@automagik/omni 2.260520.10 → 2.260520.11

package/dist/index.js

@@ -22772,7 +22772,7 @@ var require_node_transport = __commonJS((exports) => {
   var util_1 = require_util();
   var tls_1 = __require("tls");
   var { resolve: resolve2 } = __require("path");
-  var { readFile, existsSync: existsSync11 } = __require("fs");
+  var { readFile, existsSync: existsSync12 } = __require("fs");
   var dns = __require("dns");
   var VERSION2 = "2.29.3";
   var LANG = "nats.js";
@@ -22888,7 +22888,7 @@ var require_node_transport = __commonJS((exports) => {
       const d = (0, nats_base_client_1.deferred)();
       try {
         fn = resolve2(fn);
-        if (!existsSync11(fn)) {
+        if (!existsSync12(fn)) {
           d.reject(new Error(`${fn} doesn't exist`));
         }
         readFile(fn, (err, data2) => {
@@ -61931,8 +61931,8 @@ var init_a2a_provider = __esm(() => {
 
 // ../core/src/providers/nats-genie-provider.ts
 import { mkdir, writeFile } from "fs/promises";
-import { homedir as homedir8 } from "os";
-import { join as join14 } from "path";
+import { homedir as homedir9 } from "os";
+import { join as join15 } from "path";
 
 class NatsGenieProvider {
   id;
@@ -62122,10 +62122,10 @@ class NatsGenieProvider {
   }
   async writeDeadLetter(payload, error2) {
     try {
-      const dlDir = join14(homedir8(), ".omni", "dead-letters");
+      const dlDir = join15(homedir9(), ".omni", "dead-letters");
       await mkdir(dlDir, { recursive: true });
       const filename = `nats-genie-${Date.now()}-${payload.chatId}.json`;
-      await writeFile(join14(dlDir, filename), JSON.stringify({
+      await writeFile(join15(dlDir, filename), JSON.stringify({
         payload,
         error: error2 instanceof Error ? error2.message : String(error2),
         timestamp: new Date().toISOString()
@@ -64004,7 +64004,7 @@ var init_sql = __esm(() => {
       return new SQL([new StringChunk(str)]);
     }
     sql2.raw = raw2;
-    function join15(chunks, separator) {
+    function join16(chunks, separator) {
       const result = [];
       for (const [i6, chunk] of chunks.entries()) {
         if (i6 > 0 && separator !== undefined) {
@@ -64014,7 +64014,7 @@ var init_sql = __esm(() => {
       }
       return new SQL(result);
     }
-    sql2.join = join15;
+    sql2.join = join16;
     function identifier(value) {
       return new Name(value);
     }
@@ -67241,7 +67241,7 @@ var init_select2 = __esm(() => {
       return (table2, on) => {
         const baseTableName = this.tableName;
         const tableName = getTableLikeName(table2);
-        if (typeof tableName === "string" && this.config.joins?.some((join15) => join15.alias === tableName)) {
+        if (typeof tableName === "string" && this.config.joins?.some((join16) => join16.alias === tableName)) {
           throw new Error(`Alias "${tableName}" is already used in this query`);
         }
         if (!this.isPartialSelect) {
@@ -67752,7 +67752,7 @@ var init_update = __esm(() => {
     createJoin(joinType) {
       return (table2, on) => {
         const tableName = getTableLikeName(table2);
-        if (typeof tableName === "string" && this.config.joins.some((join15) => join15.alias === tableName)) {
+        if (typeof tableName === "string" && this.config.joins.some((join16) => join16.alias === tableName)) {
           throw new Error(`Alias "${tableName}" is already used in this query`);
         }
         if (typeof on === "function") {
@@ -67802,10 +67802,10 @@ var init_update = __esm(() => {
             const fromFields = this.getTableLikeFields(this.config.from);
             fields[tableName] = fromFields;
           }
-          for (const join15 of this.config.joins) {
-            const tableName2 = getTableLikeName(join15.table);
-            if (typeof tableName2 === "string" && !is(join15.table, SQL)) {
-              const fromFields = this.getTableLikeFields(join15.table);
+          for (const join16 of this.config.joins) {
+            const tableName2 = getTableLikeName(join16.table);
+            if (typeof tableName2 === "string" && !is(join16.table, SQL)) {
+              const fromFields = this.getTableLikeFields(join16.table);
               fields[tableName2] = fromFields;
             }
           }
@@ -82474,7 +82474,7 @@ var require_path = __commonJS((exports) => {
   function isAbsolute(path) {
     return path.charAt(0) === "/";
   }
-  function join19(...args) {
+  function join20(...args) {
     return normalizePath(args.join("/"));
   }
   function dirname6(path) {
@@ -82499,7 +82499,7 @@ var require_path = __commonJS((exports) => {
   exports.basename = basename6;
   exports.dirname = dirname6;
   exports.isAbsolute = isAbsolute;
-  exports.join = join19;
+  exports.join = join20;
   exports.normalizePath = normalizePath;
   exports.relative = relative;
   exports.resolve = resolve4;
@@ -124067,7 +124067,7 @@ import { fileURLToPath } from "url";
 // package.json
 var package_default = {
   name: "@automagik/omni",
-  version: "2.260520.10",
+  version: "2.260520.11",
   description: "LLM-optimized CLI for Omni",
   type: "module",
   bin: {
@@ -125268,7 +125268,7 @@ function pm2NotFoundError() {
 }
 
 // src/runtime-env.ts
-import { join as join6 } from "path";
+import { join as join7 } from "path";
 
 // src/lib/pgserve-transport.ts
 import { existsSync as existsSync4 } from "fs";
@@ -125335,6 +125335,182 @@ function buildDatabaseUrlForTransport(transport, database, options = {}) {
   return `postgresql://${auth}@${transport.host}:${transport.port}/${encodeURIComponent(database)}`;
 }
 
