@agent-team-foundation/first-tree-hub 0.14.5 → 0.14.6

package/dist/drizzle/0026_saas_onboarding.sql

@@ -1,153 +0,0 @@
--- SaaS onboarding milestone — adds the data-model surface needed for
--- public GitHub-OAuth signup, per-org invitation links, and "leave team"
--- soft-delete. See proposals/hub-saas-onboarding.20260428.md for the full
--- design contract.
---
--- Three independent additions, no destructive changes to existing tables:
---
---   1. `auth_identities` — third-party / local auth identities for a user.
---      Models the "how does this user prove who they are" boundary.
---      `(provider, identifier)` is globally unique. v1 stores the credential
---      payload (password hash, webauthn pubkey) on the same row;
---      v2 splits it into `auth_credentials` if multi-factor is needed
---      (the migration is sketched in the schema file's header comment).
---
---   2. `invitations` + `invitation_redemptions` — org-level share links.
---      The "one active link per org" rule is enforced by a partial UNIQUE
---      index (Drizzle's TS DSL doesn't model partial uniques yet, so we
---      add it directly here). Rotation = revoke prior + insert new in a
---      single transaction. Redemptions are recorded for audit.
---
---   3. `members.status` — "active" | "left" soft-delete marker for the
---      "leave team" flow. Existing rows backfill to "active" via the
---      column DEFAULT. The auth middleware rejects tokens that resolve to
---      a "left" member; join-by-invite flips a "left" row back to "active".
---
--- All three changes are append-only (new tables + new column with DEFAULT).
--- ALTER TABLE on `members` takes a brief ACCESS EXCLUSIVE lock, which is
--- safe on a v1 SaaS members table (small) but should be benchmarked on a
--- large multi-tenant install before rolling.
---
--- See 0020_unified_user_token.sql header for why this file does NOT wrap in
--- BEGIN;/COMMIT; — Drizzle migrator already runs every pending migration
--- inside a single outer transaction.
-
--- ---------------------------------------------------------------------------
--- 1. auth_identities
--- ---------------------------------------------------------------------------
-CREATE TABLE IF NOT EXISTS "auth_identities" (
-	"id"                  text PRIMARY KEY NOT NULL,
-	"user_id"             text NOT NULL,
-	"provider"            text NOT NULL,
-	"identifier"          text NOT NULL,
-	"email"               text,
-	"verified_at"         timestamp with time zone,
-	"credential_type"     text,
-	"credential_payload"  jsonb,
-	"metadata"            jsonb DEFAULT '{}'::jsonb NOT NULL,
-	"created_at"          timestamp with time zone DEFAULT now() NOT NULL,
-	"updated_at"          timestamp with time zone DEFAULT now() NOT NULL,
-	CONSTRAINT "uq_auth_identities_provider_identifier" UNIQUE ("provider", "identifier")
-);
-
---> statement-breakpoint
-ALTER TABLE "auth_identities"
-	ADD CONSTRAINT "auth_identities_user_id_users_id_fk"
-	FOREIGN KEY ("user_id") REFERENCES "users"("id")
-	ON DELETE cascade ON UPDATE no action;
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_auth_identities_user" ON "auth_identities" ("user_id");
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_auth_identities_email" ON "auth_identities" ("email");
-
--- ---------------------------------------------------------------------------
--- 2. invitations + invitation_redemptions
--- ---------------------------------------------------------------------------
---> statement-breakpoint
-CREATE TABLE IF NOT EXISTS "invitations" (
-	"id"               text PRIMARY KEY NOT NULL,
-	"organization_id"  text NOT NULL,
-	"token"            text NOT NULL UNIQUE,
