enum-action.ts
index 12adc136d..f45904c38 100644
--- a/apps/app/src/actions/risk/update-residual-risk-enum-action.ts
+++ b/apps/app/src/actions/risk/update-residual-risk-enum-action.ts
@@ -37,7 +37,7 @@ export const updateResidualRiskEnumAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/register`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}`);
-      revalidateTag('risks');
+      revalidateTag('risks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/actions/risk/update-risk-action.ts b/apps/app/src/actions/risk/update-risk-action.ts
index 69809efef..fb4015f3e 100644
--- a/apps/app/src/actions/risk/update-risk-action.ts
+++ b/apps/app/src/actions/risk/update-risk-action.ts
@@ -43,7 +43,7 @@ export const updateRiskAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/risk`);
       revalidatePath(`/${session.activeOrganizationId}/risk/register`);
       revalidatePath(`/${session.activeOrganizationId}/risk/${id}`);
-      revalidateTag('risks');
+      revalidateTag('risks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts b/apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts
index 6d73e7095..9b62c1c78 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/actions/run-tests.ts
@@ -1,6 +1,6 @@
 'use server';
 
-import { runIntegrationTests } from '@/jobs/tasks/integration/run-integration-tests';
+import { runIntegrationTests } from '@/trigger/tasks/integration/run-integration-tests';
 import { auth } from '@/utils/auth';
 import { tasks } from '@trigger.dev/sdk';
 import { revalidatePath } from 'next/cache';
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudSettingsModal.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudSettingsModal.tsx
index 555ab169a..444d62040 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudSettingsModal.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/CloudSettingsModal.tsx
@@ -1,5 +1,6 @@
 'use client';
 
+import { useIntegrationMutations } from '@/hooks/use-integration-platform';
 import { Button } from '@comp/ui/button';
 import {
   Dialog,
@@ -9,22 +10,15 @@ import {
   DialogHeader,
   DialogTitle,
 } from '@comp/ui/dialog';
-import { Input } from '@comp/ui/input';
-import { Label } from '@comp/ui/label';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
-import { Edit2, Loader2, Trash2, X } from 'lucide-react';
+import { Loader2, Trash2 } from 'lucide-react';
 import { useState } from 'react';
 import { toast } from 'sonner';
-import { disconnectCloudAction } from '../actions/disconnect-cloud';
-import { updateCloudCredentialsAction } from '../actions/update-cloud-credentials';
 
 interface CloudProvider {
-  id: 'aws' | 'gcp' | 'azure';
+  id: string; // Provider slug (aws, gcp, azure)
+  connectionId: string; // The actual connection ID
   name: string;
-  fields: {
-    id: string;
-    label: string;
-  }[];
 }
 
 interface CloudSettingsModalProps {
@@ -41,49 +35,10 @@ export function CloudSettingsModal({
   onUpdate,
 }: CloudSettingsModalProps) {
   const [activeTab, setActiveTab] = useState<string>(connectedProviders[0]?.id || 'aws');
-  const [isUpdating, setIsUpdating] = useState(false);
   const [isDeleting, setIsDeleting] = useState(false);
-  const [credentials, setCredentials] = useState<Record<string, Record<string, string>>>({});
-  const [editingFields, setEditingFields] = useState<Record<string, Set<string>>>({});
+  const { disconnectConnection } = useIntegrationMutations();
 
-  const handleUpdateCredentials = async (providerId: 'aws' | 'gcp' | 'azure') => {
-    const providerCredentials = credentials[providerId] || {};
-
-    // Filter out empty values
-    const filledCredentials = Object.entries(providerCredentials)
-      .filter(([_, value]) => value.trim() !== '')
-      .reduce((acc, [key, value]) => ({ ...acc, [key]: value }), {});
-
-    if (Object.keys(filledCredentials).length === 0) {
-      toast.error('Please fill in at least one field to update');
-      return;
-    }
-
-    try {
-      setIsUpdating(true);
-      const result = await updateCloudCredentialsAction({
-        cloudProvider: providerId,
-        credentials: filledCredentials,
-      });
-
-      if (result?.data?.success) {
-        toast.success('Credentials updated successfully');
-        setCredentials({});
-        setEditingFields({});
-        onUpdate();
-        onOpenChange(false);
-      } else {
-        toast.error(result?.data?.error || 'Failed to update credentials');
-      }
-    } catch (error) {
-      console.error('Update error:', error);
-      toast.error('An unexpected error occurred');
-    } finally {
-      setIsUpdating(false);
-    }
-  };
-
-  const handleDisconnect = async (providerId: 'aws' | 'gcp' | 'azure') => {
+  const handleDisconnect = async (provider: CloudProvider) => {
     if (
       !confirm(
         'Are you sure you want to disconnect this cloud provider? All scan results will be deleted.',
@@ -94,16 +49,14 @@ export function CloudSettingsModal({
 
     try {
       setIsDeleting(true);
-      const result = await disconnectCloudAction({
-        cloudProvider: providerId,
-      });
+      const result = await disconnectConnection(provider.connectionId);
 
-      if (result?.data?.success) {
+      if (result.success) {
         toast.success('Cloud provider disconnected');
         onUpdate();
         onOpenChange(false);
       } else {
-        toast.error(result?.data?.error || 'Failed to disconnect');
+        toast.error(result.error || 'Failed to disconnect');
       }
     } catch (error) {
       console.error('Disconnect error:', error);
@@ -113,40 +66,6 @@ export function CloudSettingsModal({
     }
   };
 
-  const toggleFieldEditing = (providerId: string, fieldId: string) => {
-    setEditingFields((prev) => {
-      const providerFields = new Set(prev[providerId] || []);
-      if (providerFields.has(fieldId)) {
-        providerFields.delete(fieldId);
-      } else {
-        providerFields.add(fieldId);
-      }
-      return {
-        ...prev,
-        [providerId]: providerFields,
-      };
-    });
-  };
-
-  const handleFieldChange = (providerId: string, fieldId: string, value: string) => {
-    setCredentials((prev) => ({
-      ...prev,
-      [providerId]: {
-        ...(prev[providerId] || {}),
-        [fieldId]: value,
-      },
-    }));
-  };
-
-  const isFieldEditing = (providerId: string, fieldId: string) => {
-    return editingFields[providerId]?.has(fieldId) || false;
-  };
-
-  const hasChanges = (providerId: string) => {
-    const providerCreds = credentials[providerId] || {};
-    return Object.values(providerCreds).some((val) => val.trim() !== '');
-  };
-
   if (connectedProviders.length === 0) {
     return null;
   }
@@ -156,7 +75,9 @@ export function CloudSettingsModal({
       <DialogContent className="max-w-2xl">
         <DialogHeader>
           <DialogTitle>Manage Cloud Connections</DialogTitle>
-          <DialogDescription>Update credentials or disconnect cloud providers</DialogDescription>
+          <DialogDescription>
+            Manage your cloud provider connections. To update credentials, disconnect and reconnect.
+          </DialogDescription>
         </DialogHeader>
 
         <Tabs value={activeTab} onValueChange={setActiveTab}>
@@ -175,74 +96,25 @@ export function CloudSettingsModal({
             <TabsContent key={provider.id} value={provider.id} className="space-y-4">
               <div className="bg-muted/50 rounded-lg border p-4">
                 <p className="text-muted-foreground text-sm">
-                  Credentials are securely stored. Click the edit icon to change a specific field.
+                  {provider.name} is connected. Credentials are securely stored using IAM Role assumption.
                 </p>
               </div>
 
-              <div className="space-y-4">
-                {provider.fields.map((field) => {
-                  const isEditing = isFieldEditing(provider.id, field.id);
-                  return (
-                    <div key={field.id} className="space-y-2">
-                      <Label htmlFor={`${provider.id}-${field.id}`}>{field.label}</Label>
-                      <div className="flex gap-2">
-                        {isEditing ? (
-                          <>
-                            <Input
-                              id={`${provider.id}-${field.id}`}
-                              type="password"
-                              placeholder={`Enter new ${field.label.toLowerCase()}`}
-                              value={credentials[provider.id]?.[field.id] || ''}
-                              onChange={(e) =>
-                                handleFieldChange(provider.id, field.id, e.target.value)
-                              }
-                              disabled={isUpdating || isDeleting}
-                              className="flex-1"
-                              autoFocus
-                            />
-                            <Button
-                              variant="ghost"
-                              size="icon"
-                              onClick={() => {
-                                toggleFieldEditing(provider.id, field.id);
-                                // Clear the value when canceling
-                                handleFieldChange(provider.id, field.id, '');
-                              }}
-                              disabled={isUpdating || isDeleting}
-                            >
-                              <X className="h-4 w-4" />
-                            </Button>
-                          </>
-                        ) : (
-                          <>
-                            <Input
-                              id={`${provider.id}-${field.id}`}
-                              type="password"
-                              value="••••••••••••••••"
-                              disabled
-                              className="flex-1"
-                            />
-                            <Button
-                              variant="outline"
-                              size="icon"
-                              onClick={() => toggleFieldEditing(provider.id, field.id)}
-                              disabled={isUpdating || isDeleting}
-                            >
-                              <Edit2 className="h-4 w-4" />
-                            </Button>
-                          </>
-                        )}
-                      </div>
-                    </div>
-                  );
-                })}
+              <div className="rounded-lg border p-4 space-y-2">
+                <div className="flex items-center justify-between">
+                  <span className="text-sm font-medium">Connection Status</span>
+                  <span className="text-sm text-green-600 dark:text-green-400">Active</span>
+                </div>
+                <p className="text-xs text-muted-foreground">
+                  To update credentials, disconnect this provider and reconnect with new IAM role settings.
+                </p>
               </div>
 
-              <DialogFooter className="flex justify-between sm:justify-between">
+              <DialogFooter className="flex justify-end">
                 <Button
                   variant="destructive"
-                  onClick={() => handleDisconnect(provider.id)}
-                  disabled={isUpdating || isDeleting}
+                  onClick={() => handleDisconnect(provider)}
+                  disabled={isDeleting}
                 >
                   {isDeleting ? (
                     <>
@@ -256,19 +128,6 @@ export function CloudSettingsModal({
                     </>
                   )}
                 </Button>
-                <Button
-                  onClick={() => handleUpdateCredentials(provider.id)}
-                  disabled={isUpdating || isDeleting || !hasChanges(provider.id)}
-                >
-                  {isUpdating ? (
-                    <>
-                      <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                      Updating...
-                    </>
-                  ) : (
-                    'Save Changes'
-                  )}
-                </Button>
               </DialogFooter>
             </TabsContent>
           ))}
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx
index 8f6651b6f..759e6cd66 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/EmptyState.tsx
@@ -49,7 +49,6 @@ interface ProviderFieldBase {
   label: string;
   helpText: string;
   placeholder?: string;
-  example?: string;
 }
 
 interface ProviderFieldWithOptions extends ProviderFieldBase {
@@ -128,7 +127,7 @@ interface EmptyStateProps {
   onConnected?: (trigger?: TriggerInfo) => void;
 }
 
-export function EmptyState({ onBack, connectedProviders = [], onConnected }: EmptyStateProps = {}) {
+export function EmptyState({ onBack, connectedProviders = [], onConnected }: EmptyStateProps) {
   const [step, setStep] = useState<Step>('choose');
   const [selectedProvider, setSelectedProvider] = useState<CloudProvider>(null);
   const [credentials, setCredentials] = useState<Record<string, string>>({});
@@ -145,7 +144,7 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
   };
 
   const handleBack = () => {
-    if (step === 'connect') {
+    if (step === 'connect' || step === 'validate-aws') {
       setStep('choose');
       setSelectedProvider(null);
       setCredentials({});
@@ -182,7 +181,6 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
   };
 
   const handleValidateAws = async () => {
-    // For AWS, validate credentials first
     if (!credentials.access_key_id || !credentials.secret_access_key) {
       setErrors({
         access_key_id: !credentials.access_key_id ? 'Required' : '',
@@ -236,7 +234,6 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
         if (result.data?.runErrors && result.data.runErrors.length > 0) {
           toast.error(result.data.runErrors[0] || 'Initial scan reported an issue');
         }
-        // If user already has clouds, automatically return to results after 2 seconds
         if (onBack) {
           setTimeout(() => {
             onBack();
@@ -348,7 +345,7 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
             </Button>
           </div>
         )}
-        <div className="flex flex-col items-center gap-6 text-center max-w-2xl mx-auto">
+        <div className="mx-auto flex max-w-2xl flex-col items-center gap-6 text-center">
           <div className="relative">
             <div className="absolute inset-0 rounded-full" />
             <div className="relative rounded-2xl p-4">
@@ -360,13 +357,13 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
               {onBack ? 'Add Another Cloud' : 'Continuous Cloud Scanning'}
             </h1>
             <div className="space-y-3">
-              <p className="text-muted-foreground text-lg leading-relaxed max-w-lg mx-auto">
+              <p className="text-muted-foreground mx-auto max-w-lg text-lg leading-relaxed">
                 Automatically monitor your cloud infrastructure for security vulnerabilities and
                 compliance issues.
               </p>
-              <div className="inline-flex items-center gap-2 px-4 py-2 rounded-full bg-primary/10 border border-primary/20">
-                <div className="w-1.5 h-1.5 rounded-full bg-primary animate-pulse" />
-                <span className="text-xs font-medium text-primary">Always-on monitoring</span>
+              <div className="inline-flex items-center gap-2 rounded-full border border-primary/20 bg-primary/10 px-4 py-2">
+                <div className="h-1.5 w-1.5 animate-pulse rounded-full bg-primary" />
+                <span className="text-primary text-xs font-medium">Always-on monitoring</span>
               </div>
             </div>
           </div>
@@ -413,7 +410,7 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
     const fields = PROVIDER_FIELDS[provider.id];
 
     return (
-      <div className="mx-auto max-w-7xl flex min-h-[600px] w-full flex-col gap-6 py-4 md:py-6 lg:py-8">
+      <div className="mx-auto flex min-h-[600px] w-full max-w-7xl flex-col gap-6 py-4 md:py-6 lg:py-8">
         <div className="flex items-center gap-4">
           <Button variant="ghost" size="sm" onClick={handleBack}>
             <ArrowLeft className="mr-2 h-4 w-4" />
@@ -543,7 +540,7 @@ export function EmptyState({ onBack, connectedProviders = [], onConnected }: Emp
     return (
       <div className="container mx-auto flex min-h-[600px] w-full flex-col items-center justify-center gap-8 p-4 md:p-6 lg:p-8">
         <div className="flex flex-col items-center gap-6 text-center">
-          <div className="bg-primary/10 rounded-full p-6">
+          <div className="rounded-full bg-primary/10 p-6">
             <CheckCircle2 className="text-primary h-16 w-16" />
           </div>
           <div className="space-y-2">
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/FindingsTable.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/FindingsTable.tsx
index 4f203cdd3..d77cf796c 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/FindingsTable.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/FindingsTable.tsx
@@ -30,9 +30,12 @@ const severityVariant = {
 
 const statusVariant = {
   failed: 'destructive',
-  passed: 'default',
+  passed: 'success',
   new: 'warning',
   active: 'warning',
+  open: 'destructive',
+  success: 'success',
+  resolved: 'default',
 } as const;
 
 export function FindingsTable({ findings }: FindingsTableProps) {
@@ -67,7 +70,7 @@ export function FindingsTable({ findings }: FindingsTableProps) {
             <TableHead className="w-[120px]">Severity</TableHead>
             <TableHead>Title</TableHead>
             <TableHead className="w-[150px]">Status</TableHead>
-            <TableHead className="w-[180px]">Last Checked</TableHead>
+            <TableHead className="w-[180px]">Detected At</TableHead>
           </TableRow>
         </TableHeader>
         <TableBody>
@@ -102,7 +105,7 @@ export function FindingsTable({ findings }: FindingsTableProps) {
                   </TableCell>
                   <TableCell>
                     <Badge variant={statusVariant[statusKey] || 'secondary'}>
-                      {finding.status || 'Unknown'}
+                      {finding.status === 'success' ? 'Passed' : finding.status || 'Unknown'}
                     </Badge>
                   </TableCell>
                   <TableCell className="text-muted-foreground text-sm">
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/ResultsView.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/ResultsView.tsx
index d8a5c301e..b00052eb3 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/ResultsView.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/ResultsView.tsx
@@ -2,8 +2,7 @@
 
 import { Button } from '@comp/ui/button';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@comp/ui/select';
-import type { AnyRealtimeRun } from '@trigger.dev/sdk';
-import { AlertTriangle, CheckCircle2, Info, Loader2, RefreshCw, X } from 'lucide-react';
+import { AlertCircle, CheckCircle2, Loader2, RefreshCw, Settings } from 'lucide-react';
 import { useMemo, useState } from 'react';
 import { FindingsTable } from './FindingsTable';
 
@@ -21,36 +20,22 @@ interface ResultsViewProps {
   findings: Finding[];
   onRunScan: () => Promise<string | null>;
   isScanning: boolean;
-  run: AnyRealtimeRun | undefined;
+  needsConfiguration?: boolean;
+  onConfigure?: () => void;
 }
 
 const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
 
-export function ResultsView({ findings, onRunScan, isScanning, run }: ResultsViewProps) {
+export function ResultsView({
+  findings,
+  onRunScan,
+  isScanning,
+  needsConfiguration,
+  onConfigure,
+}: ResultsViewProps) {
   const [selectedStatus, setSelectedStatus] = useState<string>('all');
   const [selectedSeverity, setSelectedSeverity] = useState<string>('all');
-
-  const isCompleted = run?.status === 'COMPLETED';
-  const isFailed =
-    run?.status === 'FAILED' ||
-    run?.status === 'CRASHED' ||
-    run?.status === 'SYSTEM_FAILURE' ||
-    run?.status === 'TIMED_OUT' ||
-    run?.status === 'CANCELED';
-
-  const runOutput =
-    run?.output && typeof run.output === 'object' && 'success' in run.output
-      ? (run.output as {
-          success: boolean;
-          errors?: string[];
-          failedIntegrations?: Array<{ name: string; error: string }>;
-        })
-      : null;
-
-  const hasOutputErrors = runOutput && !runOutput.success;
-  const outputErrorMessages = hasOutputErrors
-    ? (runOutput.errors ?? runOutput.failedIntegrations?.map((i) => `${i.name}: ${i.error}`) ?? [])
-    : [];
+  const [scanCompleted, setScanCompleted] = useState(false);
 
   const uniqueStatuses = Array.from(
     new Set(findings.map((f) => f.status).filter(Boolean) as string[]),
@@ -79,8 +64,39 @@ export function ResultsView({ findings, onRunScan, isScanning, run }: ResultsVie
     [filteredFindings],
   );
 
+  const handleRunScan = async () => {
+    setScanCompleted(false);
+    const result = await onRunScan();
+    if (result) {
+      setScanCompleted(true);
+      // Hide the success message after 5 seconds
+      setTimeout(() => setScanCompleted(false), 5000);
+    }
+  };
+
   return (
     <div className="flex flex-col gap-6">
+      {needsConfiguration && onConfigure && (
+        <div className="bg-warning/10 rounded-lg border border-warning/30 p-4">
+          <div className="flex items-start gap-3">
+            <AlertCircle className="h-5 w-5 text-warning shrink-0 mt-0.5" />
+            <div>
+              <p className="text-sm font-medium text-warning-foreground">Configuration Required</p>
+              <p className="text-sm text-warning-foreground/80 mt-1">
+                Please configure the required variables (like region or organization ID) to enable
+                security scans.
+              </p>
+            </div>
+          </div>
+          <div className="mt-3 ml-8">
+            <Button size="sm" variant="outline" onClick={onConfigure}>
+              <Settings className="h-4 w-4 mr-2" />
+              Configure
+            </Button>
+          </div>
+        </div>
+      )}
+
       {isScanning && (
         <div className="bg-primary/10 flex items-center gap-3 rounded-lg border border-primary/20 p-4">
           <Loader2 className="text-primary h-5 w-5 animate-spin flex-shrink-0" />
@@ -93,7 +109,7 @@ export function ResultsView({ findings, onRunScan, isScanning, run }: ResultsVie
         </div>
       )}
 
-      {isCompleted && !isScanning && !hasOutputErrors && (
+      {scanCompleted && !isScanning && (
         <div className="bg-primary/10 flex items-center gap-3 rounded-lg border border-primary/20 p-4">
           <CheckCircle2 className="text-primary h-5 w-5 flex-shrink-0" />
           <div className="flex-1">
@@ -103,52 +119,6 @@ export function ResultsView({ findings, onRunScan, isScanning, run }: ResultsVie
         </div>
       )}
 
-      {hasOutputErrors && !isScanning && (
-        <div className="bg-destructive/10 flex items-start gap-3 rounded-lg border border-destructive/20 p-4">
-          <AlertTriangle className="text-destructive h-5 w-5 flex-shrink-0" />
-          <div className="flex-1 space-y-1">
-            <p className="text-destructive text-sm font-medium">Scan completed with errors</p>
-            <ul className="text-muted-foreground text-xs leading-relaxed">
-              {outputErrorMessages.slice(0, 5).map((message, index) => (
-                <li key={index}>• {message}</li>
-              ))}
-              {outputErrorMessages.length === 0 && (
-                <li>Encountered an unknown error while processing integration results.</li>
-              )}
-            </ul>
-          </div>
-        </div>
-      )}
-
-      {isFailed && !isScanning && (
-        <div className="bg-destructive/10 flex items-center gap-3 rounded-lg border border-destructive/20 p-4">
-          <X className="text-destructive h-5 w-5 flex-shrink-0" />
-          <div className="flex-1">
-            <p className="text-destructive text-sm font-medium">Scan failed</p>
-            <p className="text-muted-foreground text-xs">
-              {typeof run?.error === 'object' && run.error && 'message' in run.error
-                ? String(run.error.message)
-                : 'An error occurred during the scan. Please try again.'}
-            </p>
-          </div>
-        </div>
-      )}
-
-      {isCompleted && findings.length === 0 && !isScanning && !hasOutputErrors && (
-        <div className="bg-blue-50 dark:bg-blue-950/20 flex items-center gap-3 rounded-lg border border-blue-200 dark:border-blue-900 p-4">
-          <Info className="text-blue-600 dark:text-blue-400 h-5 w-5 flex-shrink-0" />
-          <div className="flex-1">
-            <p className="text-blue-900 dark:text-blue-100 text-sm font-medium">
-              Initial scan complete
-            </p>
-            <p className="text-muted-foreground text-xs">
-              Security findings may take 24-48 hours to appear after enabling cloud security
-              services. Check back later.
-            </p>
-          </div>
-        </div>
-      )}
-
       <div className="flex items-center justify-between">
         {findings.length > 0 ? (
           <div className="flex flex-wrap items-center gap-2">
@@ -190,9 +160,9 @@ export function ResultsView({ findings, onRunScan, isScanning, run }: ResultsVie
           <div />
         )}
 
-        <Button onClick={onRunScan} disabled={isScanning} className="gap-2 rounded-lg">
-          <RefreshCw className="h-4 w-4" />
-          Run Scan
+        <Button onClick={handleRunScan} disabled={isScanning} className="gap-2 rounded-lg">
+          <RefreshCw className={`h-4 w-4 ${isScanning ? 'animate-spin' : ''}`} />
+          {isScanning ? 'Scanning...' : 'Run Scan'}
         </Button>
       </div>
 
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx
index d3f090c58..8e3f7d579 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/components/TestsLayout.tsx
@@ -1,15 +1,14 @@
 'use client';
 
-import type { runIntegrationTests } from '@/jobs/tasks/integration/run-integration-tests';
+import { ManageIntegrationDialog } from '@/components/integrations/ManageIntegrationDialog';
+import { useIntegrationMutations } from '@/hooks/use-integration-platform';
+import { api } from '@/lib/api-client';
 import { Button } from '@comp/ui/button';
 import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
-import { Integration } from '@db';
-import { useRealtimeTaskTrigger } from '@trigger.dev/react-hooks';
 import { Plus, Settings } from 'lucide-react';
-import { useEffect, useState } from 'react';
+import { useState } from 'react';
 import { toast } from 'sonner';
 import useSWR from 'swr';
-import type { IntegrationRunOutput } from '../types';
 import { CloudSettingsModal } from './CloudSettingsModal';
 import { EmptyState } from './EmptyState';
 import { ResultsView } from './ResultsView';
@@ -27,36 +26,53 @@ interface Finding {
   };
 }
 
+interface Provider {
+  id: string;
+  integrationId: string;
+  name: string;
+  organizationId: string;
+  lastRunAt: Date | null;
+  status: string;
+  createdAt: Date;
+  updatedAt: Date;
+  isLegacy?: boolean;
+  variables?: Record<string, unknown> | null;
+  requiredVariables?: string[];
+}
+
 interface TestsLayoutProps {
   initialFindings: Finding[];
-  initialProviders: Integration[];
-  triggerToken: string;
+  initialProviders: Provider[];
   orgId: string;
 }
 
 type SupportedProviderId = 'aws' | 'gcp' | 'azure';
-type SupportedIntegration = Integration & { integrationId: SupportedProviderId };
 
 const SUPPORTED_PROVIDER_IDS: readonly SupportedProviderId[] = ['aws', 'gcp', 'azure'];
 
-const isSupportedProviderId = (id: string): id is SupportedProviderId =>
-  SUPPORTED_PROVIDER_IDS.includes(id as SupportedProviderId);
+// Check if a provider needs configuration (has required variables that aren't set)
+const needsVariableConfiguration = (provider: Provider): boolean => {
+  // Legacy providers use old system - no variable config needed here
+  if (provider.isLegacy) return false;
 
-const isIntegrationRunOutput = (value: unknown): value is IntegrationRunOutput => {
-  if (typeof value !== 'object' || value === null) {
-    return false;
-  }
-  return typeof (value as { success?: unknown }).success === 'boolean';
+  const requiredVars = provider.requiredVariables || [];
+  if (requiredVars.length === 0) return false;
+
+  const currentVars = provider.variables || {};
+  return requiredVars.some((varId) => !currentVars[varId]);
 };
 
-export function TestsLayout({
-  initialFindings,
-  initialProviders,
-  triggerToken,
-  orgId,
-}: TestsLayoutProps) {
+const isSupportedProviderId = (id: string): id is SupportedProviderId =>
+  SUPPORTED_PROVIDER_IDS.includes(id as SupportedProviderId);
+
+export function TestsLayout({ initialFindings, initialProviders, orgId }: TestsLayoutProps) {
   const [showSettings, setShowSettings] = useState(false);
   const [viewingResults, setViewingResults] = useState(true);
+  const [isScanning, setIsScanning] = useState(false);
+  const [activeTab, setActiveTab] = useState<string | null>(null);
+  const [configureDialogOpen, setConfigureDialogOpen] = useState(false);
+  const [configureProvider, setConfigureProvider] = useState<Provider | null>(null);
+  const { disconnectConnection } = useIntegrationMutations();
 
   const { data: findings = initialFindings, mutate: mutateFindings } = useSWR<Finding[]>(
     '/api/cloud-tests/findings',
@@ -72,7 +88,7 @@ export function TestsLayout({
     },
   );
 
-  const { data: providers = initialProviders, mutate: mutateProviders } = useSWR<Integration[]>(
+  const { data: providers = initialProviders, mutate: mutateProviders } = useSWR<Provider[]>(
     '/api/cloud-tests/providers',
     async (url) => {
       const res = await fetch(url);
@@ -85,77 +101,57 @@ export function TestsLayout({
     },
   );
 
-  const connectedProviders = providers.filter((p): p is SupportedIntegration =>
-    isSupportedProviderId(p.integrationId),
-  );
+  const connectedProviders = providers.filter((p) => isSupportedProviderId(p.integrationId));
 
-  const { submit, run, error, isLoading } = useRealtimeTaskTrigger<typeof runIntegrationTests>(
-    'run-integration-tests',
-    {
-      accessToken: triggerToken,
-    },
-  );
-
-  const isCompleted = run?.status === 'COMPLETED';
-  const isFailed =
-    run?.status === 'FAILED' ||
-    run?.status === 'CRASHED' ||
-    run?.status === 'SYSTEM_FAILURE' ||
-    run?.status === 'TIMED_OUT' ||
-    run?.status === 'CANCELED' ||
-    run?.status === 'EXPIRED';
-
-  const isTerminal = isCompleted || isFailed;
-  const isScanning = Boolean(run && !isTerminal) || isLoading;
+  // Get the current active provider (use activeTab state or default to first provider)
+  const currentProviderId = activeTab || connectedProviders[0]?.integrationId;
 
-  const runOutput = isCompleted && isIntegrationRunOutput(run?.output) ? run.output : null;
-
-  useEffect(() => {
-    if (!run || !isTerminal) {
-      return;
-    }
-
-    void mutateFindings();
-
-    if (runOutput && !runOutput.success) {
-      const errorMessage =
-        runOutput.errors?.[0] ??
-        runOutput.failedIntegrations?.[0]?.error ??
-        'Scan completed with errors';
-      toast.error(errorMessage);
-      return;
-    }
-
-    if (isFailed || run.error) {
-      const errorMessage =
-        typeof run.error === 'object' && run.error && 'message' in run.error
-          ? String(run.error.message)
-          : typeof run.error === 'string'
-            ? run.error
-            : 'Scan failed. Please try again.';
-      toast.error(errorMessage);
-      return;
+  const handleRunScan = async (providerId?: string): Promise<string | null> => {
+    if (!orgId) {
+      toast.error('No active organization');
+      return null;
     }
 
-    if (isCompleted) {
-      toast.success('Scan completed! Results updated.');
-    }
-  }, [run, isTerminal, isFailed, isCompleted, runOutput, mutateFindings]);
+    // Use the passed providerId, or fall back to the current active tab
+    const targetProviderId = providerId || currentProviderId;
+    const targetProvider = connectedProviders.find((p) => p.integrationId === targetProviderId);
 
-  const handleRunScan = async (): Promise<string | null> => {
-    if (!orgId) {
-      toast.error('No active organization');
+    if (!targetProvider) {
+      toast.error('No provider selected');
       return null;
     }
 
+    setIsScanning(true);
+    toast.message(`Starting ${targetProvider.name} security scan...`);
+
     try {
-      await submit({ organizationId: orgId });
-      toast.message('Scan started. Checking your cloud infrastructure...');
-      return run?.id || null;
+      if (targetProvider.isLegacy) {
+        // Run legacy check for this specific provider
+        const { runTests } = await import('../actions/run-tests');
+        const result = await runTests();
+        if (!result.success) {
+          console.error('Legacy scan error:', result.errors);
+        }
+      } else {
+        // Use dedicated cloud security endpoint
+        const response = await api.post(`/v1/cloud-security/scan/${targetProvider.id}`, {}, orgId);
+        if (response.error) {
+          console.error(`Error scanning ${targetProvider.name}:`, response.error);
+          toast.error(`Failed to scan ${targetProvider.name}`);
+          return null;
+        }
+      }
+
+      toast.success('Scan completed! Results updated.');
+      await mutateProviders(); // Refresh to get updated lastRunAt
+      await mutateFindings();
+      return 'completed';
     } catch (error) {
-      console.error('🚀 Submit error:', error);
-      toast.error('Failed to start scan. Please try again.');
+      console.error('Scan error:', error);
+      toast.error('Failed to complete scan. Please try again.');
       return null;
+    } finally {
+      setIsScanning(false);
     }
   };
 
@@ -168,12 +164,6 @@ export function TestsLayout({
   const handleCloudConnected = async () => {
     mutateProviders();
     mutateFindings();
-
-    if (orgId) {
-      await submit({ organizationId: orgId });
-      toast.message('Scan started. Checking your cloud infrastructure...');
-    }
-
     setViewingResults(true);
   };
 
@@ -228,9 +218,13 @@ export function TestsLayout({
 
         <ResultsView
           findings={providerFindings}
-          onRunScan={handleRunScan}
+          onRunScan={() => handleRunScan(provider.integrationId)}
           isScanning={isScanning}
-          run={run}
+          needsConfiguration={needsVariableConfiguration(provider)}
+          onConfigure={() => {
+            setConfigureProvider(provider);
+            setConfigureDialogOpen(true);
+          }}
         />
 
         <CloudSettingsModal
@@ -238,11 +232,41 @@ export function TestsLayout({
           onOpenChange={setShowSettings}
           connectedProviders={connectedProviders.map((p) => ({
             id: p.integrationId,
+            connectionId: p.id,
             name: p.name,
-            fields: getProviderFields(p.integrationId),
           }))}
           onUpdate={handleProvidersUpdate}
         />
+
+        {/* Configure dialog for setting variables */}
+        {configureProvider && (
+          <ManageIntegrationDialog
+            open={configureDialogOpen}
+            onOpenChange={setConfigureDialogOpen}
+            connectionId={configureProvider.id}
+            integrationId={configureProvider.integrationId}
+            integrationName={configureProvider.name}
+            integrationLogoUrl={`https://img.logo.dev/${
+              configureProvider.integrationId === 'aws'
+                ? 'aws.amazon.com'
+                : configureProvider.integrationId === 'gcp'
+                  ? 'cloud.google.com'
+                  : 'azure.com'
+            }?token=pk_AZatYxV5QDSfWpRDaBxzRQ`}
+            configureOnly={true}
+            onSaved={async () => {
+              const savedProvider = configureProvider;
+              setConfigureDialogOpen(false);
+              setConfigureProvider(null);
+              await mutateProviders();
+              // Run scan after saving variables
+              if (savedProvider) {
+                toast.message('Configuration saved! Running security scan...');
+                await handleRunScan(savedProvider.integrationId);
+              }
+            }}
+          />
+        )}
       </div>
     );
   }
@@ -276,7 +300,7 @@ export function TestsLayout({
         </div>
       </div>
 
-      <Tabs defaultValue={defaultTab}>
+      <Tabs defaultValue={defaultTab} onValueChange={setActiveTab}>
         <TabsList>
           {connectedProviders.map((provider) => (
             <TabsTrigger key={provider.integrationId} value={provider.integrationId}>
@@ -296,9 +320,13 @@ export function TestsLayout({
             >
               <ResultsView
                 findings={providerFindings}
-                onRunScan={handleRunScan}
+                onRunScan={() => handleRunScan(provider.integrationId)}
                 isScanning={isScanning}
-                run={run}
+                needsConfiguration={needsVariableConfiguration(provider)}
+                onConfigure={() => {
+                  setConfigureProvider(provider);
+                  setConfigureDialogOpen(true);
+                }}
               />
             </TabsContent>
           );
@@ -310,34 +338,41 @@ export function TestsLayout({
         onOpenChange={setShowSettings}
         connectedProviders={connectedProviders.map((p) => ({
           id: p.integrationId,
+          connectionId: p.id,
           name: p.name,
-          fields: getProviderFields(p.integrationId),
         }))}
         onUpdate={handleProvidersUpdate}
       />
+
+      {/* Configure dialog for setting variables */}
+      {configureProvider && (
+        <ManageIntegrationDialog
+          open={configureDialogOpen}
+          onOpenChange={setConfigureDialogOpen}
+          connectionId={configureProvider.id}
+          integrationId={configureProvider.integrationId}
+          integrationName={configureProvider.name}
+          integrationLogoUrl={`https://img.logo.dev/${
+            configureProvider.integrationId === 'aws'
+              ? 'aws.amazon.com'
+              : configureProvider.integrationId === 'gcp'
+                ? 'cloud.google.com'
+                : 'azure.com'
+          }?token=pk_AZatYxV5QDSfWpRDaBxzRQ`}
+          configureOnly={true}
+          onSaved={async () => {
+            const savedProvider = configureProvider;
+            setConfigureDialogOpen(false);
+            setConfigureProvider(null);
+            await mutateProviders();
+            // Run scan after saving variables
+            if (savedProvider) {
+              toast.message('Configuration saved! Running security scan...');
+              await handleRunScan(savedProvider.integrationId);
+            }
+          }}
+        />
+      )}
     </div>
   );
 }
-
-function getProviderFields(providerId: SupportedProviderId) {
-  switch (providerId) {
-    case 'aws':
-      return [
-        { id: 'region', label: 'AWS Region' },
-        { id: 'access_key_id', label: 'Access Key ID' },
-        { id: 'secret_access_key', label: 'Secret Access Key' },
-      ];
-    case 'gcp':
-      return [
-        { id: 'organization_id', label: 'Organization ID' },
-        { id: 'service_account_key', label: 'Service Account Key' },
-      ];
-    case 'azure':
-      return [
-        { id: 'AZURE_CLIENT_ID', label: 'Client ID' },
-        { id: 'AZURE_TENANT_ID', label: 'Tenant ID' },
-        { id: 'AZURE_CLIENT_SECRET', label: 'Client Secret' },
-        { id: 'AZURE_SUBSCRIPTION_ID', label: 'Subscription ID' },
-      ];
-  }
-}
diff --git a/apps/app/src/app/(app)/[orgId]/cloud-tests/page.tsx b/apps/app/src/app/(app)/[orgId]/cloud-tests/page.tsx
index 41fc245d1..43ebf5d26 100644
--- a/apps/app/src/app/(app)/[orgId]/cloud-tests/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/cloud-tests/page.tsx
@@ -1,76 +1,248 @@
 import { auth as betterAuth } from '@/utils/auth';
-import { auth } from '@trigger.dev/sdk';
+import { getManifest } from '@comp/integration-platform';
 import { db } from '@db';
 import { headers } from 'next/headers';
 import { redirect } from 'next/navigation';
 import { TestsLayout } from './components/TestsLayout';
 
+const CLOUD_PROVIDER_SLUGS = ['aws', 'gcp', 'azure'];
+
+// Get required variables from manifest
+const getRequiredVariables = (providerSlug: string): string[] => {
+  const manifest = getManifest(providerSlug);
+  if (!manifest?.checks) return [];
+
+  const requiredVars = new Set<string>();
+  for (const check of manifest.checks) {
+    if (check.variables) {
+      for (const variable of check.variables) {
+        if (variable.required) {
+          requiredVars.add(variable.id);
+        }
+      }
+    }
+  }
+  return Array.from(requiredVars);
+};
+
 export default async function CloudTestsPage({ params }: { params: Promise<{ orgId: string }> }) {
   const { orgId } = await params;
   const session = await betterAuth.api.getSession({
     headers: await headers(),
   });
 
-  if (!session?.session.activeOrganizationId) {
-    redirect('/');
-  }
+  // Check person belongs to organization
+  const member = await db.member.findFirst({
+    where: {
+      userId: session?.user.id,
+      organizationId: orgId,
+    },
+  });
 
-  if (session.session.activeOrganizationId !== orgId) {
-    redirect(`/${session.session.activeOrganizationId}/cloud-tests`);
+  if (!member) {
+    redirect('/');
   }
 
-  // Fetch cloud providers
-  const providers =
-    (await db.integration.findMany({
-      where: {
-        organizationId: orgId,
-        integrationId: {
-          in: ['aws', 'gcp', 'azure'],
+  // ====================================================================
+  // Fetch from NEW integration platform (IntegrationConnection)
+  // ====================================================================
+  const newConnections = await db.integrationConnection.findMany({
+    where: {
+      organizationId: orgId,
+      status: 'active',
+      provider: {
+        slug: {
+          in: CLOUD_PROVIDER_SLUGS,
         },
       },
-    })) || [];
-
-  // Fetch findings
-  const findings =
-    (await db.integrationResult.findMany({
-      where: {
-        organizationId: orgId,
-        integration: {
-          integrationId: {
-            in: ['aws', 'gcp', 'azure'],
-          },
-        },
+    },
+    include: {
+      provider: true,
+    },
+  });
+
+  // ====================================================================
+  // Fetch from OLD integration table (Integration) - for backward compat
+  // ====================================================================
+  const legacyIntegrations = await db.integration.findMany({
+    where: {
+      organizationId: orgId,
+      integrationId: {
+        in: CLOUD_PROVIDER_SLUGS,
       },
-      select: {
-        id: true,
-        title: true,
-        description: true,
-        remediation: true,
-        status: true,
-        severity: true,
-        completedAt: true,
-        integration: {
+    },
+  });
+
+  // Filter out legacy integrations that have been migrated to new platform
+  const newConnectionSlugs = new Set(newConnections.map((c) => c.provider.slug));
+  const activeLegacyIntegrations = legacyIntegrations.filter(
+    (i) => !newConnectionSlugs.has(i.integrationId),
+  );
+
+  // ====================================================================
+  // Merge providers from both sources
+  // ====================================================================
+  type Provider = {
+    id: string;
+    integrationId: string;
+    name: string;
+    organizationId: string;
+    lastRunAt: Date | null;
+    status: string;
+    createdAt: Date;
+    updatedAt: Date;
+    isLegacy: boolean;
+    variables: Record<string, unknown> | null;
+    requiredVariables: string[];
+  };
+
+  const newProviders: Provider[] = newConnections.map((conn) => ({
+    id: conn.id,
+    integrationId: conn.provider.slug,
+    name: conn.provider.name,
+    organizationId: conn.organizationId,
+    lastRunAt: conn.lastSyncAt,
+    status: conn.status,
+    createdAt: conn.createdAt,
+    updatedAt: conn.updatedAt,
+    isLegacy: false,
+    variables: (conn.variables as Record<string, unknown>) ?? null,
+    requiredVariables: getRequiredVariables(conn.provider.slug),
+  }));
+
+  const legacyProviders: Provider[] = activeLegacyIntegrations.map((integration) => ({
+    id: integration.id,
+    integrationId: integration.integrationId,
+    name: integration.name,
+    organizationId: integration.organizationId,
+    lastRunAt: integration.lastRunAt,
+    status: 'active',
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    isLegacy: true,
+    variables: null,
+    requiredVariables: getRequiredVariables(integration.integrationId),
+  }));
+
+  const providers: Provider[] = [...newProviders, ...legacyProviders];
+
+  // ====================================================================
+  // Fetch findings from NEW platform (IntegrationCheckResult)
+  // ====================================================================
+  const newConnectionIds = newConnections.map((c) => c.id);
+  const connectionToSlug = Object.fromEntries(newConnections.map((c) => [c.id, c.provider.slug]));
+
+  // Get the latest check run for each connection
+  const latestRuns =
+    newConnectionIds.length > 0
+      ? await db.integrationCheckRun.findMany({
+          where: {
+            connectionId: { in: newConnectionIds },
+            status: { in: ['success', 'failed'] },
+          },
+          orderBy: { completedAt: 'desc' },
+          distinct: ['connectionId'],
+          select: { id: true, connectionId: true, status: true },
+        })
+      : [];
+
+  const latestRunIds = latestRuns.map((r) => r.id);
+  const checkRunMap = Object.fromEntries(latestRuns.map((cr) => [cr.id, cr]));
+
+  // Fetch results only from the latest runs (both passed and failed)
+  const newResults =
+    latestRunIds.length > 0
+      ? await db.integrationCheckResult.findMany({
+          where: {
+            checkRunId: { in: latestRunIds },
+          },
           select: {
-            integrationId: true,
+            id: true,
+            title: true,
+            description: true,
+            remediation: true,
+            severity: true,
+            collectedAt: true,
+            checkRunId: true,
+            passed: true,
           },
-        },
-      },
-      orderBy: {
-        completedAt: 'desc',
+          orderBy: {
+            collectedAt: 'desc',
+          },
+        })
+      : [];
+
+  const newFindings = newResults.map((result) => {
+    const checkRun = checkRunMap[result.checkRunId];
+    return {
+      id: result.id,
+      title: result.title,
+      description: result.description,
+      remediation: result.remediation,
+      status: result.passed ? 'passed' : 'failed',
+      severity: result.severity,
+      completedAt: result.collectedAt,
+      integration: {
+        integrationId: checkRun ? connectionToSlug[checkRun.connectionId] || 'unknown' : 'unknown',
       },
-    })) || [];
+    };
+  });
+
+  // ====================================================================
+  // Fetch findings from OLD platform (IntegrationResult)
+  // ====================================================================
+  const legacyIntegrationIds = activeLegacyIntegrations.map((i) => i.id);
 
-  const triggerToken = await auth.createTriggerPublicToken('run-integration-tests', {
-    multipleUse: true,
-    expirationTime: '1hr',
+  const legacyResults =
+    legacyIntegrationIds.length > 0
+      ? await db.integrationResult.findMany({
+          where: {
+            integrationId: {
+              in: legacyIntegrationIds,
+            },
+          },
+          select: {
+            id: true,
+            title: true,
+            description: true,
+            remediation: true,
+            status: true,
+            severity: true,
+            completedAt: true,
+            integration: {
+              select: {
+                integrationId: true,
+              },
+            },
+          },
+          orderBy: {
+            completedAt: 'desc',
+          },
+          take: 500,
+        })
+      : [];
+
+  const legacyFindings = legacyResults.map((result) => ({
+    id: result.id,
+    title: result.title,
+    description: result.description,
+    remediation: result.remediation,
+    status: result.status,
+    severity: result.severity,
+    completedAt: result.completedAt,
+    integration: {
+      integrationId: result.integration.integrationId,
+    },
+  }));
+
+  // ====================================================================
+  // Merge all findings and sort by date
+  // ====================================================================
+  const findings = [...newFindings, ...legacyFindings].sort((a, b) => {
+    const dateA = a.completedAt ? new Date(a.completedAt).getTime() : 0;
+    const dateB = b.completedAt ? new Date(b.completedAt).getTime() : 0;
+    return dateB - dateA;
   });
 
-  return (
-    <TestsLayout
-      initialFindings={findings}
-      initialProviders={providers}
-      triggerToken={triggerToken}
-      orgId={orgId}
-    />
-  );
+  return <TestsLayout initialFindings={findings} initialProviders={providers} orgId={orgId} />;
 }
diff --git a/apps/app/src/app/(app)/[orgId]/controls/[controlId]/actions/delete-control.ts b/apps/app/src/app/(app)/[orgId]/controls/[controlId]/actions/delete-control.ts
index fd92bd9cd..18831eda5 100644
--- a/apps/app/src/app/(app)/[orgId]/controls/[controlId]/actions/delete-control.ts
+++ b/apps/app/src/app/(app)/[orgId]/controls/[controlId]/actions/delete-control.ts
@@ -54,7 +54,7 @@ export const deleteControlAction = authActionClient
       // Revalidate paths to update UI
       revalidatePath(`/${activeOrganizationId}/controls/all`);
       revalidatePath(`/${activeOrganizationId}/controls`);
-      revalidateTag('controls');
+      revalidateTag('controls', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/actions/delete-framework.ts b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/actions/delete-framework.ts
index fb12ad4cc..4dfad3b0d 100644
--- a/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/actions/delete-framework.ts
+++ b/apps/app/src/app/(app)/[orgId]/frameworks/[frameworkInstanceId]/actions/delete-framework.ts
@@ -53,7 +53,7 @@ export const deleteFrameworkAction = authActionClient
 
       // Revalidate paths to update UI
       revalidatePath(`/${activeOrganizationId}/frameworks`);
-      revalidateTag('frameworks');
+      revalidateTag('frameworks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/IntegrationsGrid.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/IntegrationsGrid.tsx
deleted file mode 100644
index eb9cb771d..000000000
--- a/apps/app/src/app/(app)/[orgId]/integrations/components/IntegrationsGrid.tsx
+++ /dev/null
@@ -1,488 +0,0 @@
-'use client';
-
-import { api } from '@/lib/api-client';
-import { Badge } from '@comp/ui/badge';
-import { Button } from '@comp/ui/button';
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@comp/ui/card';
-import {
-  Dialog,
-  DialogContent,
-  DialogDescription,
-  DialogHeader,
-  DialogTitle,
-} from '@comp/ui/dialog';
-import { Skeleton } from '@comp/ui/skeleton';
-import { ArrowRight, CheckCircle2, Loader2, Plug, Sparkles, Zap } from 'lucide-react';
-import Image from 'next/image';
-import Link from 'next/link';
-import { useParams, useRouter } from 'next/navigation';
-import { useEffect, useMemo, useState } from 'react';
-import { toast } from 'sonner';
-import { getRelevantTasksForIntegration } from '../actions/get-relevant-tasks';
-import {
-  CATEGORIES,
-  INTEGRATIONS,
-  type Integration,
-  type IntegrationCategory,
-} from '../data/integrations';
-import { SearchInput } from './SearchInput';
-
-const LOGO_TOKEN = 'pk_AZatYxV5QDSfWpRDaBxzRQ';
-
-interface RelevantTask {
-  taskTemplateId: string;
-  taskName: string;
-  reason: string;
-  prompt: string;
-}
-
-function TaskCard({ task, orgId }: { task: RelevantTask; orgId: string }) {
-  const [isNavigating, setIsNavigating] = useState(false);
-  const router = useRouter();
-
-  const handleCardClick = async () => {
-    setIsNavigating(true);
-    toast.loading('Opening task automation...', { id: 'navigating' });
-
-    try {
-      // Fetch all tasks and find one with matching template ID
-      const response = await api.get<Array<{ id: string; taskTemplateId: string | null }>>(
-        '/v1/tasks',
-        orgId,
-      );
-
-      if (response.error || !response.data) {
-        throw new Error(response.error || 'Failed to fetch tasks');
-      }
-
-      // Debug logging
-      console.log('Looking for taskTemplateId:', task.taskTemplateId);
-      console.log(
-        'Available tasks:',
-        response.data.map((t) => ({ id: t.id, taskTemplateId: t.taskTemplateId })),
-      );
-
-      const matchingTask = response.data.find(
-        (t) => t.taskTemplateId && t.taskTemplateId === task.taskTemplateId,
-      );
-
-      if (!matchingTask) {
-        toast.dismiss('navigating');
-        toast.error(`Task "${task.taskName}" not found. Please create it first.`);
-        setIsNavigating(false);
-        await router.push(`/${orgId}/tasks`);
-        return;
-      }
-
-      const url = `/${orgId}/tasks/${matchingTask.id}/automation/new?prompt=${encodeURIComponent(task.prompt)}`;
-      toast.dismiss('navigating');
-      toast.success('Redirecting...', { duration: 1000 });
-
-      // Use window.location for immediate navigation
-      window.location.href = url;
-    } catch (error) {
-      console.error('Error finding task:', error);
-      toast.dismiss('navigating');
-      toast.error('Failed to find task');
-      setIsNavigating(false);
-    }
-  };
-
-  return (
-    <div
-      onClick={handleCardClick}
-      className="group/task relative block p-5 rounded-xl bg-gradient-to-br from-background to-muted/20 border border-border/60 hover:border-primary/40 hover:shadow-md transition-all duration-200 h-full overflow-hidden cursor-pointer"
-    >
-      {isNavigating && (
-        <div className="absolute inset-0 bg-background/80 backdrop-blur-sm z-10 flex flex-col items-center justify-center gap-3 rounded-xl">
-          <Loader2 className="w-6 h-6 animate-spin text-primary" />
-          <div className="text-center space-y-1">
-            <p className="text-sm font-medium text-foreground">Opening task...</p>
-            <p className="text-xs text-muted-foreground">
-              Redirecting to automation with prompt pre-filled
-            </p>
-          </div>
-        </div>
-      )}
-      <div className="absolute inset-0 bg-gradient-to-br from-primary/0 via-primary/0 to-primary/5 opacity-0 group-hover/task:opacity-100 transition-opacity duration-200" />
-      <div className="relative flex flex-col h-full">
-        <div className="flex items-start justify-between gap-3">
-          <div className="flex-1 min-w-0">
-            <div className="flex items-start gap-2 mb-2">
-              <div className="w-1.5 h-1.5 rounded-full bg-primary/40 mt-1.5 flex-shrink-0 group-hover/task:bg-primary transition-colors" />
-              <p className="text-sm font-semibold text-foreground group-hover/task:text-primary transition-colors">
-                {task.taskName}
-              </p>
-            </div>
-            <p className="text-xs text-muted-foreground leading-relaxed line-clamp-2 pl-3.5">
-              {task.reason}
-            </p>
-          </div>
-          <ArrowRight className="w-4 h-4 text-muted-foreground group-hover/task:text-primary group-hover/task:translate-x-0.5 transition-all flex-shrink-0 mt-0.5" />
-        </div>
-      </div>
-    </div>
-  );
-}
-
-export function IntegrationsGrid({
-  taskTemplates,
-}: {
-  taskTemplates: Array<{ id: string; name: string; description: string }>;
-}) {
-  const { orgId } = useParams<{ orgId: string }>();
-  const [searchQuery, setSearchQuery] = useState('');
-  const [selectedCategory, setSelectedCategory] = useState<IntegrationCategory | 'All'>('All');
-  const [selectedIntegration, setSelectedIntegration] = useState<Integration | null>(null);
-  const [relevantTasks, setRelevantTasks] = useState<RelevantTask[]>([]);
-  const [isLoadingTasks, setIsLoadingTasks] = useState(false);
-
-  // Filter integrations with fuzzy search
-  const filteredIntegrations = useMemo(() => {
-    let filtered = INTEGRATIONS;
-
-    // Filter by category
-    if (selectedCategory !== 'All') {
-      filtered = filtered.filter((i) => i.category === selectedCategory);
-    }
-
-    // Fuzzy search - more flexible matching
-    if (searchQuery.trim()) {
-      const query = searchQuery.toLowerCase().trim();
-      const terms = query.split(' ').filter(Boolean);
-
-      filtered = filtered.filter((i) => {
-        const searchText =
-          `${i.name} ${i.description} ${i.category} ${i.examplePrompts.join(' ')}`.toLowerCase();
-        // Match if ANY search term is found
-        return terms.some((term) => searchText.includes(term));
-      });
-    }
-
-    return filtered;
-  }, [searchQuery, selectedCategory]);
-
-  const handleCopyPrompt = (prompt: string) => {
-    navigator.clipboard.writeText(prompt);
-    toast.success('Prompt copied to clipboard!');
-  };
-
-  useEffect(() => {
-    if (selectedIntegration && orgId && taskTemplates.length > 0) {
-      setIsLoadingTasks(true);
-      getRelevantTasksForIntegration(
-        selectedIntegration.name,
-        selectedIntegration.description,
-        taskTemplates,
-      )
-        .then((tasks) => {
-          setRelevantTasks(tasks);
-        })
-        .catch((error) => {
-          console.error('Error fetching relevant tasks:', error);
-          setRelevantTasks([]);
-        })
-        .finally(() => {
-          setIsLoadingTasks(false);
-        });
-    } else {
-      setRelevantTasks([]);
-    }
-  }, [selectedIntegration, orgId, taskTemplates]);
-
-  return (
-    <div className="space-y-4">
-      {/* Search and Filters */}
-      <div className="flex flex-col gap-3">
-        {/* Search Bar */}
-        <SearchInput
-          value={searchQuery}
-          onChange={setSearchQuery}
-          placeholder="Search integrations..."
-          className="w-full"
-        />
-
-        {/* Category Filters - Horizontal scroll on mobile */}
-        <div className="flex gap-2 overflow-x-auto pb-2 -mx-1 px-1 sm:overflow-x-visible sm:flex-wrap sm:pb-0 sm:mx-0 sm:px-0 scrollbar-hide [&::-webkit-scrollbar]:hidden [-ms-overflow-style:none] [scrollbar-width:none]">
-          <Button
-            size="sm"
-            variant={selectedCategory === 'All' ? 'default' : 'outline'}
-            onClick={() => setSelectedCategory('All')}
-            className="flex-shrink-0 whitespace-nowrap min-w-fit px-4"
-          >
-            All
-          </Button>
-          {CATEGORIES.map((category) => (
-            <Button
-              key={category}
-              size="sm"
-              variant={selectedCategory === category ? 'default' : 'outline'}
-              onClick={() => setSelectedCategory(category)}
-              className="flex-shrink-0 whitespace-nowrap min-w-fit px-4"
-            >
-              {category}
-            </Button>
-          ))}
-        </div>
-      </div>
-
-      <div className="space-y-2">
-        {/* Integration Cards */}
-        {(searchQuery || selectedCategory !== 'All') && filteredIntegrations.length > 0 && (
-          <div className="text-sm text-muted-foreground">
-            Showing {filteredIntegrations.length}{' '}
-            {filteredIntegrations.length === 1 ? 'match' : 'matches'}
-          </div>
-        )}
-        <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
-          {/* Results info - only show when filtering */}
-          {filteredIntegrations.map((integration) => (
-            <Card
-              key={integration.id}
-              className="group relative overflow-hidden hover:shadow-md transition-all hover:border-primary/30 cursor-pointer"
-              onClick={() => setSelectedIntegration(integration)}
-            >
-              <CardHeader className="pb-3">
-                <div className="flex items-start justify-between">
-                  <div className="flex items-center gap-3">
-                    <div className="w-12 h-12 rounded-xl bg-background border border-border flex items-center justify-center overflow-hidden">
-                      <Image
-                        src={`https://img.logo.dev/${integration.domain}?token=${LOGO_TOKEN}`}
-                        alt={`${integration.name} logo`}
-                        width={32}
-                        height={32}
-                        unoptimized
-                        className="object-contain rounded-md"
-                      />
-                    </div>
-                    <div>
-                      <CardTitle className="text-base font-semibold flex items-center gap-2">
-                        {integration.name}
-                        {integration.popular && (
-                          <Badge variant="secondary" className="text-[10px] px-1.5 py-0">
-                            Popular
-                          </Badge>
-                        )}
-                      </CardTitle>
-                      <p className="text-xs text-muted-foreground mt-0.5">{integration.category}</p>
-                    </div>
-                  </div>
-                </div>
-              </CardHeader>
-              <CardContent>
-                <CardDescription className="text-sm leading-relaxed line-clamp-2">
-                  {integration.description}
-                </CardDescription>
-              </CardContent>
-
-              {/* Hover overlay */}
-              <div className="absolute inset-0 bg-primary/5 opacity-0 group-hover:opacity-100 transition-opacity pointer-events-none" />
-            </Card>
-          ))}
-        </div>
-      </div>
-
-      {/* Empty state - opportunity, not limitation */}
-      {filteredIntegrations.length === 0 && (
-        <div className="text-center py-16">
-          <div className="max-w-xl mx-auto space-y-6">
-            <div className="space-y-3">
-              <div className="inline-flex items-center justify-center w-16 h-16 rounded-2xl bg-primary/10">
-                <Sparkles className="w-8 h-8 text-primary" />
-              </div>
-              <div className="space-y-2">
-                <h3 className="text-xl font-semibold text-foreground">Just ask the agent</h3>
-                <p className="text-sm text-muted-foreground leading-relaxed max-w-md mx-auto">
-                  {searchQuery ? (
-                    <>
-                      "{searchQuery}" isn't in our directory, but the agent can connect to it
-                      anyway. Describe what you need in natural language.
-                    </>
-                  ) : (
-                    <>
-                      The agent can integrate with any system—you're not limited to this directory.
-                    </>
-                  )}
-                </p>
-              </div>
-            </div>
-
-            <div className="p-5 rounded-xl bg-background border border-border text-left space-y-3">
-              <p className="text-sm font-medium text-foreground">Example for your search:</p>
-              <div className="space-y-2">
-                <button
-                  onClick={() =>
-                    handleCopyPrompt(
-                      `Connect to ${searchQuery || 'our system'} and check security settings`,
-                    )
-                  }
-                  className="w-full p-3 rounded-lg bg-muted/50 border border-border hover:border-primary/30 transition-colors text-left group"
-                >
-                  <p className="text-sm text-foreground/80 group-hover:text-foreground">
-                    "Connect to {searchQuery || 'our system'} and check security settings"
-                  </p>
-                </button>
-                <button
-                  onClick={() =>
-                    handleCopyPrompt(
-                      `Pull compliance data from ${searchQuery || 'our internal tool'}`,
-                    )
-                  }
-                  className="w-full p-3 rounded-lg bg-muted/50 border border-border hover:border-primary/30 transition-colors text-left group"
-                >
-                  <p className="text-sm text-foreground/80 group-hover:text-foreground">
-                    "Pull compliance data from {searchQuery || 'our internal tool'}"
-                  </p>
-                </button>
-              </div>
-              <Link
-                href={`/${orgId}/tasks`}
-                className="flex items-center justify-center gap-2 text-sm text-primary hover:text-primary/80 font-medium pt-2"
-              >
-                Go to Tasks to get started
-                <ArrowRight className="w-3.5 h-3.5" />
-              </Link>
-            </div>
-
-            {searchQuery && (
-              <button
-                onClick={() => {
-                  setSearchQuery('');
-                  setSelectedCategory('All');
-                }}
-                className="text-sm text-muted-foreground hover:text-foreground font-medium"
-              >
-                ← Browse common integrations
-              </button>
-            )}
-          </div>
-        </div>
-      )}
-
-      {/* Integration Detail Modal */}
-      {selectedIntegration && (
-        <Dialog open={!!selectedIntegration} onOpenChange={() => setSelectedIntegration(null)}>
-          <DialogContent className="sm:max-w-4xl max-h-[90vh] overflow-y-auto p-0">
-            <div className="relative overflow-hidden">
-              {/* Header with gradient background */}
-              <div className="bg-gradient-to-br from-primary/5 via-primary/3 to-background border-b border-border/50 p-6">
-                <DialogHeader className="pb-0">
-                  <div className="flex items-start gap-4 mb-3">
-                    <div className="w-14 h-14 rounded-2xl bg-background border-2 border-border shadow-sm flex items-center justify-center overflow-hidden ring-2 ring-primary/10">
-                      <Image
-                        src={`https://img.logo.dev/${selectedIntegration.domain}?token=${LOGO_TOKEN}`}
-                        alt={`${selectedIntegration.name} logo`}
-                        width={36}
-                        height={36}
-                        unoptimized
-                        className="object-contain"
-                      />
-                    </div>
-                    <div className="flex-1">
-                      <div className="flex items-center gap-2 mb-1">
-                        <DialogTitle className="text-2xl font-bold">
-                          {selectedIntegration.name}
-                        </DialogTitle>
-                        {selectedIntegration.popular && (
-                          <Badge variant="secondary" className="text-[10px] px-2 py-0.5">
-                            Popular
-                          </Badge>
-                        )}
-                      </div>
-                      <div className="flex items-center gap-2">
-                        <span className="text-xs font-medium text-primary">
-                          {selectedIntegration.category}
-                        </span>
-                        <span className="text-xs text-muted-foreground">•</span>
-                        <span className="text-xs text-muted-foreground">Integration</span>
-                      </div>
-                    </div>
-                  </div>
-                  <DialogDescription className="text-sm leading-relaxed text-foreground/80 mt-2">
-                    {selectedIntegration.description}
-                  </DialogDescription>
-                </DialogHeader>
-              </div>
-
-              <div className="p-6 space-y-8">
-                {/* Setup Instructions */}
-                <div className="space-y-3">
-                  <div className="flex items-center gap-2">
-                    <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
-                      <Plug className="w-4 h-4 text-primary" />
-                    </div>
-                    <h4 className="text-base font-semibold text-foreground">How to Connect</h4>
-                  </div>
-                  <div className="p-5 rounded-xl bg-gradient-to-br from-muted/80 to-muted/40 border border-border/50 shadow-sm space-y-3">
-                    <p className="text-sm text-foreground leading-relaxed">
-                      Click on any relevant task below to create an automation with{' '}
-                      {selectedIntegration.name}. The automation will be pre-configured with a
-                      prompt tailored to that task. The agent will ask you for the necessary
-                      permissions and API keys if required.
-                    </p>
-                    {selectedIntegration.setupHint && (
-                      <div className="flex items-start gap-2 pt-2 border-t border-border/50">
-                        <CheckCircle2 className="w-4 h-4 text-muted-foreground mt-0.5 flex-shrink-0" />
-                        <p className="text-xs text-muted-foreground">
-                          <span className="font-medium text-foreground">Typically requires:</span>{' '}
-                          {selectedIntegration.setupHint}
-                        </p>
-                      </div>
-                    )}
-                  </div>
-                </div>
-
-                {/* Relevant Tasks */}
-                <div className="space-y-3">
-                  <div className="flex items-center gap-2">
-                    <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
-                      <Zap className="w-4 h-4 text-primary" />
-                    </div>
-                    <h4 className="text-base font-semibold text-foreground">Relevant Tasks</h4>
-                  </div>
-                  {isLoadingTasks ? (
-                    <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
-                      {[...Array(4)].map((_, index) => (
-                        <div
-                          key={index}
-                          className="p-5 rounded-xl bg-gradient-to-br from-muted/40 to-muted/20 border-2 border-dashed border-muted-foreground/20 h-full animate-pulse"
-                        >
-                          <div className="flex items-start justify-between gap-3 h-full">
-                            <div className="flex-1 min-w-0">
-                              <div className="flex items-start gap-2 mb-3">
-                                <Skeleton className="w-2 h-2 rounded-full mt-1.5 flex-shrink-0 bg-muted-foreground/30" />
-                                <Skeleton className="h-4 w-32 bg-muted-foreground/30" />
-                              </div>
-                              <div className="pl-4 space-y-2.5">
-                                <Skeleton className="h-3 w-full bg-muted-foreground/25" />
-                                <Skeleton className="h-3 w-5/6 bg-muted-foreground/25" />
-                                <Skeleton className="h-3 w-4/6 bg-muted-foreground/25" />
-                              </div>
-                            </div>
-                            <Skeleton className="w-4 h-4 rounded-full bg-muted-foreground/30 mt-0.5 flex-shrink-0" />
-                          </div>
-                        </div>
-                      ))}
-                    </div>
-                  ) : relevantTasks.length > 0 ? (
-                    <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
-                      {relevantTasks.map((task) => (
-                        <TaskCard key={task.taskTemplateId} task={task} orgId={orgId} />
-                      ))}
-                    </div>
-                  ) : (
-                    <div className="p-5 rounded-xl bg-muted/50 border border-border/50">
-                      <p className="text-sm text-muted-foreground text-center">
-                        No relevant tasks found for this integration.
-                      </p>
-                    </div>
-                  )}
-                </div>
-              </div>
-            </div>
-          </DialogContent>
-        </Dialog>
-      )}
-    </div>
-  );
-}
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
new file mode 100644
index 000000000..ac9eaf0b3
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/PlatformIntegrations.tsx
@@ -0,0 +1,827 @@
+'use client';
+
+import { ConnectIntegrationDialog } from '@/components/integrations/ConnectIntegrationDialog';
+import { ManageIntegrationDialog } from '@/components/integrations/ManageIntegrationDialog';
+import {
+  ConnectionListItem,
+  IntegrationProvider,
+  useIntegrationConnections,
+  useIntegrationMutations,
+  useIntegrationProviders,
+} from '@/hooks/use-integration-platform';
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@comp/ui/card';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { Skeleton } from '@comp/ui/skeleton';
+import {
+  AlertCircle,
+  AlertTriangle,
+  ArrowRight,
+  CheckCircle2,
+  Loader2,
+  Plug,
+  Settings2,
+  Sparkles,
+  Zap,
+} from 'lucide-react';
+import Image from 'next/image';
+import Link from 'next/link';
+import { useParams, useSearchParams } from 'next/navigation';
+import { useEffect, useMemo, useRef, useState } from 'react';
+import { toast } from 'sonner';
+import { getRelevantTasksForIntegration } from '../actions/get-relevant-tasks';
+import {
+  CATEGORIES,
+  INTEGRATIONS,
+  type Integration,
+  type IntegrationCategory,
+} from '../data/integrations';
+import { SearchInput } from './SearchInput';
+import { TaskCard, TaskCardSkeleton } from './TaskCard';
+
+const LOGO_TOKEN = 'pk_AZatYxV5QDSfWpRDaBxzRQ';
+
+// Check if a provider needs variable configuration based on manifest's required variables
+const providerNeedsConfiguration = (
+  requiredVariables: string[] | undefined,
+  variables: Record<string, unknown> | null | undefined,
+): boolean => {
+  if (!requiredVariables || requiredVariables.length === 0) return false;
+
+  const currentVars = variables || {};
+  return requiredVariables.some((varId) => !currentVars[varId]);
+};
+
+interface RelevantTask {
+  taskTemplateId: string;
+  taskName: string;
+  reason: string;
+  prompt: string;
+}
+
+type UnifiedIntegration =
+  | { type: 'platform'; provider: IntegrationProvider; connection?: ConnectionListItem }
+  | { type: 'custom'; integration: Integration };
+
+interface PlatformIntegrationsProps {
+  className?: string;
+  taskTemplates: Array<{ id: string; name: string; description: string }>;
+}
+
+export function PlatformIntegrations({ className, taskTemplates }: PlatformIntegrationsProps) {
+  const { orgId } = useParams<{ orgId: string }>();
+  const searchParams = useSearchParams();
+  const { providers, isLoading: loadingProviders } = useIntegrationProviders(true);
+  const {
+    connections,
+    isLoading: loadingConnections,
+    refresh: refreshConnections,
+  } = useIntegrationConnections();
+  const { startOAuth } = useIntegrationMutations();
+
+  const [searchQuery, setSearchQuery] = useState('');
+  const [selectedCategory, setSelectedCategory] = useState<IntegrationCategory | 'All'>('All');
+  const [connectingProvider, setConnectingProvider] = useState<string | null>(null);
+  const hasHandledOAuthRef = useRef(false);
+
+  // Management dialog state
+  const [manageDialogOpen, setManageDialogOpen] = useState(false);
+  const [selectedConnection, setSelectedConnection] = useState<ConnectionListItem | null>(null);
+  const [selectedProvider, setSelectedProvider] = useState<IntegrationProvider | null>(null);
+
+  // Connect dialog state (for non-OAuth)
+  const [connectDialogOpen, setConnectDialogOpen] = useState(false);
+  const [connectingProviderInfo, setConnectingProviderInfo] = useState<IntegrationProvider | null>(
+    null,
+  );
+
+  // Custom integration dialog state
+  const [selectedCustomIntegration, setSelectedCustomIntegration] = useState<Integration | null>(
+    null,
+  );
+  const [relevantTasks, setRelevantTasks] = useState<RelevantTask[]>([]);
+  const [isLoadingTasks, setIsLoadingTasks] = useState(false);
+
+  const handleConnect = async (provider: IntegrationProvider) => {
+    // For OAuth, redirect to authorization URL
+    if (provider.authType === 'oauth2') {
+      setConnectingProvider(provider.id);
+      try {
+        const redirectUrl = window.location.href;
+        const result = await startOAuth(provider.id, redirectUrl);
+        if (result.authorizationUrl) {
+          window.location.href = result.authorizationUrl;
+        } else {
+          toast.error(result.error || 'Failed to start connection');
+          setConnectingProvider(null);
+        }
+      } catch {
+        toast.error('Failed to start connection');
+        setConnectingProvider(null);
+      }
+      return;
+    }
+
+    // For non-OAuth (api_key, basic, custom), open the connect dialog
+    setConnectingProviderInfo(provider);
+    setConnectDialogOpen(true);
+  };
+
+  const handleConnectDialogSuccess = () => {
+    refreshConnections();
+    setConnectDialogOpen(false);
+    setConnectingProviderInfo(null);
+  };
+
+  const handleOpenManageDialog = (
+    connection: ConnectionListItem,
+    provider: IntegrationProvider,
+  ) => {
+    setSelectedConnection(connection);
+    setSelectedProvider(provider);
+    setManageDialogOpen(true);
+  };
+
+  const handleCloseManageDialog = () => {
+    setManageDialogOpen(false);
+    setSelectedConnection(null);
+    setSelectedProvider(null);
+  };
+
+  // Map connections by provider slug
+  const connectionsByProvider = useMemo(
+    () => new Map(connections?.map((c) => [c.providerSlug, c]) || []),
+    [connections],
+  );
+
+  // Merge and sort: platform first (warnings, then connected, then disconnected), then custom
+  const unifiedIntegrations = useMemo<UnifiedIntegration[]>(() => {
+    const platformIntegrations: UnifiedIntegration[] = (providers?.filter((p) => p.isActive) || [])
+      .map((provider) => ({
+        type: 'platform' as const,
+        provider,
+        connection: connectionsByProvider.get(provider.id),
+      }))
+      .sort((a, b) => {
+        const aConnected = a.connection?.status === 'active';
+        const bConnected = b.connection?.status === 'active';
+        const aNeedsConfig = aConnected && a.connection?.variables === null;
+        const bNeedsConfig = bConnected && b.connection?.variables === null;
+
+        // Warnings first
+        if (aNeedsConfig && !bNeedsConfig) return -1;
+        if (!aNeedsConfig && bNeedsConfig) return 1;
+
+        // Then connected
+        if (aConnected && !bConnected) return -1;
+        if (!aConnected && bConnected) return 1;
+
+        // Then alphabetical
+        return a.provider.name.localeCompare(b.provider.name);
+      });
+
+    const customIntegrations: UnifiedIntegration[] = INTEGRATIONS.map((integration) => ({
+      type: 'custom' as const,
+      integration,
+    }));
+
+    return [...platformIntegrations, ...customIntegrations];
+  }, [providers, connectionsByProvider]);
+
+  // Get all unique categories
+  const allCategories = useMemo(() => {
+    const platformCategories = new Set(providers?.map((p) => p.category) || []);
+    const customCategories = new Set(CATEGORIES);
+    return Array.from(new Set([...platformCategories, ...customCategories])).sort();
+  }, [providers]);
+
+  // Filter integrations
+  const filteredIntegrations = useMemo(() => {
+    let filtered = unifiedIntegrations;
+
+    // Filter by category
+    if (selectedCategory !== 'All') {
+      filtered = filtered.filter((item) => {
+        if (item.type === 'platform') {
+          return item.provider.category === selectedCategory;
+        }
+        return item.integration.category === selectedCategory;
+      });
+    }
+
+    // Search filter
+    if (searchQuery.trim()) {
+      const query = searchQuery.toLowerCase().trim();
+      const terms = query.split(' ').filter(Boolean);
+
+      filtered = filtered.filter((item) => {
+        if (item.type === 'platform') {
+          const searchText =
+            `${item.provider.name} ${item.provider.description} ${item.provider.category}`.toLowerCase();
+          return terms.some((term) => searchText.includes(term));
+        }
+        const searchText =
+          `${item.integration.name} ${item.integration.description} ${item.integration.category} ${item.integration.examplePrompts.join(' ')}`.toLowerCase();
+        return terms.some((term) => searchText.includes(term));
+      });
+    }
+
+    return filtered;
+  }, [unifiedIntegrations, searchQuery, selectedCategory]);
+
+  // Handle OAuth callback - auto-open config dialog for newly connected provider
+  useEffect(() => {
+    // Only handle once
+    if (hasHandledOAuthRef.current) return;
+
+    const success = searchParams.get('success');
+    const providerSlug = searchParams.get('provider');
+
+    // Check if this is an OAuth callback
+    if (success !== 'true' || !providerSlug) return;
+
+    // Wait for data to load
+    if (!connections || !providers || loadingConnections || loadingProviders) {
+      console.log('[OAuth] Waiting for data to load...');
+      return;
+    }
+
+    // Mark as handled
+    hasHandledOAuthRef.current = true;
+    console.log('[OAuth] Handling callback for', providerSlug);
+
+    const connection = connections.find((c) => c.providerSlug === providerSlug);
+    const provider = providers.find((p) => p.id === providerSlug);
+
+    if (connection && provider) {
+      console.log('[OAuth] Found connection and provider, opening dialog');
+      toast.success(`${provider.name} connected successfully!`);
+
+      // Set state first
+      setSelectedConnection(connection);
+      setSelectedProvider(provider);
+
+      // Open dialog after a tick to ensure state is updated
+      setTimeout(() => {
+        console.log('[OAuth] Opening manage dialog');
+        setManageDialogOpen(true);
+      }, 150);
+    } else {
+      console.warn('[OAuth] Connection or provider not found:', {
+        hasConnection: !!connection,
+        hasProvider: !!provider,
+        connectionsCount: connections.length,
+        providersCount: providers.length,
+      });
+    }
+
+    // Clean up URL parameters
+    const url = new URL(window.location.href);
+    url.searchParams.delete('success');
+    url.searchParams.delete('provider');
+    window.history.replaceState({}, '', url.toString());
+  }, [searchParams, connections, providers, loadingConnections, loadingProviders]);
+
+  // Custom integration task loading
+  useEffect(() => {
+    if (selectedCustomIntegration && orgId && taskTemplates.length > 0) {
+      setIsLoadingTasks(true);
+      getRelevantTasksForIntegration(
+        selectedCustomIntegration.name,
+        selectedCustomIntegration.description,
+        taskTemplates,
+      )
+        .then((tasks) => setRelevantTasks(tasks))
+        .catch((error) => {
+          console.error('Error fetching relevant tasks:', error);
+          setRelevantTasks([]);
+        })
+        .finally(() => setIsLoadingTasks(false));
+    } else {
+      setRelevantTasks([]);
+    }
+  }, [selectedCustomIntegration, orgId, taskTemplates]);
+
+  const handleCopyPrompt = (prompt: string) => {
+    navigator.clipboard.writeText(prompt);
+    toast.success('Prompt copied to clipboard!');
+  };
+
+  if (loadingProviders || loadingConnections) {
+    return (
+      <div className={className}>
+        <div className="space-y-4">
+          <Skeleton className="h-10 w-full max-w-md" />
+          <div className="flex gap-2">
+            {[1, 2, 3, 4].map((i) => (
+              <Skeleton key={i} className="h-8 w-20" />
+            ))}
+          </div>
+          <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+            {[1, 2, 3, 4, 5, 6].map((i) => (
+              <Card key={i}>
+                <CardHeader className="pb-3">
+                  <Skeleton className="h-12 w-12 rounded-xl" />
+                  <Skeleton className="h-5 w-32 mt-2" />
+                  <Skeleton className="h-4 w-24" />
+                </CardHeader>
+                <CardContent>
+                  <Skeleton className="h-4 w-full" />
+                  <Skeleton className="h-4 w-3/4 mt-2" />
+                </CardContent>
+              </Card>
+            ))}
+          </div>
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <div className={className}>
+      <div className="space-y-4">
+        {/* Search and Filters */}
+        <div className="flex flex-col gap-3">
+          <SearchInput
+            value={searchQuery}
+            onChange={setSearchQuery}
+            placeholder="Search integrations..."
+            className="w-full max-w-md"
+          />
+
+          <div className="flex gap-2 overflow-x-auto pb-2 -mx-1 px-1 sm:overflow-x-visible sm:flex-wrap sm:pb-0 sm:mx-0 sm:px-0 scrollbar-hide [&::-webkit-scrollbar]:hidden [-ms-overflow-style:none] [scrollbar-width:none]">
+            <Button
+              size="sm"
+              variant={selectedCategory === 'All' ? 'default' : 'outline'}
+              onClick={() => setSelectedCategory('All')}
+              className="flex-shrink-0 whitespace-nowrap min-w-fit px-4"
+            >
+              All
+            </Button>
+            {allCategories.map((category) => (
+              <Button
+                key={category}
+                size="sm"
+                variant={selectedCategory === category ? 'default' : 'outline'}
+                onClick={() => setSelectedCategory(category as IntegrationCategory)}
+                className="flex-shrink-0 whitespace-nowrap min-w-fit px-4"
+              >
+                {category}
+              </Button>
+            ))}
+          </div>
+        </div>
+
+        {/* Results info */}
+        {(searchQuery || selectedCategory !== 'All') && filteredIntegrations.length > 0 && (
+          <div className="text-sm text-muted-foreground">
+            Showing {filteredIntegrations.length}{' '}
+            {filteredIntegrations.length === 1 ? 'integration' : 'integrations'}
+          </div>
+        )}
+
+        {/* Integration Cards Grid */}
+        {filteredIntegrations.length > 0 ? (
+          <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+            {filteredIntegrations.map((item) => {
+              if (item.type === 'platform') {
+                const { provider, connection } = item;
+                const isConnected = connection?.status === 'active';
+                const isConnecting = connectingProvider === provider.id;
+                const hasError = connection?.status === 'error';
+
+                // Check if connected but missing required configuration
+                const needsConfiguration =
+                  isConnected &&
+                  providerNeedsConfiguration(
+                    provider.requiredVariables,
+                    connection?.variables as Record<string, unknown> | null,
+                  );
+
+                return (
+                  <Card
+                    key={`platform-${provider.id}`}
+                    className={`relative overflow-hidden transition-all flex flex-col ${
+                      needsConfiguration
+                        ? 'border-warning/30 bg-warning/5'
+                        : isConnected
+                          ? 'border-primary/30 bg-primary/5'
+                          : 'hover:border-primary/20 hover:shadow-sm'
+                    }`}
+                  >
+                    <CardHeader className="pb-3">
+                      <div className="flex items-start justify-between">
+                        <div className="flex items-center gap-3">
+                          <div className="w-12 h-12 rounded-xl bg-background border border-border flex items-center justify-center overflow-hidden">
+                            <Image
+                              src={provider.logoUrl}
+                              alt={`${provider.name} logo`}
+                              width={32}
+                              height={32}
+                              className="object-contain"
+                            />
+                          </div>
+                          <div>
+                            <CardTitle className="text-base font-semibold flex items-center gap-2">
+                              {provider.name}
+                              {isConnected && !needsConfiguration && (
+                                <CheckCircle2 className="h-4 w-4 text-primary" />
+                              )}
+                              {needsConfiguration && (
+                                <AlertTriangle className="h-4 w-4 text-warning" />
+                              )}
+                              {hasError && <AlertCircle className="h-4 w-4 text-destructive" />}
+                            </CardTitle>
+                            <div className="flex items-center gap-2 mt-0.5">
+                              <p className="text-xs text-muted-foreground">{provider.category}</p>
+                              <Badge variant="secondary" className="text-[10px] px-1.5 py-0">
+                                Platform
+                              </Badge>
+                            </div>
+                          </div>
+                        </div>
+                        {isConnected && (
+                          <Button
+                            variant="ghost"
+                            size="sm"
+                            className="h-8 w-8 p-0"
+                            onClick={() => handleOpenManageDialog(connection, provider)}
+                          >
+                            <Settings2 className="h-4 w-4" />
+                          </Button>
+                        )}
+                      </div>
+                    </CardHeader>
+                    <CardContent className="flex flex-col h-full">
+                      <div className="flex-1 space-y-4">
+                        <CardDescription className="text-sm leading-relaxed line-clamp-2">
+                          {provider.description}
+                        </CardDescription>
+
+                        {/* Mapped tasks */}
+                        {provider.mappedTasks && provider.mappedTasks.length > 0 && (
+                          <div className="flex flex-wrap gap-1.5">
+                            {provider.mappedTasks.slice(0, 3).map((task) => (
+                              <Badge
+                                key={task.id}
+                                variant="secondary"
+                                className="text-[10px] px-1.5 py-0.5 font-normal"
+                              >
+                                {task.name}
+                              </Badge>
+                            ))}
+                            {provider.mappedTasks.length > 3 && (
+                              <Badge
+                                variant="outline"
+                                className="text-[10px] px-1.5 py-0.5 font-normal"
+                              >
+                                +{provider.mappedTasks.length - 3} more
+                              </Badge>
+                            )}
+                          </div>
+                        )}
+                      </div>
+
+                      <div className="mt-auto pt-4">
+                        {needsConfiguration ? (
+                          <Button
+                            size="sm"
+                            variant="outline"
+                            className="w-full"
+                            onClick={() => handleOpenManageDialog(connection, provider)}
+                          >
+                            Configure Variables
+                          </Button>
+                        ) : isConnected ? null : hasError ? (
+                          <div className="space-y-2 pt-2 border-t border-border/50">
+                            <p className="text-xs text-destructive line-clamp-1">
+                              {connection?.errorMessage || 'Connection error'}
+                            </p>
+                            <Button
+                              size="sm"
+                              variant="outline"
+                              className="w-full"
+                              onClick={() => handleConnect(provider)}
+                              disabled={isConnecting}
+                            >
+                              {isConnecting ? (
+                                <>
+                                  <Loader2 className="h-3 w-3 mr-2 animate-spin" />
+                                  Reconnecting...
+                                </>
+                              ) : (
+                                'Reconnect'
+                              )}
+                            </Button>
+                          </div>
+                        ) : provider.authType === 'oauth2' && provider.oauthConfigured === false ? (
+                          <Button size="sm" variant="outline" className="w-full" disabled>
+                            Coming Soon
+                          </Button>
+                        ) : (
+                          <Button
+                            size="sm"
+                            className="w-full"
+                            onClick={() => handleConnect(provider)}
+                            disabled={isConnecting}
+                          >
+                            {isConnecting ? (
+                              <>
+                                <Loader2 className="h-3 w-3 mr-2 animate-spin" />
+                                Connecting...
+                              </>
+                            ) : (
+                              'Connect'
+                            )}
+                          </Button>
+                        )}
+                      </div>
+                    </CardContent>
+                  </Card>
+                );
+              }
+
+              // Custom integration card
+              const { integration } = item;
+              return (
+                <Card
+                  key={`custom-${integration.id}`}
+                  className="group relative overflow-hidden hover:shadow-md transition-all hover:border-primary/30 cursor-pointer"
+                  onClick={() => setSelectedCustomIntegration(integration)}
+                >
+                  <CardHeader className="pb-3">
+                    <div className="flex items-start justify-between">
+                      <div className="flex items-center gap-3">
+                        <div className="w-12 h-12 rounded-xl bg-background border border-border flex items-center justify-center overflow-hidden">
+                          <Image
+                            src={`https://img.logo.dev/${integration.domain}?token=${LOGO_TOKEN}`}
+                            alt={`${integration.name} logo`}
+                            width={32}
+                            height={32}
+                            unoptimized
+                            className="object-contain rounded-md"
+                          />
+                        </div>
+                        <div>
+                          <CardTitle className="text-base font-semibold flex items-center gap-2">
+                            {integration.name}
+                            {integration.popular && (
+                              <Badge variant="outline" className="text-[10px] px-1.5 py-0">
+                                Popular
+                              </Badge>
+                            )}
+                          </CardTitle>
+                          <div className="flex items-center gap-2 mt-0.5">
+                            <p className="text-xs text-muted-foreground">{integration.category}</p>
+                            <Badge
+                              variant="outline"
+                              className="text-[10px] px-1.5 py-0 border-dashed"
+                            >
+                              AI Agent
+                            </Badge>
+                          </div>
+                        </div>
+                      </div>
+                    </div>
+                  </CardHeader>
+                  <CardContent>
+                    <CardDescription className="text-sm leading-relaxed line-clamp-2">
+                      {integration.description}
+                    </CardDescription>
+                  </CardContent>
+                  <div className="absolute inset-0 bg-primary/5 opacity-0 group-hover:opacity-100 transition-opacity pointer-events-none" />
+                </Card>
+              );
+            })}
+          </div>
+        ) : (
+          // Empty state
+          <div className="text-center py-16">
+            <div className="max-w-xl mx-auto space-y-6">
+              <div className="space-y-3">
+                <div className="inline-flex items-center justify-center w-16 h-16 rounded-2xl bg-primary/10">
+                  <Sparkles className="w-8 h-8 text-primary" />
+                </div>
+                <div className="space-y-2">
+                  <h3 className="text-xl font-semibold text-foreground">Just ask the agent</h3>
+                  <p className="text-sm text-muted-foreground leading-relaxed max-w-md mx-auto">
+                    {searchQuery ? (
+                      <>
+                        "{searchQuery}" isn't in our directory, but the agent can connect to it
+                        anyway. Describe what you need in natural language.
+                      </>
+                    ) : (
+                      <>
+                        The agent can integrate with any system—you're not limited to this
+                        directory.
+                      </>
+                    )}
+                  </p>
+                </div>
+              </div>
+
+              <div className="p-5 rounded-xl bg-background border border-border text-left space-y-3">
+                <p className="text-sm font-medium text-foreground">Example for your search:</p>
+                <div className="space-y-2">
+                  <button
+                    onClick={() =>
+                      handleCopyPrompt(
+                        `Connect to ${searchQuery || 'our system'} and check security settings`,
+                      )
+                    }
+                    className="w-full p-3 rounded-lg bg-muted/50 border border-border hover:border-primary/30 transition-colors text-left group"
+                  >
+                    <p className="text-sm text-foreground/80 group-hover:text-foreground">
+                      "Connect to {searchQuery || 'our system'} and check security settings"
+                    </p>
+                  </button>
+                  <button
+                    onClick={() =>
+                      handleCopyPrompt(
+                        `Pull compliance data from ${searchQuery || 'our internal tool'}`,
+                      )
+                    }
+                    className="w-full p-3 rounded-lg bg-muted/50 border border-border hover:border-primary/30 transition-colors text-left group"
+                  >
+                    <p className="text-sm text-foreground/80 group-hover:text-foreground">
+                      "Pull compliance data from {searchQuery || 'our internal tool'}"
+                    </p>
+                  </button>
+                </div>
+                <Link
+                  href={`/${orgId}/tasks`}
+                  className="flex items-center justify-center gap-2 text-sm text-primary hover:text-primary/80 font-medium pt-2"
+                >
+                  Go to Tasks to get started
+                  <ArrowRight className="w-3.5 h-3.5" />
+                </Link>
+              </div>
+
+              {searchQuery && (
+                <button
+                  onClick={() => {
+                    setSearchQuery('');
+                    setSelectedCategory('All');
+                  }}
+                  className="text-sm text-muted-foreground hover:text-foreground font-medium"
+                >
+                  ← Browse all integrations
+                </button>
+              )}
+            </div>
+          </div>
+        )}
+      </div>
+
+      {/* Manage Connection Dialog */}
+      {selectedConnection && selectedProvider && (
+        <ManageIntegrationDialog
+          open={manageDialogOpen}
+          onOpenChange={(open) => {
+            if (!open) handleCloseManageDialog();
+            else setManageDialogOpen(open);
+          }}
+          connectionId={selectedConnection.id}
+          integrationId={selectedProvider.id}
+          integrationName={selectedProvider.name}
+          integrationLogoUrl={selectedProvider.logoUrl}
+          onDisconnected={refreshConnections}
+          onDeleted={refreshConnections}
+          onSaved={refreshConnections}
+        />
+      )}
+
+      {/* Connect Dialog (for non-OAuth integrations) */}
+      {connectingProviderInfo && (
+        <ConnectIntegrationDialog
+          open={connectDialogOpen}
+          onOpenChange={(open) => {
+            if (!open) {
+              setConnectDialogOpen(false);
+              setConnectingProviderInfo(null);
+            }
+          }}
+          integrationId={connectingProviderInfo.id}
+          integrationName={connectingProviderInfo.name}
+          integrationLogoUrl={connectingProviderInfo.logoUrl}
+          onConnected={handleConnectDialogSuccess}
+        />
+      )}
+
+      {/* Custom Integration Detail Modal */}
+      {selectedCustomIntegration && (
+        <Dialog
+          open={!!selectedCustomIntegration}
+          onOpenChange={() => setSelectedCustomIntegration(null)}
+        >
+          <DialogContent className="sm:max-w-4xl max-h-[90vh] overflow-y-auto p-0">
+            <div className="relative overflow-hidden">
+              <div className="bg-gradient-to-br from-primary/5 via-primary/3 to-background border-b border-border/50 p-6">
+                <DialogHeader className="pb-0">
+                  <div className="flex items-start gap-4 mb-3">
+                    <div className="w-14 h-14 rounded-2xl bg-background border-2 border-border shadow-sm flex items-center justify-center overflow-hidden ring-2 ring-primary/10">
+                      <Image
+                        src={`https://img.logo.dev/${selectedCustomIntegration.domain}?token=${LOGO_TOKEN}`}
+                        alt={`${selectedCustomIntegration.name} logo`}
+                        width={36}
+                        height={36}
+                        unoptimized
+                        className="object-contain"
+                      />
+                    </div>
+                    <div className="flex-1">
+                      <div className="flex items-center gap-2 mb-1">
+                        <DialogTitle className="text-2xl font-bold">
+                          {selectedCustomIntegration.name}
+                        </DialogTitle>
+                        {selectedCustomIntegration.popular && (
+                          <Badge variant="secondary" className="text-[10px] px-2 py-0.5">
+                            Popular
+                          </Badge>
+                        )}
+                        <Badge variant="outline" className="text-[10px] px-2 py-0.5 border-dashed">
+                          AI Agent
+                        </Badge>
+                      </div>
+                      <div className="flex items-center gap-2">
+                        <span className="text-xs font-medium text-primary">
+                          {selectedCustomIntegration.category}
+                        </span>
+                      </div>
+                    </div>
+                  </div>
+                  <DialogDescription className="text-sm leading-relaxed text-foreground/80 mt-2">
+                    {selectedCustomIntegration.description}
+                  </DialogDescription>
+                </DialogHeader>
+              </div>
+
+              <div className="p-6 space-y-8">
+                <div className="space-y-3">
+                  <div className="flex items-center gap-2">
+                    <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
+                      <Plug className="w-4 h-4 text-primary" />
+                    </div>
+                    <h4 className="text-base font-semibold text-foreground">How to Connect</h4>
+                  </div>
+                  <div className="p-5 rounded-xl bg-gradient-to-br from-muted/80 to-muted/40 border border-border/50 shadow-sm space-y-3">
+                    <p className="text-sm text-foreground leading-relaxed">
+                      Click on any relevant task below to create an automation with{' '}
+                      {selectedCustomIntegration.name}. The automation will be pre-configured with a
+                      prompt tailored to that task. The agent will ask you for the necessary
+                      permissions and API keys if required.
+                    </p>
+                    {selectedCustomIntegration.setupHint && (
+                      <div className="flex items-start gap-2 pt-2 border-t border-border/50">
+                        <CheckCircle2 className="w-4 h-4 text-muted-foreground mt-0.5 flex-shrink-0" />
+                        <p className="text-xs text-muted-foreground">
+                          <span className="font-medium text-foreground">Typically requires:</span>{' '}
+                          {selectedCustomIntegration.setupHint}
+                        </p>
+                      </div>
+                    )}
+                  </div>
+                </div>
+
+                <div className="space-y-3">
+                  <div className="flex items-center gap-2">
+                    <div className="w-8 h-8 rounded-lg bg-primary/10 flex items-center justify-center">
+                      <Zap className="w-4 h-4 text-primary" />
+                    </div>
+                    <h4 className="text-base font-semibold text-foreground">Relevant Tasks</h4>
+                  </div>
+                  {isLoadingTasks ? (
+                    <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+                      {[...Array(4)].map((_, index) => (
+                        <TaskCardSkeleton key={index} />
+                      ))}
+                    </div>
+                  ) : relevantTasks.length > 0 ? (
+                    <div className="grid grid-cols-1 md:grid-cols-2 gap-3">
+                      {relevantTasks.map((task) => (
+                        <TaskCard key={task.taskTemplateId} task={task} orgId={orgId} />
+                      ))}
+                    </div>
+                  ) : (
+                    <div className="p-5 rounded-xl bg-muted/50 border border-border/50">
+                      <p className="text-sm text-muted-foreground text-center">
+                        No relevant tasks found for this integration.
+                      </p>
+                    </div>
+                  )}
+                </div>
+              </div>
+            </div>
+          </DialogContent>
+        </Dialog>
+      )}
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx b/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx
new file mode 100644
index 000000000..6991b903e
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/integrations/components/TaskCard.tsx
@@ -0,0 +1,117 @@
+'use client';
+
+import { api } from '@/lib/api-client';
+import { Skeleton } from '@comp/ui/skeleton';
+import { ArrowRight, Loader2 } from 'lucide-react';
+import { useRouter } from 'next/navigation';
+import { useState } from 'react';
+import { toast } from 'sonner';
+
+interface RelevantTask {
+  taskTemplateId: string;
+  taskName: string;
+  reason: string;
+  prompt: string;
+}
+
+export function TaskCard({ task, orgId }: { task: RelevantTask; orgId: string }) {
+  const [isNavigating, setIsNavigating] = useState(false);
+  const router = useRouter();
+
+  const handleCardClick = async () => {
+    setIsNavigating(true);
+    toast.loading('Opening task automation...', { id: 'navigating' });
+
+    try {
+      const response = await api.get<Array<{ id: string; taskTemplateId: string | null }>>(
+        '/v1/tasks',
+        orgId,
+      );
+
+      if (response.error || !response.data) {
+        throw new Error(response.error || 'Failed to fetch tasks');
+      }
+
+      const matchingTask = response.data.find(
+        (t) => t.taskTemplateId && t.taskTemplateId === task.taskTemplateId,
+      );
+
+      if (!matchingTask) {
+        toast.dismiss('navigating');
+        toast.error(`Task "${task.taskName}" not found. Please create it first.`);
+        setIsNavigating(false);
+        await router.push(`/${orgId}/tasks`);
+        return;
+      }
+
+      const url = `/${orgId}/tasks/${matchingTask.id}/automation/new?prompt=${encodeURIComponent(task.prompt)}`;
+      toast.dismiss('navigating');
+      toast.success('Redirecting...', { duration: 1000 });
+
+      window.location.href = url;
+    } catch (error) {
+      console.error('Error finding task:', error);
+      toast.dismiss('navigating');
+      toast.error('Failed to find task');
+      setIsNavigating(false);
+    }
+  };
+
+  return (
+    <div
+      onClick={handleCardClick}
+      className="group/task relative block p-5 rounded-xl bg-gradient-to-br from-background to-muted/20 border border-border/60 hover:border-primary/40 hover:shadow-md transition-all duration-200 h-full overflow-hidden cursor-pointer"
+    >
+      {isNavigating && (
+        <div className="absolute inset-0 bg-background/80 backdrop-blur-sm z-10 flex flex-col items-center justify-center gap-3 rounded-xl">
+          <Loader2 className="w-6 h-6 animate-spin text-primary" />
+          <div className="text-center space-y-1">
+            <p className="text-sm font-medium text-foreground">Opening task...</p>
+            <p className="text-xs text-muted-foreground">
+              Redirecting to automation with prompt pre-filled
+            </p>
+          </div>
+        </div>
+      )}
+      <div className="absolute inset-0 bg-gradient-to-br from-primary/0 via-primary/0 to-primary/5 opacity-0 group-hover/task:opacity-100 transition-opacity duration-200" />
+      <div className="relative flex flex-col h-full">
+        <div className="flex items-start justify-between gap-3">
+          <div className="flex-1 min-w-0">
+            <div className="flex items-start gap-2 mb-2">
+              <div className="w-1.5 h-1.5 rounded-full bg-primary/40 mt-1.5 flex-shrink-0 group-hover/task:bg-primary transition-colors" />
+              <p className="text-sm font-semibold text-foreground group-hover/task:text-primary transition-colors">
+                {task.taskName}
+              </p>
+            </div>
+            <p className="text-xs text-muted-foreground leading-relaxed line-clamp-2 pl-3.5">
+              {task.reason}
+            </p>
+          </div>
+          <ArrowRight className="w-4 h-4 text-muted-foreground group-hover/task:text-primary group-hover/task:translate-x-0.5 transition-all flex-shrink-0 mt-0.5" />
+        </div>
+      </div>
+    </div>
+  );
+}
+
+export function TaskCardSkeleton() {
+  return (
+    <div className="p-5 rounded-xl bg-gradient-to-br from-muted/40 to-muted/20 border-2 border-dashed border-muted-foreground/20 h-full animate-pulse">
+      <div className="flex items-start justify-between gap-3 h-full">
+        <div className="flex-1 min-w-0">
+          <div className="flex items-start gap-2 mb-3">
+            <Skeleton className="w-2 h-2 rounded-full mt-1.5 flex-shrink-0 bg-muted-foreground/30" />
+            <Skeleton className="h-4 w-32 bg-muted-foreground/30" />
+          </div>
+          <div className="pl-4 space-y-2.5">
+            <Skeleton className="h-3 w-full bg-muted-foreground/25" />
+            <Skeleton className="h-3 w-5/6 bg-muted-foreground/25" />
+            <Skeleton className="h-3 w-4/6 bg-muted-foreground/25" />
+          </div>
+        </div>
+        <Skeleton className="w-4 h-4 rounded-full bg-muted-foreground/30 mt-0.5 flex-shrink-0" />
+      </div>
+    </div>
+  );
+}
+
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/page.tsx b/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
index 267b10c06..fd70dd3b2 100644
--- a/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
+++ b/apps/app/src/app/(app)/[orgId]/integrations/page.tsx
@@ -1,5 +1,5 @@
 import { db } from '@db';
-import { IntegrationsGrid } from './components/IntegrationsGrid';
+import { PlatformIntegrations } from './components/PlatformIntegrations';
 
 export default async function IntegrationsPage() {
   // Fetch task templates server-side
@@ -15,7 +15,7 @@ export default async function IntegrationsPage() {
   });
 
   return (
-    <div className="mx-auto max-w-7xl space-y-10 py-8">
+    <div className="mx-auto max-w-7xl space-y-8 py-8">
       {/* Header */}
       <div className="space-y-2">
         <div className="flex items-baseline gap-3">
@@ -23,13 +23,12 @@ export default async function IntegrationsPage() {
           <span className="text-2xl text-muted-foreground/40 font-light">∞</span>
         </div>
         <p className="text-muted-foreground text-base leading-relaxed">
-          Connect to any system through the AI agent. This directory shows common patterns—the
-          agent can integrate with anything that has an API or web interface.
+          Connect your tools to automate compliance checks and evidence collection.
         </p>
       </div>
 