+// src/lib/role-cutover.ts
+import { createHash as createHash2, randomBytes } from "crypto";
+import { existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync4, unlinkSync, writeFileSync as writeFileSync3 } from "fs";
+import { homedir as homedir3 } from "os";
+import { join as join6 } from "path";
+var NAME_PREFIX = "pgserve_";
+var ROLE_SUFFIX = "_role";
+var POSTGRES_MAX_IDENT = 63;
+var FINGERPRINT_HEX_LEN = 12;
+var OMNI_PUBLISHER = "omni";
+var SAFE_IDENT = /^[a-z_][a-z0-9_]*$/;
+function sha256Hex(input) {
+  return createHash2("sha256").update(input, "utf8").digest("hex");
+}
+function sanitizeSlug(input) {
+  return input.toLowerCase().replace(/[^a-z0-9_]/g, "_").replace(/^_+|_+$/g, "").replace(/__+/g, "_");
+}
+function deriveOmniScopedRoleName() {
+  const fp = sha256Hex("@automagik/omni").slice(0, FINGERPRINT_HEX_LEN);
+  const slug = sanitizeSlug(OMNI_PUBLISHER);
+  const budget = POSTGRES_MAX_IDENT - NAME_PREFIX.length - 1 - fp.length - ROLE_SUFFIX.length;
+  const truncated = slug.slice(0, Math.max(0, budget));
+  return `${NAME_PREFIX}${truncated}_${fp}${ROLE_SUFFIX}`;
+}
+function assertSafeIdent(label, value) {
+  if (!SAFE_IDENT.test(value)) {
+    throw new Error(`role-cutover: unsafe ${label} identifier: ${JSON.stringify(value)}`);
+  }
+}
+function assertSafePassword(value) {
+  if (!/^[A-Za-z0-9_-]+$/.test(value)) {
+    throw new Error("role-cutover: generated password contains unsafe characters");
+  }
+}
+function sentinelDir() {
+  return join6(homedir3(), ".omni");
+}
+function sentinelPath() {
+  return join6(sentinelDir(), "scoped-role.json");
+}
+function readOmniCutoverSentinel() {
+  const path = sentinelPath();
+  if (!existsSync5(path))
+    return null;
+  try {
+    const raw2 = readFileSync4(path, "utf-8");
+    const parsed = JSON.parse(raw2);
+    if (typeof parsed.roleName === "string" && typeof parsed.database === "string" && typeof parsed.password === "string" && typeof parsed.provisionedAt === "string") {
+      return parsed;
+    }
+  } catch {}
+  return null;
+}
+function writeOmniCutoverSentinel(data2) {
+  const dir = sentinelDir();
+  if (!existsSync5(dir))
+    mkdirSync3(dir, { recursive: true, mode: 448 });
+  const path = sentinelPath();
+  writeFileSync3(path, `${JSON.stringify(data2, null, 2)}
+`, { mode: 384 });
+}
+function isOmniRoleCutoverEnabled() {
+  return process.env.OMNI_ROLE_CUTOVER !== "0";
+}
+function generatePassword() {
+  return randomBytes(32).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+async function ensureOmniScopedRole(opts) {
+  const enabled = opts.enabled ?? isOmniRoleCutoverEnabled();
+  if (!enabled) {
+    return { status: "skipped", reason: "disabled" };
+  }
+  const database = opts.database ?? "omni";
+  const port = opts.port ?? 5432;
+  const roleName = deriveOmniScopedRoleName();
+  try {
+    assertSafeIdent("role", roleName);
+    assertSafeIdent("database", database);
+  } catch (err) {
+    return { status: "skipped", reason: err.message };
+  }
+  const existing = readOmniCutoverSentinel();
+  const password = existing && existing.roleName === roleName && existing.database === database ? existing.password : generatePassword();
+  try {
+    assertSafePassword(password);
+  } catch (err) {
+    return { status: "skipped", reason: err.message };
+  }
+  const sqlScript = [
+    `DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${roleName}') THEN
+    CREATE ROLE "${roleName}" WITH LOGIN PASSWORD '${password}'
+      NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS;
+  ELSE
+    ALTER ROLE "${roleName}" WITH LOGIN PASSWORD '${password}'
+      NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION NOBYPASSRLS;
+  END IF;
+END
+$$;`,
+    `GRANT CONNECT, TEMPORARY ON DATABASE "${database}" TO "${roleName}";`
+  ];
+  const dbCreateOk = await runPsql(sqlScript.join(`
+`), { socketDir: opts.socketDir, port, database: "postgres" });
+  if (!dbCreateOk) {
+    return { status: "skipped", reason: "psql role provisioning failed" };
+  }
+  const grantsScript = [
+    `GRANT USAGE, CREATE ON SCHEMA public TO "${roleName}";`,
+    `GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO "${roleName}";`,
+    `GRANT USAGE, SELECT, UPDATE ON ALL SEQUENCES IN SCHEMA public TO "${roleName}";`,
+    `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "${roleName}";`,
+    `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT USAGE, SELECT, UPDATE ON SEQUENCES TO "${roleName}";`,
+    `ALTER DEFAULT PRIVILEGES FOR ROLE "${roleName}" IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO "${roleName}";`,
+    `ALTER DEFAULT PRIVILEGES FOR ROLE "${roleName}" IN SCHEMA public GRANT USAGE, SELECT, UPDATE ON SEQUENCES TO "${roleName}";`
+  ].join(`
+`);
+  const grantsOk = await runPsql(grantsScript, { socketDir: opts.socketDir, port, database });
+  if (!grantsOk) {
+    return { status: "skipped", reason: "psql grant step failed" };
+  }
+  writeOmniCutoverSentinel({
+    roleName,
+    database,
+    password,
+    provisionedAt: new Date().toISOString()
+  });
+  return existing && existing.roleName === roleName ? { status: "refreshed", roleName } : { status: "provisioned", roleName };
+}
+async function runPsql(sql, opts) {
+  const proc = Bun.spawn({
+    cmd: [
+      "psql",
+      "-h",
+      opts.socketDir,
+      "-p",
+      String(opts.port),
+      "-U",
+      "postgres",
+      "-d",
+      opts.database,
+      "-v",
+      "ON_ERROR_STOP=1",
+      "-c",
+      sql
+    ],
+    stdout: "pipe",
+    stderr: "pipe",
+    env: { ...process.env, PGPASSWORD: "postgres" }
+  });
+  const stderr = await new Response(proc.stderr).text();
+  const code = await proc.exited;
+  if (code !== 0) {
+    process.stderr.write(`role-cutover: psql exited ${code}: ${stderr.trim()}
+`);
+    return false;
+  }
+  return true;
+}
+function resolveOmniScopedCredentials() {
+  if (!isOmniRoleCutoverEnabled())
+    return null;
+  const sentinel = readOmniCutoverSentinel();
+  if (!sentinel)
+    return null;
+  const expected = deriveOmniScopedRoleName();
+  if (sentinel.roleName !== expected) {
+    return null;
+  }
+  return {
+    username: sentinel.roleName,
+    password: sentinel.password,
+    roleName: sentinel.roleName
+  };
+}
+
 // src/runtime-env.ts
 var LEGACY_DEFAULT_DATABASE_URL = "postgresql://postgres:postgres@localhost:5432/omni";
 var LEGACY_PHASE2_DATABASE_URL = "postgresql://postgres:postgres@localhost:8432/omni";
@@ -125363,21 +125539,34 @@ function resolveDatabaseUrl(serverConfig) {
   }
   return buildEmbeddedDatabaseUrl(resolvePgservePort(serverConfig));
 }
+function applyScopedCredentials(url, creds) {
+  if (!creds)
+    return url;
+  try {
+    const parsed = new URL(url);
+    parsed.username = encodeURIComponent(creds.username);
+    parsed.password = encodeURIComponent(creds.password);
+    return parsed.toString();
+  } catch {
+    return url;
+  }
+}
 function buildRuntimeEnv(serverConfig, cliConfig) {
   const pgservePort = resolvePgservePort(serverConfig);
   const udsActive = probeCanonicalSocketSync();
   const pgHost = udsActive ? resolvePgserveSocketDir() : "";
   const pgPort = udsActive ? String(CANONICAL_PG_PORT) : "";
+  const scopedCreds = resolveOmniScopedCredentials();
   return {
     API_PORT: String(serverConfig.port),
-    DATABASE_URL: resolveDatabaseUrl(serverConfig),
+    DATABASE_URL: applyScopedCredentials(resolveDatabaseUrl(serverConfig), scopedCreds),
     PGHOST: pgHost,
     PGPORT: pgPort,
     OMNI_API_KEY: cliConfig.apiKey ?? "",
-    MEDIA_STORAGE_PATH: join6(serverConfig.dataDir, "media"),
-    OMNI_PACKAGES_DIR: join6(serverConfig.dataDir, "packages"),
+    MEDIA_STORAGE_PATH: join7(serverConfig.dataDir, "media"),
+    OMNI_PACKAGES_DIR: join7(serverConfig.dataDir, "packages"),
     PGSERVE_EMBEDDED: "false",
-    PGSERVE_DATA: join6(serverConfig.dataDir, "pgserve"),
+    PGSERVE_DATA: join7(serverConfig.dataDir, "pgserve"),
     PGSERVE_PORT: String(pgservePort),
     NATS_URL: "nats://localhost:4222",
     NODE_ENV: serverConfig.nodeEnv,
@@ -127691,9 +127880,9 @@ function createDeadLettersCommand() {
 }
 