-	"role"             text DEFAULT 'member' NOT NULL,
-	"expires_at"       timestamp with time zone,
-	"revoked_at"       timestamp with time zone,
-	"created_by"       text NOT NULL,
-	"created_at"       timestamp with time zone DEFAULT now() NOT NULL
-);
-
---> statement-breakpoint
-ALTER TABLE "invitations"
-	ADD CONSTRAINT "invitations_organization_id_organizations_id_fk"
-	FOREIGN KEY ("organization_id") REFERENCES "organizations"("id")
-	ON DELETE cascade ON UPDATE no action;
---> statement-breakpoint
-ALTER TABLE "invitations"
-	ADD CONSTRAINT "invitations_created_by_users_id_fk"
-	FOREIGN KEY ("created_by") REFERENCES "users"("id")
-	ON DELETE no action ON UPDATE no action;
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_invitations_token" ON "invitations" ("token");
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_invitations_org" ON "invitations" ("organization_id");
-
---> statement-breakpoint
--- v1 enforced rule: each org may have at most one non-revoked invitation.
--- The predicate is intentionally `revoked_at IS NULL` only — Postgres rejects
--- `now()` in an index predicate (must be IMMUTABLE), and conflating "expired"
--- with "no longer the active link" matches the v1 service contract anyway.
--- The runtime "is this still usable" filter (which DOES check `expires_at`)
--- lives in services/invitation.ts. Future "multiple links per org" relaxes by
--- dropping this index.
-CREATE UNIQUE INDEX IF NOT EXISTS "uq_invitations_active_per_org"
-	ON "invitations" ("organization_id")
-	WHERE "revoked_at" IS NULL;
-
---> statement-breakpoint
-CREATE TABLE IF NOT EXISTS "invitation_redemptions" (
-	"id"             text PRIMARY KEY NOT NULL,
-	"invitation_id"  text NOT NULL,
-	"user_id"        text NOT NULL,
-	"redeemed_at"    timestamp with time zone DEFAULT now() NOT NULL,
-	"ip"             text,
-	"user_agent"     text
-);
-
---> statement-breakpoint
-ALTER TABLE "invitation_redemptions"
-	ADD CONSTRAINT "invitation_redemptions_invitation_id_invitations_id_fk"
-	FOREIGN KEY ("invitation_id") REFERENCES "invitations"("id")
-	ON DELETE cascade ON UPDATE no action;
---> statement-breakpoint
-ALTER TABLE "invitation_redemptions"
-	ADD CONSTRAINT "invitation_redemptions_user_id_users_id_fk"
-	FOREIGN KEY ("user_id") REFERENCES "users"("id")
-	ON DELETE cascade ON UPDATE no action;
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_invitation_redemptions_invitation"
-	ON "invitation_redemptions" ("invitation_id");
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_invitation_redemptions_user"
-	ON "invitation_redemptions" ("user_id");
-
--- ---------------------------------------------------------------------------
--- 3. members.status — soft-delete marker for "leave team"
--- ---------------------------------------------------------------------------
---
--- No partial index on `status='active'` is created in v1. Filter sites are:
---   - middleware/member-auth.ts: lookup by members.id (already PK-indexed)
---   - services/auth.ts (password login): WHERE user_id = ? AND status='active'
---   - services/membership.ts (listActiveMemberships): same filter
--- The existing `idx_members_user (user_id)` already collapses each user's
--- members rows to ~1-5 typical, so the in-page status check is essentially
--- free at the v1 SaaS scale (low six-digit users × low single-digit teams).
--- A partial unique-eligible index becomes worth adding when:
---   - members > ~100k rows AND
---   - average rows-per-user > ~50
--- whichever comes first. At that point the migration is a single
--- `CREATE INDEX CONCURRENTLY ... WHERE status='active'`.
---> statement-breakpoint
-ALTER TABLE "members"
-	ADD COLUMN IF NOT EXISTS "status" text DEFAULT 'active' NOT NULL;