-      {/* Integrations Grid */}
-      <IntegrationsGrid taskTemplates={taskTemplates} />
+      {/* Unified Integrations List */}
+      <PlatformIntegrations taskTemplates={taskTemplates} />
     </div>
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/integrations/platform-test/page.tsx b/apps/app/src/app/(app)/[orgId]/integrations/platform-test/page.tsx
new file mode 100644
index 000000000..14cbfcccd
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/integrations/platform-test/page.tsx
@@ -0,0 +1,1444 @@
+'use client';
+
+import {
+  useIntegrationConnections,
+  useIntegrationMutations,
+  useIntegrationProviders,
+  type OAuthAvailability,
+} from '@/hooks/use-integration-platform';
+import { api } from '@/lib/api-client';
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import { Card, CardContent, CardHeader, CardTitle } from '@comp/ui/card';
+import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
+import {
+  AlertCircle,
+  CheckCircle2,
+  ExternalLink,
+  Key,
+  Loader2,
+  Pause,
+  Play,
+  RefreshCw,
+  Settings,
+  Trash2,
+  XCircle,
+  Zap,
+} from 'lucide-react';
+import { useParams } from 'next/navigation';
+import { useCallback, useEffect, useState } from 'react';
+
+interface CheckLog {
+  level: 'info' | 'warn' | 'error';
+  message: string;
+  data?: Record<string, unknown>;
+  timestamp: string;
+}
+
+interface CheckFinding {
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description?: string;
+  severity: string;
+  remediation?: string;
+}
+
+interface CheckPassingResult {
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description?: string;
+  evidence?: Record<string, unknown>;
+  collectedAt?: string;
+}
+
+interface CheckResultSummary {
+  totalChecked: number;
+  passed: number;
+  failed: number;
+}
+
+interface CheckRunResponse {
+  connectionId: string;
+  providerSlug: string;
+  results: Array<{
+    checkId: string;
+    checkName: string;
+    status: 'success' | 'failed' | 'error';
+    result: {
+      findings: CheckFinding[];
+      passingResults: CheckPassingResult[];
+      logs: CheckLog[];
+      summary?: CheckResultSummary;
+    };
+    error?: string;
+    durationMs: number;
+  }>;
+  totalFindings: number;
+  totalPassing: number;
+  durationMs: number;
+}
+
+interface VariableDefinition {
+  id: string;
+  label: string;
+  type: 'text' | 'number' | 'boolean' | 'select' | 'multi-select';
+  required: boolean;
+  default?: string | number | boolean | string[];
+  helpText?: string;
+  placeholder?: string;
+  options?: Array<{ value: string; label: string }>;
+  hasDynamicOptions: boolean;
+  currentValue?: string | number | boolean | string[];
+}
+
+interface ConnectionVariablesResponse {
+  connectionId: string;
+  providerSlug: string;
+  variables: VariableDefinition[];
+}
+
+interface CheckDefinition {
+  id: string;
+  name: string;
+  description: string;
+  defaultSeverity: string;
+  taskMapping?: string;
+  variableIds: string[];
+}
+
+interface ConnectionChecksResponse {
+  connectionId: string;
+  providerSlug: string;
+  checks: CheckDefinition[];
+}
+
+function StatusBadge({ status }: { status: string }) {
+  const variants: Record<string, { color: string; icon: React.ReactNode }> = {
+    active: {
+      color: 'bg-green-500/10 text-green-500',
+      icon: <CheckCircle2 className="h-3 w-3" />,
+    },
+    pending: {
+      color: 'bg-yellow-500/10 text-yellow-500',
+      icon: <AlertCircle className="h-3 w-3" />,
+    },
+    error: {
+      color: 'bg-red-500/10 text-red-500',
+      icon: <XCircle className="h-3 w-3" />,
+    },
+    paused: {
+      color: 'bg-gray-500/10 text-gray-500',
+      icon: <Pause className="h-3 w-3" />,
+    },
+    disconnected: {
+      color: 'bg-gray-500/10 text-gray-500',
+      icon: <XCircle className="h-3 w-3" />,
+    },
+  };
+
+  const variant = variants[status] || variants.pending;
+
+  return (
+    <Badge className={`${variant.color} gap-1`}>
+      {variant.icon}
+      {status}
+    </Badge>
+  );
+}
+
+function DebugSection({ title, children }: { title: string; children: React.ReactNode }) {
+  return (
+    <Card className="mb-4">
+      <CardHeader className="pb-2">
+        <CardTitle className="text-sm font-mono">{title}</CardTitle>
+      </CardHeader>
+      <CardContent>{children}</CardContent>
+    </Card>
+  );
+}
+
+function JsonDisplay({ data }: { data: unknown }) {
+  return (
+    <pre className="bg-muted p-3 rounded-md text-xs overflow-auto max-h-64 font-mono">
+      {JSON.stringify(data, null, 2)}
+    </pre>
+  );
+}
+
+function OAuthAvailabilityCard({
+  providerSlug,
+  providerName,
+  onLog,
+}: {
+  providerSlug: string;
+  providerName: string;
+  onLog: (message: string) => void;
+}) {
+  const params = useParams<{ orgId: string }>();
+  const orgId = params?.orgId;
+
+  const [availability, setAvailability] = useState<OAuthAvailability | null>(null);
+  const [isLoading, setIsLoading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [showConfig, setShowConfig] = useState(false);
+  const [clientId, setClientId] = useState('');
+  const [clientSecret, setClientSecret] = useState('');
+  const [isSaving, setIsSaving] = useState(false);
+
+  const checkAvailability = useCallback(async () => {
+    if (!orgId) return;
+
+    setIsLoading(true);
+    setError(null);
+    onLog(`Checking OAuth availability for ${providerSlug}...`);
+
+    const response = await api.get<OAuthAvailability>(
+      `/v1/integrations/oauth/availability?providerSlug=${providerSlug}&organizationId=${orgId}`,
+    );
+
+    if (response.error) {
+      setError(response.error);
+      onLog(`❌ ${response.error}`);
+    } else {
+      setAvailability(response.data || null);
+      const data = response.data;
+      if (data?.available) {
+        onLog(
+          `✅ OAuth available (org: ${data.hasOrgCredentials}, platform: ${data.hasPlatformCredentials})`,
+        );
+      } else {
+        onLog(`⚠️ OAuth not available - credentials need to be configured`);
+      }
+    }
+
+    setIsLoading(false);
+  }, [orgId, providerSlug, onLog]);
+
+  useEffect(() => {
+    checkAvailability();
+  }, [checkAvailability]);
+
+  const handleSaveCredentials = async () => {
+    if (!orgId || !clientId || !clientSecret) return;
+
+    setIsSaving(true);
+    onLog(`Saving OAuth credentials for ${providerSlug}...`);
+
+    const response = await api.post('/v1/integrations/oauth-apps', {
+      providerSlug,
+      organizationId: orgId,
+      clientId,
+      clientSecret,
+    });
+
+    if (response.error) {
+      onLog(`❌ ${response.error}`);
+    } else {
+      onLog(`✅ OAuth credentials saved`);
+      setClientId('');
+      setClientSecret('');
+      setShowConfig(false);
+      checkAvailability();
+    }
+
+    setIsSaving(false);
+  };
+
+  const handleDeleteCredentials = async () => {
+    if (!orgId) return;
+    if (!confirm('Delete custom OAuth credentials?')) return;
+
+    onLog(`Deleting OAuth credentials for ${providerSlug}...`);
+
+    const response = await api.delete(
+      `/v1/integrations/oauth-apps/${providerSlug}?organizationId=${orgId}`,
+      orgId,
+    );
+
+    if (response.error) {
+      onLog(`❌ ${response.error}`);
+    } else {
+      onLog(`✅ OAuth credentials deleted`);
+      checkAvailability();
+    }
+  };
+
+  return (
+    <div className="p-3 bg-muted/30 rounded-md border">
+      <div className="flex items-center justify-between mb-2">
+        <div className="font-medium text-sm">{providerName}</div>
+        <div className="flex items-center gap-2">
+          <Button size="sm" variant="ghost" onClick={checkAvailability} disabled={isLoading}>
+            <RefreshCw className={`h-3 w-3 ${isLoading ? 'animate-spin' : ''}`} />
+          </Button>
+          <Button size="sm" variant="ghost" onClick={() => setShowConfig(!showConfig)}>
+            <Settings className="h-3 w-3" />
+          </Button>
+        </div>
+      </div>
+
+      {error && <div className="text-xs text-red-500 mb-2 p-2 bg-red-500/10 rounded">{error}</div>}
+
+      {availability && (
+        <div className="space-y-2">
+          <div className="flex items-center gap-4 text-xs">
+            <div className="flex items-center gap-1">
+              {availability.available ? (
+                <CheckCircle2 className="h-3 w-3 text-green-500" />
+              ) : (
+                <XCircle className="h-3 w-3 text-red-500" />
+              )}
+              <span>Available</span>
+            </div>
+            <div className="flex items-center gap-1">
+              {availability.hasOrgCredentials ? (
+                <CheckCircle2 className="h-3 w-3 text-green-500" />
+              ) : (
+                <XCircle className="h-3 w-3 text-gray-400" />
+              )}
+              <span>Org Creds</span>
+            </div>
+            <div className="flex items-center gap-1">
+              {availability.hasPlatformCredentials ? (
+                <CheckCircle2 className="h-3 w-3 text-green-500" />
+              ) : (
+                <XCircle className="h-3 w-3 text-gray-400" />
+              )}
+              <span>Platform Creds</span>
+            </div>
+          </div>
+
+          {!availability.available && availability.setupInstructions && (
+            <details className="text-xs">
+              <summary className="cursor-pointer text-muted-foreground">Setup Instructions</summary>
+              <pre className="mt-2 p-2 bg-muted rounded text-xs whitespace-pre-wrap">
+                {availability.setupInstructions}
+              </pre>
+            </details>
+          )}
+
+          {availability.createAppUrl && (
+            <a
+              href={availability.createAppUrl}
+              target="_blank"
+              rel="noopener noreferrer"
+              className="text-xs text-blue-500 hover:underline flex items-center gap-1"
+            >
+              <ExternalLink className="h-3 w-3" />
+              Create OAuth App
+            </a>
+          )}
+        </div>
+      )}
+
+      {showConfig && (
+        <div className="mt-3 pt-3 border-t space-y-3">
+          <div className="text-xs font-medium flex items-center gap-1">
+            <Key className="h-3 w-3" />
+            Configure Custom OAuth App
+          </div>
+
+          <div className="space-y-2">
+            <div>
+              <Label className="text-xs">Client ID</Label>
+              <Input
+                size={1}
+                className="h-8 text-xs font-mono"
+                placeholder="Your OAuth App Client ID"
+                value={clientId}
+                onChange={(e) => setClientId(e.target.value)}
+              />
+            </div>
+            <div>
+              <Label className="text-xs">Client Secret</Label>
+              <Input
+                size={1}
+                type="password"
+                className="h-8 text-xs font-mono"
+                placeholder="Your OAuth App Client Secret"
+                value={clientSecret}
+                onChange={(e) => setClientSecret(e.target.value)}
+              />
+            </div>
+          </div>
+
+          <div className="flex gap-2">
+            <Button
+              size="sm"
+              onClick={handleSaveCredentials}
+              disabled={!clientId || !clientSecret || isSaving}
+            >
+              {isSaving ? <Loader2 className="h-3 w-3 animate-spin mr-1" /> : null}
+              Save Credentials
+            </Button>
+
+            {availability?.hasOrgCredentials && (
+              <Button size="sm" variant="destructive" onClick={handleDeleteCredentials}>
+                <Trash2 className="h-3 w-3 mr-1" />
+                Delete
+              </Button>
+            )}
+          </div>
+        </div>
+      )}
+    </div>
+  );
+}
+
+// ============================================================================
+// Connection Variables Configuration
+// ============================================================================
+
+function ConnectionVariablesConfig({
+  connectionId,
+  providerSlug,
+  onLog,
+  onSaved,
+}: {
+  connectionId: string;
+  providerSlug: string;
+  onLog: (message: string) => void;
+  onSaved: () => void;
+}) {
+  const [variables, setVariables] = useState<VariableDefinition[]>([]);
+  const [values, setValues] = useState<Record<string, string | number | boolean | string[]>>({});
+  const [loading, setLoading] = useState(true);
+  const [saving, setSaving] = useState(false);
+  const [fetchingOptions, setFetchingOptions] = useState<string | null>(null);
+
+  // Load variables on mount
+  useEffect(() => {
+    const fetchVariables = async () => {
+      setLoading(true);
+      try {
+        onLog(`Fetching variables for connection ${connectionId}...`);
+        const response = await api.get<ConnectionVariablesResponse>(
+          `/v1/integrations/variables/connections/${connectionId}`,
+        );
+
+        if (response.data?.variables) {
+          setVariables(response.data.variables);
+
+          // Initialize values with current or default values
+          const initialValues: Record<string, string | number | boolean | string[]> = {};
+          for (const v of response.data.variables) {
+            if (v.currentValue !== undefined) {
+              initialValues[v.id] = v.currentValue;
+            } else if (v.default !== undefined) {
+              initialValues[v.id] = v.default;
+            }
+          }
+          setValues(initialValues);
+          onLog(`Loaded ${response.data.variables.length} variables`);
+        }
+      } catch (error) {
+        onLog(`Error fetching variables: ${error}`);
+      } finally {
+        setLoading(false);
+      }
+    };
+
+    fetchVariables();
+  }, [connectionId, onLog]);
+
+  const handleFetchOptions = async (variableId: string) => {
+    setFetchingOptions(variableId);
+    try {
+      onLog(`Fetching options for ${variableId}...`);
+      const response = await api.get<{ options: Array<{ value: string; label: string }> }>(
+        `/v1/integrations/variables/connections/${connectionId}/options/${variableId}`,
+      );
+
+      const options = response.data?.options;
+      if (options) {
+        setVariables((prev) => prev.map((v) => (v.id === variableId ? { ...v, options } : v)));
+        onLog(`Loaded ${options.length} options for ${variableId}`);
+      }
+    } catch (error) {
+      onLog(`Error fetching options: ${error}`);
+    } finally {
+      setFetchingOptions(null);
+    }
+  };
+
+  const handleSave = async () => {
+    setSaving(true);
+    try {
+      onLog(`Saving variables for connection ${connectionId}...`);
+      await api.post(`/v1/integrations/variables/connections/${connectionId}`, {
+        variables: values,
+      });
+      onLog('Variables saved successfully');
+      onSaved();
+    } catch (error) {
+      onLog(`Error saving variables: ${error}`);
+    } finally {
+      setSaving(false);
+    }
+  };
+
+  const updateValue = (variableId: string, value: string | number | boolean | string[]) => {
+    setValues((prev) => ({ ...prev, [variableId]: value }));
+  };
+
+  if (loading) {
+    return (
+      <div className="p-3 bg-blue-500/10 border border-blue-500/20 rounded-md">
+        <div className="flex items-center gap-2 text-sm text-blue-500">
+          <Loader2 className="h-4 w-4 animate-spin" />
+          Loading variables...
+        </div>
+      </div>
+    );
+  }
+
+  if (variables.length === 0) {
+    return null;
+  }
+
+  return (
+    <div className="p-3 bg-amber-500/10 border border-amber-500/30 rounded-md space-y-3">
+      <div className="flex items-center gap-2 text-sm font-medium text-amber-600">
+        <Settings className="h-4 w-4" />
+        Configure Check Variables
+      </div>
+
+      <div className="space-y-3">
+        {variables.map((variable) => (
+          <div key={variable.id} className="space-y-1">
+            <div className="flex items-center justify-between">
+              <Label className="text-xs">
+                {variable.label}
+                {variable.required && <span className="text-red-500 ml-1">*</span>}
+              </Label>
+              {variable.hasDynamicOptions && (
+                <Button
+                  size="sm"
+                  variant="ghost"
+                  className="h-6 text-xs"
+                  onClick={() => handleFetchOptions(variable.id)}
+                  disabled={fetchingOptions === variable.id}
+                >
+                  {fetchingOptions === variable.id ? (
+                    <Loader2 className="h-3 w-3 animate-spin" />
+                  ) : (
+                    <>
+                      <RefreshCw className="h-3 w-3 mr-1" />
+                      Load Options
+                    </>
+                  )}
+                </Button>
+              )}
+            </div>
+
+            {variable.type === 'text' && (
+              <Input
+                size={1}
+                className="h-8 text-xs"
+                placeholder={variable.placeholder}
+                value={(values[variable.id] as string) || ''}
+                onChange={(e) => updateValue(variable.id, e.target.value)}
+              />
+            )}
+
+            {variable.type === 'number' && (
+              <Input
+                size={1}
+                type="number"
+                className="h-8 text-xs"
+                placeholder={variable.placeholder}
+                value={(values[variable.id] as number) || ''}
+                onChange={(e) => updateValue(variable.id, Number(e.target.value))}
+              />
+            )}
+
+            {variable.type === 'boolean' && (
+              <div className="flex items-center gap-2">
+                <input
+                  type="checkbox"
+                  checked={(values[variable.id] as boolean) || false}
+                  onChange={(e) => updateValue(variable.id, e.target.checked)}
+                />
+                <span className="text-xs text-muted-foreground">{variable.helpText}</span>
+              </div>
+            )}
+
+            {variable.type === 'select' && (
+              <select
+                className="w-full h-8 text-xs px-2 border rounded-md bg-background"
+                value={(values[variable.id] as string) || ''}
+                onChange={(e) => updateValue(variable.id, e.target.value)}
+              >
+                <option value="">Select...</option>
+                {variable.options?.map((opt) => (
+                  <option key={opt.value} value={opt.value}>
+                    {opt.label}
+                  </option>
+                ))}
+              </select>
+            )}
+
+            {variable.type === 'multi-select' && (
+              <div className="space-y-1">
+                {variable.options && variable.options.length > 0 ? (
+                  <div className="max-h-32 overflow-y-auto border rounded-md p-2 space-y-1">
+                    {variable.options.map((opt) => (
+                      <label key={opt.value} className="flex items-center gap-2 text-xs">
+                        <input
+                          type="checkbox"
+                          checked={((values[variable.id] as string[]) || []).includes(opt.value)}
+                          onChange={(e) => {
+                            const current = (values[variable.id] as string[]) || [];
+                            if (e.target.checked) {
+                              updateValue(variable.id, [...current, opt.value]);
+                            } else {
+                              updateValue(
+                                variable.id,
+                                current.filter((v) => v !== opt.value),
+                              );
+                            }
+                          }}
+                        />
+                        {opt.label}
+                      </label>
+                    ))}
+                  </div>
+                ) : (
+                  <div className="text-xs text-muted-foreground p-2 border rounded-md">
+                    Click "Load Options" to fetch available choices
+                  </div>
+                )}
+              </div>
+            )}
+
+            {variable.helpText && variable.type !== 'boolean' && (
+              <p className="text-xs text-muted-foreground">{variable.helpText}</p>
+            )}
+          </div>
+        ))}
+      </div>
+
+      <Button size="sm" onClick={handleSave} disabled={saving}>
+        {saving ? <Loader2 className="h-3 w-3 animate-spin mr-1" /> : null}
+        Save Variables
+      </Button>
+    </div>
+  );
+}
+
+// ============================================================================
+// Individual Check Testing Component
+// ============================================================================
+
+function ConnectionChecksTester({
+  connectionId,
+  providerSlug,
+  onLog,
+}: {
+  connectionId: string;
+  providerSlug: string;
+  onLog: (message: string) => void;
+}) {
+  const [checks, setChecks] = useState<CheckDefinition[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [runningCheck, setRunningCheck] = useState<string | null>(null);
+  const [checkResults, setCheckResults] = useState<Record<string, CheckRunResponse['results'][0]>>(
+    {},
+  );
+
+  // Load checks on mount
+  useEffect(() => {
+    const fetchChecks = async () => {
+      setLoading(true);
+      try {
+        onLog(`Fetching available checks for ${providerSlug}...`);
+        const response = await api.get<ConnectionChecksResponse>(
+          `/v1/integrations/checks/connections/${connectionId}`,
+        );
+
+        if (response.data?.checks) {
+          setChecks(response.data.checks);
+          onLog(`Found ${response.data.checks.length} checks`);
+        }
+      } catch (error) {
+        onLog(`Error fetching checks: ${error}`);
+      } finally {
+        setLoading(false);
+      }
+    };
+
+    fetchChecks();
+  }, [connectionId, providerSlug, onLog]);
+
+  const handleRunCheck = async (checkId: string) => {
+    setRunningCheck(checkId);
+    onLog(`Running check: ${checkId}...`);
+
+    try {
+      const response = await api.post<CheckRunResponse>(
+        `/v1/integrations/checks/connections/${connectionId}/run`,
+        { checkId },
+      );
+
+      if (response.data?.results?.[0]) {
+        const result = response.data.results[0];
+        setCheckResults((prev) => ({ ...prev, [checkId]: result }));
+        onLog(
+          `Check ${checkId} completed: ${result.result.findings.length} findings, ${result.result.passingResults.length} passing (${result.durationMs}ms)`,
+        );
+      }
+    } catch (error) {
+      onLog(`Error running check ${checkId}: ${error}`);
+    } finally {
+      setRunningCheck(null);
+    }
+  };
+
+  const handleRunAll = async () => {
+    setRunningCheck('all');
+    onLog(`Running all checks...`);
+
+    try {
+      const response = await api.post<CheckRunResponse>(
+        `/v1/integrations/checks/connections/${connectionId}/run`,
+        {},
+      );
+
+      if (response.data?.results) {
+        const newResults: Record<string, CheckRunResponse['results'][0]> = {};
+        for (const result of response.data.results) {
+          newResults[result.checkId] = result;
+        }
+        setCheckResults(newResults);
+        onLog(
+          `All checks completed: ${response.data.totalFindings} total findings, ${response.data.totalPassing} passing (${response.data.durationMs}ms)`,
+        );
+      }
+    } catch (error) {
+      onLog(`Error running checks: ${error}`);
+    } finally {
+      setRunningCheck(null);
+    }
+  };
+
+  if (loading) {
+    return (
+      <div className="p-3 bg-muted/50 rounded-md">
+        <div className="flex items-center gap-2 text-sm text-muted-foreground">
+          <Loader2 className="h-4 w-4 animate-spin" />
+          Loading checks...
+        </div>
+      </div>
+    );
+  }
+
+  if (checks.length === 0) {
+    return (
+      <div className="p-3 bg-muted/50 rounded-md text-sm text-muted-foreground">
+        No checks defined for this integration
+      </div>
+    );
+  }
+
+  return (
+    <div className="space-y-3">
+      <div className="flex items-center justify-between">
+        <div className="text-sm font-medium flex items-center gap-2">
+          <Zap className="h-4 w-4" />
+          Available Checks ({checks.length})
+        </div>
+        <Button size="sm" variant="default" onClick={handleRunAll} disabled={runningCheck !== null}>
+          {runningCheck === 'all' ? (
+            <Loader2 className="h-3 w-3 animate-spin mr-1" />
+          ) : (
+            <Play className="h-3 w-3 mr-1" />
+          )}
+          Run All
+        </Button>
+      </div>
+
+      <div className="space-y-2">
+        {checks.map((check) => {
+          const result = checkResults[check.id];
+
+          return (
+            <div key={check.id} className="p-3 bg-muted/30 rounded-md border">
+              <div className="flex items-start justify-between gap-2 mb-2">
+                <div className="flex-1">
+                  <div className="font-medium text-sm">{check.name}</div>
+                  <div className="text-xs text-muted-foreground">{check.description}</div>
+                  <div className="text-xs text-muted-foreground mt-1 font-mono">
+                    ID: {check.id} • Severity: {check.defaultSeverity}
+                    {check.taskMapping && ` • Task: ${check.taskMapping}`}
+                  </div>
+                </div>
+                <Button
+                  size="sm"
+                  variant="outline"
+                  onClick={() => handleRunCheck(check.id)}
+                  disabled={runningCheck !== null}
+                >
+                  {runningCheck === check.id ? (
+                    <Loader2 className="h-3 w-3 animate-spin" />
+                  ) : (
+                    <Play className="h-3 w-3" />
+                  )}
+                </Button>
+              </div>
+
+              {result && (
+                <div className="mt-2 pt-2 border-t space-y-2">
+                  <div className="flex items-center gap-3 text-xs">
+                    <span
+                      className={`px-2 py-0.5 rounded ${
+                        result.status === 'success'
+                          ? 'bg-green-500/20 text-green-600'
+                          : result.status === 'error'
+                            ? 'bg-red-500/20 text-red-600'
+                            : 'bg-yellow-500/20 text-yellow-600'
+                      }`}
+                    >
+                      {result.status}
+                    </span>
+                    <span className="text-muted-foreground">{result.durationMs}ms</span>
+                    {result.result.summary && (
+                      <span className="text-muted-foreground">
+                        {result.result.summary.totalChecked} checked
+                      </span>
+                    )}
+                    <span className="text-green-600">
+                      ✓ {result.result.passingResults.length} passing
+                    </span>
+                    <span className="text-red-600">✗ {result.result.findings.length} findings</span>
+                  </div>
+
+                  {result.error && (
+                    <div className="text-xs text-red-500 p-2 bg-red-500/10 rounded">
+                      {result.error}
+                    </div>
+                  )}
+
+                  {result.result.findings.length > 0 && (
+                    <details className="text-xs">
+                      <summary className="cursor-pointer text-red-600 font-medium">
+                        ✗ Findings ({result.result.findings.length})
+                      </summary>
+                      <div className="mt-1 space-y-1 max-h-60 overflow-y-auto">
+                        {result.result.findings.map((finding, i) => (
+                          <div
+                            key={i}
+                            className="p-2 bg-red-500/10 rounded border border-red-500/20"
+                          >
+                            <div className="font-medium">{finding.title}</div>
+                            {finding.description && (
+                              <div className="text-muted-foreground mt-1">
+                                {finding.description}
+                              </div>
+                            )}
+                            <div className="text-muted-foreground mt-1">
+                              <span className="font-mono">
+                                {finding.resourceType}: {finding.resourceId}
+                              </span>{' '}
+                              •{' '}
+                              <span
+                                className={
+                                  finding.severity === 'critical' || finding.severity === 'high'
+                                    ? 'text-red-500'
+                                    : finding.severity === 'medium'
+                                      ? 'text-yellow-500'
+                                      : 'text-muted-foreground'
+                                }
+                              >
+                                {finding.severity}
+                              </span>
+                            </div>
+                            {finding.remediation && (
+                              <div className="mt-2 p-2 bg-blue-500/10 rounded text-blue-600">
+                                <span className="font-medium">Remediation:</span>{' '}
+                                {finding.remediation}
+                              </div>
+                            )}
+                          </div>
+                        ))}
+                      </div>
+                    </details>
+                  )}
+
+                  {result.result.passingResults.length > 0 && (
+                    <details className="text-xs">
+                      <summary className="cursor-pointer text-green-600 font-medium">
+                        ✓ Passing ({result.result.passingResults.length})
+                      </summary>
+                      <div className="mt-1 space-y-1 max-h-60 overflow-y-auto">
+                        {result.result.passingResults.map((pass, i) => (
+                          <div
+                            key={i}
+                            className="p-2 bg-green-500/10 rounded border border-green-500/20"
+                          >
+                            <div className="font-medium">{pass.title}</div>
+                            {pass.description && (
+                              <div className="text-muted-foreground mt-1">{pass.description}</div>
+                            )}
+                            <div className="text-muted-foreground mt-1 font-mono">
+                              {pass.resourceType}: {pass.resourceId}
+                            </div>
+                            {pass.evidence && Object.keys(pass.evidence).length > 0 && (
+                              <details className="mt-2">
+                                <summary className="cursor-pointer text-blue-600 font-medium">
+                                  Evidence (click to expand)
+                                </summary>
+                                <pre className="mt-1 p-2 bg-black/50 text-green-400 rounded overflow-x-auto text-[10px]">
+                                  {JSON.stringify(pass.evidence, null, 2)}
+                                </pre>
+                              </details>
+                            )}
+                          </div>
+                        ))}
+                      </div>
+                    </details>
+                  )}
+
+                  {/* Execution Logs */}
+                  {result.result.logs && result.result.logs.length > 0 && (
+                    <details className="text-xs">
+                      <summary className="cursor-pointer text-muted-foreground font-medium">
+                        📋 Execution Log ({result.result.logs.length} entries)
+                      </summary>
+                      <div className="mt-1 p-2 bg-black rounded max-h-60 overflow-y-auto font-mono text-[10px]">
+                        {result.result.logs.map((log, i) => (
+                          <div
+                            key={i}
+                            className={`py-0.5 ${
+                              log.level === 'error'
+                                ? 'text-red-400'
+                                : log.level === 'warn'
+                                  ? 'text-yellow-400'
+                                  : 'text-green-400'
+                            }`}
+                          >
+                            <span className="text-gray-500">
+                              [{new Date(log.timestamp).toLocaleTimeString()}]
+                            </span>{' '}
+                            <span
+                              className={`uppercase ${
+                                log.level === 'error'
+                                  ? 'text-red-500'
+                                  : log.level === 'warn'
+                                    ? 'text-yellow-500'
+                                    : 'text-blue-500'
+                              }`}
+                            >
+                              [{log.level}]
+                            </span>{' '}
+                            {log.message}
+                            {log.data && (
+                              <span className="text-gray-400"> {JSON.stringify(log.data)}</span>
+                            )}
+                          </div>
+                        ))}
+                      </div>
+                    </details>
+                  )}
+                </div>
+              )}
+            </div>
+          );
+        })}
+      </div>
+    </div>
+  );
+}
+
+export default function IntegrationPlatformTestPage() {
+  const [actionLog, setActionLog] = useState<string[]>([]);
+  const [isLoading, setIsLoading] = useState<string | null>(null);
+
+  const {
+    providers,
+    isLoading: providersLoading,
+    error: providersError,
+    refresh: refreshProviders,
+  } = useIntegrationProviders();
+
+  const {
+    connections,
+    isLoading: connectionsLoading,
+    error: connectionsError,
+    refresh: refreshConnections,
+  } = useIntegrationConnections();
+
+  const {
+    startOAuth,
+    testConnection,
+    pauseConnection,
+    resumeConnection,
+    disconnectConnection,
+    deleteConnection,
+  } = useIntegrationMutations();
+
+  const log = useCallback((message: string) => {
+    const timestamp = new Date().toISOString().split('T')[1].split('.')[0];
+    setActionLog((prev) => [`[${timestamp}] ${message}`, ...prev.slice(0, 49)]);
+  }, []);
+
+  const handleStartOAuth = async (providerSlug: string) => {
+    setIsLoading(`oauth-${providerSlug}`);
+    log(`Starting OAuth for ${providerSlug}...`);
+
+    const result = await startOAuth(providerSlug);
+
+    if (result.success && result.authorizationUrl) {
+      log(`✅ Got authorization URL, redirecting...`);
+      window.location.href = result.authorizationUrl;
+    } else {
+      log(`❌ OAuth failed: ${result.error}`);
+    }
+
+    setIsLoading(null);
+  };
+
+  const handleTestConnection = async (connectionId: string, providerSlug: string) => {
+    setIsLoading(`test-${connectionId}`);
+    log(`Testing connection ${connectionId} (${providerSlug})...`);
+
+    const result = await testConnection(connectionId);
+    log(result.success ? `✅ ${result.message}` : `❌ ${result.message}`);
+
+    setIsLoading(null);
+    refreshConnections();
+  };
+
+  const handlePause = async (connectionId: string) => {
+    setIsLoading(`pause-${connectionId}`);
+    log(`Pausing connection ${connectionId}...`);
+
+    const result = await pauseConnection(connectionId);
+    log(result.success ? '✅ Connection paused' : `❌ ${result.error}`);
+
+    setIsLoading(null);
+    refreshConnections();
+  };
+
+  const handleResume = async (connectionId: string) => {
+    setIsLoading(`resume-${connectionId}`);
+    log(`Resuming connection ${connectionId}...`);
+
+    const result = await resumeConnection(connectionId);
+    log(result.success ? '✅ Connection resumed' : `❌ ${result.error}`);
+
+    setIsLoading(null);
+    refreshConnections();
+  };
+
+  const handleDisconnect = async (connectionId: string) => {
+    setIsLoading(`disconnect-${connectionId}`);
+    log(`Disconnecting ${connectionId}...`);
+
+    const result = await disconnectConnection(connectionId);
+    log(result.success ? '✅ Disconnected' : `❌ ${result.error}`);
+
+    setIsLoading(null);
+    refreshConnections();
+  };
+
+  const handleDelete = async (connectionId: string) => {
+    if (!confirm('Are you sure you want to delete this connection?')) return;
+
+    setIsLoading(`delete-${connectionId}`);
+    log(`Deleting connection ${connectionId}...`);
+
+    const result = await deleteConnection(connectionId);
+    log(result.success ? '✅ Deleted' : `❌ ${result.error}`);
+
+    setIsLoading(null);
+    refreshConnections();
+  };
+
+  const handleRunChecks = async (connectionId: string, providerSlug: string, checkId?: string) => {
+    const loadingKey = checkId ? `check-${connectionId}-${checkId}` : `checks-${connectionId}`;
+    setIsLoading(loadingKey);
+    log(`Running ${checkId || 'all'} checks for ${providerSlug}...`);
+
+    try {
+      const response = await api.post<CheckRunResponse>(
+        `/v1/integrations/checks/connections/${connectionId}/run`,
+        checkId ? { checkId } : {},
+      );
+
+      if (response.error) {
+        log(`❌ Check run failed: ${response.error}`);
+      } else if (response.data) {
+        const { totalFindings, totalPassing, durationMs, results } = response.data;
+        log(`✅ Checks completed in ${durationMs}ms`);
+        log(`   📊 ${totalFindings} findings, ${totalPassing} passing`);
+
+        for (const result of results || []) {
+          const icon = result.status === 'success' ? '✅' : result.status === 'error' ? '❌' : '⚠️';
+          log(`   ${icon} ${result.checkName}: ${result.result.findings.length} findings`);
+        }
+      }
+    } catch (error) {
+      log(`❌ Error running checks: ${error}`);
+    }
+
+    setIsLoading(null);
+  };
+
+  const oauthProviders = providers.filter((p) => p.authType === 'oauth2');
+
+  return (
+    <div className="container mx-auto p-6 max-w-7xl">
+      <div className="mb-6">
+        <h1 className="text-2xl font-bold mb-2">Integration Platform Test Page</h1>
+        <p className="text-muted-foreground text-sm">
+          Debug page for testing the integration platform API and OAuth flows.
+        </p>
+      </div>
+
+      <div className="grid grid-cols-1 lg:grid-cols-3 gap-6">
+        {/* Left Column - Providers */}
+        <div>
+          <DebugSection title="Available Providers">
+            <div className="flex items-center gap-2 mb-3">
+              <Button
+                size="sm"
+                variant="outline"
+                onClick={() => refreshProviders()}
+                disabled={providersLoading}
+              >
+                <RefreshCw className={`h-3 w-3 mr-1 ${providersLoading ? 'animate-spin' : ''}`} />
+                Refresh
+              </Button>
+              {providersLoading && (
+                <span className="text-xs text-muted-foreground">Loading...</span>
+              )}
+              {providersError && <span className="text-xs text-red-500">{providersError}</span>}
+            </div>
+
+            {providers.length === 0 && !providersLoading ? (
+              <p className="text-sm text-muted-foreground">No providers found</p>
+            ) : (
+              <div className="space-y-2">
+                {providers.map((provider) => (
+                  <div
+                    key={provider.id}
+                    className="flex items-center justify-between p-3 bg-muted/50 rounded-md"
+                  >
+                    <div>
+                      <div className="font-medium text-sm">{provider.name}</div>
+                      <div className="text-xs text-muted-foreground">
+                        {provider.id} • {provider.authType} • {provider.category}
+                      </div>
+                    </div>
+                    <div className="flex items-center gap-2">
+                      <Badge variant={provider.isActive ? 'default' : 'secondary'}>
+                        {provider.isActive ? 'Active' : 'Inactive'}
+                      </Badge>
+                      {provider.authType === 'oauth2' && (
+                        <Button
+                          size="sm"
+                          onClick={() => handleStartOAuth(provider.id)}
+                          disabled={isLoading === `oauth-${provider.id}`}
+                        >
+                          {isLoading === `oauth-${provider.id}` ? (
+                            <Loader2 className="h-3 w-3 animate-spin" />
+                          ) : (
+                            <>
+                              <ExternalLink className="h-3 w-3 mr-1" />
+                              Connect
+                            </>
+                          )}
+                        </Button>
+                      )}
+                    </div>
+                  </div>
+                ))}
+              </div>
+            )}
+
+            <details className="mt-3">
+              <summary className="text-xs text-muted-foreground cursor-pointer">
+                Raw Response
+              </summary>
+              <JsonDisplay data={providers} />
+            </details>
+          </DebugSection>
+
+          {/* OAuth Availability */}
+          {oauthProviders.length > 0 && (
+            <DebugSection title="OAuth Credentials Status">
+              <div className="space-y-3">
+                {oauthProviders.map((provider) => (
+                  <OAuthAvailabilityCard
+                    key={provider.id}
+                    providerSlug={provider.id}
+                    providerName={provider.name}
+                    onLog={log}
+                  />
+                ))}
+              </div>
+            </DebugSection>
+          )}
+        </div>
+
+        {/* Middle Column - Connections */}
+        <div>
+          <DebugSection title="Connections">
+            <div className="flex items-center gap-2 mb-3">
+              <Button
+                size="sm"
+                variant="outline"
+                onClick={() => refreshConnections()}
+                disabled={connectionsLoading}
+              >
+                <RefreshCw className={`h-3 w-3 mr-1 ${connectionsLoading ? 'animate-spin' : ''}`} />
+                Refresh
+              </Button>
+              {connectionsLoading && (
+                <span className="text-xs text-muted-foreground">Loading...</span>
+              )}
+              {connectionsError && <span className="text-xs text-red-500">{connectionsError}</span>}
+            </div>
+
+            {connections.length === 0 && !connectionsLoading ? (
+              <p className="text-sm text-muted-foreground">No connections found</p>
+            ) : (
+              <div className="space-y-2">
+                {connections.map((conn) => (
+                  <div key={conn.id} className="p-3 bg-muted/50 rounded-md">
+                    <div className="flex items-center justify-between mb-2">
+                      <div>
+                        <div className="font-medium text-sm">
+                          {conn.providerName || conn.providerSlug}
+                        </div>
+                        <div className="text-xs text-muted-foreground font-mono">{conn.id}</div>
+                      </div>
+                      <StatusBadge status={conn.status} />
+                    </div>
+
+                    <div className="text-xs text-muted-foreground mb-2">
+                      Auth: {conn.authStrategy} • Last sync:{' '}
+                      {conn.lastSyncAt ? new Date(conn.lastSyncAt).toLocaleString() : 'Never'}
+                    </div>
+
+                    {conn.variables && Object.keys(conn.variables).length > 0 && (
+                      <div className="text-xs mb-2 p-2 bg-green-500/10 border border-green-500/20 rounded">
+                        <div className="font-medium text-green-600 mb-1">Configured Variables:</div>
+                        <div className="space-y-0.5 font-mono">
+                          {Object.entries(conn.variables).map(([key, value]) => (
+                            <div key={key} className="flex gap-2">
+                              <span className="text-muted-foreground">{key}:</span>
+                              <span className="text-foreground">
+                                {Array.isArray(value)
+                                  ? value.length > 0
+                                    ? value.join(', ')
+                                    : '(empty)'
+                                  : String(value)}
+                              </span>
+                            </div>
+                          ))}
+                        </div>
+                      </div>
+                    )}
+
+                    {conn.errorMessage && (
+                      <div className="text-xs text-red-500 mb-2 p-2 bg-red-500/10 rounded">
+                        {conn.errorMessage}
+                      </div>
+                    )}
+
+                    <div className="flex gap-1 flex-wrap">
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => handleTestConnection(conn.id, conn.providerSlug)}
+                        disabled={isLoading === `test-${conn.id}`}
+                      >
+                        {isLoading === `test-${conn.id}` ? (
+                          <Loader2 className="h-3 w-3 animate-spin" />
+                        ) : (
+                          <>
+                            <Play className="h-3 w-3 mr-1" />
+                            Test
+                          </>
+                        )}
+                      </Button>
+
+                      {conn.status === 'active' && (
+                        <Button
+                          size="sm"
+                          variant="outline"
+                          onClick={() => handlePause(conn.id)}
+                          disabled={isLoading === `pause-${conn.id}`}
+                        >
+                          <Pause className="h-3 w-3 mr-1" />
+                          Pause
+                        </Button>
+                      )}
+
+                      {conn.status === 'paused' && (
+                        <Button
+                          size="sm"
+                          variant="outline"
+                          onClick={() => handleResume(conn.id)}
+                          disabled={isLoading === `resume-${conn.id}`}
+                        >
+                          <Play className="h-3 w-3 mr-1" />
+                          Resume
+                        </Button>
+                      )}
+
+                      <Button
+                        size="sm"
+                        variant="outline"
+                        onClick={() => handleDisconnect(conn.id)}
+                        disabled={isLoading === `disconnect-${conn.id}`}
+                      >
+                        Disconnect
+                      </Button>
+
+                      <Button
+                        size="sm"
+                        variant="destructive"
+                        onClick={() => handleDelete(conn.id)}
+                        disabled={isLoading === `delete-${conn.id}`}
+                      >
+                        <Trash2 className="h-3 w-3" />
+                      </Button>
+                    </div>
+
+                    {/* Variables Configuration */}
+                    {conn.status === 'active' && (
+                      <div className="mt-3">
+                        <ConnectionVariablesConfig
+                          connectionId={conn.id}
+                          providerSlug={conn.providerSlug}
+                          onLog={log}
+                          onSaved={() => {
+                            log(`Variables saved for ${conn.providerSlug}`);
+                            refreshConnections();
+                          }}
+                        />
+                      </div>
+                    )}
+
+                    {/* Individual Check Testing */}
+                    {conn.status === 'active' && (
+                      <div className="mt-3 pt-3 border-t">
+                        <ConnectionChecksTester
+                          connectionId={conn.id}
+                          providerSlug={conn.providerSlug}
+                          onLog={log}
+                        />
+                      </div>
+                    )}
+                  </div>
+                ))}
+              </div>
+            )}
+
+            <details className="mt-3">
+              <summary className="text-xs text-muted-foreground cursor-pointer">
+                Raw Response
+              </summary>
+              <JsonDisplay data={connections} />
+            </details>
+          </DebugSection>
+        </div>
+
+        {/* Right Column - Logs & Status */}
+        <div>
+          <DebugSection title="Action Log">
+            <div className="bg-black text-green-400 p-3 rounded-md font-mono text-xs h-80 overflow-auto">
+              {actionLog.length === 0 ? (
+                <span className="text-gray-500">No actions yet...</span>
+              ) : (
+                actionLog.map((entry, i) => (
+                  <div key={i} className="mb-1">
+                    {entry}
+                  </div>
+                ))
+              )}
+            </div>
+          </DebugSection>
+
+          <DebugSection title="API Status">
+            <div className="space-y-2 text-sm">
+              <div className="flex items-center justify-between">
+                <span>Providers API</span>
+                {providersLoading ? (
+                  <Loader2 className="h-4 w-4 animate-spin text-yellow-500" />
+                ) : providersError ? (
+                  <XCircle className="h-4 w-4 text-red-500" />
+                ) : (
+                  <CheckCircle2 className="h-4 w-4 text-green-500" />
+                )}
+              </div>
+              <div className="flex items-center justify-between">
+                <span>Connections API</span>
+                {connectionsLoading ? (
+                  <Loader2 className="h-4 w-4 animate-spin text-yellow-500" />
+                ) : connectionsError ? (
+                  <XCircle className="h-4 w-4 text-red-500" />
+                ) : (
+                  <CheckCircle2 className="h-4 w-4 text-green-500" />
+                )}
+              </div>
+              <div className="flex items-center justify-between">
+                <span>Providers Count</span>
+                <Badge variant="outline">{providers.length}</Badge>
+              </div>
+              <div className="flex items-center justify-between">
+                <span>Connections Count</span>
+                <Badge variant="outline">{connections.length}</Badge>
+              </div>
+            </div>
+          </DebugSection>
+
+          <DebugSection title="Environment">
+            <div className="text-xs font-mono space-y-1">
+              <div>
+                <span className="text-muted-foreground">API_URL: </span>
+                {process.env.NEXT_PUBLIC_API_URL || 'not set'}
+              </div>
+              <div>
+                <span className="text-muted-foreground">Current URL: </span>
+                {typeof window !== 'undefined' ? window.location.href : 'SSR'}
+              </div>
+            </div>
+          </DebugSection>
+
+          <DebugSection title="Quick Actions">
+            <div className="space-y-2">
+              <Button
+                size="sm"
+                variant="outline"
+                className="w-full justify-start"
+                onClick={() => {
+                  refreshProviders();
+                  refreshConnections();
+                  log('Refreshed all data');
+                }}
+              >
+                <RefreshCw className="h-3 w-3 mr-2" />
+                Refresh All
+              </Button>
+              <Button
+                size="sm"
+                variant="outline"
+                className="w-full justify-start"
+                onClick={() => setActionLog([])}
+              >
+                <Trash2 className="h-3 w-3 mr-2" />
+                Clear Log
+              </Button>
+            </div>
+          </DebugSection>
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/removeMember.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/removeMember.ts
index 012e36de1..104bcba8d 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/removeMember.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/removeMember.ts
@@ -278,7 +278,7 @@ export const removeMember = authActionClient
       }
 
       revalidatePath(`/${ctx.session.activeOrganizationId}/settings/users`);
-      revalidateTag(`user_${ctx.user.id}`);
+      revalidateTag(`user_${ctx.user.id}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/revokeInvitation.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/revokeInvitation.ts
index d826135a4..39793afa9 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/revokeInvitation.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/revokeInvitation.ts
@@ -75,7 +75,7 @@ export const revokeInvitation = authActionClient
       });
 
       revalidatePath(`/${ctx.session.activeOrganizationId}/settings/users`);
-      revalidateTag(`user_${ctx.user.id}`);
+      revalidateTag(`user_${ctx.user.id}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts
index cc6ce1e9a..25d337577 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts
+++ b/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts
@@ -149,7 +149,7 @@ export const updateMemberRole = authActionClient
       }
 
       revalidatePath(`/${orgId}/settings/users`);
-      revalidateTag(`user_${requestingUserId}`);
+      revalidateTag(`user_${requestingUserId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
index cfc421958..598702f50 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
@@ -132,18 +132,27 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
     setIsRemoveAlertOpen(false);
   };
 
+  const isDeactivated = member.deactivated;
+
   return (
     <>
-      <div className="hover:bg-muted/50 flex items-center justify-between p-4">
+      <div className={`hover:bg-muted/50 flex items-center justify-between p-4 ${isDeactivated ? 'opacity-60' : ''}`}>
         <div className="flex items-center gap-3 min-w-0 flex-1">
-          <Avatar className="flex-shrink-0">
+          <Avatar className={`flex-shrink-0 ${isDeactivated ? 'grayscale' : ''}`}>
             <AvatarImage src={memberAvatar || undefined} />
             <AvatarFallback>{getInitials(member.user.name, member.user.email)}</AvatarFallback>
           </Avatar>
           <div className="min-w-0 flex-1 gap-2">
             <div className="flex items-center flex-wrap gap-1.5">
-              <span className="truncate text-sm font-medium">{memberName}</span>
-              {(isEmployee || isContractor) && (
+              <span className={`truncate text-sm font-medium ${isDeactivated ? 'line-through text-muted-foreground' : ''}`}>
+                {memberName}
+              </span>
+              {isDeactivated && (
+                <Badge variant="outline" className="text-xs text-orange-600 border-orange-300 bg-orange-50">
+                  Deactivated
+                </Badge>
+              )}
+              {!isDeactivated && (isEmployee || isContractor) && (
                 <Link
                   href={`/${orgId}/people/${memberId}`}
                   className="text-xs text-blue-600 hover:underline flex-shrink-0"
@@ -158,7 +167,7 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
         <div className="flex items-center gap-2 flex-shrink-0">
           <div className="flex flex-wrap gap-1 max-w-[120px] sm:max-w-none">
             {currentRoles.map((role) => (
-              <Badge key={role} variant="secondary" className="text-xs whitespace-nowrap">
+              <Badge key={role} variant="secondary" className={`text-xs whitespace-nowrap ${isDeactivated ? 'opacity-50' : ''}`}>
                 {(() => {
                   switch (role) {
                     case 'owner':
@@ -179,6 +188,7 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
             ))}
           </div>
 
+          {!isDeactivated && (
           <DropdownMenu open={dropdownOpen} onOpenChange={setDropdownOpen}>
             <DropdownMenuTrigger asChild>
               <Button
@@ -266,6 +276,7 @@ export function MemberRow({ member, onRemove, onUpdateRole, canEdit }: MemberRow
               )}
             </DropdownMenuContent>
           </DropdownMenu>
+          )}
         </div>
       </div>
 
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
index ed20bda8b..12c9173e4 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembers.tsx
@@ -6,6 +6,7 @@ import { db } from '@db';
 import { headers } from 'next/headers';
 import { removeMember } from '../actions/removeMember';
 import { revokeInvitation } from '../actions/revokeInvitation';
+import { getEmployeeSyncConnections } from '../data/queries';
 import { TeamMembersClient } from './TeamMembersClient';
 
 export interface MemberWithUser extends Member {
@@ -42,19 +43,18 @@ export async function TeamMembers() {
   let pendingInvitations: Invitation[] = [];
 
   if (organizationId) {
+    // Fetch all members including deactivated ones
     const fetchedMembers = await db.member.findMany({
       where: {
         organizationId: organizationId,
-        deactivated: false,
       },
       include: {
         user: true,
       },
-      orderBy: {
-        user: {
-          email: 'asc',
-        },
-      },
+      orderBy: [
+        { deactivated: 'asc' }, // Active members first
+        { user: { email: 'asc' } },
+      ],
     });
 
     members = fetchedMembers;
@@ -75,6 +75,9 @@ export async function TeamMembers() {
     pendingInvitations: pendingInvitations,
   };
 
+  // Fetch employee sync connections server-side
+  const employeeSyncData = await getEmployeeSyncConnections(organizationId);
+
   return (
     <TeamMembersClient
       data={data}
@@ -82,6 +85,7 @@ export async function TeamMembers() {
       removeMemberAction={removeMember}
       revokeInvitationAction={revokeInvitation}
       canManageMembers={canManageMembers}
+      employeeSyncData={employeeSyncData}
     />
   );
 }
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
index 545542d8f..590a34230 100644
--- a/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
+++ b/apps/app/src/app/(app)/[orgId]/people/all/components/TeamMembersClient.tsx
@@ -1,6 +1,7 @@
 'use client';
 
-import { Mail, Search, UserPlus, X } from 'lucide-react';
+import { Loader2, Mail, Search, UserPlus, X } from 'lucide-react';
+import Image from 'next/image';
 import { useRouter } from 'next/navigation';
 import { parseAsString, useQueryState } from 'nuqs';
 import { useState } from 'react';
@@ -22,6 +23,8 @@ import type { MemberWithUser, TeamMembersData } from './TeamMembers';
 import type { removeMember } from '../actions/removeMember';
 import type { revokeInvitation } from '../actions/revokeInvitation';
 
+import type { EmployeeSyncConnectionsData } from '../data/queries';
+import { useEmployeeSync } from '../hooks/useEmployeeSync';
 import { InviteMembersModal } from './InviteMembersModal';
 
 // Define prop types using typeof for the actions still used
@@ -31,6 +34,7 @@ interface TeamMembersClientProps {
   removeMemberAction: typeof removeMember;
   revokeInvitationAction: typeof revokeInvitation;
   canManageMembers: boolean;
+  employeeSyncData: EmployeeSyncConnectionsData;
 }
 
 // Define a simplified type for merged list items
@@ -39,9 +43,10 @@ interface DisplayItem extends Partial<MemberWithUser>, Partial<Invitation> {
   displayName: string;
   displayEmail: string;
   displayRole: string | string[]; // Simplified role display, could be comma-separated
-  displayStatus: 'active' | 'pending';
+  displayStatus: 'active' | 'pending' | 'deactivated';
   displayId: string; // Use member.id or invitation.id
   processedRoles: Role[];
+  isDeactivated?: boolean;
 }
 
 export function TeamMembersClient({
@@ -50,14 +55,38 @@ export function TeamMembersClient({
   removeMemberAction,
   revokeInvitationAction,
   canManageMembers,
+  employeeSyncData,
 }: TeamMembersClientProps) {
   const router = useRouter();
   const [searchQuery, setSearchQuery] = useQueryState('search', parseAsString.withDefault(''));
   const [roleFilter, setRoleFilter] = useQueryState('role', parseAsString.withDefault('all'));
+  const [statusFilter, setStatusFilter] = useQueryState('status', parseAsString.withDefault('all'));
 
   // Add state for the modal
   const [isInviteModalOpen, setIsInviteModalOpen] = useState(false);
 
+  // Employee sync hook with server-fetched initial data
+  const {
+    googleWorkspaceConnectionId,
+    ripplingConnectionId,
+    selectedProvider,
+    isSyncing,
+    syncEmployees,
+    hasAnyConnection,
+    getProviderName,
+    getProviderLogo,
+  } = useEmployeeSync({ organizationId, initialData: employeeSyncData });
+
+  const lastSyncAt = employeeSyncData.lastSyncAt;
+  const nextSyncAt = employeeSyncData.nextSyncAt;
+
+  const handleEmployeeSync = async (provider: 'google-workspace' | 'rippling') => {
+    const result = await syncEmployees(provider);
+    if (result?.success) {
+      router.refresh();
+    }
+  };
+
   // Combine and type members and invitations for filtering/display
   const allItems: DisplayItem[] = [
     ...data.members.map((member) => {
@@ -75,10 +104,11 @@ export function TeamMembersClient({
         displayName: member.user.name || member.user.email || '',
         displayEmail: member.user.email || '',
         displayRole: member.role, // Keep original for filtering
-        displayStatus: 'active' as const,
+        displayStatus: member.deactivated ? ('deactivated' as const) : ('active' as const),
         displayId: member.id,
         // Add processed roles for rendering
         processedRoles: roles,
+        isDeactivated: member.deactivated,
       };
     }),
     ...data.pendingInvitations.map((invitation) => {
@@ -109,12 +139,18 @@ export function TeamMembersClient({
       item.displayName.toLowerCase().includes(searchQuery.toLowerCase()) ||
       item.displayEmail.toLowerCase().includes(searchQuery.toLowerCase());
 
-    const matchesRole =
-      roleFilter === 'all' ||
-      (item.type === 'member' && item.role === roleFilter) ||
-      (item.type === 'invitation' && item.role === roleFilter);
+    // Check if the role filter matches any of the member's roles
+    const matchesRole = roleFilter === 'all' || item.processedRoles.includes(roleFilter as Role);
+
+    // Status filter: 'active' shows non-deactivated members + pending invitations
+    // 'deactivated' shows only deactivated members
+    // 'all' shows everything
+    const matchesStatus =
+      statusFilter === 'all' ||
+      (statusFilter === 'active' && item.displayStatus !== 'deactivated') ||
+      (statusFilter === 'deactivated' && item.displayStatus === 'deactivated');
 
-    return matchesSearch && matchesRole;
+    return matchesSearch && matchesRole && matchesStatus;
   });
 
   const activeMembers = filteredItems.filter((item) => item.type === 'member');
@@ -158,7 +194,7 @@ export function TeamMembersClient({
     const member = data.members.find((m) => m.id === memberId);
 
     // Client-side check (optional, robust check should be server-side in authClient)
-    const memberRoles = member?.role?.split(',').map(r => r.trim()) ?? [];
+    const memberRoles = member?.role?.split(',').map((r) => r.trim()) ?? [];
     if (member && memberRoles.includes('owner') && !rolesArray.includes('owner')) {
       // Show toast error directly, no need to return an error object
       toast.error('The Owner role cannot be removed.');
@@ -219,6 +255,20 @@ export function TeamMembersClient({
             </Button>
           )}
         </div>
+        {/* Status Filter Select */}
+        <Select
+          value={statusFilter}
+          onValueChange={(value) => setStatusFilter(value === 'all' ? null : value)}
+        >
+          <SelectTrigger className="hidden w-[140px] sm:flex">
+            <SelectValue placeholder={'All People'} />
+          </SelectTrigger>
+          <SelectContent>
+            <SelectItem value="all">{'All People'}</SelectItem>
+            <SelectItem value="active">{'Active'}</SelectItem>
+            <SelectItem value="deactivated">{'Deactivated'}</SelectItem>
+          </SelectContent>
+        </Select>
         {/* Role Filter Select: Hidden on mobile, block on sm+ */}
         <Select
           value={roleFilter}
@@ -235,6 +285,97 @@ export function TeamMembersClient({
             <SelectItem value="employee">{'Employee'}</SelectItem>
           </SelectContent>
         </Select>
+        {hasAnyConnection && (
+          <div className="flex items-center gap-2">
+            <Select
+              onValueChange={(value) =>
+                handleEmployeeSync(value as 'google-workspace' | 'rippling')
+              }
+              disabled={isSyncing || !canManageMembers}
+            >
+              <SelectTrigger className="w-[200px]">
+                {isSyncing ? (
+                  <>
+                    <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                    Syncing...
+                  </>
+                ) : selectedProvider ? (
+                  <div className="flex items-center gap-2">
+                    <Image
+                      src={getProviderLogo(selectedProvider)}
+                      alt={getProviderName(selectedProvider)}
+                      width={16}
+                      height={16}
+                      className="rounded-sm"
+                      unoptimized
+                    />
+                    <span className="truncate">{getProviderName(selectedProvider)}</span>
+                  </div>
+                ) : (
+                  <SelectValue placeholder="Select sync source" />
+                )}
+              </SelectTrigger>
+              <SelectContent>
+                <div className="px-2 py-1.5 text-xs text-muted-foreground space-y-1">
+                  {selectedProvider ? (
+                    <>
+                      <div>Auto-syncs daily at 7 AM UTC</div>
+                      {lastSyncAt && (
+                        <div className="text-xs text-muted-foreground/80">
+                          Last sync: {new Date(lastSyncAt).toLocaleString()}
+                        </div>
+                      )}
+                      {nextSyncAt && (
+                        <div className="text-xs text-muted-foreground/80">
+                          Next sync: {new Date(nextSyncAt).toLocaleString()}
+                        </div>
+                      )}
+                    </>
+                  ) : (
+                    'Select a provider to enable auto-sync'
+                  )}
+                </div>
+                <Separator className="my-1" />
+                {googleWorkspaceConnectionId && (
+                  <SelectItem value="google-workspace">
+                    <div className="flex items-center gap-2">
+                      <Image
+                        src={getProviderLogo('google-workspace')}
+                        alt="Google"
+                        width={16}
+                        height={16}
+                        className="rounded-sm"
+                        unoptimized
+                      />
+                      Google Workspace
+                      {selectedProvider === 'google-workspace' && (
+                        <span className="ml-auto text-xs text-muted-foreground">Active</span>
+                      )}
+                    </div>
+                  </SelectItem>
+                )}
+                {ripplingConnectionId && (
+                  <SelectItem value="rippling">
+                    <div className="flex items-center gap-2">
+                      <Image
+                        src={getProviderLogo('rippling')}
+                        alt="Rippling"
+                        width={16}
+                        height={16}
+                        className="rounded-sm"
+                        unoptimized
+                      />
+                      Rippling
+                      {selectedProvider === 'rippling' && (
+                        <span className="ml-auto text-xs text-muted-foreground">Active</span>
+                      )}
+                    </div>
+                  </SelectItem>
+                )}
+              </SelectContent>
+            </Select>
+          </div>
+        )}
         <Button onClick={() => setIsInviteModalOpen(true)} disabled={!canManageMembers}>
           <UserPlus className="h-4 w-4" />
           {'Add User'}
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/data/queries.ts b/apps/app/src/app/(app)/[orgId]/people/all/data/queries.ts
new file mode 100644
index 000000000..4bf48380c
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/all/data/queries.ts
@@ -0,0 +1,55 @@
+import { serverApi } from '@/lib/server-api-client';
+
+export interface EmployeeSyncConnectionsData {
+  googleWorkspaceConnectionId: string | null;
+  ripplingConnectionId: string | null;
+  selectedProvider: 'google-workspace' | 'rippling' | null | undefined;
+  lastSyncAt: Date | null;
+  nextSyncAt: Date | null;
+}
+
+interface ConnectionStatus {
+  connected: boolean;
+  connectionId: string | null;
+  lastSyncAt?: string | null;
+  nextSyncAt?: string | null;
+}
+
+export async function getEmployeeSyncConnections(
+  organizationId: string,
+): Promise<EmployeeSyncConnectionsData> {
+  const [gwResponse, ripplingResponse, providerResponse] = await Promise.all([
+    serverApi.post<ConnectionStatus>(
+      `/v1/integrations/sync/google-workspace/status?organizationId=${organizationId}`,
+    ),
+    serverApi.post<ConnectionStatus>(
+      `/v1/integrations/sync/rippling/status?organizationId=${organizationId}`,
+    ),
+    serverApi.get<{ provider: 'google-workspace' | 'rippling' | null }>(
+      `/v1/integrations/sync/employee-sync-provider?organizationId=${organizationId}`,
+    ),
+  ]);
+
+  // Get sync times from the selected provider's connection
+  const selectedProviderSlug = providerResponse.data?.provider;
+  const selectedConnection =
+    selectedProviderSlug === 'google-workspace'
+      ? gwResponse.data
+      : selectedProviderSlug === 'rippling'
+        ? ripplingResponse.data
+        : null;
+
+  return {
+    googleWorkspaceConnectionId:
+      gwResponse.data?.connected && gwResponse.data.connectionId
+        ? gwResponse.data.connectionId
+        : null,
+    ripplingConnectionId:
+      ripplingResponse.data?.connected && ripplingResponse.data.connectionId
+        ? ripplingResponse.data.connectionId
+        : null,
+    selectedProvider: selectedProviderSlug,
+    lastSyncAt: selectedConnection?.lastSyncAt ? new Date(selectedConnection.lastSyncAt) : null,
+    nextSyncAt: selectedConnection?.nextSyncAt ? new Date(selectedConnection.nextSyncAt) : null,
+  };
+}
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/hooks/useEmployeeSync.ts b/apps/app/src/app/(app)/[orgId]/people/all/hooks/useEmployeeSync.ts
new file mode 100644
index 000000000..cc0e76321
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/people/all/hooks/useEmployeeSync.ts
@@ -0,0 +1,160 @@
+'use client';
+
+import { apiClient } from '@/lib/api-client';
+import { useState } from 'react';
+import { toast } from 'sonner';
+import useSWR from 'swr';
+
+import type { EmployeeSyncConnectionsData } from '../data/queries';
+
+type SyncProvider = 'google-workspace' | 'rippling';
+
+interface SyncResult {
+  success: boolean;
+  totalFound: number;
+  imported: number;
+  reactivated: number;
+  deactivated: number;
+  skipped: number;
+  errors: number;
+}
+
+interface UseEmployeeSyncOptions {
+  organizationId: string;
+  initialData: EmployeeSyncConnectionsData;
+}
+
+interface UseEmployeeSyncReturn {
+  googleWorkspaceConnectionId: string | null;
+  ripplingConnectionId: string | null;
+  selectedProvider: SyncProvider | null;
+  isSyncing: boolean;
+  syncEmployees: (provider: SyncProvider) => Promise<SyncResult | null>;
+  setSyncProvider: (provider: SyncProvider | null) => Promise<void>;
+  hasAnyConnection: boolean;
+  getProviderName: (provider: SyncProvider) => string;
+  getProviderLogo: (provider: SyncProvider) => string;
+}
+
+const PROVIDER_CONFIG = {
+  'google-workspace': {
+    name: 'Google Workspace',
+    shortName: 'Google',
+    logo: 'https://img.logo.dev/google.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ&format=png&retina=true',
+  },
+  rippling: {
+    name: 'Rippling',
+    shortName: 'Rippling',
+    logo: 'https://img.logo.dev/rippling.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ&format=png&retina=true',
+  },
+} as const;
+
+export const useEmployeeSync = ({
+  organizationId,
+  initialData,
+}: UseEmployeeSyncOptions): UseEmployeeSyncReturn => {
+  const [isSyncing, setIsSyncing] = useState(false);
+
+  const { data, mutate } = useSWR<EmployeeSyncConnectionsData>(
+    ['employee-sync-connections', organizationId],
+    null, // No fetcher - we only update via mutate
+    { fallbackData: initialData, revalidateOnFocus: false, revalidateOnMount: false },
+  );
+
+  const googleWorkspaceConnectionId = data?.googleWorkspaceConnectionId ?? null;
+  const ripplingConnectionId = data?.ripplingConnectionId ?? null;
+  const selectedProvider = data?.selectedProvider ?? null;
+
+  const setSyncProvider = async (provider: SyncProvider | null) => {
+    try {
+      await apiClient.post(
+        `/v1/integrations/sync/employee-sync-provider?organizationId=${organizationId}`,
+        { provider },
+      );
+
+      // Update cache optimistically
+      mutate({ ...data!, selectedProvider: provider }, false);
+
+      if (provider) {
+        toast.success(`${PROVIDER_CONFIG[provider].name} set as your employee sync provider`);
+      }
+    } catch (error) {
+      toast.error('Failed to set sync provider');
+      throw error;
+    }
+  };
+
+  const syncEmployees = async (provider: SyncProvider): Promise<SyncResult | null> => {
+    const connectionId =
+      provider === 'google-workspace' ? googleWorkspaceConnectionId : ripplingConnectionId;
+
+    if (!connectionId) {
+      toast.error(`${PROVIDER_CONFIG[provider].name} is not connected`);
+      return null;
+    }
+
+    setIsSyncing(true);
+    const config = PROVIDER_CONFIG[provider];
+
+    try {
+      // Set as sync provider if not already
+      if (selectedProvider !== provider) {
+        await setSyncProvider(provider);
+      }
+
+      const response = await apiClient.post<SyncResult>(
+        `/v1/integrations/sync/${provider}/employees?organizationId=${organizationId}&connectionId=${connectionId}`,
+      );
+
+      if (response.data?.success) {
+        const { imported, reactivated, deactivated, skipped, errors } = response.data;
+
+        if (imported > 0) {
+          toast.success(`Imported ${imported} new employee${imported > 1 ? 's' : ''}`);
+        }
+        if (reactivated > 0) {
+          toast.success(`Reactivated ${reactivated} employee${reactivated > 1 ? 's' : ''}`);
+        }
+        if (deactivated > 0) {
+          toast.info(
+            `Deactivated ${deactivated} employee${deactivated > 1 ? 's' : ''} (no longer in ${config.name})`,
+          );
+        }
+        if (imported === 0 && reactivated === 0 && deactivated === 0 && skipped > 0) {
+          toast.info('All employees are already synced');
+        }
+        if (errors > 0) {
+          toast.warning(`${errors} employee${errors > 1 ? 's' : ''} failed to sync`);
+        }
+
+        return response.data;
+      }
+
+      if (response.error) {
+        toast.error(response.error);
+      }
+
+      return null;
+    } catch (error) {
+      toast.error(`Failed to sync employees from ${config.name}`);
+      return null;
+    } finally {
+      setIsSyncing(false);
+    }
+  };
+
+  const getProviderName = (provider: SyncProvider) => PROVIDER_CONFIG[provider].shortName;
+  const getProviderLogo = (provider: SyncProvider) => PROVIDER_CONFIG[provider].logo;
+
+  return {
+    googleWorkspaceConnectionId,
+    ripplingConnectionId,
+    selectedProvider,
+    isSyncing,
+    syncEmployees,
+    setSyncProvider,
+    hasAnyConnection: !!(googleWorkspaceConnectionId || ripplingConnectionId),
+    getProviderName,
+    getProviderLogo,
+  };
+};
diff --git a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/regenerate-policy.ts b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/regenerate-policy.ts
index 9f98bcd28..3e5b70f4e 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/regenerate-policy.ts
+++ b/apps/app/src/app/(app)/[orgId]/policies/[policyId]/actions/regenerate-policy.ts
@@ -1,7 +1,7 @@
 'use server';
 
 import { authActionClient } from '@/actions/safe-action';
-import { updatePolicy } from '@/jobs/tasks/onboarding/update-policy';
+import { updatePolicy } from '@/trigger/tasks/onboarding/update-policy';
 import { db } from '@db';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
diff --git a/apps/app/src/app/(app)/[orgId]/policies/all/actions/regenerate-full-policies.ts b/apps/app/src/app/(app)/[orgId]/policies/all/actions/regenerate-full-policies.ts
index bf50ef88b..0498cfb42 100644
--- a/apps/app/src/app/(app)/[orgId]/policies/all/actions/regenerate-full-policies.ts
+++ b/apps/app/src/app/(app)/[orgId]/policies/all/actions/regenerate-full-policies.ts
@@ -1,7 +1,7 @@
 'use server';
 
 import { authActionClient } from '@/actions/safe-action';
-import { generateFullPolicies } from '@/jobs/tasks/onboarding/generate-full-policies';
+import { generateFullPolicies } from '@/trigger/tasks/onboarding/generate-full-policies';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
 
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
index 1c680072e..da6d9d28b 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/hooks/useQuestionnaireParse.ts
@@ -53,7 +53,12 @@ export function useQuestionnaireParse({
   }, [autoAnswerToken, setAutoAnswerToken]);
 
   const executeUploadAndParse = useCallback(
-    async (input: { fileName: string; fileType: string; fileData: string; organizationId: string }) => {
+    async (input: {
+      fileName: string;
+      fileType: string;
+      fileData: string;
+      organizationId: string;
+    }) => {
       // Cancel any previous request
       if (abortControllerRef.current) {
         abortControllerRef.current.abort();
@@ -74,13 +79,13 @@ export function useQuestionnaireParse({
             source: 'internal',
           },
           input.organizationId,
-  );
+        );
 
         if (response.error || !response.data) {
-      setIsParseProcessStarted(false);
+          setIsParseProcessStarted(false);
           toast.error(response.error || 'Failed to parse questionnaire');
-        return;
-      }
+          return;
+        }
 
         const { questionnaireId, totalQuestions } = response.data;
         setQuestionnaireId(questionnaireId);
@@ -113,7 +118,12 @@ export function useQuestionnaireParse({
   // Simulated action objects to maintain compatibility with existing code
   const uploadFileAction = {
     status: uploadStatus,
-    execute: (input: { fileName: string; fileType: string; fileData: string; organizationId: string }) => {
+    execute: (input: {
+      fileName: string;
+      fileType: string;
+      fileData: string;
+      organizationId: string;
+    }) => {
       executeUploadAndParse(input);
     },
   };
diff --git a/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
index 4347ba491..97ad02a88 100644
--- a/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
+++ b/apps/app/src/app/(app)/[orgId]/questionnaire/knowledge-base/additional-documents/hooks/useDocumentProcessing.ts
@@ -1,7 +1,7 @@
 'use client';
 
 import { useRealtimeRun } from '@trigger.dev/react-hooks';
-import { useCallback, useRef, useEffect } from 'react';
+import { useCallback, useEffect, useRef } from 'react';
 
 interface UseDocumentProcessingOptions {
   processingRunId?: string | null;
@@ -14,7 +14,7 @@ interface UseDocumentProcessingOptions {
 
 /**
  * Hook to track document processing and deletion runs using Trigger.dev realtime
- * 
+ *
  * The tokens should be obtained from the API response (e.g., from processDocuments or deleteDocument endpoints)
  * which return `publicAccessToken` along with the `runId`.
  */
@@ -43,7 +43,7 @@ export function useDocumentProcessing({
   const handleProcessingComplete = useCallback(() => {
     onProcessingCompleteRef.current?.();
   }, []);
-  
+
   const handleDeletionComplete = useCallback(() => {
     onDeletionCompleteRef.current?.();
   }, []);
@@ -63,10 +63,10 @@ export function useDocumentProcessing({
   });
 
   // Check if processing is active (handle orchestrator child tasks)
-  const isProcessing = processingRun 
+  const isProcessing = processingRun
     ? ['EXECUTING', 'QUEUED', 'PENDING', 'WAITING'].includes(processingRun.status)
     : false;
-    
+
   const isDeleting = deletionRun
     ? ['EXECUTING', 'QUEUED', 'PENDING', 'WAITING'].includes(deletionRun.status)
     : false;
diff --git a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts
index 0c5565b14..6868c1bb8 100644
--- a/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts
+++ b/apps/app/src/app/(app)/[orgId]/risk/[riskId]/actions/regenerate-risk-mitigation.ts
@@ -1,11 +1,11 @@
 'use server';
 
 import { authActionClient } from '@/actions/safe-action';
-import { generateRiskMitigation } from '@/jobs/tasks/onboarding/generate-risk-mitigation';
+import { generateRiskMitigation } from '@/trigger/tasks/onboarding/generate-risk-mitigation';
 import {
   findCommentAuthor,
   type PolicyContext,
-} from '@/jobs/tasks/onboarding/onboard-organization-helpers';
+} from '@/trigger/tasks/onboarding/onboard-organization-helpers';
 import { db } from '@db';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/actions/delete-task.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/actions/delete-task.ts
index c5950816b..622041b72 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/actions/delete-task.ts
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/actions/delete-task.ts
@@ -54,7 +54,7 @@ export const deleteTaskAction = authActionClient
       // Revalidate paths to update UI
       revalidatePath(`/${activeOrganizationId}/tasks`);
       revalidatePath(`/${activeOrganizationId}/tasks/all`);
-      revalidateTag('tasks');
+      revalidateTag('tasks', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
index 68fe52095..9cc3afeb8 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
@@ -36,8 +36,10 @@ import { Comments } from '../../../../../../components/comments/Comments';
 import { updateTask } from '../../actions/updateTask';
 import { useTask } from '../hooks/use-task';
 import { useTaskAutomations } from '../hooks/use-task-automations';
+import { useTaskIntegrationChecks } from '../hooks/use-task-integration-checks';
 import { TaskAutomations } from './TaskAutomations';
 import { TaskDeleteDialog } from './TaskDeleteDialog';
+import { TaskIntegrationChecks } from './TaskIntegrationChecks';
 import { TaskMainContent } from './TaskMainContent';
 import { TaskPropertiesSidebar } from './TaskPropertiesSidebar';
 
@@ -66,6 +68,7 @@ export function SingleTask({ initialTask, initialAutomations }: SingleTaskProps)
   const { automations } = useTaskAutomations({
     initialData: initialAutomations,
   });
+  const { hasMappedChecks } = useTaskIntegrationChecks();
 
   const [deleteDialogOpen, setDeleteDialogOpen] = useState(false);
   const [isRegenerateConfirmOpen, setRegenerateConfirmOpen] = useState(false);
@@ -185,16 +188,17 @@ export function SingleTask({ initialTask, initialAutomations }: SingleTaskProps)
             </div>
           </div>
 
-          {/* Automations Section - Front & Center */}
-          <div>
-            <TaskAutomations automations={automations || []} />
-          </div>
-
-          {/* Attachments - De-emphasized */}
+          {/* Attachments */}
           <div className="space-y-3">
             <TaskMainContent task={task} showComments={false} />
           </div>
 
+          {/* Integration Checks Section */}
+          <TaskIntegrationChecks taskId={task.id} onTaskUpdated={() => mutateTask()} />
+
+          {/* Custom Automations Section - only show if no mapped integration checks available */}
+          {!hasMappedChecks && <TaskAutomations automations={automations || []} />}
+
           {/* Comments Section */}
           <div>
             <Comments
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
index 139a9448f..59b9a2ef2 100644
--- a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskAutomations.tsx
@@ -1,21 +1,23 @@
 'use client';
 
 import { cn } from '@/lib/utils';
-import { Button } from '@comp/ui/button';
-import { Separator } from '@comp/ui/separator';
 import { EvidenceAutomation, EvidenceAutomationRun } from '@db';
 import { formatDistanceToNow } from 'date-fns';
 import { ArrowRight, Brain, CheckCircle2, Loader2, Plus, TrendingUp, XCircle } from 'lucide-react';
 import Link from 'next/link';
 import { useParams, useRouter } from 'next/navigation';
-import { useEffect, useRef, useState } from 'react';
+import { useState } from 'react';
 import { useTaskAutomations } from '../hooks/use-task-automations';
 
 type AutomationWithLatestRun = EvidenceAutomation & {
   runs: EvidenceAutomationRun[];
 };
 
-export const TaskAutomations = ({ automations }: { automations: AutomationWithLatestRun[] }) => {
+interface TaskAutomationsProps {
+  automations: AutomationWithLatestRun[];
+}
+
+export const TaskAutomations = ({ automations }: TaskAutomationsProps) => {
   const { orgId, taskId } = useParams<{ orgId: string; taskId: string }>();
   const router = useRouter();
   const [isCreating, setIsCreating] = useState(false);
@@ -27,340 +29,238 @@ export const TaskAutomations = ({ automations }: { automations: AutomationWithLa
     router.push(`/${orgId}/tasks/${taskId}/automation/new`);
   };
 
-  return (
-    <div className="space-y-5">
-      <div className="flex items-center gap-2">
-        <Brain className="h-3.5 w-3.5 text-primary" />
-        <h3 className="text-[10px] font-semibold text-foreground uppercase tracking-[0.15em]">
-          Automated Evidence Collection
-        </h3>
+  // If there are no automations, show a prominent empty state card
+  if (automations.length === 0) {
+    return (
+      <div className="rounded-lg border border-border bg-card overflow-hidden">
+        <div className="px-5 py-4 border-b border-border">
+          <div className="flex items-center gap-2.5">
+            <div className="p-1.5 rounded-md bg-muted">
+              <Brain className="h-4 w-4 text-primary" />
+            </div>
+            <div>
+              <h3 className="text-sm font-semibold text-foreground">Custom Automations</h3>
+              <p className="text-xs text-muted-foreground">Build AI-powered automations for this task</p>
+            </div>
+          </div>
+        </div>
+        <div className="p-5">
+          <button
+            onClick={handleCreateAutomation}
+            className="w-full flex items-center gap-4 p-4 rounded-lg border border-dashed border-border hover:border-primary/50 hover:bg-primary/5 transition-all group text-left"
+          >
+            <div className="w-10 h-10 rounded-lg bg-primary/10 flex items-center justify-center group-hover:bg-primary/20 transition-colors shrink-0">
+              <Plus className="w-5 h-5 text-primary" />
+            </div>
+            <div className="flex-1 min-w-0">
+              <p className="text-sm font-medium text-foreground group-hover:text-primary transition-colors">
+                Create Custom Automation
+              </p>
+              <p className="text-xs text-muted-foreground mt-0.5">
+                Use AI to build automated evidence collection tailored to your needs
+              </p>
+            </div>
+            <ArrowRight className="w-5 h-5 text-muted-foreground group-hover:text-primary transition-colors shrink-0" />
+          </button>
+        </div>
       </div>
+    );
+  }
 
-      <div>
-        {automations.length === 0 ? (
-          <AutomationEmptyState onCreate={handleCreateAutomation} isCreating={isCreating} />
-        ) : (
-          <div className="space-y-4">
-            {/* Automation Metrics Summary */}
-            {(() => {
-              const enabledAutomations = automations.filter((a) => a.isEnabled);
-              const allRuns = automations.flatMap((a) => a.runs.filter((r) => r.version !== null));
+  // Calculate next scheduled run (daily at 9 AM UTC)
+  const getNextScheduledRun = () => {
+    const now = new Date();
+    let nextRun = new Date();
+    nextRun.setUTCHours(9, 0, 0, 0); // 9:00 AM UTC
 
-              const totalRuns = allRuns.length;
-              const successfulRuns = allRuns.filter(
-                (r) => r.status === 'completed' && r.success && r.evaluationStatus !== 'fail',
-              ).length;
-              const failedRuns = allRuns.filter(
-                (r) => r.status === 'failed' || r.evaluationStatus === 'fail',
-              ).length;
-              const runningRuns = allRuns.filter((r) => r.status === 'running').length;
+    // If we're past 9 AM UTC today, schedule for tomorrow
+    if (nextRun <= now) {
+      nextRun.setDate(nextRun.getDate() + 1);
+    }
 
-              const successRate =
-                totalRuns > 0 ? Math.round((successfulRuns / totalRuns) * 100) : 0;
+    return nextRun;
+  };
 
-              const latestRun = allRuns.sort(
-                (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime(),
-              )[0];
+  const enabledAutomations = automations.filter((a) => a.isEnabled);
+  const nextRun = enabledAutomations.length > 0 ? getNextScheduledRun() : null;
 
-              const healthyCount = automations.filter((a) => {
-                if (!a.isEnabled) return false;
-                const run = a.runs.find((r) => r.version !== null);
-                return (
-                  run &&
-                  run.status === 'completed' &&
-                  run.success &&
-                  run.evaluationStatus !== 'fail'
-                );
-              }).length;
+  // If there are automations, show the full card
+  return (
+    <div className="rounded-lg border border-border bg-card overflow-hidden">
+      {/* Card Header */}
+      <div className="px-5 py-4 border-b border-border">
+        <div className="flex items-center justify-between">
+          <div className="flex items-center gap-2.5">
+            <div className="p-1.5 rounded-md bg-muted">
+              <Brain className="h-4 w-4 text-primary" />
+            </div>
+            <div>
+              <h3 className="text-sm font-semibold text-foreground">Custom Automations</h3>
+              <p className="text-xs text-muted-foreground">Created with the help of an AI agent</p>
+            </div>
+          </div>
+          {nextRun && (
+            <div className="text-right">
+              <div className="text-[10px] text-muted-foreground uppercase tracking-wide">
+                Next run
+              </div>
+              <div className="text-sm font-medium text-foreground">
+                {formatDistanceToNow(nextRun, { addSuffix: true })}
+              </div>
+            </div>
+          )}
+        </div>
+      </div>
 
-              const errorCount = automations.filter((a) => {
-                if (!a.isEnabled) return false;
-                const run = a.runs.find((r) => r.version !== null);
-                return run && (run.status === 'failed' || run.evaluationStatus === 'fail');
-              }).length;
+      {/* Card Content */}
+      <div className="p-5">
+        <div className="space-y-4">
+          {/* Automation Metrics Summary */}
+          {(() => {
+            const allRuns = automations.flatMap((a) => a.runs.filter((r) => r.version !== null));
+
+            const totalRuns = allRuns.length;
+            const successfulRuns = allRuns.filter(
+              (r) => r.status === 'completed' && r.success && r.evaluationStatus !== 'fail',
+            ).length;
+            const failedRuns = allRuns.filter(
+              (r) => r.status === 'failed' || r.evaluationStatus === 'fail',
+            ).length;
+
+            const successRate = totalRuns > 0 ? Math.round((successfulRuns / totalRuns) * 100) : 0;
+
+            if (totalRuns === 0) return null;
+
+            return (
+              <div className="grid grid-cols-2 lg:grid-cols-3 gap-4">
+                {/* Total Runs */}
+                <div className="space-y-1.5">
+                  <div className="flex items-center gap-2">
+                    <TrendingUp className="h-3.5 w-3.5 text-muted-foreground" />
+                    <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                      Total Runs
+                    </span>
+                  </div>
+                  <div className="text-xl font-semibold text-foreground tabular-nums">
+                    {totalRuns}
+                  </div>
+                </div>
 
-              return (
-                <div className="border-t border-border/50 pt-4">
-                  <div className="grid grid-cols-2 lg:grid-cols-4 gap-4">
-                    {/* Total Runs */}
-                    <div className="space-y-1.5">
-                      <div className="flex items-center gap-2">
-                        <TrendingUp className="h-3.5 w-3.5 text-muted-foreground" />
-                        <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
-                          Total Runs
-                        </span>
-                      </div>
-                      <div className="text-xl font-semibold text-foreground tabular-nums">
-                        {totalRuns}
-                      </div>
+                {/* Success Rate */}
+                <div className="space-y-1.5">
+                  <div className="flex items-center gap-2">
+                    <CheckCircle2 className="h-3.5 w-3.5 text-primary" />
+                    <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                      Success Rate
+                    </span>
+                  </div>
+                  <div className="flex items-baseline gap-2">
+                    <div className="text-xl font-semibold text-foreground tabular-nums">
+                      {successRate}%
                     </div>
-
-                    {/* Success Rate */}
-                    {totalRuns > 0 && (
-                      <div className="space-y-1.5">
-                        <div className="flex items-center gap-2">
-                          <CheckCircle2 className="h-3.5 w-3.5 text-primary" />
-                          <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
-                            Success Rate
-                          </span>
-                        </div>
-                        <div className="flex items-baseline gap-2">
-                          <div className="text-xl font-semibold text-foreground tabular-nums">
-                            {successRate}%
-                          </div>
-                          <div className="flex-1 max-w-[60px] bg-muted/50 h-1 rounded-full overflow-hidden">
-                            <div
-                              className="bg-primary h-full transition-all duration-500"
-                              style={{ width: `${successRate}%` }}
-                            />
-                          </div>
-                        </div>
-                      </div>
-                    )}
-
-                    {/* Running */}
-                    {runningRuns > 0 && (
-                      <div className="space-y-1.5">
-                        <div className="flex items-center gap-2">
-                          <Loader2 className="h-3.5 w-3.5 text-blue-500 animate-spin" />
-                          <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
-                            Active
-                          </span>
-                        </div>
-                        <div className="text-xl font-semibold text-blue-500 tabular-nums">
-                          {runningRuns}
-                        </div>
-                      </div>
-                    )}
-
-                    {/* Health Status */}
-                    <div className="space-y-1.5">
-                      <div className="flex items-center gap-2">
-                        {errorCount > 0 ? (
-                          <XCircle className="h-3.5 w-3.5 text-destructive" />
-                        ) : healthyCount > 0 ? (
-                          <CheckCircle2 className="h-3.5 w-3.5 text-primary" />
-                        ) : (
-                          <div className="h-3.5 w-3.5 rounded-full bg-muted-foreground/30" />
-                        )}
-                        <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
-                          Health
-                        </span>
-                      </div>
-                      <div className="text-xl font-semibold text-foreground tabular-nums">
-                        {healthyCount > 0 && <span className="text-primary">{healthyCount}</span>}
-                        {healthyCount > 0 && errorCount > 0 && (
-                          <span className="text-muted-foreground/50 mx-1">/</span>
-                        )}
-                        {errorCount > 0 && <span className="text-destructive">{errorCount}</span>}
-                        {healthyCount === 0 && errorCount === 0 && (
-                          <span className="text-muted-foreground/50">—</span>
-                        )}
-                      </div>
+                    <div className="flex-1 max-w-[60px] bg-muted/50 h-1 rounded-full overflow-hidden">
+                      <div
+                        className="bg-primary h-full transition-all duration-500"
+                        style={{ width: `${successRate}%` }}
+                      />
                     </div>
                   </div>
                 </div>
-              );
-            })()}
 
-            <div className="space-y-1">
-              {automations.map((automation, idx) => {
-                // Show only the latest version run (ignore draft runs)
-                const latestVersionRun = automation.runs.find((run) => run.version !== null);
-
-                const runStatus = latestVersionRun?.status;
-                const lastRan = latestVersionRun?.createdAt
-                  ? formatDistanceToNow(new Date(latestVersionRun.createdAt), { addSuffix: true })
-                  : null;
-                const runVersion = latestVersionRun?.version;
-
-                // Determine dot color: red if failed, primary if enabled, gray if disabled
-                const hasFailed =
-                  latestVersionRun &&
-                  (runStatus === 'failed' || latestVersionRun.evaluationStatus === 'fail');
-                const dotColor = hasFailed
-                  ? 'bg-destructive'
-                  : automation.isEnabled
-                    ? 'bg-primary'
-                    : 'bg-muted-foreground';
-
-                return (
-                  <div key={automation.id}>
-                    {idx > 0 && <Separator className="my-2" />}
-                    <Link
-                      href={`/${orgId}/tasks/${taskId}/automations/${automation.id}/overview`}
-                      className={cn(
-                        'flex flex-row items-center justify-between py-2.5 px-1',
-                        'hover:bg-muted/30 transition-colors',
-                        'cursor-pointer group',
-                      )}
-                    >
-                      <div className="flex-1 min-w-0">
-                        <div className="flex items-center gap-3">
-                          <div
-                            className={`h-2 w-2 rounded-full flex-shrink-0 ${dotColor} ${automation.isEnabled && !hasFailed ? 'animate-pulse' : ''}`}
-                          />
-                          <p className="font-semibold text-foreground text-sm tracking-tight">
-                            {automation.name}
-                          </p>
-                        </div>
-                        {latestVersionRun && lastRan ? (
-                          <p className="text-xs text-muted-foreground/80 mt-1 ml-5 font-mono tabular-nums">
-                            Last ran {lastRan} (v{runVersion})
-                          </p>
-                        ) : (
-                          <p className="text-xs text-muted-foreground/80 mt-1 ml-5">
-                            No published runs yet
-                          </p>
-                        )}
-                      </div>
-                      <ArrowRight className="w-4 h-4 flex-shrink-0 text-muted-foreground group-hover:text-foreground transition-colors" />
-                    </Link>
+                {/* Issues */}
+                {failedRuns > 0 && (
+                  <div className="space-y-1.5">
+                    <div className="flex items-center gap-2">
+                      <XCircle className="h-3.5 w-3.5 text-destructive" />
+                      <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                        Issues
+                      </span>
+                    </div>
+                    <div className="text-xl font-semibold text-destructive tabular-nums">
+                      {failedRuns}
+                    </div>
                   </div>
-                );
-              })}
-            </div>
-
-            {automations.length > 0 && <Separator className="my-3" />}
-
-            <Button
-              variant="ghost"
-              size="sm"
-              className="w-full text-xs"
-              onClick={handleCreateAutomation}
-              disabled={isCreating}
-            >
-              {isCreating ? (
-                <>
-                  <Loader2 className="w-3.5 h-3.5 mr-2 animate-spin" />
-                  Creating...
-                </>
-              ) : (
-                <>
-                  <Plus className="w-3.5 h-3.5 mr-2" />
-                  Create Another
-                </>
-              )}
-            </Button>
-          </div>
-        )}
-      </div>
-    </div>
-  );
-};
-
-// Animated empty state component
-function AutomationEmptyState({
-  onCreate,
-  isCreating,
-}: {
-  onCreate: () => void;
-  isCreating: boolean;
-}) {
-  const canvasRef = useRef<HTMLCanvasElement>(null);
-  const animationFrameRef = useRef<number | undefined>(undefined);
-
-  useEffect(() => {
-    const canvas = canvasRef.current;
-    if (!canvas) return;
-
-    const ctx = canvas.getContext('2d');
-    if (!ctx) return;
-
-    // Set canvas size
-    const resizeCanvas = () => {
-      const rect = canvas.parentElement?.getBoundingClientRect();
-      if (rect) {
-        canvas.width = rect.width;
-        canvas.height = rect.height;
-      }
-    };
-    resizeCanvas();
-    window.addEventListener('resize', resizeCanvas);
-
-    let time = 0;
-    const animate = () => {
-      time += 0.005;
-      ctx.clearRect(0, 0, canvas.width, canvas.height);
-
-      // Primary color: hsl(165, 100%, 15%) = rgb(0, 77, 64)
-      const primaryR = 0;
-      const primaryG = 77;
-      const primaryB = 64;
+                )}
+              </div>
+            );
+          })()}
+
+          <div className="space-y-2">
+            {automations.map((automation) => {
+              // Show only the latest version run (ignore draft runs)
+              const latestVersionRun = automation.runs.find((run) => run.version !== null);
+
+              const runStatus = latestVersionRun?.status;
+              const lastRan = latestVersionRun?.createdAt
+                ? formatDistanceToNow(new Date(latestVersionRun.createdAt), { addSuffix: true })
+                : null;
+              const runVersion = latestVersionRun?.version;
+
+              // Determine dot color and glow
+              const hasFailed =
+                latestVersionRun &&
+                (runStatus === 'failed' || latestVersionRun.evaluationStatus === 'fail');
+              const dotColor = hasFailed
+                ? 'bg-destructive shadow-[0_0_8px_rgba(255,0,0,0.3)]'
+                : automation.isEnabled
+                  ? 'bg-primary shadow-[0_0_8px_rgba(0,77,64,0.4)]'
+                  : 'bg-muted-foreground';
 