 // src/commands/doctor.ts
-import { existsSync as existsSync8, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
-import { homedir as homedir6 } from "os";
-import { join as join11, resolve } from "path";
+import { existsSync as existsSync9, readdirSync as readdirSync2, statSync as statSync2 } from "fs";
+import { homedir as homedir7 } from "os";
+import { join as join12, resolve } from "path";
 init_config();
 
 // src/health.ts
@@ -127719,14 +127908,14 @@ async function waitForHealth(port, timeoutMs = HEALTH_TIMEOUT_MS) {
 
 // src/install-helpers.ts
 init_config();
-import { existsSync as existsSync6, readdirSync, writeFileSync as writeFileSync4 } from "fs";
-import { homedir as homedir4 } from "os";
-import { join as join8 } from "path";
+import { existsSync as existsSync7, readdirSync, writeFileSync as writeFileSync5 } from "fs";
+import { homedir as homedir5 } from "os";
+import { join as join9 } from "path";
 
 // src/nats-install.ts
-import { chmodSync as chmodSync2, existsSync as existsSync5, mkdirSync as mkdirSync3, writeFileSync as writeFileSync3 } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join7 } from "path";
+import { chmodSync as chmodSync2, existsSync as existsSync6, mkdirSync as mkdirSync4, writeFileSync as writeFileSync4 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join8 } from "path";
 
 // ../../node_modules/.bun/ora@8.2.0/node_modules/ora/index.js
 init_source();
@@ -128616,8 +128805,8 @@ function ora(options) {
 
 // src/nats-install.ts
 init_output();
-var OMNI_DIR = join7(homedir3(), ".omni");
-var NATS_BINARY_PATH = join7(OMNI_DIR, "nats-server");
+var OMNI_DIR = join8(homedir4(), ".omni");
+var NATS_BINARY_PATH = join8(OMNI_DIR, "nats-server");
 var NATS_VERSION = "v2.12.4";
 function platformInfo() {
   const platform = process.platform;
@@ -128640,17 +128829,17 @@ async function downloadNats() {
   const url = `https://github.com/nats-io/nats-server/releases/download/${NATS_VERSION}/${fileName}`;
   const spinner = ora(`Downloading NATS ${NATS_VERSION} for ${info2.os}/${info2.arch}...`).start();
   try {
-    mkdirSync3(OMNI_DIR, { recursive: true, mode: 448 });
+    mkdirSync4(OMNI_DIR, { recursive: true, mode: 448 });
     const resp = await fetch(url, { signal: AbortSignal.timeout(60000) });
     if (!resp.ok) {
       spinner.fail(`NATS download failed: HTTP ${resp.status}`);
       return false;
     }
-    const tarPath = join7(OMNI_DIR, fileName);
-    writeFileSync3(tarPath, Buffer.from(await resp.arrayBuffer()));
+    const tarPath = join8(OMNI_DIR, fileName);
+    writeFileSync4(tarPath, Buffer.from(await resp.arrayBuffer()));
     spinner.text = "Extracting NATS binary...";
-    const tmpDir = join7(OMNI_DIR, "nats-tmp");
-    mkdirSync3(tmpDir, { recursive: true });
+    const tmpDir = join8(OMNI_DIR, "nats-tmp");
+    mkdirSync4(tmpDir, { recursive: true });
     const tar = Bun.spawn({ cmd: ["tar", "-xzf", tarPath, "-C", tmpDir], stdout: "pipe", stderr: "pipe" });
     const [tarCode, tarErr] = await Promise.all([tar.exited, new Response(tar.stderr).text()]);
     if (tarCode !== 0) {
@@ -128675,7 +128864,7 @@ async function downloadNats() {
   }
 }
 async function ensureNats() {
-  if (existsSync5(NATS_BINARY_PATH)) {
+  if (existsSync6(NATS_BINARY_PATH)) {
     raw(`  \u2713 NATS binary found at ${NATS_BINARY_PATH}`);
     return;
   }
@@ -128685,7 +128874,7 @@ async function ensureNats() {
 
 // src/install-helpers.ts
 init_output();
-var DEFAULT_DATA_DIR = join8(homedir4(), ".omni", "data");
+var DEFAULT_DATA_DIR = join9(homedir5(), ".omni", "data");
 async function detectReinstall(dataDirOverride) {
   const hasConfig = detectHasConfig();
   const hasPm2Process = await detectHasPm2Process();
@@ -128698,7 +128887,7 @@ async function detectReinstall(dataDirOverride) {
   };
 }
 function detectHasConfig() {
-  if (!existsSync6(getConfigPath()))
+  if (!existsSync7(getConfigPath()))
     return false;
   try {
     const parsed = loadConfig();
@@ -128720,7 +128909,7 @@ async function detectHasPm2Process() {
 }
 function detectHasDataDir(dataDirOverride) {
   const dataDir = dataDirOverride ?? DEFAULT_DATA_DIR;
-  if (!existsSync6(dataDir))
+  if (!existsSync7(dataDir))
     return false;
   try {
     return readdirSync(dataDir).filter((e) => e !== ".DS_Store").length > 0;
@@ -128774,7 +128963,7 @@ ExecStart=/usr/bin/env omni start
 ExecStop=/usr/bin/env omni stop
 ExecReload=/usr/bin/env omni restart
 Restart=on-failure
-PIDFile=${homedir4()}/.pm2/pm2.pid
+PIDFile=${homedir5()}/.pm2/pm2.pid
 