package/dist/drizzle/0027_runtime_provider.sql

@@ -1,10 +0,0 @@
--- Add runtime_provider to agents.
---
--- Tags each agent with the runtime that drives it (e.g. "claude-code", "codex").
--- DEFAULT 'claude-code' backfills every existing row so the NOT NULL constraint
--- is safe to land in a single step. Hub deploys are stop-migrate-restart, not
--- rolling, so we don't need a two-phase add (nullable → backfill → not null).
---
--- Capabilities reporting reuses the existing `clients.metadata` jsonb column
--- under the `capabilities` subkey (Option C); no SQL change for clients.
-ALTER TABLE "agents" ADD COLUMN "runtime_provider" text DEFAULT 'claude-code' NOT NULL;

package/dist/drizzle/0028_auth_identity_user_github_unique.sql

@@ -1,12 +0,0 @@
--- Partial unique index: each user can hold at most one github identity.
---
--- Defense-in-depth. The (provider, identifier) UNIQUE catches duplicates
--- of the SAME githubId, but does not stop a single user from collecting
--- multiple DIFFERENT githubIds (e.g. a future "merge accounts" or
--- "rebind" flow that misfires, or a one-off SQL migration that errs).
--- This index makes any such double-bind fail atomically with a
--- unique-violation at the storage layer.
-
-CREATE UNIQUE INDEX IF NOT EXISTS "uq_auth_identities_user_github"
-  ON "auth_identities" ("user_id")
-  WHERE "provider" = 'github';

package/dist/drizzle/0029_direct_agent_only_mention_only.sql

@@ -1,28 +0,0 @@
--- Backfill: in any direct chat with no human participant, flip both agents to
--- `mention_only`. New direct chats created by `findOrCreateDirectChat` and
--- `createChat` already encode this rule at insert time; this migration patches
--- chats created before the rule existed.
---
--- Why: `full` mode in agent↔agent direct chats causes a reply loop. Every
--- message wakes the other party unconditionally, so a courtesy "thanks" or
--- a duplicated "已回复" tool echo gets treated as a fresh prompt and the two
--- agents chat forever. `mention_only` makes engagement opt-in via `@` so
--- conversations naturally end. Human↔agent direct stays `full` because in a
--- 1:1 with a person the agent must respond on every turn — the human
--- participant is what flips the rule off.
---
--- Group chats are intentionally untouched. Existing rule
--- (`maybeUpgradeDirectToGroup`) already enforces mention_only for non-human
--- participants there.
-
-UPDATE "chat_participants"
-SET "mode" = 'mention_only'
-WHERE "chat_id" IN (
-	SELECT c."id" FROM "chats" c
-	WHERE c."type" = 'direct'
-	  AND NOT EXISTS (
-	    SELECT 1 FROM "chat_participants" cp
-	    INNER JOIN "agents" a ON a."uuid" = cp."agent_id"
-	    WHERE cp."chat_id" = c."id" AND a."type" = 'human'
-	  )
-);