-      // Subtle flowing lines - reduced intensity
-      ctx.strokeStyle = `rgba(${primaryR}, ${primaryG}, ${primaryB}, 0.06)`;
-      ctx.lineWidth = 0.5;
-      for (let i = 0; i < 3; i++) {
-        ctx.beginPath();
-        const y = (canvas.height / 4) * (i + 1);
-        const wave = Math.sin(time + i) * 10;
-        ctx.moveTo(0, y + wave);
-        for (let x = 0; x < canvas.width; x += 15) {
-          const waveY = Math.sin((x / canvas.width) * Math.PI * 2 + time + i) * 8;
-          ctx.lineTo(x, y + wave + waveY);
-        }
-        ctx.stroke();
-      }
-
-      animationFrameRef.current = requestAnimationFrame(animate);
-    };
-
-    animate();
-
-    return () => {
-      window.removeEventListener('resize', resizeCanvas);
-      if (animationFrameRef.current) {
-        cancelAnimationFrame(animationFrameRef.current);
-      }
-    };
-  }, []);
-
-  return (
-    <div
-      className="relative overflow-hidden border-t-2 border-t-primary/20 bg-primary/2 py-8 px-6 group hover:border-t-primary/30 hover:bg-primary/4 transition-all cursor-pointer"
-      onClick={onCreate}
-    >
-      {/* Very subtle animated background */}
-      <canvas
-        ref={canvasRef}
-        className="absolute inset-0 w-full h-full opacity-10"
-        style={{ mixBlendMode: 'multiply' }}
-      />
+              return (
+                <Link
+                  key={automation.id}
+                  href={`/${orgId}/tasks/${taskId}/automations/${automation.id}/overview`}
+                  className={cn(
+                    'block rounded-lg border transition-all duration-300',
+                    'border-border/50 hover:border-border hover:shadow-sm',
+                    'group',
+                  )}
+                >
+                  <div className="flex items-center gap-3 px-4 py-3">
+                    <div className={cn('h-2.5 w-2.5 rounded-full shrink-0', dotColor)} />
+
+                    <div className="flex-1 min-w-0">
+                      <p className="font-semibold text-foreground text-sm tracking-tight">
+                        {automation.name}
+                      </p>
+                      {latestVersionRun && lastRan ? (
+                        <p className="text-xs text-muted-foreground mt-0.5">
+                          Last ran {lastRan}
+                          <span className="ml-2">• v{runVersion}</span>
+                        </p>
+                      ) : (
+                        <p className="text-xs text-muted-foreground mt-0.5">
+                          No published runs yet
+                        </p>
+                      )}
+                    </div>
 
-      <div className="relative z-10 text-center space-y-3">
-        {/* Icon - Brain for agentic AI */}
-        <div className="inline-flex">
-          <div className="w-12 h-12 rounded-md bg-primary/8 flex items-center justify-center mx-auto group-hover:bg-primary/12 transition-colors">
-            <Brain className="w-6 h-6 text-primary" />
+                    <ArrowRight className="w-4 h-4 shrink-0 text-muted-foreground group-hover:text-foreground transition-colors" />
+                  </div>
+                </Link>
+              );
+            })}
           </div>
-        </div>
 
-        <div className="space-y-1.5">
-          <h4 className="text-base font-semibold text-foreground tracking-tight">
-            Automate This Task
-          </h4>
-          <p className="text-xs text-muted-foreground max-w-sm mx-auto leading-relaxed">
-            Launch an AI agent that continuously collects, verifies, and refreshes evidence for this
-            requirement
-          </p>
+          <button
+            onClick={handleCreateAutomation}
+            disabled={isCreating}
+            className="w-full flex items-center justify-center gap-2 py-2.5 rounded-lg border border-dashed border-border/60 hover:border-border hover:bg-muted/30 transition-all text-xs text-muted-foreground hover:text-foreground"
+          >
+            {isCreating ? (
+              <>
+                <Loader2 className="w-3.5 h-3.5 animate-spin" />
+                Creating...
+              </>
+            ) : (
+              <>
+                <Plus className="w-3.5 h-3.5" />
+                Create Another
+              </>
+            )}
+          </button>
         </div>
-
-        <Button
-          onClick={onCreate}
-          disabled={isCreating}
-          className="bg-primary text-primary-foreground hover:bg-primary/90 font-medium px-5 py-4"
-        >
-          {isCreating ? (
-            <>
-              <Loader2 className="w-4 h-4 mr-2 animate-spin" />
-              Launching...
-            </>
-          ) : (
-            'Continue'
-          )}
-        </Button>
       </div>
     </div>
   );
-}
+};
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx
new file mode 100644
index 000000000..8aa90326a
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskIntegrationChecks.tsx
@@ -0,0 +1,1219 @@
+'use client';
+
+import { ConnectIntegrationDialog } from '@/components/integrations/ConnectIntegrationDialog';
+import { ManageIntegrationDialog } from '@/components/integrations/ManageIntegrationDialog';
+import { api } from '@/lib/api-client';
+import { cn } from '@/lib/utils';
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import { addDays, formatDistanceToNow, isBefore, setHours, setMinutes } from 'date-fns';
+import {
+  AlertCircle,
+  AlertTriangle,
+  ArrowRight,
+  Bot,
+  CheckCircle2,
+  ChevronDown,
+  ExternalLink,
+  Loader2,
+  Play,
+  PlugZap,
+  Settings2,
+  TrendingUp,
+  XCircle,
+} from 'lucide-react';
+import Image from 'next/image';
+import Link from 'next/link';
+import { useParams, useRouter, useSearchParams } from 'next/navigation';
+import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
+import { toast } from 'sonner';
+
+interface TaskIntegrationCheck {
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  checkId: string;
+  checkName: string;
+  checkDescription: string;
+  isConnected: boolean;
+  needsConfiguration: boolean;
+  connectionId?: string;
+  connectionStatus?: string;
+  authType?: 'oauth2' | 'custom' | 'api_key' | 'basic' | 'jwt';
+  oauthConfigured?: boolean;
+}
+
+interface StoredCheckRun {
+  id: string;
+  checkId: string;
+  checkName: string;
+  status: string;
+  startedAt: string;
+  completedAt: string;
+  durationMs: number;
+  totalChecked: number;
+  passedCount: number;
+  failedCount: number;
+  errorMessage?: string;
+  logs?: Array<{
+    level: string;
+    message: string;
+    data?: Record<string, unknown>;
+    timestamp: string;
+  }>;
+  provider: {
+    slug: string;
+    name: string;
+  };
+  results: Array<{
+    id: string;
+    passed: boolean;
+    resourceType: string;
+    resourceId: string;
+    title: string;
+    description?: string;
+    severity?: string;
+    remediation?: string;
+    evidence?: Record<string, unknown>;
+    collectedAt: string;
+  }>;
+  createdAt: string;
+}
+
+interface TaskIntegrationChecksProps {
+  taskId: string;
+  onTaskUpdated?: () => void;
+}
+
+export function TaskIntegrationChecks({ taskId, onTaskUpdated }: TaskIntegrationChecksProps) {
+  const params = useParams();
+  const searchParams = useSearchParams();
+  const orgId = params.orgId as string;
+
+  const [checks, setChecks] = useState<TaskIntegrationCheck[]>([]);
+  const [storedRuns, setStoredRuns] = useState<StoredCheckRun[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [runningCheck, setRunningCheck] = useState<string | null>(null);
+  const [expandedCheck, setExpandedCheck] = useState<string | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  // OAuth success handling - open config dialog after successful connection
+  const [configureDialogOpen, setConfigureDialogOpen] = useState(false);
+  const [configureConnection, setConfigureConnection] = useState<{
+    connectionId: string;
+    integrationId: string;
+    integrationName: string;
+    integrationLogoUrl: string;
+    checkName?: string;
+    checkDescription?: string;
+  } | null>(null);
+  const hasHandledOAuthRef = useRef(false);
+
+  // Handle OAuth callback success - find the newly connected integration and open config dialog
+  useEffect(() => {
+    if (hasHandledOAuthRef.current || loading) return;
+
+    const success = searchParams.get('success');
+    const providerSlug = searchParams.get('provider');
+
+    if (success === 'true' && providerSlug && checks.length > 0) {
+      hasHandledOAuthRef.current = true;
+
+      // Find the connected check for this provider
+      const connectedCheck = checks.find(
+        (c) => c.integrationId === providerSlug && c.isConnected && c.connectionId,
+      );
+
+      if (connectedCheck) {
+        // Open the configure dialog
+        setConfigureConnection({
+          connectionId: connectedCheck.connectionId!,
+          integrationId: connectedCheck.integrationId,
+          integrationName: connectedCheck.integrationName,
+          integrationLogoUrl: connectedCheck.integrationLogoUrl,
+        });
+        setConfigureDialogOpen(true);
+        toast.success(
+          `${connectedCheck.integrationName} connected! Configure it to start automated checks.`,
+        );
+      }
+
+      // Clean up URL params
+      const url = new URL(window.location.href);
+      url.searchParams.delete('success');
+      url.searchParams.delete('provider');
+      window.history.replaceState({}, '', url.toString());
+    }
+  }, [searchParams, checks, loading]);
+
+  // Fetch checks and historical runs for this task
+  useEffect(() => {
+    const fetchData = async () => {
+      setLoading(true);
+      setError(null);
+      try {
+        const [checksResponse, runsResponse] = await Promise.all([
+          api.get<{
+            checks: TaskIntegrationCheck[];
+            task: { id: string; title: string; templateId: string | null };
+          }>(`/v1/integrations/tasks/${taskId}/checks?organizationId=${orgId}`),
+          api.get<{ runs: StoredCheckRun[] }>(
+            `/v1/integrations/tasks/${taskId}/runs?organizationId=${orgId}`,
+          ),
+        ]);
+
+        if (checksResponse.data?.checks) {
+          setChecks(checksResponse.data.checks);
+        }
+        if (runsResponse.data?.runs) {
+          setStoredRuns(runsResponse.data.runs);
+        }
+      } catch (err) {
+        console.error('Failed to fetch app automations:', err);
+        setError('Failed to load app automations');
+      } finally {
+        setLoading(false);
+      }
+    };
+
+    fetchData();
+  }, [taskId, orgId]);
+
+  const refreshRuns = useCallback(async () => {
+    try {
+      const runsResponse = await api.get<{ runs: StoredCheckRun[] }>(
+        `/v1/integrations/tasks/${taskId}/runs?organizationId=${orgId}`,
+      );
+      if (runsResponse.data?.runs) {
+        setStoredRuns(runsResponse.data.runs);
+      }
+    } catch (err) {
+      console.error('Failed to refresh runs:', err);
+    }
+  }, [taskId, orgId]);
+
+  const refreshChecks = useCallback(async () => {
+    try {
+      const checksResponse = await api.get<{
+        checks: TaskIntegrationCheck[];
+        task: { id: string; title: string; templateId: string | null };
+      }>(`/v1/integrations/tasks/${taskId}/checks?organizationId=${orgId}`);
+      if (checksResponse.data?.checks) {
+        setChecks(checksResponse.data.checks);
+      }
+    } catch (err) {
+      console.error('Failed to refresh checks:', err);
+    }
+  }, [taskId, orgId]);
+
+  const handleRunCheck = useCallback(
+    async (connectionId: string, checkId: string) => {
+      setRunningCheck(checkId);
+      setExpandedCheck(checkId); // Auto-expand when running
+      setError(null);
+      try {
+        const response = await api.post<{
+          success: boolean;
+          error?: string;
+          checkRunId?: string;
+          taskStatus?: string | null;
+        }>(`/v1/integrations/tasks/${taskId}/run-check?organizationId=${orgId}`, {
+          connectionId,
+          checkId,
+        });
+
+        const data = response.data;
+        if (data?.success) {
+          await refreshRuns();
+          // Refresh task data if status was updated
+          if (data.taskStatus && onTaskUpdated) {
+            onTaskUpdated();
+          }
+        } else if (data?.error) {
+          setError(data.error);
+        }
+      } catch (err) {
+        console.error('Failed to run check:', err);
+        setError('Failed to run check');
+      } finally {
+        setRunningCheck(null);
+      }
+    },
+    [taskId, orgId, refreshRuns, onTaskUpdated],
+  );
+
+  if (loading) {
+    return (
+      <div className="space-y-5">
+        <div className="flex items-center gap-2">
+          <PlugZap className="h-3.5 w-3.5 text-primary" />
+          <h3 className="text-[10px] font-semibold text-foreground uppercase tracking-[0.15em]">
+            App Automations
+          </h3>
+        </div>
+        <div className="flex items-center gap-2 text-sm text-muted-foreground py-4">
+          <Loader2 className="h-4 w-4 animate-spin" />
+          Loading...
+        </div>
+      </div>
+    );
+  }
+
+  const connectedChecks = checks.filter((c) => c.isConnected);
+  const disconnectedChecks = checks.filter((c) => !c.isConnected);
+
+  // If there are no checks at all for this task, don't render anything
+  if (checks.length === 0) {
+    return null;
+  }
+
+  // Group runs by check
+  const runsByCheck = storedRuns.reduce(
+    (acc, run) => {
+      if (!acc[run.checkId]) {
+        acc[run.checkId] = [];
+      }
+      acc[run.checkId].push(run);
+      return acc;
+    },
+    {} as Record<string, StoredCheckRun[]>,
+  );
+
+  // Calculate overall metrics
+  const totalRuns = storedRuns.length;
+  const successfulRuns = storedRuns.filter(
+    (r) => r.status === 'success' && r.failedCount === 0,
+  ).length;
+  const failedRuns = storedRuns.filter((r) => r.status === 'failed' || r.failedCount > 0).length;
+  const successRate = totalRuns > 0 ? Math.round((successfulRuns / totalRuns) * 100) : 0;
+
+  // Calculate next scheduled run (daily at 6 AM UTC)
+  const getNextScheduledRun = () => {
+    const now = new Date();
+    let nextRun = setMinutes(setHours(new Date(), 6), 0); // 6:00 AM UTC today
+
+    // If we're past 6 AM UTC today, schedule for tomorrow
+    if (isBefore(nextRun, now)) {
+      nextRun = addDays(nextRun, 1);
+    }
+
+    return nextRun;
+  };
+
+  const nextRun = connectedChecks.length > 0 ? getNextScheduledRun() : null;
+
+  return (
+    <div className="rounded-lg border border-border bg-card overflow-hidden">
+      {/* Card Header */}
+      <div className="px-5 py-4 border-b border-border">
+        <div className="flex items-center justify-between">
+          <div className="flex items-center gap-2.5">
+            <div className="p-1.5 rounded-md bg-muted">
+              <PlugZap className="h-4 w-4 text-primary" />
+            </div>
+            <div>
+              <h3 className="text-sm font-semibold text-foreground">App Automations</h3>
+              <p className="text-xs text-muted-foreground">
+                Pre-built automations from connected integrations
+              </p>
+            </div>
+          </div>
+          {connectedChecks.length > 0 && nextRun && (
+            <div className="text-right">
+              <div className="text-[10px] text-muted-foreground uppercase tracking-wide">
+                Next run
+              </div>
+              <div className="text-sm font-medium text-foreground">
+                {formatDistanceToNow(nextRun, { addSuffix: true })}
+              </div>
+            </div>
+          )}
+        </div>
+      </div>
+
+      {/* Card Content */}
+      <div className="p-5">
+        {connectedChecks.length === 0 && disconnectedChecks.length === 0 ? (
+          <IntegrationEmptyState
+            disconnectedChecks={disconnectedChecks}
+            hasNoMappedChecks={true}
+            orgId={orgId}
+            taskId={taskId}
+          />
+        ) : connectedChecks.length === 0 ? (
+          <IntegrationEmptyState
+            disconnectedChecks={disconnectedChecks}
+            hasNoMappedChecks={false}
+            orgId={orgId}
+            taskId={taskId}
+          />
+        ) : (
+          <div className="space-y-5">
+            {/* Metrics Summary */}
+            {totalRuns > 0 && (
+              <div className="border-b border-border/40 pb-4">
+                <div className="grid grid-cols-2 lg:grid-cols-4 gap-4">
+                  {/* Total Runs */}
+                  <div className="space-y-1.5">
+                    <div className="flex items-center gap-2">
+                      <TrendingUp className="h-3.5 w-3.5 text-muted-foreground" />
+                      <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                        Total Runs
+                      </span>
+                    </div>
+                    <div className="text-xl font-semibold text-foreground tabular-nums">
+                      {totalRuns}
+                    </div>
+                  </div>
+
+                  {/* Success Rate */}
+                  <div className="space-y-1.5">
+                    <div className="flex items-center gap-2">
+                      <CheckCircle2 className="h-3.5 w-3.5 text-primary" />
+                      <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                        Success Rate
+                      </span>
+                    </div>
+                    <div className="flex items-baseline gap-2">
+                      <div className="text-xl font-semibold text-foreground tabular-nums">
+                        {successRate}%
+                      </div>
+                      <div className="flex-1 max-w-[60px] bg-muted/50 h-1 rounded-full overflow-hidden">
+                        <div
+                          className="bg-primary h-full transition-all duration-500"
+                          style={{ width: `${successRate}%` }}
+                        />
+                      </div>
+                    </div>
+                  </div>
+
+                  {/* Failed */}
+                  {failedRuns > 0 && (
+                    <div className="space-y-1.5">
+                      <div className="flex items-center gap-2">
+                        <XCircle className="h-3.5 w-3.5 text-destructive" />
+                        <span className="text-[9px] text-muted-foreground uppercase tracking-[0.1em] font-medium">
+                          Issues
+                        </span>
+                      </div>
+                      <div className="text-xl font-semibold text-destructive tabular-nums">
+                        {failedRuns}
+                      </div>
+                    </div>
+                  )}
+                </div>
+              </div>
+            )}
+
+            {error && (
+              <div className="text-sm text-destructive p-3 bg-destructive/10 rounded-md flex items-center gap-2">
+                <AlertCircle className="h-4 w-4" />
+                {error}
+              </div>
+            )}
+
+            {/* Connected Checks List */}
+            <div className="space-y-2">
+              {connectedChecks.map((check) => {
+                const checkRuns = runsByCheck[check.checkId] || [];
+                const latestRun = checkRuns[0]; // Already sorted by createdAt desc
+                const isRunning = runningCheck === check.checkId;
+                const isExpanded = expandedCheck === check.checkId;
+                const needsConfig = check.needsConfiguration;
+
+                // Determine status from latest run
+                const hasFailed = latestRun
+                  ? latestRun.status === 'failed' || latestRun.failedCount > 0
+                  : false;
+                const hasSucceeded = latestRun
+                  ? latestRun.status === 'success' && latestRun.failedCount === 0
+                  : false;
+
+                const dotColor = needsConfig
+                  ? 'bg-warning shadow-[0_0_8px_hsl(var(--warning)/0.4)]'
+                  : hasFailed
+                    ? 'bg-destructive shadow-[0_0_8px_rgba(255,0,0,0.3)]'
+                    : hasSucceeded
+                      ? 'bg-primary shadow-[0_0_8px_rgba(0,77,64,0.4)]'
+                      : 'bg-muted-foreground';
+
+                const lastRan = latestRun
+                  ? formatDistanceToNow(new Date(latestRun.completedAt || latestRun.createdAt), {
+                      addSuffix: true,
+                    })
+                  : null;
+
+                return (
+                  <div
+                    key={`${check.integrationId}-${check.checkId}`}
+                    className={cn(
+                      'rounded-lg border transition-all duration-300',
+                      needsConfig
+                        ? 'border-warning/30 bg-warning/5'
+                        : isExpanded
+                          ? 'border-primary/30 shadow-sm bg-primary/[0.02]'
+                          : 'border-border/50 hover:border-border',
+                    )}
+                  >
+                    {/* Needs Configuration Banner */}
+                    {needsConfig && (
+                      <button
+                        onClick={() => {
+                          setConfigureConnection({
+                            connectionId: check.connectionId!,
+                            integrationId: check.integrationId,
+                            integrationName: check.integrationName,
+                            integrationLogoUrl: check.integrationLogoUrl,
+                          });
+                          setConfigureDialogOpen(true);
+                        }}
+                        className="w-full flex items-center gap-2 px-4 py-2 bg-warning/10 border-b border-warning/20 text-left hover:bg-warning/15 transition-colors"
+                      >
+                        <AlertTriangle className="h-3.5 w-3.5 text-warning shrink-0" />
+                        <span className="text-xs text-warning-foreground font-medium">
+                          Configuration required
+                        </span>
+                        <Settings2 className="h-3 w-3 text-warning ml-auto shrink-0" />
+                      </button>
+                    )}
+
+                    {/* Check Header Row */}
+                    <div className="flex items-center gap-3 px-4 py-3">
+                      <div className="relative shrink-0">
+                        <Image
+                          src={check.integrationLogoUrl}
+                          alt={check.integrationName}
+                          width={24}
+                          height={24}
+                          className="rounded"
+                        />
+                        <div
+                          className={cn(
+                            'absolute -bottom-0.5 -right-0.5 h-2.5 w-2.5 rounded-full border-2 border-background',
+                            dotColor,
+                            isRunning && 'animate-pulse',
+                          )}
+                        />
+                      </div>
+
+                      <div className="flex-1 min-w-0">
+                        <div className="flex items-center gap-2">
+                          <p className="font-semibold text-foreground text-sm tracking-tight">
+                            {check.checkName}
+                          </p>
+                        </div>
+                        {needsConfig ? (
+                          <p className="text-xs text-muted-foreground mt-0.5">
+                            Configure required settings to enable this check
+                          </p>
+                        ) : lastRan ? (
+                          <p className="text-xs text-muted-foreground mt-0.5">
+                            Last ran {lastRan}
+                            {latestRun && (
+                              <span className="ml-2">
+                                • {latestRun.passedCount} passed
+                                {latestRun.failedCount > 0 && (
+                                  <span className="text-destructive">
+                                    , {latestRun.failedCount} issues
+                                  </span>
+                                )}
+                              </span>
+                            )}
+                          </p>
+                        ) : (
+                          <p className="text-xs text-muted-foreground mt-0.5">Not run yet</p>
+                        )}
+                      </div>
+
+                      <div className="flex items-center gap-2">
+                        {needsConfig ? (
+                          <Button
+                            size="sm"
+                            variant="outline"
+                            className="h-8 px-3 border-warning/30 text-warning hover:bg-warning/10"
+                            onClick={() => {
+                              setConfigureConnection({
+                                connectionId: check.connectionId!,
+                                integrationId: check.integrationId,
+                                integrationName: check.integrationName,
+                                integrationLogoUrl: check.integrationLogoUrl,
+                                checkName: check.checkName,
+                                checkDescription: check.checkDescription,
+                              });
+                              setConfigureDialogOpen(true);
+                            }}
+                          >
+                            <Settings2 className="h-3.5 w-3.5" />
+                            <span className="ml-1.5 text-xs">Configure</span>
+                          </Button>
+                        ) : (
+                          <>
+                            <Button
+                              size="sm"
+                              variant="ghost"
+                              className="h-8 px-3"
+                              disabled={isRunning}
+                              onClick={(e) => {
+                                e.stopPropagation();
+                                handleRunCheck(check.connectionId!, check.checkId);
+                              }}
+                            >
+                              {isRunning ? (
+                                <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                              ) : (
+                                <Play className="h-3.5 w-3.5" />
+                              )}
+                              <span className="ml-1.5 text-xs">Run</span>
+                            </Button>
+                            <Button
+                              size="sm"
+                              variant="ghost"
+                              className="h-8 w-8 p-0"
+                              onClick={() => {
+                                setConfigureConnection({
+                                  connectionId: check.connectionId!,
+                                  integrationId: check.integrationId,
+                                  integrationName: check.integrationName,
+                                  integrationLogoUrl: check.integrationLogoUrl,
+                                  checkName: check.checkName,
+                                  checkDescription: check.checkDescription,
+                                });
+                                setConfigureDialogOpen(true);
+                              }}
+                            >
+                              <Settings2 className="h-4 w-4" />
+                            </Button>
+                          </>
+                        )}
+
+                        {checkRuns.length > 0 && (
+                          <Button
+                            size="sm"
+                            variant="ghost"
+                            className="h-8 w-8 p-0"
+                            onClick={() => setExpandedCheck(isExpanded ? null : check.checkId)}
+                          >
+                            <ChevronDown
+                              className={cn(
+                                'h-4 w-4 transition-transform duration-300',
+                                isExpanded && 'rotate-180',
+                              )}
+                            />
+                          </Button>
+                        )}
+                      </div>
+                    </div>
+
+                    {/* Expandable Run History */}
+                    <div
+                      className={cn(
+                        'grid transition-all duration-500 ease-in-out',
+                        isExpanded ? 'grid-rows-[1fr]' : 'grid-rows-[0fr]',
+                      )}
+                    >
+                      <div className="overflow-hidden">
+                        <div className="px-4 pb-4 pt-2 border-t border-border/50 space-y-4">
+                          <GroupedCheckRuns runs={checkRuns} maxRuns={5} />
+                        </div>
+                      </div>
+                    </div>
+                  </div>
+                );
+              })}
+            </div>
+
+            {/* Disconnected Checks as Suggestions */}
+            {disconnectedChecks.length > 0 && (
+              <div className="pt-4 border-t border-border/40">
+                <p className="text-xs font-medium text-muted-foreground mb-3">
+                  More integrations available
+                </p>
+                <div className="space-y-1">
+                  {disconnectedChecks.map((check) => (
+                    <Link
+                      key={`${check.integrationId}-${check.checkId}`}
+                      href={`/${orgId}/integrations`}
+                      className={cn(
+                        'flex flex-row items-center justify-between py-2 px-3 rounded-md',
+                        'hover:bg-muted/50 transition-colors',
+                        'cursor-pointer group',
+                      )}
+                    >
+                      <div className="flex items-center gap-3">
+                        <Image
+                          src={check.integrationLogoUrl}
+                          alt={check.integrationName}
+                          width={20}
+                          height={20}
+                          className="rounded opacity-50 group-hover:opacity-100 transition-opacity"
+                        />
+                        <div>
+                          <p className="text-sm text-muted-foreground group-hover:text-foreground transition-colors">
+                            {check.checkName}
+                          </p>
+                        </div>
+                      </div>
+                      <ExternalLink className="w-3.5 h-3.5 shrink-0 text-muted-foreground/50 group-hover:text-muted-foreground transition-colors" />
+                    </Link>
+                  ))}
+                </div>
+              </div>
+            )}
+          </div>
+        )}
+      </div>
+
+      {/* Configure Integration Dialog - opens after OAuth success or when clicking Configure */}
+      {configureConnection && (
+        <ManageIntegrationDialog
+          open={configureDialogOpen}
+          onOpenChange={setConfigureDialogOpen}
+          connectionId={configureConnection.connectionId}
+          integrationId={configureConnection.integrationId}
+          integrationName={configureConnection.integrationName}
+          integrationLogoUrl={configureConnection.integrationLogoUrl}
+          configureOnly={true}
+          checkContext={
+            configureConnection.checkName
+              ? {
+                  checkName: configureConnection.checkName,
+                  checkDescription: configureConnection.checkDescription,
+                }
+              : undefined
+          }
+          onSaved={() => {
+            // Refresh the checks data after saving to update needsConfiguration status
+            refreshChecks();
+            setConfigureDialogOpen(false);
+            setConfigureConnection(null);
+          }}
+        />
+      )}
+    </div>
+  );
+}
+
+// Group runs by date for display
+function GroupedCheckRuns({ runs, maxRuns = 5 }: { runs: StoredCheckRun[]; maxRuns?: number }) {
+  const [showAll, setShowAll] = useState(false);
+
+  // Group runs by date
+  const groupedRuns = useMemo(() => {
+    const groups: Record<string, StoredCheckRun[]> = {};
+
+    runs.forEach((run) => {
+      const date = new Date(run.createdAt).toLocaleDateString('en-US', {
+        month: 'short',
+        day: 'numeric',
+        year: 'numeric',
+      });
+      if (!groups[date]) {
+        groups[date] = [];
+      }
+      groups[date].push(run);
+    });
+
+    return groups;
+  }, [runs]);
+
+  // Get the runs to display (limited or all)
+  const displayRuns = showAll ? runs : runs.slice(0, maxRuns);
+  const hasMore = runs.length > maxRuns;
+
+  // Build grouped display from displayRuns
+  const displayGrouped = useMemo((): Record<string, StoredCheckRun[]> => {
+    const groups: Record<string, StoredCheckRun[]> = {};
+
+    displayRuns.forEach((run) => {
+      const date = new Date(run.createdAt).toLocaleDateString('en-US', {
+        month: 'short',
+        day: 'numeric',
+        year: 'numeric',
+      });
+      if (!groups[date]) {
+        groups[date] = [];
+      }
+      groups[date].push(run);
+    });
+
+    return groups;
+  }, [displayRuns]);
+
+  if (runs.length === 0) {
+    return <p className="text-xs text-muted-foreground text-center py-2">No runs yet</p>;
+  }
+
+  let runIndex = 0;
+
+  return (
+    <div className="space-y-4">
+      {Object.entries(displayGrouped).map(([date, dateRuns]) => (
+        <div key={date} className="space-y-2">
+          <p className="text-[10px] font-medium text-muted-foreground uppercase tracking-wide">
+            {date}
+          </p>
+          <div className="space-y-2">
+            {dateRuns.map((run: StoredCheckRun) => {
+              const isLatest = runIndex === 0;
+              runIndex++;
+              return <CheckRunItem key={run.id} run={run} isLatest={isLatest} />;
+            })}
+          </div>
+        </div>
+      ))}
+
+      {hasMore && (
+        <button
+          onClick={() => setShowAll(!showAll)}
+          className="w-full text-xs text-muted-foreground hover:text-foreground transition-colors py-1"
+        >
+          {showAll ? 'Show less' : `Show ${runs.length - maxRuns} more runs`}
+        </button>
+      )}
+    </div>
+  );
+}
+
+// Individual check run item with expandable details
+function CheckRunItem({ run, isLatest }: { run: StoredCheckRun; isLatest: boolean }) {
+  const [expanded, setExpanded] = useState(isLatest);
+
+  const timeAgo = formatDistanceToNow(new Date(run.createdAt), { addSuffix: true });
+  const hasFailed = run.status === 'failed' || run.failedCount > 0;
+  const hasError = run.status === 'failed' && run.errorMessage;
+
+  const findings = run.results.filter((r) => !r.passed);
+  const passing = run.results.filter((r) => r.passed);
+
+  const statusColor = hasError ? 'text-destructive' : hasFailed ? 'text-warning' : 'text-primary';
+
+  const statusText = hasError ? 'Error' : hasFailed ? 'Issues Found' : 'Passed';
+
+  return (
+    <div
+      className={cn(
+        'rounded-md border transition-all',
+        isLatest ? 'border-primary/20 bg-primary/[0.02]' : 'border-border/30 bg-muted/20',
+      )}
+    >
+      <button
+        onClick={() => setExpanded(!expanded)}
+        className="w-full text-left px-3 py-2.5 flex items-center gap-3"
+      >
+        <div
+          className={cn(
+            'h-1.5 w-1.5 rounded-full flex-shrink-0',
+            hasError ? 'bg-destructive' : hasFailed ? 'bg-warning' : 'bg-primary',
+          )}
+        />
+
+        <div className="flex-1 min-w-0">
+          <div className="flex items-center gap-2 text-xs">
+            <span className={cn('font-medium', statusColor)}>{statusText}</span>
+            <span className="text-muted-foreground">•</span>
+            <span className="text-muted-foreground">{timeAgo}</span>
+            {run.failedCount > 0 && (
+              <>
+                <span className="text-muted-foreground">•</span>
+                <span className="text-destructive">{run.failedCount} failed</span>
+              </>
+            )}
+          </div>
+        </div>
+
+        <ChevronDown
+          className={cn(
+            'h-3.5 w-3.5 text-muted-foreground transition-transform duration-300',
+            expanded && 'rotate-180',
+          )}
+        />
+      </button>
+
+      <div
+        className={cn(
+          'grid transition-all duration-300 ease-in-out',
+          expanded ? 'grid-rows-[1fr]' : 'grid-rows-[0fr]',
+        )}
+      >
+        <div className="overflow-hidden">
+          <div className="px-3 pb-3 pt-1 space-y-3 border-t border-border/30">
+            {/* Error */}
+            {run.errorMessage && (
+              <div className="p-2 rounded-md bg-destructive/10 border border-destructive/20">
+                <p className="text-xs text-destructive">{run.errorMessage}</p>
+              </div>
+            )}
+
+            {/* Findings */}
+            {findings.length > 0 && (
+              <div className="space-y-2">
+                {findings.slice(0, 3).map((finding) => (
+                  <div key={finding.id} className="space-y-2">
+                    <div>
+                      <p className="text-sm font-medium text-foreground">{finding.title}</p>
+                      {finding.description && (
+                        <p className="text-sm text-muted-foreground mt-1">{finding.description}</p>
+                      )}
+                      {finding.remediation && (
+                        <p className="text-sm text-primary mt-2">{finding.remediation}</p>
+                      )}
+                      <div className="flex items-center gap-2 mt-2">
+                        <Badge variant="secondary" className="font-mono text-xs">
+                          {finding.resourceId}
+                        </Badge>
+                        {finding.severity && (
+                          <Badge variant="outline" className="text-xs">
+                            {finding.severity}
+                          </Badge>
+                        )}
+                      </div>
+                    </div>
+                  </div>
+                ))}
+                {findings.length > 3 && (
+                  <p className="text-sm text-muted-foreground">
+                    +{findings.length - 3} more issues
+                  </p>
+                )}
+              </div>
+            )}
+
+            {/* Passing Results */}
+            {passing.length > 0 && findings.length === 0 && (
+              <div className="space-y-2">
+                {passing.slice(0, 2).map((result) => (
+                  <div key={result.id} className="space-y-2">
+                    <div>
+                      <p className="text-sm font-medium text-foreground">{result.title}</p>
+                      {result.description && (
+                        <p className="text-sm text-muted-foreground mt-1">{result.description}</p>
+                      )}
+                      <Badge variant="secondary" className="mt-2 font-mono text-xs">
+                        {result.resourceId}
+                      </Badge>
+                    </div>
+                    {result.evidence && Object.keys(result.evidence).length > 0 && (
+                      <details className="text-xs">
+                        <summary className="text-muted-foreground cursor-pointer">
+                          View Evidence
+                        </summary>
+                        <pre className="mt-2 p-2 bg-muted rounded text-xs overflow-auto">
+                          {JSON.stringify(result.evidence, null, 2)}
+                        </pre>
+                      </details>
+                    )}
+                  </div>
+                ))}
+                {passing.length > 2 && (
+                  <p className="text-sm text-muted-foreground">+{passing.length - 2} more passed</p>
+                )}
+              </div>
+            )}
+
+            {/* Logs */}
+            {run.logs && run.logs.length > 0 && (
+              <details className="text-xs">
+                <summary className="text-muted-foreground cursor-pointer">Logs</summary>
+                <pre className="mt-2 p-2 bg-muted rounded text-xs overflow-auto">
+                  {run.logs.map((log, i) => (
+                    <div
+                      key={i}
+                      className={cn(
+                        log.level === 'error' && 'text-destructive',
+                        log.level === 'warn' && 'text-warning',
+                      )}
+                    >
+                      <span className="opacity-50">
+                        [{new Date(log.timestamp).toLocaleTimeString()}]
+                      </span>{' '}
+                      {log.message}
+                    </div>
+                  ))}
+                </pre>
+              </details>
+            )}
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
+// Empty state when no integrations are connected - matches AutomationEmptyState style
+function IntegrationEmptyState({
+  disconnectedChecks,
+  hasNoMappedChecks,
+  orgId,
+  taskId,
+}: {
+  disconnectedChecks: TaskIntegrationCheck[];
+  hasNoMappedChecks: boolean;
+  orgId: string;
+  taskId?: string;
+}) {
+  const params = useParams();
+  const router = useRouter();
+  const currentTaskId = taskId || (params.taskId as string);
+  const canvasRef = useRef<HTMLCanvasElement>(null);
+  const animationFrameRef = useRef<number | undefined>(undefined);
+
+  // Dialog state for connecting integrations
+  const [connectDialogOpen, setConnectDialogOpen] = useState(false);
+  const [selectedIntegration, setSelectedIntegration] = useState<TaskIntegrationCheck | null>(null);
+
+  useEffect(() => {
+    const canvas = canvasRef.current;
+    if (!canvas) return;
+
+    const ctx = canvas.getContext('2d');
+    if (!ctx) return;
+
+    const resizeCanvas = () => {
+      const rect = canvas.parentElement?.getBoundingClientRect();
+      if (rect) {
+        canvas.width = rect.width;
+        canvas.height = rect.height;
+      }
+    };
+    resizeCanvas();
+    window.addEventListener('resize', resizeCanvas);
+
+    let time = 0;
+    const animate = () => {
+      time += 0.005;
+      ctx.clearRect(0, 0, canvas.width, canvas.height);
+
+      // Primary color: hsl(165, 100%, 15%) = rgb(0, 77, 64)
+      const primaryR = 0;
+      const primaryG = 77;
+      const primaryB = 64;
+
+      ctx.strokeStyle = `rgba(${primaryR}, ${primaryG}, ${primaryB}, 0.06)`;
+      ctx.lineWidth = 0.5;
+      for (let i = 0; i < 3; i++) {
+        ctx.beginPath();
+        const y = (canvas.height / 4) * (i + 1);
+        const wave = Math.sin(time + i) * 10;
+        ctx.moveTo(0, y + wave);
+        for (let x = 0; x < canvas.width; x += 15) {
+          const waveY = Math.sin((x / canvas.width) * Math.PI * 2 + time + i) * 8;
+          ctx.lineTo(x, y + wave + waveY);
+        }
+        ctx.stroke();
+      }
+
+      animationFrameRef.current = requestAnimationFrame(animate);
+    };
+
+    animate();
+
+    return () => {
+      window.removeEventListener('resize', resizeCanvas);
+      if (animationFrameRef.current) {
+        cancelAnimationFrame(animationFrameRef.current);
+      }
+    };
+  }, []);
+
+  // Get unique integrations from disconnected checks
+  const uniqueIntegrations = Array.from(
+    new Map(disconnectedChecks.map((c) => [c.integrationId, c])).values(),
+  );
+
+  const handleConnectClick = (integration: TaskIntegrationCheck) => {
+    setSelectedIntegration(integration);
+    setConnectDialogOpen(true);
+  };
+
+  const handleAutomationClick = () => {
+    router.push(`/${orgId}/tasks/${currentTaskId}/automation/new`);
+  };
+
+  // If no mapped checks, show simple automation CTA
+  if (hasNoMappedChecks) {
+    return (
+      <div
+        className="relative overflow-hidden border-t-2 border-t-primary/20 bg-primary/2 py-8 px-6 group hover:border-t-primary/30 hover:bg-primary/4 transition-all cursor-pointer"
+        onClick={handleAutomationClick}
+      >
+        <canvas
+          ref={canvasRef}
+          className="absolute inset-0 w-full h-full opacity-10"
+          style={{ mixBlendMode: 'multiply' }}
+        />
+
+        <div className="relative z-10 text-center space-y-3">
+          <div className="inline-flex">
+            <div className="w-12 h-12 rounded-md bg-primary/8 flex items-center justify-center mx-auto group-hover:bg-primary/12 transition-colors">
+              <Bot className="w-6 h-6 text-primary" />
+            </div>
+          </div>
+
+          <div className="space-y-1.5">
+            <h4 className="text-base font-semibold text-foreground tracking-tight">
+              Automate This Task
+            </h4>
+            <p className="text-xs text-muted-foreground max-w-sm mx-auto leading-relaxed">
+              No pre-built integrations are available. Launch an AI agent that continuously
+              collects, verifies, and refreshes evidence for this requirement.
+            </p>
+          </div>
+
+          <Button className="bg-primary text-primary-foreground hover:bg-primary/90 font-medium px-5 py-4">
+            Continue
+          </Button>
+        </div>
+      </div>
+    );
+  }
+
+  // Has disconnected integrations available
+  return (
+    <>
+      <div className="relative overflow-hidden border-t-2 border-t-primary/20 bg-primary/2 group hover:border-t-primary/30 hover:bg-primary/4 transition-all">
+        <canvas
+          ref={canvasRef}
+          className="absolute inset-0 w-full h-full opacity-10"
+          style={{ mixBlendMode: 'multiply' }}
+        />
+
+        <div className="relative z-10">
+          {/* Header */}
+          <div className="text-center py-6 px-6">
+            <div className="inline-flex mb-3 gap-2">
+              {uniqueIntegrations.slice(0, 3).map((integration) => (
+                <div
+                  key={integration.integrationId}
+                  className="w-10 h-10 rounded-lg bg-background border border-border flex items-center justify-center overflow-hidden"
+                >
+                  <Image
+                    src={integration.integrationLogoUrl}
+                    alt={integration.integrationName}
+                    width={24}
+                    height={24}
+                    className="object-contain"
+                  />
+                </div>
+              ))}
+              {uniqueIntegrations.length > 3 && (
+                <div className="w-10 h-10 rounded-lg bg-muted/50 flex items-center justify-center text-xs font-medium text-muted-foreground">
+                  +{uniqueIntegrations.length - 3}
+                </div>
+              )}
+            </div>
+
+            <h4 className="text-base font-semibold text-foreground tracking-tight">
+              Automate This Task
+            </h4>
+            <p className="text-xs text-muted-foreground max-w-sm mx-auto leading-relaxed mt-1.5">
+              Connect an integration to automatically verify compliance, or build a custom
+              automation
+            </p>
+          </div>
+
+          {/* Options */}
+          <div className="border-t border-primary/10 divide-y divide-primary/10">
+            {/* Pre-built integrations */}
+            {uniqueIntegrations.map((integration) => {
+              const checksForIntegration = disconnectedChecks.filter(
+                (c) => c.integrationId === integration.integrationId,
+              );
+              // Check if OAuth integration is not yet configured by platform admin
+              const isComingSoon =
+                integration.authType === 'oauth2' && integration.oauthConfigured === false;
+
+              if (isComingSoon) {
+                return (
+                  <div
+                    key={integration.integrationId}
+                    className="w-full flex items-center gap-4 px-6 py-3 opacity-60 cursor-not-allowed"
+                  >
+                    <div className="w-9 h-9 rounded-lg bg-background border border-border flex items-center justify-center shrink-0 overflow-hidden">
+                      <Image
+                        src={integration.integrationLogoUrl}
+                        alt={integration.integrationName}
+                        width={20}
+                        height={20}
+                        className="object-contain grayscale"
+                      />
+                    </div>
+                    <div className="flex-1 min-w-0">
+                      <p className="text-sm font-medium text-muted-foreground">
+                        {integration.integrationName}
+                      </p>
+                      <p className="text-[10px] text-muted-foreground mt-0.5">
+                        {checksForIntegration.length} automated check
+                        {checksForIntegration.length > 1 ? 's' : ''} available
+                      </p>
+                    </div>
+                    <Badge variant="secondary" className="text-[10px] shrink-0">
+                      Coming Soon
+                    </Badge>
+                  </div>
+                );
+              }
+
+              return (
+                <button
+                  key={integration.integrationId}
+                  onClick={() => handleConnectClick(integration)}
+                  className="w-full flex items-center gap-4 px-6 py-3 hover:bg-primary/5 transition-colors group/item text-left"
+                >
+                  <div className="w-9 h-9 rounded-lg bg-background border border-border flex items-center justify-center shrink-0 overflow-hidden">
+                    <Image
+                      src={integration.integrationLogoUrl}
+                      alt={integration.integrationName}
+                      width={20}
+                      height={20}
+                      className="object-contain"
+                    />
+                  </div>
+                  <div className="flex-1 min-w-0">
+                    <p className="text-sm font-medium text-foreground group-hover/item:text-primary transition-colors">
+                      Connect {integration.integrationName}
+                    </p>
+                    <p className="text-[10px] text-muted-foreground mt-0.5">
+                      {checksForIntegration.length} automated check
+                      {checksForIntegration.length > 1 ? 's' : ''} available
+                    </p>
+                  </div>
+                  <ArrowRight className="w-4 h-4 text-muted-foreground group-hover/item:text-primary transition-colors shrink-0" />
+                </button>
+              );
+            })}
+
+            {/* Custom automation option */}
+            <Link
+              href={`/${orgId}/tasks/${currentTaskId}/automation/new`}
+              className="flex items-center gap-4 px-6 py-3 hover:bg-primary/5 transition-colors group/item"
+            >
+              <div className="w-9 h-9 rounded-lg bg-muted/50 flex items-center justify-center shrink-0 group-hover/item:bg-muted transition-colors">
+                <Bot className="w-4 h-4 text-muted-foreground" />
+              </div>
+              <div className="flex-1 min-w-0">
+                <p className="text-sm font-medium text-foreground group-hover/item:text-foreground/80 transition-colors">
+                  Build Custom Automation
+                </p>
+                <p className="text-[10px] text-muted-foreground mt-0.5">
+                  Use the AI agent to create a tailored automation
+                </p>
+              </div>
+              <ArrowRight className="w-4 h-4 text-muted-foreground group-hover/item:text-foreground/80 transition-colors shrink-0" />
+            </Link>
+          </div>
+        </div>
+      </div>
+
+      {/* Connect Integration Dialog */}
+      {selectedIntegration && (
+        <ConnectIntegrationDialog
+          open={connectDialogOpen}
+          onOpenChange={setConnectDialogOpen}
+          integrationId={selectedIntegration.integrationId}
+          integrationName={selectedIntegration.integrationName}
+          integrationLogoUrl={selectedIntegration.integrationLogoUrl}
+        />
+      )}
+    </>
+  );
+}
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task-integration-checks.ts b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task-integration-checks.ts
new file mode 100644
index 000000000..1ddd9baff
--- /dev/null
+++ b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/hooks/use-task-integration-checks.ts
@@ -0,0 +1,67 @@
+import { api } from '@/lib/api-client';
+import { useParams } from 'next/navigation';
+import useSWR from 'swr';
+
+interface TaskIntegrationCheck {
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  checkId: string;
+  checkName: string;
+  checkDescription: string;
+  isConnected: boolean;
+  needsConfiguration: boolean;
+  connectionId?: string;
+  connectionStatus?: string;
+}
+
+interface UseTaskIntegrationChecksReturn {
+  checks: TaskIntegrationCheck[];
+  connectedChecks: TaskIntegrationCheck[];
+  disconnectedChecks: TaskIntegrationCheck[];
+  hasConnectedChecks: boolean;
+  hasMappedChecks: boolean;
+  isLoading: boolean;
+  isError: boolean;
+}
+
+export function useTaskIntegrationChecks(): UseTaskIntegrationChecksReturn {
+  const { orgId, taskId } = useParams<{
+    orgId: string;
+    taskId: string;
+  }>();
+
+  const { data, error, isLoading } = useSWR(
+    taskId && orgId ? [`task-integration-checks-${taskId}`, orgId, taskId] : null,
+    async () => {
+      const response = await api.get<{
+        checks: TaskIntegrationCheck[];
+        task: { id: string; title: string; templateId: string | null };
+      }>(`/v1/integrations/tasks/${taskId}/checks?organizationId=${orgId}`);
+
+      if (response.error) {
+        throw new Error(response.error);
+      }
+
+      return response.data?.checks || [];
+    },
+    {
+      revalidateOnFocus: false,
+      dedupingInterval: 30000,
+    },
+  );
+
+  const checks = data || [];
+  const connectedChecks = checks.filter((c) => c.isConnected);
+  const disconnectedChecks = checks.filter((c) => !c.isConnected);
+
+  return {
+    checks,
+    connectedChecks,
+    disconnectedChecks,
+    hasConnectedChecks: connectedChecks.length > 0,
+    hasMappedChecks: checks.length > 0,
+    isLoading,
+    isError: !!error,
+  };
+}
diff --git a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/check-dns-record.ts b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/check-dns-record.ts
index a07b9310e..70b4dbfdd 100644
--- a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/check-dns-record.ts
+++ b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/check-dns-record.ts
@@ -164,7 +164,7 @@ export const checkDnsRecordAction = authActionClient
 
     revalidatePath(`/${activeOrgId}/trust`);
     revalidatePath(`/${activeOrgId}/trust/portal-settings`);
-    revalidateTag(`organization_${activeOrgId}`);
+    revalidateTag(`organization_${activeOrgId}`, 'max');
 
     return {
       success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/custom-domain.ts b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/custom-domain.ts
index 8ed7589bb..574a1663c 100644
--- a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/custom-domain.ts
+++ b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/custom-domain.ts
@@ -102,7 +102,7 @@ export const customDomainAction = authActionClient
 
       revalidatePath(`/${activeOrganizationId}/trust`);
       revalidatePath(`/${activeOrganizationId}/trust/portal-settings`);
-      revalidateTag(`organization_${activeOrganizationId}`);
+      revalidateTag(`organization_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/trust-portal-switch.ts b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/trust-portal-switch.ts
index 384e8ff57..ad08e7c3d 100644
--- a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/trust-portal-switch.ts
+++ b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/trust-portal-switch.ts
@@ -50,7 +50,7 @@ export const trustPortalSwitchAction = authActionClient
 
       revalidatePath(`/${activeOrganizationId}/trust`);
       revalidatePath(`/${activeOrganizationId}/trust/portal-settings`);
-      revalidateTag(`organization_${activeOrganizationId}`);
+      revalidateTag(`organization_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/update-trust-portal-frameworks.ts b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/update-trust-portal-frameworks.ts
index bd5b8957e..569013906 100644
--- a/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/update-trust-portal-frameworks.ts
+++ b/apps/app/src/app/(app)/[orgId]/trust/portal-settings/actions/update-trust-portal-frameworks.ts
@@ -96,5 +96,5 @@ export async function updateTrustPortalFrameworks({
 
   revalidatePath(`/${orgId}/trust`);
   revalidatePath(`/${orgId}/trust/portal-settings`);
-  revalidateTag(`organization_${orgId}`);
+  revalidateTag(`organization_${orgId}`, 'max');
 }
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts
index eb21d3d0e..113f742f8 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/regenerate-vendor-mitigation.ts
@@ -1,11 +1,11 @@
 'use server';
 
 import { authActionClient } from '@/actions/safe-action';
-import { generateVendorMitigation } from '@/jobs/tasks/onboarding/generate-vendor-mitigation';
+import { generateVendorMitigation } from '@/trigger/tasks/onboarding/generate-vendor-mitigation';
 import {
   findCommentAuthor,
   type PolicyContext,
-} from '@/jobs/tasks/onboarding/onboard-organization-helpers';
+} from '@/trigger/tasks/onboarding/onboard-organization-helpers';
 import { db } from '@db';
 import { tasks } from '@trigger.dev/sdk';
 import { z } from 'zod';
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/create-task-action.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/create-task-action.ts
index 18039c216..68bd0827a 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/create-task-action.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/create-task-action.ts
@@ -43,7 +43,7 @@ export const createVendorTaskAction = authActionClient
       });
 
       revalidatePath(`/${activeOrganizationId}/vendor/${vendorId}`);
-      revalidateTag(`vendor_${activeOrganizationId}`);
+      revalidateTag(`vendor_${activeOrganizationId}`, 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/revalidate-upload.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/revalidate-upload.ts
index d3dd6fc69..7d56e39b7 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/revalidate-upload.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/revalidate-upload.ts
@@ -23,7 +23,7 @@ export const revalidateUpload = authActionClient
 
     revalidatePath(`/${session.activeOrganizationId}/risk/${riskId}`);
     revalidatePath(`/${session.activeOrganizationId}/risk/${riskId}/tasks/${taskId}`);
-    revalidateTag('risk-cache');
+    revalidateTag('risk-cache', 'max');
 
     return {
       riskId,
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/update-task-action.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/update-task-action.ts
index 9cb1ebd8d..2773efd2b 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/update-task-action.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/task/update-task-action.ts
@@ -61,7 +61,7 @@ export const updateVendorTaskAction = authActionClient
 
       revalidatePath(`/${session.activeOrganizationId}/vendors/${task.vendors[0].id}`);
       revalidatePath(`/${session.activeOrganizationId}/vendors/${task.vendors[0].id}/tasks/${id}`);
-      revalidateTag(`vendor_${session.activeOrganizationId}`);
+      revalidateTag(`vendor_${session.activeOrganizationId}`, 'max');
 
       return { success: true };
     } catch (error) {
diff --git a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/update-vendor-action.ts b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/update-vendor-action.ts
index b7336da7c..1bcf0c572 100644
--- a/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/update-vendor-action.ts
+++ b/apps/app/src/app/(app)/[orgId]/vendors/[vendorId]/actions/update-vendor-action.ts
@@ -42,7 +42,7 @@ export const updateVendorAction = authActionClient
       revalidatePath(`/${session.activeOrganizationId}/vendors`);
       revalidatePath(`/${session.activeOrganizationId}/vendors/register`);
       revalidatePath(`/${session.activeOrganizationId}/vendors/${id}`);
-      revalidateTag('vendors');
+      revalidateTag('vendors', 'max');
 
       return {
         success: true,
diff --git a/apps/app/src/app/(app)/admin/integrations/page.tsx b/apps/app/src/app/(app)/admin/integrations/page.tsx
new file mode 100644
index 000000000..d8f60fcc4
--- /dev/null
+++ b/apps/app/src/app/(app)/admin/integrations/page.tsx
@@ -0,0 +1,400 @@
+'use client';
+
+import { api } from '@/lib/api-client';
+import { Badge } from '@comp/ui/badge';
+import { Button } from '@comp/ui/button';
+import { Card, CardContent } from '@comp/ui/card';
+import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
+import {
+  AlertCircle,
+  CheckCircle2,
+  ExternalLink,
+  Key,
+  Loader2,
+  RefreshCw,
+  Search,
+  Settings,
+  Trash2,
+} from 'lucide-react';
+import Image from 'next/image';
+import { useState } from 'react';
+import useSWR from 'swr';
+
+interface Integration {
+  id: string;
+  name: string;
+  description: string;
+  category: string;
+  logoUrl: string;
+  authType: string;
+  capabilities: string[];
+  isActive: boolean;
+  docsUrl?: string;
+  hasCredentials: boolean;
+  credentialConfiguredAt?: string;
+  credentialUpdatedAt?: string;
+  setupInstructions?: string;
+  createAppUrl?: string;
+  requiredScopes?: string[];
+  authorizeUrl?: string;
+}
+
+function IntegrationCard({
+  integration,
+  onRefresh,
+}: {
+  integration: Integration;
+  onRefresh: () => void;
+}) {
+  const [showConfig, setShowConfig] = useState(false);
+  const [clientId, setClientId] = useState('');
+  const [clientSecret, setClientSecret] = useState('');
+  const [appName, setAppName] = useState('');
+  const [isSaving, setIsSaving] = useState(false);
+  const [isDeleting, setIsDeleting] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+
+  // Check if this integration needs an app name (has {APP_NAME} placeholder in authorize URL)
+  const needsAppName = integration.authorizeUrl?.includes('{APP_NAME}');
+
+  const handleSave = async () => {
+    if (!clientId || !clientSecret) return;
+    if (needsAppName && !appName) return;
+
+    setIsSaving(true);
+    setError(null);
+
+    const response = await api.post('/v1/admin/integrations/credentials', {
+      providerSlug: integration.id,
+      clientId,
+      clientSecret,
+      customSettings: needsAppName ? { appName } : undefined,
+    });
+
+    if (response.error) {
+      setError(response.error);
+    } else {
+      setClientId('');
+      setClientSecret('');
+      setShowConfig(false);
+      onRefresh();
+    }
+
+    setIsSaving(false);
+  };
+
+  const handleDelete = async () => {
+    if (!confirm(`Delete credentials for ${integration.name}?`)) return;
+
+    setIsDeleting(true);
+    setError(null);
+
+    const response = await api.delete(`/v1/admin/integrations/credentials/${integration.id}`);
+
+    if (response.error) {
+      setError(response.error);
+    } else {
+      onRefresh();
+    }
+
+    setIsDeleting(false);
+  };
+
+  return (
+    <Card className="overflow-hidden">
+      <CardContent className="p-4">
+        <div className="space-y-4">
+          {/* Header with logo */}
+          <div className="flex items-start gap-3">
+            <div className="relative h-10 w-10 shrink-0 rounded-lg border bg-muted/50 p-1.5">
+              <Image
+                src={integration.logoUrl}
+                alt={integration.name}
+                fill
+                className="object-contain p-1"
+                unoptimized
+              />
+              {integration.hasCredentials && (
+                <div className="absolute -bottom-1 -right-1 h-4 w-4 rounded-full bg-green-500 border-2 border-background flex items-center justify-center">
+                  <CheckCircle2 className="h-2.5 w-2.5 text-white" />
+                </div>
+              )}
+            </div>
+            <div className="flex-1 min-w-0">
+              <div className="flex items-center gap-2">
+                <h3 className="font-semibold text-sm truncate">{integration.name}</h3>
+                {!integration.hasCredentials && (
+                  <Badge variant="secondary" className="text-[10px] px-1.5 py-0">
+                    Not configured
+                  </Badge>
+                )}
+              </div>
+              <p className="text-xs text-muted-foreground line-clamp-2 mt-0.5">
+                {integration.description}
+              </p>
+            </div>
+          </div>
+
+          {/* Meta info */}
+          <div className="flex items-center gap-3 text-[10px] text-muted-foreground">
+            <Badge variant="outline" className="text-[10px] px-1.5 py-0 font-normal">
+              {integration.category}
+            </Badge>
+            <span className="uppercase tracking-wide">{integration.authType}</span>
+            {integration.hasCredentials && integration.credentialUpdatedAt && (
+              <span>Updated {new Date(integration.credentialUpdatedAt).toLocaleDateString()}</span>
+            )}
+          </div>
+
+          {integration.authType === 'oauth2' && (
+            <>
+              <div className="flex gap-2">
+                <Button size="sm" variant="outline" onClick={() => setShowConfig(!showConfig)}>
+                  <Settings className="h-3 w-3 mr-1" />
+                  {showConfig ? 'Hide' : 'Configure'}
+                </Button>
+
+                {integration.hasCredentials && (
+                  <Button
+                    size="sm"
+                    variant="destructive"
+                    onClick={handleDelete}
+                    disabled={isDeleting}
+                  >
+                    {isDeleting ? (
+                      <Loader2 className="h-3 w-3 animate-spin" />
+                    ) : (
+                      <Trash2 className="h-3 w-3 mr-1" />
+                    )}
+                    Delete
+                  </Button>
+                )}
+
+                {integration.createAppUrl && (
+                  <a href={integration.createAppUrl} target="_blank" rel="noopener noreferrer">
+                    <Button size="sm" variant="ghost">
+                      <ExternalLink className="h-3 w-3 mr-1" />
+                      Create OAuth App
+                    </Button>
+                  </a>
+                )}
+              </div>
+
+              {showConfig && (
+                <div className="border rounded-lg p-4 space-y-4 bg-muted/30">
+                  {error && (
+                    <div className="text-sm text-red-500 p-2 bg-red-500/10 rounded">{error}</div>
+                  )}
+
+                  {integration.setupInstructions && (
+                    <details className="text-sm">
+                      <summary className="cursor-pointer text-muted-foreground font-medium">
+                        Setup Instructions
+                      </summary>
+                      <pre className="mt-2 p-3 bg-muted rounded text-xs whitespace-pre-wrap">
+                        {integration.setupInstructions}
+                      </pre>
+                    </details>
+                  )}
+
+                  {integration.requiredScopes && integration.requiredScopes.length > 0 && (
+                    <div className="text-sm">
+                      <span className="font-medium">Required Scopes: </span>
+                      <code className="text-xs bg-muted px-1 py-0.5 rounded">
+                        {integration.requiredScopes.join(', ')}
+                      </code>
+                    </div>
+                  )}
+
+                  <div className="grid gap-3">
+                    <div>
+                      <Label className="text-sm">Client ID</Label>
+                      <Input
+                        className="font-mono text-sm"
+                        placeholder="Enter OAuth Client ID"
+                        value={clientId}
+                        onChange={(e) => setClientId(e.target.value)}
+                      />
+                    </div>
+                    <div>
+                      <Label className="text-sm">Client Secret</Label>
+                      <Input
+                        type="password"
+                        className="font-mono text-sm"
+                        placeholder="Enter OAuth Client Secret"
+                        value={clientSecret}
+                        onChange={(e) => setClientSecret(e.target.value)}
+                      />
+                    </div>
+                    {needsAppName && (
+                      <div>
+                        <Label className="text-sm">App Name</Label>
+                        <Input
+                          className="font-mono text-sm"
+                          placeholder="e.g., compai533c"
+                          value={appName}
+                          onChange={(e) => setAppName(e.target.value)}
+                        />
+                        <p className="text-xs text-muted-foreground mt-1">
+                          The app name from your Rippling developer portal (used in the authorize
+                          URL)
+                        </p>
+                      </div>
+                    )}
+                  </div>
+
+                  <Button
+                    onClick={handleSave}
+                    disabled={!clientId || !clientSecret || (needsAppName && !appName) || isSaving}
+                  >
+                    {isSaving ? (
+                      <Loader2 className="h-4 w-4 animate-spin mr-2" />
+                    ) : (
+                      <Key className="h-4 w-4 mr-2" />
+                    )}
+                    Save Credentials
+                  </Button>
+                </div>
+              )}
+            </>
+          )}
+        </div>
+      </CardContent>
+    </Card>
+  );
+}
+
+export default function AdminIntegrationsPage() {
+  const [searchQuery, setSearchQuery] = useState('');
+
+  const {
+    data: integrations,
+    error,
+    isLoading,
+    mutate,
+  } = useSWR<Integration[]>('admin-integrations', async () => {
+    const response = await api.get<Integration[]>('/v1/admin/integrations');
+    if (response.error) throw new Error(response.error);
+    return response.data || [];
+  });
+
+  const filteredIntegrations = integrations?.filter((i) => {
+    if (!searchQuery) return true;
+    const query = searchQuery.toLowerCase();
+    return (
+      i.name.toLowerCase().includes(query) ||
+      i.description.toLowerCase().includes(query) ||
+      i.category.toLowerCase().includes(query)
+    );
+  });
+
+  const oauthIntegrations = filteredIntegrations?.filter((i) => i.authType === 'oauth2') || [];
+  const otherIntegrations = filteredIntegrations?.filter((i) => i.authType !== 'oauth2') || [];
+
+  const configuredCount = integrations?.filter((i) => i.hasCredentials).length || 0;
+  const totalOAuth = oauthIntegrations.length;
+
+  return (
+    <div className="space-y-8">
+      <div>
+        <h2 className="text-2xl font-bold">Integration Credentials</h2>
+        <p className="text-muted-foreground mt-1">
+          Configure platform-wide OAuth credentials for integrations. These credentials will be used
+          as the default for all organizations.
+        </p>
+      </div>
+
+      {/* Stats */}
+      <div className="grid grid-cols-3 gap-4">
+        <Card>
+          <CardContent className="pt-6">
+            <div className="text-2xl font-bold">{integrations?.length || 0}</div>
+            <div className="text-sm text-muted-foreground">Total Integrations</div>
+          </CardContent>
+        </Card>
+        <Card>
+          <CardContent className="pt-6">
+            <div className="text-2xl font-bold text-green-600">{configuredCount}</div>
+            <div className="text-sm text-muted-foreground">Configured</div>
+          </CardContent>
+        </Card>
+        <Card>
+          <CardContent className="pt-6">
+            <div className="text-2xl font-bold text-yellow-600">{totalOAuth - configuredCount}</div>
+            <div className="text-sm text-muted-foreground">OAuth Pending Setup</div>
+          </CardContent>
+        </Card>
+      </div>
+
+      {/* Search and Refresh */}
+      <div className="flex items-center gap-4">
+        <div className="relative flex-1 max-w-sm">
+          <Search className="absolute left-3 top-1/2 -translate-y-1/2 h-4 w-4 text-muted-foreground" />
+          <Input
+            placeholder="Search integrations..."
+            value={searchQuery}
+            onChange={(e) => setSearchQuery(e.target.value)}
+            className="pl-9"
+          />
+        </div>
+        <Button variant="outline" onClick={() => mutate()} disabled={isLoading}>
+          <RefreshCw className={`h-4 w-4 mr-2 ${isLoading ? 'animate-spin' : ''}`} />
+          Refresh
+        </Button>
+      </div>
+
+      {error && (
+        <div className="p-4 bg-red-500/10 text-red-500 rounded-lg">
+          Failed to load integrations: {error.message}
+        </div>
+      )}
+
+      {isLoading && (
+        <div className="flex items-center justify-center py-12">
+          <Loader2 className="h-8 w-8 animate-spin text-muted-foreground" />
+        </div>
+      )}
+
+      {!isLoading && integrations && (
+        <div className="space-y-8">
+          {/* OAuth Integrations */}
+          {oauthIntegrations.length > 0 && (
+            <div>
+              <h3 className="text-lg font-semibold mb-4">
+                OAuth Integrations ({oauthIntegrations.length})
+              </h3>
+              <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                {oauthIntegrations.map((integration) => (
+                  <IntegrationCard
+                    key={integration.id}
+                    integration={integration}
+                    onRefresh={() => mutate()}
+                  />
+                ))}
+              </div>
+            </div>
+          )}
+
+          {/* Other Integrations */}
+          {otherIntegrations.length > 0 && (
+            <div>
+              <h3 className="text-lg font-semibold mb-4">
+                Other Integrations ({otherIntegrations.length})
+              </h3>
+              <div className="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+                {otherIntegrations.map((integration) => (
+                  <IntegrationCard
+                    key={integration.id}
+                    integration={integration}
+                    onRefresh={() => mutate()}
+                  />
+                ))}
+              </div>
+            </div>
+          )}
+        </div>
+      )}
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/admin/layout.tsx b/apps/app/src/app/(app)/admin/layout.tsx
new file mode 100644
index 000000000..9ad86469b
--- /dev/null
+++ b/apps/app/src/app/(app)/admin/layout.tsx
@@ -0,0 +1,53 @@
+import { auth } from '@/utils/auth';
+import { db } from '@db';
+import { headers } from 'next/headers';
+import { redirect } from 'next/navigation';
+
+export default async function AdminLayout({ children }: { children: React.ReactNode }) {
+  const session = await auth.api.getSession({
+    headers: await headers(),
+  });
+
+  if (!session?.user?.id) {
+    redirect('/');
+  }
+
+  // Check if user is platform admin
+  const user = await db.user.findUnique({
+    where: { id: session.user.id },
+    select: { isPlatformAdmin: true },
+  });
+
+  if (!user?.isPlatformAdmin) {
+    redirect('/');
+  }
+
+  return (
+    <div className="min-h-screen bg-background">
+      <div className="border-b bg-muted/30">
+        <div className="container mx-auto px-6 py-4">
+          <div className="flex items-center justify-between">
+            <div className="flex items-center gap-4">
+              <h1 className="text-lg font-semibold">Platform Admin</h1>
+              <nav className="flex items-center gap-4 text-sm">
+                <a
+                  href="/admin/integrations"
+                  className="text-muted-foreground hover:text-foreground transition-colors"
+                >
+                  Integrations
+                </a>
+              </nav>
+            </div>
+            <a
+              href="/"
+              className="text-sm text-muted-foreground hover:text-foreground transition-colors"
+            >
+              ← Back to Dashboard
+            </a>
+          </div>
+        </div>
+      </div>
+      <main className="container mx-auto px-6 py-8">{children}</main>
+    </div>
+  );
+}
diff --git a/apps/app/src/app/(app)/admin/page.tsx b/apps/app/src/app/(app)/admin/page.tsx
new file mode 100644
index 000000000..c1140da19
--- /dev/null
+++ b/apps/app/src/app/(app)/admin/page.tsx
@@ -0,0 +1,7 @@
+import { redirect } from 'next/navigation';
+
+export default function AdminPage() {
+  // Redirect to integrations by default
+  redirect('/admin/integrations');
+}
+
diff --git a/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts b/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
index 7419445f6..8863450db 100644
--- a/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
+++ b/apps/app/src/app/(app)/onboarding/actions/complete-onboarding.ts
@@ -2,8 +2,8 @@
 
 import { authActionClient } from '@/actions/safe-action';
 import { steps } from '@/app/(app)/setup/lib/constants';
-import { createFleetLabelForOrg } from '@/jobs/tasks/device/create-fleet-label-for-org';
-import { onboardOrganization as onboardOrganizationTask } from '@/jobs/tasks/onboarding/onboard-organization';
+import { createFleetLabelForOrg } from '@/trigger/tasks/device/create-fleet-label-for-org';
+import { onboardOrganization as onboardOrganizationTask } from '@/trigger/tasks/onboarding/onboard-organization';
 import { db } from '@db';
 import { tasks } from '@trigger.dev/sdk';
 import { revalidatePath } from 'next/cache';
diff --git a/apps/app/src/app/(app)/setup/actions/create-organization.ts b/apps/app/src/app/(app)/setup/actions/create-organization.ts
index 9df1720c2..ab24c1f9b 100644
--- a/apps/app/src/app/(app)/setup/actions/create-organization.ts
+++ b/apps/app/src/app/(app)/setup/actions/create-organization.ts
@@ -2,9 +2,9 @@
 
 import { initializeOrganization } from '@/actions/organization/lib/initialize-organization';
 import { authActionClientWithoutOrg } from '@/actions/safe-action';
-import { createFleetLabelForOrg } from '@/jobs/tasks/device/create-fleet-label-for-org';
-import { onboardOrganization as onboardOrganizationTask } from '@/jobs/tasks/onboarding/onboard-organization';
 import { createTrainingVideoEntries } from '@/lib/db/employee';
+import { createFleetLabelForOrg } from '@/trigger/tasks/device/create-fleet-label-for-org';
+import { onboardOrganization as onboardOrganizationTask } from '@/trigger/tasks/onboarding/onboard-organization';
 import { auth } from '@/utils/auth';
 import { db } from '@db';
 import { tasks } from '@trigger.dev/sdk';
diff --git a/apps/app/src/app/(app)/setup/go/[id]/components/onboarding-status.tsx b/apps/app/src/app/(app)/setup/go/[id]/components/onboarding-status.tsx
index b8a84d19a..e2aaf4f39 100644
--- a/apps/app/src/app/(app)/setup/go/[id]/components/onboarding-status.tsx
+++ b/apps/app/src/app/(app)/setup/go/[id]/components/onboarding-status.tsx
@@ -1,6 +1,6 @@
 'use client';
 
-import type { onboardOrganization } from '@/jobs/tasks/onboarding/onboard-organization';
+import type { onboardOrganization } from '@/trigger/tasks/onboarding/onboard-organization';
 import { useRun } from '@trigger.dev/react-hooks';
 import { CheckCircle } from 'lucide-react';
 import { useRouter } from 'next/navigation';
diff --git a/apps/app/src/app/api/cloud-tests/findings/route.ts b/apps/app/src/app/api/cloud-tests/findings/route.ts
index 4428b6c44..8bdbfe918 100644
--- a/apps/app/src/app/api/cloud-tests/findings/route.ts
+++ b/apps/app/src/app/api/cloud-tests/findings/route.ts
@@ -3,6 +3,8 @@ import { db } from '@db';
 import { headers } from 'next/headers';
 import { NextResponse } from 'next/server';
 
+const CLOUD_PROVIDER_SLUGS = ['aws', 'gcp', 'azure'];
+
 export async function GET() {
   try {
     const session = await auth.api.getSession({
@@ -15,34 +17,149 @@ export async function GET() {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
-    const findings =
-      (await db.integrationResult.findMany({
-        where: {
-          organizationId: orgId,
-          integration: {
-            integrationId: {
-              in: ['aws', 'gcp', 'azure'],
-            },
+    // ====================================================================
+    // Fetch from NEW integration platform
+    // ====================================================================
+    const newConnections = await db.integrationConnection.findMany({
+      where: {
+        organizationId: orgId,
+        provider: {
+          slug: {
+            in: CLOUD_PROVIDER_SLUGS,
           },
         },
-        select: {
-          id: true,
-          title: true,
-          description: true,
-          remediation: true,
-          status: true,
-          severity: true,
-          completedAt: true,
-          integration: {
-            select: {
-              integrationId: true,
-            },
+      },
+      select: {
+        id: true,
+        provider: {
+          select: {
+            slug: true,
           },
         },
-        orderBy: {
-          completedAt: 'desc',
+      },
+    });
+
+    const newConnectionIds = newConnections.map((c) => c.id);
+    const connectionToSlug = Object.fromEntries(newConnections.map((c) => [c.id, c.provider.slug]));
+
+    // Get the latest check run for each connection
+    const latestRuns =
+      newConnectionIds.length > 0
+        ? await db.integrationCheckRun.findMany({
+            where: {
+              connectionId: { in: newConnectionIds },
+              status: { in: ['success', 'failed'] },
+            },
+            orderBy: { completedAt: 'desc' },
+            distinct: ['connectionId'],
+            select: { id: true, connectionId: true, status: true },
+          })
+        : [];
+
+    const latestRunIds = latestRuns.map((r) => r.id);
+    const checkRunMap = Object.fromEntries(latestRuns.map((cr) => [cr.id, cr]));
+
+    // Fetch only failed results from the latest runs (findings only, no passing results)
+    const newResults =
+      latestRunIds.length > 0
+        ? await db.integrationCheckResult.findMany({
+            where: {
+              checkRunId: { in: latestRunIds },
+              passed: false,
+            },
+            select: {
+              id: true,
+              title: true,
+              description: true,
+              remediation: true,
+              severity: true,
+              collectedAt: true,
+              checkRunId: true,
+            },
+            orderBy: {
+              collectedAt: 'desc',
+            },
+          })
+        : [];
+
+    const newFindings = newResults.map((result) => {
+      const checkRun = checkRunMap[result.checkRunId];
+      return {
+        id: result.id,
+        title: result.title,
+        description: result.description,
+        remediation: result.remediation,
+        status: 'failed',
+        severity: result.severity,
+        completedAt: result.collectedAt,
+        integration: {
+          integrationId: checkRun
+            ? connectionToSlug[checkRun.connectionId] || 'unknown'
+            : 'unknown',
         },
-      })) || [];
+      };
+    });
+
+    // ====================================================================
+    // Fetch from OLD integration platform
+    // ====================================================================
+    // Filter out cloud providers that have migrated to new platform
+    const newConnectionSlugs = new Set(newConnections.map((c) => c.provider.slug));
+    const legacySlugs = CLOUD_PROVIDER_SLUGS.filter((s) => !newConnectionSlugs.has(s));
+
+    const legacyResults =
+      legacySlugs.length > 0
+        ? await db.integrationResult.findMany({
+            where: {
+              organizationId: orgId,
+              integration: {
+                integrationId: {
+                  in: legacySlugs,
+                },
+              },
+            },
+            select: {
+              id: true,
+              title: true,
+              description: true,
+              remediation: true,
+              status: true,
+              severity: true,
+              completedAt: true,
+              integration: {
+                select: {
+                  integrationId: true,
+                },
+              },
+            },
+            orderBy: {
+              completedAt: 'desc',
+            },
+            take: 500,
+          })
+        : [];
+
+    const legacyFindings = legacyResults.map((result) => ({
+      id: result.id,
+      title: result.title,
+      description: result.description,
+      remediation: result.remediation,
+      status: result.status,
+      severity: result.severity,
+      completedAt: result.completedAt,
+      integration: {
+        integrationId: result.integration.integrationId,
+      },
+    }));
+
+    // ====================================================================
+    // Merge and sort by date
+    // ====================================================================
+    const findings = [...newFindings, ...legacyFindings].sort((a, b) => {
+      const dateA = a.completedAt ? new Date(a.completedAt).getTime() : 0;
+      const dateB = b.completedAt ? new Date(b.completedAt).getTime() : 0;
+      return dateB - dateA;
+    });
 
     return NextResponse.json(findings);
   } catch (error) {
diff --git a/apps/app/src/app/api/cloud-tests/providers/route.ts b/apps/app/src/app/api/cloud-tests/providers/route.ts
index 167ef757b..d486f3438 100644
--- a/apps/app/src/app/api/cloud-tests/providers/route.ts
+++ b/apps/app/src/app/api/cloud-tests/providers/route.ts
@@ -1,8 +1,29 @@
 import { auth } from '@/utils/auth';
+import { getManifest } from '@comp/integration-platform';
 import { db } from '@db';
 import { headers } from 'next/headers';
 import { NextResponse } from 'next/server';
 
+const CLOUD_PROVIDER_SLUGS = ['aws', 'gcp', 'azure'];
+
+// Get required variables from manifest
+const getRequiredVariables = (providerSlug: string): string[] => {
+  const manifest = getManifest(providerSlug);
+  if (!manifest?.checks) return [];
+
+  const requiredVars = new Set<string>();
+  for (const check of manifest.checks) {
+    if (check.variables) {
+      for (const variable of check.variables) {
+        if (variable.required) {
+          requiredVars.add(variable.id);
+        }
+      }
+    }
+  }
+  return Array.from(requiredVars);
+};
+
 export async function GET() {
   try {
     const session = await auth.api.getSession({
@@ -15,17 +36,69 @@ export async function GET() {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
     }
 
-    const providers =
-      (await db.integration.findMany({
-        where: {
-          organizationId: orgId,
-          integrationId: {
-            in: ['aws', 'gcp', 'azure'],
+    // Fetch from NEW integration platform (IntegrationConnection)
+    const newConnections = await db.integrationConnection.findMany({
+      where: {
+        organizationId: orgId,
+        status: 'active',
+        provider: {
+          slug: {
+            in: CLOUD_PROVIDER_SLUGS,
           },
         },
-      })) || [];
+      },
+      include: {
+        provider: true,
+      },
+    });
+
+    // Fetch from OLD integration table (Integration) - for backward compat
+    const legacyIntegrations = await db.integration.findMany({
+      where: {
+        organizationId: orgId,
+        integrationId: {
+          in: CLOUD_PROVIDER_SLUGS,
+        },
+      },
+    });
+
+    // Filter out legacy integrations that have been migrated to new platform
+    const newConnectionSlugs = new Set(newConnections.map((c) => c.provider.slug));
+    const activeLegacyIntegrations = legacyIntegrations.filter(
+      (i) => !newConnectionSlugs.has(i.integrationId),
+    );
+
+    // Map new connections
+    const newProviders = newConnections.map((conn) => ({
+      id: conn.id,
+      integrationId: conn.provider.slug,
+      name: conn.provider.name,
+      organizationId: conn.organizationId,
+      lastRunAt: conn.lastSyncAt,
+      status: conn.status,
+      createdAt: conn.createdAt,
+      updatedAt: conn.updatedAt,
+      isLegacy: false,
+      variables: conn.variables,
+      requiredVariables: getRequiredVariables(conn.provider.slug),
+    }));
+
+    // Map legacy integrations
+    const legacyProviders = activeLegacyIntegrations.map((integration) => ({
+      id: integration.id,
+      integrationId: integration.integrationId,
+      name: integration.name,
+      organizationId: integration.organizationId,
+      lastRunAt: integration.lastRunAt,
+      status: 'active',
+      createdAt: new Date(),
+      updatedAt: new Date(),
+      isLegacy: true,
+      variables: null,
+      requiredVariables: getRequiredVariables(integration.integrationId),
+    }));
 