 [Install]
 WantedBy=multi-user.target
@@ -128785,7 +128974,7 @@ After=network.target
 
 [Service]
 Type=simple
-ExecStart="${NATS_BINARY_PATH}" -js -sd "${join8(dataDir, "nats")}"
+ExecStart="${NATS_BINARY_PATH}" -js -sd "${join9(dataDir, "nats")}"
 Restart=on-failure
 RestartSec=5
 
@@ -128793,8 +128982,8 @@ RestartSec=5
 WantedBy=multi-user.target
 `;
   try {
-    writeFileSync4("/etc/systemd/system/omni-nats.service", natsUnit, { mode: 420 });
-    writeFileSync4("/etc/systemd/system/omni-api.service", apiUnit, { mode: 420 });
+    writeFileSync5("/etc/systemd/system/omni-nats.service", natsUnit, { mode: 420 });
+    writeFileSync5("/etc/systemd/system/omni-api.service", apiUnit, { mode: 420 });
     success("Systemd units written to /etc/systemd/system/");
     raw(`
   Enable with: sudo systemctl enable --now omni-nats omni-api
@@ -128808,9 +128997,9 @@ WantedBy=multi-user.target
 init_config();
 init_output();
 import { spawnSync } from "child_process";
-import { existsSync as existsSync7, mkdirSync as mkdirSync4, readFileSync as readFileSync4, renameSync, statSync, writeFileSync as writeFileSync5 } from "fs";
-import { homedir as homedir5 } from "os";
-import { join as join9 } from "path";
+import { existsSync as existsSync8, mkdirSync as mkdirSync5, readFileSync as readFileSync5, renameSync, statSync, writeFileSync as writeFileSync6 } from "fs";
+import { homedir as homedir6 } from "os";
+import { join as join10 } from "path";
 import { gunzipSync, gzipSync } from "zlib";
 async function isPgserveInstalled() {
   const bin = resolvePgserveBinary();
@@ -128928,6 +129117,16 @@ async function setupCanonicalPgserve() {
   if (port === null)
     return null;
   await ensureOmniDatabaseExists(port);
+  const cutover = await ensureOmniScopedRole({
+    socketDir: resolvePgserveSocketDir(),
+    port,
+    database: OMNI_DATABASE_NAME
+  });
+  if (cutover.status === "provisioned" || cutover.status === "refreshed") {
+    raw(`  Scoped role \`${cutover.roleName}\` ${cutover.status} \u2014 omni-api will connect as non-superuser.`);
+  } else if (cutover.status === "skipped" && cutover.reason !== "disabled") {
+    warn(`Scoped-role cutover skipped: ${cutover.reason} \u2014 omni-api falls back to postgres superuser.`);
+  }
   return buildOmniDatabaseUrl(port);
 }
 async function resolveCanonicalPgservePreference(isReinstall, cfg) {
@@ -128959,18 +129158,18 @@ async function resolveCanonicalPgservePreference(isReinstall, cfg) {
   raw("");
   return true;
 }
-var OMNI_EMBEDDED_PGSERVE_DATA_DIR = join9(homedir5(), ".omni", "data", "pgserve");
-var PGSERVE_DEFAULT_DATA_DIR = join9(homedir5(), ".pgserve", "data");
-var PGSERVE_CONFIG_PATH = join9(homedir5(), ".pgserve", "config.json");
-var OMNI_BACKUPS_DIR = join9(homedir5(), ".omni", "backups");
+var OMNI_EMBEDDED_PGSERVE_DATA_DIR = join10(homedir6(), ".omni", "data", "pgserve");
+var PGSERVE_DEFAULT_DATA_DIR = join10(homedir6(), ".pgserve", "data");
+var PGSERVE_CONFIG_PATH = join10(homedir6(), ".pgserve", "config.json");
+var OMNI_BACKUPS_DIR = join10(homedir6(), ".omni", "backups");
 function getEmbeddedPgserveDataDir() {
   return OMNI_EMBEDDED_PGSERVE_DATA_DIR;
 }
 function getCanonicalPgserveDataDir() {
-  if (!existsSync7(PGSERVE_CONFIG_PATH))
+  if (!existsSync8(PGSERVE_CONFIG_PATH))
     return PGSERVE_DEFAULT_DATA_DIR;
   try {
-    const raw2 = readFileSync4(PGSERVE_CONFIG_PATH, "utf8");
+    const raw2 = readFileSync5(PGSERVE_CONFIG_PATH, "utf8");
     const parsed = JSON.parse(raw2);
     return typeof parsed.dataDir === "string" && parsed.dataDir.length > 0 ? parsed.dataDir : PGSERVE_DEFAULT_DATA_DIR;
   } catch {
@@ -128978,11 +129177,11 @@ function getCanonicalPgserveDataDir() {
   }
 }
 function looksLikePgDataDir(path) {
-  return existsSync7(join9(path, "PG_VERSION")) && existsSync7(join9(path, "base"));
+  return existsSync8(join10(path, "PG_VERSION")) && existsSync8(join10(path, "base"));
 }
 function getSnapshotPath(timestamp = new Date) {
   const ts = timestamp.toISOString().replace(/[:.]/g, "-");
-  return join9(OMNI_BACKUPS_DIR, `embedded-migration-${ts}.sql.gz`);
+  return join10(OMNI_BACKUPS_DIR, `embedded-migration-${ts}.sql.gz`);
 }
 function commandIsAvailable(cmd) {
   try {
@@ -129007,7 +129206,7 @@ function pgEnvFromUrl(url) {
 }
 async function dumpEmbeddedDb(currentDatabaseUrl) {
   const embeddedDir = getEmbeddedPgserveDataDir();
-  if (!existsSync7(embeddedDir)) {
+  if (!existsSync8(embeddedDir)) {
     return { status: "no-embedded-data", embeddedDir };
   }
   if (!looksLikePgDataDir(embeddedDir)) {
@@ -129018,7 +129217,7 @@ async function dumpEmbeddedDb(currentDatabaseUrl) {
     throw new Error("pg_dump not found in PATH \u2014 install postgresql-client (apt install postgresql-client / brew install postgresql) and retry");
   }
   const snapshotPath = getSnapshotPath();
-  mkdirSync4(OMNI_BACKUPS_DIR, { recursive: true, mode: 448 });
+  mkdirSync5(OMNI_BACKUPS_DIR, { recursive: true, mode: 448 });
   raw("  Dumping embedded database via pg_dump...");
   raw(`    source data dir: ${embeddedDir}`);
   raw(`    snapshot:        ${snapshotPath}`);
@@ -129034,7 +129233,7 @@ async function dumpEmbeddedDb(currentDatabaseUrl) {
   }
   const compressed = gzipSync(result.stdout);
   const tmpPath = `${snapshotPath}.tmp`;
-  writeFileSync5(tmpPath, compressed, { mode: 384 });
+  writeFileSync6(tmpPath, compressed, { mode: 384 });
   renameSync(tmpPath, snapshotPath);
   const bytes = statSync(snapshotPath).size;
   raw(`    snapshot size:   ${formatBytes(bytes)}`);
@@ -129052,7 +129251,7 @@ async function restoreSnapshotToCanonical(dump, canonicalDatabaseUrl) {
   raw(`    snapshot:           ${dump.snapshotPath}`);
   raw(`    canonical data dir: ${getCanonicalPgserveDataDir()}`);
   raw(`    canonical URL:      ${canonicalDatabaseUrl}`);
-  const compressed = readFileSync4(dump.snapshotPath);
+  const compressed = readFileSync5(dump.snapshotPath);
   const sql = gunzipSync(compressed);
   const result = spawnSync("psql", ["-v", "ON_ERROR_STOP=1"], {
     env: { ...process.env, ...pgEnvFromUrl(canonicalDatabaseUrl) },
@@ -129083,24 +129282,24 @@ init_output();
 