package/dist/drizzle/0030_chat_first_workspace.sql

@@ -1,129 +0,0 @@
--- Chat-first workspace foundation. See docs/chat-first-workspace-product-design.md
--- for the contract this migration implements.
---
--- Three structural changes + one data backfill:
---   1. chats: add last_message_at + last_message_preview projection columns
---      and (organization_id, last_message_at DESC) index. Powers GET /me/chats
---      cursor pagination + sort.
---   2. chat_participants: add last_read_at + unread_mention_count columns.
---      The chat-first workspace per-user read cursor and red-dot counter
---      live with the participation row that owns them; no separate read-state
---      table.
---   3. chat_subscriptions (NEW): non-speaking observers ("watchers"). Stays
---      strictly disjoint from chat_participants — invariant 1 in the design.
---      ON DELETE CASCADE so dropping a chat tears down its watchers too.
---   4. Backfill (single statement each):
---      - chats projection from messages, using DISTINCT ON to avoid the
---        per-row correlated subquery that would lock messages for minutes
---        on large tables.
---      - chat_subscriptions for every active manager whose managed non-human
---        agent already participates in a chat the manager themselves does
---        not speak in. Exactly the rows recomputeChatWatchers would create
---        on first run, but in one bulk INSERT.
---
--- chat_participants.last_read_at + unread_mention_count default to NULL/0,
--- which is the desired "treat all existing chats as already read" behavior
--- on the workspace upgrade.
-
-ALTER TABLE "chats"
-  ADD COLUMN IF NOT EXISTS "last_message_at" timestamp with time zone,
-  ADD COLUMN IF NOT EXISTS "last_message_preview" text;
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_chats_org_last_message"
-  ON "chats" ("organization_id", "last_message_at" DESC);
-
---> statement-breakpoint
-ALTER TABLE "chat_participants"
-  ADD COLUMN IF NOT EXISTS "last_read_at" timestamp with time zone,
-  ADD COLUMN IF NOT EXISTS "unread_mention_count" integer NOT NULL DEFAULT 0;
-
---> statement-breakpoint
-CREATE TABLE IF NOT EXISTS "chat_subscriptions" (
-  "chat_id" text NOT NULL,
-  "agent_id" text NOT NULL,
-  "kind" text NOT NULL DEFAULT 'watching',
-  "last_read_at" timestamp with time zone,
-  "unread_mention_count" integer NOT NULL DEFAULT 0,
-  "created_at" timestamp with time zone NOT NULL DEFAULT now(),
-  CONSTRAINT "chat_subscriptions_chat_id_fkey"
-    FOREIGN KEY ("chat_id") REFERENCES "chats"("id") ON DELETE CASCADE,
-  -- Intentionally NO ON DELETE clause on the agent FK. `services/agent.ts:
-  -- deleteAgent` is soft-only (UPDATE status='deleted', name=NULL — never
-  -- DELETE), so the row stays. Adding CASCADE would be dead code today and
-  -- silently legitimise a future hard-delete path; default RESTRICT instead
-  -- pins the soft-delete convention at the schema layer — any future caller
-  -- that tries a hard DELETE FROM agents will be forced to clean up
-  -- subscriptions explicitly. (asymmetry with chat_id FK is intentional —
-  -- chats can be hard-deleted by admin, agents cannot.)
-  CONSTRAINT "chat_subscriptions_agent_id_fkey"
-    FOREIGN KEY ("agent_id") REFERENCES "agents"("uuid"),
-  CONSTRAINT "chat_subscriptions_pkey"
-    PRIMARY KEY ("chat_id", "agent_id")
-);
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_chat_subscriptions_agent"
-  ON "chat_subscriptions" ("agent_id");
-
---> statement-breakpoint
--- Backfill projection: one INSERT-shaped UPDATE driven by a DISTINCT ON
--- subquery so messages is touched once. Avoids the correlated subquery
--- variant that runs two scans per chat row.
---
--- Preview must match `chat-projection.ts:applyAfterFanOut`'s live-write
--- semantics: a clean unquoted string for text messages, NULL for
--- structured content (file / image / etc.). `content::text` would
--- serialize JSONB to wire form (with quotes for strings, `{...}` for
--- objects), producing visible inconsistency between backfilled and
--- live-written rows. `jsonb_typeof` + `#>> '{}'` extracts the bare
--- string only when content is a JSON string; otherwise NULL (B3 in
--- PR review). `trim()` mirrors `outboundContent.trim()` in
--- `chat-projection.ts:applyAfterFanOut` so leading whitespace doesn't
--- visually jump on the first live overwrite.
-WITH last_msg AS (
-  SELECT DISTINCT ON ("chat_id")
-    "chat_id",
-    "created_at",
-    CASE
-      WHEN jsonb_typeof("content") = 'string'
-        THEN LEFT(trim("content" #>> '{}'), 200)
-      ELSE NULL
-    END AS "preview"
-  FROM "messages"
-  ORDER BY "chat_id", "created_at" DESC
-)
-UPDATE "chats" c
-   SET "last_message_at" = lm."created_at",
-       "last_message_preview" = lm."preview"
-  FROM last_msg lm
- WHERE c."id" = lm."chat_id";
-
---> statement-breakpoint
--- Watcher backfill: every active member whose managed (non-human) agent
--- participates in a chat where the member's own human agent is NOT a
--- speaking participant. Idempotent via ON CONFLICT.
---
--- The explicit NULL casts are required: PostgreSQL infers a bare NULL in a
--- VALUES/SELECT list as `text`, which then fails to coerce to the target
--- columns (timestamptz / integer respectively).
-INSERT INTO "chat_subscriptions"
-  ("chat_id", "agent_id", "kind", "last_read_at", "unread_mention_count", "created_at")
-SELECT DISTINCT
-       cp."chat_id",
-       m."agent_id",
-       'watching',
-       NULL::timestamp with time zone,
-       0,
-       now()
-  FROM "chat_participants" cp
-  JOIN "agents"  a ON a."uuid" = cp."agent_id"
-  JOIN "members" m ON m."id"   = a."manager_id"
- WHERE m."status" = 'active'
-   AND a."type" <> 'human'
-   AND NOT EXISTS (
-     SELECT 1 FROM "chat_participants" cp2
-      WHERE cp2."chat_id" = cp."chat_id"
-        AND cp2."agent_id" = m."agent_id"
-   )
-ON CONFLICT ("chat_id", "agent_id") DO NOTHING;