-    return NextResponse.json(providers);
+    return NextResponse.json([...newProviders, ...legacyProviders]);
   } catch (error) {
     console.error('Error fetching providers:', error);
     return NextResponse.json({ error: 'Failed to fetch providers' }, { status: 500 });
diff --git a/apps/app/src/components/integrations/ConnectIntegrationDialog.tsx b/apps/app/src/components/integrations/ConnectIntegrationDialog.tsx
new file mode 100644
index 000000000..a4eb1da15
--- /dev/null
+++ b/apps/app/src/components/integrations/ConnectIntegrationDialog.tsx
@@ -0,0 +1,445 @@
+'use client';
+
+import {
+  CredentialField,
+  useIntegrationMutations,
+  useIntegrationProviders,
+} from '@/hooks/use-integration-platform';
+import { Button } from '@comp/ui/button';
+import { ComboboxDropdown } from '@comp/ui/combobox-dropdown';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@comp/ui/select';
+import { Textarea } from '@comp/ui/textarea';
+import { Eye, EyeOff, Loader2 } from 'lucide-react';
+import Image from 'next/image';
+import { useCallback, useState } from 'react';
+import { toast } from 'sonner';
+
+interface ConnectIntegrationDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  onConnected?: () => void;
+}
+
+function CredentialInput({
+  field,
+  value,
+  onChange,
+}: {
+  field: CredentialField;
+  value: string;
+  onChange: (value: string) => void;
+}) {
+  const [showPassword, setShowPassword] = useState(false);
+  const handleChange = (e: React.ChangeEvent<HTMLInputElement | HTMLTextAreaElement>) =>
+    onChange(e.target.value);
+
+  if (field.type === 'password') {
+    return (
+      <div className="relative">
+        <Input
+          type={showPassword ? 'text' : 'password'}
+          value={value}
+          onChange={handleChange}
+          placeholder={field.placeholder}
+          className="pr-10"
+        />
+        <button
+          type="button"
+          onClick={() => setShowPassword((s) => !s)}
+          className="absolute right-3 top-1/2 -translate-y-1/2 text-muted-foreground hover:text-foreground"
+        >
+          {showPassword ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
+        </button>
+      </div>
+    );
+  }
+
+  if (field.type === 'textarea') {
+    return (
+      <Textarea value={value} onChange={handleChange} placeholder={field.placeholder} rows={4} />
+    );
+  }
+
+  if (field.type === 'select') {
+    return (
+      <Select value={value} onValueChange={onChange}>
+        <SelectTrigger>
+          <SelectValue placeholder={field.placeholder || 'Select...'} />
+        </SelectTrigger>
+        <SelectContent>
+          {field.options?.map((opt) => (
+            <SelectItem key={opt.value} value={opt.value}>
+              {opt.label}
+            </SelectItem>
+          ))}
+        </SelectContent>
+      </Select>
+    );
+  }
+
+  if (field.type === 'combobox') {
+    const items =
+      field.options?.map((opt) => ({
+        id: opt.value,
+        label: opt.label,
+      })) || [];
+
+    const selectedItem = items.find((item) => item.id === value);
+
+    return (
+      <ComboboxDropdown
+        items={items}
+        selectedItem={selectedItem}
+        onSelect={(item) => onChange(item.id)}
+        onCreate={(customValue) => onChange(customValue)}
+        placeholder={field.placeholder || 'Select or type...'}
+        searchPlaceholder="Search or type custom value..."
+        renderOnCreate={(customValue) => (
+          <div className="flex items-center gap-2">
+            <span className="text-sm">Use custom value:</span>
+            <span className="font-medium">{customValue}</span>
+          </div>
+        )}
+      />
+    );
+  }
+
+  const inputType = field.type === 'url' ? 'url' : field.type === 'number' ? 'number' : 'text';
+  const placeholder = field.type === 'url' ? field.placeholder || 'https://...' : field.placeholder;
+
+  return <Input type={inputType} value={value} onChange={handleChange} placeholder={placeholder} />;
+}
+
+export function ConnectIntegrationDialog({
+  open,
+  onOpenChange,
+  integrationId,
+  integrationName,
+  integrationLogoUrl,
+  onConnected,
+}: ConnectIntegrationDialogProps) {
+  const { startOAuth, createConnection, testConnection } = useIntegrationMutations();
+  const { providers } = useIntegrationProviders(true);
+  const [connecting, setConnecting] = useState(false);
+  const [credentials, setCredentials] = useState<Record<string, string>>({});
+  const [errors, setErrors] = useState<Record<string, string>>({});
+
+  const provider = providers?.find((p) => p.id === integrationId);
+  const authType = provider?.authType;
+  const credentialFields = provider?.credentialFields ?? [];
+
+  const allFields = (() => {
+    if (authType === 'basic') {
+      return [
+        {
+          id: 'username',
+          label: 'Username',
+          type: 'text' as const,
+          required: true,
+          placeholder: 'Enter username',
+        },
+        {
+          id: 'password',
+          label: 'Password',
+          type: 'password' as const,
+          required: true,
+          placeholder: 'Enter password',
+        },
+      ];
+    }
+    if (authType === 'api_key' && credentialFields.length === 0) {
+      return [
+        {
+          id: 'api_key',
+          label: 'API Key',
+          type: 'password' as const,
+          required: true,
+          placeholder: 'Enter your API key',
+        },
+      ];
+    }
+    // For custom auth, use the credential fields from the manifest
+    if (authType === 'custom' && credentialFields.length > 0) {
+      return credentialFields;
+    }
+    return credentialFields;
+  })();
+
+  const handleOAuthConnect = useCallback(async () => {
+    setConnecting(true);
+    try {
+      const redirectUrl = window.location.href;
+      const result = await startOAuth(integrationId, redirectUrl);
+      if (result.authorizationUrl) {
+        window.location.href = result.authorizationUrl;
+      } else {
+        toast.error(result.error || 'Failed to start connection');
+        setConnecting(false);
+      }
+    } catch {
+      toast.error('Failed to start connection');
+      setConnecting(false);
+    }
+  }, [integrationId, startOAuth]);
+
+  const handleCredentialConnect = useCallback(async () => {
+    // Validate required fields
+    const newErrors: Record<string, string> = {};
+    for (const field of allFields) {
+      if (field.required && !credentials[field.id]?.trim()) {
+        newErrors[field.id] = `${field.label} is required`;
+      }
+    }
+
+    if (Object.keys(newErrors).length > 0) {
+      setErrors(newErrors);
+      return;
+    }
+
+    setConnecting(true);
+    setErrors({});
+
+    try {
+      const result = await createConnection(integrationId, credentials);
+
+      if (!result.success) {
+        toast.error(result.error || 'Failed to create connection');
+        setConnecting(false);
+        return;
+      }
+
+      // Test the connection (optional - some integrations don't support testing)
+      if (result.connectionId) {
+        try {
+          const testResult = await testConnection(result.connectionId);
+          if (!testResult.success) {
+            // Check if it's just "not supported" vs actual failure
+            if (testResult.message?.includes('does not support')) {
+              toast.success(`${integrationName} connected! Credentials saved.`);
+            } else {
+              toast.warning(`${integrationName} connected but test failed: ${testResult.message}`);
+            }
+          } else {
+            toast.success(`${integrationName} connected and verified!`);
+          }
+        } catch {
+          // Test failed but connection was created
+          toast.success(`${integrationName} connected! Credentials saved.`);
+        }
+      } else {
+        toast.success(`${integrationName} connected!`);
+      }
+
+      onConnected?.();
+      onOpenChange(false);
+      setCredentials({});
+    } catch {
+      toast.error('Failed to create connection');
+    } finally {
+      setConnecting(false);
+    }
+  }, [
+    allFields,
+    credentials,
+    createConnection,
+    integrationId,
+    integrationName,
+    onConnected,
+    onOpenChange,
+    testConnection,
+  ]);
+
+  const updateCredential = (fieldId: string, value: string) => {
+    setCredentials((prev) => ({ ...prev, [fieldId]: value }));
+    // Clear error when user types
+    if (errors[fieldId]) {
+      setErrors((prev) => {
+        const newErrors = { ...prev };
+        delete newErrors[fieldId];
+        return newErrors;
+      });
+    }
+  };
+
+  const renderAuthForm = () => {
+    switch (authType) {
+      case 'oauth2':
+        return (
+          <div className="space-y-3">
+            <p className="text-sm text-muted-foreground">
+              This integration uses OAuth to securely connect to your {integrationName} account.
+              You'll be asked to authorize access to the required permissions.
+            </p>
+            <Button onClick={handleOAuthConnect} disabled={connecting} className="w-full">
+              {connecting ? (
+                <>
+                  <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                  Connecting...
+                </>
+              ) : (
+                <>Continue with {integrationName}</>
+              )}
+            </Button>
+          </div>
+        );
+
+      case 'api_key':
+      case 'basic':
+        return (
+          <div className="space-y-4">
+            {allFields.map((field) => (
+              <div key={field.id} className="space-y-2">
+                <Label htmlFor={field.id}>
+                  {field.label}
+                  {field.required && <span className="text-destructive ml-1">*</span>}
+                </Label>
+                <CredentialInput
+                  field={field}
+                  value={credentials[field.id] || ''}
+                  onChange={(value) => updateCredential(field.id, value)}
+                />
+                {field.helpText && (
+                  <p className="text-xs text-muted-foreground">{field.helpText}</p>
+                )}
+                {errors[field.id] && <p className="text-xs text-destructive">{errors[field.id]}</p>}
+              </div>
+            ))}
+            <Button onClick={handleCredentialConnect} disabled={connecting} className="w-full">
+              {connecting ? (
+                <>
+                  <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                  Connecting...
+                </>
+              ) : (
+                'Connect'
+              )}
+            </Button>
+          </div>
+        );
+
+      case 'jwt':
+        return (
+          <div className="space-y-3">
+            <p className="text-sm text-muted-foreground">
+              This integration requires a service account with JWT authentication. Please contact
+              your administrator to configure this integration.
+            </p>
+          </div>
+        );
+
+      case 'custom':
+        // If custom auth has credential fields, show a form
+        if (allFields.length > 0) {
+          return (
+            <div className="space-y-4">
+              {provider?.setupInstructions && (
+                <div className="text-sm text-muted-foreground bg-muted/50 p-3 rounded-md max-h-48 overflow-y-auto prose prose-sm dark:prose-invert">
+                  <p className="whitespace-pre-wrap text-xs">{provider.setupInstructions}</p>
+                </div>
+              )}
+              {allFields.map((field) => (
+                <div key={field.id} className="space-y-2">
+                  <Label htmlFor={field.id}>
+                    {field.label}
+                    {field.required && <span className="text-destructive ml-1">*</span>}
+                  </Label>
+                  <CredentialInput
+                    field={field}
+                    value={credentials[field.id] || ''}
+                    onChange={(value) => updateCredential(field.id, value)}
+                  />
+                  {field.helpText && (
+                    <p className="text-xs text-muted-foreground">{field.helpText}</p>
+                  )}
+                  {errors[field.id] && (
+                    <p className="text-xs text-destructive">{errors[field.id]}</p>
+                  )}
+                </div>
+              ))}
+              <Button onClick={handleCredentialConnect} disabled={connecting} className="w-full">
+                {connecting ? (
+                  <>
+                    <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                    Connecting...
+                  </>
+                ) : (
+                  'Connect'
+                )}
+              </Button>
+            </div>
+          );
+        }
+        // Fallback if no credential fields
+        return (
+          <div className="space-y-3">
+            <p className="text-sm text-muted-foreground">
+              This integration requires custom configuration. Please refer to the documentation for
+              setup instructions.
+            </p>
+            {provider?.docsUrl && (
+              <Button variant="outline" className="w-full" asChild>
+                <a href={provider.docsUrl} target="_blank" rel="noopener noreferrer">
+                  View Documentation
+                </a>
+              </Button>
+            )}
+          </div>
+        );
+
+      default:
+        return (
+          <p className="text-sm text-muted-foreground">
+            Unable to determine authentication method for this integration.
+          </p>
+        );
+    }
+  };
+
+  const descriptions: Record<string, string> = {
+    oauth2: `You'll be redirected to ${integrationName} to authorize the connection.`,
+    api_key: `Enter your ${integrationName} API key to connect.`,
+    basic: `Enter your ${integrationName} credentials to connect.`,
+    jwt: 'This integration requires service account authentication.',
+    custom:
+      allFields.length > 0
+        ? `Configure your ${integrationName} connection.`
+        : 'This integration requires custom configuration.',
+  };
+  const description = (authType && descriptions[authType]) || 'Configure your connection settings.';
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="max-w-md">
+        <DialogHeader>
+          <DialogTitle className="flex items-center gap-3">
+            <div className="w-10 h-10 rounded-lg bg-background border border-border flex items-center justify-center overflow-hidden">
+              <Image
+                src={integrationLogoUrl}
+                alt={integrationName}
+                width={28}
+                height={28}
+                className="object-contain"
+              />
+            </div>
+            Connect {integrationName}
+          </DialogTitle>
+          <DialogDescription>{description}</DialogDescription>
+        </DialogHeader>
+
+        <div className="pt-2">{renderAuthForm()}</div>
+      </DialogContent>
+    </Dialog>
+  );
+}
diff --git a/apps/app/src/components/integrations/ManageIntegrationDialog.tsx b/apps/app/src/components/integrations/ManageIntegrationDialog.tsx
new file mode 100644
index 000000000..9baf56b5e
--- /dev/null
+++ b/apps/app/src/components/integrations/ManageIntegrationDialog.tsx
@@ -0,0 +1,781 @@
+'use client';
+
+import {
+  useIntegrationConnections,
+  useIntegrationMutations,
+} from '@/hooks/use-integration-platform';
+import { api } from '@/lib/api-client';
+import { Button } from '@comp/ui/button';
+import { ComboboxDropdown } from '@comp/ui/combobox-dropdown';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@comp/ui/dialog';
+import { Input } from '@comp/ui/input';
+import { Label } from '@comp/ui/label';
+import MultipleSelector from '@comp/ui/multiple-selector';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@comp/ui/select';
+import { Tabs, TabsContent, TabsList, TabsTrigger } from '@comp/ui/tabs';
+import { Key, Loader2, Settings, Trash2, Unplug } from 'lucide-react';
+import Image from 'next/image';
+import { useParams } from 'next/navigation';
+import { useCallback, useEffect, useRef, useState } from 'react';
+import { toast } from 'sonner';
+
+interface CheckVariable {
+  id: string;
+  label: string;
+  description?: string;
+  helpText?: string;
+  placeholder?: string;
+  type: 'string' | 'number' | 'boolean' | 'select' | 'multi-select';
+  required: boolean;
+  default?: string | number | boolean | string[];
+  options?: { value: string; label: string }[];
+  hasDynamicOptions?: boolean;
+}
+
+interface VariableWithValue extends CheckVariable {
+  currentValue?: string | number | boolean | string[];
+}
+
+interface VariablesResponse {
+  connectionId: string;
+  providerSlug: string;
+  variables: VariableWithValue[];
+}
+
+interface CredentialField {
+  id: string;
+  label: string;
+  type: 'text' | 'password' | 'textarea' | 'select' | 'combobox' | 'number' | 'url';
+  required: boolean;
+  placeholder?: string;
+  helpText?: string;
+  options?: { value: string; label: string }[];
+}
+
+interface ConnectionDetailsResponse {
+  id: string;
+  providerId: string;
+  providerSlug: string;
+  providerName: string;
+  authStrategy: string;
+  credentialFields?: CredentialField[];
+}
+
+interface ManageIntegrationDialogProps {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  connectionId: string;
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  /** If true, shows only configuration without disconnect/delete options */
+  configureOnly?: boolean;
+  /** Context about the specific check being configured */
+  checkContext?: {
+    checkName: string;
+    checkDescription?: string;
+  };
+  onDisconnected?: () => void;
+  onDeleted?: () => void;
+  onSaved?: () => void;
+}
+
+export function ManageIntegrationDialog({
+  open,
+  onOpenChange,
+  connectionId,
+  integrationId,
+  integrationName,
+  integrationLogoUrl,
+  configureOnly = false,
+  checkContext,
+  onDisconnected,
+  onDeleted,
+  onSaved,
+}: ManageIntegrationDialogProps) {
+  const { orgId } = useParams<{ orgId: string }>();
+  const { disconnectConnection, deleteConnection } = useIntegrationMutations();
+  const { refresh: refreshConnections } = useIntegrationConnections();
+
+  // Variables state
+  const [variables, setVariables] = useState<CheckVariable[]>([]);
+  const [variableValues, setVariableValues] = useState<
+    Record<string, string | number | boolean | string[]>
+  >({});
+  const [loadingVariables, setLoadingVariables] = useState(false);
+  const [savingVariables, setSavingVariables] = useState(false);
+  const [dynamicOptions, setDynamicOptions] = useState<
+    Record<string, { value: string; label: string }[]>
+  >({});
+  const [loadingDynamicOptions, setLoadingDynamicOptions] = useState<Record<string, boolean>>({});
+
+  // Credentials state (for custom auth integrations)
+  const [credentialFields, setCredentialFields] = useState<CredentialField[]>([]);
+  const [credentialValues, setCredentialValues] = useState<Record<string, string>>({});
+  const [savingCredentials, setSavingCredentials] = useState(false);
+  const [authStrategy, setAuthStrategy] = useState<string>('');
+
+  // Tab state
+  const [activeTab, setActiveTab] = useState<'variables' | 'credentials'>('variables');
+
+  // Action states
+  const [disconnecting, setDisconnecting] = useState(false);
+  const [deleting, setDeleting] = useState(false);
+
+  // Fetch connection details (for credential fields)
+  const loadConnectionDetails = useCallback(async () => {
+    if (!connectionId || !orgId) return;
+
+    try {
+      const response = await api.get<ConnectionDetailsResponse>(
+        `/v1/integrations/connections/${connectionId}?organizationId=${orgId}`,
+      );
+      if (response.data) {
+        setAuthStrategy(response.data.authStrategy || '');
+        setCredentialFields(response.data.credentialFields || []);
+        // Initialize empty credential values (we don't show existing values for security)
+        const initialValues: Record<string, string> = {};
+        for (const field of response.data.credentialFields || []) {
+          initialValues[field.id] = '';
+        }
+        setCredentialValues(initialValues);
+      }
+    } catch {
+      // Silently fail - credential editing may not be available
+    }
+  }, [connectionId, orgId]);
+
+  // Fetch variables when dialog opens
+  const loadVariables = useCallback(async () => {
+    if (!connectionId || !orgId) return;
+
+    setLoadingVariables(true);
+    setDynamicOptions({});
+    try {
+      const response = await api.get<VariablesResponse>(
+        `/v1/integrations/variables/connections/${connectionId}?organizationId=${orgId}`,
+      );
+      if (response.data) {
+        const vars = response.data.variables || [];
+        setVariables(vars);
+        // Extract current values from each variable
+        const values: Record<string, string | number | boolean | string[]> = {};
+        for (const v of vars) {
+          if (v.currentValue !== undefined) {
+            values[v.id] = v.currentValue;
+          }
+        }
+        setVariableValues(values);
+      }
+    } catch {
+      toast.error('Failed to load configuration');
+    } finally {
+      setLoadingVariables(false);
+    }
+  }, [connectionId, orgId]);
+
+  useEffect(() => {
+    if (open && connectionId) {
+      loadVariables();
+      loadConnectionDetails();
+      // Set initial tab based on what's available
+      setActiveTab('variables');
+    }
+  }, [open, connectionId, loadVariables, loadConnectionDetails]);
+
+  const fetchDynamicOptions = useCallback(
+    async (variableId: string) => {
+      if (!connectionId || !orgId) return;
+
+      setLoadingDynamicOptions((prev) => ({ ...prev, [variableId]: true }));
+      try {
+        const response = await api.get<{ options: { value: string; label: string }[] }>(
+          `/v1/integrations/variables/connections/${connectionId}/options/${variableId}?organizationId=${orgId}`,
+        );
+        if (response.data?.options) {
+          setDynamicOptions((prev) => ({ ...prev, [variableId]: response.data!.options }));
+        }
+      } catch {
+        toast.error('Failed to load options');
+      } finally {
+        setLoadingDynamicOptions((prev) => ({ ...prev, [variableId]: false }));
+      }
+    },
+    [connectionId, orgId],
+  );
+
+  const handleSaveVariables = async () => {
+    if (!connectionId || !orgId) return;
+
+    setSavingVariables(true);
+    try {
+      await api.post(
+        `/v1/integrations/variables/connections/${connectionId}?organizationId=${orgId}`,
+        { variables: variableValues },
+      );
+      toast.success('Configuration saved');
+      refreshConnections();
+      onSaved?.();
+    } catch {
+      toast.error('Failed to save configuration');
+    } finally {
+      setSavingVariables(false);
+    }
+  };
+
+  const handleSaveCredentials = async () => {
+    if (!connectionId || !orgId) return;
+
+    // Check if any credentials were actually entered
+    const hasValues = Object.values(credentialValues).some((v) => v.trim() !== '');
+    if (!hasValues) {
+      toast.error('Please enter at least one credential value to update');
+      return;
+    }
+
+    // Only send non-empty values
+    const credentialsToSave: Record<string, string> = {};
+    for (const [key, value] of Object.entries(credentialValues)) {
+      if (value.trim()) {
+        credentialsToSave[key] = value.trim();
+      }
+    }
+
+    setSavingCredentials(true);
+    try {
+      await api.put(
+        `/v1/integrations/connections/${connectionId}/credentials?organizationId=${orgId}`,
+        { credentials: credentialsToSave },
+      );
+      toast.success('Credentials updated');
+      refreshConnections();
+      // Clear the form
+      setCredentialValues((prev) => {
+        const cleared: Record<string, string> = {};
+        for (const key of Object.keys(prev)) {
+          cleared[key] = '';
+        }
+        return cleared;
+      });
+      onSaved?.();
+    } catch {
+      toast.error('Failed to update credentials');
+    } finally {
+      setSavingCredentials(false);
+    }
+  };
+
+  const handleDisconnect = async () => {
+    if (!connectionId) return;
+
+    setDisconnecting(true);
+    try {
+      const result = await disconnectConnection(connectionId);
+      if (result.success) {
+        toast.success('Integration disconnected');
+        onOpenChange(false);
+        refreshConnections();
+        onDisconnected?.();
+      } else {
+        toast.error(result.error || 'Failed to disconnect');
+      }
+    } catch {
+      toast.error('Failed to disconnect');
+    } finally {
+      setDisconnecting(false);
+    }
+  };
+
+  const handleDelete = async () => {
+    if (!connectionId) return;
+
+    setDeleting(true);
+    try {
+      const result = await deleteConnection(connectionId);
+      if (result.success) {
+        toast.success('Integration removed');
+        onOpenChange(false);
+        refreshConnections();
+        onDeleted?.();
+      } else {
+        toast.error(result.error || 'Failed to remove');
+      }
+    } catch {
+      toast.error('Failed to remove');
+    } finally {
+      setDeleting(false);
+    }
+  };
+
+  const handleClose = () => {
+    onOpenChange(false);
+    // Reset state
+    setVariables([]);
+    setVariableValues({});
+    setDynamicOptions({});
+  };
+
+  return (
+    <Dialog open={open} onOpenChange={handleClose}>
+      <DialogContent className="max-w-lg">
+        <DialogHeader>
+          <DialogTitle className="flex items-center gap-3">
+            <div className="w-8 h-8 rounded-lg bg-background border border-border flex items-center justify-center overflow-hidden">
+              <Image
+                src={integrationLogoUrl}
+                alt={integrationName}
+                width={20}
+                height={20}
+                className="object-contain"
+              />
+            </div>
+            {checkContext
+              ? `Configure ${checkContext.checkName}`
+              : configureOnly
+                ? `Configure ${integrationName}`
+                : `Manage ${integrationName}`}
+          </DialogTitle>
+          <DialogDescription>
+            {checkContext?.checkDescription ||
+              (configureOnly
+                ? 'Set up your integration to start automated checks.'
+                : 'Configure your integration settings or disconnect.')}
+          </DialogDescription>
+        </DialogHeader>
+
+        {loadingVariables ? (
+          <div className="py-8 flex items-center justify-center">
+            <Loader2 className="h-6 w-6 animate-spin text-muted-foreground" />
+          </div>
+        ) : (
+          <ConfigurationContent
+            variables={variables}
+            variableValues={variableValues}
+            setVariableValues={setVariableValues}
+            dynamicOptions={dynamicOptions}
+            loadingDynamicOptions={loadingDynamicOptions}
+            fetchDynamicOptions={fetchDynamicOptions}
+            savingVariables={savingVariables}
+            handleSaveVariables={handleSaveVariables}
+            credentialFields={credentialFields}
+            credentialValues={credentialValues}
+            setCredentialValues={setCredentialValues}
+            savingCredentials={savingCredentials}
+            handleSaveCredentials={handleSaveCredentials}
+            authStrategy={authStrategy}
+            activeTab={activeTab}
+            setActiveTab={setActiveTab}
+          />
+        )}
+
+        {!configureOnly && (
+          <DialogFooter className="flex-col sm:flex-row gap-2 border-t pt-4">
+            <Button
+              variant="outline"
+              onClick={handleDisconnect}
+              disabled={disconnecting || deleting}
+              className="flex-1"
+            >
+              {disconnecting ? (
+                <>
+                  <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                  Disconnecting...
+                </>
+              ) : (
+                <>
+                  <Unplug className="h-4 w-4 mr-2" />
+                  Disconnect
+                </>
+              )}
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={handleDelete}
+              disabled={disconnecting || deleting}
+              className="flex-1"
+            >
+              {deleting ? (
+                <>
+                  <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+                  Removing...
+                </>
+              ) : (
+                <>
+                  <Trash2 className="h-4 w-4 mr-2" />
+                  Remove
+                </>
+              )}
+            </Button>
+          </DialogFooter>
+        )}
+      </DialogContent>
+    </Dialog>
+  );
+}
+
+// Configuration content with tabs for variables and credentials
+function ConfigurationContent({
+  variables,
+  variableValues,
+  setVariableValues,
+  dynamicOptions,
+  loadingDynamicOptions,
+  fetchDynamicOptions,
+  savingVariables,
+  handleSaveVariables,
+  credentialFields,
+  credentialValues,
+  setCredentialValues,
+  savingCredentials,
+  handleSaveCredentials,
+  authStrategy,
+  activeTab,
+  setActiveTab,
+}: {
+  variables: CheckVariable[];
+  variableValues: Record<string, string | number | boolean | string[]>;
+  setVariableValues: React.Dispatch<
+    React.SetStateAction<Record<string, string | number | boolean | string[]>>
+  >;
+  dynamicOptions: Record<string, { value: string; label: string }[]>;
+  loadingDynamicOptions: Record<string, boolean>;
+  fetchDynamicOptions: (variableId: string) => void;
+  savingVariables: boolean;
+  handleSaveVariables: () => void;
+  credentialFields: CredentialField[];
+  credentialValues: Record<string, string>;
+  setCredentialValues: React.Dispatch<React.SetStateAction<Record<string, string>>>;
+  savingCredentials: boolean;
+  handleSaveCredentials: () => void;
+  authStrategy: string;
+  activeTab: 'variables' | 'credentials';
+  setActiveTab: (tab: 'variables' | 'credentials') => void;
+}) {
+  const hasVariables = variables.length > 0;
+  const hasCredentials = authStrategy === 'custom' && credentialFields.length > 0;
+  const showTabs = hasVariables && hasCredentials;
+
+  // If neither available, show empty state
+  if (!hasVariables && !hasCredentials) {
+    return (
+      <p className="text-sm text-muted-foreground text-center py-4">
+        This integration is fully configured and ready to use.
+      </p>
+    );
+  }
+
+  const variablesContent = hasVariables && (
+    <div className="space-y-4">
+      {!showTabs && <h4 className="text-sm font-medium">Configuration</h4>}
+      {variables.map((variable) => {
+        const options = dynamicOptions[variable.id] || variable.options || [];
+        const isLoadingOptions = loadingDynamicOptions[variable.id];
+
+        return (
+          <div key={variable.id} className="space-y-2">
+            <Label htmlFor={variable.id}>
+              {variable.label}
+              {variable.required && <span className="text-destructive ml-1">*</span>}
+            </Label>
+            {variable.description && (
+              <p className="text-xs text-muted-foreground">{variable.description}</p>
+            )}
+            {variable.helpText && (
+              <p className="text-xs text-muted-foreground">{variable.helpText}</p>
+            )}
+            {variable.placeholder && !variable.description && !variable.helpText && (
+              <p className="text-xs text-muted-foreground">Example: {variable.placeholder}</p>
+            )}
+
+            {variable.type === 'multi-select' ? (
+              <MultiSelectVariable
+                variable={variable}
+                options={options}
+                isLoadingOptions={isLoadingOptions}
+                value={variableValues[variable.id]}
+                onChange={(val) =>
+                  setVariableValues((prev) => ({
+                    ...prev,
+                    [variable.id]: val,
+                  }))
+                }
+                onLoadOptions={() => fetchDynamicOptions(variable.id)}
+              />
+            ) : variable.type === 'select' ? (
+              <Select
+                value={String(variableValues[variable.id] || '')}
+                onValueChange={(val) =>
+                  setVariableValues((prev) => ({ ...prev, [variable.id]: val }))
+                }
+                onOpenChange={(isOpen) => {
+                  if (isOpen && variable.hasDynamicOptions && !options.length) {
+                    fetchDynamicOptions(variable.id);
+                  }
+                }}
+              >
+                <SelectTrigger>
+                  <SelectValue placeholder={`Select ${variable.label.toLowerCase()}`} />
+                </SelectTrigger>
+                <SelectContent>
+                  {isLoadingOptions ? (
+                    <div className="py-2 px-3 text-sm text-muted-foreground flex items-center gap-2">
+                      <Loader2 className="h-3 w-3 animate-spin" />
+                      Loading options...
+                    </div>
+                  ) : options.length === 0 ? (
+                    <div className="py-2 px-3 text-sm text-muted-foreground">
+                      No options available
+                    </div>
+                  ) : (
+                    options.map((opt) => (
+                      <SelectItem key={opt.value} value={opt.value}>
+                        {opt.label}
+                      </SelectItem>
+                    ))
+                  )}
+                </SelectContent>
+              </Select>
+            ) : variable.type === 'boolean' ? (
+              <Select
+                value={String(variableValues[variable.id] ?? variable.default ?? 'false')}
+                onValueChange={(val) =>
+                  setVariableValues((prev) => ({
+                    ...prev,
+                    [variable.id]: val === 'true',
+                  }))
+                }
+              >
+                <SelectTrigger>
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="true">Yes</SelectItem>
+                  <SelectItem value="false">No</SelectItem>
+                </SelectContent>
+              </Select>
+            ) : (
+              <Input
+                id={variable.id}
+                type={variable.type === 'number' ? 'number' : 'text'}
+                value={String(variableValues[variable.id] || '')}
+                onChange={(e) =>
+                  setVariableValues((prev) => ({
+                    ...prev,
+                    [variable.id]:
+                      variable.type === 'number' ? Number(e.target.value) : e.target.value,
+                  }))
+                }
+                placeholder={`Enter ${variable.label.toLowerCase()}`}
+              />
+            )}
+          </div>
+        );
+      })}
+
+      <Button onClick={handleSaveVariables} disabled={savingVariables} className="w-full">
+        {savingVariables ? (
+          <>
+            <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+            Saving...
+          </>
+        ) : (
+          'Save Configuration'
+        )}
+      </Button>
+    </div>
+  );
+
+  const credentialsContent = hasCredentials && (
+    <div className="space-y-4">
+      {!showTabs && <h4 className="text-sm font-medium">Update Credentials</h4>}
+      <div className="rounded-md bg-muted/50 border border-border p-3 space-y-1">
+        <p className="text-xs text-muted-foreground">
+          Leave fields empty to keep existing values. Only fill in fields you want to update.
+        </p>
+        <p className="text-xs text-muted-foreground flex items-center gap-1.5">
+          <svg
+            xmlns="http://www.w3.org/2000/svg"
+            viewBox="0 0 16 16"
+            fill="currentColor"
+            className="h-3 w-3 text-green-600 dark:text-green-500"
+          >
+            <path
+              fillRule="evenodd"
+              d="M8 1a3.5 3.5 0 0 0-3.5 3.5V7A1.5 1.5 0 0 0 3 8.5v5A1.5 1.5 0 0 0 4.5 15h7a1.5 1.5 0 0 0 1.5-1.5v-5A1.5 1.5 0 0 0 11.5 7V4.5A3.5 3.5 0 0 0 8 1Zm2 6V4.5a2 2 0 1 0-4 0V7h4Z"
+              clipRule="evenodd"
+            />
+          </svg>
+          <span>Your credentials are encrypted at rest using AES-256-GCM encryption.</span>
+        </p>
+      </div>
+      {credentialFields.map((field) => (
+        <div key={field.id} className="space-y-2">
+          <Label htmlFor={`cred-${field.id}`}>
+            {field.label}
+            {field.required && <span className="text-muted-foreground ml-1">(required)</span>}
+          </Label>
+          {field.helpText && <p className="text-xs text-muted-foreground">{field.helpText}</p>}
+          {field.type === 'textarea' ? (
+            <textarea
+              id={`cred-${field.id}`}
+              placeholder={field.placeholder || `Enter new ${field.label.toLowerCase()}`}
+              value={credentialValues[field.id] || ''}
+              onChange={(e) =>
+                setCredentialValues((prev) => ({ ...prev, [field.id]: e.target.value }))
+              }
+              className="bg-background border-input ring-offset-background placeholder:text-muted-foreground focus-visible:ring-ring flex min-h-[80px] w-full rounded-md border px-3 py-2 text-sm focus-visible:outline-none focus-visible:ring-2 focus-visible:ring-offset-2"
+            />
+          ) : field.type === 'combobox' && field.options ? (
+            <ComboboxDropdown
+              items={field.options.map((opt) => ({
+                id: opt.value,
+                label: opt.label,
+              }))}
+              selectedItem={field.options
+                .map((opt) => ({ id: opt.value, label: opt.label }))
+                .find((item) => item.id === credentialValues[field.id])}
+              onSelect={(item) => setCredentialValues((prev) => ({ ...prev, [field.id]: item.id }))}
+              onCreate={(customValue) =>
+                setCredentialValues((prev) => ({ ...prev, [field.id]: customValue }))
+              }
+              placeholder={field.placeholder || `Select ${field.label.toLowerCase()}...`}
+              searchPlaceholder="Search or type custom value..."
+              renderOnCreate={(customValue) => (
+                <div className="flex items-center gap-2">
+                  <span className="text-sm">Use custom value:</span>
+                  <span className="font-medium">{customValue}</span>
+                </div>
+              )}
+            />
+          ) : field.type === 'select' && field.options ? (
+            <Select
+              value={credentialValues[field.id] || ''}
+              onValueChange={(val) => setCredentialValues((prev) => ({ ...prev, [field.id]: val }))}
+            >
+              <SelectTrigger>
+                <SelectValue placeholder={`Select ${field.label.toLowerCase()}`} />
+              </SelectTrigger>
+              <SelectContent>
+                {field.options.map((opt) => (
+                  <SelectItem key={opt.value} value={opt.value}>
+                    {opt.label}
+                  </SelectItem>
+                ))}
+              </SelectContent>
+            </Select>
+          ) : (
+            <Input
+              id={`cred-${field.id}`}
+              type={field.type === 'password' ? 'password' : 'text'}
+              placeholder={field.placeholder || `Enter new ${field.label.toLowerCase()}`}
+              value={credentialValues[field.id] || ''}
+              onChange={(e) =>
+                setCredentialValues((prev) => ({ ...prev, [field.id]: e.target.value }))
+              }
+            />
+          )}
+        </div>
+      ))}
+
+      <Button onClick={handleSaveCredentials} disabled={savingCredentials} className="w-full">
+        {savingCredentials ? (
+          <>
+            <Loader2 className="h-4 w-4 mr-2 animate-spin" />
+            Updating...
+          </>
+        ) : (
+          'Update Credentials'
+        )}
+      </Button>
+    </div>
+  );
+
+  // Show tabs if both are available
+  if (showTabs) {
+    return (
+      <Tabs value={activeTab} onValueChange={(v) => setActiveTab(v as 'variables' | 'credentials')}>
+        <TabsList className="grid w-full grid-cols-2">
+          <TabsTrigger value="variables" className="gap-2">
+            <Settings className="h-4 w-4" />
+            Settings
+          </TabsTrigger>
+          <TabsTrigger value="credentials" className="gap-2">
+            <Key className="h-4 w-4" />
+            Credentials
+          </TabsTrigger>
+        </TabsList>
+        <TabsContent value="variables" className="mt-4">
+          {variablesContent}
+        </TabsContent>
+        <TabsContent value="credentials" className="mt-4">
+          {credentialsContent}
+        </TabsContent>
+      </Tabs>
+    );
+  }
+
+  // Show only what's available
+  return <div className="space-y-4">{variablesContent || credentialsContent}</div>;
+}
+
+// Helper component for multi-select variables with lazy loading
+function MultiSelectVariable({
+  variable,
+  options,
+  isLoadingOptions,
+  value,
+  onChange,
+  onLoadOptions,
+}: {
+  variable: CheckVariable;
+  options: { value: string; label: string }[];
+  isLoadingOptions: boolean;
+  value: string | number | boolean | string[] | undefined;
+  onChange: (val: string[]) => void;
+  onLoadOptions: () => void;
+}) {
+  const selectedValues = Array.isArray(value) ? value : [];
+  const hasLoadedRef = useRef(false);
+
+  useEffect(() => {
+    if (
+      variable.hasDynamicOptions &&
+      options.length === 0 &&
+      !hasLoadedRef.current &&
+      !isLoadingOptions
+    ) {
+      hasLoadedRef.current = true;
+      onLoadOptions();
+    }
+  }, []);
+
+  return (
+    <MultipleSelector
+      value={selectedValues.map((v) => ({
+        value: v,
+        label: options.find((o) => o.value === v)?.label || v,
+      }))}
+      onChange={(selected) => onChange(selected.map((s) => s.value))}
+      defaultOptions={options.map((o) => ({ value: o.value, label: o.label }))}
+      options={options.map((o) => ({ value: o.value, label: o.label }))}
+      placeholder={`Select ${variable.label.toLowerCase()}...`}
+      emptyIndicator={
+        isLoadingOptions ? (
+          <div className="py-2 px-3 text-sm text-muted-foreground flex items-center gap-2">
+            <Loader2 className="h-3 w-3 animate-spin" />
+            Loading options...
+          </div>
+        ) : (
+          <p className="text-center text-sm text-muted-foreground">No options available</p>
+        )
+      }
+    />
+  );
+}
diff --git a/apps/app/src/hooks/use-integration-platform.ts b/apps/app/src/hooks/use-integration-platform.ts
new file mode 100644
index 000000000..d91a633c3
--- /dev/null
+++ b/apps/app/src/hooks/use-integration-platform.ts
@@ -0,0 +1,434 @@
+'use client';
+
+import { api } from '@/lib/api-client';
+import type {
+  ConnectionListItemResponse,
+  CredentialField,
+  IntegrationConnectionResponse,
+  IntegrationProviderResponse,
+  OAuthAvailabilityResponse,
+  OAuthStartResponse,
+  TestConnectionResponse,
+} from '@comp/integration-platform';
+import { useParams } from 'next/navigation';
+import { useCallback } from 'react';
+import useSWR, { mutate as globalMutate } from 'swr';
+
+// ============================================================================
+// Type aliases for internal use and re-export for consumers
+// ============================================================================
+
+// Internal aliases (keep existing names for backwards compatibility)
+type IntegrationProvider = IntegrationProviderResponse;
+type IntegrationConnection = IntegrationConnectionResponse;
+type ConnectionListItem = ConnectionListItemResponse;
+type OAuthAvailability = OAuthAvailabilityResponse;
+
+// Re-export for consumers using the familiar names
+export type {
+  ConnectionListItem,
+  CredentialField,
+  IntegrationConnection,
+  IntegrationProvider,
+  OAuthAvailability,
+  OAuthStartResponse,
+  TestConnectionResponse,
+};
+
+// ============================================================================
+// Hooks
+// ============================================================================
+
+/**
+ * Hook to fetch all available integration providers
+ */
+export function useIntegrationProviders(activeOnly = false) {
+  const endpoint = `/v1/integrations/connections/providers${activeOnly ? '?activeOnly=true' : ''}`;
+
+  const { data, error, isLoading, mutate } = useSWR<IntegrationProvider[]>(
+    ['integration-providers', activeOnly],
+    async () => {
+      const response = await api.get<IntegrationProvider[]>(endpoint);
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      // Add slug alias for id
+      return (response.data || []).map((p) => ({ ...p, slug: p.id }));
+    },
+    {
+      revalidateOnFocus: false,
+      dedupingInterval: 60000, // 1 minute - providers don't change often
+    },
+  );
+
+  return {
+    providers: data || [],
+    isLoading,
+    error: error?.message,
+    refresh: mutate,
+  };
+}
+
+/**
+ * Hook to fetch a specific provider's details
+ */
+export function useIntegrationProvider(slug: string | null) {
+  const { data, error, isLoading, mutate } = useSWR<IntegrationProvider>(
+    slug ? ['integration-provider', slug] : null,
+    async () => {
+      const response = await api.get<IntegrationProvider>(
+        `/v1/integrations/connections/providers/${slug}`,
+      );
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data!;
+    },
+    {
+      revalidateOnFocus: false,
+      dedupingInterval: 60000,
+    },
+  );
+
+  return {
+    provider: data,
+    isLoading,
+    error: error?.message,
+    refresh: mutate,
+  };
+}
+
+/**
+ * Hook to fetch connections for the current organization
+ */
+export function useIntegrationConnections() {
+  const params = useParams<{ orgId: string }>();
+  const orgId = params?.orgId;
+
+  const { data, error, isLoading, mutate } = useSWR<ConnectionListItem[]>(
+    orgId ? ['integration-connections', orgId] : null,
+    async () => {
+      const response = await api.get<ConnectionListItem[]>(
+        `/v1/integrations/connections?organizationId=${orgId}`,
+        orgId,
+      );
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data || [];
+    },
+    {
+      revalidateOnFocus: true,
+      dedupingInterval: 5000,
+    },
+  );
+
+  return {
+    connections: data || [],
+    isLoading,
+    error: error?.message,
+    refresh: mutate,
+  };
+}
+
+/**
+ * Hook to fetch a specific connection
+ */
+export function useIntegrationConnection(connectionId: string | null) {
+  const params = useParams<{ orgId: string }>();
+  const orgId = params?.orgId;
+
+  const { data, error, isLoading, mutate } = useSWR<IntegrationConnection>(
+    connectionId && orgId ? ['integration-connection', connectionId, orgId] : null,
+    async () => {
+      const response = await api.get<IntegrationConnection>(
+        `/v1/integrations/connections/${connectionId}`,
+        orgId,
+      );
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data!;
+    },
+    {
+      revalidateOnFocus: true,
+      dedupingInterval: 5000,
+    },
+  );
+
+  return {
+    connection: data,
+    isLoading,
+    error: error?.message,
+    refresh: mutate,
+  };
+}
+
+/**
+ * Hook to check OAuth availability for a provider
+ */
+export function useOAuthAvailability(providerSlug: string | null) {
+  const params = useParams<{ orgId: string }>();
+  const orgId = params?.orgId;
+
+  const { data, error, isLoading, mutate } = useSWR<OAuthAvailability>(
+    providerSlug && orgId ? ['oauth-availability', providerSlug, orgId] : null,
+    async () => {
+      const response = await api.get<OAuthAvailability>(
+        `/v1/integrations/oauth/availability?providerSlug=${providerSlug}&organizationId=${orgId}`,
+      );
+      if (response.error) {
+        throw new Error(response.error);
+      }
+      return response.data!;
+    },
+    {
+      revalidateOnFocus: false,
+      dedupingInterval: 30000,
+    },
+  );
+
+  return {
+    availability: data,
+    isLoading,
+    error: error?.message,
+    refresh: mutate,
+  };
+}
+
+/**
+ * Hook for integration platform mutations (connect, disconnect, etc.)
+ */
+export function useIntegrationMutations() {
+  const params = useParams<{ orgId: string }>();
+  const orgId = params?.orgId;
+
+  /**
+   * Start OAuth flow for a provider
+   */
+  const startOAuth = useCallback(
+    async (
+      providerSlug: string,
+      redirectUrl?: string,
+    ): Promise<{ success: boolean; authorizationUrl?: string; error?: string }> => {
+      if (!orgId) {
+        return { success: false, error: 'No organization selected' };
+      }
+
+      const response = await api.post<OAuthStartResponse>('/v1/integrations/oauth/start', {
+        providerSlug,
+        organizationId: orgId,
+        userId: '', // Will be filled by API from auth context
+        redirectUrl,
+      });
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      return { success: true, authorizationUrl: response.data?.authorizationUrl };
+    },
+    [orgId],
+  );
+
+  /**
+   * Create a connection with API key credentials
+   */
+  const createConnection = useCallback(
+    async (
+      providerSlug: string,
+      credentials?: Record<string, string>,
+    ): Promise<{ success: boolean; connectionId?: string; error?: string }> => {
+      if (!orgId) {
+        return { success: false, error: 'No organization selected' };
+      }
+
+      const response = await api.post<{ id: string }>(
+        '/v1/integrations/connections',
+        {
+          providerSlug,
+          organizationId: orgId,
+          credentials,
+        },
+        orgId,
+      );
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      // Invalidate connections cache
+      globalMutate(['integration-connections', orgId]);
+
+      return { success: true, connectionId: response.data?.id };
+    },
+    [orgId],
+  );
+
+  /**
+   * Test a connection
+   */
+  const testConnection = useCallback(
+    async (connectionId: string): Promise<TestConnectionResponse> => {
+      const response = await api.post<TestConnectionResponse>(
+        `/v1/integrations/connections/${connectionId}/test`,
+        undefined,
+        orgId,
+      );
+
+      if (response.error) {
+        return { success: false, message: response.error };
+      }
+
+      // Invalidate connection cache
+      globalMutate(['integration-connection', connectionId, orgId]);
+      globalMutate(['integration-connections', orgId]);
+
+      return response.data || { success: false, message: 'Unknown error' };
+    },
+    [orgId],
+  );
+
+  /**
+   * Pause a connection
+   */
+  const pauseConnection = useCallback(
+    async (connectionId: string): Promise<{ success: boolean; error?: string }> => {
+      const response = await api.post(
+        `/v1/integrations/connections/${connectionId}/pause`,
+        undefined,
+        orgId,
+      );
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      globalMutate(['integration-connection', connectionId, orgId]);
+      globalMutate(['integration-connections', orgId]);
+
+      return { success: true };
+    },
+    [orgId],
+  );
+
+  /**
+   * Resume a paused connection
+   */
+  const resumeConnection = useCallback(
+    async (connectionId: string): Promise<{ success: boolean; error?: string }> => {
+      const response = await api.post(
+        `/v1/integrations/connections/${connectionId}/resume`,
+        undefined,
+        orgId,
+      );
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      globalMutate(['integration-connection', connectionId, orgId]);
+      globalMutate(['integration-connections', orgId]);
+
+      return { success: true };
+    },
+    [orgId],
+  );
+
+  /**
+   * Disconnect (soft delete) a connection
+   */
+  const disconnectConnection = useCallback(
+    async (connectionId: string): Promise<{ success: boolean; error?: string }> => {
+      const response = await api.post(
+        `/v1/integrations/connections/${connectionId}/disconnect`,
+        undefined,
+        orgId,
+      );
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      globalMutate(['integration-connection', connectionId, orgId]);
+      globalMutate(['integration-connections', orgId]);
+
+      return { success: true };
+    },
+    [orgId],
+  );
+
+  /**
+   * Delete a connection permanently
+   */
+  const deleteConnection = useCallback(
+    async (connectionId: string): Promise<{ success: boolean; error?: string }> => {
+      const response = await api.delete(`/v1/integrations/connections/${connectionId}`, orgId);
+
+      if (response.error) {
+        return { success: false, error: response.error };
+      }
+
+      globalMutate(['integration-connections', orgId]);
+
+      return { success: true };
+    },
+    [orgId],
+  );
+
+  return {
+    startOAuth,
+    createConnection,
+    testConnection,
+    pauseConnection,
+    resumeConnection,
+    disconnectConnection,
+    deleteConnection,
+  };
+}
+
+/**
+ * Combined hook for common integration platform operations
+ */
+export function useIntegrationPlatform() {
+  const {
+    providers,
+    isLoading: providersLoading,
+    error: providersError,
+    refresh: refreshProviders,
+  } = useIntegrationProviders(true);
+  const {
+    connections,
+    isLoading: connectionsLoading,
+    error: connectionsError,
+    refresh: refreshConnections,
+  } = useIntegrationConnections();
+  const mutations = useIntegrationMutations();
+
+  return {
+    // Data
+    providers,
+    connections,
+
+    // Loading states
+    isLoading: providersLoading || connectionsLoading,
+    providersLoading,
+    connectionsLoading,
+
+    // Errors
+    error: providersError || connectionsError,
+    providersError,
+    connectionsError,
+
+    // Refresh functions
+    refreshProviders,
+    refreshConnections,
+    refresh: () => {
+      refreshProviders();
+      refreshConnections();
+    },
+
+    // Mutations
+    ...mutations,
+  };
+}
diff --git a/apps/app/src/lib/server-api-client.ts b/apps/app/src/lib/server-api-client.ts
new file mode 100644
index 000000000..41b4fbbb8
--- /dev/null
+++ b/apps/app/src/lib/server-api-client.ts
@@ -0,0 +1,82 @@
+import { headers } from 'next/headers';
+
+const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:3333';
+
+interface ApiResponse<T = unknown> {
+  data?: T;
+  error?: string;
+  status: number;
+}
+
+interface CallOptions {
+  method?: 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE';
+  body?: unknown;
+}
+
+/**
+ * Server-side API client for calling our internal NestJS API from server components
+ * Forwards cookies for authentication - API handles auth via better-auth
+ */
+async function call<T = unknown>(
+  endpoint: string,
+  options: CallOptions = {},
+): Promise<ApiResponse<T>> {
+  const { method = 'GET', body } = options;
+
+  const requestHeaders: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+
+  // Forward cookies for auth - better-auth handles session validation
+  const cookieHeader = (await headers()).get('cookie');
+  if (cookieHeader) {
+    requestHeaders['Cookie'] = cookieHeader;
+  }
+
+  try {
+    const response = await fetch(`${API_BASE_URL}${endpoint}`, {
+      method,
+      headers: requestHeaders,
+      body: body ? JSON.stringify(body) : undefined,
+      cache: 'no-store',
+    });
+
+    let data = null;
+    if (response.status !== 204) {
+      const text = await response.text();
+      if (text) {
+        try {
+          data = JSON.parse(text);
+        } catch {
+          data = { message: text };
+        }
+      }
+    }
+
+    return {
+      data: response.ok ? data : undefined,
+      error: !response.ok ? data?.message || `HTTP ${response.status}` : undefined,
+      status: response.status,
+    };
+  } catch (error) {
+    return {
+      error: error instanceof Error ? error.message : 'Network error',
+      status: 0,
+    };
+  }
+}
+
+export const serverApi = {
+  get: <T = unknown>(endpoint: string) => call<T>(endpoint, { method: 'GET' }),
+
+  post: <T = unknown>(endpoint: string, body?: unknown) =>
+    call<T>(endpoint, { method: 'POST', body }),
+
+  put: <T = unknown>(endpoint: string, body?: unknown) =>
+    call<T>(endpoint, { method: 'PUT', body }),
+
+  patch: <T = unknown>(endpoint: string, body?: unknown) =>
+    call<T>(endpoint, { method: 'PATCH', body }),
+
+  delete: <T = unknown>(endpoint: string) => call<T>(endpoint, { method: 'DELETE' }),
+};
diff --git a/apps/app/src/lib/vector/sync/sync-organization.ts b/apps/app/src/lib/vector/sync/sync-organization.ts
index ead4d6cfb..25e5ef1bb 100644
--- a/apps/app/src/lib/vector/sync/sync-organization.ts
+++ b/apps/app/src/lib/vector/sync/sync-organization.ts
@@ -1,13 +1,15 @@
 import 'server-only';
 
+import { logger } from '@/utils/logger';
 import { db } from '@db';
+import { vectorIndex } from '../core/client';
+import {
+  findAllOrganizationEmbeddings,
+  type ExistingEmbedding,
+} from '../core/find-existing-embeddings';
 import { batchUpsertEmbeddings } from '../core/upsert-embedding';
 import { chunkText } from '../utils/chunk-text';
 import { extractTextFromPolicy } from '../utils/extract-policy-text';
-import { deleteOrganizationEmbeddings } from '../core/delete-embeddings';
-import { findAllOrganizationEmbeddings, type ExistingEmbedding } from '../core/find-existing-embeddings';
-import { vectorIndex } from '../core/client';
-import { logger } from '@/utils/logger';
 
 /**
  * Lock map to prevent concurrent syncs for the same organization
@@ -19,7 +21,7 @@ const syncLocks = new Map<string, Promise<void>>();
  * Full resync of organization embeddings: deletes all old embeddings and creates new ones
  * Simple approach that guarantees data freshness
  * Optimized for small to medium volumes (100-200 policies)
- * 
+ *
  * Uses a lock mechanism to prevent concurrent syncs for the same organization.
  * If a sync is already in progress, subsequent calls will wait for it to complete.
  */
@@ -100,10 +102,10 @@ async function performSync(organizationId: string): Promise<void> {
 
     // Process policies in parallel batches for better performance
     const POLICY_BATCH_SIZE = 100; // Process 100 policies in parallel (increased from 10 for better performance)
-    
+
     for (let i = 0; i < policies.length; i += POLICY_BATCH_SIZE) {
       const batch = policies.slice(i, i + POLICY_BATCH_SIZE);
-      
+
       // Process batch in parallel
       await Promise.all(
         batch.map(async (policy) => {
@@ -111,10 +113,13 @@ async function performSync(organizationId: string): Promise<void> {
             // Get embeddings from our pre-fetched map (fast - no API call)
             const policyEmbeddings = existingEmbeddings.get(policy.id) || [];
             const policyUpdatedAt = policy.updatedAt.toISOString();
-            
+
             // Check if policy needs update
-            const needsUpdate = policyEmbeddings.length === 0 || 
-              policyEmbeddings.some((e: ExistingEmbedding) => !e.updatedAt || e.updatedAt < policyUpdatedAt);
+            const needsUpdate =
+              policyEmbeddings.length === 0 ||
+              policyEmbeddings.some(
+                (e: ExistingEmbedding) => !e.updatedAt || e.updatedAt < policyUpdatedAt,
+              );
 
             if (!needsUpdate) {
               policiesSkipped++;
@@ -136,13 +141,13 @@ async function performSync(organizationId: string): Promise<void> {
 
             // Create new embeddings
             const policyText = extractTextFromPolicy(policy as any);
-            
+
             if (!policyText || policyText.trim().length === 0) {
               return; // Skip empty policy
             }
 
             const chunks = chunkText(policyText, 500, 50);
-            
+
             if (chunks.length === 0) {
               return; // Skip if no chunks
             }
@@ -179,7 +184,7 @@ async function performSync(organizationId: string): Promise<void> {
             });
             // Continue with other policies
           }
-        })
+        }),
       );
     }
 
@@ -216,10 +221,10 @@ async function performSync(organizationId: string): Promise<void> {
 
     // Process context entries in parallel batches for better performance
     const CONTEXT_BATCH_SIZE = 100; // Process 100 context entries in parallel (increased from 10 for better performance)
-    
+
     for (let i = 0; i < contextEntries.length; i += CONTEXT_BATCH_SIZE) {
       const batch = contextEntries.slice(i, i + CONTEXT_BATCH_SIZE);
-      
+
       // Process batch in parallel
       await Promise.all(
         batch.map(async (context) => {
@@ -227,10 +232,13 @@ async function performSync(organizationId: string): Promise<void> {
             // Get embeddings from our pre-fetched map (fast - no API call)
             const contextEmbeddings = existingEmbeddings.get(context.id) || [];
             const contextUpdatedAt = context.updatedAt.toISOString();
-            
+
             // Check if context needs update
-            const needsUpdate = contextEmbeddings.length === 0 || 
-              contextEmbeddings.some((e: ExistingEmbedding) => !e.updatedAt || e.updatedAt < contextUpdatedAt);
+            const needsUpdate =
+              contextEmbeddings.length === 0 ||
+              contextEmbeddings.some(
+                (e: ExistingEmbedding) => !e.updatedAt || e.updatedAt < contextUpdatedAt,
+              );
 
             if (!needsUpdate) {
               contextSkipped++;
@@ -252,13 +260,13 @@ async function performSync(organizationId: string): Promise<void> {
 
             // Create new embeddings
             const contextText = `Question: ${context.question}\n\nAnswer: ${context.answer}`;
-            
+
             if (!contextText || contextText.trim().length === 0) {
               return; // Skip empty context
             }
 
             const chunks = chunkText(contextText, 8000, 50);
-            
+
             if (chunks.length === 0) {
               return; // Skip if no chunks
             }
@@ -295,7 +303,7 @@ async function performSync(organizationId: string): Promise<void> {
             });
             // Continue with other context entries
           }
-        })
+        }),
       );
     }
 
@@ -332,10 +340,11 @@ async function performSync(organizationId: string): Promise<void> {
         const embeddingId = `manual_answer_${ma.id}`;
         const text = `${ma.question}\n\n${ma.answer}`;
         const updatedAt = ma.updatedAt.toISOString();
-        
+
         // Check if embedding exists and needs update
         const existingManualAnswerEmbeddings = existingEmbeddings.get(ma.id) || [];
-        const needsUpdate = existingManualAnswerEmbeddings.length === 0 || 
+        const needsUpdate =
+          existingManualAnswerEmbeddings.length === 0 ||
           existingManualAnswerEmbeddings[0]?.updatedAt !== updatedAt;
 
         if (needsUpdate) {
@@ -423,8 +432,8 @@ async function performSync(organizationId: string): Promise<void> {
     //     // Check if embeddings exist and are up-to-date
     //     const documentEmbeddings = existingEmbeddings.get(document.id) || [];
     //     const documentUpdatedAt = document.updatedAt.toISOString();
-        
-    //     const needsUpdate = documentEmbeddings.length === 0 || 
+
+    //     const needsUpdate = documentEmbeddings.length === 0 ||
     //       documentEmbeddings.some((e: ExistingEmbedding) => !e.updatedAt || e.updatedAt < documentUpdatedAt);
 
     //     if (needsUpdate) {
@@ -463,10 +472,10 @@ async function performSync(organizationId: string): Promise<void> {
 
     // Step 8: Delete orphaned embeddings (policies/context/manual_answers/knowledge_base_documents that no longer exist in DB)
     // Use the embeddings we already fetched (no additional API call needed)
-    const dbPolicyIds = new Set(policies.map(p => p.id));
-    const dbContextIds = new Set(contextEntries.map(c => c.id));
-    const dbManualAnswerIds = new Set(manualAnswers.map(ma => ma.id));
-    const dbKnowledgeBaseDocumentIds = new Set(knowledgeBaseDocuments.map(d => d.id));
+    const dbPolicyIds = new Set(policies.map((p) => p.id));
+    const dbContextIds = new Set(contextEntries.map((c) => c.id));
+    const dbManualAnswerIds = new Set(manualAnswers.map((ma) => ma.id));
+    const dbKnowledgeBaseDocumentIds = new Set(knowledgeBaseDocuments.map((d) => d.id));
     let orphanedDeleted = 0;
 
     // Check for orphaned embeddings using the pre-fetched map
@@ -476,11 +485,12 @@ async function performSync(organizationId: string): Promise<void> {
         const isContext = embeddings[0]?.sourceType === 'context';
         const isManualAnswer = embeddings[0]?.sourceType === 'manual_answer';
         const isKnowledgeBaseDocument = embeddings[0]?.sourceType === 'knowledge_base_document';
-        
-        const shouldExist = (isPolicy && dbPolicyIds.has(sourceId)) || 
-                            (isContext && dbContextIds.has(sourceId)) ||
-                            (isManualAnswer && dbManualAnswerIds.has(sourceId)) ||
-                            (isKnowledgeBaseDocument && dbKnowledgeBaseDocumentIds.has(sourceId));
+
+        const shouldExist =
+          (isPolicy && dbPolicyIds.has(sourceId)) ||
+          (isContext && dbContextIds.has(sourceId)) ||
+          (isManualAnswer && dbManualAnswerIds.has(sourceId)) ||
+          (isKnowledgeBaseDocument && dbKnowledgeBaseDocumentIds.has(sourceId));
 
         if (!shouldExist && vectorIndex) {
           // Delete orphaned embeddings
@@ -490,7 +500,13 @@ async function performSync(organizationId: string): Promise<void> {
             orphanedDeleted += idsToDelete.length;
             logger.info('Deleted orphaned embeddings', {
               sourceId,
-              sourceType: isPolicy ? 'policy' : isContext ? 'context' : isManualAnswer ? 'manual_answer' : 'knowledge_base_document',
+              sourceType: isPolicy
+                ? 'policy'
+                : isContext
+                  ? 'context'
+                  : isManualAnswer
+                    ? 'manual_answer'
+                    : 'knowledge_base_document',
               deletedCount: idsToDelete.length,
             });
           } catch (error) {
@@ -546,4 +562,3 @@ async function performSync(organizationId: string): Promise<void> {
     throw error;
   }
 }
-
diff --git a/apps/app/src/test-utils/mocks/auth.ts b/apps/app/src/test-utils/mocks/auth.ts
index 4d3157ec0..dbc2307bd 100644
--- a/apps/app/src/test-utils/mocks/auth.ts
+++ b/apps/app/src/test-utils/mocks/auth.ts
@@ -58,6 +58,7 @@ export const createMockUser = (overrides?: Partial<User>): User => ({
   updatedAt: new Date(),
   emailNotificationsUnsubscribed: false,
   emailPreferences: DEFAULT_EMAIL_PREFERENCES,
+  isPlatformAdmin: false,
   ...overrides,
 });
 
diff --git a/apps/app/src/jobs/lib/prompts.ts b/apps/app/src/trigger/lib/prompts.ts
similarity index 100%
rename from apps/app/src/jobs/lib/prompts.ts
rename to apps/app/src/trigger/lib/prompts.ts
diff --git a/apps/app/src/jobs/lib/research.ts b/apps/app/src/trigger/lib/research.ts
similarity index 100%
rename from apps/app/src/jobs/lib/research.ts
rename to apps/app/src/trigger/lib/research.ts
diff --git a/apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts b/apps/app/src/trigger/tasks/auditor/generate-auditor-content.ts
similarity index 99%
rename from apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts
rename to apps/app/src/trigger/tasks/auditor/generate-auditor-content.ts
index f0e87dabc..88b230fe2 100644
--- a/apps/app/src/jobs/tasks/auditor/generate-auditor-content.ts
+++ b/apps/app/src/trigger/tasks/auditor/generate-auditor-content.ts
@@ -1,4 +1,4 @@
-import { getOrganizationContext } from '@/jobs/tasks/onboarding/onboard-organization-helpers';
+import { getOrganizationContext } from '@/trigger/tasks/onboarding/onboard-organization-helpers';
 import { groq } from '@ai-sdk/groq';
 import { db } from '@db';
 import { logger, metadata, schemaTask } from '@trigger.dev/sdk';
diff --git a/apps/app/src/jobs/tasks/device/create-fleet-label-for-all-orgs.ts b/apps/app/src/trigger/tasks/device/create-fleet-label-for-all-orgs.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/device/create-fleet-label-for-all-orgs.ts
rename to apps/app/src/trigger/tasks/device/create-fleet-label-for-all-orgs.ts
diff --git a/apps/app/src/jobs/tasks/device/create-fleet-label-for-org.ts b/apps/app/src/trigger/tasks/device/create-fleet-label-for-org.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/device/create-fleet-label-for-org.ts
rename to apps/app/src/trigger/tasks/device/create-fleet-label-for-org.ts
diff --git a/apps/app/src/jobs/tasks/email/new-policy-email.ts b/apps/app/src/trigger/tasks/email/new-policy-email.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/email/new-policy-email.ts
rename to apps/app/src/trigger/tasks/email/new-policy-email.ts
diff --git a/apps/app/src/jobs/tasks/email/publish-all-policies-email.ts b/apps/app/src/trigger/tasks/email/publish-all-policies-email.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/email/publish-all-policies-email.ts
rename to apps/app/src/trigger/tasks/email/publish-all-policies-email.ts
diff --git a/apps/app/src/jobs/tasks/email/weekly-task-digest-email.ts b/apps/app/src/trigger/tasks/email/weekly-task-digest-email.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/email/weekly-task-digest-email.ts
rename to apps/app/src/trigger/tasks/email/weekly-task-digest-email.ts
diff --git a/apps/app/src/jobs/tasks/integration/integration-results.ts b/apps/app/src/trigger/tasks/integration/integration-results.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/integration/integration-results.ts
rename to apps/app/src/trigger/tasks/integration/integration-results.ts
diff --git a/apps/app/src/jobs/tasks/integration/integration-schedule.ts b/apps/app/src/trigger/tasks/integration/integration-schedule.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/integration/integration-schedule.ts
rename to apps/app/src/trigger/tasks/integration/integration-schedule.ts
diff --git a/apps/app/src/jobs/tasks/integration/run-integration-tests.ts b/apps/app/src/trigger/tasks/integration/run-integration-tests.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/integration/run-integration-tests.ts
rename to apps/app/src/trigger/tasks/integration/run-integration-tests.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts b/apps/app/src/trigger/tasks/onboarding/backfill-executive-context-all-orgs.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/backfill-executive-context-all-orgs.ts
rename to apps/app/src/trigger/tasks/onboarding/backfill-executive-context-all-orgs.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts b/apps/app/src/trigger/tasks/onboarding/backfill-executive-context-single-org.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/backfill-executive-context-single-org.ts
rename to apps/app/src/trigger/tasks/onboarding/backfill-executive-context-single-org.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-training-videos-for-all-orgs.ts b/apps/app/src/trigger/tasks/onboarding/backfill-training-videos-for-all-orgs.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/backfill-training-videos-for-all-orgs.ts
rename to apps/app/src/trigger/tasks/onboarding/backfill-training-videos-for-all-orgs.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/backfill-training-videos-for-org.ts b/apps/app/src/trigger/tasks/onboarding/backfill-training-videos-for-org.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/backfill-training-videos-for-org.ts
rename to apps/app/src/trigger/tasks/onboarding/backfill-training-videos-for-org.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/generate-full-policies.ts b/apps/app/src/trigger/tasks/onboarding/generate-full-policies.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/generate-full-policies.ts
rename to apps/app/src/trigger/tasks/onboarding/generate-full-policies.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/generate-risk-mitigation.ts b/apps/app/src/trigger/tasks/onboarding/generate-risk-mitigation.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/generate-risk-mitigation.ts
rename to apps/app/src/trigger/tasks/onboarding/generate-risk-mitigation.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/generate-vendor-mitigation.ts b/apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/generate-vendor-mitigation.ts
rename to apps/app/src/trigger/tasks/onboarding/generate-vendor-mitigation.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts b/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
similarity index 99%
rename from apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts
rename to apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
index 0253120d5..9627eb701 100644
--- a/apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts
+++ b/apps/app/src/trigger/tasks/onboarding/onboard-organization-helpers.ts
@@ -184,7 +184,6 @@ export async function extractVendorsFromContext(
 ): Promise<VendorData[]> {
   const { object } = await generateObject({
     model: openai('gpt-4.1-mini'),
-    mode: 'json',
     schema: jsonSchema({
       type: 'object',
       properties: {
@@ -447,7 +446,6 @@ export async function extractRisksFromContext(
 ): Promise<RiskData[]> {
   const { object } = await generateObject({
     model: openai('gpt-4.1-mini'),
-    mode: 'json',
     schema: jsonSchema({
       type: 'object',
       properties: {
diff --git a/apps/app/src/jobs/tasks/onboarding/onboard-organization.ts b/apps/app/src/trigger/tasks/onboarding/onboard-organization.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/onboard-organization.ts
rename to apps/app/src/trigger/tasks/onboarding/onboard-organization.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/prompts/risk-mitigation.ts b/apps/app/src/trigger/tasks/onboarding/prompts/risk-mitigation.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/prompts/risk-mitigation.ts
rename to apps/app/src/trigger/tasks/onboarding/prompts/risk-mitigation.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts b/apps/app/src/trigger/tasks/onboarding/prompts/vendor-risk-assessment.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/prompts/vendor-risk-assessment.ts
rename to apps/app/src/trigger/tasks/onboarding/prompts/vendor-risk-assessment.ts
diff --git a/apps/app/src/jobs/tasks/onboarding/update-policies-helpers.ts b/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
similarity index 99%
rename from apps/app/src/jobs/tasks/onboarding/update-policies-helpers.ts
rename to apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
index b89896a87..c53f6115f 100644
--- a/apps/app/src/jobs/tasks/onboarding/update-policies-helpers.ts
+++ b/apps/app/src/trigger/tasks/onboarding/update-policies-helpers.ts
@@ -195,7 +195,6 @@ export async function reconcileFormatWithTemplate(
   try {
     const { object } = await generateObject({
       model: openai('gpt-5-mini'),
-      mode: 'json',
       system: `You are an expert policy editor.
 Given an ORIGINAL policy TipTap JSON and a DRAFT TipTap JSON, produce a FINAL TipTap JSON that:
 - Preserves the ORIGINAL top-level section structure (order and presence of titles) and visual presentation of titles.
@@ -233,7 +232,6 @@ export async function aiCheckFormatWithTemplate(
   try {
     const { object } = await generateObject({
       model: openai('gpt-5-mini'),
-      mode: 'json',
       system: `You are validating policy layout.
 Compare ORIGINAL vs DRAFT (TipTap JSON). Determine if DRAFT conforms to ORIGINAL format:
 - Same top-level section titles present and in the same order
@@ -458,7 +456,6 @@ export async function generatePolicyContent(prompt: string): Promise<{
   try {
     const { object } = await generateObject({
       model: openai('gpt-5-mini'),
-      mode: 'json',
       system: `You are an expert at writing security policies. Generate content directly as TipTap JSON format.
 
 TipTap JSON structure:
diff --git a/apps/app/src/jobs/tasks/onboarding/update-policy.ts b/apps/app/src/trigger/tasks/onboarding/update-policy.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/onboarding/update-policy.ts
rename to apps/app/src/trigger/tasks/onboarding/update-policy.ts
diff --git a/apps/app/src/jobs/tasks/scrape/research.ts b/apps/app/src/trigger/tasks/scrape/research.ts
similarity index 98%
rename from apps/app/src/jobs/tasks/scrape/research.ts
rename to apps/app/src/trigger/tasks/scrape/research.ts
index 1665fb964..c6722bf5a 100644
--- a/apps/app/src/jobs/tasks/scrape/research.ts
+++ b/apps/app/src/trigger/tasks/scrape/research.ts
@@ -1,4 +1,4 @@
-import { researchJobCore } from '@/jobs/lib/research';
+import { researchJobCore } from '@/trigger/lib/research';
 import { db } from '@db';
 import { schemaTask } from '@trigger.dev/sdk';
 import { z } from 'zod';
diff --git a/apps/app/src/jobs/tasks/task/policy-schedule.ts b/apps/app/src/trigger/tasks/task/policy-schedule.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/task/policy-schedule.ts
rename to apps/app/src/trigger/tasks/task/policy-schedule.ts
diff --git a/apps/app/src/jobs/tasks/task/task-schedule.ts b/apps/app/src/trigger/tasks/task/task-schedule.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/task/task-schedule.ts
rename to apps/app/src/trigger/tasks/task/task-schedule.ts
diff --git a/apps/app/src/jobs/tasks/task/weekly-task-reminder.ts b/apps/app/src/trigger/tasks/task/weekly-task-reminder.ts
similarity index 100%
rename from apps/app/src/jobs/tasks/task/weekly-task-reminder.ts
rename to apps/app/src/trigger/tasks/task/weekly-task-reminder.ts
diff --git a/apps/app/tsconfig.json b/apps/app/tsconfig.json
index 28d862825..982b58bbd 100644
--- a/apps/app/tsconfig.json
+++ b/apps/app/tsconfig.json
@@ -15,7 +15,7 @@
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "preserve",
+    "jsx": "react-jsx",
     "incremental": true,
     "plugins": [
       {
@@ -29,11 +29,11 @@
       "@db": [
         "./prisma"
       ],
-      "@/jobs": [
-        "./src/jobs"
+      "@/trigger": [
+        "./src/trigger"
       ],
-      "@/jobs/*": [
-        "./src/jobs/*"
+      "@/trigger/*": [
+        "./src/trigger/*"
       ],
       "@comp/email": [
         "../../packages/email/index.ts"
@@ -53,6 +53,12 @@
       "@comp/integrations/*": [
         "../../packages/integrations/src/*"
       ],
+      "@comp/integration-platform": [
+        "../../packages/integration-platform/src/index.ts"
+      ],
+      "@comp/integration-platform/*": [
+        "../../packages/integration-platform/src/*"
+      ],
       "@comp/analytics": [
         "../../packages/analytics/src/index.ts"
       ],
diff --git a/apps/portal/package.json b/apps/portal/package.json
index 718deb34b..4c2dda188 100644
--- a/apps/portal/package.json
+++ b/apps/portal/package.json
@@ -20,12 +20,12 @@
     "class-variance-authority": "^0.7.1",
     "geist": "^1.3.1",
     "jszip": "^3.10.1",
-    "next": "^15.4.6",
+    "next": "^16.0.8",
     "next-safe-action": "^8.0.3",
     "next-themes": "^0.4.4",
     "prisma": "^6.13.0",
-    "react": "^19.1.1",
-    "react-dom": "^19.1.0",
+    "react": "^19.2.1",
+    "react-dom": "^19.2.1",
     "react-email": "^4.0.15",
     "sonner": "^2.0.5"
   },
diff --git a/apps/portal/src/middleware.ts b/apps/portal/src/proxy.ts
similarity index 78%
rename from apps/portal/src/middleware.ts
rename to apps/portal/src/proxy.ts
index 53896e8cc..7a16a8577 100644
--- a/apps/portal/src/middleware.ts
+++ b/apps/portal/src/proxy.ts
@@ -1,6 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server';
 
-export async function middleware(request: NextRequest) {
+export async function proxy(request: NextRequest) {
   return NextResponse.next();
 }
 
diff --git a/apps/portal/tsconfig.json b/apps/portal/tsconfig.json
index babcc8908..e3283a6b7 100644
--- a/apps/portal/tsconfig.json
+++ b/apps/portal/tsconfig.json
@@ -15,7 +15,7 @@
     "moduleResolution": "bundler",
     "resolveJsonModule": true,
     "isolatedModules": true,
-    "jsx": "preserve",
+    "jsx": "react-jsx",
     "incremental": true,
     "plugins": [
       {
diff --git a/bun.lock b/bun.lock
index b77387511..f007ce160 100644
--- a/bun.lock
+++ b/bun.lock
@@ -74,11 +74,13 @@
         "@ai-sdk/openai": "^2.0.65",
         "@aws-sdk/client-s3": "^3.859.0",
         "@aws-sdk/s3-request-presigner": "^3.859.0",
+        "@comp/integration-platform": "workspace:*",
         "@nestjs/common": "^11.0.1",
         "@nestjs/config": "^4.0.2",
         "@nestjs/core": "^11.0.1",
         "@nestjs/platform-express": "^11.1.5",
         "@nestjs/swagger": "^11.2.0",
+        "@nestjs/throttler": "^6.5.0",
         "@prisma/client": "^6.13.0",
         "@prisma/instrumentation": "^6.13.0",
         "@react-email/components": "^0.0.41",
@@ -95,6 +97,7 @@
         "class-validator": "^0.14.2",
         "dotenv": "^17.2.3",
         "exceljs": "^4.4.0",
+        "helmet": "^8.1.0",
         "jose": "^6.0.12",
         "jspdf": "^3.0.3",
         "mammoth": "^1.8.0",
@@ -146,7 +149,7 @@
       "dependencies": {
         "@ai-sdk/anthropic": "^2.0.0",
         "@ai-sdk/groq": "^2.0.0",
-        "@ai-sdk/openai": "^2.0.65",
+        "@ai-sdk/openai": "^2.0.80",
         "@ai-sdk/provider": "^2.0.0",
         "@ai-sdk/react": "^2.0.60",
         "@ai-sdk/rsc": "^1.0.0",
@@ -159,6 +162,7 @@
         "@browserbasehq/sdk": "^2.5.0",
         "@calcom/atoms": "^1.0.102-framer",
         "@calcom/embed-react": "^1.5.3",
+        "@comp/integration-platform": "workspace:*",
         "@date-fns/tz": "^1.2.0",
         "@dnd-kit/core": "^6.3.1",
         "@dnd-kit/modifiers": "^9.0.0",
@@ -204,7 +208,7 @@
         "@vercel/analytics": "^1.5.0",
         "@vercel/sandbox": "^0.0.21",
         "@vercel/sdk": "^1.7.1",
-        "ai": "^5.0.60",
+        "ai": "^5.0.108",
         "ai-elements": "^1.6.1",
         "axios": "^1.9.0",
         "better-auth": "^1.3.27",
@@ -220,7 +224,7 @@
         "lucide-react": "^0.544.0",
         "mammoth": "^1.11.0",
         "motion": "^12.9.2",
-        "next": "^15.4.6",
+        "next": "^16.0.8",
         "next-safe-action": "^8.0.3",
         "next-themes": "^0.4.4",
         "nuqs": "^2.4.3",
@@ -230,8 +234,8 @@
         "posthog-node": "^5.8.2",
         "prisma": "^6.13.0",
         "puppeteer-core": "^24.7.2",
-        "react": "^19.1.1",
-        "react-dom": "^19.1.0",
+        "react": "^19.2.1",
+        "react-dom": "^19.2.1",
         "react-email": "^4.0.15",
         "react-hook-form": "^7.61.1",
         "react-hotkeys-hook": "^5.1.0",
@@ -311,12 +315,12 @@
         "class-variance-authority": "^0.7.1",
         "geist": "^1.3.1",
         "jszip": "^3.10.1",
-        "next": "^15.4.6",
+        "next": "^16.0.8",
         "next-safe-action": "^8.0.3",
         "next-themes": "^0.4.4",
         "prisma": "^6.13.0",
-        "react": "^19.1.1",
-        "react-dom": "^19.1.0",
+        "react": "^19.2.1",
+        "react-dom": "^19.2.1",
         "react-email": "^4.0.15",
         "sonner": "^2.0.5",
       },
@@ -391,6 +395,26 @@
         "react-dom": "^19.1.0",
       },
     },
+    "packages/integration-platform": {
+      "name": "@comp/integration-platform",
+      "version": "1.0.0",
+      "dependencies": {
+        "@aws-sdk/client-cloudtrail": "^3.943.0",
+        "@aws-sdk/client-iam": "^3.943.0",
+        "@aws-sdk/client-securityhub": "^3.943.0",
+        "@aws-sdk/client-sts": "^3.943.0",
+        "zod": "^3.25.76",
+      },
+      "devDependencies": {
+        "@types/node": "^24.0.3",
+        "@types/react": "^19.1.6",
+        "react": "^19.0.0",
+        "typescript": "^5.8.3",
+      },
+      "peerDependencies": {
+        "react": "^19.0.0",
+      },
+    },
     "packages/integrations": {
       "name": "@trycompai/integrations",
       "version": "1.0.0",
@@ -569,9 +593,9 @@
 
     "@ai-sdk/provider-utils": ["@ai-sdk/provider-utils@3.0.18", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@standard-schema/spec": "^1.0.0", "eventsource-parser": "^3.0.6" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-ypv1xXMsgGcNKUP+hglKqtdDuMg68nWHucPPAhIENrbFAI+xCHiqPVN8Zllxyv1TNZwGWUghPxJXU+Mqps0YRQ=="],
 
-    "@ai-sdk/react": ["@ai-sdk/react@2.0.106", "", { "dependencies": { "@ai-sdk/provider-utils": "3.0.18", "ai": "5.0.106", "swr": "^2.2.5", "throttleit": "2.1.0" }, "peerDependencies": { "react": "^18 || ^19 || ^19.0.0-rc", "zod": "^3.25.76 || ^4.1.8" }, "optionalPeers": ["zod"] }, "sha512-TU8ONNhm64GI7O60UDCcOz9CdyCp3emQwSYrSnq+QWBNgS8vDlRQ3ZwXyPNAJQdXyBTafVS2iyS0kvV+KXaPAQ=="],
+    "@ai-sdk/react": ["@ai-sdk/react@2.0.107", "", { "dependencies": { "@ai-sdk/provider-utils": "3.0.18", "ai": "5.0.107", "swr": "^2.2.5", "throttleit": "2.1.0" }, "peerDependencies": { "react": "^18 || ^19 || ^19.0.0-rc", "zod": "^3.25.76 || ^4.1.8" }, "optionalPeers": ["zod"] }, "sha512-rv0u+tAi2r2zJu2uSLXcC3TBgGrkQIWXRM+i6us6qcGmYQ2kOu2VYg+lxviOSGPhL9PVebvTlN5x8mf3rDqX+w=="],
 
-    "@ai-sdk/rsc": ["@ai-sdk/rsc@1.0.107", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "ai": "5.0.106", "jsondiffpatch": "0.7.3" }, "peerDependencies": { "react": "^18 || ^19 || ^19.0.0-rc", "zod": "^3.25.76 || ^4.1.8" }, "optionalPeers": ["zod"] }, "sha512-wBoQ8YIlAsMpI+IyiBXpD85frx3RML5P7TmNoPyLi5BlQ5YnSlKPQ69nSthtOd6q1iLX4RaoivpG1QG25F5Iag=="],
+    "@ai-sdk/rsc": ["@ai-sdk/rsc@1.0.108", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "ai": "5.0.107", "jsondiffpatch": "0.7.3" }, "peerDependencies": { "react": "^18 || ^19 || ^19.0.0-rc", "zod": "^3.25.76 || ^4.1.8" }, "optionalPeers": ["zod"] }, "sha512-1YYAS3GBYFNEy/kioRRl39VygEvH2Wd/9sBZ4WrH9QC1uJ0QpqXxRnLJVP7E8WQzvrFU0pjYFlU9JlfsCtOijA=="],
 
     "@alloc/quick-lru": ["@alloc/quick-lru@5.2.0", "", {}, "sha512-UrcABB+4bUrFABwbluTIBErXwvbsU/V7TZWfmbgJfbkwiBuziS9gxdODUyuiecfdGQ85jglMW6juS3+z5TsKLw=="],
 
@@ -599,8 +623,12 @@
 
     "@aws-crypto/util": ["@aws-crypto/util@5.2.0", "", { "dependencies": { "@aws-sdk/types": "^3.222.0", "@smithy/util-utf8": "^2.0.0", "tslib": "^2.6.2" } }, "sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ=="],
 
+    "@aws-sdk/client-cloudtrail": ["@aws-sdk/client-cloudtrail@3.943.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "3.943.0", "@aws-sdk/credential-provider-node": "3.943.0", "@aws-sdk/middleware-host-header": "3.936.0", "@aws-sdk/middleware-logger": "3.936.0", "@aws-sdk/middleware-recursion-detection": "3.936.0", "@aws-sdk/middleware-user-agent": "3.943.0", "@aws-sdk/region-config-resolver": "3.936.0", "@aws-sdk/types": "3.936.0", "@aws-sdk/util-endpoints": "3.936.0", "@aws-sdk/util-user-agent-browser": "3.936.0", "@aws-sdk/util-user-agent-node": "3.943.0", "@smithy/config-resolver": "^4.4.3", "@smithy/core": "^3.18.5", "@smithy/fetch-http-handler": "^5.3.6", "@smithy/hash-node": "^4.2.5", "@smithy/invalid-dependency": "^4.2.5", "@smithy/middleware-content-length": "^4.2.5", "@smithy/middleware-endpoint": "^4.3.12", "@smithy/middleware-retry": "^4.4.12", "@smithy/middleware-serde": "^4.2.6", "@smithy/middleware-stack": "^4.2.5", "@smithy/node-config-provider": "^4.3.5", "@smithy/node-http-handler": "^4.4.5", "@smithy/protocol-http": "^5.3.5", "@smithy/smithy-client": "^4.9.8", "@smithy/types": "^4.9.0", "@smithy/url-parser": "^4.2.5", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.11", "@smithy/util-defaults-mode-node": "^4.2.14", "@smithy/util-endpoints": "^3.2.5", "@smithy/util-middleware": "^4.2.5", "@smithy/util-retry": "^4.2.5", "@smithy/util-utf8": "^4.2.0", "tslib": "^2.6.2" } }, "sha512-HOs/yqjUBK4lyl+iGtDbwHlL6lzKyu5kG1CsBgeqlQq9w8lDnu5+KGLfwUjYlUiE31xf6+NL3pIStB8GIQiQJw=="],
+
     "@aws-sdk/client-ec2": ["@aws-sdk/client-ec2@3.943.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "3.943.0", "@aws-sdk/credential-provider-node": "3.943.0", "@aws-sdk/middleware-host-header": "3.936.0", "@aws-sdk/middleware-logger": "3.936.0", "@aws-sdk/middleware-recursion-detection": "3.936.0", "@aws-sdk/middleware-sdk-ec2": "3.936.0", "@aws-sdk/middleware-user-agent": "3.943.0", "@aws-sdk/region-config-resolver": "3.936.0", "@aws-sdk/types": "3.936.0", "@aws-sdk/util-endpoints": "3.936.0", "@aws-sdk/util-user-agent-browser": "3.936.0", "@aws-sdk/util-user-agent-node": "3.943.0", "@smithy/config-resolver": "^4.4.3", "@smithy/core": "^3.18.5", "@smithy/fetch-http-handler": "^5.3.6", "@smithy/hash-node": "^4.2.5", "@smithy/invalid-dependency": "^4.2.5", "@smithy/middleware-content-length": "^4.2.5", "@smithy/middleware-endpoint": "^4.3.12", "@smithy/middleware-retry": "^4.4.12", "@smithy/middleware-serde": "^4.2.6", "@smithy/middleware-stack": "^4.2.5", "@smithy/node-config-provider": "^4.3.5", "@smithy/node-http-handler": "^4.4.5", "@smithy/protocol-http": "^5.3.5", "@smithy/smithy-client": "^4.9.8", "@smithy/types": "^4.9.0", "@smithy/url-parser": "^4.2.5", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.11", "@smithy/util-defaults-mode-node": "^4.2.14", "@smithy/util-endpoints": "^3.2.5", "@smithy/util-middleware": "^4.2.5", "@smithy/util-retry": "^4.2.5", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.5", "tslib": "^2.6.2" } }, "sha512-YdbGMwqUkNqXyq5plwgrz1Lw7dI7mmSwDooTpYBfEOA/zXMXi5OMgWral8fCqvfafnpxaAGnRpH1gppmldgQQg=="],
 
+    "@aws-sdk/client-iam": ["@aws-sdk/client-iam@3.943.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "3.943.0", "@aws-sdk/credential-provider-node": "3.943.0", "@aws-sdk/middleware-host-header": "3.936.0", "@aws-sdk/middleware-logger": "3.936.0", "@aws-sdk/middleware-recursion-detection": "3.936.0", "@aws-sdk/middleware-user-agent": "3.943.0", "@aws-sdk/region-config-resolver": "3.936.0", "@aws-sdk/types": "3.936.0", "@aws-sdk/util-endpoints": "3.936.0", "@aws-sdk/util-user-agent-browser": "3.936.0", "@aws-sdk/util-user-agent-node": "3.943.0", "@smithy/config-resolver": "^4.4.3", "@smithy/core": "^3.18.5", "@smithy/fetch-http-handler": "^5.3.6", "@smithy/hash-node": "^4.2.5", "@smithy/invalid-dependency": "^4.2.5", "@smithy/middleware-content-length": "^4.2.5", "@smithy/middleware-endpoint": "^4.3.12", "@smithy/middleware-retry": "^4.4.12", "@smithy/middleware-serde": "^4.2.6", "@smithy/middleware-stack": "^4.2.5", "@smithy/node-config-provider": "^4.3.5", "@smithy/node-http-handler": "^4.4.5", "@smithy/protocol-http": "^5.3.5", "@smithy/smithy-client": "^4.9.8", "@smithy/types": "^4.9.0", "@smithy/url-parser": "^4.2.5", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.11", "@smithy/util-defaults-mode-node": "^4.2.14", "@smithy/util-endpoints": "^3.2.5", "@smithy/util-middleware": "^4.2.5", "@smithy/util-retry": "^4.2.5", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.5", "tslib": "^2.6.2" } }, "sha512-ybGYDpZXa1PhowSh2F7uQlM0Y5C8sbtAfaQ04G3w+04KxbgaIo6GfKvGSIltwgbwS4AohjIAl93whwdagqhEng=="],
+
     "@aws-sdk/client-lambda": ["@aws-sdk/client-lambda@3.945.0", "", { "dependencies": { "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "3.943.0", "@aws-sdk/credential-provider-node": "3.943.0", "@aws-sdk/middleware-host-header": "3.936.0", "@aws-sdk/middleware-logger": "3.936.0", "@aws-sdk/middleware-recursion-detection": "3.936.0", "@aws-sdk/middleware-user-agent": "3.943.0", "@aws-sdk/region-config-resolver": "3.936.0", "@aws-sdk/types": "3.936.0", "@aws-sdk/util-endpoints": "3.936.0", "@aws-sdk/util-user-agent-browser": "3.936.0", "@aws-sdk/util-user-agent-node": "3.943.0", "@smithy/config-resolver": "^4.4.3", "@smithy/core": "^3.18.5", "@smithy/eventstream-serde-browser": "^4.2.5", "@smithy/eventstream-serde-config-resolver": "^4.3.5", "@smithy/eventstream-serde-node": "^4.2.5", "@smithy/fetch-http-handler": "^5.3.6", "@smithy/hash-node": "^4.2.5", "@smithy/invalid-dependency": "^4.2.5", "@smithy/middleware-content-length": "^4.2.5", "@smithy/middleware-endpoint": "^4.3.12", "@smithy/middleware-retry": "^4.4.12", "@smithy/middleware-serde": "^4.2.6", "@smithy/middleware-stack": "^4.2.5", "@smithy/node-config-provider": "^4.3.5", "@smithy/node-http-handler": "^4.4.5", "@smithy/protocol-http": "^5.3.5", "@smithy/smithy-client": "^4.9.8", "@smithy/types": "^4.9.0", "@smithy/url-parser": "^4.2.5", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.11", "@smithy/util-defaults-mode-node": "^4.2.14", "@smithy/util-endpoints": "^3.2.5", "@smithy/util-middleware": "^4.2.5", "@smithy/util-retry": "^4.2.5", "@smithy/util-stream": "^4.5.6", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.5", "tslib": "^2.6.2" } }, "sha512-HTQbeazCUPoojJ6skSecos6Z+s9hq7VLlQP+M5jKIKBVx9VQ8TVJiaEjllAT88+g04h763i4m2xSiIYPTQTbzA=="],
 
     "@aws-sdk/client-s3": ["@aws-sdk/client-s3@3.943.0", "", { "dependencies": { "@aws-crypto/sha1-browser": "5.2.0", "@aws-crypto/sha256-browser": "5.2.0", "@aws-crypto/sha256-js": "5.2.0", "@aws-sdk/core": "3.943.0", "@aws-sdk/credential-provider-node": "3.943.0", "@aws-sdk/middleware-bucket-endpoint": "3.936.0", "@aws-sdk/middleware-expect-continue": "3.936.0", "@aws-sdk/middleware-flexible-checksums": "3.943.0", "@aws-sdk/middleware-host-header": "3.936.0", "@aws-sdk/middleware-location-constraint": "3.936.0", "@aws-sdk/middleware-logger": "3.936.0", "@aws-sdk/middleware-recursion-detection": "3.936.0", "@aws-sdk/middleware-sdk-s3": "3.943.0", "@aws-sdk/middleware-ssec": "3.936.0", "@aws-sdk/middleware-user-agent": "3.943.0", "@aws-sdk/region-config-resolver": "3.936.0", "@aws-sdk/signature-v4-multi-region": "3.943.0", "@aws-sdk/types": "3.936.0", "@aws-sdk/util-endpoints": "3.936.0", "@aws-sdk/util-user-agent-browser": "3.936.0", "@aws-sdk/util-user-agent-node": "3.943.0", "@smithy/config-resolver": "^4.4.3", "@smithy/core": "^3.18.5", "@smithy/eventstream-serde-browser": "^4.2.5", "@smithy/eventstream-serde-config-resolver": "^4.3.5", "@smithy/eventstream-serde-node": "^4.2.5", "@smithy/fetch-http-handler": "^5.3.6", "@smithy/hash-blob-browser": "^4.2.6", "@smithy/hash-node": "^4.2.5", "@smithy/hash-stream-node": "^4.2.5", "@smithy/invalid-dependency": "^4.2.5", "@smithy/md5-js": "^4.2.5", "@smithy/middleware-content-length": "^4.2.5", "@smithy/middleware-endpoint": "^4.3.12", "@smithy/middleware-retry": "^4.4.12", "@smithy/middleware-serde": "^4.2.6", "@smithy/middleware-stack": "^4.2.5", "@smithy/node-config-provider": "^4.3.5", "@smithy/node-http-handler": "^4.4.5", "@smithy/protocol-http": "^5.3.5", "@smithy/smithy-client": "^4.9.8", "@smithy/types": "^4.9.0", "@smithy/url-parser": "^4.2.5", "@smithy/util-base64": "^4.3.0", "@smithy/util-body-length-browser": "^4.2.0", "@smithy/util-body-length-node": "^4.2.1", "@smithy/util-defaults-mode-browser": "^4.3.11", "@smithy/util-defaults-mode-node": "^4.2.14", "@smithy/util-endpoints": "^3.2.5", "@smithy/util-middleware": "^4.2.5", "@smithy/util-retry": "^4.2.5", "@smithy/util-stream": "^4.5.6", "@smithy/util-utf8": "^4.2.0", "@smithy/util-waiter": "^4.2.5", "tslib": "^2.6.2" } }, "sha512-UOX8/1mmNaRmEkxoIVP2+gxd5joPJqz+fygRqlIXON1cETLGoctinMwQs7qU8g8hghm76TU2G6ZV6sLH8cySMw=="],
@@ -853,6 +881,8 @@
 
     "@comp/app": ["@comp/app@workspace:apps/app"],
 
+    "@comp/integration-platform": ["@comp/integration-platform@workspace:packages/integration-platform"],
+
     "@comp/portal": ["@comp/portal@workspace:apps/portal"],
 
     "@corvu/utils": ["@corvu/utils@0.4.2", "", { "dependencies": { "@floating-ui/dom": "^1.6.11" }, "peerDependencies": { "solid-js": "^1.8" } }, "sha512-Ox2kYyxy7NoXdKWdHeDEjZxClwzO4SKM8plAaVwmAJPxHMqA0rLOoAsa+hBDwRLpctf+ZRnAd/ykguuJidnaTA=="],
@@ -1257,25 +1287,27 @@
 
     "@nestjs/testing": ["@nestjs/testing@11.1.9", "", { "dependencies": { "tslib": "2.8.1" }, "peerDependencies": { "@nestjs/common": "^11.0.0", "@nestjs/core": "^11.0.0", "@nestjs/microservices": "^11.0.0", "@nestjs/platform-express": "^11.0.0" }, "optionalPeers": ["@nestjs/microservices", "@nestjs/platform-express"] }, "sha512-UFxerBDdb0RUNxQNj25pvkvNE7/vxKhXYWBt3QuwBFnYISzRIzhVlyIqLfoV5YI3zV0m0Nn4QAn1KM0zzwfEng=="],
 
-    "@next/env": ["@next/env@15.5.7", "", {}, "sha512-4h6Y2NyEkIEN7Z8YxkA27pq6zTkS09bUSYC0xjd0NpwFxjnIKeZEeH591o5WECSmjpUhLn3H2QLJcDye3Uzcvg=="],
+    "@nestjs/throttler": ["@nestjs/throttler@6.5.0", "", { "peerDependencies": { "@nestjs/common": "^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0", "@nestjs/core": "^7.0.0 || ^8.0.0 || ^9.0.0 || ^10.0.0 || ^11.0.0", "reflect-metadata": "^0.1.13 || ^0.2.0" } }, "sha512-9j0ZRfH0QE1qyrj9JjIRDz5gQLPqq9yVC2nHsrosDVAfI5HHw08/aUAWx9DZLSdQf4HDkmhTTEGLrRFHENvchQ=="],
+
+    "@next/env": ["@next/env@16.0.8", "", {}, "sha512-xP4WrQZuj9MdmLJy3eWFHepo+R3vznsMSS8Dy3wdA7FKpjCiesQ6DxZvdGziQisj0tEtCgBKJzjcAc4yZOgLEQ=="],
 
     "@next/eslint-plugin-next": ["@next/eslint-plugin-next@15.5.2", "", { "dependencies": { "fast-glob": "3.3.1" } }, "sha512-lkLrRVxcftuOsJNhWatf1P2hNVfh98k/omQHrCEPPriUypR6RcS13IvLdIrEvkm9AH2Nu2YpR5vLqBuy6twH3Q=="],
 
-    "@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@15.5.7", "", { "os": "darwin", "cpu": "arm64" }, "sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw=="],
+    "@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@16.0.8", "", { "os": "darwin", "cpu": "arm64" }, "sha512-yjVMvTQN21ZHOclQnhSFbjBTEizle+1uo4NV6L4rtS9WO3nfjaeJYw+H91G+nEf3Ef43TaEZvY5mPWfB/De7tA=="],
 
-    "@next/swc-darwin-x64": ["@next/swc-darwin-x64@15.5.7", "", { "os": "darwin", "cpu": "x64" }, "sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg=="],
+    "@next/swc-darwin-x64": ["@next/swc-darwin-x64@16.0.8", "", { "os": "darwin", "cpu": "x64" }, "sha512-+zu2N3QQ0ZOb6RyqQKfcu/pn0UPGmg+mUDqpAAEviAcEVEYgDckemOpiMRsBP3IsEKpcoKuNzekDcPczEeEIzA=="],
 
-    "@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA=="],
+    "@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@16.0.8", "", { "os": "linux", "cpu": "arm64" }, "sha512-LConttk+BeD0e6RG0jGEP9GfvdaBVMYsLJ5aDDweKiJVVCu6sGvo+Ohz9nQhvj7EQDVVRJMCGhl19DmJwGr6bQ=="],
 
-    "@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw=="],
+    "@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@16.0.8", "", { "os": "linux", "cpu": "arm64" }, "sha512-JaXFAlqn8fJV+GhhA9lpg6da/NCN/v9ub98n3HoayoUSPOVdoxEEt86iT58jXqQCs/R3dv5ZnxGkW8aF4obMrQ=="],
 
-    "@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw=="],
+    "@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@16.0.8", "", { "os": "linux", "cpu": "x64" }, "sha512-O7M9it6HyNhsJp3HNAsJoHk5BUsfj7hRshfptpGcVsPZ1u0KQ/oVy8oxF7tlwxA5tR43VUP0yRmAGm1us514ng=="],
 
-    "@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA=="],
+    "@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@16.0.8", "", { "os": "linux", "cpu": "x64" }, "sha512-8+KClEC/GLI2dLYcrWwHu5JyC5cZYCFnccVIvmxpo6K+XQt4qzqM5L4coofNDZYkct/VCCyJWGbZZDsg6w6LFA=="],
 
-    "@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@15.5.7", "", { "os": "win32", "cpu": "arm64" }, "sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ=="],
+    "@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@16.0.8", "", { "os": "win32", "cpu": "arm64" }, "sha512-rpQ/PgTEgH68SiXmhu/cJ2hk9aZ6YgFvspzQWe2I9HufY6g7V02DXRr/xrVqOaKm2lenBFPNQ+KAaeveywqV+A=="],
 
-    "@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@15.5.7", "", { "os": "win32", "cpu": "x64" }, "sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw=="],
+    "@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@16.0.8", "", { "os": "win32", "cpu": "x64" }, "sha512-jWpWjWcMQu2iZz4pEK2IktcfR+OA9+cCG8zenyLpcW8rN4rzjfOzH4yj/b1FiEAZHKS+5Vq8+bZyHi+2yqHbFA=="],
 
     "@next/third-parties": ["@next/third-parties@15.5.7", "", { "dependencies": { "third-party-capital": "1.0.20" }, "peerDependencies": { "next": "^13.0.0 || ^14.0.0 || ^15.0.0", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0" } }, "sha512-xIahs2sBMwYBtI0CLSUCMtKXen6T8G23Cq1WogA8BMRSIDqkhHutHpu+nrdzSNVg4yA59B8oU8DFdcGz4WHWtw=="],
 
@@ -1987,13 +2019,13 @@
 
     "@tiptap/extension-strike": ["@tiptap/extension-strike@2.27.1", "", { "peerDependencies": { "@tiptap/core": "^2.7.0" } }, "sha512-S9I//K8KPgfFTC5I5lorClzXk0g4lrAv9y5qHzHO5EOWt7AFl0YTg2oN8NKSIBK4bHRnPIrjJJKv+dDFnUp5jQ=="],
 
-    "@tiptap/extension-table": ["@tiptap/extension-table@3.12.1", "", { "peerDependencies": { "@tiptap/core": "^3.12.1", "@tiptap/pm": "^3.12.1" } }, "sha512-c/KkAtA2z7zo6Ity62kbnw75cUeh2c6JfTS4Yqi/wF4Ckr5S6QV/2v8OcHOSu+EamSKFU1jJBq8HrjGV8WwmGQ=="],
+    "@tiptap/extension-table": ["@tiptap/extension-table@3.13.0", "", { "peerDependencies": { "@tiptap/core": "^3.13.0", "@tiptap/pm": "^3.13.0" } }, "sha512-LcH9KE4QBUJ6IPwt1Uo5iU7zatFjUUvXbctIu2fKQ9nqJ7nNSFxRhkNyporVFkTWYH7/rb0qMoF1VxSUGefG5w=="],
 
-    "@tiptap/extension-table-cell": ["@tiptap/extension-table-cell@3.12.1", "", { "peerDependencies": { "@tiptap/extension-table": "^3.12.1" } }, "sha512-LoMuOuLyIuXpKHPNbYwUnNFLb5mDOZu0dgCHPBDptQ5R2psWKZkPok/uYKOnk2OeOJOvEUNbdPGxW4T2iCq1gA=="],
+    "@tiptap/extension-table-cell": ["@tiptap/extension-table-cell@3.13.0", "", { "peerDependencies": { "@tiptap/extension-table": "^3.13.0" } }, "sha512-dBOPeLe2NqymZI8reS2yZRIcgfIYHudCq4lDWZBJ5NiMvoy0b/fVe1qYSP4EcfBQMpfgAP0E05bMB3C7p1kmkw=="],
 
-    "@tiptap/extension-table-header": ["@tiptap/extension-table-header@3.12.1", "", { "peerDependencies": { "@tiptap/extension-table": "^3.12.1" } }, "sha512-yAgO4NmW2XTOBFesSJAfPnXEVfhZyU5zSKRWEMdjvQmfxnshamxDTyk3e/A4iMmBcRZFi20WUheGgWe6snkjzw=="],
+    "@tiptap/extension-table-header": ["@tiptap/extension-table-header@3.13.0", "", { "peerDependencies": { "@tiptap/extension-table": "^3.13.0" } }, "sha512-ZA5lhcek0VlKupqj3WFgE6bj5vNRmxcpDqjYc6RWaxuva4dYfEQSqdlG+3a53Sr53le0grfBpolM8zJFCVYrcw=="],
 
-    "@tiptap/extension-table-row": ["@tiptap/extension-table-row@3.12.1", "", { "peerDependencies": { "@tiptap/extension-table": "^3.12.1" } }, "sha512-3rxe5jpJAZYfPcaFxJRTpYK1I410bCrd/m9vr1S2C7CfHj6UJBJIbTUuOy7enujkL02G/PvPKiLGOofr7dzEoQ=="],
+    "@tiptap/extension-table-row": ["@tiptap/extension-table-row@3.13.0", "", { "peerDependencies": { "@tiptap/extension-table": "^3.13.0" } }, "sha512-FdsMTIBNleZtWJEhXE/PBxkB8L9YJtnKs7YZNesLKqLn6/sWZl+X5e5SAAN/N3DLOEAwNCa/m0C3A1DWGNz/tw=="],
 
     "@tiptap/extension-task-item": ["@tiptap/extension-task-item@2.22.3", "", { "peerDependencies": { "@tiptap/core": "^2.7.0", "@tiptap/pm": "^2.7.0" } }, "sha512-aVfSa2dLF77bfXpAlrsfPUNdhiHJhw3VJ/pnCTxrEnBXYilDuH59AhtU6DygSNhMZWUgzI4OPqf3crF+yzrHag=="],
 
@@ -2261,7 +2293,7 @@
 
     "@types/retry": ["@types/retry@0.12.0", "", {}, "sha512-wWKOClTTiizcZhXnPY4wikVAwmdYHp8q6DmC+EJUzAMsycb7HB32Kh9RN4+0gExjmPmZSAQjgURXIGATPegAvA=="],
 
-    "@types/send": ["@types/send@0.17.6", "", { "dependencies": { "@types/mime": "^1", "@types/node": "*" } }, "sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og=="],
+    "@types/send": ["@types/send@1.2.1", "", { "dependencies": { "@types/node": "*" } }, "sha512-arsCikDvlU99zl1g69TcAB3mzZPpxgw0UQnaHeC1Nwb015xp8bknZv5rIfri9xTOcMuaVgvabfIRA7PSZVuZIQ=="],
 
     "@types/serve-static": ["@types/serve-static@2.2.0", "", { "dependencies": { "@types/http-errors": "*", "@types/node": "*" } }, "sha512-8mam4H1NHLtu7nmtalF7eyBH14QyOASmcxHhSfEoRyr0nP/YdoesEtU+uSRvMe96TW/HPTtkoKqQLl53N7UXMQ=="],
 
@@ -2483,7 +2515,7 @@
 
     "aggregate-error": ["aggregate-error@3.1.0", "", { "dependencies": { "clean-stack": "^2.0.0", "indent-string": "^4.0.0" } }, "sha512-4I7Td01quW/RpocfNayFdFVk1qSuoh0E7JrbRJ16nH01HhKFQ88INq9Sd+nd72zqRySlr9BmDA8xlEJ6vJMrYA=="],
 
-    "ai": ["ai@5.0.106", "", { "dependencies": { "@ai-sdk/gateway": "2.0.18", "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-M5obwavxSJJ3tGlAFqI6eltYNJB0D20X6gIBCFx/KVorb/X1fxVVfiZZpZb+Gslu4340droSOjT0aKQFCarNVg=="],
+    "ai": ["ai@5.0.107", "", { "dependencies": { "@ai-sdk/gateway": "2.0.18", "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-laZlS9ZC/DZfSaxPgrBqI4mM+kxRvTPBBQfa74ceBFskkunZKEsaGVFNEs4cfyGa3nCCCl1WO/fjxixp4V8Zag=="],
 
     "ai-elements": ["ai-elements@1.6.3", "", { "bin": { "elements": "index.js" } }, "sha512-M0A5NrUqCMV2w9hJV+kOuFi+XKo1BjlawheaqfrG+jovWsyXyCalOOH2dM4w/BwjABwje5yZX5MnMIUwnFmqzg=="],
 
@@ -3127,7 +3159,7 @@
 
     "effect": ["effect@3.19.8", "", { "dependencies": { "@standard-schema/spec": "^1.0.0", "fast-check": "^3.23.1" } }, "sha512-OmLw8EfH02vdmyU2fO4uY9He/wepwKI5E/JNpE2pseaWWUbaYOK9UlxIiKP20ZEqQr+S/jSqRDGmpiqD/2DeCQ=="],
 
-    "electron-to-chromium": ["electron-to-chromium@1.5.265", "", {}, "sha512-B7IkLR1/AE+9jR2LtVF/1/6PFhY5TlnEHnlrKmGk7PvkJibg5jr+mLXLLzq3QYl6PA1T/vLDthQPqIPAlS/PPA=="],
+    "electron-to-chromium": ["electron-to-chromium@1.5.266", "", {}, "sha512-kgWEglXvkEfMH7rxP5OSZZwnaDWT7J9EoZCujhnpLbfi0bbNtRkgdX2E3gt0Uer11c61qCYktB3hwkAS325sJg=="],
 
     "embla-carousel": ["embla-carousel@8.6.0", "", {}, "sha512-SjWyZBHJPbqxHOzckOfo8lHisEaJWmwd23XppYFYVh10bU66/Pn5tkVkbkCMZVdbUE5eTCI2nD8OyIP4Z+uwkA=="],
 
@@ -3539,6 +3571,8 @@
 
     "hastscript": ["hastscript@9.0.1", "", { "dependencies": { "@types/hast": "^3.0.0", "comma-separated-tokens": "^2.0.0", "hast-util-parse-selector": "^4.0.0", "property-information": "^7.0.0", "space-separated-tokens": "^2.0.0" } }, "sha512-g7df9rMFX/SPi34tyGCyUBREQoKkapwdY/T04Qn9TDWfHhAYt4/I0gMVirzK5wEzeUqIjEB+LXC/ypb7Aqno5w=="],
 
+    "helmet": ["helmet@8.1.0", "", {}, "sha512-jOiHyAZsmnr8LqoPGmCjYAaiuWwjAPLgY8ZX2XrmHawt99/u1y6RgrZMTeoPfpUbV96HOalYgz1qzkRbw54Pmg=="],
+
     "hey-listen": ["hey-listen@1.0.8", "", {}, "sha512-COpmrF2NOg4TBWUJ5UVyaCU2A88wEMkUPK4hNqyCkqHbxT92BbvfjoSozkAIIm6XhicGlJHhFdullInrdhwU8Q=="],
 
     "highlight.js": ["highlight.js@10.7.3", "", {}, "sha512-tzcUFauisWKNHaRkN4Wjl/ZA07gENAjFl3J/c480dprkGTg5EQstgaNFqBfUqCq54kZRIEcreTsAgF/m2quD7A=="],
@@ -4259,7 +4293,7 @@
 
     "netmask": ["netmask@2.0.2", "", {}, "sha512-dBpDMdxv9Irdq66304OLfEmQ9tbNRFnFTuZiLo+bD+r332bBmMJ8GBLXklIXXgxd3+v9+KUnZaUR5PJMa75Gsg=="],
 
-    "next": ["next@15.5.7", "", { "dependencies": { "@next/env": "15.5.7", "@swc/helpers": "0.5.15", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "15.5.7", "@next/swc-darwin-x64": "15.5.7", "@next/swc-linux-arm64-gnu": "15.5.7", "@next/swc-linux-arm64-musl": "15.5.7", "@next/swc-linux-x64-gnu": "15.5.7", "@next/swc-linux-x64-musl": "15.5.7", "@next/swc-win32-arm64-msvc": "15.5.7", "@next/swc-win32-x64-msvc": "15.5.7", "sharp": "^0.34.3" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-+t2/0jIJ48kUpGKkdlhgkv+zPTEOoXyr60qXe68eB/pl3CMJaLeIGjzp5D6Oqt25hCBiBTt8wEeeAzfJvUKnPQ=="],
+    "next": ["next@16.0.8", "", { "dependencies": { "@next/env": "16.0.8", "@swc/helpers": "0.5.15", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "16.0.8", "@next/swc-darwin-x64": "16.0.8", "@next/swc-linux-arm64-gnu": "16.0.8", "@next/swc-linux-arm64-musl": "16.0.8", "@next/swc-linux-x64-gnu": "16.0.8", "@next/swc-linux-x64-musl": "16.0.8", "@next/swc-win32-arm64-msvc": "16.0.8", "@next/swc-win32-x64-msvc": "16.0.8", "sharp": "^0.34.4" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-LmcZzG04JuzNXi48s5P+TnJBsTGPJunViNKV/iE4uM6kstjTQsQhvsAv+xF6MJxU2Pr26tl15eVbp0jQnsv6/g=="],
 
     "next-safe-action": ["next-safe-action@8.0.11", "", { "peerDependencies": { "next": ">= 14.0.0", "react": ">= 18.2.0", "react-dom": ">= 18.2.0" } }, "sha512-gqJLmnQLAoFCq1kRBopN46New+vx1n9J9Y/qDQLXpv/VqU40AWxDakvshwwnWAt8R0kLvlakNYNLX5PqlXWSMg=="],
 
@@ -4309,7 +4343,7 @@
 
     "number-is-nan": ["number-is-nan@1.0.1", "", {}, "sha512-4jbtZXNAsfZbAHiiqjLPBiCl16dES1zI4Hpzzxw61Tk+loF+sBDBKx1ICKKKwIqQ7M0mFn1TmkN7euSncWgHiQ=="],
 
-    "nuqs": ["nuqs@2.8.2", "", { "dependencies": { "@standard-schema/spec": "1.0.0" }, "peerDependencies": { "@remix-run/react": ">=2", "@tanstack/react-router": "^1", "next": ">=14.2.0", "react": ">=18.2.0 || ^19.0.0-0", "react-router": "^5 || ^6 || ^7", "react-router-dom": "^5 || ^6 || ^7" }, "optionalPeers": ["@remix-run/react", "@tanstack/react-router", "next", "react-router", "react-router-dom"] }, "sha512-KMb6gmUJaLVRw+SbKUmBTo0IWLGU2s1Z4Iz/N64+EIDcu6Iw51CuppgKmxZR2EW3iXaOz5LF4avGKD2wq45eqg=="],
+    "nuqs": ["nuqs@2.8.3", "", { "dependencies": { "@standard-schema/spec": "1.0.0" }, "peerDependencies": { "@remix-run/react": ">=2", "@tanstack/react-router": "^1", "next": ">=14.2.0", "react": ">=18.2.0 || ^19.0.0-0", "react-router": "^5 || ^6 || ^7", "react-router-dom": "^5 || ^6 || ^7" }, "optionalPeers": ["@remix-run/react", "@tanstack/react-router", "next", "react-router", "react-router-dom"] }, "sha512-ZSLiAw0uDYE3JpmV3Yot7aGP4mfyj7vYCPrM7r7qUo9Bx00Vf/7eHOp4iC9LtgV1PVVdqLkvMf/8qN79BP1Jkg=="],
 
     "nwsapi": ["nwsapi@2.2.22", "", {}, "sha512-ujSMe1OWVn55euT1ihwCI1ZcAaAU3nxUiDwfDQldc51ZXaB9m2AyOn6/jh1BLe2t/G8xd6uKG1UBF2aZJeg2SQ=="],
 