 // src/server-bundle.ts
 init_output();
-import { dirname as dirname2, join as join10 } from "path";
+import { dirname as dirname2, join as join11 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function getServerBundlePath() {
   try {
     const thisFile = fileURLToPath2(import.meta.url);
     const distDir = dirname2(thisFile);
-    return join10(distDir, "server", "index.js");
+    return join11(distDir, "server", "index.js");
   } catch {
-    return join10(process.cwd(), "dist", "server", "index.js");
+    return join11(process.cwd(), "dist", "server", "index.js");
   }
 }
 function getServerLauncherPath() {
   try {
     const thisFile = fileURLToPath2(import.meta.url);
     const distDir = dirname2(thisFile);
-    return join10(distDir, "..", "bin", "omni-server");
+    return join11(distDir, "..", "bin", "omni-server");
   } catch {
-    return join10(process.cwd(), "bin", "omni-server");
+    return join11(process.cwd(), "bin", "omni-server");
   }
 }
 function bundleNotFoundError(bundlePath) {
@@ -129165,10 +129364,10 @@ function productionDeps() {
       }
     },
     findOrphanedDataDirs: () => {
-      const roots = [process.cwd(), join11(homedir6(), "workspace"), join11(homedir6(), "repos")];
+      const roots = [process.cwd(), join12(homedir7(), "workspace"), join12(homedir7(), "repos")];
       const found = [];
       for (const root of roots) {
-        if (!existsSync8(root))
+        if (!existsSync9(root))
           continue;
         try {
           scanForOrphans(root, found, 0);
@@ -129276,7 +129475,7 @@ function scanForOrphans(dir, acc, depth, maxDepth = 4) {
   for (const name of entries) {
     if (name === "node_modules" || name === ".git")
       continue;
-    const full = join11(dir, name);
+    const full = join12(dir, name);
     let stats;
     try {
       stats = statSync2(full);
@@ -129899,7 +130098,7 @@ Safety:
 }
 
 // src/commands/done.ts
-import { existsSync as existsSync9, readFileSync as readFileSync5 } from "fs";
+import { existsSync as existsSync10, readFileSync as readFileSync6 } from "fs";
 import { basename, extname } from "path";
 
 // src/context.ts
@@ -130008,12 +130207,12 @@ async function handleReact(client, ctx, emoji) {
   await closeTurn(client, "react", `Reacted ${emoji} + turn closed`);
 }
 async function handleMedia(client, ctx, mediaPath, caption) {
-  if (!existsSync9(mediaPath)) {
+  if (!existsSync10(mediaPath)) {
     return error(`File not found: ${mediaPath}`);
   }
   try {
     const mediaType = getMediaType(mediaPath);
-    const buffer = readFileSync5(mediaPath);
+    const buffer = readFileSync6(mediaPath);
     const base64 = buffer.toString("base64");
     const filename = basename(mediaPath);
     await client.messages.sendMedia({
@@ -130445,7 +130644,7 @@ function createEventsCommand() {
 }
 
 // src/commands/film.ts
-import { writeFileSync as writeFileSync6 } from "fs";
+import { writeFileSync as writeFileSync7 } from "fs";
 import { resolve as resolvePath } from "path";
 init_output();
 function createFilmCommand() {
@@ -130509,7 +130708,7 @@ function createFilmCommand() {
       const videoBuffer = Buffer.from(result.videoBase64, "base64");
       if (options.output) {
         const outPath = resolvePath(options.output);
-        writeFileSync6(outPath, videoBuffer);
+        writeFileSync7(outPath, videoBuffer);
         success("Video saved", { path: outPath, sizeBytes: videoBuffer.length });
         return;
       }
@@ -130533,7 +130732,7 @@ function createFilmCommand() {
 }
 
 // src/commands/follow-up.ts
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 init_output();
 var VALID_SCOPES = ["agents", "instances", "chats"];
 function assertScope(scope) {
@@ -130551,9 +130750,9 @@ async function resolveScopedId(scope, id) {
 function readJsonArg(raw2) {
   let body = raw2;
   if (body === "-") {
-    body = readFileSync6(0, "utf8");
+    body = readFileSync7(0, "utf8");
   } else if (body.startsWith("@")) {
-    body = readFileSync6(body.slice(1), "utf8");
+    body = readFileSync7(body.slice(1), "utf8");
   }
   try {
     return JSON.parse(body);
@@ -130705,8 +130904,8 @@ function createHistoryCommand() {
 }
 
 // src/commands/imagine.ts
-import { writeFileSync as writeFileSync7 } from "fs";
-import { basename as basename2, dirname as dirname3, extname as extname2, join as join12 } from "path";
+import { writeFileSync as writeFileSync8 } from "fs";
+import { basename as basename2, dirname as dirname3, extname as extname2, join as join13 } from "path";
 init_output();
 var ALLOWED_ASPECT_RATIOS = ["1:1", "4:3", "3:4", "16:9", "9:16", "3:2", "2:3"];
 function extensionForMime(mimeType) {
@@ -130721,9 +130920,9 @@ function buildOutputPath(outputBase, index, total, mimeType) {
   const ext = extname2(outputBase) || extensionForMime(mimeType);
   const stem = basename2(outputBase, extname2(outputBase));
   if (total <= 1) {
-    return join12(dir, `${stem}${ext}`);
+    return join13(dir, `${stem}${ext}`);
   }
-  return join12(dir, `${stem}-${index + 1}${ext}`);
+  return join13(dir, `${stem}-${index + 1}${ext}`);
 }
 function parseAspectRatio(value) {
   if (!value)
@@ -130796,7 +130995,7 @@ function createImagineCommand() {
           continue;
         const path = buildOutputPath(options.output, i, result.images.length, image.mimeType);
         try {
-          writeFileSync7(path, Buffer.from(image.base64, "base64"));
+          writeFileSync8(path, Buffer.from(image.base64, "base64"));
           savedPaths.push(path);
         } catch (err) {
           const message = err instanceof Error ? err.message : "Unknown error";
@@ -130841,12 +131040,12 @@ function createImagineCommand() {
 }
 