package/dist/drizzle/0031_drop_system_configs.sql

@@ -1,11 +0,0 @@
--- Drop the `system_configs` table — replaced by deployment-level env
--- vars (FIRST_TREE_HUB_INBOX_TIMEOUT_SECONDS, FIRST_TREE_HUB_MAX_RETRY_COUNT,
--- FIRST_TREE_HUB_POLLING_INTERVAL_SECONDS, FIRST_TREE_HUB_PRESENCE_CLEANUP_SECONDS,
--- FIRST_TREE_HUB_NOTIFICATION_WEBHOOK_URL).
---
--- See proposals/hub-strip-jwt-ambient-scope.20260508.md §3.5 + §6.3.
--- The table held tunables that were never customer-configurable; promoting
--- them to env vars closes the multi-tenant security gap where any org admin
--- could mutate cross-org runtime behavior.
-
-DROP TABLE IF EXISTS "system_configs";

package/dist/drizzle/0032_organization_settings.sql

@@ -1,36 +0,0 @@
--- Per-organization settings, keyed by (organization_id, namespace).
---
--- Each row holds an entire group of related config as a JSONB blob; the
--- schema for each namespace lives in @agent-team-foundation/first-tree-hub-shared
--- (ORG_SETTINGS_NAMESPACES) and is enforced by the service layer on every
--- read/write. Adding a new config group means registering a new namespace +
--- Zod schema in shared — the DB does not change.
---
--- `version` is reserved for future optimistic locking (PUT with If-Match).
--- We keep the column from day one so tightening to compare-and-swap later
--- is a code-only change with no migration.
---
--- Sensitive fields inside `value` (e.g. github_integration.webhookSecret)
--- are AES-256-GCM-encrypted at the service layer using crypto.ts's
--- encryptValue / decryptValue — same pattern as adapter_configs.
---
--- ON DELETE CASCADE on organization_id: settings have no independent
--- lifecycle, deleting an org must drop them. updated_by is SET NULL so a
--- user deletion does not cascade-clobber unrelated config rows.
-
-CREATE TABLE IF NOT EXISTS "organization_settings" (
-  "organization_id" text NOT NULL,
-  "namespace"       text NOT NULL,
-  "value"           jsonb NOT NULL DEFAULT '{}'::jsonb,
-  "version"         integer NOT NULL DEFAULT 0,
-  "updated_by"      text,
-  "updated_at"      timestamp with time zone NOT NULL DEFAULT now(),
-  CONSTRAINT "organization_settings_pkey" PRIMARY KEY ("organization_id", "namespace"),
-  CONSTRAINT "organization_settings_organization_id_organizations_id_fk"
-    FOREIGN KEY ("organization_id") REFERENCES "organizations"("id") ON DELETE CASCADE,
-  CONSTRAINT "organization_settings_updated_by_users_id_fk"
-    FOREIGN KEY ("updated_by") REFERENCES "users"("id") ON DELETE SET NULL
-);
-
-CREATE INDEX IF NOT EXISTS "idx_org_settings_namespace"
-  ON "organization_settings" ("namespace");