@@ -4521,7 +4555,7 @@
 
     "postgres-interval": ["postgres-interval@1.2.0", "", { "dependencies": { "xtend": "^4.0.0" } }, "sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ=="],
 
-    "posthog-js": ["posthog-js@1.302.0", "", { "dependencies": { "@posthog/core": "1.7.1", "core-js": "^3.38.1", "fflate": "^0.4.8", "preact": "^10.19.3", "web-vitals": "^4.2.4" } }, "sha512-cBvxnAyKgcoXnikFJROCSqN8i1x9bm+szj7HOQ92mw3anlW7LK7vZ8hrQ4VNUGNIMu0ogP8djvXW5W8AlWbFcQ=="],
+    "posthog-js": ["posthog-js@1.302.1", "", { "dependencies": { "@posthog/core": "1.7.1", "core-js": "^3.38.1", "fflate": "^0.4.8", "preact": "^10.19.3", "web-vitals": "^4.2.4" } }, "sha512-dSxAOaIN9ElR7NUa+q0kvZOyzxyskTqsttEzMGTIDbE8ou/D0TJxJwWtRF011qaS1dJnE601n38Y905JEDUwDg=="],
 
     "posthog-node": ["posthog-node@5.17.2", "", { "dependencies": { "@posthog/core": "1.7.1" } }, "sha512-lz3YJOr0Nmiz0yHASaINEDHqoV+0bC3eD8aZAG+Ky292dAnVYul+ga/dMX8KCBXg8hHfKdxw0SztYD5j6dgUqQ=="],
 
@@ -5135,7 +5169,7 @@
 
     "terser": ["terser@5.44.1", "", { "dependencies": { "@jridgewell/source-map": "^0.3.3", "acorn": "^8.15.0", "commander": "^2.20.0", "source-map-support": "~0.5.20" }, "bin": { "terser": "bin/terser" } }, "sha512-t/R3R/n0MSwnnazuPpPNVO60LX0SKL45pyl9YlvxIdkH0Of7D5qM2EVe+yASRIlY5pZ73nclYJfNANGWPwFDZw=="],
 
-    "terser-webpack-plugin": ["terser-webpack-plugin@5.3.14", "", { "dependencies": { "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", "schema-utils": "^4.3.0", "serialize-javascript": "^6.0.2", "terser": "^5.31.1" }, "peerDependencies": { "webpack": "^5.1.0" } }, "sha512-vkZjpUjb6OMS7dhV+tILUW6BhpDR7P2L/aQSAv+Uwk+m8KATX9EccViHTJR2qDtACKPIYndLGCyl3FMo+r2LMw=="],
+    "terser-webpack-plugin": ["terser-webpack-plugin@5.3.15", "", { "dependencies": { "@jridgewell/trace-mapping": "^0.3.25", "jest-worker": "^27.4.5", "schema-utils": "^4.3.0", "serialize-javascript": "^6.0.2", "terser": "^5.31.1" }, "peerDependencies": { "webpack": "^5.1.0" } }, "sha512-PGkOdpRFK+rb1TzVz+msVhw4YMRT9txLF4kRqvJhGhCM324xuR3REBSHALN+l+sAhKUmz0aotnjp5D+P83mLhQ=="],
 
     "test-exclude": ["test-exclude@6.0.0", "", { "dependencies": { "@istanbuljs/schema": "^0.1.2", "glob": "^7.1.4", "minimatch": "^3.0.4" } }, "sha512-cAGWPIyOHU6zlmg88jwm7VRyXnMN7iV68OGAbYDk/Mh/xC/pzVPlQtY6ngoIH/5/tciuhGfvESU8GrHrcxD56w=="],
 
@@ -5637,8 +5671,12 @@
 
     "@comp/api/zod": ["zod@4.1.13", "", {}, "sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig=="],
 
+    "@comp/app/@ai-sdk/openai": ["@ai-sdk/openai@2.0.80", "", { "dependencies": { "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-tNHuraF11db+8xJEDBoU9E3vMcpnHFKRhnLQ3DQX2LnEzfPB9DksZ8rE+yVuDN1WRW9cm2OWAhgHFgVKs7ICuw=="],
+
     "@comp/app/@prisma/instrumentation": ["@prisma/instrumentation@6.6.0", "", { "dependencies": { "@opentelemetry/instrumentation": "^0.52.0 || ^0.53.0 || ^0.54.0 || ^0.55.0 || ^0.56.0 || ^0.57.0" }, "peerDependencies": { "@opentelemetry/api": "^1.8" } }, "sha512-M/a6njz3hbf2oucwdbjNKrSMLuyMCwgDrmTtkF1pm4Nm7CU45J/Hd6lauF2CDACTUYzu3ymcV7P0ZAhIoj6WRw=="],
 
+    "@comp/app/ai": ["ai@5.0.108", "", { "dependencies": { "@ai-sdk/gateway": "2.0.18", "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-Jex3Lb7V41NNpuqJHKgrwoU6BCLHdI1Pg4qb4GJH4jRIDRXUBySJErHjyN4oTCwbiYCeb/8II9EnqSRPq9EifA=="],
+
     "@comp/app/resend": ["resend@4.8.0", "", { "dependencies": { "@react-email/render": "1.1.2" } }, "sha512-R8eBOFQDO6dzRTDmaMEdpqrkmgSjPpVXt4nGfWsZdYOet0kqra0xgbvTES6HmCriZEXbmGk3e0DiGIaLFTFSHA=="],
 
     "@cspotcode/source-map-support/@jridgewell/trace-mapping": ["@jridgewell/trace-mapping@0.3.9", "", { "dependencies": { "@jridgewell/resolve-uri": "^3.0.3", "@jridgewell/sourcemap-codec": "^1.4.10" } }, "sha512-3Belt6tdc8bPgAtbcmdtNJlirVoTmEb5e2gC94PnkwEW9jI6CAHUeoG85tjWP5WquqfavoMtMwiG4P926ZKKuQ=="],
@@ -5715,6 +5753,8 @@
 
     "@next/eslint-plugin-next/fast-glob": ["fast-glob@3.3.1", "", { "dependencies": { "@nodelib/fs.stat": "^2.0.2", "@nodelib/fs.walk": "^1.2.3", "glob-parent": "^5.1.2", "merge2": "^1.3.0", "micromatch": "^4.0.4" } }, "sha512-kNFPyjhh5cKjrUltxs+wFx+ZkbRaxxmZ+X0ZU31SOsxCEtP9VPgtq2teZw1DebupL5GmDaNQ6yKMMVcM41iqDg=="],
 
+    "@next/third-parties/next": ["next@15.5.7", "", { "dependencies": { "@next/env": "15.5.7", "@swc/helpers": "0.5.15", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "15.5.7", "@next/swc-darwin-x64": "15.5.7", "@next/swc-linux-arm64-gnu": "15.5.7", "@next/swc-linux-arm64-musl": "15.5.7", "@next/swc-linux-x64-gnu": "15.5.7", "@next/swc-linux-x64-musl": "15.5.7", "@next/swc-win32-arm64-msvc": "15.5.7", "@next/swc-win32-x64-msvc": "15.5.7", "sharp": "^0.34.3" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-+t2/0jIJ48kUpGKkdlhgkv+zPTEOoXyr60qXe68eB/pl3CMJaLeIGjzp5D6Oqt25hCBiBTt8wEeeAzfJvUKnPQ=="],
+
     "@novu/api/zod": ["zod@4.1.13", "", {}, "sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig=="],
 
     "@novu/js/socket.io-client": ["socket.io-client@4.7.2", "", { "dependencies": { "@socket.io/component-emitter": "~3.1.0", "debug": "~4.3.2", "engine.io-client": "~6.5.2", "socket.io-parser": "~4.2.4" } }, "sha512-vtA0uD4ibrYD793SOIAwlo8cj6haOeMHrGvwPxJsxH7CeIksqJ+3Zc06RvWTIFgiSqx4A3sOnTXpfAEE2Zyz6w=="],
@@ -5899,10 +5939,14 @@
 
     "@trycompai/db/zod": ["zod@4.1.13", "", {}, "sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig=="],
 
+    "@trycompai/email/next": ["next@15.5.7", "", { "dependencies": { "@next/env": "15.5.7", "@swc/helpers": "0.5.15", "caniuse-lite": "^1.0.30001579", "postcss": "8.4.31", "styled-jsx": "5.1.6" }, "optionalDependencies": { "@next/swc-darwin-arm64": "15.5.7", "@next/swc-darwin-x64": "15.5.7", "@next/swc-linux-arm64-gnu": "15.5.7", "@next/swc-linux-arm64-musl": "15.5.7", "@next/swc-linux-x64-gnu": "15.5.7", "@next/swc-linux-x64-musl": "15.5.7", "@next/swc-win32-arm64-msvc": "15.5.7", "@next/swc-win32-x64-msvc": "15.5.7", "sharp": "^0.34.3" }, "peerDependencies": { "@opentelemetry/api": "^1.1.0", "@playwright/test": "^1.51.1", "babel-plugin-react-compiler": "*", "react": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "react-dom": "^18.2.0 || 19.0.0-rc-de68d2f4-20241204 || ^19.0.0", "sass": "^1.3.0" }, "optionalPeers": ["@opentelemetry/api", "@playwright/test", "babel-plugin-react-compiler", "sass"], "bin": { "next": "dist/bin/next" } }, "sha512-+t2/0jIJ48kUpGKkdlhgkv+zPTEOoXyr60qXe68eB/pl3CMJaLeIGjzp5D6Oqt25hCBiBTt8wEeeAzfJvUKnPQ=="],
+
     "@trycompai/email/resend": ["resend@4.8.0", "", { "dependencies": { "@react-email/render": "1.1.2" } }, "sha512-R8eBOFQDO6dzRTDmaMEdpqrkmgSjPpVXt4nGfWsZdYOet0kqra0xgbvTES6HmCriZEXbmGk3e0DiGIaLFTFSHA=="],
 
     "@trycompai/integrations/zod": ["zod@4.1.13", "", {}, "sha512-AvvthqfqrAhNH9dnfmrfKzX5upOdjUVJYFqNSlkmGf64gRaTzlPwz99IHYnVs28qYAybvAlBV+H7pn0saFY4Ig=="],
 
+    "@trycompai/ui/ai": ["ai@5.0.108", "", { "dependencies": { "@ai-sdk/gateway": "2.0.18", "@ai-sdk/provider": "2.0.0", "@ai-sdk/provider-utils": "3.0.18", "@opentelemetry/api": "1.9.0" }, "peerDependencies": { "zod": "^3.25.76 || ^4.1.8" } }, "sha512-Jex3Lb7V41NNpuqJHKgrwoU6BCLHdI1Pg4qb4GJH4jRIDRXUBySJErHjyN4oTCwbiYCeb/8II9EnqSRPq9EifA=="],
+
     "@trycompai/ui/lucide-react": ["lucide-react@0.554.0", "", { "peerDependencies": { "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0" } }, "sha512-St+z29uthEJVx0Is7ellNkgTEhaeSoA42I7JjOCBCrc5X6LYMGSv0P/2uS5HDLTExP5tpiqRD2PyUEOS6s9UXA=="],
 
     "@typescript-eslint/eslint-plugin/ignore": ["ignore@7.0.5", "", {}, "sha512-Hs59xBNfUIunMFgWAbGX5cq6893IbWg4KnrjbYwX3tx0ztorVgTDA6B2sxf8ejHJ4wz8BqGUMYlnzNBer5NvGg=="],
@@ -5965,6 +6009,8 @@
 
     "cliui/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
 
+    "cmdk/@radix-ui/react-primitive": ["@radix-ui/react-primitive@2.1.4", "", { "dependencies": { "@radix-ui/react-slot": "1.2.4" }, "peerDependencies": { "@types/react": "*", "@types/react-dom": "*", "react": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc", "react-dom": "^16.8 || ^17.0 || ^18.0 || ^19.0 || ^19.0.0-rc" }, "optionalPeers": ["@types/react", "@types/react-dom"] }, "sha512-9hQc4+GNVtJAIEPEqlYqW5RiYdrr8ea5XQ0ZOnD6fgru+83kqT15mq2OCcbe8KnjRZl5vF3ks69AKz3kh1jrhg=="],
+
     "compress-commons/is-stream": ["is-stream@2.0.1", "", {}, "sha512-hFoiJiTl63nn+kstHGBtewWSKnQLpyb155KHheA1l39uvtO9nWIop1p3udqPcUd/xbF1VLMO4n7OI6p7RbngDg=="],
 
     "concat-stream/readable-stream": ["readable-stream@3.6.2", "", { "dependencies": { "inherits": "^2.0.3", "string_decoder": "^1.1.1", "util-deprecate": "^1.0.1" } }, "sha512-9u/sniCrY3D5WdsERHzHE4G2YCXqoG5FTHUiCC4SIbr6XcLZBY05ya9EKjYek9O5xOAwjGq+1JdGBAS7Q9ScoA=="],
@@ -6861,6 +6907,26 @@
 
     "@next/eslint-plugin-next/fast-glob/glob-parent": ["glob-parent@5.1.2", "", { "dependencies": { "is-glob": "^4.0.1" } }, "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow=="],
 
+    "@next/third-parties/next/@next/env": ["@next/env@15.5.7", "", {}, "sha512-4h6Y2NyEkIEN7Z8YxkA27pq6zTkS09bUSYC0xjd0NpwFxjnIKeZEeH591o5WECSmjpUhLn3H2QLJcDye3Uzcvg=="],
+
+    "@next/third-parties/next/@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@15.5.7", "", { "os": "darwin", "cpu": "arm64" }, "sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw=="],
+
+    "@next/third-parties/next/@next/swc-darwin-x64": ["@next/swc-darwin-x64@15.5.7", "", { "os": "darwin", "cpu": "x64" }, "sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg=="],
+
+    "@next/third-parties/next/@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA=="],
+
+    "@next/third-parties/next/@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw=="],
+
+    "@next/third-parties/next/@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw=="],
+
+    "@next/third-parties/next/@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA=="],
+
+    "@next/third-parties/next/@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@15.5.7", "", { "os": "win32", "cpu": "arm64" }, "sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ=="],
+
+    "@next/third-parties/next/@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@15.5.7", "", { "os": "win32", "cpu": "x64" }, "sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw=="],
+
+    "@next/third-parties/next/postcss": ["postcss@8.4.31", "", { "dependencies": { "nanoid": "^3.3.6", "picocolors": "^1.0.0", "source-map-js": "^1.0.2" } }, "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ=="],
+
     "@novu/js/socket.io-client/debug": ["debug@4.3.7", "", { "dependencies": { "ms": "^2.1.3" } }, "sha512-Er2nc/H7RrMXZBFCEim6TCmMk02Z8vLC2Rbi1KEBggpo0fS6l0S1nnapwmIi3yW/+GOJap1Krg4w0Hg80oCqgQ=="],
 
     "@octokit/plugin-paginate-rest/@octokit/types/@octokit/openapi-types": ["@octokit/openapi-types@26.0.0", "", {}, "sha512-7AtcfKtpo77j7Ts73b4OWhOZHTKo/gGY8bB3bNBQz4H+GRSWqx2yvj8TXRsbdTE0eRmYmXOEY66jM7mJ7LzfsA=="],
@@ -6969,6 +7035,26 @@
 
     "@trigger.dev/core/socket.io/engine.io": ["engine.io@6.5.5", "", { "dependencies": { "@types/cookie": "^0.4.1", "@types/cors": "^2.8.12", "@types/node": ">=10.0.0", "accepts": "~1.3.4", "base64id": "2.0.0", "cookie": "~0.4.1", "cors": "~2.8.5", "debug": "~4.3.1", "engine.io-parser": "~5.2.1", "ws": "~8.17.1" } }, "sha512-C5Pn8Wk+1vKBoHghJODM63yk8MvrO9EWZUfkAt5HAqIgPE4/8FF0PEGHXtEd40l223+cE5ABWuPzm38PHFXfMA=="],
 
+    "@trycompai/email/next/@next/env": ["@next/env@15.5.7", "", {}, "sha512-4h6Y2NyEkIEN7Z8YxkA27pq6zTkS09bUSYC0xjd0NpwFxjnIKeZEeH591o5WECSmjpUhLn3H2QLJcDye3Uzcvg=="],
+
+    "@trycompai/email/next/@next/swc-darwin-arm64": ["@next/swc-darwin-arm64@15.5.7", "", { "os": "darwin", "cpu": "arm64" }, "sha512-IZwtxCEpI91HVU/rAUOOobWSZv4P2DeTtNaCdHqLcTJU4wdNXgAySvKa/qJCgR5m6KI8UsKDXtO2B31jcaw1Yw=="],
+
+    "@trycompai/email/next/@next/swc-darwin-x64": ["@next/swc-darwin-x64@15.5.7", "", { "os": "darwin", "cpu": "x64" }, "sha512-UP6CaDBcqaCBuiq/gfCEJw7sPEoX1aIjZHnBWN9v9qYHQdMKvCKcAVs4OX1vIjeE+tC5EIuwDTVIoXpUes29lg=="],
+
+    "@trycompai/email/next/@next/swc-linux-arm64-gnu": ["@next/swc-linux-arm64-gnu@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-NCslw3GrNIw7OgmRBxHtdWFQYhexoUCq+0oS2ccjyYLtcn1SzGzeM54jpTFonIMUjNbHmpKpziXnpxhSWLcmBA=="],
+
+    "@trycompai/email/next/@next/swc-linux-arm64-musl": ["@next/swc-linux-arm64-musl@15.5.7", "", { "os": "linux", "cpu": "arm64" }, "sha512-nfymt+SE5cvtTrG9u1wdoxBr9bVB7mtKTcj0ltRn6gkP/2Nu1zM5ei8rwP9qKQP0Y//umK+TtkKgNtfboBxRrw=="],
+
+    "@trycompai/email/next/@next/swc-linux-x64-gnu": ["@next/swc-linux-x64-gnu@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-hvXcZvCaaEbCZcVzcY7E1uXN9xWZfFvkNHwbe/n4OkRhFWrs1J1QV+4U1BN06tXLdaS4DazEGXwgqnu/VMcmqw=="],
+
+    "@trycompai/email/next/@next/swc-linux-x64-musl": ["@next/swc-linux-x64-musl@15.5.7", "", { "os": "linux", "cpu": "x64" }, "sha512-4IUO539b8FmF0odY6/SqANJdgwn1xs1GkPO5doZugwZ3ETF6JUdckk7RGmsfSf7ws8Qb2YB5It33mvNL/0acqA=="],
+
+    "@trycompai/email/next/@next/swc-win32-arm64-msvc": ["@next/swc-win32-arm64-msvc@15.5.7", "", { "os": "win32", "cpu": "arm64" }, "sha512-CpJVTkYI3ZajQkC5vajM7/ApKJUOlm6uP4BknM3XKvJ7VXAvCqSjSLmM0LKdYzn6nBJVSjdclx8nYJSa3xlTgQ=="],
+
+    "@trycompai/email/next/@next/swc-win32-x64-msvc": ["@next/swc-win32-x64-msvc@15.5.7", "", { "os": "win32", "cpu": "x64" }, "sha512-gMzgBX164I6DN+9/PGA+9dQiwmTkE4TloBNx8Kv9UiGARsr9Nba7IpcBRA1iTV9vwlYnrE3Uy6I7Aj6qLjQuqw=="],
+
+    "@trycompai/email/next/postcss": ["postcss@8.4.31", "", { "dependencies": { "nanoid": "^3.3.6", "picocolors": "^1.0.0", "source-map-js": "^1.0.2" } }, "sha512-PS08Iboia9mts/2ygV3eLpY5ghnUcfLV/EXTOW1E2qYxJKGGBUtNjN76FYHnMs36RmARn41bC0AZmn+rR0OVpQ=="],
+
     "@trycompai/email/resend/@react-email/render": ["@react-email/render@1.1.2", "", { "dependencies": { "html-to-text": "^9.0.5", "prettier": "^3.5.3", "react-promise-suspense": "^0.3.4" }, "peerDependencies": { "react": "^18.0 || ^19.0 || ^19.0.0-rc", "react-dom": "^18.0 || ^19.0 || ^19.0.0-rc" } }, "sha512-RnRehYN3v9gVlNMehHPHhyp2RQo7+pSkHDtXPvg3s0GbzM9SQMW4Qrf8GRNvtpLC4gsI+Wt0VatNRUFqjvevbw=="],
 
     "accepts/mime-types/mime-db": ["mime-db@1.52.0", "", {}, "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg=="],
@@ -7105,7 +7191,7 @@
 
     "npm/@npmcli/metavuln-calculator/pacote": ["pacote@20.0.0", "", { "dependencies": { "@npmcli/git": "^6.0.0", "@npmcli/installed-package-contents": "^3.0.0", "@npmcli/package-json": "^6.0.0", "@npmcli/promise-spawn": "^8.0.0", "@npmcli/run-script": "^9.0.0", "cacache": "^19.0.0", "fs-minipass": "^3.0.0", "minipass": "^7.0.2", "npm-package-arg": "^12.0.0", "npm-packlist": "^9.0.0", "npm-pick-manifest": "^10.0.0", "npm-registry-fetch": "^18.0.0", "proc-log": "^5.0.0", "promise-retry": "^2.0.1", "sigstore": "^3.0.0", "ssri": "^12.0.0", "tar": "^6.1.11" }, "bin": { "pacote": "bin/index.js" } }, "sha512-pRjC5UFwZCgx9kUFDVM9YEahv4guZ1nSLqwmWiLUnDbGsjs+U5w7z6Uc8HNR1a6x8qnu5y9xtGE6D1uAuYz+0A=="],
 
-    "npm/cacache/tar": ["tar@7.5.2", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg=="],
+    "npm/cacache/tar": ["tar@7.4.3", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.0.1", "mkdirp": "^3.0.1", "yallist": "^5.0.0" } }, "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw=="],
 
     "npm/cross-spawn/which": ["which@2.0.2", "", { "dependencies": { "isexe": "^2.0.0" }, "bin": { "node-which": "./bin/node-which" } }, "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA=="],
 
@@ -7115,7 +7201,7 @@
 
     "npm/minipass-sized/minipass": ["minipass@3.3.6", "", { "dependencies": { "yallist": "^4.0.0" } }, "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw=="],
 
-    "npm/node-gyp/tar": ["tar@7.5.2", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.1.0", "yallist": "^5.0.0" } }, "sha512-7NyxrTE4Anh8km8iEy7o0QYPs+0JKBTj5ZaqHg6B39erLg0qYXN3BijtShwbsNSvQ+LN75+KV+C4QR/f6Gwnpg=="],
+    "npm/node-gyp/tar": ["tar@7.4.3", "", { "dependencies": { "@isaacs/fs-minipass": "^4.0.0", "chownr": "^3.0.0", "minipass": "^7.1.2", "minizlib": "^3.0.1", "mkdirp": "^3.0.1", "yallist": "^5.0.0" } }, "sha512-5S7Va8hKfV7W5U6g3aYxXmlPoZVAwUMy9AOKyF2fVuZa2UD3qZjg578OrLRt8PcNN1PleVaL/5/yYATNL0ICUw=="],
 
     "npm/spdx-correct/spdx-expression-parse": ["spdx-expression-parse@3.0.1", "", { "dependencies": { "spdx-exceptions": "^2.1.0", "spdx-license-ids": "^3.0.0" } }, "sha512-cbqHunsQWnJNE6KhVSMsMeH5H/L9EpymbzqTQ3uLwNCLZ1Q481oWaofqH7nO6V07xlXwY6PhQdQ2IedWx/ZK4Q=="],
 
@@ -7369,6 +7455,8 @@
 
     "@nestjs/schematics/@angular-devkit/schematics/ora/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
 
+    "@next/third-parties/next/postcss/nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="],
+
     "@novu/js/socket.io-client/debug/ms": ["ms@2.1.3", "", {}, "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA=="],
 
     "@semantic-release/github/aggregate-error/clean-stack/escape-string-regexp": ["escape-string-regexp@5.0.0", "", {}, "sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw=="],
@@ -7379,6 +7467,8 @@
 
     "@slack/bolt/@slack/web-api/form-data/safe-buffer": ["safe-buffer@5.2.1", "", {}, "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ=="],
 
+    "@slack/bolt/@types/express/@types/serve-static/@types/send": ["@types/send@0.17.6", "", { "dependencies": { "@types/mime": "^1", "@types/node": "*" } }, "sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og=="],
+
     "@slack/bolt/express/body-parser/iconv-lite": ["iconv-lite@0.4.24", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3" } }, "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA=="],
 
     "@slack/bolt/express/debug/ms": ["ms@2.0.0", "", {}, "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A=="],
@@ -7417,6 +7507,8 @@
 
     "@trigger.dev/core/socket.io/engine.io/ws": ["ws@8.17.1", "", { "peerDependencies": { "bufferutil": "^4.0.1", "utf-8-validate": ">=5.0.2" }, "optionalPeers": ["bufferutil", "utf-8-validate"] }, "sha512-6XQFvXTkbfUOZOKKILFG1PDK2NDQs4azKQl26T0YS5CxqWLgXajbPZ+h4gZekJyRqFU8pvnbAbbs/3TgRPy+GQ=="],
 
+    "@trycompai/email/next/postcss/nanoid": ["nanoid@3.3.11", "", { "bin": { "nanoid": "bin/nanoid.cjs" } }, "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w=="],
+
     "cli-highlight/yargs/cliui/strip-ansi": ["strip-ansi@6.0.1", "", { "dependencies": { "ansi-regex": "^5.0.1" } }, "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A=="],
 
     "env-ci/execa/npm-run-path/path-key": ["path-key@4.0.0", "", {}, "sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ=="],
@@ -7445,12 +7537,16 @@
 
     "npm/cacache/tar/chownr": ["chownr@3.0.0", "", {}, "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g=="],
 
+    "npm/cacache/tar/mkdirp": ["mkdirp@3.0.1", "", { "bin": { "mkdirp": "dist/cjs/src/bin.js" } }, "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg=="],
+
     "npm/cacache/tar/yallist": ["yallist@5.0.0", "", {}, "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw=="],
 
     "npm/cross-spawn/which/isexe": ["isexe@2.0.0", "", {}, "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw=="],
 
     "npm/node-gyp/tar/chownr": ["chownr@3.0.0", "", {}, "sha512-+IxzY9BZOQd/XuYPRmrvEVjF/nqj5kgT4kEq7VofrDoM1MxoRjEWkrCC3EtLi59TVawxTAn+orJwFQcrqEN1+g=="],
 
+    "npm/node-gyp/tar/mkdirp": ["mkdirp@3.0.1", "", { "bin": { "mkdirp": "dist/cjs/src/bin.js" } }, "sha512-+NsyUUAZDmo6YVHzL/stxSu3t9YS1iljliy3BSDrXJ/dkn1KYdmtZODGGjLcc9XLgVVpH4KshHB8XmZgMhaBXg=="],
+
     "npm/node-gyp/tar/yallist": ["yallist@5.0.0", "", {}, "sha512-YgvUTfwqyc7UXVMrB+SImsVYSmTS8X/tSrtdNZMImM+n7+QTriRXyXim0mBrTXNeqzVF0KWGgHPeiyViFFrNDw=="],
 
     "npm/tar/fs-minipass/minipass": ["minipass@3.3.6", "", { "dependencies": { "yallist": "^4.0.0" } }, "sha512-DxiNidxSEK+tHG6zOIklvNOwm3hvCrbUrdtzY74U6HKTJxvIDfOUL5W5P2Ghd3DTkhhKPYGqeNUIh5qcM4YBfw=="],
diff --git a/packages/db/prisma.config.ts b/packages/db/prisma.config.ts
index 265d14d52..48ff0a0e7 100644
--- a/packages/db/prisma.config.ts
+++ b/packages/db/prisma.config.ts
@@ -3,7 +3,11 @@ import path from 'node:path';
 import { defineConfig } from 'prisma/config';
 
 export default defineConfig({
+  earlyAccess: true,
   schema: path.join('prisma'),
+  migrate: {
+    url: process.env.DATABASE_URL!,
+  },
   migrations: {
     path: path.join('prisma', 'migrations'),
     seed: 'ts-node prisma/seed/seed.ts',
diff --git a/packages/db/prisma/migrations/20251203212921_add_employee_sync_provider/migration.sql b/packages/db/prisma/migrations/20251203212921_add_employee_sync_provider/migration.sql
new file mode 100644
index 000000000..45d8ff364
--- /dev/null
+++ b/packages/db/prisma/migrations/20251203212921_add_employee_sync_provider/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."Organization" ADD COLUMN     "employeeSyncProvider" TEXT;
diff --git a/packages/db/prisma/migrations/20251206100000_add_integrations_tables/migration.sql b/packages/db/prisma/migrations/20251206100000_add_integrations_tables/migration.sql
new file mode 100644
index 000000000..7cc34f771
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206100000_add_integrations_tables/migration.sql
@@ -0,0 +1,190 @@
+-- CreateEnum
+CREATE TYPE "public"."IntegrationConnectionStatus" AS ENUM ('pending', 'active', 'error', 'paused', 'disconnected');
+
+-- CreateEnum
+CREATE TYPE "public"."IntegrationRunJobType" AS ENUM ('full_sync', 'delta_sync', 'webhook', 'manual', 'test_connection');
+
+-- CreateEnum
+CREATE TYPE "public"."IntegrationRunStatus" AS ENUM ('pending', 'running', 'success', 'failed', 'cancelled');
+
+-- CreateEnum
+CREATE TYPE "public"."IntegrationFindingSeverity" AS ENUM ('info', 'low', 'medium', 'high', 'critical');
+
+-- CreateEnum
+CREATE TYPE "public"."IntegrationFindingStatus" AS ENUM ('open', 'resolved', 'ignored');
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationProvider" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('prv'::text),
+    "slug" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "manifestHash" TEXT,
+    "capabilities" JSONB NOT NULL DEFAULT '[]',
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "IntegrationProvider_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationConnection" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('icn'::text),
+    "providerId" TEXT NOT NULL,
+    "organizationId" TEXT NOT NULL,
+    "status" "public"."IntegrationConnectionStatus" NOT NULL DEFAULT 'pending',
+    "authStrategy" TEXT NOT NULL,
+    "activeCredentialVersionId" TEXT,
+    "lastSyncAt" TIMESTAMP(3),
+    "nextSyncAt" TIMESTAMP(3),
+    "syncCadence" TEXT,
+    "metadata" JSONB,
+    "errorMessage" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "IntegrationConnection_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationCredentialVersion" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('icv'::text),
+    "connectionId" TEXT NOT NULL,
+    "encryptedPayload" JSONB NOT NULL,
+    "version" INTEGER NOT NULL,
+    "expiresAt" TIMESTAMP(3),
+    "rotatedAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "IntegrationCredentialVersion_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationRun" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('irn'::text),
+    "connectionId" TEXT NOT NULL,
+    "jobType" "public"."IntegrationRunJobType" NOT NULL,
+    "status" "public"."IntegrationRunStatus" NOT NULL DEFAULT 'pending',
+    "startedAt" TIMESTAMP(3),
+    "completedAt" TIMESTAMP(3),
+    "durationMs" INTEGER,
+    "findingsCount" INTEGER NOT NULL DEFAULT 0,
+    "error" JSONB,
+    "metadata" JSONB,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "IntegrationRun_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationPlatformFinding" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('ipf'::text),
+    "runId" TEXT,
+    "connectionId" TEXT NOT NULL,
+    "resourceType" TEXT NOT NULL,
+    "resourceId" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "description" TEXT,
+    "severity" "public"."IntegrationFindingSeverity" NOT NULL DEFAULT 'info',
+    "status" "public"."IntegrationFindingStatus" NOT NULL DEFAULT 'open',
+    "remediation" TEXT,
+    "rawPayload" JSONB,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "IntegrationPlatformFinding_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationOAuthState" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('ios'::text),
+    "state" TEXT NOT NULL,
+    "providerSlug" TEXT NOT NULL,
+    "organizationId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "codeVerifier" TEXT,
+    "redirectUrl" TEXT,
+    "expiresAt" TIMESTAMP(3) NOT NULL,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "IntegrationOAuthState_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationProvider_slug_key" ON "public"."IntegrationProvider"("slug");
+
+-- CreateIndex
+CREATE INDEX "IntegrationProvider_slug_idx" ON "public"."IntegrationProvider"("slug");
+
+-- CreateIndex
+CREATE INDEX "IntegrationProvider_category_idx" ON "public"."IntegrationProvider"("category");
+
+-- CreateIndex
+CREATE INDEX "IntegrationConnection_organizationId_idx" ON "public"."IntegrationConnection"("organizationId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationConnection_providerId_idx" ON "public"."IntegrationConnection"("providerId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationConnection_status_idx" ON "public"."IntegrationConnection"("status");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationConnection_providerId_organizationId_key" ON "public"."IntegrationConnection"("providerId", "organizationId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCredentialVersion_connectionId_idx" ON "public"."IntegrationCredentialVersion"("connectionId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationCredentialVersion_connectionId_version_key" ON "public"."IntegrationCredentialVersion"("connectionId", "version");
+
+-- CreateIndex
+CREATE INDEX "IntegrationRun_connectionId_idx" ON "public"."IntegrationRun"("connectionId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationRun_status_idx" ON "public"."IntegrationRun"("status");
+
+-- CreateIndex
+CREATE INDEX "IntegrationRun_createdAt_idx" ON "public"."IntegrationRun"("createdAt");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformFinding_connectionId_idx" ON "public"."IntegrationPlatformFinding"("connectionId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformFinding_runId_idx" ON "public"."IntegrationPlatformFinding"("runId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformFinding_resourceType_resourceId_idx" ON "public"."IntegrationPlatformFinding"("resourceType", "resourceId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformFinding_severity_idx" ON "public"."IntegrationPlatformFinding"("severity");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformFinding_status_idx" ON "public"."IntegrationPlatformFinding"("status");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationOAuthState_state_key" ON "public"."IntegrationOAuthState"("state");
+
+-- CreateIndex
+CREATE INDEX "IntegrationOAuthState_state_idx" ON "public"."IntegrationOAuthState"("state");
+
+-- CreateIndex
+CREATE INDEX "IntegrationOAuthState_expiresAt_idx" ON "public"."IntegrationOAuthState"("expiresAt");
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationConnection" ADD CONSTRAINT "IntegrationConnection_providerId_fkey" FOREIGN KEY ("providerId") REFERENCES "public"."IntegrationProvider"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationConnection" ADD CONSTRAINT "IntegrationConnection_organizationId_fkey" FOREIGN KEY ("organizationId") REFERENCES "public"."Organization"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationCredentialVersion" ADD CONSTRAINT "IntegrationCredentialVersion_connectionId_fkey" FOREIGN KEY ("connectionId") REFERENCES "public"."IntegrationConnection"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationRun" ADD CONSTRAINT "IntegrationRun_connectionId_fkey" FOREIGN KEY ("connectionId") REFERENCES "public"."IntegrationConnection"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationPlatformFinding" ADD CONSTRAINT "IntegrationPlatformFinding_runId_fkey" FOREIGN KEY ("runId") REFERENCES "public"."IntegrationRun"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationPlatformFinding" ADD CONSTRAINT "IntegrationPlatformFinding_connectionId_fkey" FOREIGN KEY ("connectionId") REFERENCES "public"."IntegrationConnection"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/packages/db/prisma/migrations/20251206101000_add_oauth_table/migration.sql b/packages/db/prisma/migrations/20251206101000_add_oauth_table/migration.sql
new file mode 100644
index 000000000..ccefa9bfa
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206101000_add_oauth_table/migration.sql
@@ -0,0 +1,26 @@
+-- CreateTable
+CREATE TABLE "public"."IntegrationOAuthApp" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('ioa'::text),
+    "providerSlug" TEXT NOT NULL,
+    "organizationId" TEXT NOT NULL,
+    "encryptedClientId" JSONB NOT NULL,
+    "encryptedClientSecret" JSONB NOT NULL,
+    "customScopes" TEXT[],
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "IntegrationOAuthApp_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "IntegrationOAuthApp_organizationId_idx" ON "public"."IntegrationOAuthApp"("organizationId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationOAuthApp_providerSlug_idx" ON "public"."IntegrationOAuthApp"("providerSlug");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationOAuthApp_providerSlug_organizationId_key" ON "public"."IntegrationOAuthApp"("providerSlug", "organizationId");
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationOAuthApp" ADD CONSTRAINT "IntegrationOAuthApp_organizationId_fkey" FOREIGN KEY ("organizationId") REFERENCES "public"."Organization"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/packages/db/prisma/migrations/20251206102000_add_platform_credentials/migration.sql b/packages/db/prisma/migrations/20251206102000_add_platform_credentials/migration.sql
new file mode 100644
index 000000000..1af731bfe
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206102000_add_platform_credentials/migration.sql
@@ -0,0 +1,24 @@
+-- AlterTable
+ALTER TABLE "public"."User" ADD COLUMN     "isPlatformAdmin" BOOLEAN NOT NULL DEFAULT false;
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationPlatformCredential" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('ipc'::text),
+    "providerSlug" TEXT NOT NULL,
+    "encryptedClientId" JSONB NOT NULL,
+    "encryptedClientSecret" JSONB NOT NULL,
+    "customScopes" TEXT[],
+    "isActive" BOOLEAN NOT NULL DEFAULT true,
+    "createdById" TEXT,
+    "updatedById" TEXT,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "IntegrationPlatformCredential_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "IntegrationPlatformCredential_providerSlug_key" ON "public"."IntegrationPlatformCredential"("providerSlug");
+
+-- CreateIndex
+CREATE INDEX "IntegrationPlatformCredential_providerSlug_idx" ON "public"."IntegrationPlatformCredential"("providerSlug");
diff --git a/packages/db/prisma/migrations/20251206103000_add_variables_to_providers/migration.sql b/packages/db/prisma/migrations/20251206103000_add_variables_to_providers/migration.sql
new file mode 100644
index 000000000..039a43f97
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206103000_add_variables_to_providers/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."IntegrationConnection" ADD COLUMN     "variables" JSONB;
diff --git a/packages/db/prisma/migrations/20251206104000_add_runs_to_integrations/migration.sql b/packages/db/prisma/migrations/20251206104000_add_runs_to_integrations/migration.sql
new file mode 100644
index 000000000..7707138f5
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206104000_add_runs_to_integrations/migration.sql
@@ -0,0 +1,70 @@
+-- CreateTable
+CREATE TABLE "public"."IntegrationCheckRun" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('icr'::text),
+    "connectionId" TEXT NOT NULL,
+    "taskId" TEXT,
+    "checkId" TEXT NOT NULL,
+    "checkName" TEXT NOT NULL,
+    "status" "public"."IntegrationRunStatus" NOT NULL DEFAULT 'pending',
+    "startedAt" TIMESTAMP(3),
+    "completedAt" TIMESTAMP(3),
+    "durationMs" INTEGER,
+    "totalChecked" INTEGER NOT NULL DEFAULT 0,
+    "passedCount" INTEGER NOT NULL DEFAULT 0,
+    "failedCount" INTEGER NOT NULL DEFAULT 0,
+    "errorMessage" TEXT,
+    "logs" JSONB,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "IntegrationCheckRun_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."IntegrationCheckResult" (
+    "id" TEXT NOT NULL DEFAULT generate_prefixed_cuid('icx'::text),
+    "checkRunId" TEXT NOT NULL,
+    "passed" BOOLEAN NOT NULL,
+    "resourceType" TEXT NOT NULL,
+    "resourceId" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "description" TEXT,
+    "severity" "public"."IntegrationFindingSeverity",
+    "remediation" TEXT,
+    "evidence" JSONB,
+    "collectedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "IntegrationCheckResult_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckRun_connectionId_idx" ON "public"."IntegrationCheckRun"("connectionId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckRun_taskId_idx" ON "public"."IntegrationCheckRun"("taskId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckRun_checkId_idx" ON "public"."IntegrationCheckRun"("checkId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckRun_status_idx" ON "public"."IntegrationCheckRun"("status");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckRun_createdAt_idx" ON "public"."IntegrationCheckRun"("createdAt");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckResult_checkRunId_idx" ON "public"."IntegrationCheckResult"("checkRunId");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckResult_passed_idx" ON "public"."IntegrationCheckResult"("passed");
+
+-- CreateIndex
+CREATE INDEX "IntegrationCheckResult_resourceType_resourceId_idx" ON "public"."IntegrationCheckResult"("resourceType", "resourceId");
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationCheckRun" ADD CONSTRAINT "IntegrationCheckRun_connectionId_fkey" FOREIGN KEY ("connectionId") REFERENCES "public"."IntegrationConnection"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationCheckRun" ADD CONSTRAINT "IntegrationCheckRun_taskId_fkey" FOREIGN KEY ("taskId") REFERENCES "public"."Task"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."IntegrationCheckResult" ADD CONSTRAINT "IntegrationCheckResult_checkRunId_fkey" FOREIGN KEY ("checkRunId") REFERENCES "public"."IntegrationCheckRun"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/packages/db/prisma/migrations/20251206105000_add_custom_settings_to_oauth_app/migration.sql b/packages/db/prisma/migrations/20251206105000_add_custom_settings_to_oauth_app/migration.sql
new file mode 100644
index 000000000..bb381bb0b
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206105000_add_custom_settings_to_oauth_app/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."IntegrationOAuthApp" ADD COLUMN     "customSettings" JSONB;
diff --git a/packages/db/prisma/migrations/20251206106000_add_custom_settings_to_platform_credential/migration.sql b/packages/db/prisma/migrations/20251206106000_add_custom_settings_to_platform_credential/migration.sql
new file mode 100644
index 000000000..788309e6c
--- /dev/null
+++ b/packages/db/prisma/migrations/20251206106000_add_custom_settings_to_platform_credential/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "public"."IntegrationPlatformCredential" ADD COLUMN     "customSettings" JSONB;
diff --git a/packages/db/prisma/schema.prisma b/packages/db/prisma/schema.prisma
index 0c58ddb92..be799d7b8 100644
--- a/packages/db/prisma/schema.prisma
+++ b/packages/db/prisma/schema.prisma
@@ -7,6 +7,5 @@ generator client {
 datasource db {
   provider   = "postgresql"
   url        = env("DATABASE_URL")
-  directUrl  = env("DATABASE_URL")
   extensions = [pgcrypto]
 }
diff --git a/packages/db/prisma/schema/auth.prisma b/packages/db/prisma/schema/auth.prisma
index 68f559b3d..f53ab2e76 100644
--- a/packages/db/prisma/schema/auth.prisma
+++ b/packages/db/prisma/schema/auth.prisma
@@ -9,6 +9,7 @@ model User {
   lastLogin                      DateTime?
   emailNotificationsUnsubscribed Boolean   @default(false)
   emailPreferences               Json?     @default("{\"policyNotifications\":true,\"taskReminders\":true,\"weeklyTaskDigest\":true,\"unassignedItemsNotifications\":true}")
+  isPlatformAdmin                Boolean   @default(false)
 
   accounts           Account[]
   auditLog           AuditLog[]
diff --git a/packages/db/prisma/schema/integration-platform.prisma b/packages/db/prisma/schema/integration-platform.prisma
new file mode 100644
index 000000000..3ce5e9072
--- /dev/null
+++ b/packages/db/prisma/schema/integration-platform.prisma
@@ -0,0 +1,415 @@
+// ===== Integration Platform =====
+// New integration platform models for scalable, config-driven integrations
+
+/// Stores metadata about available integration providers (synced from code manifests)
+model IntegrationProvider {
+    id           String  @id @default(dbgenerated("generate_prefixed_cuid('prv'::text)"))
+    /// Unique slug matching manifest ID (e.g., "github", "slack")
+    slug         String  @unique
+    /// Display name
+    name         String
+    /// Category for grouping
+    category     String
+    /// Hash of manifest for detecting changes
+    manifestHash String?
+    /// Capabilities JSON array
+    capabilities Json    @default("[]")
+    /// Whether provider is active
+    isActive     Boolean @default(true)
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    connections IntegrationConnection[]
+
+    @@index([slug])
+    @@index([category])
+}
+
+/// Represents an organization's connection to an integration provider
+model IntegrationConnection {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icn'::text)"))
+
+    /// Reference to the provider
+    providerId String
+    provider   IntegrationProvider @relation(fields: [providerId], references: [id], onDelete: Cascade)
+
+    /// Organization that owns this connection
+    organizationId String
+    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+    /// Connection status
+    status IntegrationConnectionStatus @default(pending)
+
+    /// Auth strategy used (oauth2, api_key, basic, jwt, custom)
+    authStrategy String
+
+    /// Reference to active credential version
+    activeCredentialVersionId String?
+
+    /// Last successful sync timestamp
+    lastSyncAt DateTime?
+
+    /// Next scheduled sync timestamp
+    nextSyncAt DateTime?
+
+    /// Custom sync cadence (cron expression), null = use default
+    syncCadence String?
+
+    /// Additional metadata (e.g., connected account info)
+    metadata Json?
+
+    /// User-configured variables for checks (collected after OAuth)
+    variables Json?
+
+    /// Error message if status is error
+    errorMessage String?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    credentialVersions IntegrationCredentialVersion[]
+    runs               IntegrationRun[]
+    findings           IntegrationPlatformFinding[]
+    checkRuns          IntegrationCheckRun[]
+
+    @@unique([providerId, organizationId])
+    @@index([organizationId])
+    @@index([providerId])
+    @@index([status])
+}
+
+enum IntegrationConnectionStatus {
+    pending // Awaiting credential setup
+    active // Connected and operational
+    error // Connection has errors
+    paused // Manually paused by user
+    disconnected // User disconnected
+}
+
+/// Stores encrypted credentials with versioning for audit trail
+model IntegrationCredentialVersion {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icv'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Encrypted credential payload (JSON with encrypted fields)
+    encryptedPayload Json
+
+    /// Version number (auto-increment per connection)
+    version Int
+
+    /// Token expiration (for OAuth tokens)
+    expiresAt DateTime?
+
+    /// When this version was rotated/replaced
+    rotatedAt DateTime?
+
+    createdAt DateTime @default(now())
+
+    @@unique([connectionId, version])
+    @@index([connectionId])
+}
+
+/// Records each sync/job execution for audit and debugging
+model IntegrationRun {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('irn'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Type of job
+    jobType IntegrationRunJobType
+
+    /// Execution status
+    status IntegrationRunStatus @default(pending)
+
+    /// Timestamps
+    startedAt   DateTime?
+    completedAt DateTime?
+
+    /// Duration in milliseconds
+    durationMs Int?
+
+    /// Number of findings from this run
+    findingsCount Int @default(0)
+
+    /// Error details if failed
+    error Json?
+
+    /// Additional metadata (trigger source, cursor, etc.)
+    metadata Json?
+
+    createdAt DateTime @default(now())
+
+    findings IntegrationPlatformFinding[]
+
+    @@index([connectionId])
+    @@index([status])
+    @@index([createdAt])
+}
+
+enum IntegrationRunJobType {
+    full_sync
+    delta_sync
+    webhook
+    manual
+    test_connection
+}
+
+enum IntegrationRunStatus {
+    pending
+    running
+    success
+    failed
+    cancelled
+}
+
+/// Stores findings/results from integration syncs
+model IntegrationPlatformFinding {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ipf'::text)"))
+
+    /// Parent run (optional - webhooks may not have runs)
+    runId String?
+    run   IntegrationRun? @relation(fields: [runId], references: [id], onDelete: SetNull)
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Resource classification
+    resourceType String
+    resourceId   String
+
+    /// Finding details
+    title       String
+    description String?
+
+    /// Severity level
+    severity IntegrationFindingSeverity @default(info)
+
+    /// Finding status
+    status IntegrationFindingStatus @default(open)
+
+    /// Remediation guidance
+    remediation String?
+
+    /// Raw payload from provider
+    rawPayload Json?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@index([connectionId])
+    @@index([runId])
+    @@index([resourceType, resourceId])
+    @@index([severity])
+    @@index([status])
+}
+
+enum IntegrationFindingSeverity {
+    info
+    low
+    medium
+    high
+    critical
+}
+
+enum IntegrationFindingStatus {
+    open
+    resolved
+    ignored
+}
+
+/// Stores OAuth state for CSRF protection during OAuth flow
+model IntegrationOAuthState {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ios'::text)"))
+
+    /// Random state parameter
+    state String @unique
+
+    /// Provider slug
+    providerSlug String
+
+    /// Organization initiating the OAuth
+    organizationId String
+
+    /// User initiating the OAuth
+    userId String
+
+    /// PKCE code verifier (if using PKCE)
+    codeVerifier String?
+
+    /// Redirect URL after OAuth completes
+    redirectUrl String?
+
+    /// Expiration timestamp
+    expiresAt DateTime
+
+    createdAt DateTime @default(now())
+
+    @@index([state])
+    @@index([expiresAt])
+}
+
+/// Stores organization-level OAuth app credentials
+/// Allows orgs (especially self-hosters) to use their own OAuth apps
+model IntegrationOAuthApp {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ioa'::text)"))
+
+    /// Provider slug (e.g., "github", "slack")
+    providerSlug String
+
+    /// Organization that owns this OAuth app config
+    organizationId String
+    organization   Organization @relation(fields: [organizationId], references: [id], onDelete: Cascade)
+
+    /// Encrypted client ID
+    encryptedClientId Json
+
+    /// Encrypted client secret
+    encryptedClientSecret Json
+
+    /// Optional: custom scopes (overrides manifest defaults)
+    customScopes String[]
+
+    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+    /// Stored as JSON: { "appName": "compai533c" }
+    customSettings Json?
+
+    /// Whether this config is active
+    isActive Boolean @default(true)
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@unique([providerSlug, organizationId])
+    @@index([organizationId])
+    @@index([providerSlug])
+}
+
+/// Records check runs linked to tasks for compliance verification
+model IntegrationCheckRun {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icr'::text)"))
+
+    /// Parent connection
+    connectionId String
+    connection   IntegrationConnection @relation(fields: [connectionId], references: [id], onDelete: Cascade)
+
+    /// Task being verified (optional - checks can run without a task)
+    taskId String?
+    task   Task?   @relation(fields: [taskId], references: [id], onDelete: SetNull)
+
+    /// Check ID from the manifest
+    checkId String
+
+    /// Check name (denormalized for display)
+    checkName String
+
+    /// Execution status
+    status IntegrationRunStatus @default(pending)
+
+    /// Timestamps
+    startedAt   DateTime?
+    completedAt DateTime?
+
+    /// Duration in milliseconds
+    durationMs Int?
+
+    /// Summary counts
+    totalChecked Int @default(0)
+    passedCount  Int @default(0)
+    failedCount  Int @default(0)
+
+    /// Error message if failed
+    errorMessage String?
+
+    /// Full execution logs (JSON array)
+    logs Json?
+
+    createdAt DateTime @default(now())
+
+    /// Results from this check run
+    results IntegrationCheckResult[]
+
+    @@index([connectionId])
+    @@index([taskId])
+    @@index([checkId])
+    @@index([status])
+    @@index([createdAt])
+}
+
+/// Stores individual results (pass/fail) from check runs
+model IntegrationCheckResult {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('icx'::text)"))
+
+    /// Parent check run
+    checkRunId String
+    checkRun   IntegrationCheckRun @relation(fields: [checkRunId], references: [id], onDelete: Cascade)
+
+    /// Whether this result is a pass or fail
+    passed Boolean
+
+    /// Resource classification
+    resourceType String
+    resourceId   String
+
+    /// Result details
+    title       String
+    description String?
+
+    /// Severity (for failures)
+    severity IntegrationFindingSeverity?
+
+    /// Remediation guidance (for failures)
+    remediation String?
+
+    /// Evidence/proof (JSON - API response data)
+    evidence Json?
+
+    /// When this evidence was collected
+    collectedAt DateTime @default(now())
+
+    @@index([checkRunId])
+    @@index([passed])
+    @@index([resourceType, resourceId])
+}
+
+/// Stores platform-wide OAuth app credentials
+/// Used by platform operators to provide default OAuth apps for all users
+model IntegrationPlatformCredential {
+    id String @id @default(dbgenerated("generate_prefixed_cuid('ipc'::text)"))
+
+    /// Provider slug (e.g., "github", "slack") - unique per platform
+    providerSlug String @unique
+
+    /// Encrypted client ID
+    encryptedClientId Json
+
+    /// Encrypted client secret
+    encryptedClientSecret Json
+
+    /// Optional: custom scopes (overrides manifest defaults)
+    customScopes String[]
+
+    /// Provider-specific settings (e.g., Rippling app name for authorize URL)
+    /// Stored as JSON: { "appName": "compai533c" }
+    customSettings Json?
+
+    /// Whether this credential is active
+    isActive Boolean @default(true)
+
+    /// Who created this credential
+    createdById String?
+
+    /// Who last updated this credential
+    updatedById String?
+
+    createdAt DateTime @default(now())
+    updatedAt DateTime @updatedAt
+
+    @@index([providerSlug])
+}
diff --git a/packages/db/prisma/schema/organization.prisma b/packages/db/prisma/schema/organization.prisma
index 3558e064d..63c345cd9 100644
--- a/packages/db/prisma/schema/organization.prisma
+++ b/packages/db/prisma/schema/organization.prisma
@@ -15,6 +15,10 @@ model Organization {
   fleetDmLabelId        Int?
   isFleetSetupCompleted Boolean @default(false)
 
+  // Employee sync provider (e.g., 'google-workspace', 'rippling')
+  // When set, the scheduled sync will only use this provider
+  employeeSyncProvider  String?
+
   apiKeys                            ApiKey[]
   auditLog                           AuditLog[]
   controls                           Control[]
@@ -40,5 +44,9 @@ model Organization {
   securityQuestionnaireManualAnswers SecurityQuestionnaireManualAnswer[]
   soaDocuments                       SOADocument[]
 
+  // Integration Platform
+  integrationConnections IntegrationConnection[]
+  integrationOAuthApps   IntegrationOAuthApp[]
+
   @@index([slug])
 }
diff --git a/packages/db/prisma/schema/task.prisma b/packages/db/prisma/schema/task.prisma
index 25f4b2923..a5372b455 100644
--- a/packages/db/prisma/schema/task.prisma
+++ b/packages/db/prisma/schema/task.prisma
@@ -26,7 +26,8 @@ model Task {
   risks               Risk[]
   evidenceAutomations EvidenceAutomation[]
 
-  EvidenceAutomationRun EvidenceAutomationRun[]
+  EvidenceAutomationRun   EvidenceAutomationRun[]
+  integrationCheckRuns    IntegrationCheckRun[]
 }
 
 enum TaskStatus {
diff --git a/packages/db/prisma/seed/seed.ts b/packages/db/prisma/seed/seed.ts
index 12f0d3045..1fe869495 100644
--- a/packages/db/prisma/seed/seed.ts
+++ b/packages/db/prisma/seed/seed.ts
@@ -3,7 +3,9 @@ import fs from 'node:fs/promises';
 import path from 'node:path';
 import { frameworkEditorModelSchemas } from './frameworkEditorSchemas';
 
-const prisma = new PrismaClient();
+const prisma = new PrismaClient({
+  datasourceUrl: process.env.DATABASE_URL,
+});
 
 async function seedJsonFiles(subDirectory: string) {
   const directoryPath = path.join(__dirname, subDirectory);
diff --git a/packages/db/src/client.ts b/packages/db/src/client.ts
index a696328be..d4c299dd2 100644
--- a/packages/db/src/client.ts
+++ b/packages/db/src/client.ts
@@ -2,6 +2,10 @@ import { PrismaClient } from '@prisma/client';
 
 const globalForPrisma = global as unknown as { prisma: PrismaClient };
 
-export const db = globalForPrisma.prisma || new PrismaClient();
+export const db =
+  globalForPrisma.prisma ||
+  new PrismaClient({
+    datasourceUrl: process.env.DATABASE_URL,
+  });
 