 // src/commands/install.ts
-import { existsSync as existsSync10, mkdirSync as mkdirSync5 } from "fs";
-import { homedir as homedir7 } from "os";
-import { join as join13 } from "path";
+import { existsSync as existsSync11, mkdirSync as mkdirSync6 } from "fs";
+import { homedir as homedir8 } from "os";
+import { join as join14 } from "path";
 init_config();
 init_output();
-var DEFAULT_DATA_DIR2 = join13(homedir7(), ".omni", "data");
+var DEFAULT_DATA_DIR2 = join14(homedir8(), ".omni", "data");
 function computeDefaultDatabaseUrl() {
   return buildEmbeddedDatabaseUrl();
 }
@@ -130945,13 +131144,13 @@ async function startServices(cfg, forceCleanup, forceSystemd, useCanonicalPgserv
     return false;
   }
   const bundlePath = getServerBundlePath();
-  if (!existsSync10(bundlePath)) {
+  if (!existsSync11(bundlePath)) {
     warn(`Server bundle not found at: ${bundlePath}
   Install @automagik/omni from npm: bun add -g @automagik/omni
   Or build locally: make cli-build-full`);
     return false;
   }
-  mkdirSync5(getPm2LogDir(), { recursive: true });
+  mkdirSync6(getPm2LogDir(), { recursive: true });
   await installPm2Logrotate();
   const runtimeEnv = buildInstallRuntimeEnv(cfg, forceCleanup, useCanonicalPgserve);
   await runPm2(["delete", PM2_PROCESSES.api]);
@@ -130969,10 +131168,10 @@ async function startServices(cfg, forceCleanup, forceSystemd, useCanonicalPgserv
     return false;
   }
   apiSpinner.succeed(`${PM2_PROCESSES.api} started`);
-  if (existsSync10(NATS_BINARY_PATH)) {
+  if (existsSync11(NATS_BINARY_PATH)) {
     const natsSpinner = ora(`Starting ${PM2_PROCESSES.nats}...`).start();
-    const natsDataDir = join13(cfg.dataDir, "nats");
-    mkdirSync5(natsDataDir, { recursive: true });
+    const natsDataDir = join14(cfg.dataDir, "nats");
+    mkdirSync6(natsDataDir, { recursive: true });
     const natsArgs = buildPm2StartArgs({
       kind: "nats",
       script: NATS_BINARY_PATH,
@@ -132648,7 +132847,7 @@ function createLogsCommand() {
 }
 
 // src/commands/media.ts
-import { createWriteStream as createWriteStream2, existsSync as existsSync12, mkdirSync as mkdirSync7, statSync as statSync4 } from "fs";
+import { createWriteStream as createWriteStream2, existsSync as existsSync13, mkdirSync as mkdirSync8, statSync as statSync4 } from "fs";
 import { basename as basename4, dirname as dirname4, resolve as resolve2 } from "path";
 import { Readable } from "stream";
 import { pipeline } from "stream/promises";
@@ -132711,14 +132910,14 @@ function resolveOutputPath(outputPath, result) {
   const resolved = resolve2(outputPath);
   if (isDirHint)
     return resolve2(resolved, filename);
-  if (existsSync12(resolved) && statSync4(resolved).isDirectory())
+  if (existsSync13(resolved) && statSync4(resolved).isDirectory())
     return resolve2(resolved, filename);
   return resolved;
 }
 async function downloadToFile(url, apiKey, destinationPath) {
   const destDir = dirname4(destinationPath);
-  if (!existsSync12(destDir))
-    mkdirSync7(destDir, { recursive: true });
+  if (!existsSync13(destDir))
+    mkdirSync8(destDir, { recursive: true });
   const resp = await fetch(url, {
     method: "GET",
     headers: apiKey ? { "x-api-key": apiKey } : undefined
@@ -133671,8 +133870,8 @@ init_output();
 init_src();
 import { execFileSync as execFileSync3, execSync } from "child_process";
 import * as nodeCrypto2 from "crypto";
-import { existsSync as existsSync13, mkdirSync as mkdirSync8, readFileSync as readFileSync8, writeFileSync as writeFileSync8 } from "fs";
-import { homedir as homedir9 } from "os";
+import { existsSync as existsSync14, mkdirSync as mkdirSync9, readFileSync as readFileSync9, writeFileSync as writeFileSync9 } from "fs";
+import { homedir as homedir10 } from "os";
 import { dirname as dirname5, resolve as resolve3 } from "path";
 import { createInterface as createInterface2 } from "readline";
 init_config();
@@ -133899,19 +134098,19 @@ async function pairDevice(gatewayUrl, gatewayToken, keypair, spinner) {
     ws.close(1000, "pairing complete");
   }
 }
-var OPENCLAW_CONFIG_PATH = resolve3(homedir9(), ".openclaw", "openclaw.json");
+var OPENCLAW_CONFIG_PATH = resolve3(homedir10(), ".openclaw", "openclaw.json");
 var PLUGIN_MARKER = "plugin-openclaw/omni.ts";
 function readOpenClawConfig(configPath) {
-  if (!existsSync13(configPath))
+  if (!existsSync14(configPath))
     return {};
-  const raw2 = readFileSync8(configPath, "utf-8").trim();
+  const raw2 = readFileSync9(configPath, "utf-8").trim();
   if (!raw2)
     return {};
   return JSON.parse(raw2);
 }
 function writeOpenClawConfig(configPath, config2) {
-  mkdirSync8(dirname5(configPath), { recursive: true, mode: 448 });
-  writeFileSync8(configPath, `${JSON.stringify(config2, null, 2)}
+  mkdirSync9(dirname5(configPath), { recursive: true, mode: 448 });
+  writeFileSync9(configPath, `${JSON.stringify(config2, null, 2)}
 `, { mode: 384 });
 }
 function isPluginRegistered(config2, marker, pluginPath) {
@@ -133943,10 +134142,10 @@ function isValidUuid2(value) {
 }
 function resolvePluginPath(explicit) {
   if (explicit) {
-    return existsSync13(explicit) ? resolve3(explicit) : null;
+    return existsSync14(explicit) ? resolve3(explicit) : null;
   }
   const cwdCandidate = resolve3(process.cwd(), "packages/plugin-openclaw/omni.ts");
-  return existsSync13(cwdCandidate) ? cwdCandidate : null;
+  return existsSync14(cwdCandidate) ? cwdCandidate : null;
 }
 function registerPlugin(config2, pluginPath, configPath) {
   if (hasOpenClawCli()) {
@@ -134996,7 +135195,7 @@ function createSayCommand() {
 }
 