package/dist/drizzle/0033_onboarding_dismissed_at.sql

@@ -1,13 +0,0 @@
--- Onboarding stepper dismissal flag. Decoupled from the server-side
--- `onboardingStep` enum so the stepper keeps rendering across all three
--- UI steps (server-side onboardingStep flips to `completed` at the end of
--- Step 2; Step 3 is purely client-driven and the stepper must keep
--- showing during the tree-init chat).
---
--- See docs/new-user-onboarding-design.md §8.
---
--- NULL  → stepper renders
--- value → user clicked the `✕`; stepper unmounts. Irreversible from UI v1.
-
-ALTER TABLE "users"
-  ADD COLUMN IF NOT EXISTS "onboarding_dismissed_at" timestamp with time zone;

package/dist/drizzle/0034_pending_questions.sql

@@ -1,34 +0,0 @@
--- Pending ask-user question lifecycle. See packages/server/src/db/schema/pending-questions.ts
--- and services/questions.ts for the read / write paths.
---
--- One row per `format=question` message. Rows are written inside the same
--- transaction as the message INSERT (services/message.ts step 3b) so a
--- rollback drops both. Status flips to `answered` when the user posts an
--- answer, or to `superseded` when the chat session is archived
--- (services/session.ts archiveSession) or the owning client is claimed
--- away (services/client.ts claimClient).
---
--- Per the team's "integrity in service layer" convention, NO foreign-key
--- constraints — referential integrity is enforced by the question service.
--- A correlationId reuses the SDK `tool_use_id` so a single id flows from
--- the Claude Agent SDK callback through to the answer message.
-
-CREATE TABLE IF NOT EXISTS "pending_questions" (
-  "id" text PRIMARY KEY NOT NULL,
-  "agent_id" text NOT NULL,
-  "chat_id" text NOT NULL,
-  "message_id" text NOT NULL,
-  "status" text NOT NULL DEFAULT 'pending',
-  "created_at" timestamp with time zone NOT NULL DEFAULT now(),
-  "answered_at" timestamp with time zone,
-  "superseded_at" timestamp with time zone,
-  "superseded_reason" text
-);
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_pending_questions_agent_status"
-  ON "pending_questions" ("agent_id", "status");
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_pending_questions_chat_status"
-  ON "pending_questions" ("chat_id", "status");

package/dist/drizzle/0035_drop_hub_tasks.sql

@@ -1,7 +0,0 @@
--- Drop the Hub Task subsystem. The product no longer uses tasks; the
--- chat-first workspace covers every flow that previously needed task rows.
--- Order matches the historical service-layer dependency; DB-level FKs were
--- already removed in 0014_drop_task_fks so either order would technically work.
-
-DROP TABLE IF EXISTS "task_chats";--> statement-breakpoint
-DROP TABLE IF EXISTS "tasks";

package/dist/drizzle/0036_github_entity_chat_mappings.sql

@@ -1,47 +0,0 @@
--- GitHub webhook → chat clustering (Phase 0).
--- Maps every (organization, human_agent, delegate_agent, entity) tuple to a
--- single chat. Replaces the legacy "one (human, delegate) chat absorbs every
--- GitHub event" behaviour — see docs webhook-routing-design.md §4 for the
--- background and §4.3 for the data-model decision.
---
--- The composite primary key is also the uniqueness constraint we rely on for
--- concurrent webhook safety: two near-simultaneous events for a brand-new
--- entity hit ON CONFLICT DO NOTHING and the second deliverer falls back to a
--- re-SELECT, so the pair never spawns duplicate chats.
---
--- ON DELETE CASCADE on agent / chat columns: a deleted agent or chat must
--- drop its mapping rows. We do NOT cascade from organizations because that
--- relationship is enforced via the agent FKs already.
---
--- This table is GitHub-specific. Future external sources (Linear, Slack
--- channel events, …) get their own table — their entity models differ
--- enough that a generic table would slide back into untyped jsonb.
---
--- Migration 0036 is hand-written to match the team's recent migration
--- workflow — drizzle-kit generate's snapshot metadata is incomplete pre-0019
--- and refuses to diff (same constraint that 0032's commit message called out).
-
-CREATE TABLE IF NOT EXISTS "github_entity_chat_mappings" (
-  "organization_id"    text NOT NULL,
-  "human_agent_id"     text NOT NULL,
-  "delegate_agent_id"  text NOT NULL,
-  "entity_type"        text NOT NULL,
-  "entity_key"         text NOT NULL,
-  "chat_id"            text NOT NULL,
-  "bound_at"           timestamp with time zone NOT NULL DEFAULT now(),
-  "bound_via"          text NOT NULL,
-  CONSTRAINT "github_entity_chat_mappings_pkey"
-    PRIMARY KEY ("organization_id", "human_agent_id", "delegate_agent_id", "entity_type", "entity_key"),
-  CONSTRAINT "github_entity_chat_mappings_organization_id_organizations_id_fk"
-    FOREIGN KEY ("organization_id") REFERENCES "organizations"("id"),
-  CONSTRAINT "github_entity_chat_mappings_human_agent_id_agents_uuid_fk"
-    FOREIGN KEY ("human_agent_id") REFERENCES "agents"("uuid") ON DELETE CASCADE,
-  CONSTRAINT "github_entity_chat_mappings_delegate_agent_id_agents_uuid_fk"
-    FOREIGN KEY ("delegate_agent_id") REFERENCES "agents"("uuid") ON DELETE CASCADE,
-  CONSTRAINT "github_entity_chat_mappings_chat_id_chats_id_fk"
-    FOREIGN KEY ("chat_id") REFERENCES "chats"("id") ON DELETE CASCADE
-);
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_github_entity_chat_mappings_chat"
-  ON "github_entity_chat_mappings" ("chat_id");