 if (process.env.NODE_ENV !== 'production') globalForPrisma.prisma = db;
diff --git a/packages/docs/docs.json b/packages/docs/docs.json
index 16c6a7c4e..8a9d6b147 100644
--- a/packages/docs/docs.json
+++ b/packages/docs/docs.json
@@ -46,6 +46,33 @@
           }
         ]
       },
+      {
+        "tab": "Integrations",
+        "groups": [
+          {
+            "group": "Platform Overview",
+            "pages": [
+              "integrations/index"
+            ]
+          },
+          {
+            "group": "Developer Guides",
+            "pages": [
+              "integrations/writing-integrations",
+              "integrations/authentication",
+              "integrations/variables",
+              "integrations/checks",
+              "integrations/contributing"
+            ]
+          },
+          {
+            "group": "Self-Hosting",
+            "pages": [
+              "integrations/oauth-setup"
+            ]
+          }
+        ]
+      },
       {
         "tab": "API",
         "openapi": { "source": "./openapi.json" }
diff --git a/packages/docs/integrations/authentication.mdx b/packages/docs/integrations/authentication.mdx
new file mode 100644
index 000000000..6237c96e4
--- /dev/null
+++ b/packages/docs/integrations/authentication.mdx
@@ -0,0 +1,641 @@
+---
+title: 'Authentication Reference'
+description: 'Complete guide to all authentication types supported by the integration platform'
+---
+
+## Overview
+
+The integration platform supports **4 authentication strategies**. Choose based on what the third-party service offers.
+
+## Quick Comparison
+
+| Type           | When to Use                    | User Setup                  | Platform Setup             | Token Refresh           |
+| -------------- | ------------------------------ | --------------------------- | -------------------------- | ----------------------- |
+| **OAuth 2.0**  | Service has OAuth              | 1-click connect             | Admin configures OAuth app | Auto                 |
+| **API Key**    | Service uses API keys          | User enters key             | None                       | N/A (keys don't expire) |
+| **Basic Auth** | Service uses username/password | User enters creds           | None                       | N/A                     |
+| **Custom**     | Complex multi-field auth       | User enters multiple fields | None                       | N/A                     |
+
+---
+
+## OAuth 2.0
+
+**Best for:** GitHub, Google, Linear, Vercel, most modern SaaS
+
+### Configuration
+
+```typescript
+auth: {
+  type: 'oauth2',
+  config: {
+    // Required
+    authorizeUrl: 'https://provider.com/oauth/authorize',
+    tokenUrl: 'https://provider.com/oauth/token',
+    scopes: ['read:user', 'read:org'],
+
+    // Optional
+    pkce: false,                    // Use PKCE flow? (default: false)
+    clientAuthMethod: 'body',       // 'body' or 'header' (default: 'body')
+    supportsRefreshToken: true,     // Can tokens be refreshed? (default: true)
+
+    // Additional params sent during authorization
+    authorizationParams: {
+      access_type: 'offline',      // Request refresh token
+      prompt: 'consent',           // Force consent screen
+    },
+
+    // Additional params sent during token exchange
+    tokenParams: {
+      grant_type: 'authorization_code',
+    },
+
+    // Admin setup instructions (Markdown)
+    setupInstructions: `...`,
+
+    // URL to create OAuth app
+    createAppUrl: 'https://provider.com/apps/new',
+
+    // Custom settings (advanced)
+    customSettings: [
+      {
+        id: 'app_name',
+        label: 'App Name',
+        type: 'text',
+        required: true,
+        token: '{APP_NAME}', // Replaces in authorizeUrl
+      },
+    ],
+  },
+},
+```
+
+### Key Options Explained
+
+#### `pkce` (Proof Key for Code Exchange)
+
+**When to use:** Some providers require it (GitHub does NOT, Auth0 does)
+
+```typescript
+pkce: true; // Generates code_verifier and code_challenge
+```
+
+#### `clientAuthMethod`
+
+**How to send client credentials during token exchange:**
+
+- `'body'` (default): Send as form fields
+
+  ```
+  POST /token
+  client_id=...&client_secret=...
+  ```
+
+- `'header'`: Send as Basic Auth header
+  ```
+  POST /token
+  Authorization: Basic base64(client_id:client_secret)
+  ```
+
+**Use `header` for:** OAuth providers that require Basic Auth (some enterprise providers)
+
+#### `supportsRefreshToken`
+
+**Controls token refresh behavior:**
+
+- `true` (default): Platform auto-refreshes tokens before expiry
+- `false`: Tokens are long-lived (e.g., GitHub Personal Access Tokens)
+
+**Set to `false` if:** Provider doesn't support refresh tokens or tokens never expire
+
+#### `customSettings`
+
+**For providers with non-standard OAuth requirements:**
+
+**Example:** Rippling needs app name in authorize URL:
+
+```typescript
+authorizeUrl: 'https://api.rippling.com/connect/authorize/{APP_NAME}',
+customSettings: [
+  {
+    id: 'app_name',
+    label: 'Rippling App Name',
+    type: 'text',
+    required: true,
+    token: '{APP_NAME}',
+  },
+],
+```
+
+Platform admin enters `app_name` → Platform replaces `{APP_NAME}` in URL.
+
+### Access Token in Checks
+
+```typescript
+run: async (ctx: CheckContext) => {
+  // Access token is automatically available
+  const token = ctx.accessToken;
+
+  // ctx.fetch() automatically adds Bearer token
+  const data = await ctx.fetch('/api/endpoint');
+
+  // For custom headers
+  const response = await fetch(url, {
+    headers: {
+      Authorization: `Bearer ${ctx.accessToken}`,
+    },
+  });
+};
+```
+
+---
+
+## API Key
+
+**Best for:** Simple REST APIs with static API keys (e.g., Stripe, SendGrid)
+
+### Configuration
+
+```typescript
+auth: {
+  type: 'api_key',
+  config: {
+    in: 'header',           // or 'query'
+    name: 'X-API-Key',      // Header name or query param name
+    prefix: 'Bearer ',      // Optional prefix (e.g., "Bearer ", "Token ")
+  },
+},
+```
+
+### Key Options
+
+#### `in` - Where to send the API key
+
+**Header (recommended):**
+
+```typescript
+in: 'header',
+name: 'X-API-Key',
+
+// Results in:
+// X-API-Key: your-api-key-value
+```
+
+**Query parameter:**
+
+```typescript
+in: 'query',
+name: 'api_key',
+
+// Results in:
+// GET /endpoint?api_key=your-api-key-value
+```
+
+**Use query for:** APIs that don't accept custom headers (rare)
+
+#### `prefix` - Add a prefix to the key
+
+```typescript
+prefix: 'Bearer ',   // Common for tokens
+prefix: 'Token ',    // Some APIs use this
+prefix: '',          // No prefix (default)
+
+// Example with Bearer:
+// Authorization: Bearer sk_live_abc123...
+```
+
+### Credential Field
+
+User will see a form field to enter the API key:
+
+```typescript
+// Automatically generated credential field
+{
+  id: 'api_key',
+  label: 'API Key',
+  type: 'password',
+  required: true,
+  placeholder: 'sk_live_...',
+  helpText: 'Found in Settings → API Keys',
+}
+```
+
+### Access in Checks
+
+```typescript
+run: async (ctx: CheckContext) => {
+  // API key is automatically added to requests
+  const data = await ctx.fetch('/endpoint');
+
+  // Or access it directly
+  const apiKey = ctx.credentials.api_key;
+};
+```
+
+---
+
+## Basic Auth
+
+**Best for:** APIs using username/password authentication (e.g., some internal tools)
+
+### Configuration
+
+```typescript
+auth: {
+  type: 'basic',
+  config: {
+    usernameField: 'username',  // Default, can customize
+    passwordField: 'password',  // Default, can customize
+  },
+},
+```
+
+### Credential Fields
+
+Users will see two fields:
+
+```typescript
+// Automatically generated
+[
+  {
+    id: 'username',
+    label: 'Username',
+    type: 'text',
+    required: true,
+  },
+  {
+    id: 'password',
+    label: 'Password',
+    type: 'password',
+    required: true,
+  },
+];
+```
+
+### Custom Field Names
+
+```typescript
+auth: {
+  type: 'basic',
+  config: {
+    usernameField: 'email',      // Use 'email' instead of 'username'
+    passwordField: 'api_token',  // Use 'api_token' instead of 'password'
+  },
+},
+```
+
+### Access in Checks
+
+```typescript
+run: async (ctx: CheckContext) => {
+  // Basic Auth header is automatically added
+  // Authorization: Basic base64(username:password)
+  const data = await ctx.fetch('/endpoint');
+
+  // Or access credentials directly
+  const username = ctx.credentials.username;
+  const password = ctx.credentials.password;
+};
+```
+
+---
+
+## Custom Auth
+
+**Best for:** Complex authentication requiring multiple fields (AWS IAM Role, Azure Service Principal, GCP Service Account)
+
+### Configuration
+
+```typescript
+auth: {
+  type: 'custom',
+  config: {
+    description: 'AWS IAM Role for cross-account access',
+
+    credentialFields: [
+      {
+        id: 'roleArn',
+        label: 'IAM Role ARN',
+        type: 'text',
+        required: true,
+        placeholder: 'arn:aws:iam::123456789012:role/MyRole',
+        helpText: 'The ARN of the IAM role to assume',
+      },
+      {
+        id: 'externalId',
+        label: 'External ID',
+        type: 'password',
+        required: true,
+        helpText: 'Unique identifier for security',
+      },
+      {
+        id: 'region',
+        label: 'AWS Region',
+        type: 'combobox',
+        required: true,
+        placeholder: 'Select or type...',
+        helpText: 'Primary region for API calls',
+        options: [
+          { value: 'us-east-1', label: 'US East (N. Virginia)' },
+          { value: 'eu-west-1', label: 'Europe (Ireland)' },
+        ],
+      },
+    ],
+
+    setupInstructions: `## Setup Guide
+
+1. Create IAM role in AWS
+2. Copy the Role ARN
+3. Generate External ID
+4. Enter credentials below`,
+  },
+},
+```
+
+### Field Types
+
+| Type       | UI Component                | When to Use      | Example                   |
+| ---------- | --------------------------- | ---------------- | ------------------------- |
+| `text`     | Text input                  | Single-line text | Project ID, Account ID    |
+| `password` | Password input (hidden)     | Secrets, tokens  | API keys, passwords       |
+| `textarea` | Multi-line textarea         | Long text, JSON  | Service account JSON key  |
+| `select`   | Dropdown (fixed options)    | Choose from list | Environment (prod/dev)    |
+| `combobox` | Dropdown + custom input     | Choose or type   | AWS region, timezone      |
+| `number`   | Number input                | Numeric values   | Port, timeout             |
+| `url`      | URL input (with validation) | Web addresses    | Webhook URL, API endpoint |
+
+### Field Options
+
+```typescript
+{
+  id: 'field_name',           // Unique identifier (snake_case)
+  label: 'Field Label',       // Shown to user
+  type: 'text',              // See table above
+  required: true,            // Is this field mandatory?
+  placeholder: 'example...',  // Placeholder text
+  helpText: 'Explain where to find this', // Help text below field
+
+  // For select/combobox only:
+  options: [
+    { value: 'val1', label: 'Option 1' },
+    { value: 'val2', label: 'Option 2' },
+  ],
+}
+```
+
+### Access in Checks
+
+```typescript
+run: async (ctx: CheckContext) => {
+  // All fields available as key-value pairs
+  const roleArn = ctx.credentials.roleArn;
+  const externalId = ctx.credentials.externalId;
+  const region = ctx.credentials.region;
+
+  // Custom authentication logic
+  const client = await createCustomClient({
+    roleArn,
+    externalId,
+    region,
+  });
+};
+```
+
+---
+
+## Choosing an Auth Type
+
+### Decision Tree
+
+```
+Does the service have OAuth?
+├─ YES → Use OAuth 2.0
+│   └─ Best UX, auto token refresh, secure
+│
+└─ NO
+    │
+    Does it use a single API key?
+    ├─ YES → Use API Key
+    │   └─ Simple, user just pastes key
+    │
+    └─ NO
+        │
+        Does it use username + password?
+        ├─ YES → Use Basic Auth
+        │   └─ Two fields, encoded automatically
+        │
+        └─ NO → Use Custom Auth
+            └─ Multiple fields, full control
+```
+
+### Comparison: OAuth vs API Key
+
+| Aspect              | OAuth 2.0                       | API Key                      |
+| ------------------- | ------------------------------- | ---------------------------- |
+| **User Experience** | Best (1-click)               | OK (find & paste key)     |
+| **Security**        | Tokens expire & refresh      | Long-lived secrets        |
+| **Platform Setup**  | Admin must configure         | None needed               |
+| **Revocation**      | User revokes in provider     | User must regenerate key  |
+| **Scope Control**   | Request specific permissions | Key has fixed permissions |
+
+**Recommendation:** Use OAuth if the service supports it.
+
+### Comparison: Basic Auth vs Custom
+
+| Aspect       | Basic Auth            | Custom Auth               |
+| ------------ | --------------------- | ------------------------- |
+| **Fields**   | 2 (username/password) | Any number                |
+| **Encoding** | Auto (Base64)      | Manual in check code      |
+| **Use Case** | Simple APIs           | Complex auth (AWS, Azure) |
+| **Setup**    | Minimal config        | Define all fields         |
+
+**Use Basic Auth for:** Simple username/password APIs  
+**Use Custom Auth for:** Multi-field credentials, service accounts, IAM roles
+
+---
+
+## Examples by Service Type
+
+### Cloud Providers (AWS, Azure, GCP)
+
+**Use:** Custom Auth (service accounts, IAM roles)
+
+**Why:** These services use multi-field credentials that need custom authentication logic. OAuth is possible but service accounts are the recommended approach for programmatic access.
+
+### SaaS Tools (GitHub, Linear, Notion)
+
+**Use:** OAuth 2.0
+
+**Why:** Best user experience, tokens auto-refresh, users can revoke access easily.
+
+### Internal Tools / Legacy APIs
+
+**Use:** Basic Auth or API Key
+
+**Why:** Simpler services often use these methods. Choose based on what the API supports.
+
+---
+
+## Advanced OAuth Options
+
+### PKCE (Proof Key for Code Exchange)
+
+**What it is:** Extra security for OAuth (prevents authorization code interception)
+
+**When to enable:**
+
+```typescript
+pkce: true; // Enable for: Auth0, Okta, some enterprise providers
+pkce: false; // Default for: GitHub, Google, Linear
+```
+
+**How it works:** Platform generates a random `code_verifier`, hashes it to create `code_challenge`, sends challenge during authorization, sends verifier during token exchange.
+
+### Client Authentication Method
+
+**How platform authenticates itself to the provider:**
+
+**Body (default):**
+
+```http
+POST /token
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=authorization_code&code=...&client_id=...&client_secret=...
+```
+
+**Header (Basic Auth):**
+
+```http
+POST /token
+Authorization: Basic base64(client_id:client_secret)
+Content-Type: application/x-www-form-urlencoded
+
+grant_type=authorization_code&code=...
+```
+
+**Use `header` when:** Provider documentation explicitly requires Basic Auth for client authentication.
+
+### Custom Authorization Parameters
+
+**Add extra params to the authorization URL:**
+
+```typescript
+authorizationParams: {
+  access_type: 'offline',    // Google: Request refresh token
+  prompt: 'consent',         // Force consent screen (always request scopes)
+  response_mode: 'query',    // How to return auth code
+}
+```
+
+**Common use cases:**
+
+- `access_type: 'offline'` - Google APIs (get refresh token)
+- `prompt: 'consent'` - Always show consent screen (good for testing)
+- Custom provider-specific params
+
+---
+
+## Security Best Practices
+
+### API Keys
+
+- Use `type: 'password'` for sensitive fields (hidden input)
+- Store in credential vault (auto-encrypted)
+- Never log API keys
+- Add help text explaining where to find/generate the key
+
+### OAuth
+
+- Request minimum scopes needed
+- Use `access_type: 'offline'` for refresh tokens
+- Set `supportsRefreshToken: true` to auto-refresh
+- Explain scope requirements in setup instructions
+
+### Basic Auth
+
+- Both username and password are required
+- Password field is auto-hidden
+- Credentials are auto-encoded to Base64
+- Never log passwords
+
+### Custom Auth
+
+- Mark sensitive fields as `type: 'password'`
+- Validate all required fields in checks
+- Handle missing fields gracefully
+- Don't expose credential values in logs/errors
+
+---
+
+## Complete OAuth Example
+
+```typescript
+auth: {
+  type: 'oauth2',
+  config: {
+    authorizeUrl: 'https://github.com/login/oauth/authorize',
+    tokenUrl: 'https://github.com/login/oauth/access_token',
+    scopes: ['repo', 'read:org', 'read:user'],
+    pkce: false,
+    clientAuthMethod: 'body',
+    supportsRefreshToken: false, // GitHub tokens don't expire
+    authorizationParams: {
+      allow_signup: 'false', // Don't show sign-up on consent
+    },
+    setupInstructions: `## Create GitHub OAuth App
+
+1. Go to https://github.com/settings/developers
+2. Click "New OAuth App"
+3. Enter:
+   - Application name: Your app name
+   - Homepage URL: https://yourapp.com
+   - Callback URL: [shown below]
+4. Click "Register application"
+5. Copy Client ID and generate Client Secret
+6. Paste both below`,
+    createAppUrl: 'https://github.com/settings/apps/new',
+  },
+},
+```
+
+---
+
+## Testing Your Auth
+
+### OAuth
+
+1. Configure platform credentials in `/admin/integrations`
+2. Go to `/integrations` and click Connect
+3. Should redirect to provider OAuth screen
+4. Authorize → Should redirect back successfully
+5. Check connection is active
+
+### API Key / Basic / Custom
+
+1. Go to `/integrations` and click Connect
+2. Form should show your credential fields
+3. Enter test credentials
+4. Connection should be created successfully
+5. Run a check to verify credentials work
+
+### Debug OAuth Issues
+
+Check API logs for:
+
+- `OAuth completed for [provider]` - Success
+- `OAuth callback error` - Authorization failed
+- `Token exchange failed` - Bad client credentials
+- `Invalid state` - State mismatch (check callback URL)
+
+---
+
+## Summary
+
+**Choose your auth type:**
+
+- **Service has OAuth?** → Use OAuth 2.0
+- **Single API key?** → Use API Key
+- **Username/password?** → Use Basic Auth
+- **Multiple fields or complex?** → Use Custom Auth
+
+**OAuth is best when available** - better UX, security, and user control.
diff --git a/packages/docs/integrations/checks.mdx b/packages/docs/integrations/checks.mdx
new file mode 100644
index 000000000..c6cd5f384
--- /dev/null
+++ b/packages/docs/integrations/checks.mdx
@@ -0,0 +1,794 @@
+---
+title: 'Writing Checks Reference'
+description: 'Complete guide to writing compliance checks'
+---
+
+## Overview
+
+Checks are the core of integrations - they validate compliance against external services and report findings.
+
+**A check:**
+- Fetches data from the service API
+- Analyzes it for compliance issues
+- Reports findings (failures) or passing results (successes)
+- Can map to compliance tasks for auto-completion
+
+---
+
+## Check Structure
+
+```typescript
+export const yourCheck: IntegrationCheck = {
+  // Metadata
+  id: 'unique-check-id',
+  name: 'Human-Readable Check Name',
+  description: 'What this check validates',
+  
+  // Optional: Map to a task template
+  taskMapping: TASK_TEMPLATES.twoFactorAuth,
+  
+  // Default severity for findings (can override per finding)
+  defaultSeverity: 'medium',
+  
+  // User-configurable variables
+  variables: [],
+  
+  // The check logic
+  run: async (ctx: CheckContext) => {
+    // Your code here
+  },
+};
+```
+
+---
+
+## CheckContext API Reference
+
+### HTTP Methods
+
+```typescript
+// GET request
+const data = await ctx.fetch<ResponseType>('/endpoint');
+
+// POST request
+const result = await ctx.post<ResponseType>('/endpoint', { body: 'data' });
+
+// PUT request
+const updated = await ctx.put<ResponseType>('/endpoint/:id', { updates });
+
+// PATCH request
+const patched = await ctx.patch<ResponseType>('/endpoint/:id', { partial });
+
+// DELETE request
+await ctx.delete('/endpoint/:id');
+```
+
+### Pagination
+
+**Auto-pagination** (for standardized APIs):
+```typescript
+// Fetches all pages automatically
+const allItems = await ctx.fetchAllPages<Item>('/items');
+```
+
+**Page number pagination:**
+```typescript
+const allItems = await ctx.fetchWithPageNumbers<Item>({
+  path: '/items',
+  maxPages: 100,
+  pageParam: 'page',
+  perPageParam: 'per_page',
+  perPage: 100,
+});
+```
+
+**Cursor pagination:**
+```typescript
+const allItems = await ctx.fetchWithCursor<Item>({
+  path: '/items',
+  maxPages: 100,
+  cursorParam: 'cursor',
+  dataPath: 'data.items',
+  cursorPath: 'data.nextCursor',
+});
+```
+
+**Link header pagination:**
+```typescript
+const allItems = await ctx.fetchWithLinkHeader<Item>('/items', {
+  maxPages: 100,
+});
+```
+
+### GraphQL
+
+```typescript
+const data = await ctx.graphql<QueryResult>(
+  `query {
+    users {
+      id
+      email
+      twoFactorEnabled
+    }
+  }`,
+  { limit: 100 } // Optional variables
+);
+```
+
+### Logging
+
+```typescript
+ctx.log('Info message', { optional: 'metadata' });
+ctx.warn('Warning message', { data });
+```
+
+**Logs appear in:**
+- API console during development
+- Trigger.dev dashboard for background jobs
+- Check run logs in database
+
+### State Storage
+
+**For checks that need to remember data between runs:**
+
+```typescript
+// Save state
+await ctx.state.set('last_check_time', new Date().toISOString());
+
+// Retrieve state
+const lastCheck = await ctx.state.get<string>('last_check_time');
+```
+
+**Use for:** Incremental checks, rate limit tracking, caching
+
+### Available Data
+
+```typescript
+ctx.accessToken;      // OAuth access token (if OAuth)
+ctx.credentials;      // All credentials as object
+ctx.variables;        // User-configured variables
+ctx.connectionId;     // Current connection ID
+ctx.organizationId;   // Current organization ID
+ctx.metadata;         // Connection metadata (e.g., OAuth team info)
+```
+
+---
+
+## Reporting Findings
+
+### ctx.fail() - Report an Issue
+
+```typescript
+ctx.fail({
+  title: 'Issue Title (shown in UI)',
+  resourceType: 'repository',        // Type of resource
+  resourceId: 'org/repo-name',      // Unique resource ID
+  severity: 'high',                 // critical | high | medium | low | info
+  description: 'What is wrong',
+  remediation: 'How to fix it',
+  evidence: {                       // Supporting data
+    currentValue: false,
+    expectedValue: true,
+    checkedAt: new Date(),
+  },
+});
+```
+
+**Required fields:**
+- `title` - Short summary
+- `resourceType` - Category of resource
+- `resourceId` - Unique identifier
+- `severity` - How serious is this?
+- `description` - What's wrong
+- `remediation` - How to fix
+
+**Optional fields:**
+- `evidence` - Any relevant data (stored as JSON)
+
+### ctx.pass() - Report Success
+
+```typescript
+ctx.pass({
+  title: 'Check Passed',
+  resourceType: 'repository',
+  resourceId: 'org/repo-name',
+  description: 'What was validated successfully',
+  evidence: {
+    checkedItems: 10,
+    allPassed: true,
+  },
+});
+```
+
+**When to use:**
+- Check completed successfully
+- Informational results (not just absence of findings)
+- Evidence for auditors
+
+**When NOT to use:**
+- Just because no issues found (that's implied if no `fail()` calls)
+- For intermediate steps (use `ctx.log()` instead)
+
+---
+
+## Severity Levels
+
+| Level | When to Use | Example |
+|-------|-------------|---------|
+| `critical` | Immediate security risk, compliance violation | No encryption, public S3 buckets |
+| `high` | Serious issue, needs urgent fix | 2FA disabled, admin without MFA |
+| `medium` | Important but not urgent | Outdated dependencies, missing alerts |
+| `low` | Minor issue, best practice | Naming conventions, documentation |
+| `info` | Informational, no action needed | Configuration review, statistics |
+
+**Default severity** can be overridden per finding:
+
+```typescript
+export const check: IntegrationCheck = {
+  defaultSeverity: 'medium',  // Default for this check
+  
+  run: async (ctx) => {
+    ctx.fail({
+      severity: 'critical',  // Override for this specific finding
+      // ...
+    });
+  },
+};
+```
+
+---
+
+## Task Mapping
+
+**Auto-complete compliance tasks when checks pass:**
+
+```typescript
+import { TASK_TEMPLATES } from '../../../task-mappings';
+
+export const twoFactorCheck: IntegrationCheck = {
+  id: 'two-factor-auth',
+  taskMapping: TASK_TEMPLATES['2fa'],  // Maps to "2FA" task
+  
+  run: async (ctx) => {
+    // Check 2FA status
+    const allUsersHave2FA = checkTwoFactor();
+    
+    if (allUsersHave2FA) {
+      // When this passes, the "2FA" task is auto-marked as done
+      ctx.pass({
+        title: 'All Users Have 2FA',
+        // ...
+      });
+    }
+  },
+};
+```
+
+**Available task templates:** See `packages/integration-platform/src/task-mappings.ts` for the full list.
+
+**Benefits:**
+- Automatic task completion
+- Reduces manual work
+- Keeps tasks in sync with real state
+
+**When to use:** When the check directly validates what a task requires.
+
+---
+
+## Error Handling
+
+### User-Friendly Errors
+
+**Bad:**
+```typescript
+catch (error) {
+  ctx.fail({
+    title: 'Error',
+    description: error.message,  // Raw API error
+    remediation: 'Fix it',       // Vague
+  });
+}
+```
+
+**Good:**
+```typescript
+catch (error) {
+  const errorMessage = error instanceof Error ? error.message : String(error);
+  ctx.log(`API Error: ${errorMessage}`);  // Log full error
+  
+  if (errorMessage.includes('403') || errorMessage.includes('PERMISSION_DENIED')) {
+    ctx.fail({
+      title: 'Permission Denied',
+      description: 'Your account lacks necessary permissions',
+      remediation: 'Grant the "Security Viewer" role in provider settings → IAM → Add Role',
+      evidence: { error: errorMessage },  // Raw error in evidence (not description)
+    });
+    return;
+  }
+  
+  // Generic fallback
+  ctx.fail({
+    title: 'Failed to Fetch Data',
+    description: 'An error occurred while checking your account',
+    remediation: 'Verify your connection is active and try reconnecting',
+    evidence: { error: errorMessage },
+  });
+}
+```
+
+### Common Error Patterns
+
+**Permission denied:**
+```typescript
+if (errorMessage.includes('403') || errorMessage.includes('PERMISSION_DENIED')) {
+  ctx.fail({
+    title: 'Permission Denied',
+    description: 'Your account does not have access to this resource',
+    remediation: 'Grant [specific role] in provider settings',
+    severity: 'high',
+  });
+  return;
+}
+```
+
+**Resource not found:**
+```typescript
+if (errorMessage.includes('404') || errorMessage.includes('NOT_FOUND')) {
+  ctx.log(`Resource not found: ${resourceId}`);
+  // Don't fail - just skip it
+  return;
+}
+```
+
+**Rate limited:**
+```typescript
+if (errorMessage.includes('429') || errorMessage.includes('rate limit')) {
+  ctx.fail({
+    title: 'Rate Limited',
+    description: 'API rate limit exceeded',
+    remediation: 'Wait a few minutes and try again',
+    severity: 'low',
+  });
+  return;
+}
+```
+
+**Service not enabled:**
+```typescript
+if (errorMessage.includes('not enabled') || errorMessage.includes('not subscribed')) {
+  ctx.pass({  // Use pass() for informational, not fail()
+    title: 'Service Not Enabled',
+    description: 'Security Hub is not enabled in your account',
+    evidence: { note: 'Enable Security Hub to get findings' },
+  });
+  return;
+}
+```
+
+---
+
+## Performance Tips
+
+### Batch API Calls
+
+**Bad:**
+```typescript
+for (const repo of repos) {
+  const details = await ctx.fetch(`/repos/${repo}`);  // N API calls
+}
+```
+
+**Good:**
+```typescript
+// Fetch all at once if API supports it
+const details = await ctx.post('/repos/batch', { repos: repos.map(r => r.id) });
+
+// Or use Promise.all (but be careful with rate limits)
+const details = await Promise.all(
+  repos.slice(0, 10).map(r => ctx.fetch(`/repos/${r}`))
+);
+```
+
+### Cache Results
+
+```typescript
+run: async (ctx) => {
+  // Check if we fetched recently
+  const lastFetch = await ctx.state.get<string>('last_users_fetch');
+  const cacheValid = lastFetch && 
+    Date.now() - new Date(lastFetch).getTime() < 3600000; // 1 hour
+  
+  let users;
+  if (cacheValid) {
+    users = await ctx.state.get<User[]>('cached_users');
+  } else {
+    users = await ctx.fetch<User[]>('/users');
+    await ctx.state.set('cached_users', users);
+    await ctx.state.set('last_users_fetch', new Date().toISOString());
+  }
+  
+  // Use cached users
+}
+```
+
+---
+
+## Testing Checks
+
+### Manual Testing
+
+1. Connect the integration with real credentials
+2. Run the check from Cloud Tests or a task
+3. Verify:
+   - No errors in API logs
+   - Findings appear correctly
+   - Remediation steps are clear
+   - Evidence contains useful data
+
+### Error Case Testing
+
+Test that your check handles:
+- Missing permissions (403 errors)
+- Invalid credentials (401 errors)
+- Resource not found (404 errors)
+- Rate limiting (429 errors)
+- Empty datasets (no resources to check)
+- Malformed responses
+
+### Edge Cases
+
+- User has no resources (empty org)
+- All resources are compliant (no findings)
+- Variables not configured (required variables missing)
+- Dynamic options return empty list
+
+---
+
+## Examples
+
+### Simple Check (No External Data)
+
+```typescript
+export const configCheck: IntegrationCheck = {
+  id: 'config-check',
+  name: 'Configuration Review',
+  defaultSeverity: 'low',
+  variables: [],
+  
+  run: async (ctx) => {
+    ctx.pass({
+      title: 'Configuration Reviewed',
+      resourceType: 'integration',
+      resourceId: ctx.connectionId,
+      description: 'Integration configuration has been reviewed',
+      evidence: { reviewedAt: new Date() },
+    });
+  },
+};
+```
+
+### Data Fetching Check
+
+```typescript
+export const securityCheck: IntegrationCheck = {
+  id: 'security-check',
+  name: 'Security Settings',
+  defaultSeverity: 'high',
+  variables: [],
+  
+  run: async (ctx) => {
+    const settings = await ctx.fetch<SecuritySettings>('/security');
+    
+    if (!settings.twoFactorRequired) {
+      ctx.fail({
+        title: '2FA Not Required',
+        resourceType: 'security-setting',
+        resourceId: 'two-factor',
+        severity: 'high',
+        description: '2FA is not enforced for all users',
+        remediation: 'Enable 2FA requirement in Settings → Security → Require 2FA',
+        evidence: { currentSetting: settings.twoFactorRequired },
+      });
+    } else {
+      ctx.pass({
+        title: '2FA Required',
+        resourceType: 'security-setting',
+        resourceId: 'two-factor',
+        description: '2FA is enforced for all users',
+        evidence: { setting: settings.twoFactorRequired },
+      });
+    }
+  },
+};
+```
+
+### Iterating Over Resources
+
+```typescript
+export const repoCheck: IntegrationCheck = {
+  id: 'repo-security',
+  name: 'Repository Security',
+  variables: [targetReposVariable],
+  
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[];
+    
+    if (!targetRepos?.length) {
+      ctx.fail({
+        title: 'No Repositories Selected',
+        description: 'Select repositories to monitor in integration settings',
+        resourceType: 'configuration',
+        resourceId: 'target_repos',
+        severity: 'medium',
+        remediation: 'Go to Manage → Settings → Select Repositories',
+        evidence: {},
+      });
+      return;
+    }
+    
+    ctx.log(`Checking ${targetRepos.length} repositories`);
+    
+    for (const repoName of targetRepos) {
+      try {
+        const repo = await ctx.fetch<Repo>(`/repos/${repoName}`);
+        
+        if (!repo.branchProtectionEnabled) {
+          ctx.fail({
+            title: `No Branch Protection on ${repoName}`,
+            resourceType: 'repository',
+            resourceId: repoName,
+            severity: 'high',
+            description: 'Main branch has no protection rules',
+            remediation: `Go to ${repoName} → Settings → Branches → Add Protection`,
+            evidence: { repo: repoName, protected: false },
+          });
+        } else {
+          ctx.pass({
+            title: `Branch Protection on ${repoName}`,
+            resourceType: 'repository',
+            resourceId: repoName,
+            description: 'Main branch is protected',
+            evidence: { repo: repoName, rules: repo.protectionRules },
+          });
+        }
+      } catch (error) {
+        ctx.log(`Skipping ${repoName}: ${error}`);
+        // Don't fail the whole check if one repo is inaccessible
+      }
+    }
+  },
+};
+```
+
+---
+
+## Best Practices
+
+### Findings vs Passing Results
+
+**Only create findings for actual issues:**
+
+```typescript
+// Good
+if (hasIssue) {
+  ctx.fail({ ... });
+}
+// No else - absence of findings implies success
+
+// Bad
+if (hasIssue) {
+  ctx.fail({ ... });
+} else {
+  ctx.pass({ ... });  // Don't create passing results for every check
+}
+```
+
+**When to use `ctx.pass()`:**
+- Summary results (e.g., "100 users checked, all have 2FA")
+- Evidence for auditors (e.g., "Access review completed on 2024-12-08")
+- Don't use for absence of findings
+
+**For cloud tests:** Only `fail()` results are shown. Passing results are filtered out.
+
+### Resource Types
+
+Use consistent resource types:
+
+| Type | Examples |
+|------|----------|
+| `repository` | GitHub/GitLab repos |
+| `user` | Users, accounts, members |
+| `team` | Teams, groups, org units |
+| `project` | Projects, workspaces |
+| `deployment` | Deployments, releases |
+| `security-setting` | Security configs |
+| `iam-policy` | Access policies |
+| `alert` | Monitoring alerts |
+| `configuration` | Integration settings |
+
+### Evidence
+
+**Include useful data for auditors:**
+
+```typescript
+evidence: {
+  // Good
+  userId: user.id,
+  userEmail: user.email,
+  twoFactorEnabled: user.twoFactorEnabled,
+  lastLogin: user.lastLoginAt,
+  checkedAt: new Date().toISOString(),
+  
+  // Avoid
+  rawResponse: entireApiResponse,  // Too much data
+  password: user.password,         // Never include secrets
+}
+```
+
+### Remediation Steps
+
+**Be specific and actionable:**
+
+```typescript
+// Vague
+remediation: 'Fix the security settings'
+
+// Specific
+remediation: 'Go to Settings → Security → Enable 2FA → Click "Require for all users"'
+
+// With link
+remediation: 'Enable branch protection: https://github.com/org/repo/settings/branch_protection_rules/new'
+```
+
+---
+
+## Performance Considerations
+
+### Don't Over-Fetch
+
+```typescript
+// Bad - Fetch all repos even if user only selected a few
+const allRepos = await ctx.fetchAllPages('/repos');
+const selectedRepos = allRepos.filter(r => targetRepos.includes(r.name));
+
+// Good - Only fetch what's needed
+const selectedRepos = await Promise.all(
+  targetRepos.map(name => ctx.fetch(`/repos/${name}`))
+);
+```
+
+### Rate Limits
+
+The platform handles retries automatically, but you can help:
+
+```typescript
+// Batch requests when possible
+const results = await ctx.post('/batch', { ids: [1, 2, 3, 4, 5] });
+
+// Sequential requests are slower but safer
+for (const id of ids) {
+  const result = await ctx.fetch(`/item/${id}`);
+  // Process one at a time
+}
+```
+
+### Timeouts
+
+Checks have a **15-minute timeout** (Trigger.dev default). For long-running checks:
+
+```typescript
+// Process in batches
+const BATCH_SIZE = 50;
+for (let i = 0; i < items.length; i += BATCH_SIZE) {
+  const batch = items.slice(i, i + BATCH_SIZE);
+  await processBatch(batch);
+  ctx.log(`Processed batch ${i / BATCH_SIZE + 1}`);
+}
+```
+
+---
+
+## Examples from Built-in Integrations
+
+### GitHub: Secret Scanning
+
+```typescript
+export const secretScanningCheck: IntegrationCheck = {
+  id: 'secret-scanning',
+  name: 'Secret Scanning Alerts',
+  taskMapping: TASK_TEMPLATES.secureSecrets,
+  variables: [targetReposVariable],
+  
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[];
+    
+    for (const repoName of targetRepos) {
+      const alerts = await ctx.fetch<Alert[]>(
+        `/repos/${repoName}/secret-scanning/alerts`,
+      );
+      
+      for (const alert of alerts) {
+        if (alert.state === 'open') {
+          ctx.fail({
+            title: `Secret Exposed in ${repoName}`,
+            resourceType: 'secret-alert',
+            resourceId: alert.number.toString(),
+            severity: 'critical',
+            description: `${alert.secret_type} secret detected in repository`,
+            remediation: 'Rotate the exposed secret and remove it from git history',
+            evidence: {
+              secretType: alert.secret_type,
+              createdAt: alert.created_at,
+              url: alert.html_url,
+            },
+          });
+        }
+      }
+    }
+  },
+};
+```
+
+### AWS: Security Hub Findings
+
+```typescript
+export const securityHubCheck: IntegrationCheck = {
+  id: 'security-hub-findings',
+  name: 'Security Hub Findings',
+  variables: [],
+  
+  run: async (ctx) => {
+    // Custom AWS auth - create client manually
+    const aws = await createAWSClient(ctx.credentials);
+    
+    const findings = await getSecurityHubFindings(aws.securityHub);
+    
+    for (const finding of findings) {
+      ctx.fail({
+        title: finding.Title,
+        resourceType: finding.ResourceType,
+        resourceId: finding.ResourceId,
+        severity: mapSeverity(finding.Severity),
+        description: finding.Description,
+        remediation: finding.Remediation?.Recommendation?.Text || 'See AWS Console',
+        evidence: {
+          awsAccountId: finding.AwsAccountId,
+          region: finding.Region,
+          findingId: finding.Id,
+        },
+      });
+    }
+  },
+};
+```
+
+---
+
+## Checklist for a Good Check
+
+- [ ] Clear, descriptive ID (kebab-case)
+- [ ] User-friendly name
+- [ ] Helpful description
+- [ ] Proper error handling for common cases
+- [ ] Meaningful resource types and IDs
+- [ ] Specific remediation steps
+- [ ] Useful evidence (not too much, not too little)
+- [ ] Appropriate severity levels
+- [ ] Task mapping (if applicable)
+- [ ] Variables for user configuration (if needed)
+- [ ] Tested with real API credentials
+- [ ] Handles edge cases (empty data, missing resources)
+
+---
+
+## Summary
+
+**Checks are the heart of integrations.** Write them to be:
+- **Focused**: One check = one compliance validation
+- 🧑‍💻 **User-friendly**: Clear errors, actionable remediation
+- 🔒 **Secure**: Handle credentials properly, never log secrets
+- ⚡ **Efficient**: Batch requests, handle pagination
+- 🧪 **Tested**: Verify with real credentials and edge cases
+
+Great checks = happy users = successful integration!
+
diff --git a/packages/docs/integrations/contributing.mdx b/packages/docs/integrations/contributing.mdx
new file mode 100644
index 000000000..8ef6d0f94
--- /dev/null
+++ b/packages/docs/integrations/contributing.mdx
@@ -0,0 +1,236 @@
+---
+title: 'Contributing Integrations'
+description: 'Guidelines for contributing new integrations to the platform'
+---
+
+## Before You Start
+
+**Check if the integration already exists** by looking in `packages/integration-platform/src/manifests/`.
+
+**Good integration candidates:**
+- Service has a public API
+- Service provides compliance/security data
+- Maps to existing compliance tasks
+- Widely used in B2B/enterprise
+
+**Not a good fit:**
+- Service requires paid enterprise plan for API access
+- No security/compliance data available via API
+- Consumer-focused service with no business use case
+
+## Contribution Checklist
+
+Your PR should include:
+
+### 1. Integration Manifest
+
+**Required:**
+- [ ] Manifest file (`manifests/your-service/index.ts`)
+- [ ] Valid integration ID (kebab-case, unique)
+- [ ] Clear name and description
+- [ ] Working logo URL
+- [ ] Documentation URL
+- [ ] Correct category
+- [ ] Proper auth configuration
+
+### 2. At Least One Check
+
+**Required:**
+- [ ] Check file(s) in `checks/` folder
+- [ ] Descriptive check IDs
+- [ ] Clear error messages
+- [ ] Proper error handling
+- [ ] Task mapping (if applicable)
+- [ ] Evidence includes useful data
+
+### 3. Types
+
+**Required:**
+- [ ] TypeScript types file (`types.ts`)
+- [ ] Types for API responses
+- [ ] Types for credentials
+- [ ] No `any` types
+
+### 4. Testing
+
+**Required:**
+- [ ] Tested with real credentials
+- [ ] OAuth flow works (if OAuth)
+- [ ] Checks run successfully
+- [ ] Error cases handled gracefully
+- [ ] Variables work (if using variables)
+
+**Include in PR description:**
+- Screenshot of successful connection
+- Screenshot of check results
+- Test account details (if applicable)
+
+### 5. Documentation
+
+**Required:**
+- [ ] Setup instructions in manifest (for OAuth)
+- [ ] Clear credential field labels and help text
+- [ ] Variable help text explains what they do
+- [ ] Remediation steps are actionable
+
+**Nice to have:**
+- [ ] MDX doc in `packages/docs/integrations/your-service.mdx`
+- [ ] Examples in PR description
+
+### 6. Code Quality
+
+**Required:**
+- [ ] TypeScript with no errors
+- [ ] ESLint passes
+- [ ] Follows existing code patterns
+- [ ] No hardcoded values
+- [ ] Proper error handling
+
+## PR Template
+
+```markdown
+## Integration: [Service Name]
+
+### Overview
+- **Service**: [Service Name]
+- **Auth Type**: OAuth 2.0 / API Key / Custom
+- **Category**: Cloud / Identity & Access / Developer Tools
+- **Checks**: [List check names]
+
+### What This Integration Does
+[Brief description of what checks are included and what they validate]
+
+### Testing
+- [x] Connected successfully with OAuth/credentials
+- [x] All checks run without errors
+- [x] Error handling works for common failure cases
+- [x] Variables configured and working (if applicable)
+
+**Screenshots:**
+[Add screenshots of connection flow and check results]
+
+### Task Mapping
+- Check: [Check Name] → Task: [Task Template Name]
+- Check: [Check Name] → Task: [Task Template Name]
+
+### Breaking Changes
+None / [Describe any breaking changes]
+
+### Notes
+[Any additional context, limitations, or future improvements]
+```
+
+## Review Criteria
+
+Reviewers will check for:
+
+### Functionality
+- Integration connects successfully
+- Checks run and produce expected results
+- OAuth flow works (if OAuth)
+- Error states are handled
+
+### Code Quality
+- TypeScript types are correct
+- No `any` types
+- Follows existing patterns
+- Proper error handling
+- Code is readable and maintainable
+
+### User Experience
+- Clear, friendly error messages
+- Helpful remediation steps
+- Good variable labels and help text
+- Reasonable defaults
+
+### Security
+- Credentials handled securely
+- API calls use HTTPS
+- No secrets in code
+- Proper scope requests (OAuth)
+
+## Common Review Feedback
+
+### "Add error handling for X"
+
+**Before:**
+```typescript
+const data = await ctx.fetch('/endpoint');
+// Process data
+```
+
+**After:**
+```typescript
+try {
+  const data = await ctx.fetch('/endpoint');
+  // Process data
+} catch (error) {
+  ctx.fail({
+    title: 'Failed to Fetch Data',
+    // ... proper error handling
+  });
+}
+```
+
+### "Make error messages user-friendly"
+
+**Before:**
+```typescript
+description: `API error: ${error.message}` // Raw error
+```
+
+**After:**
+```typescript
+description: 'Your account does not have permission to access this resource',
+remediation: 'Grant the "Admin" role in Service Settings → Users',
+evidence: { error: errorMessage }, // Store raw error in evidence
+```
+
+### "Add task mapping"
+
+**Before:**
+```typescript
+export const check: IntegrationCheck = {
+  id: 'two-factor',
+  // No task mapping
+};
+```
+
+**After:**
+```typescript
+import { TASK_TEMPLATES } from '../../../task-mappings';
+
+export const check: IntegrationCheck = {
+  id: 'two-factor',
+  taskMapping: TASK_TEMPLATES['2fa'], // Maps to 2FA task
+};
+```
+
+## Getting Your PR Merged
+
+1. **Create a draft PR early** - Get feedback before spending too much time
+2. **Test thoroughly** - Include test results in PR
+3. **Follow the template** - Makes review faster
+4. **Respond to feedback** - Reviewers are trying to help
+5. **Keep it focused** - One integration per PR
+
+## After Your PR is Merged
+
+**For OAuth integrations:**
+- Platform admins need to configure OAuth credentials
+- Your integration will show "Coming Soon" until configured
+- Update documentation with OAuth setup steps
+
+**For all integrations:**
+- Integration appears in the integrations page
+- Users can connect and start using it
+- Checks run automatically or on-demand
+
+## Questions?
+
+- Check existing integrations for patterns
+- Ask in discussions/issues
+- Tag maintainers for help
+
+Thank you for contributing!
+
diff --git a/packages/docs/integrations/index.mdx b/packages/docs/integrations/index.mdx
new file mode 100644
index 000000000..85dcabdf7
--- /dev/null
+++ b/packages/docs/integrations/index.mdx
@@ -0,0 +1,113 @@
+---
+title: 'Integrations'
+description: 'Extensible platform for building compliance check integrations'
+---
+
+## Overview
+
+Integrations let you connect third-party services (GitHub, AWS, Google Cloud, etc.) to automatically run compliance checks and collect evidence.
+
+**Key Features:**
+- Extensible architecture for adding new integrations
+- Multiple auth strategies (OAuth, API keys, custom credentials)
+- Automated compliance checks that map to tasks
+- Background execution via Trigger.dev
+- Type-safe with full TypeScript support
+
+## How It Works
+
+### 1. Integration Manifests
+
+Each integration is defined by a **manifest** that describes:
+- Authentication method (OAuth, API key, custom)
+- Available compliance checks
+- User-configurable variables
+- API endpoints and headers
+
+### 2. Checks
+
+Checks are compliance validations that run against the external service. For example:
+- GitHub: "Are all repos using branch protection?"
+- AWS: "Are there any high-severity findings in Security Hub?"
+- Google Workspace: "Do all users have 2FA enabled?"
+
+### 3. Task Mapping
+
+Checks can map to compliance task templates. When a check passes, the associated task is auto-completed.
+
+Example: The GitHub "Branch Protection" check maps to the "Code Changes" task. When the check passes, the "Code Changes" task is automatically marked as done.
+
+### 4. Connection Flow
+
+**OAuth integrations:**
+1. User clicks "Connect"
+2. Redirected to provider's OAuth screen
+3. User authorizes
+4. Token stored securely (encrypted at rest)
+5. Checks run automatically (if no variables needed) or after user configures variables
+
+**Custom auth integrations:**
+1. User clicks "Connect"
+2. User enters credentials (API keys, service account, etc.)
+3. Credentials stored securely (encrypted at rest)
+4. Checks run automatically (if no variables needed) or after user configures variables
+
+### 5. Auto-Run Logic
+
+After connecting an integration:
+- If all required variables are configured → Checks run automatically via Trigger.dev
+- If variables needed → User configures them → Checks run
+- Checks also run daily via scheduled Trigger.dev task
+
+## Architecture
+
+```
+Integrations
+├── Manifests (define integrations)
+│   ├── Auth config (OAuth, API key, custom)
+│   ├── Checks (compliance validations)
+│   └── Variables (user configuration)
+├── Runtime (execute checks)
+│   ├── Check context (API, logging, reporting)
+│   └── Check runner (orchestration)
+├── API (NestJS backend)
+│   ├── Connections (manage user connections)
+│   ├── OAuth (handle OAuth flow)
+│   ├── Checks (run checks)
+│   └── Variables (manage user settings)
+└── Trigger Tasks (background execution)
+    ├── run-connection-checks (auto-run after connect)
+    ├── run-task-integration-checks (daily scheduled)
+    └── sync-employees-schedule (daily employee sync)
+```
+
+## Built-in Integrations
+
+### Cloud Providers
+- **AWS** - Security Hub findings
+- **Azure** - Microsoft Defender for Cloud
+- **GCP** - Security Command Center
+
+### Identity & Access
+- **Google Workspace** - User compliance, 2FA checks
+- **Rippling** - Employee sync
+
+### Developer Tools
+- **GitHub** - Code security, branch protection, Dependabot
+- **Vercel** - Deployment monitoring
+- **Linear** - Team privacy, SSO checks
+
+## Next Steps
+
+<Card title="Writing Integrations" icon="code" href="/integrations/writing-integrations">
+  Learn how to create your own integration
+</Card>
+
+<Card title="Contributing" icon="git-pull-request" href="/integrations/contributing">
+  Contribute integrations to the platform
+</Card>
+
+<Card title="Self-Hosting OAuth" icon="server" href="/integrations/oauth-setup">
+  Configure OAuth for self-hosted deployments
+</Card>
+
diff --git a/packages/docs/integrations/oauth-setup.mdx b/packages/docs/integrations/oauth-setup.mdx
new file mode 100644
index 000000000..17a3d814a
--- /dev/null
+++ b/packages/docs/integrations/oauth-setup.mdx
@@ -0,0 +1,351 @@
+---
+title: 'OAuth Configuration for Self-Hosters'
+description: 'Platform admin guide to enabling OAuth integrations'
+---
+
+<Warning>
+This guide is for **platform administrators** self-hosting the application. If you're a regular user trying to connect an integration, this doesn't apply to you - just click "Connect" and follow the prompts.
+</Warning>
+
+## Overview
+
+OAuth integrations require **platform-level credentials** that you (the admin) configure once in your deployment. After that, all users can connect their accounts with a single click.
+
+**Without OAuth configured:** Integration shows "Coming Soon" (disabled)  
+**With OAuth configured:** Users click "Connect" → OAuth flow → Done!
+
+## Quick Start
+
+For each OAuth integration you want to enable:
+
+1. Create OAuth app with the provider
+2. Copy Client ID and Client Secret
+3. Go to `/admin/integrations` in your deployment
+4. Find the integration → Click "Configure"
+5. Paste credentials → Save
+
+That's it! Users can now connect.
+
+---
+
+## Provider Setup Guides
+
+### GitHub
+
+<Steps>
+  <Step title="Create OAuth App">
+    1. Go to [GitHub Developer Settings](https://github.com/settings/developers)
+    2. Click **New OAuth App**
+    3. Fill in:
+       - **Application name**: Your app name (e.g., "Comp AI at Acme Corp")
+       - **Homepage URL**: `https://yourapp.com`
+       - **Authorization callback URL**: `https://yourapp.com/v1/integrations/oauth/callback`
+    4. Click **Register application**
+    5. Copy the **Client ID**
+    6. Click **Generate a new client secret** → Copy it
+  </Step>
+  
+  <Step title="Add to Platform">
+    1. Go to `/admin/integrations` in your deployment
+    2. Find **GitHub** in the list
+    3. Click **Configure OAuth**
+    4. Paste **Client ID** and **Client Secret**
+    5. Click **Save**
+  </Step>
+  
+  <Step title="Test">
+    1. Go to `/integrations`
+    2. Find GitHub
+    3. Click **Connect** (should no longer say "Coming Soon")
+    4. Authorize with your GitHub account
+    5. Connection successful!
+  </Step>
+</Steps>
+
+**Important:** The callback URL must exactly match what you enter in your deployment.
+
+---
+
+### Google (Workspace & Cloud Platform)
+
+<Tip>
+Google Workspace and Google Cloud Platform can **share the same OAuth app**. Create it once, use it for both!
+</Tip>
+
+<Steps>
+  <Step title="Create Google Cloud Project">
+    1. Go to [Google Cloud Console](https://console.cloud.google.com)
+    2. Create a new project (or select existing)
+    3. Name it something like "Comp AI OAuth"
+  </Step>
+  
+  <Step title="Configure OAuth Consent Screen">
+    1. Go to **APIs & Services** → **OAuth consent screen**
+    2. Select **Internal** (if using Google Workspace) or **External**
+    3. Fill in:
+       - **App name**: Your app name
+       - **User support email**: Your email
+       - **Developer contact**: Your email
+    4. Don't add scopes manually - we request them dynamically
+    5. Save and continue
+  </Step>
+  
+  <Step title="Create OAuth Credentials">
+    1. Go to **APIs & Services** → **Credentials**
+    2. Click **Create Credentials** → **OAuth client ID**
+    3. Select **Web application**
+    4. Name: "Comp AI Web"
+    5. **Authorized redirect URIs**: `https://yourapp.com/v1/integrations/oauth/callback`
+    6. Click **Create**
+    7. Copy **Client ID** and **Client Secret**
+  </Step>
+  
+  <Step title="Enable Required APIs">
+    In the same GCP project, enable these APIs:
+    - **Admin SDK API** (for Google Workspace)
+    - **Cloud Resource Manager API** (for GCP)
+    - **Security Command Center API** (for GCP)
+    
+    Go to **APIs & Services** → **Library** and search for each.
+  </Step>
+  
+  <Step title="Add to Platform (Google Workspace)">
+    1. Go to `/admin/integrations`
+    2. Find **Google Workspace**
+    3. Click **Configure OAuth**
+    4. Paste Client ID and Client Secret
+    5. Save
+  </Step>
+  
+  <Step title="Add to Platform (GCP) - Optional">
+    1. In the same admin page
+    2. Find **Google Cloud Platform**
+    3. Click **Configure OAuth**
+    4. Paste the **same** Client ID and Client Secret
+    5. Save
+  </Step>
+</Steps>
+
+**User Requirements:**
+- **Google Workspace**: User must be a Workspace admin
+- **GCP**: User must have Viewer + Security Center Findings Viewer roles at org level
+
+---
+
+### Linear
+
+<Steps>
+  <Step title="Create OAuth App">
+    1. Go to [Linear API Settings](https://linear.app/settings/api)
+    2. Click **Create new OAuth application**
+    3. Fill in:
+       - **Name**: Your app name
+       - **Callback URLs**: `https://yourapp.com/v1/integrations/oauth/callback`
+    4. Click **Create**
+    5. Copy **Client ID** and **Client Secret**
+  </Step>
+  
+  <Step title="Add to Platform">
+    1. Go to `/admin/integrations`
+    2. Find **Linear** → **Configure OAuth**
+    3. Paste credentials → Save
+  </Step>
+</Steps>
+
+---
+
+### Vercel
+
+<Steps>
+  <Step title="Create Integration">
+    1. Go to [Vercel Integrations Console](https://vercel.com/dashboard/integrations/console)
+    2. Click **Create Integration**
+    3. Fill in:
+       - **Name**: Your app name
+       - **Redirect URL**: `https://yourapp.com/v1/integrations/oauth/callback`
+    4. Create → Copy **Client ID**, **Client Secret**, and **Integration Slug**
+  </Step>
+  
+  <Step title="Add to Platform">
+    1. Go to `/admin/integrations`
+    2. Find **Vercel** → **Configure OAuth**
+    3. Paste Client ID and Client Secret
+    4. In **Custom Settings**, add the **Integration Slug**
+    5. Save
+  </Step>
+</Steps>
+
+**Note:** Vercel requires an integration slug as a custom setting.
+
+---
+
+### Rippling
+
+<Warning>
+Rippling requires marketplace approval and takes 1-2 weeks.
+</Warning>
+
+<Steps>
+  <Step title="Request Marketplace App">
+    1. Contact Rippling support or your account manager
+    2. Request a marketplace integration
+    3. Provide:
+       - App name
+       - Callback URL: `https://yourapp.com/v1/integrations/oauth/callback`
+       - App description
+    4. Wait for approval (1-2 weeks)
+  </Step>
+  
+  <Step title="Receive Credentials">
+    Rippling will provide:
+    - Client ID
+    - Client Secret
+    - App Name (your marketplace app identifier)
+  </Step>
+  
+  <Step title="Add to Platform">
+    1. Go to `/admin/integrations`
+    2. Find **Rippling** → **Configure OAuth**
+    3. Paste Client ID and Client Secret
+    4. In **Custom Settings**, add the **App Name** provided by Rippling
+    5. Save
+  </Step>
+</Steps>
+
+---
+
+## Non-OAuth Integrations
+
+These integrations don't require platform-level OAuth setup:
+
+### AWS, Azure, GCP (Service Accounts)
+
+**No platform configuration needed!**
+
+Users provide their own:
+- **AWS**: IAM Role ARN, External ID
+- **Azure**: Service Principal credentials
+- **GCP**: OAuth (but users connect with their own Google account)
+
+---
+
+## Troubleshooting
+
+### Integration Shows "Coming Soon"
+
+**Cause:** OAuth credentials not configured  
+**Fix:** Go to `/admin/integrations` → Configure Client ID/Secret
+
+### OAuth Callback Error
+
+**Cause:** Callback URL mismatch  
+**Fix:** Ensure the URL in the OAuth app exactly matches your deployment:
+- OAuth app: `https://yourapp.com/v1/integrations/oauth/callback`
+- Your deployment URL: `https://yourapp.com`
+
+They must match!
+
+### "Invalid Client" Error
+
+**Cause:** Wrong Client ID or Secret  
+**Fix:** Double-check you copied both correctly, no extra spaces
+
+### Users Can't Authorize (Google)
+
+**Cause:** APIs not enabled in your GCP project  
+**Fix:** Enable Admin SDK API (Workspace) or Cloud APIs (GCP)
+
+### "Access Denied" After Connecting
+
+**Cause:** User lacks required permissions in their account  
+**Fix:** User needs to grant IAM roles in the provider (check integration docs for required roles)
+
+---
+
+## Security Notes
+
+### Where Credentials are Stored
+
+OAuth Client IDs and Secrets are stored in the **database**, encrypted at rest using AES-256-GCM.
+
+**Not in environment variables** - This allows:
+- Multiple deployments with different credentials
+- Easy credential rotation via UI
+- Secure encryption
+- Multi-tenancy support
+
+### Callback URL Security
+
+Always use **HTTPS** in production:
+- `https://yourapp.com/v1/integrations/oauth/callback`
+- `http://yourapp.com/...` (insecure, OAuth will reject)
+
+For local development:
+- `http://localhost:3000/v1/integrations/oauth/callback`
+- `http://127.0.0.1:3000/v1/integrations/oauth/callback`
+
+### OAuth Scopes
+
+We request the **minimum scopes** needed for each integration:
+- GitHub: `repo`, `read:org`, `read:user`
+- Google Workspace: `admin.directory.user.readonly`, etc.
+- GCP: `cloud-platform` (required for Security Command Center - no read-only alternative available)
+
+### User Data
+
+We **never** store user passwords. OAuth flow:
+1. User authorizes → Provider gives us an access token
+2. We store the token (encrypted)
+3. We use token to call APIs
+4. User can revoke access anytime in the provider's settings
+
+---
+
+## Production Considerations
+
+### Google OAuth Verification
+
+If using Google integrations (Workspace, GCP) in production with external users, you'll need to submit your app for **Google's verification process**.
+
+**Required for:**
+- External user consent screen
+- Requesting sensitive scopes (like `cloud-platform`)
+
+**Process:**
+1. Complete OAuth consent screen configuration
+2. Submit for verification at https://support.google.com/code/contact/oauth_app_verification
+3. Provide privacy policy, terms of service
+4. May take 2-6 weeks
+
+**For internal use:** No verification needed if using "Internal" consent screen.
+
+### Rate Limiting
+
+OAuth providers have rate limits. The integration platform handles this by:
+- Caching API responses where appropriate
+- Running checks via background jobs (Trigger.dev)
+- Implementing exponential backoff on retries
+
+### Token Refresh
+
+OAuth tokens expire. The platform automatically:
+- Stores refresh tokens (when provider supports it)
+- Refreshes access tokens before they expire
+- Re-prompts user to reconnect if refresh fails
+
+No manual intervention needed!
+
+---
+
+## Summary
+
+**Time investment:** ~30 minutes to configure all OAuth providers
+
+**Benefit:** Users connect with 1 click instead of hunting for API keys
+
+**Maintenance:** Minimal - credentials rotate via UI, no code deployments needed
+
+**Security:** All credentials encrypted at rest, HTTPS required for callbacks
+
+Configure once, benefit forever!
+
diff --git a/packages/docs/integrations/variables.mdx b/packages/docs/integrations/variables.mdx
new file mode 100644
index 000000000..629ddeb5a
--- /dev/null
+++ b/packages/docs/integrations/variables.mdx
@@ -0,0 +1,531 @@
+---
+title: 'Variables Reference'
+description: 'Complete guide to user-configurable variables in checks'
+---
+
+## Overview
+
+Variables let users configure check behavior without changing code. For example:
+
+- Which repositories to monitor
+- Which teams to check
+- Severity thresholds
+- Include/exclude flags
+
+## Variable Types
+
+| Type           | UI Component          | Best For          | Example                       |
+| -------------- | --------------------- | ----------------- | ----------------------------- |
+| `text`         | Text input            | Free-form text    | Organization ID, project name |
+| `number`       | Number input          | Numeric values    | Threshold, limit, count       |
+| `boolean`      | Yes/No dropdown       | Toggle flags      | Include inactive, strict mode |
+| `select`       | Single dropdown       | Choose one option | Environment, priority         |
+| `multi-select` | Multi-select dropdown | Choose multiple   | Repositories, teams, users    |
+
+---
+
+## Text Variables
+
+**For:** Free-form text input (IDs, names, etc.)
+
+```typescript
+{
+  id: 'organization_id',
+  label: 'Organization ID',
+  type: 'text',
+  required: true,
+  placeholder: '123456789012',
+  helpText: 'Your org ID from Settings → Organization',
+  default: '', // Optional default value
+}
+```
+
+**Access in check:**
+
+```typescript
+const orgId = ctx.variables.organization_id as string;
+```
+
+---
+
+## Number Variables
+
+**For:** Numeric values (thresholds, limits, counts)
+
+```typescript
+{
+  id: 'max_days',
+  label: 'Maximum Days',
+  type: 'number',
+  required: false,
+  default: 90,
+  placeholder: '90',
+  helpText: 'Maximum age in days before flagging',
+}
+```
+
+**Access in check:**
+
+```typescript
+const maxDays = ctx.variables.max_days as number;
+// or with default
+const maxDays = (ctx.variables.max_days as number) || 90;
+```
+
+---
+
+## Boolean Variables
+
+**For:** Yes/No flags, enable/disable options
+
+```typescript
+{
+  id: 'include_inactive',
+  label: 'Include Inactive Resources',
+  type: 'boolean',
+  required: false,
+  default: false,
+  helpText: 'Also check resources that are disabled',
+}
+```
+
+**Renders as:** Dropdown with "Yes" / "No" options
+
+**Access in check:**
+
+```typescript
+const includeInactive = ctx.variables.include_inactive === true;
+// or as string from select
+const includeInactive = ctx.variables.include_inactive === 'true';
+```
+
+---
+
+## Select Variables
+
+**For:** Choose one option from a predefined list
+
+### Static Options
+
+```typescript
+{
+  id: 'environment',
+  label: 'Environment',
+  type: 'select',
+  required: true,
+  default: 'production',
+  options: [
+    { value: 'production', label: 'Production' },
+    { value: 'staging', label: 'Staging' },
+    { value: 'development', label: 'Development' },
+  ],
+  helpText: 'Which environment to check',
+}
+```
+
+### Dynamic Options (Fetched from API)
+
+```typescript
+{
+  id: 'project_id',
+  label: 'Project',
+  type: 'select',
+  required: true,
+  helpText: 'Select the project to monitor',
+
+  fetchOptions: async (ctx) => {
+    // Fetch projects from API
+    const projects = await ctx.fetch<Project[]>('/projects');
+
+    return projects.map((p) => ({
+      value: p.id,
+      label: p.name,
+    }));
+  },
+}
+```
+
+**When dynamic options are used:**
+
+1. User connects integration
+2. Platform fetches options using the connection's credentials
+3. User sees dropdown populated with real data from their account
+
+**Access in check:**
+
+```typescript
+const selectedEnv = ctx.variables.environment as string;
+```
+
+---
+
+## Multi-Select Variables
+
+**For:** Choose multiple items from a list (most common for selecting resources)
+
+### Static Options
+
+```typescript
+{
+  id: 'alert_types',
+  label: 'Alert Types to Monitor',
+  type: 'multi-select',
+  required: true,
+  default: ['critical', 'high'],
+  options: [
+    { value: 'critical', label: 'Critical' },
+    { value: 'high', label: 'High' },
+    { value: 'medium', label: 'Medium' },
+    { value: 'low', label: 'Low' },
+  ],
+}
+```
+
+### Dynamic Options (Most Common)
+
+**Example:** Select which GitHub repositories to monitor
+
+```typescript
+{
+  id: 'target_repos',
+  label: 'Repositories to Monitor',
+  type: 'multi-select',
+  required: true,
+  helpText: 'Select repositories to check for compliance',
+
+  fetchOptions: async (ctx) => {
+    // Fetch all accessible repos
+    const repos = await ctx.fetchAllPages<Repo>('/user/repos');
+
+    return repos.map((r) => ({
+      value: r.full_name,  // org/repo-name
+      label: `${r.full_name}${r.private ? ' (private)' : ''}`,
+    }));
+  },
+}
+```
+
+**Renders as:** Multi-select dropdown with search
+
+**Access in check:**
+
+```typescript
+const targetRepos = ctx.variables.target_repos as string[];
+
+if (!targetRepos || targetRepos.length === 0) {
+  ctx.fail({
+    title: 'No Repositories Selected',
+    description: 'Select at least one repository in integration settings',
+    // ...
+  });
+  return;
+}
+
+// Only check selected repos
+for (const repoName of targetRepos) {
+  const repo = await ctx.fetch<Repo>(`/repos/${repoName}`);
+  // Check the repo
+}
+```
+
+---
+
+## Default Values
+
+```typescript
+{
+  id: 'max_results',
+  type: 'number',
+  default: 100,  // Used if user doesn't configure
+}
+
+// In check
+const maxResults = (ctx.variables.max_results as number) || 100;
+```
+
+**Use defaults for:**
+
+- Optional settings with sensible defaults
+- Advanced options most users don't change
+- Don't use for required fields
+
+---
+
+## Required vs Optional Variables
+
+### Required Variables
+
+```typescript
+{
+  id: 'organization_id',
+  required: true,  // User MUST provide this
+}
+```
+
+**Behavior:**
+
+- User can't save without filling this
+- Checks won't auto-run until provided
+- Validation error shown if empty
+
+**Use for:** Essential configuration (IDs, critical settings)
+
+### Optional Variables
+
+```typescript
+{
+  id: 'include_archived',
+  required: false,  // User can leave empty
+  default: false,
+}
+```
+
+**Behavior:**
+
+- User can skip this
+- Checks use default value if not set
+- Checks auto-run even if not configured
+
+**Use for:** Advanced settings, filters, optional features
+
+---
+
+## Variable Fetching Context
+
+When using `fetchOptions`, you get a limited context:
+
+```typescript
+fetchOptions: async (ctx) => {
+  // Available:
+  ctx.accessToken; // OAuth token
+  ctx.fetch<T>(); // HTTP GET with auth
+  ctx.fetchAllPages<T>(); // Paginated GET
+  ctx.graphql<T>(); // GraphQL query
+
+  // Not available:
+  ctx.log(); // No logging during option fetch
+  ctx.fail(); // Can't create findings
+  ctx.variables; // No other variables (circular dependency)
+};
+```
+
+**Keep it simple:**
+
+- Fetch a list of resources
+- Map to `{ value, label }` format
+- Don't fetch large datasets (use pagination)
+- Don't perform complex logic
+
+---
+
+## Validation
+
+### In the Manifest
+
+```typescript
+{
+  id: 'api_url',
+  type: 'url',  // Auto-validates URL format
+  required: true,
+}
+```
+
+**Built-in validation:**
+
+- `required: true` - Can't be empty
+- `type: 'url'` - Must be valid URL
+- `type: 'number'` - Must be numeric
+
+### In the Check
+
+```typescript
+run: async (ctx) => {
+  const orgId = ctx.variables.organization_id as string;
+
+  if (!orgId || orgId.trim() === '') {
+    ctx.fail({
+      title: 'Organization ID Required',
+      description: 'Configure the Organization ID in integration settings',
+      resourceType: 'configuration',
+      resourceId: 'organization_id',
+      severity: 'critical',
+      remediation: 'Go to Manage → Settings → Enter Organization ID',
+      evidence: {},
+    });
+    return;
+  }
+
+  // Continue with check
+};
+```
+
+---
+
+## Reusable Variables
+
+**Define once, use in multiple checks:**
+
+```typescript
+// variables.ts
+export const targetReposVariable: CheckVariable = {
+  id: 'target_repos',
+  label: 'Repositories to Monitor',
+  type: 'multi-select',
+  required: true,
+  fetchOptions: async (ctx) => {
+    // Fetch logic
+  },
+};
+
+export const protectedBranchVariable: CheckVariable = {
+  id: 'protected_branch',
+  label: 'Branch to Check',
+  type: 'text',
+  required: true,
+  default: 'main',
+};
+```
+
+```typescript
+// checks/check-1.ts
+import { targetReposVariable } from '../variables';
+
+export const check1: IntegrationCheck = {
+  variables: [targetReposVariable],
+  // ...
+};
+
+// checks/check-2.ts
+export const check2: IntegrationCheck = {
+  variables: [targetReposVariable, protectedBranchVariable],
+  // ...
+};
+```
+
+**Benefits:**
+
+- Consistent variable definitions
+- Centralized option fetching
+- Easier maintenance
+
+---
+
+## Auto-Run Behavior
+
+**Checks auto-run after connection when:**
+
+- All required variables are configured
+- Connection is active
+- Integration has checks defined
+
+**Checks DON'T auto-run when:**
+
+- Required variables are missing → User must configure them
+- All variables are optional → Still auto-runs (uses defaults)
+
+**After saving variables:**
+
+- Platform checks if all required variables are now set
+- If yes → Auto-triggers check run via Trigger.dev
+- If no → Waits for remaining variables
+
+---
+
+## Best Practices
+
+### Do's
+
+- **Clear labels**: "Organization ID" not "Org ID" not "id"
+- **Helpful help text**: Explain where to find the value
+- **Good placeholders**: Show format/example
+- **Sensible defaults**: For optional settings
+- **Required only when truly needed**: Don't over-require
+
+### Don'ts
+
+- **Don't use vague labels**: "Setting 1"
+- **Don't skip help text**: Users need guidance
+- **Don't make everything required**: Only essentials
+- **Don't fetch huge option lists**: Paginate or filter
+- **Don't use technical jargon**: User-friendly language
+
+---
+
+## Examples from Built-in Integrations
+
+### GitHub: Target Repositories
+
+```typescript
+{
+  id: 'target_repos',
+  label: 'Repositories to Monitor',
+  type: 'multi-select',
+  required: true,
+  fetchOptions: async (ctx) => {
+    const orgs = await ctx.fetch<Org[]>('/user/orgs');
+    const allRepos = [];
+    for (const org of orgs) {
+      const repos = await ctx.fetchAllPages<Repo>(`/orgs/${org.login}/repos`);
+      allRepos.push(...repos.map(r => ({
+        value: r.full_name,
+        label: `${r.full_name}${r.private ? ' (private)' : ''}`,
+      })));
+    }
+    return allRepos;
+  },
+}
+```
+
+### GCP: Organization ID
+
+```typescript
+{
+  id: 'organization_id',
+  label: 'GCP Organization ID',
+  type: 'text',
+  required: true,
+  placeholder: '123456789012',
+  helpText: 'Numeric org ID from GCP Console → IAM & Admin → Settings',
+}
+```
+
+### Linear: Target Teams
+
+```typescript
+{
+  id: 'target_teams',
+  label: 'Teams to Monitor',
+  type: 'multi-select',
+  required: false, // Check all teams if not specified
+  fetchOptions: async (ctx) => {
+    const teams = await ctx.graphql<{ teams: { nodes: Team[] } }>(`
+      query {
+        teams {
+          nodes {
+            id
+            name
+            private
+          }
+        }
+      }
+    `);
+    return teams.teams.nodes.map(t => ({
+      value: t.id,
+      label: `${t.name}${t.private ? ' (private)' : ''}`,
+    }));
+  },
+}
+```
+
+---
+
+## Summary
+
+Variables make integrations flexible and user-friendly. Use them to:
+
+- Let users scope checks to specific resources
+- Configure thresholds and limits
+- Enable/disable features
+- Provide organization-specific context
+
+**Keep it simple** - only add variables when truly needed for configuration.
diff --git a/packages/docs/integrations/writing-integrations.mdx b/packages/docs/integrations/writing-integrations.mdx
new file mode 100644
index 000000000..5f202b3a3
--- /dev/null
+++ b/packages/docs/integrations/writing-integrations.mdx
@@ -0,0 +1,336 @@
+---
+title: 'Writing Integrations'
+description: 'Step-by-step guide to creating integration manifests and checks'
+---
+
+## Prerequisites
+
+- TypeScript knowledge
+- Understanding of the service you're integrating
+- API documentation for the service
+
+## Step 1: Create Integration Folder
+
+Create a new folder in `packages/integration-platform/src/manifests/`:
+
+```bash
+mkdir -p packages/integration-platform/src/manifests/your-service
+cd packages/integration-platform/src/manifests/your-service
+```
+
+**File structure:**
+```
+your-service/
+├── index.ts           # Manifest definition
+├── types.ts           # TypeScript types
+├── checks/
+│   ├── index.ts       # Export all checks
+│   └── your-check.ts  # Individual checks
+└── helpers/           # Optional: API client helpers
+    └── api-client.ts
+```
+
+## Step 2: Define Types
+
+Create `types.ts` for the integration's data structures:
+
+```typescript
+// Service-specific types
+export interface YourServiceUser {
+  id: string;
+  email: string;
+  twoFactorEnabled: boolean;
+}
+
+export interface YourServiceCredentials {
+  access_token?: string; // For OAuth
+  api_key?: string;      // For API key auth
+}
+```
+
+## Step 3: Create the Manifest
+
+Create `index.ts`:
+
+```typescript
+import type { IntegrationManifest } from '../../types';
+import { yourCheck } from './checks';
+
+export const yourServiceManifest: IntegrationManifest = {
+  id: 'your-service',
+  name: 'Your Service',
+  description: 'Monitor compliance in Your Service',
+  category: 'Developer Tools',
+  logoUrl: 'https://img.logo.dev/yourservice.com?token=pk_TOKEN',
+  docsUrl: 'https://docs.yourservice.com/api',
+  isActive: true,
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://yourservice.com/oauth/authorize',
+      tokenUrl: 'https://yourservice.com/oauth/token',
+      scopes: ['read:users', 'read:security'],
+      pkce: false,
+      clientAuthMethod: 'body',
+      supportsRefreshToken: true,
+      authorizationParams: {
+        access_type: 'offline',
+      },
+      setupInstructions: `Create an OAuth app at https://yourservice.com/apps`,
+      createAppUrl: 'https://yourservice.com/apps/new',
+    },
+  },
+
+  baseUrl: 'https://api.yourservice.com',
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+  },
+
+  capabilities: ['checks'],
+
+  checks: [yourCheck],
+};
+```
+
+## Step 4: Write a Check
+
+Create `checks/your-check.ts`:
+
+```typescript
+import type { CheckContext, IntegrationCheck } from '../../../types';
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { YourServiceUser } from '../types';
+
+export const twoFactorCheck: IntegrationCheck = {
+  id: 'two-factor-auth',
+  name: '2FA Enabled',
+  description: 'Verify all users have 2FA enabled',
+  taskMapping: TASK_TEMPLATES['2fa'],
+  defaultSeverity: 'high',
+  variables: [],
+
+  run: async (ctx: CheckContext) => {
+    ctx.log('Checking 2FA status for all users');
+
+    // Fetch users from API
+    const users = await ctx.fetch<YourServiceUser[]>('/users');
+
+    ctx.log(`Found ${users.length} users`);
+
+    // Check each user
+    for (const user of users) {
+      if (!user.twoFactorEnabled) {
+        ctx.fail({
+          title: `2FA Disabled for ${user.email}`,
+          resourceType: 'user',
+          resourceId: user.id,
+          severity: 'high',
+          description: `User ${user.email} does not have 2FA enabled`,
+          remediation: 'Enable 2FA in account settings',
+          evidence: {
+            userId: user.id,
+            email: user.email,
+            twoFactorEnabled: false,
+          },
+        });
+      }
+    }
+
+    const usersWithout2FA = users.filter((u) => !u.twoFactorEnabled).length;
+
+    if (usersWithout2FA === 0) {
+      ctx.pass({
+        title: 'All Users Have 2FA',
+        resourceType: 'users',
+        resourceId: 'all',
+        description: `All ${users.length} users have 2FA enabled`,
+        evidence: { totalUsers: users.length },
+      });
+    }
+
+    ctx.log(`Check complete: ${usersWithout2FA} users without 2FA`);
+  },
+};
+```
+
+## Step 5: Add Variables (Optional)
+
+If your check needs user configuration:
+
+```typescript
+const targetReposVariable: CheckVariable = {
+  id: 'target_repos',
+  label: 'Repositories to Monitor',
+  type: 'multi-select',
+  required: true,
+  helpText: 'Select which repositories to check',
+  
+  // Dynamic options from API
+  fetchOptions: async (ctx) => {
+    const repos = await ctx.fetch<Repo[]>('/repos');
+    return repos.map((r) => ({
+      value: r.name,
+      label: r.full_name,
+    }));
+  },
+};
+
+export const yourCheck: IntegrationCheck = {
+  id: 'repo-check',
+  variables: [targetReposVariable],
+  
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[];
+    // Only check selected repos
+  },
+};
+```
+
+## Step 6: Register the Manifest
+
+Add to `packages/integration-platform/src/registry/index.ts`:
+
+```typescript
+import { yourServiceManifest } from '../manifests/your-service';
+
+export const registry: IntegrationRegistry = {
+  // ... existing integrations
+  'your-service': yourServiceManifest,
+};
+```
+
+## Step 7: Test It
+
+1. **Start dev servers:**
+   ```bash
+   bun run dev
+   ```
+
+2. **Configure OAuth** (if using OAuth):
+   - Go to `/admin/integrations`
+   - Find your integration → Configure OAuth
+   - Add Client ID/Secret
+
+3. **Connect the integration:**
+   - Go to `/integrations`
+   - Find your integration
+   - Click "Connect"
+   - Authorize (if OAuth) or enter credentials
+
+4. **Run checks:**
+   - Go to `/cloud-tests` (if it's a cloud provider)
+   - Or go to a task page and run the integration check
+   - Verify findings appear correctly
+
+5. **Check logs:**
+   - Look at API terminal for check execution logs
+   - Verify no errors
+
+## Common Patterns
+
+### Pagination
+
+```typescript
+// Auto-pagination (OAuth with standardized pagination)
+const allItems = await ctx.fetchAllPages<Item>('/items');
+
+// Manual pagination
+let items: Item[] = [];
+let page = 1;
+
+while (true) {
+  const response = await ctx.fetch<{ data: Item[]; hasMore: boolean }>(
+    `/items?page=${page}`
+  );
+  items.push(...response.data);
+  if (!response.hasMore) break;
+  page++;
+}
+```
+
+### Error Handling
+
+```typescript
+try {
+  const data = await ctx.fetch('/endpoint');
+  // Process data
+} catch (error) {
+  const errorMessage = error instanceof Error ? error.message : String(error);
+  
+  // Handle specific errors
+  if (errorMessage.includes('PERMISSION_DENIED')) {
+    ctx.fail({
+      title: 'Permission Denied',
+      resourceType: 'api',
+      resourceId: 'access',
+      severity: 'high',
+      description: 'Your account lacks necessary permissions',
+      remediation: 'Grant [specific role] in provider settings',
+      evidence: { error: errorMessage },
+    });
+    return;
+  }
+  
+  // Generic error
+  ctx.log(`Error: ${errorMessage}`);
+}
+```
+
+### Multiple Checks
+
+```typescript
+// checks/index.ts
+export { check1 } from './check-1';
+export { check2 } from './check-2';
+export { check3 } from './check-3';
+
+// index.ts
+import { check1, check2, check3 } from './checks';
+
+export const manifest: IntegrationManifest = {
+  // ...
+  checks: [check1, check2, check3],
+};
+```
+
+## Best Practices
+
+### Do's
+
+- **Use descriptive IDs**: `branch-protection`, not `check1`
+- **Map to tasks**: Use `taskMapping` to auto-complete tasks
+- **Friendly errors**: Convert API errors to user-friendly messages
+- **Log liberally**: Use `ctx.log()` for debugging
+- **Handle missing data**: Not all orgs have all resources
+- **Paginate when needed**: Don't assume small datasets
+- **Type everything**: Use TypeScript types for API responses
+
+### Don'ts
+
+- **Don't expose raw API errors** to users in descriptions
+- **Don't assume variables exist**: Check for undefined
+- **Don't use `console.log`**: Use `ctx.log()` instead
+- **Don't create findings for missing resources**: Just log it
+- **Don't hardcode URLs**: Use `baseUrl` in manifest
+- **Don't skip error handling**: Wrap API calls in try/catch
+
+## Examples to Reference
+
+| Integration | Type | Good for learning |
+|-------------|------|-------------------|
+| **GitHub** | OAuth | Dynamic variables, pagination, multiple checks |
+| **Google Workspace** | OAuth | User iteration, domain-scoped checks |
+| **AWS** | Custom | Complex credentials, error handling |
+| **Azure** | Custom | Multi-field credentials, API error mapping |
+| **Linear** | OAuth | Simple OAuth, GraphQL |
+| **Vercel** | OAuth | Project scoping, deployment checks |
+
+All integration source code is in `packages/integration-platform/src/manifests/`.
+
+## Need Help?
+
+- Check existing integration manifests for patterns
+- Review type definitions in `src/types.ts`
+- See the [Contributing Guide](/integrations/contributing) for PR requirements
+
diff --git a/packages/docs/openapi.json b/packages/docs/openapi.json
index 225a038f0..14a6f3047 100644
--- a/packages/docs/openapi.json
+++ b/packages/docs/openapi.json
@@ -9517,6 +9517,1016 @@
           "SOA"
         ]
       }
+    },
+    "/v1/integrations/oauth/availability": {
+      "get": {
+        "operationId": "OAuthController_checkAvailability_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth/start": {
+      "post": {
+        "operationId": "OAuthController_startOAuth_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth/callback": {
+      "get": {
+        "operationId": "OAuthController_oauthCallback_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuth"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps": {
+      "get": {
+        "operationId": "OAuthAppsController_listOAuthApps_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      },
+      "post": {
+        "operationId": "OAuthAppsController_saveOAuthApp_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps/setup/{providerSlug}": {
+      "get": {
+        "operationId": "OAuthAppsController_getSetupInfo_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/oauth-apps/{providerSlug}": {
+      "delete": {
+        "operationId": "OAuthAppsController_deleteOAuthApp_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "OAuthApps"
+        ]
+      }
+    },
+    "/v1/integrations/connections/providers": {
+      "get": {
+        "operationId": "ConnectionsController_listProviders_v1",
+        "parameters": [
+          {
+            "name": "activeOnly",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/providers/{slug}": {
+      "get": {
+        "operationId": "ConnectionsController_getProvider_v1",
+        "parameters": [
+          {
+            "name": "slug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections": {
+      "get": {
+        "operationId": "ConnectionsController_listConnections_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      },
+      "post": {
+        "operationId": "ConnectionsController_createConnection_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}": {
+      "get": {
+        "operationId": "ConnectionsController_getConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      },
+      "delete": {
+        "operationId": "ConnectionsController_deleteConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/test": {
+      "post": {
+        "operationId": "ConnectionsController_testConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/pause": {
+      "post": {
+        "operationId": "ConnectionsController_pauseConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/resume": {
+      "post": {
+        "operationId": "ConnectionsController_resumeConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/disconnect": {
+      "post": {
+        "operationId": "ConnectionsController_disconnectConnection_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/ensure-valid-credentials": {
+      "post": {
+        "operationId": "ConnectionsController_ensureValidCredentials_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/integrations/connections/{id}/credentials": {
+      "put": {
+        "operationId": "ConnectionsController_updateCredentials_v1",
+        "parameters": [
+          {
+            "name": "id",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Connections"
+        ]
+      }
+    },
+    "/v1/admin/integrations": {
+      "get": {
+        "operationId": "AdminIntegrationsController_listIntegrations_v1",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/{providerSlug}": {
+      "get": {
+        "operationId": "AdminIntegrationsController_getIntegration_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/credentials": {
+      "post": {
+        "operationId": "AdminIntegrationsController_savePlatformCredentials_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/admin/integrations/credentials/{providerSlug}": {
+      "delete": {
+        "operationId": "AdminIntegrationsController_deletePlatformCredentials_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "AdminIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/checks/providers/{providerSlug}": {
+      "get": {
+        "operationId": "ChecksController_listProviderChecks_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}": {
+      "get": {
+        "operationId": "ChecksController_listConnectionChecks_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}/run": {
+      "post": {
+        "operationId": "ChecksController_runConnectionChecks_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/checks/connections/{connectionId}/run/{checkId}": {
+      "post": {
+        "operationId": "ChecksController_runSingleCheck_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "checkId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Checks"
+        ]
+      }
+    },
+    "/v1/integrations/variables/providers/{providerSlug}": {
+      "get": {
+        "operationId": "VariablesController_getProviderVariables_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/variables/connections/{connectionId}": {
+      "get": {
+        "operationId": "VariablesController_getConnectionVariables_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      },
+      "post": {
+        "operationId": "VariablesController_saveConnectionVariables_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/variables/connections/{connectionId}/options/{variableId}": {
+      "get": {
+        "operationId": "VariablesController_fetchVariableOptions_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "variableId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Variables"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/template/{templateId}/checks": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getChecksForTaskTemplate_v1",
+        "parameters": [
+          {
+            "name": "templateId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/checks": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getChecksForTask_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/run-check": {
+      "post": {
+        "operationId": "TaskIntegrationsController_runCheckForTask_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/tasks/{taskId}/runs": {
+      "get": {
+        "operationId": "TaskIntegrationsController_getTaskCheckRuns_v1",
+        "parameters": [
+          {
+            "name": "taskId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "limit",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "TaskIntegrations"
+        ]
+      }
+    },
+    "/v1/integrations/webhooks/{providerSlug}/{connectionId}": {
+      "post": {
+        "operationId": "WebhookController_handleWebhook_v1",
+        "parameters": [
+          {
+            "name": "providerSlug",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Webhook"
+        ]
+      }
+    },
+    "/v1/integrations/sync/google-workspace/employees": {
+      "post": {
+        "operationId": "SyncController_syncGoogleWorkspaceEmployees_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      }
+    },
+    "/v1/integrations/sync/google-workspace/status": {
+      "post": {
+        "operationId": "SyncController_getGoogleWorkspaceStatus_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      }
+    },
+    "/v1/integrations/sync/rippling/employees": {
+      "post": {
+        "operationId": "SyncController_syncRipplingEmployees_v1",
+        "parameters": [],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      }
+    },
+    "/v1/integrations/sync/rippling/status": {
+      "post": {
+        "operationId": "SyncController_getRipplingStatus_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      }
+    },
+    "/v1/integrations/sync/employee-sync-provider": {
+      "get": {
+        "operationId": "SyncController_getEmployeeSyncProvider_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      },
+      "post": {
+        "operationId": "SyncController_setEmployeeSyncProvider_v1",
+        "parameters": [
+          {
+            "name": "organizationId",
+            "required": true,
+            "in": "query",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "Sync"
+        ]
+      }
+    },
+    "/v1/cloud-security/scan/{connectionId}": {
+      "post": {
+        "operationId": "CloudSecurityController_scan_v1",
+        "parameters": [
+          {
+            "name": "connectionId",
+            "required": true,
+            "in": "path",
+            "schema": {
+              "type": "string"
+            }
+          },
+          {
+            "name": "x-organization-id",
+            "required": true,
+            "in": "header",
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "tags": [
+          "CloudSecurity"
+        ]
+      }
     }
   },
   "info": {
diff --git a/packages/integration-platform/README.md b/packages/integration-platform/README.md
new file mode 100644
index 000000000..55c8f8ab6
--- /dev/null
+++ b/packages/integration-platform/README.md
@@ -0,0 +1,773 @@
+# Integrations
+
+Extensible platform for building integrations that run compliance checks and sync data from third-party services.
+
+## Table of Contents
+
+- [Integration Platform](#integration-platform)
+  - [Table of Contents](#table-of-contents)
+  - [For Developers: Writing Integrations](#for-developers-writing-integrations)
+    - [Quick Start](#quick-start)
+    - [Integration Manifest](#integration-manifest)
+    - [Authentication Types](#authentication-types)
+      - [OAuth 2.0](#oauth-20)
+      - [API Key](#api-key)
+      - [Custom Auth](#custom-auth)
+    - [Writing Checks](#writing-checks)
+      - [CheckContext API](#checkcontext-api)
+    - [Variables](#variables)
+    - [Testing](#testing)
+  - [For Self-Hosters: OAuth Configuration](#for-self-hosters-oauth-configuration)
+    - [Required Setup](#required-setup)
+    - [How OAuth Works](#how-oauth-works)
+    - [Provider-Specific Instructions](#provider-specific-instructions)
+      - [GitHub](#github)
+      - [Google Workspace](#google-workspace)
+      - [Google Cloud Platform (GCP)](#google-cloud-platform-gcp)
+      - [Linear](#linear)
+      - [Rippling](#rippling)
+      - [Vercel](#vercel)
+    - [What Happens if OAuth Isn't Configured?](#what-happens-if-oauth-isnt-configured)
+    - [Environment Variables](#environment-variables)
+  - [Non-OAuth Integrations](#non-oauth-integrations)
+    - [AWS](#aws)
+    - [Azure](#azure)
+  - [Advanced Topics](#advanced-topics)
+    - [Custom Settings for OAuth Apps](#custom-settings-for-oauth-apps)
+    - [Task Mapping](#task-mapping)
+    - [Pagination](#pagination)
+    - [Error Handling](#error-handling)
+  - [File Structure](#file-structure)
+  - [Examples](#examples)
+  - [Deployment Checklist](#deployment-checklist)
+  - [Support](#support)
+
+---
+
+## For Developers: Writing Integrations
+
+### Quick Start
+
+**Create a new integration in 5 steps:**
+
+1. Create a folder in `src/manifests/your-integration/`
+2. Define your manifest (`index.ts`)
+3. Write checks (`checks/your-check.ts`)
+4. Register the manifest (`src/registry/index.ts`)
+5. Test it
+
+### Integration Manifest
+
+The manifest defines your integration's metadata, authentication, and available checks.
+
+**Minimal example (`src/manifests/your-integration/index.ts`):**
+
+```typescript
+import type { IntegrationManifest } from '../../types';
+import { yourCheck } from './checks';
+
+export const yourIntegrationManifest: IntegrationManifest = {
+  // Basic info
+  id: 'your-integration',
+  name: 'Your Integration',
+  description: 'Monitor security and compliance in Your Service',
+  category: 'Cloud', // or 'Identity & Access', 'Developer Tools', etc.
+  logoUrl: 'https://img.logo.dev/your-service.com?token=YOUR_TOKEN',
+  docsUrl: 'https://docs.your-service.com',
+  isActive: true,
+
+  // Authentication (see Authentication Types below)
+  auth: {
+    type: 'oauth2', // or 'api_key', 'basic', 'custom'
+    config: {
+      // Auth-specific config
+    },
+  },
+
+  // API configuration
+  baseUrl: 'https://api.your-service.com',
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+  },
+
+  // What this integration can do
+  capabilities: ['checks'], // 'checks', 'webhook', 'sync'
+
+  // Compliance checks this integration provides
+  checks: [yourCheck],
+};
+```
+
+### Authentication Types
+
+#### OAuth 2.0
+
+For services with OAuth support (GitHub, Google, etc.):
+
+```typescript
+auth: {
+  type: 'oauth2',
+  config: {
+    authorizeUrl: 'https://provider.com/oauth/authorize',
+    tokenUrl: 'https://provider.com/oauth/token',
+    scopes: ['read:user', 'read:org'],
+    pkce: false, // Set true if provider requires PKCE
+    clientAuthMethod: 'body', // or 'header' for Basic Auth
+    supportsRefreshToken: true, // Most OAuth providers support refresh
+
+    // Optional: Additional OAuth params
+    authorizationParams: {
+      access_type: 'offline',
+      prompt: 'consent',
+    },
+
+    // Admin setup instructions (shown in admin UI)
+    setupInstructions: `## Platform Admin: Enable OAuth
+1. Go to provider developer console
+2. Create OAuth application
+3. Add callback URL
+4. Copy Client ID and Secret`,
+
+    createAppUrl: 'https://provider.com/apps/new',
+  },
+},
+```
+
+**Access the token in checks:**
+
+```typescript
+run: async (ctx: CheckContext) => {
+  const accessToken = ctx.accessToken; // Available for OAuth integrations
+  // Use ctx.fetch() which automatically adds the Bearer token
+  const data = await ctx.fetch('/api/endpoint');
+};
+```
+
+#### API Key
+
+For services with API key authentication:
+
+```typescript
+auth: {
+  type: 'api_key',
+  config: {
+    in: 'header', // or 'query'
+    name: 'X-API-Key', // Header name or query param name
+    prefix: 'Bearer ', // Optional prefix
+  },
+},
+```
+
+#### Custom Auth
+
+For complex authentication (service accounts, multi-field credentials):
+
+```typescript
+auth: {
+  type: 'custom',
+  config: {
+    description: 'Service Account credentials',
+    credentialFields: [
+      {
+        id: 'project_id',
+        label: 'Project ID',
+        type: 'text',
+        required: true,
+        placeholder: 'my-project-123',
+        helpText: 'Your project identifier',
+      },
+      {
+        id: 'api_key',
+        label: 'API Key',
+        type: 'password',
+        required: true,
+      },
+      {
+        id: 'region',
+        label: 'Region',
+        type: 'combobox', // Dropdown with custom value support
+        required: true,
+        options: [
+          { value: 'us-east-1', label: 'US East' },
+          { value: 'eu-west-1', label: 'EU West' },
+        ],
+      },
+    ],
+    setupInstructions: `## Setup Instructions
+1. Go to provider settings
+2. Create API credentials
+3. Copy the values below`,
+  },
+},
+```
+
+**Field types:** `'text'`, `'password'`, `'textarea'`, `'select'`, `'combobox'`, `'number'`, `'url'`
+
+**Access credentials in checks:**
+
+```typescript
+run: async (ctx: CheckContext) => {
+  const projectId = ctx.credentials.project_id;
+  const apiKey = ctx.credentials.api_key;
+  const region = ctx.credentials.region;
+};
+```
+
+### Writing Checks
+
+Checks are compliance validations that run against the external service.
+
+**Basic check structure (`checks/your-check.ts`):**
+
+```typescript
+import type { IntegrationCheck, CheckContext } from '../../../types';
+import { TASK_TEMPLATES } from '../../../task-mappings';
+
+export const yourCheck: IntegrationCheck = {
+  // Unique ID (kebab-case)
+  id: 'your-check',
+
+  // Display name
+  name: 'Your Security Check',
+
+  // What this check does
+  description: 'Verifies security settings in Your Service',
+
+  // Map to a compliance task template (optional)
+  taskMapping: TASK_TEMPLATES.twoFactorAuth,
+
+  // Default severity for findings
+  defaultSeverity: 'medium',
+
+  // User-configurable variables (see Variables section)
+  variables: [],
+
+  // The check logic
+  run: async (ctx: CheckContext) => {
+    ctx.log('Starting your check...');
+
+    try {
+      // Fetch data from the service
+      const data = await ctx.fetch<YourDataType>('/api/endpoint');
+
+      // Analyze and report findings
+      if (data.securityEnabled) {
+        ctx.pass({
+          title: 'Security Enabled',
+          resourceType: 'security-setting',
+          resourceId: data.id,
+          description: 'Security is properly configured',
+          evidence: { setting: data.securitySetting },
+        });
+      } else {
+        ctx.fail({
+          title: 'Security Disabled',
+          resourceType: 'security-setting',
+          resourceId: data.id,
+          severity: 'high',
+          description: 'Security setting is not enabled',
+          remediation: 'Enable security in Settings → Security → Enable Protection',
+          evidence: { currentSetting: data.securitySetting },
+        });
+      }
+
+      ctx.log('Check complete');
+    } catch (error) {
+      ctx.fail({
+        title: 'Failed to Check Security Settings',
+        resourceType: 'api-error',
+        resourceId: 'unknown',
+        severity: 'medium',
+        description: `Could not fetch security settings: ${error.message}`,
+        remediation: 'Verify your API credentials and try again',
+        evidence: { error: String(error) },
+      });
+    }
+  },
+};
+```
+
+#### CheckContext API
+
+**Available methods:**
+
+```typescript
+// Logging
+ctx.log('Info message', { optional: 'metadata' });
+ctx.warn('Warning message');
+
+// HTTP requests (OAuth only - auto-adds Bearer token)
+await ctx.fetch<T>('/path');
+await ctx.fetchAllPages<T>('/path'); // Auto-paginate
+
+// GraphQL (if provider supports it)
+await ctx.graphql<T>(query, variables);
+
+// Report findings
+ctx.fail({
+  title: 'Issue Title',
+  resourceType: 'resource-type',
+  resourceId: 'resource-123',
+  severity: 'high', // 'critical' | 'high' | 'medium' | 'low' | 'info'
+  description: 'What is wrong',
+  remediation: 'How to fix it',
+  evidence: { any: 'data' },
+});
+
+ctx.pass({
+  title: 'Check Passed',
+  resourceType: 'resource-type',
+  resourceId: 'resource-123',
+  description: 'What was checked',
+  evidence: { any: 'data' },
+});
+
+// Access data
+ctx.accessToken; // OAuth access token (if OAuth)
+ctx.credentials; // All credentials as key-value object
+ctx.variables; // User-configured variables
+ctx.connectionId; // Current connection ID
+ctx.organizationId; // Current organization ID
+```
+
+### Variables
+
+Variables let users configure check behavior (e.g., which repos to monitor).
+
+**Define variables:**
+
+```typescript
+import type { CheckVariable } from '../../../types';
+
+const targetReposVariable: CheckVariable = {
+  id: 'target_repos',
+  label: 'Repositories to Monitor',
+  type: 'multi-select',
+  required: true,
+  helpText: 'Select which repositories to check',
+
+  // Static options
+  options: [
+    { value: 'repo1', label: 'Main Repository' },
+    { value: 'repo2', label: 'API Repository' },
+  ],
+
+  // OR dynamic options (fetched from API)
+  fetchOptions: async (ctx) => {
+    const repos = await ctx.fetch<Repo[]>('/repos');
+    return repos.map((r) => ({
+      value: r.name,
+      label: r.full_name,
+    }));
+  },
+};
+
+// Use in check
+export const yourCheck: IntegrationCheck = {
+  id: 'your-check',
+  variables: [targetReposVariable],
+
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[];
+    // Use the user-selected repos
+  },
+};
+```
+
+**Variable types:** `'text'`, `'number'`, `'boolean'`, `'select'`, `'multi-select'`
+
+### Testing
+
+**1. Register your manifest:**
+
+```typescript
+// src/registry/index.ts
+import { yourIntegrationManifest } from '../manifests/your-integration';
+
+export const registry: IntegrationRegistry = {
+  // ... existing
+  'your-integration': yourIntegrationManifest,
+};
+```
+
+**2. Create OAuth app (if using OAuth):**
+
+In the admin UI, go to **Admin** → **Integrations** → **OAuth Apps** and configure your Client ID/Secret.
+
+**3. Connect and test:**
+
+1. Go to **Integrations** page
+2. Find your integration
+3. Click **Connect**
+4. Configure any required variables
+5. Go to **Cloud Tests** or a mapped task
+6. Click **Run Scan** or trigger the check
+
+**4. View logs:**
+
+Check logs show up in:
+
+- Cloud Tests page (for security findings)
+- Task automation results (for task-mapped checks)
+- API logs (in your terminal or log aggregator)
+
+---
+
+## For Self-Hosters: OAuth Configuration
+
+### Required Setup
+
+**OAuth integrations require platform-level credentials** that you (the platform admin) configure in your deployment. Users then connect their accounts via OAuth without needing to know your credentials.
+
+### How OAuth Works
+
+1. **Platform admin** (you): Create OAuth app with the provider, configure Client ID/Secret in your deployment
+2. **End users**: Click "Connect" → Sign in with provider → Authorize → Done
+
+### Provider-Specific Instructions
+
+#### GitHub
+
+**1. Create OAuth App:**
+
+- Go to https://github.com/settings/developers
+- Click **New OAuth App**
+- **Application name**: Your App Name
+- **Homepage URL**: Your app URL (e.g., `https://yourapp.com`)
+- **Authorization callback URL**: `https://yourapp.com/v1/integrations/oauth/callback`
+- Copy **Client ID** and **Client Secret**
+
+**2. Configure in Admin UI:**
+
+- Go to `/admin/integrations` in your deployment
+- Find **GitHub** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- Save
+
+**3. Users can now connect GitHub** via OAuth!
+
+---
+
+#### Google Workspace
+
+**1. Create OAuth App:**
+
+- Go to https://console.cloud.google.com
+- Create or select a project
+- Navigate to **APIs & Services** → **OAuth consent screen**
+- Configure consent screen (internal or external)
+- Go to **Credentials** → **Create Credentials** → **OAuth client ID**
+- Select **Web application**
+- Add redirect URI: `https://yourapp.com/v1/integrations/oauth/callback`
+- Copy **Client ID** and **Client Secret**
+
+**2. Enable APIs:**
+In the same GCP project, enable:
+
+- Admin SDK API
+
+**3. Configure in Admin UI:**
+
+- Go to `/admin/integrations`
+- Find **Google Workspace** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- Save
+
+**Note:** Users connecting must be Google Workspace admins.
+
+---
+
+#### Google Cloud Platform (GCP)
+
+**1. Create OAuth App:**
+
+- Go to https://console.cloud.google.com
+- Create or select a project (can reuse the same one as Google Workspace)
+- Navigate to **APIs & Services** → **OAuth consent screen** (if not done already)
+- Go to **Credentials** → **Create Credentials** → **OAuth client ID**
+- Select **Web application**
+- Add redirect URI: `https://yourapp.com/v1/integrations/oauth/callback`
+- Copy **Client ID** and **Client Secret**
+
+**2. Configure in Admin UI:**
+
+- Go to `/admin/integrations`
+- Find **Google Cloud Platform** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- Save
+
+**Important:** GCP and Google Workspace can share the same OAuth app (same Client ID/Secret). The platform will request different scopes for each.
+
+**Note:** Users connecting must have GCP IAM roles like Viewer, Security Center Findings Viewer at the organization level.
+
+---
+
+#### Linear
+
+**1. Create OAuth App:**
+
+- Go to https://linear.app/settings/api
+- Click **Create OAuth application**
+- **Application name**: Your App Name
+- **Callback URLs**: `https://yourapp.com/v1/integrations/oauth/callback`
+- Copy **Client ID** and **Client Secret**
+
+**2. Configure in Admin UI:**
+
+- Go to `/admin/integrations`
+- Find **Linear** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- Save
+
+---
+
+#### Rippling
+
+**1. Request OAuth App:**
+
+- Contact Rippling support to create a marketplace app
+- Provide your callback URL: `https://yourapp.com/v1/integrations/oauth/callback`
+- Rippling will provide Client ID and Client Secret
+
+**2. Configure in Admin UI:**
+
+- Go to `/admin/integrations`
+- Find **Rippling** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- In **Custom Settings**, add:
+  - **App Name**: Your Rippling app name (provided by Rippling)
+- Save
+
+**Note:** Rippling uses a custom `{APP_NAME}` placeholder in the authorize URL.
+
+---
+
+#### Vercel
+
+**1. Create Integration:**
+
+- Go to https://vercel.com/dashboard/integrations/console
+- Click **Create Integration**
+- **Integration name**: Your integration name
+- **Redirect URLs**: `https://yourapp.com/v1/integrations/oauth/callback`
+- Copy **Client ID** and **Client Secret**
+- Copy your **Integration Slug** (e.g., `comp-compliance`)
+
+**2. Configure in Admin UI:**
+
+- Go to `/admin/integrations`
+- Find **Vercel** → **Configure OAuth**
+- Paste Client ID and Client Secret
+- In **Custom Settings**, add:
+  - **Integration Slug**: Your Vercel integration slug
+- Save
+
+---
+
+### What Happens if OAuth Isn't Configured?
+
+**For end users:**
+
+- Integration shows **"Coming Soon"** button (disabled)
+- Can't connect until platform admin configures OAuth
+
+**For platform admins:**
+
+- Integration works normally in admin UI
+- Can test with your own accounts
+- Must configure OAuth before users can connect
+
+### Environment Variables
+
+OAuth credentials are stored in the database, NOT environment variables. This allows:
+
+- Multi-tenancy (different orgs can have different OAuth apps)
+- Easy credential rotation via UI
+- Secure encryption at rest
+
+No `.env` configuration needed for OAuth!
+
+---
+
+## Non-OAuth Integrations
+
+Some integrations use custom auth (AWS, Azure) and don't require platform-level OAuth setup. Users provide their own credentials:
+
+### AWS
+
+- **Auth type**: Custom (IAM Role)
+- **User provides**: Role ARN, External ID, Region
+- **No platform setup needed**
+
+### Azure
+
+- **Auth type**: Custom (Service Principal)
+- **User provides**: Tenant ID, Client ID, Client Secret, Subscription ID
+- **No platform setup needed**
+
+---
+
+## Advanced Topics
+
+### Custom Settings for OAuth Apps
+
+Some OAuth providers need additional configuration beyond Client ID/Secret:
+
+```typescript
+// In manifest
+auth: {
+  type: 'oauth2',
+  config: {
+    // ...
+    customSettings: [
+      {
+        id: 'app_name',
+        label: 'App Name',
+        type: 'text',
+        required: true,
+        helpText: 'Your app name from the provider',
+        token: '{APP_NAME}', // Replaces this in authorizeUrl
+      },
+    ],
+  },
+},
+```
+
+**Example:** Rippling uses `{APP_NAME}` in the authorize URL.
+
+### Task Mapping
+
+Map checks to compliance task templates so they auto-complete tasks:
+
+```typescript
+import { TASK_TEMPLATES } from '../../../task-mappings';
+
+export const yourCheck: IntegrationCheck = {
+  id: 'security-check',
+  taskMapping: TASK_TEMPLATES.twoFactorAuth, // Maps to 2FA task
+  // ...
+};
+```
+
+When this check passes, the "2FA" task is automatically marked as done.
+
+### Pagination
+
+For APIs with pagination:
+
+```typescript
+// Auto-paginate (OAuth only)
+const allItems = await ctx.fetchAllPages<Item>('/items');
+
+// Manual pagination
+let pageToken: string | undefined;
+const allItems: Item[] = [];
+
+do {
+  const response = await ctx.fetch<{ items: Item[]; nextPage?: string }>(
+    `/items?page=${pageToken || 1}`,
+  );
+  allItems.push(...response.items);
+  pageToken = response.nextPage;
+} while (pageToken);
+```
+
+### Error Handling
+
+**Best practices:**
+
+```typescript
+try {
+  const data = await ctx.fetch('/endpoint');
+
+  if (data.items.length === 0) {
+    // Log, don't fail - absence of items isn't always an error
+    ctx.log('No items found');
+    return;
+  }
+
+  // Process data...
+} catch (error) {
+  const errorMessage = error instanceof Error ? error.message : String(error);
+  ctx.log(`API Error: ${errorMessage}`);
+
+  // Check for specific error types
+  if (errorMessage.includes('403') || errorMessage.includes('PERMISSION_DENIED')) {
+    ctx.fail({
+      title: 'Permission Denied',
+      resourceType: 'api-access',
+      resourceId: 'credentials',
+      severity: 'high',
+      description: 'Your account does not have permission to access this resource',
+      remediation: 'Grant the [specific role] to your account in the provider console',
+      evidence: { error: errorMessage },
+    });
+    return;
+  }
+
+  // Generic error
+  ctx.fail({
+    title: 'Failed to Fetch Data',
+    resourceType: 'api-error',
+    resourceId: 'unknown',
+    severity: 'medium',
