Built for the way analysts actually work.

A multi-agent pipeline turns your question into a query. The schema selector picks the minimum set of tables and fields; the planner (Opus 4.7 with adaptive thinking) writes the SQL; the validator gates it through deterministic and semantic checks; the executor runs it; the interpreter picks the right chart.

• Multi-agent pipeline: schema selector → planner → validator → executor → interpreter
• Auto-replans on validation failure (up to 2 retries)
• Plan is returned with every answer so users can audit how it was produced
• KPI / line / bar / pie / table picked by result shape

After you scope an integration, AnalystIQ samples rows and prompts Claude to produce a semantic layer: 'revenue_cents is currency in cents', 'this table joins to users on user_id_str', 'common question: monthly active users last 90 days'. You edit anything; your edits ride on top of every regenerated draft.

• Auto-drafted on first scope save
• Per-column semantic types beyond raw SQL types
• Suggested join paths between tables
• Versioned — re-introspection preserves your edits as patches
• Example questions surfaced as quick-start prompts

Most teams ask the same handful of questions every week. Save a query, set a refresh cadence (hourly / daily / weekly), and AnalystIQ runs it on schedule. Delivery goes to a Slack channel, an email digest, or both. Optionally: only notify when the result meaningfully changes.

• Save any query with a name and tags
• Hourly / daily / weekly / cron schedules
• Slack channel or email delivery
• Change-detection: only ping on meaningful deltas
• Personal vs shared (org-wide) saves

Categories are sidebar-navigated, names + descriptions are searchable, and every connector carries connection-method tags (Credentials, OAuth, MCP). The catalog itself lives in the database so adding a provider is an admin action, not a code deploy.

• Live mosaic on the home page + filterable directory inside the app
• Search across name, description, provider id
• Connection-method tags: Credentials / OAuth / MCP
• DB-backed — new providers ship by DB write

Every connector ships with scope=nothing by default. You opt in to specific tables and specific fields per table. The scope is re-checked at three points (metadata, planner, validator) so even if the LLM hallucinated a different table name, the request is rejected.

• Default-deny — nothing accessible until you pick
• Per-field selection with partial / full table modes
• Re-checked at metadata, planner, and validator layers
• Scope changes invalidate cached query results

REST/OAuth adapters share the same form-spec and connector-registry pattern as the SQL providers. Auth flow handles token refresh; per-provider API clients translate query plans into provider API calls.

• OAuth start → consent → callback → encrypted token storage
• Token refresh handled by the orchestration layer
• Per-provider adapter implements introspect / sample / execute
• Same scope picker UX as SQL connectors

Roles are enforced at every protected route through a `require_membership` dependency with a minimum-role argument. Authentication is JWT-based with httpOnly cookies; access tokens are short-lived with refresh-token rotation (in flight).

• Four roles with strict ordering: viewer < analyst < admin < owner
• Per-route minimum-role enforcement
• JWT access + refresh tokens via httpOnly cookies
• Org-scoped — every Algoscale-owned row carries org_id

A `/app/settings/members` page lists every member with their role and last activity. Owners and admins can invite by email (with a role at invite time), change a member's role, transfer ownership, or revoke access.

• Email invites with role pre-selected
• Member list with last-active timestamp
• Role picker (owner / admin / analyst / viewer)
• Transfer ownership flow
• Revoke access without deleting historical activity

Plans live in the DB. Subscribe runs through Stripe Checkout; the customer portal handles payment methods, plan changes, and cancellations. Webhooks keep the local subscription state in sync. Manual-billing mode is a per-org flag flipped by superadmins.

• Stripe Checkout for self-serve subscriptions
• Stripe Customer Portal for billing changes
• Webhook-driven subscription sync
• Manual billing mode for enterprise (per-org flag)
• metadata.app=analystiq tagging for shared-account isolation

Drawn from query_history. Users see their own usage against plan limits in `/app/billing`. Superadmins see per-org rollups in `/app/admin`. Foundation for usage-based billing tiers when those land.

• Queries this month vs plan cap
• Token spend (Claude input + output + cache hits) per org
• Active integrations + recent query mix
• p50 / p95 query latency over time
• Exportable as CSV for finance

Long-lived API keys scoped to a workspace. Same pipeline, same scope enforcement, same plan/visualization output. Useful for embedding answers in internal tools, dashboards, or scheduled jobs that want to ask AnalystIQ instead of writing SQL.

• Workspace-scoped API keys with rotate / revoke
• POST /v1/ask with question + integration_id
• Same response shape as the UI — columns, rows, plan, viz hint
• Per-key rate limit + usage attribution
• OpenAPI spec for easy client generation

Heavy work happens out-of-band. Metadata generation kicks off after scope save. OAuth tokens refresh before they expire. Saved queries fire on their schedules. Stripe and other webhooks dispatch through a queue with retries.

• Celery worker pool with Redis broker
• Cron-style schedules per saved query
• Per-job retry with exponential backoff
• Dead-letter queue for failed runs