 // src/commands/see.ts
-import { existsSync as existsSync14, readFileSync as readFileSync9, statSync as statSync5 } from "fs";
+import { existsSync as existsSync15, readFileSync as readFileSync10, statSync as statSync5 } from "fs";
 import { extname as extname4 } from "path";
 init_output();
 var MIME_BY_EXT = {
@@ -135028,7 +135227,7 @@ function parseMaxTokens(value) {
   return n2;
 }
 function loadMedia(file) {
-  if (!existsSync14(file)) {
+  if (!existsSync15(file)) {
     error(`File not found: ${file}`);
   }
   const stat = statSync5(file);
@@ -135039,7 +135238,7 @@ function loadMedia(file) {
     error(`File is empty: ${file}`);
   }
   try {
-    return { buffer: readFileSync9(file), mimeType: guessMimeType(file) };
+    return { buffer: readFileSync10(file), mimeType: guessMimeType(file) };
   } catch (err2) {
     const message2 = err2 instanceof Error ? err2.message : "Unknown error";
     return error(`Failed to read ${file}: ${message2}`);
@@ -135114,7 +135313,7 @@ function createSeeCommand() {
 }
 
 // src/commands/send.ts
-import { existsSync as existsSync15, readFileSync as readFileSync10 } from "fs";
+import { existsSync as existsSync16, readFileSync as readFileSync11 } from "fs";
 import { basename as basename5, extname as extname5 } from "path";
 init_source();
 init_config();
@@ -135134,7 +135333,7 @@ function getMediaType2(path) {
   return "document";
 }
 function readFileAsBase64(path) {
-  const buffer3 = readFileSync10(path);
+  const buffer3 = readFileSync11(path);
   return buffer3.toString("base64");
 }
 var messageSenders = {
@@ -135155,7 +135354,7 @@ var messageSenders = {
     const { to, media } = options3;
     if (!to || !media)
       return;
-    if (!existsSync15(media)) {
+    if (!existsSync16(media)) {
       error(`File not found: ${media}`);
       return;
     }
@@ -135687,9 +135886,9 @@ function pickFilename(mimeType, provider) {
 }
 
 // src/commands/start.ts
-import { existsSync as existsSync16, mkdirSync as mkdirSync9 } from "fs";
-import { homedir as homedir10 } from "os";
-import { join as join15 } from "path";
+import { existsSync as existsSync17, mkdirSync as mkdirSync10 } from "fs";
+import { homedir as homedir11 } from "os";
+import { join as join16 } from "path";
 init_config();
 init_output();
 var START_HEALTH_TIMEOUT_MS = 1e4;
@@ -135698,12 +135897,12 @@ async function runStart() {
     pm2NotFoundError();
   }
   const bundlePath = getServerBundlePath();
-  if (!existsSync16(bundlePath)) {
+  if (!existsSync17(bundlePath)) {
     bundleNotFoundError(bundlePath);
   }
   const serverConfig = loadServerConfig();
   const apiPort = serverConfig.port;
-  mkdirSync9(getPm2LogDir(), { recursive: true });
+  mkdirSync10(getPm2LogDir(), { recursive: true });
   info(`Starting ${PM2_PROCESSES.api} (port ${apiPort})...`);
   const cliConfig = loadConfig();
   const env2 = buildRuntimeEnv(serverConfig, cliConfig);
@@ -135719,11 +135918,11 @@ async function runStart() {
     error(`Failed to start ${PM2_PROCESSES.api} (pm2 exit code ${apiCode})`, undefined, 1);
     return;
   }
-  const natsPath = join15(homedir10(), ".omni", "nats-server");
-  if (existsSync16(natsPath)) {
+  const natsPath = join16(homedir11(), ".omni", "nats-server");
+  if (existsSync17(natsPath)) {
     info(`Starting ${PM2_PROCESSES.nats}...`);
-    const natsDataDir = join15(serverConfig.dataDir, "nats");
-    mkdirSync9(natsDataDir, { recursive: true });
+    const natsDataDir = join16(serverConfig.dataDir, "nats");
+    mkdirSync10(natsDataDir, { recursive: true });
     const natsArgs = buildPm2StartArgs({
       kind: "nats",
       script: natsPath,
@@ -136143,8 +136342,8 @@ function createTurnsCommand() {
 }
 
 // src/commands/update.ts
-import { existsSync as existsSync18 } from "fs";
-import { join as join17 } from "path";
+import { existsSync as existsSync19 } from "fs";
+import { join as join18 } from "path";
 import { createInterface as createInterface3 } from "readline";
 init_source();
 init_config();
@@ -136426,9 +136625,9 @@ async function cleanupLegacyArtifacts(skipList) {
 init_output();
 