+    description: 'An error occurred while fetching data from the provider',
+    remediation: 'Verify your connection is active and try again',
+    evidence: { error: errorMessage },
+  });
+}
+```
+
+**Don't show raw API errors to users** - extract meaningful info and provide actionable remediation.
+
+---
+
+## File Structure
+
+```
+manifests/your-integration/
+├── index.ts              # Manifest definition
+├── types.ts              # TypeScript types for this integration
+├── checks/
+│   ├── index.ts          # Export all checks
+│   ├── check-one.ts      # Individual check
+│   └── check-two.ts      # Another check
+├── helpers/
+│   ├── index.ts          # Export helpers
+│   └── api-client.ts     # API client helpers
+└── variables.ts          # Shared variables (optional)
+```
+
+## Examples
+
+Check existing integrations for reference:
+
+- **OAuth**: `manifests/github/`, `manifests/google-workspace/`
+- **Custom Auth**: `manifests/aws/`, `manifests/azure/`, `manifests/gcp/`
+- **Simple**: `manifests/linear/`, `manifests/vercel/`
+
+---
+
+## Deployment Checklist
+
+Before shipping a new integration:
+
+- [ ] Manifest complete with all required fields
+- [ ] All checks tested with real credentials
+- [ ] Error handling for common failure cases
+- [ ] Task mappings configured (if applicable)
+- [ ] Documentation in setup instructions
+- [ ] Registered in `src/registry/index.ts`
+- [ ] OAuth credentials configured (if OAuth)
+- [ ] Logo URL working
+- [ ] Integration tested end-to-end
+
+---
+
+## Support
+
+Questions? Check:
+
+- Existing integration manifests for examples
+- Type definitions in `src/types.ts`
+- Integration platform API in `apps/api/src/integration-platform/`
diff --git a/packages/integration-platform/SELF_HOSTING.md b/packages/integration-platform/SELF_HOSTING.md
new file mode 100644
index 000000000..33fdb6e7a
--- /dev/null
+++ b/packages/integration-platform/SELF_HOSTING.md
@@ -0,0 +1,240 @@
+# Self-Hosting: OAuth Configuration
+
+Quick guide for platform admins self-hosting the application.
+
+## Overview
+
+OAuth integrations (GitHub, Google Workspace, GCP, etc.) require **platform-level OAuth credentials**. You create one OAuth app per provider, and all your users share it.
+
+**You configure once → Users connect easily**
+
+## Quick Setup Flow
+
+1. Create OAuth app with the provider
+2. Get Client ID and Client Secret
+3. Add them in Admin UI (`/admin/integrations`)
+4. Users can now connect via OAuth
+
+---
+
+## Provider Setup
+
+### GitHub
+
+**Time: 5 minutes**
+
+1. Go to https://github.com/settings/developers
+2. Click **New OAuth App**
+3. Fill in:
+   - **Application name**: `Comp AI` (or your deployment name)
+   - **Homepage URL**: `https://yourapp.com`
+   - **Authorization callback URL**: `https://yourapp.com/v1/integrations/oauth/callback`
+4. Click **Register application**
+5. Copy **Client ID**
+6. Click **Generate a new client secret** → Copy it
+
+**Add to platform:**
+- Go to `/admin/integrations` in your deployment
+- Find **GitHub** → Click **Configure**
+- Paste Client ID and Client Secret → Save
+
+✅ Users can now connect GitHub!
+
+---
+
+### Google Workspace & GCP (Shared Setup)
+
+**Time: 10 minutes**
+
+**Tip:** Both integrations can use the **same OAuth app**.
+
+1. Go to https://console.cloud.google.com
+2. Create or select a project
+3. **OAuth Consent Screen:**
+   - Go to **APIs & Services** → **OAuth consent screen**
+   - Select **Internal** (if you're using Google Workspace) or **External**
+   - Fill in app name, support email, etc.
+   - Add scopes (the platform will request them dynamically)
+   - Save
+
+4. **Create Credentials:**
+   - Go to **APIs & Services** → **Credentials**
+   - Click **Create Credentials** → **OAuth client ID**
+   - Select **Web application**
+   - Name: `Comp AI`
+   - **Authorized redirect URIs**: `https://yourapp.com/v1/integrations/oauth/callback`
+   - Create → Copy **Client ID** and **Client Secret**
+
+5. **Enable Required APIs:**
+   - Admin SDK API (for Google Workspace)
+   - Cloud Resource Manager API (for GCP)
+   - Security Command Center API (for GCP)
+
+**Add to platform:**
+
+**For Google Workspace:**
+- Go to `/admin/integrations`
+- Find **Google Workspace** → **Configure**
+- Paste Client ID and Client Secret → Save
+
+**For GCP (use same credentials):**
+- Find **Google Cloud Platform** → **Configure**
+- Paste the **same** Client ID and Client Secret → Save
+
+✅ Users can now connect both integrations with one OAuth app!
+
+---
+
+### Linear
+
+**Time: 5 minutes**
+
+1. Go to https://linear.app/settings/api
+2. Click **Create new OAuth application**
+3. Fill in:
+   - **Name**: `Comp AI`
+   - **Callback URLs**: `https://yourapp.com/v1/integrations/oauth/callback`
+4. Create → Copy **Client ID** and **Client Secret**
+
+**Add to platform:**
+- Go to `/admin/integrations`
+- Find **Linear** → **Configure**
+- Paste Client ID and Client Secret → Save
+
+---
+
+### Vercel
+
+**Time: 5 minutes**
+
+1. Go to https://vercel.com/dashboard/integrations/console
+2. Click **Create Integration**
+3. Fill in:
+   - **Name**: `Comp AI`
+   - **Redirect URL**: `https://yourapp.com/v1/integrations/oauth/callback`
+4. Create → Copy **Client ID**, **Client Secret**, and **Integration Slug**
+
+**Add to platform:**
+- Go to `/admin/integrations`
+- Find **Vercel** → **Configure**
+- Paste Client ID and Client Secret
+- In **Custom Settings** → add **Integration Slug**
+- Save
+
+---
+
+### Rippling
+
+**Time: 15-30 minutes (requires Rippling approval)**
+
+1. Contact Rippling support to create a marketplace integration
+2. Provide your callback URL: `https://yourapp.com/v1/integrations/oauth/callback`
+3. Wait for Rippling to approve and provide:
+   - Client ID
+   - Client Secret
+   - App Name (your Rippling app identifier)
+
+**Add to platform:**
+- Go to `/admin/integrations`
+- Find **Rippling** → **Configure**
+- Paste Client ID and Client Secret
+- In **Custom Settings** → add **App Name**
+- Save
+
+---
+
+## Non-OAuth Integrations
+
+These don't require platform setup - users provide their own credentials:
+
+### AWS
+- **Auth**: IAM Role (users create their own role)
+- **No platform setup needed**
+
+### Azure
+- **Auth**: Service Principal (users create their own)
+- **No platform setup needed**
+
+---
+
+## Troubleshooting
+
+### "Coming Soon" Button Shows
+
+**Problem:** Integration shows "Coming Soon" instead of "Connect"
+
+**Solution:** OAuth credentials not configured. Go to `/admin/integrations` and configure Client ID/Secret for that provider.
+
+---
+
+### OAuth Callback Fails
+
+**Problem:** Users get redirected to an error page after OAuth
+
+**Possible causes:**
+1. **Callback URL mismatch**: Make sure the redirect URI in the OAuth app matches your deployment URL exactly
+2. **Wrong client secret**: Double-check you copied the secret correctly
+3. **API not enabled**: Some providers require enabling APIs (Google Workspace, GCP)
+
+**Debug:**
+Check API logs for the OAuth callback error message.
+
+---
+
+### Users See "Unverified App" Warning (Google)
+
+**Problem:** Google shows a warning screen during OAuth
+
+**This is normal** for:
+- Development/testing
+- Before Google verification
+
+**For production:**
+Submit your app for Google's verification process. Required for the `cloud-platform` scope (GCP integration).
+
+**For testing:**
+Users can click **Advanced** → **Go to [app name] (unsafe)** to proceed.
+
+---
+
+## Security Best Practices
+
+### Protect OAuth Credentials
+
+- ✅ Credentials are encrypted at rest in the database
+- ✅ Never commit credentials to git
+- ✅ Use environment variables for sensitive config (though OAuth credentials are in DB)
+- ✅ Rotate credentials if compromised
+
+### Principle of Least Privilege
+
+OAuth credentials grant broad access, but:
+- We only request the minimum scopes needed
+- Checks only perform read operations
+- User IAM roles further limit actual access
+
+### Callback URL
+
+Always use **HTTPS** in production:
+- ✅ `https://yourapp.com/v1/integrations/oauth/callback`
+- ❌ `http://yourapp.com/...` (insecure)
+
+For local dev:
+- `http://localhost:3000/v1/integrations/oauth/callback` is fine
+
+---
+
+## Summary
+
+**Platform Admin (you) does:**
+1. Create OAuth apps with each provider (one-time, ~5-10 min each)
+2. Add Client ID/Secret to `/admin/integrations`
+3. That's it!
+
+**End Users do:**
+1. Click "Connect"
+2. Sign in with their account
+3. Done!
+
+**No environment variables, no secret management, no complexity.** All credentials are encrypted in the database and managed via the admin UI.
+
diff --git a/packages/integration-platform/package.json b/packages/integration-platform/package.json
new file mode 100644
index 000000000..94a6abd8a
--- /dev/null
+++ b/packages/integration-platform/package.json
@@ -0,0 +1,56 @@
+{
+  "name": "@comp/integration-platform",
+  "version": "1.0.0",
+  "private": true,
+  "sideEffects": false,
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js",
+      "import": "./dist/index.js"
+    },
+    "./types": {
+      "types": "./dist/types.d.ts",
+      "require": "./dist/types.js",
+      "import": "./dist/types.js"
+    },
+    "./registry": {
+      "types": "./dist/registry/index.d.ts",
+      "require": "./dist/registry/index.js",
+      "import": "./dist/registry/index.js"
+    },
+    "./runtime": {
+      "types": "./dist/runtime/index.d.ts",
+      "require": "./dist/runtime/index.js",
+      "import": "./dist/runtime/index.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf .turbo node_modules dist",
+    "dev": "tsc --watch",
+    "format": "prettier --write .",
+    "lint": "prettier --check .",
+    "typecheck": "tsc --noEmit",
+    "verify": "bun run src/validators/manifest-validator.ts",
+    "generate:tasks": "bun run scripts/generate-task-types.ts"
+  },
+  "dependencies": {
+    "@aws-sdk/client-cloudtrail": "^3.943.0",
+    "@aws-sdk/client-iam": "^3.943.0",
+    "@aws-sdk/client-securityhub": "^3.943.0",
+    "@aws-sdk/client-sts": "^3.943.0",
+    "zod": "^3.25.76"
+  },
+  "devDependencies": {
+    "@types/node": "^24.0.3",
+    "@types/react": "^19.1.6",
+    "react": "^19.0.0",
+    "typescript": "^5.8.3"
+  },
+  "peerDependencies": {
+    "react": "^19.0.0"
+  }
+}
diff --git a/packages/integration-platform/scripts/generate-task-types.ts b/packages/integration-platform/scripts/generate-task-types.ts
new file mode 100644
index 000000000..1efe8d16f
--- /dev/null
+++ b/packages/integration-platform/scripts/generate-task-types.ts
@@ -0,0 +1,115 @@
+/**
+ * Script to generate TaskTemplateId type from the task templates JSON.
+ * Run with: bun run scripts/generate-task-types.ts
+ */
+
+import { readFileSync, writeFileSync } from 'fs';
+import { join } from 'path';
+
+interface TaskTemplate {
+  id: string;
+  name: string;
+  description: string;
+  frequency: string;
+  department: string;
+}
+
+const TASK_TEMPLATES_PATH = join(
+  __dirname,
+  '../../../packages/db/prisma/seed/primitives/FrameworkEditorTaskTemplate.json',
+);
+
+const OUTPUT_PATH = join(__dirname, '../src/task-mappings.ts');
+
+function generateTaskTypes() {
+  // Read the JSON file
+  const jsonContent = readFileSync(TASK_TEMPLATES_PATH, 'utf-8');
+  const tasks: TaskTemplate[] = JSON.parse(jsonContent);
+
+  // Generate the TypeScript file
+  const lines: string[] = [
+    '// ============================================================================',
+    '// AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY',
+    '// Generated by: bun run scripts/generate-task-types.ts',
+    '// ============================================================================',
+    '',
+    '/**',
+    ' * All available task template IDs that can be used for task mapping.',
+    ' * These are derived from the FrameworkEditorTaskTemplate seed data.',
+    ' */',
+    'export const TASK_TEMPLATE_IDS = [',
+  ];
+
+  // Add each task ID as a const
+  for (const task of tasks) {
+    lines.push(`  '${task.id}', // ${task.name}`);
+  }
+
+  lines.push('] as const;');
+  lines.push('');
+  lines.push('/**');
+  lines.push(' * Union type of all valid task template IDs.');
+  lines.push(' * Use this for type-safe task mapping in integration checks.');
+  lines.push(' */');
+  lines.push('export type TaskTemplateId = (typeof TASK_TEMPLATE_IDS)[number];');
+  lines.push('');
+
+  // Add a mapping object for easy lookup by name
+  lines.push('/**');
+  lines.push(' * Mapping of task names to their IDs for easier reference.');
+  lines.push(' * Use this when you know the task name but need the ID.');
+  lines.push(' */');
+  lines.push('export const TASK_TEMPLATES = {');
+
+  for (const task of tasks) {
+    // Convert name to a valid JS identifier (camelCase, no special chars)
+    const key = task.name
+      .replace(/[^a-zA-Z0-9\s]/g, '')
+      .split(/\s+/)
+      .map((word, i) =>
+        i === 0 ? word.toLowerCase() : word.charAt(0).toUpperCase() + word.slice(1).toLowerCase(),
+      )
+      .join('');
+
+    lines.push(`  /** ${task.name} */`);
+    lines.push(`  ${key}: '${task.id}',`);
+  }
+
+  lines.push('} as const;');
+  lines.push('');
+
+  // Add a reverse mapping for getting task info by ID
+  lines.push('/**');
+  lines.push(' * Task template metadata for reference.');
+  lines.push(' */');
+  lines.push('export const TASK_TEMPLATE_INFO: Record<');
+  lines.push('  TaskTemplateId,');
+  lines.push('  { name: string; description: string; department: string; frequency: string }');
+  lines.push('> = {');
+
+  for (const task of tasks) {
+    // Escape description for use in template literal
+    const escapedDesc = task.description
+      .replace(/\\/g, '\\\\')
+      .replace(/`/g, '\\`')
+      .replace(/\$/g, '\\$')
+      .substring(0, 100); // Truncate for readability
+
+    lines.push(`  '${task.id}': {`);
+    lines.push(`    name: '${task.name.replace(/'/g, "\\'")}',`);
+    lines.push(`    description: \`${escapedDesc}...\`,`);
+    lines.push(`    department: '${task.department}',`);
+    lines.push(`    frequency: '${task.frequency}',`);
+    lines.push('  },');
+  }
+
+  lines.push('};');
+  lines.push('');
+
+  // Write the output file
+  writeFileSync(OUTPUT_PATH, lines.join('\n'));
+  console.log(`✅ Generated ${OUTPUT_PATH}`);
+  console.log(`   ${tasks.length} task templates`);
+}
+
+generateTaskTypes();
diff --git a/packages/integration-platform/src/api-types.ts b/packages/integration-platform/src/api-types.ts
new file mode 100644
index 000000000..ab69d7431
--- /dev/null
+++ b/packages/integration-platform/src/api-types.ts
@@ -0,0 +1,181 @@
+/**
+ * API Response Types
+ *
+ * These types represent the shape of data returned by API endpoints.
+ * Used by both the API (for response typing) and frontend (for request typing).
+ */
+
+import type { CredentialField } from './types';
+
+// Re-export CredentialField for convenience
+export type { CredentialField };
+
+/**
+ * Integration provider as returned by the API
+ */
+export interface IntegrationProviderResponse {
+  id: string;
+  slug: string;
+  name: string;
+  description: string;
+  category: string;
+  logoUrl: string;
+  authType: 'oauth2' | 'api_key' | 'basic' | 'jwt' | 'custom';
+  capabilities: string[];
+  isActive: boolean;
+  docsUrl?: string;
+  credentialFields?: CredentialField[];
+  setupInstructions?: string;
+  /** For OAuth providers: whether platform admin has configured credentials */
+  oauthConfigured?: boolean;
+  /** Tasks that will be auto-satisfied when this integration is connected */
+  mappedTasks?: Array<{ id: string; name: string }>;
+  /** Required variables that must be configured after connection */
+  requiredVariables?: string[];
+}
+
+/**
+ * Connection status values
+ */
+export type ConnectionStatusValue = 'pending' | 'active' | 'error' | 'paused' | 'disconnected';
+
+/**
+ * Integration connection as returned by the API
+ */
+export interface IntegrationConnectionResponse {
+  id: string;
+  providerId: string;
+  providerSlug: string;
+  providerName: string;
+  status: ConnectionStatusValue;
+  authStrategy: string;
+  lastSyncAt: string | null;
+  nextSyncAt: string | null;
+  syncCadence: string | null;
+  metadata: Record<string, unknown> | null;
+  errorMessage: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+/**
+ * Connection list item (lighter version for lists)
+ */
+export interface ConnectionListItemResponse {
+  id: string;
+  providerId: string;
+  providerSlug: string;
+  providerName: string;
+  status: ConnectionStatusValue;
+  authStrategy: string;
+  lastSyncAt: string | null;
+  nextSyncAt: string | null;
+  errorMessage: string | null;
+  variables: Record<string, string | number | boolean | string[]> | null;
+  createdAt: string;
+}
+
+/**
+ * OAuth start response
+ */
+export interface OAuthStartResponse {
+  authorizationUrl: string;
+}
+
+/**
+ * OAuth availability check response
+ */
+export interface OAuthAvailabilityResponse {
+  available: boolean;
+  hasOrgCredentials: boolean;
+  hasPlatformCredentials: boolean;
+  setupInstructions?: string;
+  createAppUrl?: string;
+}
+
+/**
+ * Test connection response
+ */
+export interface TestConnectionResponse {
+  success: boolean;
+  message: string;
+}
+
+/**
+ * Create connection response
+ */
+export interface CreateConnectionResponse {
+  success: boolean;
+  connectionId?: string;
+  error?: string;
+}
+
+/**
+ * Variable option for dynamic selects
+ */
+export interface VariableOptionResponse {
+  value: string;
+  label: string;
+}
+
+/**
+ * Integration check for a task
+ */
+export interface TaskIntegrationCheckResponse {
+  taskId: string;
+  checkId: string;
+  checkName: string;
+  integrationId: string;
+  integrationName: string;
+  integrationLogoUrl: string;
+  connectionId: string | null;
+  connectionStatus: ConnectionStatusValue | null;
+  lastRunAt: string | null;
+  lastRunStatus: 'passed' | 'failed' | 'error' | null;
+  needsConfiguration: boolean;
+}
+
+/**
+ * Check run history item
+ */
+export interface CheckRunHistoryItemResponse {
+  id: string;
+  checkId: string;
+  checkName: string;
+  status: 'passed' | 'failed' | 'error' | 'running';
+  startedAt: string;
+  completedAt: string | null;
+  durationMs: number | null;
+  totalChecked: number;
+  passedCount: number;
+  failedCount: number;
+  errorMessage: string | null;
+  findings: CheckRunFindingResponse[];
+  passingResults: CheckRunPassingResponse[];
+}
+
+/**
+ * Check run finding
+ */
+export interface CheckRunFindingResponse {
+  id: string;
+  title: string;
+  description: string;
+  resourceType: string;
+  resourceId: string;
+  severity: 'info' | 'low' | 'medium' | 'high' | 'critical';
+  remediation: string | null;
+  evidence: Record<string, unknown>;
+}
+
+/**
+ * Check run passing result
+ */
+export interface CheckRunPassingResponse {
+  id: string;
+  title: string;
+  description: string;
+  resourceType: string;
+  resourceId: string;
+  evidence: Record<string, unknown>;
+}
diff --git a/packages/integration-platform/src/index.ts b/packages/integration-platform/src/index.ts
new file mode 100644
index 000000000..7ac5fc91f
--- /dev/null
+++ b/packages/integration-platform/src/index.ts
@@ -0,0 +1,114 @@
+// ============================================================================
+// Integration Platform - Main Exports
+// ============================================================================
+
+// Types
+export type {
+  // Auth types
+  ApiKeyConfig,
+  AuthStrategy,
+  AuthStrategyType,
+  BasicAuthConfig,
+  // Check types
+  CheckContext,
+  CheckEvidence,
+  CheckFindingResult,
+  CheckPassingResult,
+  CheckVariable,
+  CheckVariableType,
+  CheckVariableValues,
+  // Connection & Run types
+  ConnectionStatus,
+  // Credential types
+  CredentialField,
+  CustomAuthConfig,
+  // Finding types
+  FindingSeverity,
+  FindingStatus,
+  // Capability types
+  IntegrationCapability,
+  // Category type
+  IntegrationCategory,
+  IntegrationCheck,
+  // Handler types
+  IntegrationCredentials,
+  IntegrationFinding,
+  IntegrationHandler,
+  // Manifest type
+  IntegrationManifest,
+  // Registry type
+  IntegrationRegistry,
+  JwtConfig,
+  OAuthConfig,
+  RunJobType,
+  RunStatus,
+  VariableFetchContext,
+  // Webhook types
+  WebhookConfig,
+} from './types';
+
+// Zod schemas for validation
+export {
+  ApiKeyConfigSchema,
+  BasicAuthConfigSchema,
+  CredentialFieldSchema,
+  CustomAuthConfigSchema,
+  JwtConfigSchema,
+  OAuthConfigSchema,
+  WebhookConfigSchema,
+} from './types';
+
+// Registry
+export {
+  getActiveManifests,
+  getAllManifests,
+  getByCategory,
+  getCategoriesWithCounts,
+  getHandler,
+  getIntegrationIds,
+  getManifest,
+  getOAuthConfig,
+  registry,
+  requiresOAuth,
+} from './registry';
+
+// Runtime (check execution)
+export {
+  createCheckContext,
+  getAvailableChecks,
+  runAllChecks,
+  runCheck,
+  type CheckContextOptions,
+  type CheckResult,
+  type CheckRunResult,
+  type RunAllChecksResult,
+  type RunCheckOptions,
+} from './runtime';
+
+// Task mappings (for type-safe task mapping in checks)
+export {
+  TASK_TEMPLATES,
+  TASK_TEMPLATE_IDS,
+  TASK_TEMPLATE_INFO,
+  type TaskTemplateId,
+} from './task-mappings';
+
+// Individual manifests (for direct import if needed)
+export { manifest as githubManifest } from './manifests/github';
+
+// API Response types (for frontend and API type sharing)
+export type {
+  CheckRunFindingResponse,
+  CheckRunHistoryItemResponse,
+  CheckRunPassingResponse,
+  ConnectionListItemResponse,
+  ConnectionStatusValue,
+  CreateConnectionResponse,
+  IntegrationConnectionResponse,
+  IntegrationProviderResponse,
+  OAuthAvailabilityResponse,
+  OAuthStartResponse,
+  TaskIntegrationCheckResponse,
+  TestConnectionResponse,
+  VariableOptionResponse,
+} from './api-types';
diff --git a/packages/integration-platform/src/manifests/_template/checks/example-check.ts b/packages/integration-platform/src/manifests/_template/checks/example-check.ts
new file mode 100644
index 000000000..670d15f26
--- /dev/null
+++ b/packages/integration-platform/src/manifests/_template/checks/example-check.ts
@@ -0,0 +1,56 @@
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { IntegrationCheck } from '../../../types';
+import type { ExampleResource } from '../types';
+import { targetResourcesVariable } from '../variables';
+
+export const exampleCheck: IntegrationCheck = {
+  id: 'example_check',
+  name: 'Example Security Check',
+  description: 'Verify that resources have proper security configuration',
+  taskMapping: TASK_TEMPLATES.secureCode,
+  defaultSeverity: 'medium',
+  variables: [targetResourcesVariable],
+
+  run: async (ctx) => {
+    const targetResources = ctx.variables.target_resources as string[] | undefined;
+
+    let resources: ExampleResource[];
+    if (targetResources?.length) {
+      resources = [];
+      for (const id of targetResources) {
+        try {
+          resources.push(await ctx.fetch<ExampleResource>(`/resources/${id}`));
+        } catch {
+          ctx.warn(`Could not fetch resource ${id}`);
+        }
+      }
+    } else {
+      resources = await ctx.fetch<ExampleResource[]>('/resources');
+    }
+
+    ctx.log(`Checking ${resources.length} resources`);
+
+    for (const resource of resources) {
+      const isCompliant = resource.status === 'active';
+
+      if (isCompliant) {
+        ctx.pass({
+          title: `${resource.name} is compliant`,
+          description: 'Resource has correct security configuration.',
+          resourceType: 'resource',
+          resourceId: resource.id,
+          evidence: { status: resource.status, raw: resource },
+        });
+      } else {
+        ctx.fail({
+          title: `${resource.name} is not compliant`,
+          description: 'Resource lacks required security configuration.',
+          resourceType: 'resource',
+          resourceId: resource.id,
+          severity: 'medium',
+          remediation: '1. Go to resource settings\n2. Enable security feature\n3. Save',
+        });
+      }
+    }
+  },
+};
diff --git a/packages/integration-platform/src/manifests/_template/checks/index.ts b/packages/integration-platform/src/manifests/_template/checks/index.ts
new file mode 100644
index 000000000..34f1c3f1d
--- /dev/null
+++ b/packages/integration-platform/src/manifests/_template/checks/index.ts
@@ -0,0 +1,8 @@
+/**
+ * Check Exports
+ *
+ * Export all checks from this folder for use in the manifest.
+ * Add new exports here as you create more checks.
+ */
+
+export { exampleCheck } from './example-check';
diff --git a/packages/integration-platform/src/manifests/_template/index.ts b/packages/integration-platform/src/manifests/_template/index.ts
new file mode 100644
index 000000000..9d06e585f
--- /dev/null
+++ b/packages/integration-platform/src/manifests/_template/index.ts
@@ -0,0 +1,67 @@
+/**
+ * Integration Manifest Template
+ *
+ * Steps to create a new integration:
+ * 1. Copy this folder to src/manifests/your-integration/
+ * 2. Update manifest details below
+ * 3. Implement checks in checks/
+ * 4. Register in src/registry/index.ts
+ * 5. Run `bun run verify` then `bun run build`
+ */
+
+import type { IntegrationManifest } from '../../types';
+import { exampleCheck } from './checks';
+
+export const manifest: IntegrationManifest = {
+  id: 'your-integration',
+  name: 'Your Integration',
+  description: 'Connect Your Integration to monitor security compliance.',
+  category: 'Development',
+  logoUrl: 'https://img.logo.dev/example.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ',
+  docsUrl: 'https://docs.trycomp.ai/integrations/your-integration',
+
+  baseUrl: 'https://api.example.com',
+  defaultHeaders: {
+    Accept: 'application/json',
+  },
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://example.com/oauth/authorize',
+      tokenUrl: 'https://example.com/oauth/token',
+      scopes: ['read', 'write'],
+      pkce: false,
+      clientAuthMethod: 'body',
+      supportsRefreshToken: true,
+      setupInstructions: `1. Create OAuth app at provider's developer settings
+2. Set callback URL to: {CALLBACK_URL}
+3. Copy Client ID and Secret`,
+      createAppUrl: 'https://example.com/developers',
+    },
+  },
+
+  /*
+  // API Key auth:
+  auth: {
+    type: 'api_key',
+    config: { in: 'header', name: 'Authorization', prefix: 'Bearer ' },
+  },
+  credentialFields: [
+    { id: 'api_key', label: 'API Key', type: 'password', required: true },
+  ],
+
+  // Basic auth:
+  auth: {
+    type: 'basic',
+    config: { usernameField: 'username', passwordField: 'password' },
+  },
+  */
+
+  capabilities: ['checks'],
+  checks: [exampleCheck],
+  isActive: false,
+};
+
+export default manifest;
+export * from './types';
diff --git a/packages/integration-platform/src/manifests/_template/types.ts b/packages/integration-platform/src/manifests/_template/types.ts
new file mode 100644
index 000000000..ed268ce59
--- /dev/null
+++ b/packages/integration-platform/src/manifests/_template/types.ts
@@ -0,0 +1,20 @@
+/**
+ * API Types for Your Integration
+ *
+ * Define types that match the external API responses.
+ * These provide type safety when making API calls in checks.
+ */
+
+// Example: Define types for your API responses
+export interface ExampleResource {
+  id: string;
+  name: string;
+  status: 'active' | 'inactive';
+  createdAt: string;
+}
+
+export interface ExampleUser {
+  id: string;
+  email: string;
+  role: string;
+}
diff --git a/packages/integration-platform/src/manifests/_template/variables.ts b/packages/integration-platform/src/manifests/_template/variables.ts
new file mode 100644
index 000000000..d8cc7d66f
--- /dev/null
+++ b/packages/integration-platform/src/manifests/_template/variables.ts
@@ -0,0 +1,43 @@
+/**
+ * Shared Variables for Your Integration
+ *
+ * Define variables that can be reused across multiple checks.
+ * Variables allow users to configure how checks run.
+ */
+
+import type { CheckVariable } from '../../types';
+import type { ExampleResource } from './types';
+
+/**
+ * Example: Variable for selecting which resources to monitor.
+ * This dynamically fetches options from the API.
+ */
+export const targetResourcesVariable: CheckVariable = {
+  id: 'target_resources',
+  label: 'Resources to monitor',
+  type: 'multi-select',
+  required: false,
+  helpText: 'Leave empty to check all resources',
+  fetchOptions: async (ctx) => {
+    // Fetch resources from the API
+    const resources = await ctx.fetch<ExampleResource[]>('/resources');
+
+    return resources.map((r) => ({
+      value: r.id,
+      label: `${r.name} (${r.status})`,
+    }));
+  },
+};
+
+/**
+ * Example: Simple text variable
+ */
+export const thresholdVariable: CheckVariable = {
+  id: 'threshold',
+  label: 'Alert threshold',
+  type: 'text',
+  required: false,
+  default: '10',
+  placeholder: '10',
+  helpText: 'Minimum number before alerting',
+};
diff --git a/packages/integration-platform/src/manifests/aws/credentials.ts b/packages/integration-platform/src/manifests/aws/credentials.ts
new file mode 100644
index 000000000..33fc7ad93
--- /dev/null
+++ b/packages/integration-platform/src/manifests/aws/credentials.ts
@@ -0,0 +1,214 @@
+import { z } from 'zod';
+
+/**
+ * AWS credential fields for the connection form
+ */
+export const awsCredentialFields = [
+  {
+    id: 'roleArn',
+    label: 'IAM Role ARN',
+    type: 'text' as const,
+    required: true,
+    placeholder: 'arn:aws:iam::123456789012:role/ComplianceAuditRole',
+    helpText: 'The ARN of the IAM role you created for Comp to assume',
+  },
+  {
+    id: 'externalId',
+    label: 'External ID',
+    type: 'text' as const,
+    required: true,
+    placeholder: 'Use your organization ID (e.g., org_abc123)',
+    helpText:
+      'A unique identifier you choose. Use the same value here AND in your IAM trust policy. Your organization ID works well for this.',
+  },
+  {
+    id: 'region',
+    label: 'Primary AWS Region',
+    type: 'combobox' as const,
+    required: true,
+    placeholder: 'Select or type a region...',
+    helpText: 'Select a common region or type your own (e.g., us-east-1, eu-west-1)',
+    options: [
+      { value: 'us-east-1', label: 'US East (N. Virginia)' },
+      { value: 'us-east-2', label: 'US East (Ohio)' },
+      { value: 'us-west-1', label: 'US West (N. California)' },
+      { value: 'us-west-2', label: 'US West (Oregon)' },
+      { value: 'eu-west-1', label: 'Europe (Ireland)' },
+      { value: 'eu-west-2', label: 'Europe (London)' },
+      { value: 'eu-central-1', label: 'Europe (Frankfurt)' },
+      { value: 'ap-northeast-1', label: 'Asia Pacific (Tokyo)' },
+      { value: 'ap-southeast-1', label: 'Asia Pacific (Singapore)' },
+      { value: 'ap-southeast-2', label: 'Asia Pacific (Sydney)' },
+    ],
+  },
+];
+
+/**
+ * Validation schema for AWS credentials
+ */
+export const awsCredentialSchema = z.object({
+  roleArn: z
+    .string()
+    .regex(
+      /^arn:aws:iam::\d{12}:role\/.+$/,
+      'Must be a valid IAM Role ARN (arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME)',
+    ),
+  externalId: z.string().min(1),
+  region: z.string().min(1),
+});
+
+/**
+ * Minimal IAM policy - only what's needed for Security Hub checks
+ */
+export const awsMinimalPolicy = {
+  Version: '2012-10-17',
+  Statement: [
+    {
+      Sid: 'SecurityHubReadOnly',
+      Effect: 'Allow',
+      Action: ['securityhub:GetFindings', 'securityhub:DescribeHub'],
+      Resource: '*',
+    },
+  ],
+};
+
+/**
+ * Comprehensive IAM policy for additional future compliance checks
+ * (Not required if you only want Security Hub findings)
+ */
+export const awsRecommendedPolicy = {
+  Version: '2012-10-17',
+  Statement: [
+    {
+      Sid: 'AccessReviewAndRBAC',
+      Effect: 'Allow',
+      Action: [
+        'iam:ListUsers',
+        'iam:ListRoles',
+        'iam:ListGroups',
+        'iam:ListPolicies',
+        'iam:GetUser',
+        'iam:GetRole',
+        'iam:GetGroup',
+        'iam:GetPolicy',
+        'iam:GetPolicyVersion',
+        'iam:ListAttachedUserPolicies',
+        'iam:ListAttachedRolePolicies',
+        'iam:ListAttachedGroupPolicies',
+        'iam:ListUserPolicies',
+        'iam:ListRolePolicies',
+        'iam:ListGroupPolicies',
+        'iam:GetAccountAuthorizationDetails',
+        'iam:ListMFADevices',
+        'iam:GetLoginProfile',
+        'iam:ListAccessKeys',
+        'iam:GetAccessKeyLastUsed',
+        'cloudtrail:DescribeTrails',
+        'cloudtrail:GetTrailStatus',
+        'cloudtrail:LookupEvents',
+      ],
+      Resource: '*',
+    },
+    {
+      Sid: 'MonitoringAndAlerting',
+      Effect: 'Allow',
+      Action: [
+        'cloudwatch:DescribeAlarms',
+        'cloudwatch:DescribeAlarmsForMetric',
+        'cloudwatch:ListMetrics',
+        'sns:ListTopics',
+        'sns:ListSubscriptions',
+        'sns:GetTopicAttributes',
+        'events:ListRules',
+        'events:DescribeRule',
+        'logs:DescribeLogGroups',
+        'logs:DescribeMetricFilters',
+      ],
+      Resource: '*',
+    },
+    {
+      Sid: 'AutoscalingAndAvailability',
+      Effect: 'Allow',
+      Action: [
+        'autoscaling:DescribeAutoScalingGroups',
+        'autoscaling:DescribeLaunchConfigurations',
+        'autoscaling:DescribePolicies',
+        'elasticloadbalancing:DescribeLoadBalancers',
+        'elasticloadbalancing:DescribeTargetGroups',
+        'elasticloadbalancing:DescribeTargetHealth',
+        'ec2:DescribeInstances',
+        'ec2:DescribeAvailabilityZones',
+        'ec2:DescribeRegions',
+      ],
+      Resource: '*',
+    },
+    {
+      Sid: 'EncryptionAtRest',
+      Effect: 'Allow',
+      Action: [
+        's3:ListAllMyBuckets',
+        's3:GetBucketEncryption',
+        's3:GetBucketPublicAccessBlock',
+        'ec2:DescribeVolumes',
+        'rds:DescribeDBInstances',
+        'rds:DescribeDBClusters',
+        'dynamodb:ListTables',
+        'dynamodb:DescribeTable',
+        'kms:ListKeys',
+        'kms:DescribeKey',
+        'kms:GetKeyRotationStatus',
+      ],
+      Resource: '*',
+    },
+    {
+      Sid: 'BackupAndRecovery',
+      Effect: 'Allow',
+      Action: [
+        'backup:ListBackupPlans',
+        'backup:GetBackupPlan',
+        'backup:ListBackupVaults',
+        'backup:ListRecoveryPointsByBackupVault',
+        'rds:DescribeDBSnapshots',
+        'rds:DescribeDBClusterSnapshots',
+        'dynamodb:DescribeContinuousBackups',
+        'ec2:DescribeSnapshots',
+        's3:GetBucketVersioning',
+      ],
+      Resource: '*',
+    },
+  ],
+};
+
+/**
+ * Setup instructions for AWS IAM Role
+ */
+export const awsSetupInstructions = `## Quick Setup
+
+### 1. Create IAM Role
+IAM Console → Roles → Create role → Custom trust policy
+
+**Trust Policy** (replace YOUR_EXTERNAL_ID with your organization ID):
+\`\`\`json
+{
+  "Version": "2012-10-17",
+  "Statement": [{
+    "Effect": "Allow",
+    "Principal": { "AWS": "*" },
+    "Action": "sts:AssumeRole",
+    "Condition": {
+      "StringEquals": { "sts:ExternalId": "YOUR_EXTERNAL_ID" }
+    }
+  }]
+}
+\`\`\`
+
+### 2. Attach Permissions
+Select **SecurityAudit** managed policy.
+
+### 3. Name the Role
+• **Name**: CompSecurityAudit
+• **Description**: Read-only access for Comp AI compliance monitoring
+
+### 4. Copy ARN
+After creating, copy the Role ARN (looks like \`arn:aws:iam::123456789012:role/CompSecurityAudit\`)
+`;
diff --git a/packages/integration-platform/src/manifests/aws/helpers/aws-client.ts b/packages/integration-platform/src/manifests/aws/helpers/aws-client.ts
new file mode 100644
index 000000000..25b0690e4
--- /dev/null
+++ b/packages/integration-platform/src/manifests/aws/helpers/aws-client.ts
@@ -0,0 +1,275 @@
+/**
+ * AWS Client Helper
+ *
+ * Shared helper for AWS checks. Handles STS AssumeRole and creates
+ * authenticated clients for AWS services.
+ *
+ * Usage in a check:
+ * ```ts
+ * import { createAWSClients } from '../helpers/aws-client';
+ *
+ * const aws = await createAWSClients(ctx.credentials, ctx.log);
+ * const users = await aws.iam.send(new ListUsersCommand({}));
+ * ```
+ */
+
+import {
+  CloudTrailClient,
+  LookupEventsCommand,
+  type LookupEventsCommandOutput,
+} from '@aws-sdk/client-cloudtrail';
+import {
+  GetAccessKeyLastUsedCommand,
+  IAMClient,
+  ListAccessKeysCommand,
+  ListGroupsForUserCommand,
+  ListMFADevicesCommand,
+  ListUsersCommand,
+  type ListAccessKeysCommandOutput,
+  type ListGroupsForUserCommandOutput,
+  type ListMFADevicesCommandOutput,
+  type ListUsersCommandOutput,
+} from '@aws-sdk/client-iam';
+import { SecurityHubClient } from '@aws-sdk/client-securityhub';
+import { AssumeRoleCommand, STSClient } from '@aws-sdk/client-sts';
+
+/**
+ * IAM Role credentials (new method - more secure)
+ */
+export interface AWSRoleCredentials {
+  roleArn: string;
+  externalId: string;
+  region: string;
+}
+
+/**
+ * Access Key credentials (legacy method)
+ */
+export interface AWSAccessKeyCredentials {
+  access_key_id: string;
+  secret_access_key: string;
+  region: string;
+}
+
+/**
+ * Union type for all supported AWS credential types
+ */
+export type AWSCredentials = AWSRoleCredentials | AWSAccessKeyCredentials;
+
+/**
+ * Type guard to check if credentials are IAM Role based
+ */
+export function isRoleCredentials(creds: AWSCredentials): creds is AWSRoleCredentials {
+  return 'roleArn' in creds && 'externalId' in creds;
+}
+
+/**
+ * Type guard to check if credentials are Access Key based (legacy)
+ */
+export function isAccessKeyCredentials(creds: AWSCredentials): creds is AWSAccessKeyCredentials {
+  return 'access_key_id' in creds && 'secret_access_key' in creds;
+}
+
+export interface AWSClients {
+  iam: IAMClient;
+  cloudtrail: CloudTrailClient;
+  securityHub: SecurityHubClient;
+  region: string;
+}
+
+/**
+ * Creates authenticated AWS clients.
+ * Supports both IAM Role assumption (new) and direct access keys (legacy).
+ *
+ * @param credentials - The AWS credentials from the integration connection
+ * @param log - Logger function from check context
+ * @returns Authenticated AWS service clients
+ */
+export async function createAWSClients(
+  credentials: AWSCredentials,
+  log: (message: string) => void,
+): Promise<AWSClients> {
+  let awsCredentials: {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken?: string;
+  };
+  let region: string;
+
+  if (isRoleCredentials(credentials)) {
+    // New method: IAM Role assumption
+    const { roleArn, externalId, region: credRegion } = credentials;
+    region = credRegion;
+
+    log(`Assuming role ${roleArn} in region ${region}`);
+
+    const sts = new STSClient({ region });
+    const assumeRoleResponse = await sts.send(
+      new AssumeRoleCommand({
+        RoleArn: roleArn,
+        ExternalId: externalId,
+        RoleSessionName: 'CompSecurityAudit',
+        DurationSeconds: 3600,
+      }),
+    );
+
+    if (!assumeRoleResponse.Credentials) {
+      throw new Error('Failed to assume role - no credentials returned');
+    }
+
+    awsCredentials = {
+      accessKeyId: assumeRoleResponse.Credentials.AccessKeyId!,
+      secretAccessKey: assumeRoleResponse.Credentials.SecretAccessKey!,
+      sessionToken: assumeRoleResponse.Credentials.SessionToken!,
+    };
+
+    log('Successfully assumed role, creating service clients');
+  } else if (isAccessKeyCredentials(credentials)) {
+    // Legacy method: Direct access keys
+    const { access_key_id, secret_access_key, region: credRegion } = credentials;
+    region = credRegion;
+
+    log(`Using direct access keys in region ${region}`);
+
+    awsCredentials = {
+      accessKeyId: access_key_id,
+      secretAccessKey: secret_access_key,
+    };
+
+    log('Using access key credentials, creating service clients');
+  } else {
+    throw new Error('Invalid AWS credentials - must provide either roleArn or access_key_id');
+  }
+
+  // Create authenticated clients
+  return {
+    iam: new IAMClient({ region, credentials: awsCredentials }),
+    cloudtrail: new CloudTrailClient({ region, credentials: awsCredentials }),
+    securityHub: new SecurityHubClient({ region, credentials: awsCredentials }),
+    region,
+  };
+}
+
+// ============================================================================
+// Convenience functions for common operations
+// ============================================================================
+
+/**
+ * List all IAM users with pagination
+ */
+export async function listAllUsers(iam: IAMClient): Promise<ListUsersCommandOutput['Users']> {
+  const users: NonNullable<ListUsersCommandOutput['Users']> = [];
+  let marker: string | undefined;
+
+  do {
+    const response = await iam.send(new ListUsersCommand({ Marker: marker }));
+    if (response.Users) {
+      users.push(...response.Users);
+    }
+    marker = response.Marker;
+  } while (marker);
+
+  return users;
+}
+
+/**
+ * List groups that a user belongs to
+ */
+export async function listUserGroups(
+  iam: IAMClient,
+  userName: string,
+): Promise<ListGroupsForUserCommandOutput['Groups']> {
+  const response = await iam.send(new ListGroupsForUserCommand({ UserName: userName }));
+  return response.Groups || [];
+}
+
+/**
+ * Get MFA devices for a user
+ */
+export async function getUserMFADevices(
+  iam: IAMClient,
+  userName: string,
+): Promise<ListMFADevicesCommandOutput['MFADevices']> {
+  const response = await iam.send(new ListMFADevicesCommand({ UserName: userName }));
+  return response.MFADevices || [];
+}
+
+/**
+ * Get access keys for a user
+ */
+export async function getUserAccessKeys(
+  iam: IAMClient,
+  userName: string,
+): Promise<ListAccessKeysCommandOutput['AccessKeyMetadata']> {
+  const response = await iam.send(new ListAccessKeysCommand({ UserName: userName }));
+  return response.AccessKeyMetadata || [];
+}
+
+/**
+ * Get last used info for an access key
+ */
+export async function getAccessKeyLastUsed(
+  iam: IAMClient,
+  accessKeyId: string,
+): Promise<{ lastUsedDate?: Date; serviceName?: string; region?: string }> {
+  const response = await iam.send(new GetAccessKeyLastUsedCommand({ AccessKeyId: accessKeyId }));
+  return {
+    lastUsedDate: response.AccessKeyLastUsed?.LastUsedDate,
+    serviceName: response.AccessKeyLastUsed?.ServiceName,
+    region: response.AccessKeyLastUsed?.Region,
+  };
+}
+
+/**
+ * Lookup recent IAM events in CloudTrail
+ */
+export async function lookupIAMEvents(
+  cloudtrail: CloudTrailClient,
+  options: {
+    startTime?: Date;
+    endTime?: Date;
+    maxResults?: number;
+  } = {},
+): Promise<LookupEventsCommandOutput['Events']> {
+  const { startTime, endTime, maxResults = 50 } = options;
+
+  // Default to last 7 days if not specified
+  const defaultStartTime = new Date();
+  defaultStartTime.setDate(defaultStartTime.getDate() - 7);
+
+  const response = await cloudtrail.send(
+    new LookupEventsCommand({
+      LookupAttributes: [
+        {
+          AttributeKey: 'EventSource',
+          AttributeValue: 'iam.amazonaws.com',
+        },
+      ],
+      StartTime: startTime || defaultStartTime,
+      EndTime: endTime || new Date(),
+      MaxResults: maxResults,
+    }),
+  );
+
+  return response.Events || [];
+}
+
+/**
+ * Security Hub finding as returned by the API
+ */
+export interface SecurityHubFinding {
+  id: string;
+  title: string;
+  description: string;
+  remediation: string;
+  status: string;
+  severity: string;
+  resourceType: string;
+  resourceId: string;
+  awsAccountId: string;
+  region: string;
+  complianceStatus: string;
+  generatorId: string;
+  createdAt: string;
+  updatedAt: string;
+}
diff --git a/packages/integration-platform/src/manifests/aws/helpers/index.ts b/packages/integration-platform/src/manifests/aws/helpers/index.ts
new file mode 100644
index 000000000..011d5ff37
--- /dev/null
+++ b/packages/integration-platform/src/manifests/aws/helpers/index.ts
@@ -0,0 +1,26 @@
+/**
+ * AWS Helpers
+ *
+ * Shared utilities for AWS checks. Import these in your checks:
+ *
+ * ```ts
+ * import { createAWSClients, listAllUsers } from '../helpers';
+ * ```
+ */
+
+export {
+  createAWSClients,
+  getAccessKeyLastUsed,
+  getUserAccessKeys,
+  getUserMFADevices,
+  isAccessKeyCredentials,
+  isRoleCredentials,
+  listAllUsers,
+  listUserGroups,
+  lookupIAMEvents,
+  type AWSAccessKeyCredentials,
+  type AWSClients,
+  type AWSCredentials,
+  type AWSRoleCredentials,
+  type SecurityHubFinding,
+} from './aws-client';
diff --git a/packages/integration-platform/src/manifests/aws/index.ts b/packages/integration-platform/src/manifests/aws/index.ts
new file mode 100644
index 000000000..db68860ab
--- /dev/null
+++ b/packages/integration-platform/src/manifests/aws/index.ts
@@ -0,0 +1,28 @@
+import type { IntegrationManifest } from '../../types';
+import { awsCredentialFields, awsCredentialSchema, awsSetupInstructions } from './credentials';
+
+export const awsManifest: IntegrationManifest = {
+  id: 'aws',
+  name: 'Amazon Web Services',
+  description: 'Monitor security configurations and compliance across your AWS infrastructure',
+  category: 'Cloud',
+  logoUrl: 'https://img.logo.dev/aws.amazon.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ',
+  docsUrl:
+    'https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html',
+  isActive: true,
+
+  auth: {
+    type: 'custom',
+    config: {
+      description: 'AWS IAM Role Assumption - secure cross-account access',
+      credentialFields: awsCredentialFields,
+      validationSchema: awsCredentialSchema,
+      setupInstructions: awsSetupInstructions,
+    },
+  },
+
+  baseUrl: '',
+
+  capabilities: ['checks'],
+  checks: [],
+};
diff --git a/packages/integration-platform/src/manifests/aws/types.ts b/packages/integration-platform/src/manifests/aws/types.ts
new file mode 100644
index 000000000..47d2b3608
--- /dev/null
+++ b/packages/integration-platform/src/manifests/aws/types.ts
@@ -0,0 +1,92 @@
+/**
+ * AWS IAM Types
+ */
+export interface IAMUser {
+  UserName: string;
+  UserId: string;
+  Arn: string;
+  Path: string;
+  CreateDate: string;
+  PasswordLastUsed?: string;
+  Tags?: Array<{ Key: string; Value: string }>;
+}
+
+export interface IAMUserDetail {
+  UserName: string;
+  UserId: string;
+  Arn: string;
+  CreateDate: string;
+  PasswordLastUsed?: string;
+  GroupList?: string[];
+  AttachedManagedPolicies?: Array<{ PolicyName: string; PolicyArn: string }>;
+  UserPolicyList?: Array<{ PolicyName: string }>;
+  Tags?: Array<{ Key: string; Value: string }>;
+}
+
+export interface IAMRole {
+  RoleName: string;
+  RoleId: string;
+  Arn: string;
+  Path: string;
+  CreateDate: string;
+  AssumeRolePolicyDocument: string;
+  Description?: string;
+  MaxSessionDuration?: number;
+  Tags?: Array<{ Key: string; Value: string }>;
+}
+
+export interface MFADevice {
+  UserName: string;
+  SerialNumber: string;
+  EnableDate: string;
+}
+
+export interface AccessKeyMetadata {
+  UserName: string;
+  AccessKeyId: string;
+  Status: 'Active' | 'Inactive';
+  CreateDate: string;
+}
+
+export interface AccessKeyLastUsed {
+  LastUsedDate?: string;
+  ServiceName?: string;
+  Region?: string;
+}
+
+/**
+ * CloudTrail Types
+ */
+export interface CloudTrailEvent {
+  EventId: string;
+  EventName: string;
+  EventTime: string;
+  EventSource: string;
+  Username?: string;
+  Resources?: Array<{
+    ResourceType: string;
+    ResourceName: string;
+  }>;
+  CloudTrailEvent: string; // JSON string with full event details
+}
+
+export interface CloudTrailLookupResponse {
+  Events?: CloudTrailEvent[];
+  NextToken?: string;
+}
+
+/**
+ * STS Types
+ */
+export interface AssumeRoleResponse {
+  Credentials: {
+    AccessKeyId: string;
+    SecretAccessKey: string;
+    SessionToken: string;
+    Expiration: string;
+  };
+  AssumedRoleUser: {
+    AssumedRoleId: string;
+    Arn: string;
+  };
+}
diff --git a/packages/integration-platform/src/manifests/azure/credentials.ts b/packages/integration-platform/src/manifests/azure/credentials.ts
new file mode 100644
index 000000000..ae30faba9
--- /dev/null
+++ b/packages/integration-platform/src/manifests/azure/credentials.ts
@@ -0,0 +1,108 @@
+import { z } from 'zod';
+
+/**
+ * Azure credential fields for the connection form
+ */
+export const azureCredentialFields = [
+  {
+    id: 'tenantId',
+    label: 'Tenant ID (Directory ID)',
+    type: 'text' as const,
+    required: true,
+    placeholder: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
+    helpText: 'Your tenant ID. Found in Azure Portal → Microsoft Entra ID → Overview',
+  },
+  {
+    id: 'clientId',
+    label: 'Client ID (Application ID)',
+    type: 'text' as const,
+    required: true,
+    placeholder: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
+    helpText: 'The Application (client) ID of your App Registration',
+  },
+  {
+    id: 'clientSecret',
+    label: 'Client Secret',
+    type: 'password' as const,
+    required: true,
+    placeholder: 'Your client secret value',
+    helpText: 'A client secret created for the App Registration',
+  },
+  {
+    id: 'subscriptionId',
+    label: 'Subscription ID',
+    type: 'text' as const,
+    required: true,
+    placeholder: 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
+    helpText: 'The Azure subscription to monitor',
+  },
+];
+
+/**
+ * Validation schema for Azure credentials
+ */
+export const azureCredentialSchema = z.object({
+  tenantId: z
+    .string()
+    .uuid('Must be a valid UUID')
+    .or(z.string().regex(/^[a-f0-9-]{36}$/i, 'Must be a valid Azure tenant ID')),
+  clientId: z
+    .string()
+    .uuid('Must be a valid UUID')
+    .or(z.string().regex(/^[a-f0-9-]{36}$/i, 'Must be a valid Application ID')),
+  clientSecret: z.string().min(1, 'Client secret is required'),
+  subscriptionId: z
+    .string()
+    .uuid('Must be a valid UUID')
+    .or(z.string().regex(/^[a-f0-9-]{36}$/i, 'Must be a valid Subscription ID')),
+});
+
+/**
+ * Setup instructions for Azure Service Principal
+ */
+export const azureSetupInstructions = `## Setting up Azure Service Principal
+
+### Step 1: Create an App Registration
+1. Go to [Azure Portal](https://portal.azure.com)
+2. Navigate to **Microsoft Entra ID** → **App registrations**
+3. Click **+ New registration**
+4. Enter a name like \`comp-security-audit\`
+5. Leave the default settings and click **Register**
+
+### Step 2: Create a Client Secret
+1. In your new App Registration, go to **Certificates & secrets**
+2. Click **New client secret**
+3. Add a description and select expiry (recommended: 12-24 months)
+4. Click **Add** and **copy the secret value immediately** (you won't see it again)
+
+### Step 3: Grant Required Permissions
+
+You need to assign 3 roles to your App Registration. Repeat these steps for each role:
+
+1. Go to **Subscriptions** → Select your subscription (e.g., "Subscription 1")
+2. Click **Access control (IAM)** in the left sidebar
+3. Click the **+ Add** button → **Add role assignment**
+4. In the **Role** tab, search for and select one of these roles:
+   - **Reader** - For general resource access
+   - **Security Reader** - For Microsoft Defender for Cloud  
+   - **Monitoring Reader** - For alerts and metrics
+5. Click **Next**
+6. In the **Members** tab:
+   - Select **"User, group, or service principal"**
+   - Click **+ Select members**
+   - Search for your App Registration name (e.g., "comp-security-audit")
+   - Select it and click **Select**
+7. Click **Review + assign**
+
+> **Important:** Repeat steps 3-7 for all three roles (Reader, Security Reader, Monitoring Reader)
+
+### Step 4: Get Your IDs
+From the Azure Portal, collect:
+- **Tenant ID**: Microsoft Entra ID → Overview → Tenant ID
+- **Client ID**: Microsoft Entra ID → App registrations → Your app → Application (client) ID
+- **Subscription ID**: Subscriptions → Your subscription → Subscription ID
+
+### Step 5: Enter Credentials
+Paste the Tenant ID, Client ID, Client Secret, and Subscription ID in the fields below.
+
+> **Security Note:** The service principal should have read-only access. Never grant write permissions for compliance monitoring.`;
diff --git a/packages/integration-platform/src/manifests/azure/helpers/azure-client.ts b/packages/integration-platform/src/manifests/azure/helpers/azure-client.ts
new file mode 100644
index 000000000..b409e17f4
--- /dev/null
+++ b/packages/integration-platform/src/manifests/azure/helpers/azure-client.ts
@@ -0,0 +1,162 @@
+/**
+ * Azure API Client Helper
+ * Handles authentication and API calls to Azure REST APIs
+ */
+
+import type {
+  AzureActionGroup,
+  AzureAlertRule,
+  AzureListResponse,
+  AzureRoleAssignment,
+  AzureRoleDefinition,
+  AzureSecurityAlert,
+  AzureSecurityAssessment,
+} from '../types';
+
+interface AzureCredentials {
+  tenantId: string;
+  clientId: string;
+  clientSecret: string;
+  subscriptionId: string;
+}
+
+interface TokenResponse {
+  access_token: string;
+  expires_in: number;
+  token_type: string;
+}
+
+/**
+ * Get an access token for Azure Management API
+ */
+export async function getAzureAccessToken(credentials: AzureCredentials): Promise<string> {
+  const tokenUrl = `https://login.microsoftonline.com/${credentials.tenantId}/oauth2/v2.0/token`;
+
+  const body = new URLSearchParams({
+    client_id: credentials.clientId,
+    client_secret: credentials.clientSecret,
+    scope: 'https://management.azure.com/.default',
+    grant_type: 'client_credentials',
+  });
+
+  const response = await fetch(tokenUrl, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+    body: body.toString(),
+  });
+
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Azure authentication failed: ${error}`);
+  }
+
+  const data: TokenResponse = await response.json();
+  return data.access_token;
+}
+
+/**
+ * Make an authenticated request to Azure Management API
+ */
+async function azureRequest<T>(
+  accessToken: string,
+  url: string,
+  options?: RequestInit,
+): Promise<T> {
+  const response = await fetch(url, {
+    ...options,
+    headers: {
+      Authorization: `Bearer ${accessToken}`,
+      'Content-Type': 'application/json',
+      ...options?.headers,
+    },
+  });
+
+  if (!response.ok) {
+    const error = await response.text();
+    throw new Error(`Azure API error (${response.status}): ${error}`);
+  }
+
+  return response.json();
+}
+
+/**
+ * Fetch all pages of a paginated Azure response
+ */
+async function fetchAllPages<T>(accessToken: string, initialUrl: string): Promise<T[]> {
+  const results: T[] = [];
+  let url: string | undefined = initialUrl;
+
+  while (url) {
+    const response: AzureListResponse<T> = await azureRequest(accessToken, url);
+    results.push(...response.value);
+    url = response.nextLink;
+  }
+
+  return results;
+}
+
+/**
+ * Get security alerts from Microsoft Defender for Cloud
+ */
+export async function getSecurityAlerts(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureSecurityAlert[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Security/alerts?api-version=2022-01-01`;
+  return fetchAllPages<AzureSecurityAlert>(accessToken, url);
+}
+
+/**
+ * Get security assessments from Microsoft Defender for Cloud
+ */
+export async function getSecurityAssessments(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureSecurityAssessment[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Security/assessments?api-version=2021-06-01`;
+  return fetchAllPages<AzureSecurityAssessment>(accessToken, url);
+}
+
+/**
+ * Get role assignments for a subscription
+ */
+export async function getRoleAssignments(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureRoleAssignment[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01`;
+  return fetchAllPages<AzureRoleAssignment>(accessToken, url);
+}
+
+/**
+ * Get role definitions for a subscription
+ */
+export async function getRoleDefinitions(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureRoleDefinition[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Authorization/roleDefinitions?api-version=2022-04-01`;
+  return fetchAllPages<AzureRoleDefinition>(accessToken, url);
+}
+
+/**
+ * Get metric alert rules
+ */
+export async function getAlertRules(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureAlertRule[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Insights/metricAlerts?api-version=2018-03-01`;
+  return fetchAllPages<AzureAlertRule>(accessToken, url);
+}
+
+/**
+ * Get action groups for notifications
+ */
+export async function getActionGroups(
+  accessToken: string,
+  subscriptionId: string,
+): Promise<AzureActionGroup[]> {
+  const url = `https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Insights/actionGroups?api-version=2023-01-01`;
+  return fetchAllPages<AzureActionGroup>(accessToken, url);
+}
diff --git a/packages/integration-platform/src/manifests/azure/helpers/index.ts b/packages/integration-platform/src/manifests/azure/helpers/index.ts
new file mode 100644
index 000000000..7e436ec02
--- /dev/null
+++ b/packages/integration-platform/src/manifests/azure/helpers/index.ts
@@ -0,0 +1,9 @@
+export {
+  getActionGroups,
+  getAlertRules,
+  getAzureAccessToken,
+  getRoleAssignments,
+  getRoleDefinitions,
+  getSecurityAlerts,
+  getSecurityAssessments,
+} from './azure-client';
diff --git a/packages/integration-platform/src/manifests/azure/index.ts b/packages/integration-platform/src/manifests/azure/index.ts
new file mode 100644
index 000000000..069aca7dc
--- /dev/null
+++ b/packages/integration-platform/src/manifests/azure/index.ts
@@ -0,0 +1,27 @@
+import type { IntegrationManifest } from '../../types';
+import { azureCredentialFields, azureSetupInstructions } from './credentials';
+
+export const azureManifest: IntegrationManifest = {
+  id: 'azure',
+  name: 'Microsoft Azure',
+  description: 'Monitor alerting configurations in Microsoft Azure',
+  category: 'Cloud',
+  logoUrl: 'https://img.logo.dev/azure.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ',
+  docsUrl: 'https://docs.microsoft.com/en-us/azure/defender-for-cloud/',
+  isActive: true,
+
+  auth: {
+    type: 'custom',
+    config: {
+      description: 'Azure Service Principal - secure application access',
+      credentialFields: azureCredentialFields,
+      setupInstructions: azureSetupInstructions,
+    },
+  },
+
+  baseUrl: 'https://management.azure.com',
+
+  capabilities: ['checks'],
+
+  checks: [],
+};
diff --git a/packages/integration-platform/src/manifests/azure/types.ts b/packages/integration-platform/src/manifests/azure/types.ts
new file mode 100644
index 000000000..a220e2405
--- /dev/null
+++ b/packages/integration-platform/src/manifests/azure/types.ts
@@ -0,0 +1,142 @@
+/**
+ * Azure API Types
+ * Types for Azure REST API responses
+ */
+
+export interface AzureResource {
+  id: string;
+  name: string;
+  type: string;
+  location?: string;
+  tags?: Record<string, string>;
+}
+
+export interface AzureListResponse<T> {
+  value: T[];
+  nextLink?: string;
+}
+
+export interface AzureSecurityAlert {
+  id: string;
+  name: string;
+  type: string;
+  properties: {
+    alertDisplayName: string;
+    alertType: string;
+    compromisedEntity: string;
+    description: string;
+    severity: 'High' | 'Medium' | 'Low' | 'Informational';
+    status: 'Active' | 'Resolved' | 'Dismissed';
+    intent: string;
+    startTimeUtc: string;
+    endTimeUtc?: string;
+    remediationSteps?: string[];
+    resourceIdentifiers?: Array<{
+      type: string;
+      azureResourceId?: string;
+    }>;
+  };
+}
+
+export interface AzureSecurityAssessment {
+  id: string;
+  name: string;
+  type: string;
+  properties: {
+    displayName: string;
+    status: {
+      code: 'Healthy' | 'Unhealthy' | 'NotApplicable';
+      cause?: string;
+      description?: string;
+    };
+    resourceDetails: {
+      source: string;
+      id?: string;
+    };
+    metadata?: {
+      severity: 'High' | 'Medium' | 'Low';
+      category?: string;
+      description?: string;
+      remediationDescription?: string;
+    };
+  };
+}
+
+export interface AzureRoleAssignment {
+  id: string;
+  name: string;
+  type: string;
+  properties: {
+    roleDefinitionId: string;
+    principalId: string;
+    principalType: 'User' | 'Group' | 'ServicePrincipal' | 'Application';
+    scope: string;
+    createdOn?: string;
+    updatedOn?: string;
+  };
+}
+
+export interface AzureRoleDefinition {
+  id: string;
+  name: string;
+  type: string;
+  properties: {
+    roleName: string;
+    description: string;
+    type: 'BuiltInRole' | 'CustomRole';
+    permissions: Array<{
+      actions: string[];
+      notActions: string[];
+      dataActions?: string[];
+      notDataActions?: string[];
+    }>;
+    assignableScopes: string[];
+  };
+}
+
+export interface AzureAdUser {
+  id: string;
+  displayName: string;
+  userPrincipalName: string;
+  mail?: string;
+  accountEnabled: boolean;
+  createdDateTime?: string;
+}
+
+export interface AzureAlertRule {
+  id: string;
+  name: string;
+  type: string;
+  location: string;
+  properties: {
+    description?: string;
+    severity: 0 | 1 | 2 | 3 | 4;
+    enabled: boolean;
+    scopes: string[];
+    evaluationFrequency?: string;
+    windowSize?: string;
+    actions?: {
+      actionGroups?: string[];
+    };
+  };
+}
+
+export interface AzureActionGroup {
+  id: string;
+  name: string;
+  type: string;
+  location: string;
+  properties: {
+    groupShortName: string;
+    enabled: boolean;
+    emailReceivers?: Array<{
+      name: string;
+      emailAddress: string;
+      status: string;
+    }>;
+    webhookReceivers?: Array<{
+      name: string;
+      serviceUri: string;
+    }>;
+  };
+}
diff --git a/packages/integration-platform/src/manifests/gcp/helpers/gcp-client.ts b/packages/integration-platform/src/manifests/gcp/helpers/gcp-client.ts
new file mode 100644
index 000000000..5493c7689
--- /dev/null
+++ b/packages/integration-platform/src/manifests/gcp/helpers/gcp-client.ts
@@ -0,0 +1,247 @@
+import type { GCPCredentials } from '../types';
+
+export interface GCPClient {
+  accessToken: string;
+  projectId: string;
+  organizationId?: string;
+}
+
+/**
+ * Create a GCP client from OAuth credentials
+ */
+export function createGCPClient(
+  credentials: GCPCredentials,
+  projectId: string,
+  log: (msg: string) => void,
+): GCPClient {
+  if (!credentials.access_token) {
+    throw new Error('Access token is required');
+  }
+
+  log(`Authenticating with OAuth token for project: ${projectId}`);
+
+  return {
+    accessToken: credentials.access_token,
+    projectId,
+  };
+}
+
+/**
+ * Make an authenticated request to a GCP API
+ */
+export async function gcpRequest<T>(
+  client: GCPClient,
+  url: string,
+  options: {
+    method?: 'GET' | 'POST' | 'PUT' | 'DELETE';
+    body?: unknown;
+    params?: Record<string, string>;
+  } = {},
+): Promise<T> {
+  const { method = 'GET', body, params } = options;
+
+  // Build URL with query params
+  const urlObj = new URL(url);
+  if (params) {
+    for (const [key, value] of Object.entries(params)) {
+      urlObj.searchParams.set(key, value);
+    }
+  }
+
+  const response = await fetch(urlObj.toString(), {
+    method,
+    headers: {
+      Authorization: `Bearer ${client.accessToken}`,
+      'Content-Type': 'application/json',
+    },
+    body: body ? JSON.stringify(body) : undefined,
+  });
+
+  if (!response.ok) {
+    const errorText = await response.text();
+    throw new Error(`GCP API error (${response.status}): ${errorText}`);
+  }
+
+  return response.json();
+}
+
+/**
+ * Get IAM policy for a project
+ */
+export async function getProjectIAMPolicy(
+  client: GCPClient,
+  projectId: string,
+): Promise<{
+  version: number;
+  bindings: Array<{
+    role: string;
+    members: string[];
+  }>;
+}> {
+  const url = `https://cloudresourcemanager.googleapis.com/v1/projects/${projectId}:getIamPolicy`;
+
+  return gcpRequest(client, url, {
+    method: 'POST',
+    body: {
+      options: {
+        requestedPolicyVersion: 3,
+      },
+    },
+  });
+}
+
+/**
+ * List service accounts in a project
+ */
+export async function listServiceAccounts(
+  client: GCPClient,
+  projectId: string,
+  pageToken?: string,
+): Promise<{
+  accounts: Array<{
+    name: string;
+    email: string;
+    displayName?: string;
+    disabled: boolean;
+  }>;
+  nextPageToken?: string;
+}> {
+  const url = `https://iam.googleapis.com/v1/projects/${projectId}/serviceAccounts`;
+
+  const params: Record<string, string> = {
+    pageSize: '100',
+  };
+
+  if (pageToken) {
+    params.pageToken = pageToken;
+  }
+
+  return gcpRequest(client, url, { params });
+}
+
+/**
+ * Alerting Policy structure
+ */
+export interface AlertingPolicy {
+  name: string;
+  displayName: string;
+  enabled: boolean;
+  conditions: Array<{
+    displayName: string;
+    conditionThreshold?: {
+      filter: string;
+      comparison: string;
+      thresholdValue?: number;
+    };
+    conditionAbsent?: {
+      filter: string;
+    };
+    conditionMatchedLog?: {
+      filter: string;
+    };
+  }>;
+  notificationChannels?: string[];
+  alertStrategy?: {
+    notificationRateLimit?: {
+      period: string;
+    };
+  };
+  creationRecord?: {
+    mutateTime: string;
+  };
+}
+
+/**
+ * List alerting policies in a project
+ */
+export async function listAlertingPolicies(
+  client: GCPClient,
+  projectId: string,
+  pageToken?: string,
+): Promise<{
+  alertPolicies: AlertingPolicy[];
+  nextPageToken?: string;
+}> {
+  const url = `https://monitoring.googleapis.com/v3/projects/${projectId}/alertPolicies`;
+
+  const params: Record<string, string> = {
+    pageSize: '100',
+  };
+
+  if (pageToken) {
+    params.pageToken = pageToken;
+  }
+
+  return gcpRequest(client, url, { params });
+}
+
+/**
+ * Log Sink structure
+ */
+export interface LogSink {
+  name: string;
+  destination: string;
+  filter?: string;
+  disabled: boolean;
+  createTime?: string;
+  updateTime?: string;
+}
+
+/**
+ * List log sinks in a project
+ */
+export async function listLogSinks(
+  client: GCPClient,
+  projectId: string,
+  pageToken?: string,
+): Promise<{
+  sinks: LogSink[];
+  nextPageToken?: string;
+}> {
+  const url = `https://logging.googleapis.com/v2/projects/${projectId}/sinks`;
+
+  const params: Record<string, string> = {
+    pageSize: '100',
+  };
+
+  if (pageToken) {
+    params.pageToken = pageToken;
+  }
+
+  return gcpRequest(client, url, { params });
+}
+
+/**
+ * Notification Channel structure
+ */
+export interface NotificationChannel {
+  name: string;
+  type: string;
+  displayName: string;
+  enabled: boolean;
+  labels?: Record<string, string>;
+}
+
+/**
+ * List notification channels in a project
+ */
+export async function listNotificationChannels(
+  client: GCPClient,
+  projectId: string,
+  pageToken?: string,
+): Promise<{
+  notificationChannels: NotificationChannel[];
+  nextPageToken?: string;
+}> {
+  const url = `https://monitoring.googleapis.com/v3/projects/${projectId}/notificationChannels`;
+
+  const params: Record<string, string> = {
+    pageSize: '100',
+  };
+
+  if (pageToken) {
+    params.pageToken = pageToken;
+  }
+
+  return gcpRequest(client, url, { params });
+}
diff --git a/packages/integration-platform/src/manifests/gcp/helpers/index.ts b/packages/integration-platform/src/manifests/gcp/helpers/index.ts
new file mode 100644
index 000000000..9533984ba
--- /dev/null
+++ b/packages/integration-platform/src/manifests/gcp/helpers/index.ts
@@ -0,0 +1,13 @@
+export {
+  createGCPClient,
+  gcpRequest,
+  getProjectIAMPolicy,
+  listAlertingPolicies,
+  listLogSinks,
+  listNotificationChannels,
+  listServiceAccounts,
+  type AlertingPolicy,
+  type GCPClient,
+  type LogSink,
+  type NotificationChannel,
+} from './gcp-client';
diff --git a/packages/integration-platform/src/manifests/gcp/index.ts b/packages/integration-platform/src/manifests/gcp/index.ts
new file mode 100644
index 000000000..7cf5ecbc5
--- /dev/null
+++ b/packages/integration-platform/src/manifests/gcp/index.ts
@@ -0,0 +1,65 @@
+import type { IntegrationManifest } from '../../types';
+
+export const gcpManifest: IntegrationManifest = {
+  id: 'gcp',
+  name: 'Google Cloud Platform',
+  description:
+    'Read-only monitoring of IAM access, alerting and cloud tests in Google Cloud Platform',
+  category: 'Cloud',
+  logoUrl:
+    'https://img.logo.dev/cloud.google.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ&format=png&retina=true',
+  docsUrl: 'https://cloud.google.com/security-command-center/docs',
+  isActive: true,
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+      tokenUrl: 'https://oauth2.googleapis.com/token',
+      scopes: ['https://www.googleapis.com/auth/cloud-platform'],
+      pkce: false,
+      clientAuthMethod: 'body',
+      supportsRefreshToken: true,
+      authorizationParams: {
+        access_type: 'offline',
+        prompt: 'consent',
+      },
+      setupInstructions: `## Platform Admin: Enable GCP OAuth
+
+1. Go to [Google Cloud Console](https://console.cloud.google.com)
+2. Create or select a project for your OAuth app
+3. Navigate to **APIs & Services** → **OAuth consent screen** and configure it
+4. Go to **APIs & Services** → **Credentials**
+5. Click **Create Credentials** → **OAuth client ID**
+6. Select **Web application**
+7. Add the callback URL shown below to **Authorized redirect URIs**
+8. Copy the **Client ID** and **Client Secret** below
+
+---
+
+### About the Required Permissions
+
+**OAuth Scope:** This integration requires the \`cloud-platform\` scope to access Security Command Center findings.
+
+**Important:** While Google's consent screen will say "See, edit, configure and delete your Google Cloud data", this is the **only scope available** for Security Command Center API. Google does not offer a read-only alternative.
+
+**Actual Access is Limited:** The OAuth scope just allows API calls. The real permissions are controlled by **IAM roles**. Users connecting their GCP account should only grant read-only IAM roles like:
+- Security Center Findings Viewer (\`roles/securitycenter.findingsViewer\`)
+- Viewer (\`roles/viewer\`)
+
+Even with the \`cloud-platform\` OAuth scope, **users can only perform actions their IAM roles allow**. Our integration only makes read-only API calls.
+
+This is industry standard - all GCP security monitoring tools use the same scope.`,
+      createAppUrl: 'https://console.cloud.google.com/apis/credentials',
+    },
+  },
+
+  baseUrl: 'https://cloudresourcemanager.googleapis.com',
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+  },
+
+  capabilities: ['checks'],
+
+  checks: [],
+};
diff --git a/packages/integration-platform/src/manifests/gcp/types.ts b/packages/integration-platform/src/manifests/gcp/types.ts
new file mode 100644
index 000000000..3d5810e19
--- /dev/null
+++ b/packages/integration-platform/src/manifests/gcp/types.ts
@@ -0,0 +1,103 @@
+// Google Cloud Platform types
+
+/**
+ * GCP OAuth credentials
+ * With OAuth, we get an access token from Google
+ */
+export interface GCPCredentials {
+  access_token: string;
+  refresh_token?: string;
+  token_type?: string;
+  expires_in?: number;
+}
+
+// Security Command Centre types
+export interface SCCFinding {
+  name: string;
+  parent: string;
+  resourceName: string;
+  state: 'ACTIVE' | 'INACTIVE';
+  category: string;
+  externalUri?: string;
+  sourceProperties: Record<string, unknown>;
+  securityMarks?: {
+    name: string;
+    marks: Record<string, string>;
+  };
+  findingClass:
+    | 'THREAT'
+    | 'VULNERABILITY'
+    | 'MISCONFIGURATION'
+    | 'OBSERVATION'
+    | 'SCC_ERROR'
+    | 'POSTURE_VIOLATION';
+  severity: 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+  canonicalName?: string;
+  description?: string;
+  createTime: string;
+  eventTime: string;
+}
+
+export interface SCCFindingsResponse {
+  listFindingsResults: Array<{
+    finding: SCCFinding;
+    stateChange?: string;
+    resource?: {
+      name: string;
+      displayName?: string;
+      type?: string;
+    };
+  }>;
+  nextPageToken?: string;
+  totalSize?: number;
+}
+
+// IAM types
+export interface GCPIAMBinding {
+  role: string;
+  members: string[];
+  condition?: {
+    title: string;
+    description?: string;
+    expression: string;
+  };
+}
+
+export interface GCPIAMPolicy {
+  version: number;
+  bindings: GCPIAMBinding[];
+  etag: string;
+}
+
+export interface GCPServiceAccount {
+  name: string;
+  projectId: string;
+  uniqueId: string;
+  email: string;
+  displayName?: string;
+  description?: string;
+  disabled: boolean;
+}
+
+export interface GCPServiceAccountsResponse {
+  accounts: GCPServiceAccount[];
+  nextPageToken?: string;
+}
+
+// Resource Manager types
+export interface GCPProject {
+  projectNumber: string;
+  projectId: string;
+  lifecycleState: 'ACTIVE' | 'DELETE_REQUESTED' | 'DELETE_IN_PROGRESS';
+  name: string;
+  createTime: string;
+  parent?: {
+    type: string;
+    id: string;
+  };
+}
+
+export interface GCPProjectsResponse {
+  projects: GCPProject[];
+  nextPageToken?: string;
+}
diff --git a/packages/integration-platform/src/manifests/github/checks/branch-protection.ts b/packages/integration-platform/src/manifests/github/checks/branch-protection.ts
new file mode 100644
index 000000000..202359d11
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/checks/branch-protection.ts
@@ -0,0 +1,228 @@
+/**
+ * Branch Protection Check
+ * Verifies that default branches have protection rules configured
+ */
+
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { IntegrationCheck } from '../../../types';
+import type {
+  GitHubBranchProtection,
+  GitHubBranchRule,
+  GitHubOrg,
+  GitHubRepo,
+  GitHubRuleset,
+} from '../types';
+import { protectedBranchVariable, targetReposVariable } from '../variables';
+
+export const branchProtectionCheck: IntegrationCheck = {
+  id: 'branch_protection',
+  name: 'Branch Protection Enabled',
+  description: 'Verify that default branches have protection rules configured',
+  taskMapping: TASK_TEMPLATES.codeChanges,
+  defaultSeverity: 'high',
+
+  variables: [targetReposVariable, protectedBranchVariable],
+
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[] | undefined;
+    const protectedBranch = ctx.variables.protected_branch as string | undefined;
+
+    ctx.log('Fetching repositories...');
+
+    let repos: GitHubRepo[];
+
+    if (targetRepos && targetRepos.length > 0) {
+      repos = [];
+      for (const repoName of targetRepos) {
+        try {
+          const repo = await ctx.fetch<GitHubRepo>(`/repos/${repoName}`);
+          repos.push(repo);
+        } catch {
+          ctx.warn(`Could not fetch repo ${repoName}`);
+        }
+      }
+    } else {
+      const orgs = await ctx.fetch<GitHubOrg[]>('/user/orgs');
+      repos = [];
+      for (const org of orgs) {
+        const orgRepos = await ctx.fetchAllPages<GitHubRepo>(`/orgs/${org.login}/repos`);
+        repos.push(...orgRepos);
+      }
+    }
+
+    ctx.log(`Checking ${repos.length} repositories`);
+
+    for (const repo of repos) {
+      const branchToCheck = protectedBranch || repo.default_branch;
+      if (!branchToCheck) continue;
+
+      ctx.log(`Checking branch "${branchToCheck}" on ${repo.full_name}`);
+
+      // Helper to check if a branch matches ruleset conditions
+      const branchMatchesRuleset = (ruleset: GitHubRuleset, branch: string): boolean => {
+        if (!ruleset.conditions?.ref_name) return true;
+        const includes = ruleset.conditions.ref_name.include || [];
+        const excludes = ruleset.conditions.ref_name.exclude || [];
+
+        for (const pattern of excludes) {
+          if (pattern === `refs/heads/${branch}` || pattern === `~DEFAULT_BRANCH`) {
+            return false;
+          }
+        }
+
+        if (includes.length === 0) return true;
+        for (const pattern of includes) {
+          if (
+            pattern === `refs/heads/${branch}` ||
+            pattern === '~ALL' ||
+            (pattern === '~DEFAULT_BRANCH' && branch === repo.default_branch)
+          ) {
+            return true;
+          }
+        }
+        return false;
+      };
+
+      let isProtected = false;
+      let protectionEvidence: Record<string, unknown> = {};
+      let protectionDescription = '';
+
+      // Strategy 1: Try the unified rules endpoint
+      ctx.log(`[Strategy 1] Trying /repos/${repo.full_name}/rules/branches/${branchToCheck}`);
+      try {
+        const rules = await ctx.fetch<GitHubBranchRule[]>(
+          `/repos/${repo.full_name}/rules/branches/${branchToCheck}`,
+        );
+
+        ctx.log(
+          `[Strategy 1] Got ${rules.length} rules: ${JSON.stringify(rules.map((r) => r.type))}`,
+        );
+
+        const hasPullRequestRule = rules.some((r) => r.type === 'pull_request');
+        const hasNonFastForward = rules.some((r) => r.type === 'non_fast_forward');
+
+        if (rules.length > 0 && (hasPullRequestRule || hasNonFastForward)) {
+          isProtected = true;
+          const protectionTypes: string[] = [];
+          if (hasPullRequestRule) protectionTypes.push('pull request reviews');
+          if (hasNonFastForward) protectionTypes.push('non-fast-forward');
+
+          const rulesetSources = [
+            ...new Set(rules.filter((r) => r.ruleset_source).map((r) => r.ruleset_source)),
+          ];
+
+          protectionDescription = `Branch "${branchToCheck}" is protected with: ${protectionTypes.join(', ')}. ${rulesetSources.length > 0 ? `Source: ${rulesetSources.join(', ')}` : ''}`;
+          protectionEvidence = {
+            source: 'rules_endpoint',
+            branch: branchToCheck,
+            rules,
+            rule_types: rules.map((r) => r.type),
+            ruleset_sources: rulesetSources,
+          };
+          ctx.log(`[Strategy 1] SUCCESS - Found protection via rules endpoint`);
+        } else {
+          ctx.log(`[Strategy 1] No PR or non-fast-forward rules found`);
+        }
+      } catch (err) {
+        const errorMsg = err instanceof Error ? err.message : String(err);
+        ctx.warn(`[Strategy 1] FAILED: ${errorMsg}`);
+      }
+
+      // Strategy 2: Check rulesets directly
+      if (!isProtected) {
+        ctx.log(`[Strategy 2] Trying /repos/${repo.full_name}/rulesets`);
+        try {
+          const rulesets = await ctx.fetch<GitHubRuleset[]>(`/repos/${repo.full_name}/rulesets`);
+
+          ctx.log(`[Strategy 2] Got ${rulesets.length} rulesets`);
+
+          const applicableRulesets = rulesets.filter(
+            (rs) =>
+              rs.enforcement === 'active' &&
+              rs.target === 'branch' &&
+              branchMatchesRuleset(rs, branchToCheck),
+          );
+
+          ctx.log(
+            `[Strategy 2] ${applicableRulesets.length} active rulesets apply to "${branchToCheck}"`,
+          );
+
+          for (const rs of applicableRulesets) {
+            ctx.log(
+              `[Strategy 2] Ruleset "${rs.name}": rules=${JSON.stringify(rs.rules?.map((r) => r.type))}`,
+            );
+          }
+
+          for (const ruleset of applicableRulesets) {
+            const hasPullRequest = ruleset.rules?.some((r) => r.type === 'pull_request');
+            if (hasPullRequest) {
+              isProtected = true;
+              const pullRequestRule = ruleset.rules?.find((r) => r.type === 'pull_request');
+              protectionDescription = `Branch "${branchToCheck}" is protected by ruleset "${ruleset.name}" requiring pull request reviews.`;
+              protectionEvidence = {
+                source: 'rulesets_endpoint',
+                branch: branchToCheck,
+                ruleset_name: ruleset.name,
+                ruleset_id: ruleset.id,
+                enforcement: ruleset.enforcement,
+                rules: ruleset.rules,
+                pull_request_params: pullRequestRule?.parameters,
+              };
+              break;
+            }
+          }
+        } catch (err) {
+          const errorMsg = err instanceof Error ? err.message : String(err);
+          ctx.warn(`[Strategy 2] FAILED: ${errorMsg}`);
+        }
+      }
+
+      // Strategy 3: Try legacy branch protection endpoint
+      if (!isProtected) {
+        ctx.log(
+          `[Strategy 3] Trying /repos/${repo.full_name}/branches/${branchToCheck}/protection`,
+        );
+        try {
+          const protection = await ctx.fetch<GitHubBranchProtection>(
+            `/repos/${repo.full_name}/branches/${branchToCheck}/protection`,
+          );
+
+          isProtected = true;
+          protectionDescription = `Branch "${branchToCheck}" requires ${protection.required_pull_request_reviews?.required_approving_review_count || 0} approving review(s) (legacy protection).`;
+          protectionEvidence = {
+            source: 'legacy_branch_protection',
+            branch: branchToCheck,
+            protection_rules: protection,
+          };
+          ctx.log(`[Strategy 3] SUCCESS - Found legacy branch protection`);
+        } catch (err) {
+          const errorMsg = err instanceof Error ? err.message : String(err);
+          ctx.warn(`[Strategy 3] FAILED: ${errorMsg}`);
+        }
+      }
+
+      // Record result
+      if (isProtected) {
+        ctx.pass({
+          title: `Branch protection enabled on ${repo.name}`,
+          description: protectionDescription,
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          evidence: {
+            ...protectionEvidence,
+            checked_at: new Date().toISOString(),
+          },
+        });
+      } else {
+        ctx.fail({
+          title: `No branch protection on ${repo.name}`,
+          description: `Branch "${branchToCheck}" has no protection rules configured, allowing direct pushes without review.`,
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          severity: 'high',
+          remediation: `1. Go to ${repo.html_url}/settings/rules\n2. Create a new ruleset targeting branch "${branchToCheck}"\n3. Enable "Require a pull request before merging"\n4. Set required approvals to at least 1`,
+        });
+      }
+    }
+  },
+};
diff --git a/packages/integration-platform/src/manifests/github/checks/dependabot.ts b/packages/integration-platform/src/manifests/github/checks/dependabot.ts
new file mode 100644
index 000000000..e85c283a1
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/checks/dependabot.ts
@@ -0,0 +1,74 @@
+/**
+ * Dependabot Check
+ * Verifies that Dependabot security updates are enabled on repositories
+ */
+
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { IntegrationCheck } from '../../../types';
+import type { GitHubOrg, GitHubRepo } from '../types';
+import { targetReposVariable } from '../variables';
+
+export const dependabotCheck: IntegrationCheck = {
+  id: 'dependabot_enabled',
+  name: 'Dependabot Security Updates Enabled',
+  description: 'Verify that Dependabot security updates are enabled on repositories',
+  taskMapping: TASK_TEMPLATES.secureCode,
+  defaultSeverity: 'medium',
+
+  variables: [targetReposVariable],
+
+  run: async (ctx) => {
+    const targetRepos = ctx.variables.target_repos as string[] | undefined;
+
+    let repos: GitHubRepo[];
+
+    if (targetRepos && targetRepos.length > 0) {
+      repos = [];
+      for (const repoName of targetRepos) {
+        try {
+          const repo = await ctx.fetch<GitHubRepo>(`/repos/${repoName}`);
+          repos.push(repo);
+        } catch {
+          ctx.warn(`Could not fetch repo ${repoName}`);
+        }
+      }
+    } else {
+      const orgs = await ctx.fetch<GitHubOrg[]>('/user/orgs');
+      repos = [];
+      for (const org of orgs) {
+        const orgRepos = await ctx.fetchAllPages<GitHubRepo>(`/orgs/${org.login}/repos`);
+        repos.push(...orgRepos);
+      }
+    }
+
+    ctx.log(`Checking ${repos.length} repositories for Dependabot`);
+
+    for (const repo of repos) {
+      const dependabotStatus = repo.security_and_analysis?.dependabot_security_updates?.status;
+
+      if (dependabotStatus === 'enabled') {
+        ctx.pass({
+          title: `Dependabot enabled on ${repo.name}`,
+          description:
+            'Dependabot security updates are enabled and will automatically create pull requests to fix vulnerable dependencies.',
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          evidence: {
+            security_and_analysis: repo.security_and_analysis,
+            checked_at: new Date().toISOString(),
+          },
+        });
+      } else {
+        ctx.fail({
+          title: `Dependabot not enabled on ${repo.name}`,
+          description:
+            'Dependabot security updates are not enabled, leaving the repository vulnerable to known dependency exploits.',
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          severity: 'medium',
+          remediation: `1. Go to ${repo.html_url}/settings/security_analysis\n2. Enable "Dependabot security updates"\n3. Optionally enable "Dependabot version updates" for proactive updates`,
+        });
+      }
+    }
+  },
+};
diff --git a/packages/integration-platform/src/manifests/github/checks/index.ts b/packages/integration-platform/src/manifests/github/checks/index.ts
new file mode 100644
index 000000000..c8b98ae9f
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/checks/index.ts
@@ -0,0 +1,8 @@
+/**
+ * GitHub Checks
+ * Export all checks for use in the manifest
+ */
+
+export { branchProtectionCheck } from './branch-protection';
+export { dependabotCheck } from './dependabot';
+export { sanitizedInputsCheck } from './sanitized-inputs';
diff --git a/packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts b/packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts
new file mode 100644
index 000000000..3f36ef67b
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts
@@ -0,0 +1,193 @@
+/**
+ * Sanitized Inputs Check
+ *
+ * Ensures repositories use a modern validation/sanitization library
+ * (Zod or Pydantic) and have automated static analysis (CodeQL) enabled.
+ */
+
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { IntegrationCheck } from '../../../types';
+import type { GitHubCodeScanningDefaultSetup, GitHubRepo } from '../types';
+import { targetReposVariable } from '../variables';
+
+const JS_VALIDATION_PACKAGES = ['zod'];
+const PY_VALIDATION_PACKAGES = ['pydantic'];
+
+interface GitHubFileResponse {
+  content: string;
+  encoding: 'base64' | 'utf-8';
+  path: string;
+}
+
+const decodeFile = (file: GitHubFileResponse): string => {
+  if (!file?.content) return '';
+  if (file.encoding === 'base64') {
+    return Buffer.from(file.content, 'base64').toString('utf-8');
+  }
+  return file.content;
+};
+
+export const sanitizedInputsCheck: IntegrationCheck = {
+  id: 'sanitized_inputs',
+  name: 'Sanitized Inputs & Code Scanning',
+  description:
+    'Verifies repositories use Zod/Pydantic for input validation and have GitHub CodeQL scanning enabled.',
+  taskMapping: TASK_TEMPLATES.sanitizedInputs,
+  defaultSeverity: 'medium',
+  variables: [targetReposVariable],
+
+  run: async (ctx) => {
+    const targetRepos = (ctx.variables.target_repos as string[] | undefined) ?? [];
+
+    if (targetRepos.length === 0) {
+      ctx.fail({
+        title: 'No repositories selected',
+        description:
+          'Select at least one repository to monitor in the integration settings so we can verify sanitized inputs.',
+        resourceType: 'integration',
+        resourceId: 'github',
+        severity: 'low',
+        remediation: 'Open the integration settings and choose repositories to monitor.',
+      });
+      return;
+    }
+
+    const fetchRepo = async (fullName: string): Promise<GitHubRepo | null> => {
+      try {
+        return await ctx.fetch<GitHubRepo>(`/repos/${fullName}`);
+      } catch (error) {
+        ctx.warn(`Failed to fetch repo ${fullName}: ${String(error)}`);
+        return null;
+      }
+    };
+
+    const fetchFile = async (repoName: string, path: string): Promise<string | null> => {
+      try {
+        const file = await ctx.fetch<GitHubFileResponse>(`/repos/${repoName}/contents/${path}`);
+        return decodeFile(file);
+      } catch {
+        return null;
+      }
+    };
+
+    const hasValidationLibrary = async (repoName: string) => {
+      // Check package.json for JS libraries
+      const packageJsonRaw = await fetchFile(repoName, 'package.json');
+      if (packageJsonRaw) {
+        try {
+          const pkg = JSON.parse(packageJsonRaw);
+          const deps = {
+            ...(pkg.dependencies || {}),
+            ...(pkg.devDependencies || {}),
+          };
+          for (const candidate of JS_VALIDATION_PACKAGES) {
+            if (deps[candidate]) {
+              return { found: true, library: candidate, file: 'package.json' };
+            }
+          }
+        } catch {
+          ctx.warn(`Unable to parse package.json for ${repoName}`);
+        }
+      }
+
+      // Check requirements.txt or pyproject.toml for Python libraries
+      const requirementsRaw = await fetchFile(repoName, 'requirements.txt');
+      if (requirementsRaw) {
+        const lower = requirementsRaw.toLowerCase();
+        const candidate = PY_VALIDATION_PACKAGES.find((pkg) => lower.includes(pkg));
+        if (candidate) {
+          return { found: true, library: candidate, file: 'requirements.txt' };
+        }
+      }
+
+      const pyprojectRaw = await fetchFile(repoName, 'pyproject.toml');
+      if (pyprojectRaw) {
+        const lower = pyprojectRaw.toLowerCase();
+        const candidate = PY_VALIDATION_PACKAGES.find((pkg) => lower.includes(pkg));
+        if (candidate) {
+          return { found: true, library: candidate, file: 'pyproject.toml' };
+        }
+      }
+
+      return { found: false };
+    };
+
+    const isCodeScanningEnabled = async (repoName: string) => {
+      try {
+        const setup = await ctx.fetch<GitHubCodeScanningDefaultSetup>(
+          `/repos/${repoName}/code-scanning/default-setup`,
+        );
+        return setup.state === 'configured'
+          ? { enabled: true, languages: setup.languages || [] }
+          : { enabled: false, languages: setup.languages || [] };
+      } catch (error) {
+        ctx.log(`Code scanning not configured for ${repoName}: ${String(error)}`);
+        return { enabled: false };
+      }
+    };
+
+    for (const repoName of targetRepos) {
+      const repo = await fetchRepo(repoName);
+      if (!repo) continue;
+
+      const validation = await hasValidationLibrary(repo.full_name);
+      const codeScanning = await isCodeScanningEnabled(repo.full_name);
+
+      if (validation.found) {
+        ctx.pass({
+          title: `Input validation enabled in ${repo.name}`,
+          description: `Detected ${validation.library} usage (${validation.file}).`,
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          evidence: {
+            repository: repo.full_name,
+            library: validation.library,
+            file: validation.file,
+            checkedAt: new Date().toISOString(),
+          },
+        });
+      } else {
+        ctx.fail({
+          title: `No input validation library found in ${repo.name}`,
+          description:
+            'Could not detect Zod or Pydantic. Implement input validation and sanitization using one of these libraries.',
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          severity: 'medium',
+          remediation:
+            'Add Zod (JavaScript/TypeScript) or Pydantic (Python) to enforce schema validation on inbound data.',
+          evidence: {
+            repository: repo.full_name,
+            checkedFiles: ['package.json', 'requirements.txt', 'pyproject.toml'],
+          },
+        });
+      }
+
+      if (codeScanning.enabled) {
+        ctx.pass({
+          title: `CodeQL scanning configured for ${repo.name}`,
+          description: 'GitHub CodeQL default setup is enabled.',
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          evidence: {
+            repository: repo.full_name,
+            codeScanning: 'CodeQL default setup',
+            languages: codeScanning.languages,
+            checkedAt: new Date().toISOString(),
+          },
+        });
+      } else {
+        ctx.fail({
+          title: `Code scanning not enabled for ${repo.name}`,
+          description:
+            'GitHub CodeQL (or an equivalent static analysis tool) is not configured. Enable it to automatically detect insecure patterns.',
+          resourceType: 'repository',
+          resourceId: repo.full_name,
+          severity: 'medium',
+          remediation:
+            'In the repository Security tab, enable CodeQL default setup (or add a custom workflow) to run on every push.',
+        });
+      }
+    }
+  },
+};
diff --git a/packages/integration-platform/src/manifests/github/index.ts b/packages/integration-platform/src/manifests/github/index.ts
new file mode 100644
index 000000000..20a6b5863
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/index.ts
@@ -0,0 +1,64 @@
+/**
+ * GitHub Integration Manifest
+ *
+ * This integration connects to GitHub to monitor repository security,
+ * branch protection, and organization settings.
+ */
+
+import type { IntegrationManifest } from '../../types';
+import { branchProtectionCheck, dependabotCheck, sanitizedInputsCheck } from './checks';
+
+export const manifest: IntegrationManifest = {
+  id: 'github',
+  name: 'GitHub',
+  description:
+    'Connect GitHub to monitor repository security, branch protection, and organization settings.',
+  category: 'Development',
+  logoUrl: 'https://img.logo.dev/github.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ',
+  docsUrl: 'https://docs.trycomp.ai/integrations/github',
+
+  // API configuration for ctx.fetch helper
+  baseUrl: 'https://api.github.com',
+  defaultHeaders: {
+    Accept: 'application/vnd.github.v3+json',
+    'User-Agent': 'CompAI-Integration',
+  },
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://github.com/login/oauth/authorize',
+      tokenUrl: 'https://github.com/login/oauth/access_token',
+      scopes: ['read:org', 'repo', 'read:user'],
+      pkce: false,
+      clientAuthMethod: 'body',
+      // GitHub tokens don't expire - they're valid until revoked
+      supportsRefreshToken: false,
+      authorizationParams: {
+        allow_signup: 'false',
+      },
+      setupInstructions: `To create a GitHub OAuth App:
+1. Go to GitHub Settings > Developer settings > OAuth Apps
+2. Click "New OAuth App"
+3. Set "Application name" to something descriptive (e.g., "CompAI Integration")
+4. Set "Homepage URL" to your application URL
+5. Set "Authorization callback URL" to the callback URL shown below
+6. Click "Register application"
+7. Copy the Client ID
+8. Generate and copy a Client Secret`,
+      createAppUrl: 'https://github.com/settings/developers',
+    },
+  },
+
+  capabilities: ['checks'],
+
+  // Compliance checks that run daily and can auto-complete tasks
+  checks: [branchProtectionCheck, dependabotCheck, sanitizedInputsCheck],
+
+  isActive: true,
+};
+
+export default manifest;
+
+// Re-export types for external use
+export * from './types';
diff --git a/packages/integration-platform/src/manifests/github/types.ts b/packages/integration-platform/src/manifests/github/types.ts
new file mode 100644
index 000000000..cb230c9ac
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/types.ts
@@ -0,0 +1,77 @@
+/**
+ * GitHub API Types
+ * These types are used for type safety in GitHub integration checks
+ */
+
+export interface GitHubOrg {
+  login: string;
+  id: number;
+}
+
+export interface GitHubRepo {
+  id: number;
+  name: string;
+  full_name: string;
+  html_url: string;
+  private: boolean;
+  default_branch: string;
+  owner: { login: string };
+  security_and_analysis?: {
+    dependabot_security_updates?: { status: 'enabled' | 'disabled' };
+    secret_scanning?: { status: 'enabled' | 'disabled' };
+    secret_scanning_push_protection?: { status: 'enabled' | 'disabled' };
+  };
+}
+
+export interface GitHubBranchProtection {
+  required_pull_request_reviews?: {
+    required_approving_review_count: number;
+  };
+  enforce_admins?: { enabled: boolean };
+  required_status_checks?: { strict: boolean };
+}
+
+/**
+ * Rules returned by /repos/{owner}/{repo}/rules/branches/{branch}
+ * This includes both legacy branch protection AND rulesets
+ */
+export interface GitHubBranchRule {
+  type: string; // e.g., 'pull_request', 'required_status_checks', 'non_fast_forward'
+  ruleset_source_type?: string; // 'Repository' or 'Organization'
+  ruleset_source?: string;
+  ruleset_id?: number;
+  parameters?: Record<string, unknown>;
+}
+
+/**
+ * Ruleset returned by /repos/{owner}/{repo}/rulesets
+ */
+export interface GitHubRuleset {
+  id: number;
+  name: string;
+  target: 'branch' | 'tag';
+  source_type: 'Repository' | 'Organization';
+  source: string;
+  enforcement: 'disabled' | 'active' | 'evaluate';
+  conditions?: {
+    ref_name?: {
+      include?: string[];
+      exclude?: string[];
+    };
+  };
+  rules?: Array<{
+    type: string;
+    parameters?: Record<string, unknown>;
+  }>;
+}
+
+/**
+ * Code scanning default setup response
+ * Returned by /repos/{owner}/{repo}/code-scanning/default-setup
+ */
+export interface GitHubCodeScanningDefaultSetup {
+  state: 'configured' | 'not-configured';
+  languages?: string[];
+  query_suite?: 'default' | 'extended';
+  updated_at?: string;
+}
diff --git a/packages/integration-platform/src/manifests/github/variables.ts b/packages/integration-platform/src/manifests/github/variables.ts
new file mode 100644
index 000000000..a8b862013
--- /dev/null
+++ b/packages/integration-platform/src/manifests/github/variables.ts
@@ -0,0 +1,49 @@
+/**
+ * Shared Variables for GitHub Checks
+ * These can be reused across multiple checks
+ */
+
+import type { CheckVariable } from '../../types';
+import type { GitHubOrg, GitHubRepo } from './types';
+
+/**
+ * Variable for selecting which repositories to monitor.
+ * Dynamically fetches all repos from user's organizations.
+ */
+export const targetReposVariable: CheckVariable = {
+  id: 'target_repos',
+  label: 'Repositories to monitor',
+  type: 'multi-select',
+  required: true,
+  placeholder: 'trycompai/comp',
+  helpText: 'Format: {org}/{repo} - e.g., trycompai/comp, microsoft/vscode',
+  fetchOptions: async (ctx) => {
+    const orgs = await ctx.fetch<GitHubOrg[]>('/user/orgs');
+    const allRepos: Array<{ value: string; label: string }> = [];
+
+    for (const org of orgs) {
+      const repos = await ctx.fetchAllPages<GitHubRepo>(`/orgs/${org.login}/repos`);
+      for (const repo of repos) {
+        allRepos.push({
+          value: repo.full_name,
+          label: `${repo.full_name}${repo.private ? ' (private)' : ''}`,
+        });
+      }
+    }
+
+    return allRepos;
+  },
+};
+
+/**
+ * Variable for specifying which branch to check for protection.
+ */
+export const protectedBranchVariable: CheckVariable = {
+  id: 'protected_branch',
+  label: 'Branch to check',
+  type: 'text',
+  required: true,
+  default: 'main',
+  placeholder: 'main',
+  helpText: 'Branch name to check for protection - e.g., main, master, develop',
+};
diff --git a/packages/integration-platform/src/manifests/google-workspace/checks/employee-access.ts b/packages/integration-platform/src/manifests/google-workspace/checks/employee-access.ts
new file mode 100644
index 000000000..615648e7f
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/checks/employee-access.ts
@@ -0,0 +1,193 @@
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { CheckContext, IntegrationCheck } from '../../../types';
+import type {
+  GoogleWorkspaceRoleAssignmentsResponse,
+  GoogleWorkspaceRolesResponse,
+  GoogleWorkspaceUser,
+  GoogleWorkspaceUsersResponse,
+} from '../types';
+import { includeSuspendedVariable } from '../variables';
+
+/**
+ * Employee Access Review Check
+ * Fetches all users from Google Workspace with their roles for access review.
+ * Maps to: Access Review Log task
+ */
+export const employeeAccessCheck: IntegrationCheck = {
+  id: 'employee-access',
+  name: 'Employee Access Review',
+  description: 'Fetch all employees and their roles from Google Workspace for access review',
+  taskMapping: TASK_TEMPLATES.employeeAccess,
+  variables: [includeSuspendedVariable],
+
+  run: async (ctx: CheckContext) => {
+    ctx.log('Starting Google Workspace Employee Access check');
+
+    const includeSuspended = ctx.variables.include_suspended === 'true';
+
+    // Fetch all roles first to build a role ID -> name map
+    ctx.log('Fetching available roles...');
+    const roleMap = new Map<string, string>();
+
+    try {
+      let rolesPageToken: string | undefined;
+      do {
+        const params: Record<string, string> = { customer: 'my_customer' };
+        if (rolesPageToken) {
+          params.pageToken = rolesPageToken;
+        }
+
+        const rolesResponse = await ctx.fetch<GoogleWorkspaceRolesResponse>(
+          '/admin/directory/v1/customer/my_customer/roles',
+          { params },
+        );
+
+        if (rolesResponse.items) {
+          for (const role of rolesResponse.items) {
+            roleMap.set(role.roleId, role.roleName);
+          }
+        }
+
+        rolesPageToken = rolesResponse.nextPageToken;
+      } while (rolesPageToken);
+
+      ctx.log(`Fetched ${roleMap.size} roles`);
+    } catch (error) {
+      ctx.log(
+        'Could not fetch roles (may need additional permissions), continuing with basic info',
+      );
+    }
+
+    // Fetch role assignments to map users to their roles
+    ctx.log('Fetching role assignments...');
+    const userRolesMap = new Map<string, string[]>(); // userId -> roleNames[]
+
+    try {
+      let assignmentsPageToken: string | undefined;
+      do {
+        const params: Record<string, string> = { customer: 'my_customer' };
+        if (assignmentsPageToken) {
+          params.pageToken = assignmentsPageToken;
+        }
+
+        const assignmentsResponse = await ctx.fetch<GoogleWorkspaceRoleAssignmentsResponse>(
+          '/admin/directory/v1/customer/my_customer/roleassignments',
+          { params },
+        );
+
+        if (assignmentsResponse.items) {
+          for (const assignment of assignmentsResponse.items) {
+            const roleName = roleMap.get(assignment.roleId) || `Role ${assignment.roleId}`;
+            const existing = userRolesMap.get(assignment.assignedTo) || [];
+            existing.push(roleName);
+            userRolesMap.set(assignment.assignedTo, existing);
+          }
+        }
+
+        assignmentsPageToken = assignmentsResponse.nextPageToken;
+      } while (assignmentsPageToken);
+
+      ctx.log(`Fetched ${userRolesMap.size} user role assignments`);
+    } catch (error) {
+      ctx.log(
+        'Could not fetch role assignments (may need additional permissions), continuing with basic admin status',
+      );
+    }
+
+    // Fetch all users with pagination
+    ctx.log('Fetching users...');
+    const allUsers: GoogleWorkspaceUser[] = [];
+    let pageToken: string | undefined;
+
+    do {
+      const params: Record<string, string> = {
+        customer: 'my_customer',
+        maxResults: '500',
+        projection: 'full',
+      };
+
+      if (pageToken) {
+        params.pageToken = pageToken;
+      }
+
+      const response = await ctx.fetch<GoogleWorkspaceUsersResponse>('/admin/directory/v1/users', {
+        params,
+      });
+
+      if (response.users) {
+        allUsers.push(...response.users);
+      }
+
+      pageToken = response.nextPageToken;
+    } while (pageToken);
+
+    ctx.log(`Fetched ${allUsers.length} total users`);
+
+    // Filter users
+    const activeUsers = allUsers.filter((user) => {
+      if (user.suspended && !includeSuspended) {
+        return false;
+      }
+      if (user.archived) {
+        return false;
+      }
+      return true;
+    });
+
+    ctx.log(`Found ${activeUsers.length} active users after filtering`);
+
+    // Build the employee list with roles
+    const employeeList = activeUsers.map((user) => {
+      // Get assigned roles from the role assignments
+      const assignedRoles = userRolesMap.get(user.id) || [];
+
+      // Derive a role description
+      let role: string;
+      if (user.isAdmin) {
+        role = 'Super Admin';
+      } else if (user.isDelegatedAdmin) {
+        role = 'Delegated Admin';
+      } else if (assignedRoles.length > 0) {
+        role = assignedRoles.join(', ');
+      } else {
+        role = 'User';
+      }
+
+      return {
+        email: user.primaryEmail,
+        name: user.name.fullName,
+        role,
+        roles: assignedRoles.length > 0 ? assignedRoles : user.isAdmin ? ['Super Admin'] : ['User'],
+        isAdmin: user.isAdmin,
+        isDelegatedAdmin: user.isDelegatedAdmin,
+        orgUnit: user.orgUnitPath,
+        suspended: user.suspended,
+        creationTime: user.creationTime,
+        lastLoginTime: user.lastLoginTime,
+      };
+    });
+
+    // Group users by role for summary
+    const superAdmins = activeUsers.filter((u) => u.isAdmin);
+    const delegatedAdmins = activeUsers.filter((u) => u.isDelegatedAdmin && !u.isAdmin);
+    const regularUsers = activeUsers.filter((u) => !u.isAdmin && !u.isDelegatedAdmin);
+
+    // Pass with the full employee list as evidence
+    ctx.pass({
+      title: 'Employee Access List',
+      resourceType: 'organization',
+      resourceId: 'google-workspace',
+      description: `Retrieved ${activeUsers.length} employees from Google Workspace (${superAdmins.length} super admins, ${delegatedAdmins.length} delegated admins, ${regularUsers.length} regular users)`,
+      evidence: {
+        totalUsers: activeUsers.length,
+        superAdminCount: superAdmins.length,
+        delegatedAdminCount: delegatedAdmins.length,
+        regularUserCount: regularUsers.length,
+        reviewedAt: new Date().toISOString(),
+        employees: employeeList,
+      },
+    });
+
+    ctx.log('Google Workspace Employee Access check complete');
+  },
+};
diff --git a/packages/integration-platform/src/manifests/google-workspace/checks/index.ts b/packages/integration-platform/src/manifests/google-workspace/checks/index.ts
new file mode 100644
index 000000000..71d0bc885
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/checks/index.ts
@@ -0,0 +1,2 @@
+export { employeeAccessCheck } from './employee-access';
+export { twoFactorAuthCheck } from './two-factor-auth';
diff --git a/packages/integration-platform/src/manifests/google-workspace/checks/two-factor-auth.ts b/packages/integration-platform/src/manifests/google-workspace/checks/two-factor-auth.ts
new file mode 100644
index 000000000..0189c1abf
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/checks/two-factor-auth.ts
@@ -0,0 +1,118 @@
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { CheckContext, IntegrationCheck } from '../../../types';
+import type { GoogleWorkspaceUser, GoogleWorkspaceUsersResponse } from '../types';
+import { includeSuspendedVariable, targetOrgUnitsVariable } from '../variables';
+
+/**
+ * Check that all users have 2-Step Verification enabled
+ * Maps to: 2FA task
+ */
+export const twoFactorAuthCheck: IntegrationCheck = {
+  id: 'two-factor-auth',
+  name: '2-Step Verification Enabled',
+  description: 'Verify all users have 2-Step Verification (2FA) enabled in Google Workspace',
+  taskMapping: TASK_TEMPLATES['2fa'],
+  variables: [targetOrgUnitsVariable, includeSuspendedVariable],
+
+  run: async (ctx: CheckContext) => {
+    ctx.log('Starting Google Workspace 2FA check');
+
+    const targetOrgUnits = ctx.variables.target_org_units as string[] | undefined;
+    const includeSuspended = ctx.variables.include_suspended === 'true';
+
+    // Fetch all users with pagination
+    const allUsers: GoogleWorkspaceUser[] = [];
+    let pageToken: string | undefined;
+
+    do {
+      const params: Record<string, string> = {
+        customer: 'my_customer',
+        maxResults: '500',
+        projection: 'full',
+      };
+
+      if (pageToken) {
+        params.pageToken = pageToken;
+      }
+
+      const response = await ctx.fetch<GoogleWorkspaceUsersResponse>('/admin/directory/v1/users', {
+        params,
+      });
+
+      if (response.users) {
+        allUsers.push(...response.users);
+      }
+
+      pageToken = response.nextPageToken;
+    } while (pageToken);
+
+    ctx.log(`Fetched ${allUsers.length} total users`);
+
+    // Filter users based on settings
+    const usersToCheck = allUsers.filter((user) => {
+      // Skip suspended users unless explicitly included
+      if (user.suspended && !includeSuspended) {
+        return false;
+      }
+
+      // Skip archived users
+      if (user.archived) {
+        return false;
+      }
+
+      // Filter by org unit if specified
+      if (targetOrgUnits && targetOrgUnits.length > 0) {
+        return targetOrgUnits.some(
+          (ou) => user.orgUnitPath === ou || user.orgUnitPath.startsWith(`${ou}/`),
+        );
+      }
+
+      return true;
+    });
+
+    ctx.log(`Checking ${usersToCheck.length} users after filtering`);
+
+    // Check each user's 2FA status
+    for (const user of usersToCheck) {
+      if (user.isEnrolledIn2Sv) {
+        ctx.pass({
+          title: '2FA Enabled',