package/dist/drizzle/0037_github_app_installations.sql

@@ -1,52 +0,0 @@
--- GitHub App installation registry. See packages/server/src/db/schema/github-app-installations.ts
--- for the Drizzle types, and docs/github-app-design-zh.md for the design rationale.
---
--- One row per (GitHub account ↔ Hub team) binding. Replaces the per-repo
--- OAuth + webhook-secret model that lived in
--- `organization_settings.github_integration.webhookSecretCipher` — both
--- coexist during the transition, the old path is dropped in a later PR
--- (D3 hard cut, design doc §7 step 7).
---
--- Per the team's "integrity in service layer" convention, NO foreign-key
--- constraints on hub_organization_id beyond the optional reference — the
--- 1:1 binding (D2 / §8 Q1) is enforced by a UNIQUE INDEX rather than by
--- ON DELETE CASCADE so deleting a Hub org doesn't tombstone the
--- GitHub-side record (which still exists upstream).
-
-CREATE TABLE IF NOT EXISTS "github_app_installations" (
-  "id" text PRIMARY KEY NOT NULL,
-  "installation_id" bigint NOT NULL,
-  "account_type" text NOT NULL,
-  "account_login" text NOT NULL,
-  "account_github_id" bigint NOT NULL,
-  "hub_organization_id" text,
-  "permissions" jsonb NOT NULL,
-  "events" jsonb NOT NULL,
-  "suspended_at" timestamp with time zone,
-  "created_at" timestamp with time zone NOT NULL DEFAULT now(),
-  "updated_at" timestamp with time zone NOT NULL DEFAULT now(),
-  CONSTRAINT "ck_github_app_installations_account_type"
-    CHECK ("account_type" IN ('User', 'Organization'))
-);
-
---> statement-breakpoint
-DO $$ BEGIN
-  ALTER TABLE "github_app_installations"
-    ADD CONSTRAINT "github_app_installations_hub_organization_id_organizations_id_fk"
-    FOREIGN KEY ("hub_organization_id") REFERENCES "organizations"("id")
-    ON DELETE SET NULL ON UPDATE NO ACTION;
-EXCEPTION
-  WHEN duplicate_object THEN null;
-END $$;
-
---> statement-breakpoint
-CREATE UNIQUE INDEX IF NOT EXISTS "uq_github_app_installations_installation_id"
-  ON "github_app_installations" ("installation_id");
-
---> statement-breakpoint
-CREATE UNIQUE INDEX IF NOT EXISTS "uq_github_app_installations_hub_org"
-  ON "github_app_installations" ("hub_organization_id");
-
---> statement-breakpoint
-CREATE INDEX IF NOT EXISTS "idx_github_app_installations_account"
-  ON "github_app_installations" ("account_github_id");