+          resourceType: 'user',
+          resourceId: user.primaryEmail,
+          description: `User ${user.name.fullName} has 2-Step Verification enabled`,
+          evidence: {
+            email: user.primaryEmail,
+            name: user.name.fullName,
+            isEnrolledIn2Sv: user.isEnrolledIn2Sv,
+            isEnforcedIn2Sv: user.isEnforcedIn2Sv,
+            isAdmin: user.isAdmin,
+            orgUnit: user.orgUnitPath,
+            lastLogin: user.lastLoginTime,
+          },
+        });
+      } else {
+        ctx.fail({
+          title: '2FA Not Enabled',
+          resourceType: 'user',
+          resourceId: user.primaryEmail,
+          severity: user.isAdmin ? 'high' : 'medium',
+          description: `User ${user.name.fullName} does not have 2-Step Verification enabled`,
+          remediation: user.isEnforcedIn2Sv
+            ? 'User is required to enable 2FA but has not completed enrollment. Follow up with user to complete setup.'
+            : 'Enable 2FA enforcement for this user or organizational unit in Google Admin Console.',
+          evidence: {
+            email: user.primaryEmail,
+            name: user.name.fullName,
+            isEnrolledIn2Sv: user.isEnrolledIn2Sv,
+            isEnforcedIn2Sv: user.isEnforcedIn2Sv,
+            isAdmin: user.isAdmin,
+            orgUnit: user.orgUnitPath,
+            lastLogin: user.lastLoginTime,
+          },
+        });
+      }
+    }
+
+    ctx.log('Google Workspace 2FA check complete');
+  },
+};
diff --git a/packages/integration-platform/src/manifests/google-workspace/index.ts b/packages/integration-platform/src/manifests/google-workspace/index.ts
new file mode 100644
index 000000000..e5987b396
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/index.ts
@@ -0,0 +1,51 @@
+import type { IntegrationManifest } from '../../types';
+import { employeeAccessCheck, twoFactorAuthCheck } from './checks';
+
+export const googleWorkspaceManifest: IntegrationManifest = {
+  id: 'google-workspace',
+  name: 'Google Workspace',
+  description: 'Monitor security settings and user compliance in Google Workspace',
+  category: 'Identity & Access',
+  logoUrl: 'https://img.logo.dev/google.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ&format=png&retina=true',
+  docsUrl: 'https://developers.google.com/admin-sdk',
+  isActive: true,
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://accounts.google.com/o/oauth2/v2/auth',
+      tokenUrl: 'https://oauth2.googleapis.com/token',
+      scopes: [
+        'https://www.googleapis.com/auth/admin.directory.user.readonly',
+        'https://www.googleapis.com/auth/admin.directory.orgunit.readonly',
+        'https://www.googleapis.com/auth/admin.directory.domain.readonly',
+      ],
+      pkce: false,
+      clientAuthMethod: 'body',
+      supportsRefreshToken: true,
+      authorizationParams: {
+        access_type: 'offline',
+        prompt: 'consent',
+      },
+      setupInstructions: `To enable Google Workspace Admin SDK:
+1. Go to Google Cloud Console (console.cloud.google.com)
+2. Create or select a project
+3. Enable the Admin SDK API
+4. Create OAuth 2.0 credentials (Web application type)
+5. Add the callback URL shown below to "Authorized redirect URIs"
+6. Copy the Client ID and Client Secret
+
+Note: The user authorizing must be a Google Workspace admin.`,
+      createAppUrl: 'https://console.cloud.google.com/apis/credentials',
+    },
+  },
+
+  baseUrl: 'https://admin.googleapis.com',
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+  },
+
+  capabilities: ['checks', 'sync'],
+
+  checks: [twoFactorAuthCheck, employeeAccessCheck],
+};
diff --git a/packages/integration-platform/src/manifests/google-workspace/types.ts b/packages/integration-platform/src/manifests/google-workspace/types.ts
new file mode 100644
index 000000000..f854f077c
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/types.ts
@@ -0,0 +1,81 @@
+// Google Workspace Admin SDK types
+
+export interface GoogleWorkspaceUser {
+  id: string;
+  primaryEmail: string;
+  name: {
+    givenName: string;
+    familyName: string;
+    fullName: string;
+  };
+  isAdmin: boolean;
+  isDelegatedAdmin: boolean;
+  isEnrolledIn2Sv: boolean;
+  isEnforcedIn2Sv: boolean;
+  suspended: boolean;
+  archived: boolean;
+  creationTime: string;
+  lastLoginTime: string;
+  orgUnitPath: string;
+}
+
+export interface GoogleWorkspaceUsersResponse {
+  kind: string;
+  users: GoogleWorkspaceUser[];
+  nextPageToken?: string;
+}
+
+export interface GoogleWorkspaceOrgUnit {
+  orgUnitId: string;
+  orgUnitPath: string;
+  name: string;
+  description?: string;
+  parentOrgUnitId?: string;
+  parentOrgUnitPath?: string;
+}
+
+export interface GoogleWorkspaceOrgUnitsResponse {
+  kind: string;
+  organizationUnits: GoogleWorkspaceOrgUnit[];
+}
+
+export interface GoogleWorkspaceDomain {
+  domainName: string;
+  isPrimary: boolean;
+  verified: boolean;
+  creationTime: string;
+}
+
+export interface GoogleWorkspaceDomainsResponse {
+  kind: string;
+  domains: GoogleWorkspaceDomain[];
+}
+
+// Role types
+export interface GoogleWorkspaceRole {
+  roleId: string;
+  roleName: string;
+  roleDescription?: string;
+  isSystemRole: boolean;
+  isSuperAdminRole: boolean;
+}
+
+export interface GoogleWorkspaceRolesResponse {
+  kind: string;
+  items: GoogleWorkspaceRole[];
+  nextPageToken?: string;
+}
+
+export interface GoogleWorkspaceRoleAssignment {
+  roleAssignmentId: string;
+  roleId: string;
+  assignedTo: string; // User ID
+  scopeType: 'CUSTOMER' | 'ORG_UNIT';
+  orgUnitId?: string;
+}
+
+export interface GoogleWorkspaceRoleAssignmentsResponse {
+  kind: string;
+  items: GoogleWorkspaceRoleAssignment[];
+  nextPageToken?: string;
+}
diff --git a/packages/integration-platform/src/manifests/google-workspace/variables.ts b/packages/integration-platform/src/manifests/google-workspace/variables.ts
new file mode 100644
index 000000000..850d5477a
--- /dev/null
+++ b/packages/integration-platform/src/manifests/google-workspace/variables.ts
@@ -0,0 +1,48 @@
+import type { CheckVariable } from '../../types';
+import type { GoogleWorkspaceOrgUnitsResponse } from './types';
+
+/**
+ * Target organizational units to check
+ * Allows filtering checks to specific OUs instead of entire domain
+ */
+export const targetOrgUnitsVariable: CheckVariable = {
+  id: 'target_org_units',
+  label: 'Organizational Units',
+  helpText: 'Select which organizational units to include in checks (leave empty for all)',
+  type: 'multi-select',
+  required: false,
+  fetchOptions: async (ctx) => {
+    try {
+      const response = await ctx.fetch<GoogleWorkspaceOrgUnitsResponse>(
+        '/admin/directory/v1/customer/my_customer/orgunits?type=all',
+      );
+
+      if (!response.organizationUnits) {
+        return [{ value: '/', label: '/ (Root)' }];
+      }
+
+      return response.organizationUnits.map((ou) => ({
+        value: ou.orgUnitPath,
+        label: `${ou.orgUnitPath} (${ou.name})`,
+      }));
+    } catch {
+      return [{ value: '/', label: '/ (Root)' }];
+    }
+  },
+};
+
+/**
+ * Whether to include suspended users in checks
+ */
+export const includeSuspendedVariable: CheckVariable = {
+  id: 'include_suspended',
+  label: 'Include Suspended Users',
+  helpText: 'Include suspended users in security checks',
+  type: 'select',
+  required: false,
+  default: 'false',
+  options: [
+    { value: 'false', label: 'No - Only active users' },
+    { value: 'true', label: 'Yes - Include suspended users' },
+  ],
+};
diff --git a/packages/integration-platform/src/manifests/rippling/index.ts b/packages/integration-platform/src/manifests/rippling/index.ts
new file mode 100644
index 000000000..503254a7f
--- /dev/null
+++ b/packages/integration-platform/src/manifests/rippling/index.ts
@@ -0,0 +1,59 @@
+/**
+ * Rippling Integration Manifest
+ *
+ * This integration connects to Rippling to sync employee data.
+ * It does NOT use the checks system - instead, a custom UI in the
+ * people page handles the OAuth flow and employee sync.
+ */
+
+import type { IntegrationManifest } from '../../types';
+
+export const ripplingManifest: IntegrationManifest = {
+  id: 'rippling',
+  name: 'Rippling',
+  description: 'Sync employees from Rippling to your organization members',
+  category: 'HR & People',
+  logoUrl: 'https://img.logo.dev/rippling.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ',
+  docsUrl: 'https://developer.rippling.com',
+  isActive: true,
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      // {APP_NAME} is replaced at runtime with customSettings.appName from IntegrationOAuthApp
+      authorizeUrl: 'https://app.rippling.com/apps/PLATFORM/{APP_NAME}/authorize',
+      tokenUrl: 'https://api.rippling.com/api/o/token/',
+      // Scopes are configured in the Rippling Developer Portal per-app
+      // User needs: "Read access to Workers" under HR information
+      scopes: [],
+      pkce: false,
+      // Rippling requires Basic Auth header with base64(client_id:client_secret)
+      clientAuthMethod: 'header',
+      supportsRefreshToken: true,
+      setupInstructions: `To create a Rippling OAuth App:
+1. Go to Rippling Developer Portal and create an app
+2. Set the Default Redirect URL to the callback URL shown below
+3. Copy the Client ID and Client Secret
+4. Enable the required scopes under HR information: "Read access to Workers"
+5. Note your app name - it's used in the authorize URL`,
+      createAppUrl: 'https://app.rippling.com/partner',
+    },
+  },
+
+  // V2 REST API base URL (different from V1 platform API)
+  baseUrl: 'https://rest.ripplingapis.com',
+  defaultHeaders: {
+    'Content-Type': 'application/json',
+  },
+
+  // Sync capability - this integration syncs employee data
+  capabilities: ['sync'],
+
+  // No checks defined - custom UI handles the sync
+  checks: [],
+};
+
+export default ripplingManifest;
+
+// Re-export types for external use
+export * from './types';
diff --git a/packages/integration-platform/src/manifests/rippling/types.ts b/packages/integration-platform/src/manifests/rippling/types.ts
new file mode 100644
index 000000000..bf9f75292
--- /dev/null
+++ b/packages/integration-platform/src/manifests/rippling/types.ts
@@ -0,0 +1,31 @@
+// Rippling API types for employee sync
+
+export interface RipplingEmployee {
+  id: string;
+  firstName: string;
+  lastName: string;
+  workEmail: string;
+  personalEmail?: string;
+  department?: {
+    id: string;
+    name: string;
+  };
+  title?: string;
+  employmentType?: string;
+  startDate?: string;
+  endDate?: string;
+  status: 'ACTIVE' | 'TERMINATED' | 'ON_LEAVE';
+  manager?: {
+    id: string;
+    name: string;
+  };
+  photoUrl?: string;
+}
+
+export interface RipplingEmployeesResponse {
+  data: RipplingEmployee[];
+  pagination?: {
+    hasMore: boolean;
+    cursor?: string;
+  };
+}
diff --git a/packages/integration-platform/src/manifests/vercel/checks/index.ts b/packages/integration-platform/src/manifests/vercel/checks/index.ts
new file mode 100644
index 000000000..9fb6ed1eb
--- /dev/null
+++ b/packages/integration-platform/src/manifests/vercel/checks/index.ts
@@ -0,0 +1 @@
+export { monitoringAlertingCheck } from './monitoring-alerting';
diff --git a/packages/integration-platform/src/manifests/vercel/checks/monitoring-alerting.ts b/packages/integration-platform/src/manifests/vercel/checks/monitoring-alerting.ts
new file mode 100644
index 000000000..88001240c
--- /dev/null
+++ b/packages/integration-platform/src/manifests/vercel/checks/monitoring-alerting.ts
@@ -0,0 +1,157 @@
+import { TASK_TEMPLATES } from '../../../task-mappings';
+import type { CheckContext, IntegrationCheck } from '../../../types';
+import type {
+  VercelDeployment,
+  VercelDeploymentsResponse,
+  VercelProject,
+  VercelProjectsResponse,
+} from '../types';
+
+/**
+ * Vercel Monitoring & Alerting Check
+ *
+ * Verifies that deployments are being monitored and webhooks/notifications
+ * are configured for deployment events.
+ * Maps to: Monitoring & Alerting task
+ */
+export const monitoringAlertingCheck: IntegrationCheck = {
+  id: 'monitoring-alerting',
+  name: 'Monitoring & Alerting Review',
+  description: 'Verify webhooks and notifications are configured for deployment monitoring',
+  taskMapping: TASK_TEMPLATES.monitoringAlerting,
+  variables: [],
+
+  run: async (ctx: CheckContext) => {
+    ctx.log('Starting Vercel Monitoring & Alerting check');
+
+    // Get team context from OAuth metadata (set during OAuth if user authorized for a team).
+    // OAuth providers can return extra context like team/user info which we store generically.
+    const oauthMeta = (ctx.metadata?.oauth || {}) as {
+      team?: { id?: string; name?: string };
+      user?: { id?: string; username?: string };
+    };
+    const teamId = oauthMeta.team?.id;
+    const teamName = oauthMeta.team?.name;
+
+    if (teamId) {
+      ctx.log(`Operating in team context: ${teamName || teamId}`);
+    } else {
+      ctx.log('Operating in personal account context');
+    }
+
+    // Fetch projects
+    ctx.log('Fetching projects...');
+    let projects: VercelProject[] = [];
+    try {
+      const projectsResponse = await ctx.fetch<VercelProjectsResponse>(
+        teamId ? `/v9/projects?teamId=${teamId}` : '/v9/projects',
+      );
+      projects = projectsResponse.projects || [];
+      ctx.log(`Found ${projects.length} projects`);
+    } catch (error) {
+      const errorMessage = error instanceof Error ? error.message : String(error);
+      ctx.fail({
+        title: 'Failed to Fetch Vercel Projects',
+        resourceType: 'vercel',
+        resourceId: 'projects',
+        severity: 'high',
+        description: `Could not fetch projects: ${errorMessage}`,
+        remediation: 'Ensure the OAuth connection has access to your projects',
+        evidence: { error: errorMessage, teamId },
+      });
+      return;
+    }
+
+    // Check recent deployments for failures
+    ctx.log('Checking recent deployments...');
+    const recentDeployments: VercelDeployment[] = [];
+    const failedDeployments: VercelDeployment[] = [];
+
+    for (const project of projects.slice(0, 10)) {
+      // Check first 10 projects
+      try {
+        const params = new URLSearchParams({ projectId: project.id, limit: '10' });
+        if (teamId) params.set('teamId', teamId);
+
+        const deploymentsResponse = await ctx.fetch<VercelDeploymentsResponse>(
+          `/v6/deployments?${params.toString()}`,
+        );
+        const deployments = deploymentsResponse.deployments || [];
+        recentDeployments.push(...deployments);
+
+        // Track failed deployments
+        const failed = deployments.filter((d) => d.state === 'ERROR' || d.state === 'CANCELED');
+        failedDeployments.push(...failed);
+      } catch (error) {
+        ctx.log(`Could not fetch deployments for project ${project.name}: ${error}`);
+      }
+    }
+
+    ctx.log(
+      `Found ${recentDeployments.length} recent deployments, ${failedDeployments.length} failed`,
+    );
+
+    if (failedDeployments.length > 0) {
+      const recentFailures = failedDeployments.slice(0, 5);
+      ctx.pass({
+        title: 'Recent Deployment Failures Recorded',
+        resourceType: 'deployment',
+        resourceId: 'recent-failures',
+        description: `${failedDeployments.length} failed or canceled deployments detected. Monitoring is capturing these events.`,
+        evidence: {
+          failedCount: failedDeployments.length,
+          recentFailures: recentFailures.map((d) => ({
+            name: d.name,
+            state: d.state,
+            url: d.url,
+            created: new Date(d.created).toISOString(),
+            target: d.target,
+          })),
+        },
+      });
+    } else {
+      ctx.pass({
+        title: 'No Recent Deployment Failures',
+        resourceType: 'deployment',
+        resourceId: 'recent-failures',
+        description: 'No failed or canceled deployments detected in the reviewed projects.',
+        evidence: {
+          reviewedProjects: projects.length,
+        },
+      });
+    }
+
+    // Always emit a pass with the full configuration summary
+    ctx.pass({
+      title: 'Vercel Monitoring Configuration',
+      resourceType: 'vercel',
+      resourceId: 'monitoring',
+      description: `Vercel${teamId ? ` (Team)` : ''}: ${projects.length} projects, ${recentDeployments.length} recent deployments`,
+      evidence: {
+        reviewedAt: new Date().toISOString(),
+        teamId,
+        teamName,
+        summary: {
+          recentFailures: failedDeployments.length,
+        },
+        projects: {
+          total: projects.length,
+          names: projects.map((p) => p.name),
+        },
+        deployments: {
+          recentTotal: recentDeployments.length,
+          failedCount: failedDeployments.length,
+          byState: {
+            ready: recentDeployments.filter((d) => d.state === 'READY').length,
+            error: recentDeployments.filter((d) => d.state === 'ERROR').length,
+            canceled: recentDeployments.filter((d) => d.state === 'CANCELED').length,
+            building: recentDeployments.filter((d) => d.state === 'BUILDING').length,
+            queued: recentDeployments.filter((d) => d.state === 'QUEUED').length,
+          },
+        },
+      },
+    });
+
+    ctx.log('Vercel Monitoring & Alerting check complete');
+  },
+};
diff --git a/packages/integration-platform/src/manifests/vercel/index.ts b/packages/integration-platform/src/manifests/vercel/index.ts
new file mode 100644
index 000000000..f103d84b6
--- /dev/null
+++ b/packages/integration-platform/src/manifests/vercel/index.ts
@@ -0,0 +1,59 @@
+import type { IntegrationManifest } from '../../types';
+import { monitoringAlertingCheck } from './checks';
+
+export const vercelManifest: IntegrationManifest = {
+  id: 'vercel',
+  name: 'Vercel',
+  description: 'Monitor deployments and alerting configuration in Vercel',
+  category: 'Cloud',
+  logoUrl: 'https://img.logo.dev/vercel.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ&format=png&retina=true',
+  docsUrl: 'https://vercel.com/docs/rest-api',
+  isActive: true,
+
+  auth: {
+    type: 'oauth2',
+    config: {
+      authorizeUrl: 'https://vercel.com/integrations/{APP_SLUG}/new',
+      tokenUrl: 'https://api.vercel.com/v2/oauth/access_token',
+      scopes: [],
+      pkce: false,
+      clientAuthMethod: 'body',
+      supportsRefreshToken: false,
+      setupInstructions: `## Setting up Vercel OAuth
+
+### Step 1: Create a Vercel App
+1. Go to your [Vercel Team Settings → Apps](https://vercel.com/your-team/~/settings/apps)
+2. Click **Create**
+3. Fill in:
+   - **Name**: Comp AI Security
+   - **Redirect URL**: \`{CALLBACK_URL}\`
+4. Click **Create**
+
+### Step 2: Get Credentials
+Copy the **Client ID** and **Client Secret** (click Reveal)
+
+### Step 3: Configure in Admin
+Enter the Client ID, Secret, and the integration slug (from \`vercel.com/integrations/{slug}\`) in the admin page.
+
+> **Team Support**: When connecting, you'll choose whether to install for your personal account or a team. If you select a team, all API calls will be scoped to that team.`,
+      customSettings: [
+        {
+          id: 'appSlug',
+          label: 'Vercel Integration Slug',
+          type: 'text',
+          placeholder: 'comp-ai',
+          helpText:
+            'The slug from your Vercel integration URL (https://vercel.com/integrations/{slug}). Used to launch the correct install page.',
+          required: true,
+          token: '{APP_SLUG}',
+        },
+      ],
+    },
+  },
+
+  baseUrl: 'https://api.vercel.com',
+
+  capabilities: ['checks'],
+
+  checks: [monitoringAlertingCheck],
+};
diff --git a/packages/integration-platform/src/manifests/vercel/types.ts b/packages/integration-platform/src/manifests/vercel/types.ts
new file mode 100644
index 000000000..2d5b7e688
--- /dev/null
+++ b/packages/integration-platform/src/manifests/vercel/types.ts
@@ -0,0 +1,123 @@
+/**
+ * Vercel API Response Types
+ */
+
+export interface VercelProject {
+  id: string;
+  name: string;
+  accountId: string;
+  createdAt: number;
+  updatedAt: number;
+  framework?: string;
+  devCommand?: string;
+  buildCommand?: string;
+  outputDirectory?: string;
+  rootDirectory?: string;
+  nodeVersion?: string;
+  serverlessFunctionRegion?: string;
+}
+
+export interface VercelProjectsResponse {
+  projects: VercelProject[];
+  pagination?: {
+    count: number;
+    next: number | null;
+    prev: number | null;
+  };
+}
+
+export interface VercelDeployment {
+  uid: string;
+  name: string;
+  url: string;
+  state: 'BUILDING' | 'ERROR' | 'INITIALIZING' | 'QUEUED' | 'READY' | 'CANCELED';
+  type: 'LAMBDAS';
+  created: number;
+  createdAt: number;
+  buildingAt?: number;
+  ready?: number;
+  creator: {
+    uid: string;
+    email?: string;
+    username?: string;
+  };
+  meta?: Record<string, string>;
+  target?: 'production' | 'staging' | null;
+  aliasError?: {
+    code: string;
+    message: string;
+  };
+  aliasAssigned?: number;
+}
+
+export interface VercelDeploymentsResponse {
+  deployments: VercelDeployment[];
+  pagination?: {
+    count: number;
+    next: number | null;
+    prev: number | null;
+  };
+}
+
+export interface VercelWebhook {
+  id: string;
+  url: string;
+  events: string[];
+  projectIds?: string[];
+  createdAt: number;
+}
+
+export interface VercelWebhooksResponse {
+  webhooks?: VercelWebhook[];
+}
+
+export interface VercelIntegrationConfiguration {
+  id: string;
+  slug?: string;
+  integrationId: string;
+  ownerId: string;
+  teamId?: string;
+  projectId?: string;
+  createdAt: number;
+  updatedAt: number;
+  scopes?: string[];
+  disabledAt?: number;
+}
+
+export interface VercelNotificationChannel {
+  id: string;
+  type: 'email' | 'slack' | 'webhook';
+  name: string;
+  createdAt: number;
+}
+
+export interface VercelAlert {
+  id: string;
+  name: string;
+  enabled: boolean;
+  type: string;
+  projectId?: string;
+  notificationChannels: string[];
+  createdAt: number;
+  updatedAt: number;
+}
+
+export interface VercelUser {
+  id: string;
+  email: string;
+  name?: string;
+  username: string;
+  avatar?: string;
+}
+
+export interface VercelTeam {
+  id: string;
+  slug: string;
+  name?: string;
+  createdAt: number;
+  avatar?: string;
+}
+
+export interface VercelUserResponse {
+  user: VercelUser;
+}
diff --git a/packages/integration-platform/src/registry/index.ts b/packages/integration-platform/src/registry/index.ts
new file mode 100644
index 000000000..9b077cce2
--- /dev/null
+++ b/packages/integration-platform/src/registry/index.ts
@@ -0,0 +1,190 @@
+import type {
+  AuthStrategy,
+  IntegrationCategory,
+  IntegrationHandler,
+  IntegrationManifest,
+  IntegrationRegistry,
+} from '../types';
+
+// Import all manifests (each in its own folder)
+import { awsManifest } from '../manifests/aws';
+import { azureManifest } from '../manifests/azure';
+import { gcpManifest } from '../manifests/gcp';
+import { manifest as githubManifest } from '../manifests/github';
+import { googleWorkspaceManifest } from '../manifests/google-workspace';
+import { ripplingManifest } from '../manifests/rippling';
+import { vercelManifest } from '../manifests/vercel';
+
+// ============================================================================
+// Registry Implementation
+// ============================================================================
+
+class IntegrationRegistryImpl implements IntegrationRegistry {
+  private manifests: Map<string, IntegrationManifest> = new Map();
+
+  constructor(manifests: IntegrationManifest[]) {
+    // Validate and register manifests
+    for (const manifest of manifests) {
+      this.validateManifest(manifest);
+
+      if (this.manifests.has(manifest.id)) {
+        throw new Error(`Duplicate integration ID: ${manifest.id}`);
+      }
+
+      this.manifests.set(manifest.id, manifest);
+    }
+  }
+
+  private validateManifest(manifest: IntegrationManifest): void {
+    if (!manifest.id || typeof manifest.id !== 'string') {
+      throw new Error('Integration manifest must have a valid id');
+    }
+
+    if (!manifest.name || typeof manifest.name !== 'string') {
+      throw new Error(`Integration ${manifest.id}: must have a valid name`);
+    }
+
+    if (!manifest.auth) {
+      throw new Error(`Integration ${manifest.id}: must have an auth strategy`);
+    }
+
+    if (manifest.auth.type === 'oauth2') {
+      const config = manifest.auth.config;
+      if (!config.authorizeUrl || !config.tokenUrl) {
+        throw new Error(`Integration ${manifest.id}: OAuth2 requires authorizeUrl and tokenUrl`);
+      }
+    }
+
+    if (!manifest.capabilities || manifest.capabilities.length === 0) {
+      throw new Error(`Integration ${manifest.id}: must have at least one capability`);
+    }
+  }
+
+  getManifest(id: string): IntegrationManifest | undefined {
+    return this.manifests.get(id);
+  }
+
+  getAllManifests(): IntegrationManifest[] {
+    return Array.from(this.manifests.values());
+  }
+
+  getByCategory(category: IntegrationCategory): IntegrationManifest[] {
+    return this.getAllManifests().filter((m) => m.category === category);
+  }
+
+  getActiveManifests(): IntegrationManifest[] {
+    return this.getAllManifests().filter((m) => m.isActive);
+  }
+
+  requiresOAuth(id: string): boolean {
+    const manifest = this.manifests.get(id);
+    return manifest?.auth.type === 'oauth2';
+  }
+
+  getAuthStrategy(id: string): AuthStrategy | undefined {
+    return this.manifests.get(id)?.auth;
+  }
+
+  getHandler(id: string): IntegrationHandler | undefined {
+    return this.manifests.get(id)?.handler;
+  }
+}
+
+// ============================================================================
+// Registry Singleton
+// ============================================================================
+
+// All registered manifests
+const allManifests: IntegrationManifest[] = [
+  awsManifest,
+  azureManifest,
+  gcpManifest,
+  githubManifest,
+  googleWorkspaceManifest,
+  ripplingManifest,
+  vercelManifest,
+];
+
+// Create and export the registry singleton
+export const registry: IntegrationRegistry = new IntegrationRegistryImpl(allManifests);
+
+// ============================================================================
+// Helper Functions
+// ============================================================================
+
+/**
+ * Get a manifest by ID
+ */
+export function getManifest(id: string): IntegrationManifest | undefined {
+  return registry.getManifest(id);
+}
+
+/**
+ * Get all available manifests
+ */
+export function getAllManifests(): IntegrationManifest[] {
+  return registry.getAllManifests();
+}
+
+/**
+ * Get active manifests only
+ */
+export function getActiveManifests(): IntegrationManifest[] {
+  return registry.getActiveManifests();
+}
+
+/**
+ * Get manifests by category
+ */
+export function getByCategory(category: IntegrationCategory): IntegrationManifest[] {
+  return registry.getByCategory(category);
+}
+
+/**
+ * Check if an integration requires OAuth
+ */
+export function requiresOAuth(id: string): boolean {
+  return registry.requiresOAuth(id);
+}
+
+/**
+ * Get OAuth config for an integration
+ */
+export function getOAuthConfig(id: string) {
+  const auth = registry.getAuthStrategy(id);
+  if (auth?.type === 'oauth2') {
+    return auth.config;
+  }
+  return undefined;
+}
+
+/**
+ * Get handler for an integration
+ */
+export function getHandler(id: string): IntegrationHandler | undefined {
+  return registry.getHandler(id);
+}
+
+/**
+ * Get all integration IDs
+ */
+export function getIntegrationIds(): string[] {
+  return registry.getAllManifests().map((m) => m.id);
+}
+
+/**
+ * Get all categories with their integration counts
+ */
+export function getCategoriesWithCounts(): { category: IntegrationCategory; count: number }[] {
+  const categories = new Map<IntegrationCategory, number>();
+
+  for (const manifest of registry.getAllManifests()) {
+    const current = categories.get(manifest.category) || 0;
+    categories.set(manifest.category, current + 1);
+  }
+
+  return Array.from(categories.entries()).map(([category, count]) => ({
+    category,
+    count,
+  }));
+}
diff --git a/packages/integration-platform/src/runtime/check-context.ts b/packages/integration-platform/src/runtime/check-context.ts
new file mode 100644
index 000000000..f6d003ac3
--- /dev/null
+++ b/packages/integration-platform/src/runtime/check-context.ts
@@ -0,0 +1,507 @@
+import type {
+  CheckContext,
+  CheckFindingResult,
+  CheckPassingResult,
+  CheckVariableValues,
+  IntegrationManifest,
+} from '../types';
+
+export interface CheckContextOptions {
+  manifest: IntegrationManifest;
+  /** Access token for OAuth integrations. Optional for custom auth types (e.g., AWS IAM). */
+  accessToken?: string;
+  credentials: Record<string, string>;
+  variables?: CheckVariableValues;
+  connectionId: string;
+  organizationId: string;
+  /** Connection metadata (e.g., OAuth team/user info from token response) */
+  metadata?: Record<string, unknown>;
+  logger?: {
+    info: (message: string, data?: Record<string, unknown>) => void;
+    warn: (message: string, data?: Record<string, unknown>) => void;
+    error: (message: string, data?: Record<string, unknown>) => void;
+  };
+  stateStorage?: {
+    get: <T>(key: string) => Promise<T | null>;
+    set: <T>(key: string, value: T) => Promise<void>;
+  };
+  onTokenRefresh?: () => Promise<string | null>;
+}
+
+export interface CheckResultLog {
+  level: 'info' | 'warn' | 'error';
+  message: string;
+  data?: Record<string, unknown>;
+  timestamp: Date;
+}
+
+export interface CheckResult {
+  findings: Array<CheckFindingResult & { status: 'open' }>;
+  passingResults: Array<CheckPassingResult & { collectedAt: Date }>;
+  logs: CheckResultLog[];
+  summary: {
+    totalChecked: number;
+    passed: number;
+    failed: number;
+  };
+}
+
+const MAX_RETRIES = 3;
+const INITIAL_RETRY_DELAY_MS = 1000;
+const MAX_PAGES_DEFAULT = 100;
+const PER_PAGE_DEFAULT = 100;
+
+const sleep = (ms: number) => new Promise((resolve) => setTimeout(resolve, ms));
+
+function getNestedValue(obj: Record<string, unknown>, path: string): unknown {
+  return path.split('.').reduce((current: unknown, key) => {
+    if (current && typeof current === 'object' && key in current) {
+      return (current as Record<string, unknown>)[key];
+    }
+    return undefined;
+  }, obj);
+}
+
+function parseLinkHeader(header: string | null): { next?: string } {
+  if (!header) return {};
+  const links: { next?: string } = {};
+  for (const part of header.split(',')) {
+    const match = part.match(/<([^>]+)>;\s*rel="([^"]+)"/);
+    if (match && match[2] === 'next') {
+      links.next = match[1];
+    }
+  }
+  return links;
+}
+
+export function createCheckContext(options: CheckContextOptions): {
+  ctx: CheckContext;
+  getResults: () => CheckResult;
+} {
+  const {
+    manifest,
+    accessToken: initialAccessToken,
+    credentials,
+    variables = {},
+    connectionId,
+    organizationId,
+    metadata,
+    logger,
+    stateStorage,
+    onTokenRefresh,
+  } = options;
+
+  let currentAccessToken = initialAccessToken ?? '';
+  const findings: CheckResult['findings'] = [];
+  const passingResults: CheckResult['passingResults'] = [];
+  const logs: CheckResult['logs'] = [];
+  let totalChecked = 0;
+  const baseUrl = manifest.baseUrl || '';
+  const defaultHeaders = manifest.defaultHeaders || {};
+
+  const log = {
+    info: (message: string, data?: Record<string, unknown>) => {
+      logs.push({ level: 'info', message, data, timestamp: new Date() });
+      logger?.info(message, data);
+    },
+    warn: (message: string, data?: Record<string, unknown>) => {
+      logs.push({ level: 'warn', message, data, timestamp: new Date() });
+      logger?.warn(message, data);
+    },
+    error: (message: string, data?: Record<string, unknown>) => {
+      logs.push({ level: 'error', message, data, timestamp: new Date() });
+      logger?.error(message, data);
+    },
+  };
+
+  const inMemoryState = new Map<string, unknown>();
+  const state = stateStorage ?? {
+    get: async <T>(key: string): Promise<T | null> => (inMemoryState.get(key) as T) ?? null,
+    set: async <T>(key: string, value: T): Promise<void> => {
+      inMemoryState.set(key, value);
+    },
+  };
+
+  const buildHeaders = (extra?: Record<string, string>): Record<string, string> => {
+    const headers: Record<string, string> = {
+      ...defaultHeaders,
+      ...extra,
+    };
+
+    // OAuth: Add Bearer token
+    if (manifest.auth.type === 'oauth2' && currentAccessToken) {
+      headers['Authorization'] = `Bearer ${currentAccessToken}`;
+    }
+
+    // API Key: Add to header if configured
+    if (manifest.auth.type === 'api_key' && manifest.auth.config.in === 'header') {
+      const apiKey = credentials[manifest.auth.config.name] || credentials.api_key || '';
+      const value = manifest.auth.config.prefix
+        ? `${manifest.auth.config.prefix}${apiKey}`
+        : apiKey;
+      headers[manifest.auth.config.name] = value;
+    }
+
+    // Basic Auth: Encode username:password
+    if (manifest.auth.type === 'basic') {
+      const username = credentials[manifest.auth.config.usernameField || 'username'] || '';
+      const password = credentials[manifest.auth.config.passwordField || 'password'] || '';
+      const encoded = Buffer.from(`${username}:${password}`).toString('base64');
+      headers['Authorization'] = `Basic ${encoded}`;
+    }
+
+    return headers;
+  };
+
+  async function withRetry(requestFn: () => Promise<Response>, attempt = 0): Promise<Response> {
+    const response = await requestFn();
+
+    if (response.status === 429 && attempt < MAX_RETRIES) {
+      const retryAfter = response.headers.get('Retry-After');
+      let delayMs: number;
+      if (retryAfter) {
+        const seconds = parseInt(retryAfter, 10);
+        delayMs = isNaN(seconds)
+          ? Math.max(0, new Date(retryAfter).getTime() - Date.now())
+          : seconds * 1000;
+      } else {
+        delayMs = INITIAL_RETRY_DELAY_MS * Math.pow(2, attempt);
+      }
+      log.warn(`Rate limited, retry in ${delayMs}ms`, { attempt: attempt + 1 });
+      await sleep(delayMs);
+      return withRetry(requestFn, attempt + 1);
+    }
+
+    if (response.status >= 500 && attempt < MAX_RETRIES) {
+      const delayMs = INITIAL_RETRY_DELAY_MS * Math.pow(2, attempt);
+      log.warn(`Server error ${response.status}, retry in ${delayMs}ms`, { attempt: attempt + 1 });
+      await sleep(delayMs);
+      return withRetry(requestFn, attempt + 1);
+    }
+
+    return response;
+  }
+
+  async function executeRequest<T>(requestFn: () => Promise<Response>): Promise<T> {
+    let response = await withRetry(requestFn);
+
+    if (response.status === 401 && onTokenRefresh) {
+      log.info('Token expired, refreshing...');
+      const newToken = await onTokenRefresh();
+      if (newToken) {
+        currentAccessToken = newToken;
+        response = await withRetry(requestFn);
+      } else {
+        log.error('Token refresh failed');
+      }
+    }
+
+    if (!response.ok) {
+      const err = new Error(`HTTP ${response.status}: ${response.statusText}`);
+      (err as Error & { status: number }).status = response.status;
+      throw err;
+    }
+
+    return response.json();
+  }
+
+  function buildUrl(path: string, base?: string, params?: Record<string, string>): URL {
+    const url = new URL(path, base || baseUrl);
+
+    // Add any provided query params
+    if (params) {
+      for (const [k, v] of Object.entries(params)) {
+        url.searchParams.set(k, v);
+      }
+    }
+
+    // API Key in query param
+    if (manifest.auth.type === 'api_key' && manifest.auth.config.in === 'query') {
+      const apiKey = credentials[manifest.auth.config.name] || credentials.api_key || '';
+      const value = manifest.auth.config.prefix
+        ? `${manifest.auth.config.prefix}${apiKey}`
+        : apiKey;
+      url.searchParams.set(manifest.auth.config.name, value);
+    }
+
+    return url;
+  }
+
+  async function httpGet<T>(
+    path: string,
+    opts?: { baseUrl?: string; headers?: Record<string, string>; params?: Record<string, string> },
+  ): Promise<T> {
+    const url = buildUrl(path, opts?.baseUrl, opts?.params);
+    return executeRequest<T>(() =>
+      fetch(url.toString(), { method: 'GET', headers: buildHeaders(opts?.headers) }),
+    );
+  }
+
+  async function httpPost<T>(
+    path: string,
+    body?: unknown,
+    opts?: { baseUrl?: string; headers?: Record<string, string> },
+  ): Promise<T> {
+    const url = buildUrl(path, opts?.baseUrl);
+    return executeRequest<T>(() =>
+      fetch(url.toString(), {
+        method: 'POST',
+        headers: { ...buildHeaders(opts?.headers), 'Content-Type': 'application/json' },
+        body: body ? JSON.stringify(body) : undefined,
+      }),
+    );
+  }
+
+  async function httpPut<T>(
+    path: string,
+    body?: unknown,
+    opts?: { baseUrl?: string; headers?: Record<string, string> },
+  ): Promise<T> {
+    const url = buildUrl(path, opts?.baseUrl);
+    return executeRequest<T>(() =>
+      fetch(url.toString(), {
+        method: 'PUT',
+        headers: { ...buildHeaders(opts?.headers), 'Content-Type': 'application/json' },
+        body: body ? JSON.stringify(body) : undefined,
+      }),
+    );
+  }
+
+  async function httpPatch<T>(
+    path: string,
+    body?: unknown,
+    opts?: { baseUrl?: string; headers?: Record<string, string> },
+  ): Promise<T> {
+    const url = buildUrl(path, opts?.baseUrl);
+    return executeRequest<T>(() =>
+      fetch(url.toString(), {
+        method: 'PATCH',
+        headers: { ...buildHeaders(opts?.headers), 'Content-Type': 'application/json' },
+        body: body ? JSON.stringify(body) : undefined,
+      }),
+    );
+  }
+
+  async function httpDelete<T>(
+    path: string,
+    opts?: { baseUrl?: string; headers?: Record<string, string> },
+  ): Promise<T> {
+    const url = buildUrl(path, opts?.baseUrl);
+    return executeRequest<T>(() =>
+      fetch(url.toString(), { method: 'DELETE', headers: buildHeaders(opts?.headers) }),
+    );
+  }
+
+  async function graphql<T>(
+    query: string,
+    variables?: Record<string, unknown>,
+    opts?: { endpoint?: string; headers?: Record<string, string> },
+  ): Promise<T> {
+    const endpoint = opts?.endpoint || `${baseUrl}/graphql`;
+    const response = await executeRequest<{ data?: T; errors?: Array<{ message: string }> }>(() =>
+      fetch(endpoint, {
+        method: 'POST',
+        headers: { ...buildHeaders(opts?.headers), 'Content-Type': 'application/json' },
+        body: JSON.stringify({ query, variables }),
+      }),
+    );
+
+    if (response.errors?.length) {
+      throw new Error(`GraphQL: ${response.errors.map((e) => e.message).join(', ')}`);
+    }
+    if (!response.data) {
+      throw new Error('GraphQL response missing data');
+    }
+    return response.data;
+  }
+
+  async function fetchAllPages<T>(
+    path: string,
+    opts?: {
+      baseUrl?: string;
+      perPage?: number;
+      maxPages?: number;
+      pageParam?: string;
+      perPageParam?: string;
+    },
+  ): Promise<T[]> {
+    const perPage = opts?.perPage ?? PER_PAGE_DEFAULT;
+    const maxPages = opts?.maxPages ?? MAX_PAGES_DEFAULT;
+    const pageParam = opts?.pageParam ?? 'page';
+    const perPageParam = opts?.perPageParam ?? 'per_page';
+    const results: T[] = [];
+
+    for (let page = 1; page <= maxPages; page++) {
+      const url = buildUrl(path, opts?.baseUrl);
+      url.searchParams.set(pageParam, String(page));
+      url.searchParams.set(perPageParam, String(perPage));
+
+      const items = await executeRequest<T[]>(() =>
+        fetch(url.toString(), { method: 'GET', headers: buildHeaders() }),
+      );
+
+      if (!Array.isArray(items) || items.length === 0) break;
+      results.push(...items);
+      if (items.length < perPage) break;
+    }
+
+    return results;
+  }
+
+  async function fetchWithCursor<T>(
+    path: string,
+    opts?: {
+      baseUrl?: string;
+      cursorParam?: string;
+      cursorPath?: string;
+      dataPath?: string;
+      params?: Record<string, string>;
+      maxPages?: number;
+    },
+  ): Promise<T[]> {
+    const cursorParam = opts?.cursorParam ?? 'cursor';
+    const cursorPath = opts?.cursorPath ?? 'next_cursor';
+    const dataPath = opts?.dataPath ?? 'data';
+    const maxPages = opts?.maxPages ?? MAX_PAGES_DEFAULT;
+    const results: T[] = [];
+    let cursor: string | null = null;
+
+    for (let page = 0; page < maxPages; page++) {
+      const url = buildUrl(path, opts?.baseUrl, opts?.params);
+      if (cursor) url.searchParams.set(cursorParam, cursor);
+
+      const response = await executeRequest<Record<string, unknown>>(() =>
+        fetch(url.toString(), { method: 'GET', headers: buildHeaders() }),
+      );
+
+      const data = getNestedValue(response, dataPath);
+      if (!Array.isArray(data) || data.length === 0) break;
+
+      results.push(...(data as T[]));
+
+      const nextCursor = getNestedValue(response, cursorPath);
+      if (typeof nextCursor !== 'string' || !nextCursor) break;
+      cursor = nextCursor;
+    }
+
+    return results;
+  }
+
+  async function fetchWithLinkHeader<T>(
+    path: string,
+    opts?: { baseUrl?: string; params?: Record<string, string>; maxPages?: number },
+  ): Promise<T[]> {
+    const maxPages = opts?.maxPages ?? MAX_PAGES_DEFAULT;
+    const results: T[] = [];
+    let nextUrl: string | null = buildUrl(path, opts?.baseUrl, opts?.params).toString();
+
+    for (let page = 0; page < maxPages && nextUrl; page++) {
+      let response = await withRetry(() =>
+        fetch(nextUrl!, { method: 'GET', headers: buildHeaders() }),
+      );
+
+      if (response.status === 401 && onTokenRefresh) {
+        const newToken = await onTokenRefresh();
+        if (newToken) {
+          currentAccessToken = newToken;
+          response = await withRetry(() =>
+            fetch(nextUrl!, { method: 'GET', headers: buildHeaders() }),
+          );
+        }
+      }
+
+      if (!response.ok) {
+        throw new Error(`HTTP ${response.status}: ${response.statusText}`);
+      }
+
+      const items: T[] = await response.json();
+      if (!Array.isArray(items) || items.length === 0) break;
+
+      results.push(...items);
+      nextUrl = parseLinkHeader(response.headers.get('Link')).next ?? null;
+    }
+
+    return results;
+  }
+
+  const ctx: CheckContext = {
+    get accessToken() {
+      return currentAccessToken;
+    },
+    credentials,
+    variables,
+    connectionId,
+    organizationId,
+    metadata,
+    log: log.info,
+    warn: log.warn,
+    error: log.error,
+
+    pass(result: CheckPassingResult) {
+      totalChecked++;
+      passingResults.push({ ...result, collectedAt: new Date() });
+      log.info(`PASS: ${result.title}`, {
+        resourceType: result.resourceType,
+        resourceId: result.resourceId,
+      });
+    },
+
+    fail(finding: CheckFindingResult) {
+      totalChecked++;
+      findings.push({ ...finding, status: 'open' });
+      log.info(`FAIL: ${finding.title}`, {
+        resourceType: finding.resourceType,
+        resourceId: finding.resourceId,
+        severity: finding.severity,
+      });
+    },
+
+    addFinding(finding) {
+      totalChecked++;
+      findings.push({
+        title: finding.title,
+        description: finding.description || '',
+        resourceType: finding.resourceType,
+        resourceId: finding.resourceId,
+        severity: finding.severity,
+        remediation: finding.remediation || '',
+        evidence: finding.rawPayload,
+        status: 'open',
+      });
+    },
+
+    addPassingResult(result) {
+      totalChecked++;
+      passingResults.push({
+        title: result.title,
+        description: result.description || '',
+        resourceType: result.resourceType,
+        resourceId: result.resourceId,
+        evidence: result.evidence || {},
+        collectedAt: new Date(),
+      });
+    },
+
+    fetch: httpGet,
+    post: httpPost,
+    put: httpPut,
+    patch: httpPatch,
+    delete: httpDelete,
+    graphql,
+    fetchAllPages,
+    fetchWithCursor,
+    fetchWithLinkHeader,
+    getState: state.get,
+    setState: state.set,
+  };
+
+  return {
+    ctx,
+    getResults: () => ({
+      findings,
+      passingResults,
+      logs,
+      summary: { totalChecked, passed: passingResults.length, failed: findings.length },
+    }),
+  };
+}
diff --git a/packages/integration-platform/src/runtime/check-runner.ts b/packages/integration-platform/src/runtime/check-runner.ts
new file mode 100644
index 000000000..5141794c8
--- /dev/null
+++ b/packages/integration-platform/src/runtime/check-runner.ts
@@ -0,0 +1,127 @@
+import type { IntegrationCheck, IntegrationManifest } from '../types';
+import { createCheckContext, type CheckContextOptions, type CheckResult } from './check-context';
+
+// ============================================================================
+// Check Runner
+// ============================================================================
+
+export interface RunCheckOptions extends Omit<CheckContextOptions, 'manifest'> {
+  /** The integration manifest */
+  manifest: IntegrationManifest;
+  /** Specific check ID to run (optional - runs all if not specified) */
+  checkId?: string;
+}
+
+export interface CheckRunResult {
+  checkId: string;
+  checkName: string;
+  status: 'success' | 'failed' | 'error';
+  result: CheckResult;
+  error?: string;
+  durationMs: number;
+}
+
+export interface RunAllChecksResult {
+  results: CheckRunResult[];
+  totalFindings: number;
+  totalPassing: number;
+  durationMs: number;
+}
+
+/**
+ * Run a single check
+ */
+export async function runCheck(
+  check: IntegrationCheck,
+  options: Omit<RunCheckOptions, 'checkId'>,
+): Promise<CheckRunResult> {
+  const startTime = Date.now();
+
+  const { ctx, getResults } = createCheckContext(options);
+
+  try {
+    ctx.log(`Starting check: ${check.name}`);
+    await check.run(ctx);
+    ctx.log(`Completed check: ${check.name}`);
+
+    const result = getResults();
+    const status = result.findings.length > 0 ? 'failed' : 'success';
+
+    return {
+      checkId: check.id,
+      checkName: check.name,
+      status,
+      result,
+      durationMs: Date.now() - startTime,
+    };
+  } catch (err) {
+    const result = getResults();
+    ctx.error(`Check failed: ${check.name}`, { error: String(err) });
+
+    return {
+      checkId: check.id,
+      checkName: check.name,
+      status: 'error',
+      result,
+      error: err instanceof Error ? err.message : String(err),
+      durationMs: Date.now() - startTime,
+    };
+  }
+}
+
+/**
+ * Run all checks for an integration
+ */
+export async function runAllChecks(options: RunCheckOptions): Promise<RunAllChecksResult> {
+  const startTime = Date.now();
+  const { manifest, checkId } = options;
+
+  const checks = manifest.checks || [];
+
+  if (checks.length === 0) {
+    return {
+      results: [],
+      totalFindings: 0,
+      totalPassing: 0,
+      durationMs: Date.now() - startTime,
+    };
+  }
+
+  // Filter to specific check if requested
+  const checksToRun = checkId ? checks.filter((c) => c.id === checkId) : checks;
+
+  if (checkId && checksToRun.length === 0) {
+    throw new Error(`Check "${checkId}" not found in manifest`);
+  }
+
+  const results: CheckRunResult[] = [];
+
+  for (const check of checksToRun) {
+    const result = await runCheck(check, options);
+    results.push(result);
+  }
+
+  const totalFindings = results.reduce((sum, r) => sum + r.result.findings.length, 0);
+  const totalPassing = results.reduce((sum, r) => sum + r.result.passingResults.length, 0);
+
+  return {
+    results,
+    totalFindings,
+    totalPassing,
+    durationMs: Date.now() - startTime,
+  };
+}
+
+/**
+ * Get available checks for an integration
+ */
+export function getAvailableChecks(
+  manifest: IntegrationManifest,
+): Array<{ id: string; name: string; description: string; taskMapping?: string }> {
+  return (manifest.checks || []).map((check) => ({
+    id: check.id,
+    name: check.name,
+    description: check.description,
+    taskMapping: check.taskMapping,
+  }));
+}
diff --git a/packages/integration-platform/src/runtime/index.ts b/packages/integration-platform/src/runtime/index.ts
new file mode 100644
index 000000000..a0eb46df0
--- /dev/null
+++ b/packages/integration-platform/src/runtime/index.ts
@@ -0,0 +1,9 @@
+export { createCheckContext, type CheckContextOptions, type CheckResult } from './check-context';
+export {
+  getAvailableChecks,
+  runAllChecks,
+  runCheck,
+  type CheckRunResult,
+  type RunAllChecksResult,
+  type RunCheckOptions,
+} from './check-runner';
diff --git a/packages/integration-platform/src/task-mappings.ts b/packages/integration-platform/src/task-mappings.ts
new file mode 100644
index 000000000..0621f2d45
--- /dev/null
+++ b/packages/integration-platform/src/task-mappings.ts
@@ -0,0 +1,630 @@
+// ============================================================================
+// AUTO-GENERATED FILE - DO NOT EDIT DIRECTLY
+// Generated by: bun run scripts/generate-task-types.ts
+// ============================================================================
+
+/**
+ * All available task template IDs that can be used for task mapping.
+ * These are derived from the FrameworkEditorTaskTemplate seed data.
+ */
+export const TASK_TEMPLATE_IDS = [
+  'frk_tt_68407ae5274a64092c305104', // Secure Secrets
+  'frk_tt_6849c1a1038c3f18cfff47bf', // Utility Monitoring
+  'frk_tt_68406951bd282273ebe286cc', // Employee Verification
+  'frk_tt_68406e7abae2a9b16c2cc197', // Planning
+  'frk_tt_68406a514e90bb6e32e0b107', // Contact Information
+  'frk_tt_68406f411fe27e47a0d6d5f3', // TLS / HTTPS
+  'frk_tt_68406e353df3bc002994acef', // Secure Code
+  'frk_tt_68406af04a4acb93083413b9', // Monitoring & Alerting
+  'frk_tt_686b51339d7e9f8ef2081a70', // Data Masking
+  'frk_tt_68406d64f09f13271c14dd01', // Code Changes
+  'frk_tt_684076a02261faf3d331289d', // Publish Policies
+  'frk_tt_68406903839203801ac8041a', // Device List
+  'frk_tt_68b59e7a29bec89c57014868', // Statement of Applicability
+  'frk_tt_68406d2e86acc048d1774ea6', // App Availability
+  'frk_tt_68406eedf0f0ddd220ea19c2', // Sanitized Inputs
+  'frk_tt_6840796f77d8a0dff53f947a', // Secure Devices
+  'frk_tt_68b5ce9dd597ac7d650e4915', // Reassess Legal Basis for Processing
+  'frk_tt_68b5ce9b5393ae083c3beadf', // Appoint or Review Data Protection Officer
+  'frk_tt_68e52b2618cb9d9722c6edfd', // Internal Security Audit
+  'frk_tt_68cc327ff5d3130a1b42420b', // AI MS Communication Plan
+  'frk_tt_68c3248edf65e750909dfd07', // Attestation of Compliance
+  'frk_tt_68c332c3bc6d696bb61e7351', // Self-Assessment Questionnaires
+  'frk_tt_68b5ce9d508cacf8e4517b56', // Review International Data Transfers
+  'frk_tt_68cc25658bacb2ccff56adf9', // AI Context Register
+  'frk_tt_6840791cac0a7b780dbaf932', // Public Policies
+  'frk_tt_68cc27431d1266e3c77d7c0f', // Stakeholder Register / Interested Parties Log
+  'frk_tt_68e52b26bf0e656af9e4e9c3', // Encryption at Rest
+  'frk_tt_68b5ce9c6c1bdb171870f623', // Manage Third-party and EU Representative Relationships
+  'frk_tt_68e52a484cad0014de7a628f', // Separation of Environments
+  'frk_tt_68406b4f40c87c12ae0479ce', // Incident Response
+  'frk_tt_68c8309516fdbc514404988d', // Board Meetings & Independence
+  'frk_tt_68cc2ce9cb0d2a4774975ace', // AI MS Roles & Responsibilities Assignment
+  'frk_tt_6849aad98c50d734dd904d98', // Diagramming
+  'frk_tt_68cc2f30b51920e5515465e6', // AI System Impact Assessment Procedure
+  'frk_tt_68cc2fa423533e602e4dee25', // AI Objectives Register
+  'frk_tt_68cc301a8fd914534ab95b11', // AI System Change Log
+  'frk_tt_68cc30fbbeabb8a4c2f56082', // AI MS Resource Allocation Record
+  'frk_tt_68cc395b90e179fe3209b795', // AI MS Operational Control Procedure
+  'frk_tt_68cc3f427e309607f1ad5ba4', // AI Risk Treatment Implementation Record
+  'frk_tt_68cc3ffab3fb703917f51e19', // AI Impact Assessment Log
+  'frk_tt_68cc4190caf0b458effcee6e', // AI MS Internal Audit Program
+  'frk_tt_68cc41ad7cbd2839c0bc7104', // AI Internal Audit Reports
+  'frk_tt_68cc459ed57b70a4cb631e72', // AI MS Continual Improvement Log
+  'frk_tt_68d28f68f117d45c0adcba33', // Legal Proof of Company Registration
+  'frk_tt_68cc39efd7916e240451cae5', // AI Risk Assessment Execution (Log)
+  'frk_tt_68dc1a3a9b92bb4ffb89e334', // Systems Description
+  'frk_tt_68e1d5667f2b14a9b0c2daf8', // NEN 7510 Risk Assessments
+  'frk_tt_68e1d619944625cc1876540c', // Management Review Minutes
+  'frk_tt_68e52b274a7c38c62db08e80', // Organisation Chart
+  'frk_tt_684069a3a0dd8322b2ac3f03', // Employee Descriptions
+  'frk_tt_68406cd9dde2d8cd4c463fe0', // 2FA
+  'frk_tt_68e80544d9734e0402cfa807', // Role-based Access Controls
+  'frk_tt_68e52b27c4bdbf1b24051b8b', // Employee Performance Evaluations
+  'frk_tt_68406ca292d9fffb264991b9', // Employee Access
+  'frk_tt_68e80545a8b432bc59eb8037', // Incident Response Tabletop Exercise
+  'frk_tt_68e805457c2dcc784e72e3cc', // Access Review Log
+  'frk_tt_68e52b269db179c434734766', // Backup Restoration Test
+  'frk_tt_68e52b26b166e2c0a0d11956', // Backup logs
+  'frk_tt_6901e040a21d5e8fdc9736e8', // Building / Workplace Rules
+  'frk_tt_6901e041bb02b41fa3b7dca9', // Office Access & Door Monitoring
+  'frk_tt_6901e0aa49fb834934748c93', // Visitor Control
+  'frk_tt_6901e0aa6d3f2bbab1ea5b84', // Secure Storage
+  'frk_tt_69033a6bfeb4759be36257bc', // Infrastructure Inventory
+  'frk_tt_68fa2a852e70f757188f0c39', // Production Firewall & No-Public-Access Controls
+] as const;
+
+/**
+ * Union type of all valid task template IDs.
+ * Use this for type-safe task mapping in integration checks.
+ */
+export type TaskTemplateId = (typeof TASK_TEMPLATE_IDS)[number];
+
+/**
+ * Mapping of task names to their IDs for easier reference.
+ * Use this when you know the task name but need the ID.
+ */
+export const TASK_TEMPLATES = {
+  /** Secure Secrets */
+  secureSecrets: 'frk_tt_68407ae5274a64092c305104',
+  /** Utility Monitoring */
+  utilityMonitoring: 'frk_tt_6849c1a1038c3f18cfff47bf',
+  /** Employee Verification */
+  employeeVerification: 'frk_tt_68406951bd282273ebe286cc',
+  /** Planning */
+  planning: 'frk_tt_68406e7abae2a9b16c2cc197',
+  /** Contact Information */
+  contactInformation: 'frk_tt_68406a514e90bb6e32e0b107',
+  /** TLS / HTTPS */
+  tlsHttps: 'frk_tt_68406f411fe27e47a0d6d5f3',
+  /** Secure Code */
+  secureCode: 'frk_tt_68406e353df3bc002994acef',
+  /** Monitoring & Alerting */
+  monitoringAlerting: 'frk_tt_68406af04a4acb93083413b9',
+  /** Data Masking */
+  dataMasking: 'frk_tt_686b51339d7e9f8ef2081a70',
+  /** Code Changes */
+  codeChanges: 'frk_tt_68406d64f09f13271c14dd01',
+  /** Publish Policies */
+  publishPolicies: 'frk_tt_684076a02261faf3d331289d',
+  /** Device List */
+  deviceList: 'frk_tt_68406903839203801ac8041a',
+  /** Statement of Applicability */
+  statementOfApplicability: 'frk_tt_68b59e7a29bec89c57014868',
+  /** App Availability */
+  appAvailability: 'frk_tt_68406d2e86acc048d1774ea6',
+  /** Sanitized Inputs */
+  sanitizedInputs: 'frk_tt_68406eedf0f0ddd220ea19c2',
+  /** Secure Devices */
+  secureDevices: 'frk_tt_6840796f77d8a0dff53f947a',
+  /** Reassess Legal Basis for Processing */
+  reassessLegalBasisForProcessing: 'frk_tt_68b5ce9dd597ac7d650e4915',
+  /** Appoint or Review Data Protection Officer */
+  appointOrReviewDataProtectionOfficer: 'frk_tt_68b5ce9b5393ae083c3beadf',
+  /** Internal Security Audit */
+  internalSecurityAudit: 'frk_tt_68e52b2618cb9d9722c6edfd',
+  /** AI MS Communication Plan */
+  aiMsCommunicationPlan: 'frk_tt_68cc327ff5d3130a1b42420b',
+  /** Attestation of Compliance */
+  attestationOfCompliance: 'frk_tt_68c3248edf65e750909dfd07',
+  /** Self-Assessment Questionnaires */
+  selfassessmentQuestionnaires: 'frk_tt_68c332c3bc6d696bb61e7351',
+  /** Review International Data Transfers */
+  reviewInternationalDataTransfers: 'frk_tt_68b5ce9d508cacf8e4517b56',
+  /** AI Context Register */
+  aiContextRegister: 'frk_tt_68cc25658bacb2ccff56adf9',
+  /** Public Policies */
+  publicPolicies: 'frk_tt_6840791cac0a7b780dbaf932',
+  /** Stakeholder Register / Interested Parties Log */
+  stakeholderRegisterInterestedPartiesLog: 'frk_tt_68cc27431d1266e3c77d7c0f',
+  /** Encryption at Rest */
+  encryptionAtRest: 'frk_tt_68e52b26bf0e656af9e4e9c3',
+  /** Manage Third-party and EU Representative Relationships */
+  manageThirdpartyAndEuRepresentativeRelationships: 'frk_tt_68b5ce9c6c1bdb171870f623',
+  /** Separation of Environments */
+  separationOfEnvironments: 'frk_tt_68e52a484cad0014de7a628f',
+  /** Incident Response */
+  incidentResponse: 'frk_tt_68406b4f40c87c12ae0479ce',
+  /** Board Meetings & Independence */
+  boardMeetingsIndependence: 'frk_tt_68c8309516fdbc514404988d',
+  /** AI MS Roles & Responsibilities Assignment */
+  aiMsRolesResponsibilitiesAssignment: 'frk_tt_68cc2ce9cb0d2a4774975ace',
+  /** Diagramming */
+  diagramming: 'frk_tt_6849aad98c50d734dd904d98',
+  /** AI System Impact Assessment Procedure */
+  aiSystemImpactAssessmentProcedure: 'frk_tt_68cc2f30b51920e5515465e6',
+  /** AI Objectives Register */
+  aiObjectivesRegister: 'frk_tt_68cc2fa423533e602e4dee25',
+  /** AI System Change Log */
+  aiSystemChangeLog: 'frk_tt_68cc301a8fd914534ab95b11',
+  /** AI MS Resource Allocation Record */
+  aiMsResourceAllocationRecord: 'frk_tt_68cc30fbbeabb8a4c2f56082',
+  /** AI MS Operational Control Procedure */
+  aiMsOperationalControlProcedure: 'frk_tt_68cc395b90e179fe3209b795',
+  /** AI Risk Treatment Implementation Record */
+  aiRiskTreatmentImplementationRecord: 'frk_tt_68cc3f427e309607f1ad5ba4',
+  /** AI Impact Assessment Log */
+  aiImpactAssessmentLog: 'frk_tt_68cc3ffab3fb703917f51e19',
+  /** AI MS Internal Audit Program */
+  aiMsInternalAuditProgram: 'frk_tt_68cc4190caf0b458effcee6e',
+  /** AI Internal Audit Reports */
+  aiInternalAuditReports: 'frk_tt_68cc41ad7cbd2839c0bc7104',
+  /** AI MS Continual Improvement Log */
+  aiMsContinualImprovementLog: 'frk_tt_68cc459ed57b70a4cb631e72',
+  /** Legal Proof of Company Registration */
+  legalProofOfCompanyRegistration: 'frk_tt_68d28f68f117d45c0adcba33',
+  /** AI Risk Assessment Execution (Log) */
+  aiRiskAssessmentExecutionLog: 'frk_tt_68cc39efd7916e240451cae5',
+  /** Systems Description */
+  systemsDescription: 'frk_tt_68dc1a3a9b92bb4ffb89e334',
+  /** NEN 7510 Risk Assessments */
+  nen7510RiskAssessments: 'frk_tt_68e1d5667f2b14a9b0c2daf8',
+  /** Management Review Minutes */
+  managementReviewMinutes: 'frk_tt_68e1d619944625cc1876540c',
+  /** Organisation Chart */
+  organisationChart: 'frk_tt_68e52b274a7c38c62db08e80',
+  /** Employee Descriptions */
+  employeeDescriptions: 'frk_tt_684069a3a0dd8322b2ac3f03',
+  /** 2FA */
+  '2fa': 'frk_tt_68406cd9dde2d8cd4c463fe0',
+  /** Role-based Access Controls */
+  rolebasedAccessControls: 'frk_tt_68e80544d9734e0402cfa807',
+  /** Employee Performance Evaluations */
+  employeePerformanceEvaluations: 'frk_tt_68e52b27c4bdbf1b24051b8b',
+  /** Employee Access */
+  employeeAccess: 'frk_tt_68406ca292d9fffb264991b9',
+  /** Incident Response Tabletop Exercise */
+  incidentResponseTabletopExercise: 'frk_tt_68e80545a8b432bc59eb8037',
+  /** Access Review Log */
+  accessReviewLog: 'frk_tt_68e805457c2dcc784e72e3cc',
+  /** Backup Restoration Test */
+  backupRestorationTest: 'frk_tt_68e52b269db179c434734766',
+  /** Backup logs */
+  backupLogs: 'frk_tt_68e52b26b166e2c0a0d11956',
+  /** Building / Workplace Rules */
+  buildingWorkplaceRules: 'frk_tt_6901e040a21d5e8fdc9736e8',
+  /** Office Access & Door Monitoring */
+  officeAccessDoorMonitoring: 'frk_tt_6901e041bb02b41fa3b7dca9',
+  /** Visitor Control */
+  visitorControl: 'frk_tt_6901e0aa49fb834934748c93',
+  /** Secure Storage */
+  secureStorage: 'frk_tt_6901e0aa6d3f2bbab1ea5b84',
+  /** Infrastructure Inventory */
+  infrastructureInventory: 'frk_tt_69033a6bfeb4759be36257bc',
+  /** Production Firewall & No-Public-Access Controls */
+  productionFirewallNopublicaccessControls: 'frk_tt_68fa2a852e70f757188f0c39',
+} as const;
+
+/**
+ * Task template metadata for reference.
+ */
+export const TASK_TEMPLATE_INFO: Record<
+  TaskTemplateId,
+  { name: string; description: string; department: string; frequency: string }
+> = {
+  frk_tt_68407ae5274a64092c305104: {
+    name: 'Secure Secrets',
+    description: `Use your cloud providers default secret manager for storing secrets. Don't commit secrets to Git and...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_6849c1a1038c3f18cfff47bf: {
+    name: 'Utility Monitoring',
+    description: `Maintain a list of approved privileged utilities (e.g. iptables, tcpdump, disk‑encryption tools)
+
+Sh...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68406951bd282273ebe286cc: {
+    name: 'Employee Verification',
+    description: `Maintain a list of reference checks you made for every new hire. Verify the identity of every new hi...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_68406e7abae2a9b16c2cc197: {
+    name: 'Planning',
+    description: `Make sure you have point in time recovery / backups enabled and that you test this works on an annua...`,
+    department: 'gov',
+    frequency: 'yearly',
+  },
+  frk_tt_68406a514e90bb6e32e0b107: {
+    name: 'Contact Information',
+    description: `You need to show what services/software you offer and provide clear instructions on how your custome...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68406f411fe27e47a0d6d5f3: {
+    name: 'TLS / HTTPS',
+    description: `Ensure TLS / HTTPS is enabled.
+
+Upload a screenshot from SSL Labs to show this is enabled....`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68406e353df3bc002994acef: {
+    name: 'Secure Code',
+    description: `Ensure dependabot or it's equivalent is enabled to automatically identify insecure or patched depend...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68406af04a4acb93083413b9: {
+    name: 'Monitoring & Alerting',
+    description: `Ensure you have logging enabled in cloud environments (e.g. Google Cloud or Vercel) and review it pe...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_686b51339d7e9f8ef2081a70: {
+    name: 'Data Masking',
+    description: `Hide Sensitive fields
+
+PCI: Mask PAN when displayed outside the secure CDE, ensuring only truncated ...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68406d64f09f13271c14dd01: {
+    name: 'Code Changes',
+    description: `Enable branch protection on your main branch to prevent direct pushes and enforce pull requests. Ens...`,
+    department: 'gov',
+    frequency: 'yearly',
+  },
+  frk_tt_684076a02261faf3d331289d: {
+    name: 'Publish Policies',
+    description: `Make sure all of the policies in Comp AI have been published and all employees have signed/agreed to...`,
+    department: 'gov',
+    frequency: 'yearly',
+  },
+  frk_tt_68406903839203801ac8041a: {
+    name: 'Device List',
+    description: `Keep and maintain a list of your devices (laptops/servers). If you install the Comp AI agent on your...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68b59e7a29bec89c57014868: {
+    name: 'Statement of Applicability',
+    description: `The Statement of Applicability identifies relevant ISO 27001 Annex A controls, explains their inclus...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68406d2e86acc048d1774ea6: {
+    name: 'App Availability',
+    description: `Make sure your website or app doesn't slow down or crash because too many people are using it, or if...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68406eedf0f0ddd220ea19c2: {
+    name: 'Sanitized Inputs',
+    description: `Implement input validation and sanitization using libraries such as Zod, Pydantic, or equivalent. 
+
+...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_6840796f77d8a0dff53f947a: {
+    name: 'Secure Devices',
+    description: `Ensure all devices have BitLocker/FileVault enabled, screen lock enabled after 5 minutes (for mac) o...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68b5ce9dd597ac7d650e4915: {
+    name: 'Reassess Legal Basis for Processing',
+    description: `Review and document the lawful basis for each processing activity under GDPR Article 6 (e.g., consen...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68b5ce9b5393ae083c3beadf: {
+    name: 'Appoint or Review Data Protection Officer',
+    description: `Assess whether your organization is required to appoint a Data Protection Officer (DPO) under GDPR (...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52b2618cb9d9722c6edfd: {
+    name: 'Internal Security Audit',
+    description: `Upload evidence of a recent internal information security audit - e.g., audit plan/scope, auditor in...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc327ff5d3130a1b42420b: {
+    name: 'AI MS Communication Plan',
+    description: `Document and maintain a plan outlining internal and external communication relevant to the AI MS: wh...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_68c3248edf65e750909dfd07: {
+    name: 'Attestation of Compliance',
+    description: `Download and complete the AoC form. Once complete, upload the file here. 
+
+For Merchants - https://d...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68c332c3bc6d696bb61e7351: {
+    name: 'Self-Assessment Questionnaires',
+    description: `- SAQ A: For merchants fully outsourcing all card data functions to PCI-validated 3rd parties (you r...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68b5ce9d508cacf8e4517b56: {
+    name: 'Review International Data Transfers',
+    description: `Review and document all international data transfers to ensure compliance with GDPR Chapter V. Confi...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc25658bacb2ccff56adf9: {
+    name: 'AI Context Register',
+    description: `Maintain a register of internal and external issues relevant to AI systems, including organizational...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_6840791cac0a7b780dbaf932: {
+    name: 'Public Policies',
+    description: `Add a comment with links to your privacy policy / terms of service. Ensure Privacy policy has  a for...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc27431d1266e3c77d7c0f: {
+    name: 'Stakeholder Register / Interested Parties Log',
+    description: `Document a register of interested parties (e.g., regulators, customers, employees, partners, societa...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52b26bf0e656af9e4e9c3: {
+    name: 'Encryption at Rest',
+    description: `Upload evidence that all data stores are encrypted at rest -cloud console screenshots showing encryp...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68b5ce9c6c1bdb171870f623: {
+    name: 'Manage Third-party and EU Representative Relationships',
+    description: `Ensure all third-party processors have GDPR-compliant Data Processing Agreements (DPAs) in place. If...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52a484cad0014de7a628f: {
+    name: 'Separation of Environments',
+    description: `Upload proof that dev/test/staging and production are segregated - e.g., a cloud console screenshot ...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68406b4f40c87c12ae0479ce: {
+    name: 'Incident Response',
+    description: `Keep a record of all security incidents and how they were resolved. If there haven't been any, add a...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68c8309516fdbc514404988d: {
+    name: 'Board Meetings & Independence',
+    description: `Submit the most recent board (or management) meeting agenda and minutes covering security topics. In...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc2ce9cb0d2a4774975ace: {
+    name: 'AI MS Roles & Responsibilities Assignment',
+    description: `Define and communicate responsibilities for the AI MS, including who ensures compliance with 42001 r...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_6849aad98c50d734dd904d98: {
+    name: 'Diagramming',
+    description: `Architecture Diagram: Draw a single‑page diagram (Figma, Draw.io, Lucidchart—whatever is fastest)
+
+F...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc2f30b51920e5515465e6: {
+    name: 'AI System Impact Assessment Procedure',
+    description: `Define a process to identify/assess potential consequences of AI system deployment, intended use, an...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc2fa423533e602e4dee25: {
+    name: 'AI Objectives Register',
+    description: `Define measurable AI objectives (aligned to AI Policy and compliance requirements), assign resources...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc301a8fd914534ab95b11: {
+    name: 'AI System Change Log',
+    description: `Maintain a documented log of changes to the AI management system, including model retraining, policy...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc30fbbeabb8a4c2f56082: {
+    name: 'AI MS Resource Allocation Record',
+    description: `Maintain documented evidence of resources allocated for the AI MS, including skills, tools, infrastr...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc395b90e179fe3209b795: {
+    name: 'AI MS Operational Control Procedure',
+    description: `Document and implement an AI Operational Controls procedure defining process criteria, monitoring ef...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc3f427e309607f1ad5ba4: {
+    name: 'AI Risk Treatment Implementation Record',
+    description: `Maintain documented evidence of risk treatment implementation corresponding to the treatment plan. R...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc3ffab3fb703917f51e19: {
+    name: 'AI Impact Assessment Log',
+    description: `Conduct AI system impact assessments at planned intervals or when significant changes occur. Documen...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc4190caf0b458effcee6e: {
+    name: 'AI MS Internal Audit Program',
+    description: `Establish and maintain an internal audit program for the AI MS. Define frequency, methods, auditor r...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc41ad7cbd2839c0bc7104: {
+    name: 'AI Internal Audit Reports',
+    description: `Conduct AI MS audits at planned intervals. Maintain documented evidence of objectives, criteria, sco...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc459ed57b70a4cb631e72: {
+    name: 'AI MS Continual Improvement Log',
+    description: `Maintain a documented continual improvement log for the AI MS. Capture decisions, actions, and imple...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68d28f68f117d45c0adcba33: {
+    name: 'Legal Proof of Company Registration',
+    description: `Upload official proof of legal entity registration—e.g., a certificate of incorporation or governmen...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_68cc39efd7916e240451cae5: {
+    name: 'AI Risk Assessment Execution (Log)',
+    description: `Add AI related Risks to the risk register....`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68dc1a3a9b92bb4ffb89e334: {
+    name: 'Systems Description',
+    description: `Provide a short paragraph giving a description of your app & any architecture around it.
+
+...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68e1d5667f2b14a9b0c2daf8: {
+    name: 'NEN 7510 Risk Assessments',
+    description: `Create and assess risks, in the risk register tab, that identifies and evaluates information‑securit...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_68e1d619944625cc1876540c: {
+    name: 'Management Review Minutes',
+    description: `Prove that top management reviews the performance of the ISMS - including incidents, risks, audits, ...`,
+    department: 'admin',
+    frequency: 'quarterly',
+  },
+  frk_tt_68e52b274a7c38c62db08e80: {
+    name: 'Organisation Chart',
+    description: `Upload a hierarchical organization chart showing reporting lines, with each box including the person...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_684069a3a0dd8322b2ac3f03: {
+    name: 'Employee Descriptions',
+    description: `We need to make sure every employee has a clear job description. Once a year, you'll meet with each ...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_68406cd9dde2d8cd4c463fe0: {
+    name: '2FA',
+    description: `Always enable 2FA/MFA (Two-Factor Authentication/Multi-Factor Authentication) on Google Workspace, t...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68e80544d9734e0402cfa807: {
+    name: 'Role-based Access Controls',
+    description: `Upload proof that access is managed by roles- RBAC matrix and role definitions or use our template:
+...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52b27c4bdbf1b24051b8b: {
+    name: 'Employee Performance Evaluations',
+    description: `Employee Performance Evaluations
+Upload one recent employee performance evaluation (anonymized) - ei...`,
+    department: 'hr',
+    frequency: 'yearly',
+  },
+  frk_tt_68406ca292d9fffb264991b9: {
+    name: 'Employee Access',
+    description: `Ensure you are using an identity provider like Google Workspace and upload a screenshot of a list of...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68e80545a8b432bc59eb8037: {
+    name: 'Incident Response Tabletop Exercise',
+    description: `Upload evidence of a recent incident response tabletop exercise - agenda/scenario, attendee list and...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68e805457c2dcc784e72e3cc: {
+    name: 'Access Review Log',
+    description: `Upload an access review log for key systems -showing review dates, reviewers/owners, users/roles rev...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52b269db179c434734766: {
+    name: 'Backup Restoration Test',
+    description: `Provide evidence of a recent backup restoration test - either share a link to a short screen recordi...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_68e52b26b166e2c0a0d11956: {
+    name: 'Backup logs',
+    description: `Upload backup job logs covering the last 10 consecutive days (all critical systems) - e.g., exported...`,
+    department: 'it',
+    frequency: 'yearly',
+  },
+  frk_tt_6901e040a21d5e8fdc9736e8: {
+    name: 'Building / Workplace Rules',
+    description: `Email or note from your building contact (landlord, building manager, or coworking operator) that in...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_6901e041bb02b41fa3b7dca9: {
+    name: 'Office Access & Door Monitoring',
+    description: `If you use a smart lock/alarm system:
+- Access list (export or simple table): name, role, code/badge...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_6901e0aa49fb834934748c93: {
+    name: 'Visitor Control',
+    description: `Upload a Visitor log sample for a recent week (paper scan or form export).
+Photo of visitor badge/st...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_6901e0aa6d3f2bbab1ea5b84: {
+    name: 'Secure Storage',
+    description: `Physical storage (cabinet/media):
+- Photo of locked cabinet
+- Key-holder list (names/roles)
+- Shredd...`,
+    department: 'admin',
+    frequency: 'yearly',
+  },
+  frk_tt_69033a6bfeb4759be36257bc: {
+    name: 'Infrastructure Inventory',
+    description: `Upload an up-to-date inventory of infrastructure assets—cloud accounts/resources (compute, DBs, stor...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+  frk_tt_68fa2a852e70f757188f0c39: {
+    name: 'Production Firewall & No-Public-Access Controls',
+    description: `Upload proof that production hosts enforce a deny-by-default firewall and that production databases ...`,
+    department: 'itsm',
+    frequency: 'yearly',
+  },
+};
diff --git a/packages/integration-platform/src/types.ts b/packages/integration-platform/src/types.ts
new file mode 100644
index 000000000..f3b56c9b4
--- /dev/null
+++ b/packages/integration-platform/src/types.ts
@@ -0,0 +1,790 @@
+import { z } from 'zod';
+import type { TaskTemplateId } from './task-mappings';
+
+// ============================================================================
+// Auth Strategy Types
+// ============================================================================
+
+export type AuthStrategyType = 'oauth2' | 'api_key' | 'basic' | 'jwt' | 'custom';
+
+export const OAuthConfigSchema = z.object({
+  authorizeUrl: z.string(),
+  tokenUrl: z.string().url(),
+  scopes: z.array(z.string()),
+  pkce: z.boolean().default(false),
+  /** Additional parameters to send during authorization */
+  authorizationParams: z.record(z.string()).optional(),
+  /** Additional parameters to send during token exchange */
+  tokenParams: z.record(z.string()).optional(),
+  /** How to send client credentials: 'body' or 'header' (Basic auth) */
+  clientAuthMethod: z.enum(['body', 'header']).default('body'),
+  /**
+   * Instructions for users/admins to create their own OAuth app
+   * Displayed in admin UI when configuring credentials
+   */
+  setupInstructions: z.string().optional(),
+  /** URL to the provider's OAuth app creation page */
+  createAppUrl: z.string().url().optional(),
+  /**
+   * Whether this provider supports refresh tokens.
+   * If false, tokens are assumed to be long-lived (like GitHub).
+   * Default: true
+   */
+  supportsRefreshToken: z.boolean().default(true),
+  /**
+   * Separate URL for token refresh (if different from tokenUrl).
+   * Most providers use the same tokenUrl for both.
+   */
+  refreshUrl: z.string().url().optional(),
+  /**
+   * Custom settings that admins need to configure alongside client ID/secret.
+   * These are used for provider-specific settings like Vercel's integration slug
+   * or Rippling's app name. The `token` field replaces placeholders in authorizeUrl.
+   */
+  customSettings: z
+    .array(
+      z.object({
+        id: z.string(),
+        label: z.string(),
+        type: z.enum(['text', 'password', 'textarea', 'select', 'combobox']),
+        placeholder: z.string().optional(),
+        helpText: z.string().optional(),
+        required: z.boolean().default(false),
+        options: z.array(z.object({ value: z.string(), label: z.string() })).optional(),
+        /** Token to replace in authorizeUrl (e.g., '{APP_SLUG}') */
+        token: z.string().optional(),
+      }),
+    )
+    .optional(),
+});
+
+export type OAuthConfig = z.infer<typeof OAuthConfigSchema>;
+
+export const ApiKeyConfigSchema = z.object({
+  /** Where to send the API key */
+  in: z.enum(['header', 'query']),
+  /** Header name or query param name */
+  name: z.string(),
+  /** Optional prefix (e.g., "Bearer ", "Token ") */
+  prefix: z.string().optional(),
+});
+
+export type ApiKeyConfig = z.infer<typeof ApiKeyConfigSchema>;
+
+export const BasicAuthConfigSchema = z.object({
+  /** Field name for username in credential form */
+  usernameField: z.string().default('username'),
+  /** Field name for password in credential form */
+  passwordField: z.string().default('password'),
+});
+
+export type BasicAuthConfig = z.infer<typeof BasicAuthConfigSchema>;
+
+export const JwtConfigSchema = z.object({
+  /** JWT issuer claim */
+  issuer: z.string(),
+  /** JWT audience claim */
+  audience: z.string(),
+  /** Algorithm to use */
+  algorithm: z.enum(['RS256', 'HS256', 'ES256']),
+  /** Token expiration in seconds */
+  expiresIn: z.number().default(3600),
+});
+
+export type JwtConfig = z.infer<typeof JwtConfigSchema>;
+
+export const CustomAuthConfigSchema = z.object({
+  /** Description of what the custom auth requires */
+  description: z.string().optional(),
+  /** Credential fields for the custom auth form */
+  credentialFields: z
+    .array(
+      z.object({
+        id: z.string(),
+        label: z.string(),
+        type: z.enum(['text', 'password', 'textarea', 'select', 'combobox', 'number', 'url']),
+        required: z.boolean().default(true),
+        placeholder: z.string().optional(),
+        helpText: z.string().optional(),
+        options: z.array(z.object({ value: z.string(), label: z.string() })).optional(),
+      }),
+    )
+    .optional(),
+  /** Validation schema for credentials (optional, for runtime validation) */
+  validationSchema: z.any().optional(),
+  /** Setup instructions (markdown) */
+  setupInstructions: z.string().optional(),
+});
+
+export type CustomAuthConfig = z.infer<typeof CustomAuthConfigSchema>;
+
+export type AuthStrategy =
+  | { type: 'oauth2'; config: OAuthConfig }
+  | { type: 'api_key'; config: ApiKeyConfig }
+  | { type: 'basic'; config: BasicAuthConfig }
+  | { type: 'jwt'; config: JwtConfig }
+  | { type: 'custom'; config: CustomAuthConfig };
+
+// ============================================================================
+// Credential Field Types (for UI form generation)
+// ============================================================================
+
+export const CredentialFieldSchema = z.object({
+  id: z.string(),
+  label: z.string(),
+  type: z.enum(['text', 'password', 'textarea', 'select', 'combobox', 'number', 'url']),
+  required: z.boolean().default(true),
+  placeholder: z.string().optional(),
+  helpText: z.string().optional(),
+  /** For select type */
+  options: z
+    .array(
+      z.object({
+        value: z.string(),
+        label: z.string(),
+      }),
+    )
+    .optional(),
+  /** Validation pattern (regex string) */
+  pattern: z.string().optional(),
+  /** Default value */
+  defaultValue: z.string().optional(),
+});
+
+export type CredentialField = z.infer<typeof CredentialFieldSchema>;
+
+// ============================================================================
+// Integration Capabilities
+// ============================================================================
+
+export type IntegrationCapability = 'checks' | 'webhook' | 'sync';
+
+export const WebhookConfigSchema = z.object({
+  /** Webhook endpoint path suffix */
+  path: z.string(),
+  /** Events this integration can receive */
+  events: z.array(z.string()),
+  /** Secret header name for HMAC verification */
+  secretHeader: z.string().optional(),
+  /** Algorithm for HMAC verification */
+  signatureAlgorithm: z.enum(['sha256', 'sha1']).optional(),
+});
+
+export type WebhookConfig = z.infer<typeof WebhookConfigSchema>;
+
+// ============================================================================
+// Integration Categories
+// ============================================================================
+
+export type IntegrationCategory =
+  | 'Cloud'
+  | 'Identity & Access'
+  | 'HR & People'
+  | 'Development'
+  | 'Communication'
+  | 'Monitoring'
+  | 'Infrastructure'
+  | 'Security'
+  | 'Productivity';
+
+// ============================================================================
+// Integration Finding (result from sync/checks)
+// ============================================================================
+
+export type FindingSeverity = 'info' | 'low' | 'medium' | 'high' | 'critical';
+export type FindingStatus = 'open' | 'resolved' | 'ignored';
+
+export interface IntegrationFinding {
+  resourceType: string;
+  resourceId: string;
+  title: string;
+  description?: string;
+  severity: FindingSeverity;
+  status?: FindingStatus;
+  remediation?: string;
+  rawPayload?: Record<string, unknown>;
+}
+
+// ============================================================================
+// Check Context (passed to check run functions)
+// ============================================================================
+
+/**
+ * Context object passed to check `run` functions.
+ * Provides helper methods and access to credentials.
+ */
+export interface CheckContext {
+  /** The OAuth access token (for oauth2 auth). Empty for custom auth types like AWS. */
+  accessToken: string;
+
+  /** All credentials as key-value pairs (form fields for custom auth, or token data for OAuth) */
+  credentials: Record<string, string>;
+
+  /** User-configured variables for this integration */
+  variables: CheckVariableValues;
+
+  /** Connection ID */
+  connectionId: string;
+
+  /** Organization ID */
+  organizationId: string;
+
+  /** Connection metadata (e.g., OAuth team/user info from token response) */
+  metadata?: Record<string, unknown>;
+
+  // ==================== Logging ====================
+
+  /** Log an info message */
+  log: (message: string, data?: Record<string, unknown>) => void;
+
+  /** Log a warning */
+  warn: (message: string, data?: Record<string, unknown>) => void;
+
+  /** Log an error */
+  error: (message: string, data?: Record<string, unknown>) => void;
+
+  // ==================== Results (REQUIRED for audit trail) ====================
+
+  /**
+   * Record a passing result with evidence.
+   * REQUIRED: Every resource that passes must be recorded with evidence.
+   *
+   * @example
+   * ctx.pass({
+   *   title: 'Branch protection enabled',
+   *   description: 'Main branch requires 2 approving reviews',
+   *   resourceType: 'repository',
+   *   resourceId: 'org/repo-name',
+   *   evidence: { protection: apiResponse, checkedAt: new Date() },
+   * });
+   */
+  pass: (result: CheckPassingResult) => void;
+
+  /**
+   * Record a failing result (finding) with remediation.
+   * REQUIRED: Include actionable remediation steps.
+   *
+   * @example
+   * ctx.fail({
+   *   title: 'No branch protection',
+   *   description: 'Main branch allows direct pushes',
+   *   resourceType: 'repository',
+   *   resourceId: 'org/repo-name',
+   *   severity: 'high',
+   *   remediation: 'Enable branch protection in Settings > Branches',
+   * });
+   */
+  fail: (finding: CheckFindingResult) => void;
+
+  // Legacy aliases (deprecated, use pass/fail instead)
+  /** @deprecated Use ctx.pass() instead */
+  addPassingResult: (result: {
+    resourceType: string;
+    resourceId: string;
+    title: string;
+    description?: string;
+    evidence?: Record<string, unknown>;
+  }) => void;
+
+  /** @deprecated Use ctx.fail() instead */
+  addFinding: (finding: Omit<IntegrationFinding, 'status'>) => void;
+
+  // ==================== HTTP Helpers ====================
+
+  /**
+   * Make an authenticated GET request
+   * @example
+   * const repos = await ctx.fetch<Repo[]>('/user/repos');
+   */
+  fetch: <T = unknown>(
+    path: string,
+    options?: {
+      baseUrl?: string;
+      headers?: Record<string, string>;
+      params?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  /**
+   * Make an authenticated POST request
+   */
+  post: <T = unknown>(
+    path: string,
+    body?: unknown,
+    options?: {
+      baseUrl?: string;
+      headers?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  /**
+   * Make an authenticated PUT request
+   */
+  put: <T = unknown>(
+    path: string,
+    body?: unknown,
+    options?: {
+      baseUrl?: string;
+      headers?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  /**
+   * Make an authenticated PATCH request
+   */
+  patch: <T = unknown>(
+    path: string,
+    body?: unknown,
+    options?: {
+      baseUrl?: string;
+      headers?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  /**
+   * Make an authenticated DELETE request
+   */
+  delete: <T = unknown>(
+    path: string,
+    options?: {
+      baseUrl?: string;
+      headers?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  /**
+   * Make an authenticated GraphQL request
+   * @example
+   * const result = await ctx.graphql<{ user: User }>(`
+   *   query GetUser($login: String!) {
+   *     user(login: $login) {
+   *       id
+   *       name
+   *     }
+   *   }
+   * `, { login: 'octocat' });
+   */
+  graphql: <T = unknown>(
+    query: string,
+    variables?: Record<string, unknown>,
+    options?: {
+      /** Override the GraphQL endpoint (defaults to baseUrl + '/graphql') */
+      endpoint?: string;
+      headers?: Record<string, string>;
+    },
+  ) => Promise<T>;
+
+  // ==================== Pagination Helpers ====================
+
+  /**
+   * Fetch all pages of a paginated endpoint (page-number based)
+   * @example
+   * const allRepos = await ctx.fetchAllPages<Repo>('/user/repos', { perPage: 100 });
+   */
+  fetchAllPages: <T = unknown>(
+    path: string,
+    options?: {
+      baseUrl?: string;
+      perPage?: number;
+      maxPages?: number;
+      pageParam?: string;
+      perPageParam?: string;
+    },
+  ) => Promise<T[]>;
+
+  /**
+   * Fetch all pages using cursor-based pagination
+   * @example
+   * // Slack-style pagination
+   * const messages = await ctx.fetchWithCursor<Message>('/conversations.history', {
+   *   cursorParam: 'cursor',
+   *   cursorPath: 'response_metadata.next_cursor',
+   *   dataPath: 'messages',
+   * });
+   *
+   * // AWS-style pagination
+   * const instances = await ctx.fetchWithCursor<Instance>('/ec2/instances', {
+   *   cursorParam: 'NextToken',
+   *   cursorPath: 'NextToken',
+   *   dataPath: 'Instances',
+   * });
+   */
+  fetchWithCursor: <T = unknown>(
+    path: string,
+    options?: {
+      baseUrl?: string;
+      /** Query param name for the cursor (e.g., 'cursor', 'NextToken', 'page_token') */
+      cursorParam?: string;
+      /** JSON path to extract next cursor from response (e.g., 'next_cursor', 'response_metadata.next_cursor') */
+      cursorPath?: string;
+      /** JSON path to extract data array from response (e.g., 'data', 'items', 'messages') */
+      dataPath?: string;
+      /** Additional query params to include */
+      params?: Record<string, string>;
+      /** Maximum pages to fetch */
+      maxPages?: number;
+    },
+  ) => Promise<T[]>;
+
+  /**
+   * Fetch all pages using Link header pagination (RFC 5988)
+   * Used by GitHub, GitLab, and other APIs that follow web linking standards.
+   * @example
+   * const allRepos = await ctx.fetchWithLinkHeader<Repo>('/user/repos');
+   * const allIssues = await ctx.fetchWithLinkHeader<Issue>('/repos/owner/repo/issues', {
+   *   params: { state: 'open' }
+   * });
+   */
+  fetchWithLinkHeader: <T = unknown>(
+    path: string,
+    options?: {
+      baseUrl?: string;
+      /** Additional query params to include */
+      params?: Record<string, string>;
+      /** Maximum pages to fetch (default: 100) */
+      maxPages?: number;
+    },
+  ) => Promise<T[]>;
+
+  // ==================== State ====================
+
+  /** Get a value from persistent state (survives between runs) */
+  getState: <T = unknown>(key: string) => Promise<T | null>;
+
+  /** Set a value in persistent state */
+  setState: <T = unknown>(key: string, value: T) => Promise<void>;
+}
+
+// ============================================================================
+// Check Variables (user-configurable inputs)
+// ============================================================================
+
+export type CheckVariableType = 'text' | 'number' | 'boolean' | 'select' | 'multi-select';
+
+/**
+ * A variable that users can configure when setting up an integration.
+ * Variables are collected after OAuth completes and stored on the connection.
+ */
+export interface CheckVariable {
+  /** Unique ID for this variable */
+  id: string;
+
+  /** Display label */
+  label: string;
+
+  /** Input type */
+  type: CheckVariableType;
+
+  /** Whether this variable is required */
+  required?: boolean;
+
+  /** Default value */
+  default?: string | number | boolean | string[];
+
+  /** Help text shown below the input */
+  helpText?: string;
+
+  /** Placeholder text for text/number inputs */
+  placeholder?: string;
+
+  /**
+   * Static options for select/multi-select types.
+   * Use this OR fetchOptions, not both.
+   */
+  options?: Array<{ value: string; label: string }>;
+
+  /**
+   * Fetch options dynamically from the integration API.
+   * Called after OAuth completes to populate select/multi-select options.
+   *
+   * @example
+   * fetchOptions: async (ctx) => {
+   *   const repos = await ctx.fetch<{full_name: string}[]>('/user/repos');
+   *   return repos.map(r => ({ value: r.full_name, label: r.full_name }));
+   * }
+   */
+  fetchOptions?: (ctx: VariableFetchContext) => Promise<Array<{ value: string; label: string }>>;
+}
+
+/**
+ * Minimal context for fetching variable options.
+ * Available after OAuth but before full check context.
+ */
+export interface VariableFetchContext {
+  /** OAuth access token */
+  accessToken: string;
+
+  /** Make an authenticated GET request */
+  fetch: <T = unknown>(path: string) => Promise<T>;
+
+  /** Fetch all pages of a paginated endpoint */
+  fetchAllPages: <T = unknown>(path: string) => Promise<T[]>;
+
+  /** Make a GraphQL request */
+  graphql: <T = unknown>(query: string, variables?: Record<string, unknown>) => Promise<T>;
+}
+
+/**
+ * Resolved variable values stored on the connection.
+ */
+export type CheckVariableValues = Record<string, string | number | boolean | string[] | undefined>;
+
+// ============================================================================
+// Check Output Types (for structured results)
+// ============================================================================
+
+/**
+ * Evidence that proves a check passed or failed.
+ * This is shown to auditors as proof of compliance.
+ */
+export interface CheckEvidence {
+  /** What was checked (e.g., "repository", "user", "policy") */
+  resourceType: string;
+  /** Identifier for the resource (e.g., "org/repo-name") */
+  resourceId: string;
+  /** Raw API response or relevant data snapshot */
+  data: Record<string, unknown>;
+  /** When this evidence was collected */
+  collectedAt?: Date;
+}
+
+/**
+ * A passing result with evidence for auditors.
+ * REQUIRED: Every passing check must provide evidence.
+ */
+export interface CheckPassingResult {
+  /** Short title describing what passed */
+  title: string;
+  /** Detailed explanation of why this passed (shown to auditors) */
+  description: string;
+  /** The resource that was checked */
+  resourceType: string;
+  /** Identifier for the resource */
+  resourceId: string;
+  /** Evidence proving this passed - REQUIRED for audit trail */
+  evidence: Record<string, unknown>;
+}
+
+/**
+ * A finding (issue) discovered during the check.
+ */
+export interface CheckFindingResult {
+  /** Short title describing the issue */
+  title: string;
+  /** Detailed explanation of the issue */
+  description: string;
+  /** The resource that has the issue */
+  resourceType: string;
+  /** Identifier for the resource */
+  resourceId: string;
+  /** Severity of the finding */
+  severity: FindingSeverity;
+  /** How to fix this issue - REQUIRED for actionable findings */
+  remediation: string;
+  /** Additional evidence/context */
+  evidence?: Record<string, unknown>;
+}
+
+// ============================================================================
+// Integration Check Definition
+// ============================================================================
+
+export interface IntegrationCheck {
+  /** Unique ID for this check */
+  id: string;
+
+  /** Human-readable name */
+  name: string;
+
+  /** Description of what this check does */
+  description: string;
+
+  /**
+   * Task template ID this check can auto-complete.
+   * When check passes, linked tasks of this type are marked complete.
+   * Use TASK_TEMPLATES helper for autocomplete.
+   *
+   * @example
+   * import { TASK_TEMPLATES } from '@comp/integration-platform';
+   * taskMapping: TASK_TEMPLATES.codeChanges, // Branch protection
+   * taskMapping: TASK_TEMPLATES.secureCode,  // Dependabot
+   */
+  taskMapping?: TaskTemplateId;
+
+  /** Default severity for findings from this check */
+  defaultSeverity?: FindingSeverity;
+
+  /**
+   * Variables that users configure when setting up this integration.
+   * Collected after OAuth completes and stored on the connection.
+   *
+   * @example
+   * variables: [
+   *   {
+   *     id: 'target_repos',
+   *     label: 'Repositories to monitor',
+   *     type: 'multi-select',
+   *     required: false,
+   *     helpText: 'Leave empty to check all repositories',
+   *     fetchOptions: async (ctx) => {
+   *       const repos = await ctx.fetch<{full_name: string}[]>('/user/repos');
+   *       return repos.map(r => ({ value: r.full_name, label: r.full_name }));
+   *     },
+   *   },
+   * ]
+   */
+  variables?: CheckVariable[];
+
+  /**
+   * The check implementation.
+   *
+   * REQUIREMENTS for check authors:
+   * 1. Use ctx.log() to document what you're checking (for audit trail)
+   * 2. Call ctx.pass() for each resource that passes with evidence
+   * 3. Call ctx.fail() for each resource that fails with remediation
+   *
+   * @example
+   * run: async (ctx) => {
+   *   ctx.log('Fetching repositories to check');
+   *   const repos = await ctx.fetchAllPages('/user/repos');
+   *   ctx.log(`Checking ${repos.length} repositories`);
+   *
+   *   for (const repo of repos) {
+   *     try {
+   *       const protection = await ctx.fetch(`/repos/${repo.full_name}/branches/main/protection`);
+   *
+   *       // PASS: Include evidence for auditors
+   *       ctx.pass({
+   *         title: `Branch protection enabled on ${repo.name}`,
+   *         description: 'Main branch requires PR reviews before merging',
+   *         resourceType: 'repository',
+   *         resourceId: repo.full_name,
+   *         evidence: { protection, checkedAt: new Date().toISOString() },
+   *       });
+   *     } catch {
+   *       // FAIL: Include remediation steps
+   *       ctx.fail({
+   *         title: `No branch protection on ${repo.name}`,
+   *         description: 'Main branch has no protection rules',
+   *         resourceType: 'repository',
+   *         resourceId: repo.full_name,
+   *         severity: 'high',
+   *         remediation: 'Go to Settings > Branches > Add rule for "main"',
+   *       });
+   *     }
+   *   }
+   * }
+   */
+  run: (ctx: CheckContext) => Promise<void>;
+}
+
+// ============================================================================
+// Integration Handler (for webhook processing)
+// ============================================================================
+
+export interface IntegrationCredentials {
+  [key: string]: string | undefined;
+}
+
+export interface IntegrationHandler {
+  /** Test if credentials are valid */
+  testConnection?: (credentials: IntegrationCredentials) => Promise<boolean>;
+
+  /** Process incoming webhook */
+  handleWebhook?: (
+    payload: unknown,
+    headers: Record<string, string>,
+  ) => Promise<IntegrationFinding[]>;
+}
+
+// ============================================================================
+// Integration Manifest (the main contract)
+// ============================================================================
+
+export interface IntegrationManifest {
+  /** Unique identifier (e.g., "github", "slack") */
+  id: string;
+
+  /** Display name */
+  name: string;
+
+  /** Short description for catalog */
+  description: string;
+
+  /** Category for grouping */
+  category: IntegrationCategory;
+
+  /** Logo URL (use logo.dev, e.g., 'https://img.logo.dev/github.com?token=pk_AZatYxV5QDSfWpRDaBxzRQ') */
+  logoUrl: string;
+
+  /** URL to documentation */
+  docsUrl?: string;
+
+  /** Authentication strategy */
+  auth: AuthStrategy;
+
+  /** Base URL for API requests (used by ctx.fetch) */
+  baseUrl?: string;
+
+  /** Default headers to include in API requests */
+  defaultHeaders?: Record<string, string>;
+
+  /** Additional credential fields (beyond what auth strategy provides) */
+  credentialFields?: CredentialField[];
+
+  /** Capabilities this integration supports */
+  capabilities: IntegrationCapability[];
+
+  /**
+   * Compliance checks this integration can run.
+   * Each check can auto-complete linked tasks when passing.
+   * Checks run daily via a scheduled Trigger.dev task.
+   */
+  checks?: IntegrationCheck[];
+
+  /** Webhook configuration (optional) */
+  webhook?: WebhookConfig;
+
+  /** Runtime handler for webhooks */
+  handler?: IntegrationHandler;
+
+  /** Whether this integration is active/available */
+  isActive: boolean;
+}
+
+// ============================================================================
+// Connection & Run Types (for persistence layer)
+// ============================================================================
+
+export type ConnectionStatus = 'pending' | 'active' | 'error' | 'paused' | 'disconnected';
+
+export type RunStatus = 'pending' | 'running' | 'success' | 'failed' | 'cancelled';
+
+export type RunJobType = 'full_sync' | 'delta_sync' | 'webhook' | 'manual';
+
+// ============================================================================
+// Registry Types
+// ============================================================================
+
+export interface IntegrationRegistry {
+  /** Get manifest by ID */
+  getManifest(id: string): IntegrationManifest | undefined;
+
+  /** Get all manifests */
+  getAllManifests(): IntegrationManifest[];
+
+  /** Get manifests by category */
+  getByCategory(category: IntegrationCategory): IntegrationManifest[];
+
+  /** Get active manifests only */
+  getActiveManifests(): IntegrationManifest[];
+
+  /** Check if integration requires OAuth */
+  requiresOAuth(id: string): boolean;
+
+  /** Get auth strategy for integration */
+  getAuthStrategy(id: string): AuthStrategy | undefined;
+
+  /** Get handler for integration */
+  getHandler(id: string): IntegrationHandler | undefined;
+}
diff --git a/packages/integration-platform/src/validators/manifest-validator.ts b/packages/integration-platform/src/validators/manifest-validator.ts
new file mode 100644
index 000000000..6bc4d949d
--- /dev/null
+++ b/packages/integration-platform/src/validators/manifest-validator.ts
@@ -0,0 +1,156 @@
+#!/usr/bin/env bun
+/**
+ * Manifest Validator CLI
+ *
+ * Validates all integration manifests in the registry.
+ * Run with: bun run src/validators/manifest-validator.ts
+ */
+
+import { registry } from '../registry';
+import type { IntegrationManifest } from '../types';
+
+interface ValidationResult {
+  id: string;
+  valid: boolean;
+  errors: string[];
+  warnings: string[];
+}
+
+function validateManifest(manifest: IntegrationManifest): ValidationResult {
+  const errors: string[] = [];
+  const warnings: string[] = [];
+
+  // Required fields
+  if (!manifest.id) errors.push('Missing required field: id');
+  if (!manifest.name) errors.push('Missing required field: name');
+  if (!manifest.description) errors.push('Missing required field: description');
+  if (!manifest.category) errors.push('Missing required field: category');
+  if (!manifest.logoUrl) errors.push('Missing required field: logoUrl');
+  if (!manifest.auth) errors.push('Missing required field: auth');
+
+  // ID format
+  if (manifest.id && !/^[a-z][a-z0-9-]*$/.test(manifest.id)) {
+    errors.push('ID must be lowercase alphanumeric with hyphens, starting with a letter');
+  }
+
+  // Auth validation
+  if (manifest.auth) {
+    switch (manifest.auth.type) {
+      case 'oauth2': {
+        const config = manifest.auth.config;
+        if (!config.authorizeUrl) errors.push('OAuth2: Missing authorizeUrl');
+        if (!config.tokenUrl) errors.push('OAuth2: Missing tokenUrl');
+        if (!config.scopes || config.scopes.length === 0) {
+          warnings.push('OAuth2: No scopes defined');
+        }
+        if (!config.setupInstructions) {
+          warnings.push('OAuth2: Consider adding setupInstructions for admins');
+        }
+        break;
+      }
+      case 'api_key': {
+        const config = manifest.auth.config;
+        if (!config.in) errors.push('API Key: Missing "in" field (header or query)');
+        if (!config.name) errors.push('API Key: Missing "name" field');
+        break;
+      }
+      case 'basic': {
+        // Basic auth has sensible defaults
+        break;
+      }
+      case 'jwt': {
+        const config = manifest.auth.config;
+        if (!config.issuer) errors.push('JWT: Missing issuer');
+        if (!config.audience) errors.push('JWT: Missing audience');
+        if (!config.algorithm) errors.push('JWT: Missing algorithm');
+        break;
+      }
+    }
+  }
+
+  // Capabilities validation
+  if (!manifest.capabilities || manifest.capabilities.length === 0) {
+    errors.push('Must have at least one capability');
+  }
+
+  // Checks validation
+  if (manifest.capabilities?.includes('checks')) {
+    if (!manifest.checks || manifest.checks.length === 0) {
+      warnings.push('Has checks capability but no checks defined');
+    } else {
+      // Validate each check
+      for (const check of manifest.checks) {
+        if (!check.id) errors.push(`Check missing id`);
+        if (!check.name) errors.push(`Check ${check.id}: missing name`);
+        if (!check.description) warnings.push(`Check ${check.id}: missing description`);
+        if (!check.run) errors.push(`Check ${check.id}: missing run function`);
+        if (!check.taskMapping) {
+          warnings.push(`Check ${check.id}: no taskMapping - won't auto-complete tasks`);
+        }
+      }
+    }
+  }
+
+  // Webhook config validation
+  if (manifest.capabilities?.includes('webhook') && !manifest.webhook) {
+    warnings.push('Has webhook capability but no webhook config defined');
+  }
+
+  // Inactive warning
+  if (!manifest.isActive) {
+    warnings.push('Integration is marked as inactive');
+  }
+
+  return {
+    id: manifest.id || 'unknown',
+    valid: errors.length === 0,
+    errors,
+    warnings,
+  };
+}
+
+function main() {
+  console.log('🔍 Validating integration manifests...\n');
+
+  const manifests = registry.getAllManifests();
+  const results: ValidationResult[] = [];
+
+  for (const manifest of manifests) {
+    results.push(validateManifest(manifest));
+  }
+
+  let hasErrors = false;
+
+  for (const result of results) {
+    const status = result.valid ? '✅' : '❌';
+    console.log(`${status} ${result.id}`);
+
+    if (result.errors.length > 0) {
+      hasErrors = true;
+      for (const error of result.errors) {
+        console.log(`   ❌ ERROR: ${error}`);
+      }
+    }
+
+    if (result.warnings.length > 0) {
+      for (const warning of result.warnings) {
+        console.log(`   ⚠️  WARNING: ${warning}`);
+      }
+    }
+  }
+
+  console.log('\n' + '='.repeat(50));
+  console.log(`Total: ${manifests.length} manifests`);
+  console.log(`Valid: ${results.filter((r) => r.valid).length}`);
+  console.log(`Invalid: ${results.filter((r) => !r.valid).length}`);
+
+  if (hasErrors) {
+    console.log('\n❌ Validation failed');
+    process.exit(1);
+  } else {
+    console.log('\n✅ All manifests valid');
+    process.exit(0);
+  }
+}
+
+main();
diff --git a/packages/integration-platform/tsconfig.json b/packages/integration-platform/tsconfig.json
new file mode 100644
index 000000000..d10592765
--- /dev/null
+++ b/packages/integration-platform/tsconfig.json
@@ -0,0 +1,20 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "lib": ["ES2022", "DOM"],
+    "module": "CommonJS",
+    "moduleResolution": "node",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "declaration": true,
+    "declarationMap": true,
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "jsx": "react-jsx",
+    "jsxImportSource": "react",
+    "resolveJsonModule": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}
diff --git a/packages/ui/src/components/badge.tsx b/packages/ui/src/components/badge.tsx
index 34b858c18..dae14a069 100644
--- a/packages/ui/src/components/badge.tsx
+++ b/packages/ui/src/components/badge.tsx
@@ -16,7 +16,8 @@ const badgeVariants = cva(
         tag: 'font-mono text-muted-foreground bg-accent text-[10px] dark:bg-accent border-none rounded-sm hover:bg-accent/70',
         marketing:
           "flex items-center opacity-80 px-3 font-mono gap-2 whitespace-nowrap border border bg-primary/10 text-primary hover:bg-primary/5 before:content-[''] before:absolute before:left-0 before:top-0 before:bottom-0 before:w-0.5 before:bg-primary",
-        warning: 'border-transparent bg-warning hover:bg-warning/80',
+        warning: 'border-transparent bg-warning text-white hover:bg-warning/80',
+        success: 'border-transparent bg-green-600 text-white hover:bg-green-600/80 dark:bg-green-600 dark:text-white',
       },
     },
     defaultVariants: {
diff --git a/packages/ui/src/globals.css b/packages/ui/src/globals.css
index a7d85bcc0..4c53e9662 100644
--- a/packages/ui/src/globals.css
+++ b/packages/ui/src/globals.css
@@ -19,6 +19,8 @@
     --accent-foreground: 0 0% 9%;
     --destructive: 0 84.2% 60.2%;
     --destructive-foreground: 0 0% 98%;
+    --warning: 45 93% 47%;
+    --warning-foreground: 26 83% 14%;
     --border: 0 0% 89.8%;
     --input: 0 0% 89.8%;
     --ring: 165 100% 15%;
@@ -55,6 +57,8 @@
     --accent-foreground: 0 0% 9%;
     --destructive: 0 84.2% 60.2%;
     --destructive-foreground: 0 0% 98%;
+    --warning: 45 93% 47%;
+    --warning-foreground: 26 83% 14%;
     --border: 0 0% 89.8%;
     --input: 0 0% 89.8%;
     --ring: 165 100% 15%;