 // src/update-diagnostics.ts
-import { existsSync as existsSync17, mkdirSync as mkdirSync10, readFileSync as readFileSync11, writeFileSync as writeFileSync9 } from "fs";
-import { homedir as homedir11 } from "os";
-import { join as join16 } from "path";
+import { existsSync as existsSync18, mkdirSync as mkdirSync11, readFileSync as readFileSync12, writeFileSync as writeFileSync10 } from "fs";
+import { homedir as homedir12 } from "os";
+import { join as join17 } from "path";
 var UPDATE_DIAGNOSTICS_SCHEMA_VERSION = 1;
 function createDiagnostics(args) {
   const startedAt = new Date().toISOString();
@@ -136450,18 +136649,18 @@ function createDiagnostics(args) {
   };
 }
 function getDiagnosticsDir() {
-  const base = process.env.OMNI_CONFIG_DIR ?? join16(homedir11(), ".omni");
-  return join16(base, "logs");
+  const base = process.env.OMNI_CONFIG_DIR ?? join17(homedir12(), ".omni");
+  return join17(base, "logs");
 }
 function getDiagnosticsPath(startedAt) {
   const safe = startedAt.replace(/:/g, "-");
-  return join16(getDiagnosticsDir(), `update-diagnostics-${safe}.json`);
+  return join17(getDiagnosticsDir(), `update-diagnostics-${safe}.json`);
 }
 function tailFileLines(path, maxLines) {
-  if (!existsSync17(path))
+  if (!existsSync18(path))
     return [];
   try {
-    const raw2 = readFileSync11(path, "utf8");
+    const raw2 = readFileSync12(path, "utf8");
     const lines = raw2.split(/\r?\n/);
     if (lines.length > 0 && lines[lines.length - 1] === "")
       lines.pop();
@@ -136494,10 +136693,10 @@ function writeDiagnostics(state, exitCode) {
   const dir = getDiagnosticsDir();
   const path = getDiagnosticsPath(state.startedAt);
   try {
-    if (!existsSync17(dir)) {
-      mkdirSync10(dir, { recursive: true, mode: 448 });
+    if (!existsSync18(dir)) {
+      mkdirSync11(dir, { recursive: true, mode: 448 });
     }
-    writeFileSync9(path, `${JSON.stringify(state, null, 2)}
+    writeFileSync10(path, `${JSON.stringify(state, null, 2)}
 `, { mode: 384 });
     return path;
   } catch {
@@ -136668,7 +136867,7 @@ function printVerifySkippedBanner(latest) {
 }
 function detectParallelNpmGlobalInstall(deps) {
   const npmRootFn = deps?.npmRoot ?? defaultNpmRoot;
-  const existsFn = deps?.exists ?? existsSync18;
+  const existsFn = deps?.exists ?? existsSync19;
   let root;
   try {
     root = npmRootFn();
@@ -136678,7 +136877,7 @@ function detectParallelNpmGlobalInstall(deps) {
   if (root === null || root.length === 0) {
     return { detected: false, skipped: "npm-not-on-path" };
   }
-  const candidate = join17(root, "@automagik", "omni");
+  const candidate = join18(root, "@automagik", "omni");
   if (existsFn(candidate)) {
     return { detected: true, path: candidate };
   }
@@ -137075,9 +137274,9 @@ function createVoiceCommand() {
     const startTime = Date.now();
     let saveDir = "";
     if (opts.save) {
-      const { mkdirSync: mkdirSync11 } = await import("fs");
+      const { mkdirSync: mkdirSync12 } = await import("fs");
       saveDir = opts.save;
-      mkdirSync11(saveDir, { recursive: true });
+      mkdirSync12(saveDir, { recursive: true });
       info(`Saving audio to: ${saveDir}`);
     }
     ws.onopen = () => {
@@ -137301,17 +137500,17 @@ init_config();
 init_output();
 
 // src/manifest-pin.ts
-import { existsSync as existsSync19, readFileSync as readFileSync12, renameSync as renameSync3, writeFileSync as writeFileSync10 } from "fs";
-import { homedir as homedir12 } from "os";
-import { join as join18 } from "path";
+import { existsSync as existsSync20, readFileSync as readFileSync13, renameSync as renameSync3, writeFileSync as writeFileSync11 } from "fs";
+import { homedir as homedir13 } from "os";
+import { join as join19 } from "path";
 var PACKAGE_NAME2 = "@automagik/omni";
-var BUN_GLOBAL_MANIFEST = join18(homedir12(), ".bun", "install", "global", "package.json");
+var BUN_GLOBAL_MANIFEST = join19(homedir13(), ".bun", "install", "global", "package.json");
 function pinManifestEntry(manifestPath, exactVersion) {
-  if (!existsSync19(manifestPath))
+  if (!existsSync20(manifestPath))
     return false;
   let manifest;
   try {
-    manifest = JSON.parse(readFileSync12(manifestPath, "utf-8"));
+    manifest = JSON.parse(readFileSync13(manifestPath, "utf-8"));
   } catch {
     return false;
   }
@@ -137337,7 +137536,7 @@ function pinManifestEntry(manifestPath, exactVersion) {
     return false;
   const tmp = `${manifestPath}.tmp.${process.pid}`;
   try {
-    writeFileSync10(tmp, `${JSON.stringify(manifest, null, 2)}
+    writeFileSync11(tmp, `${JSON.stringify(manifest, null, 2)}
 `, { mode: 420 });
     renameSync3(tmp, manifestPath);
   } catch {

package/dist/lib/canonical-pgserve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"canonical-pgserve.d.ts","sourceRoot":"","sources":["../../src/lib/canonical-pgserve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AA4OH;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAepE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,iCAAiC,CACrD,WAAW,EAAE,OAAO,EACpB,GAAG,EAAE;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,OAAO,CAAC,CA6BlB;AAwDD;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,CASnD;AAuCD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,MAAM,EAAE,kBAAkB,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,MAAM,EAAE,uBAAuB,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACxD;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA6D5F;AAED;;;;;;;;GAQG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,kBAAkB,EACxB,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC;IAAE,MAAM,EAAE,UAAU,GAAG,SAAS,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoCpE"}
+{"version":3,"file":"canonical-pgserve.d.ts","sourceRoot":"","sources":["../../src/lib/canonical-pgserve.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AA8OH;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CA6BpE;AAED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,iCAAiC,CACrD,WAAW,EAAE,OAAO,EACpB,GAAG,EAAE;IAAE,WAAW,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,OAAO,CAAC,CA6BlB;AAwDD;;;;;;;;;GASG;AACH,wBAAgB,0BAA0B,IAAI,MAAM,CASnD;AAuCD;;GAEG;AACH,MAAM,MAAM,kBAAkB,GAC1B;IAAE,MAAM,EAAE,kBAAkB,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACnD;IAAE,MAAM,EAAE,uBAAuB,CAAC;IAAC,WAAW,EAAE,MAAM,CAAA;CAAE,GACxD;IAAE,MAAM,EAAE,QAAQ,CAAC;IAAC,WAAW,EAAE,MAAM,CAAC;IAAC,YAAY,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAAC;AAEnF;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,cAAc,CAAC,kBAAkB,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC,CA6D5F;AAED;;;;;;;;GAQG;AACH,wBAAsB,0BAA0B,CAC9C,IAAI,EAAE,kBAAkB,EACxB,oBAAoB,EAAE,MAAM,GAC3B,OAAO,CAAC;IAAE,MAAM,EAAE,UAAU,GAAG,SAAS,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC,CAoCpE"}

package/dist/lib/role-cutover.d.ts

@@ -0,0 +1,92 @@
+/**
+ * Dedicated-role cutover — omni-side scoped non-superuser identity.
+ *
+ * Wish parity: mirrors genie's `src/lib/role-cutover.ts` (the
+ * `genie-dedicated-role-cutover` wish). Omni historically connected to
+ * canonical pgserve/autopg as the cluster superuser `postgres:postgres`.
+ * A bad omni migration or a compromised omni-api could therefore
+ * `DROP DATABASE genie`, exhaust the cluster, create roles, etc. —
+ * the same blast-radius problem genie solved with role-cutover.
+ *
+ * This module provisions a dedicated NON-superuser role scoped to omni's
+ * own `omni` database, persists the credential in a sentinel file, and
+ * is consumed by `buildRuntimeEnv` to rewrite `DATABASE_URL` to the
+ * scoped role at omni-api startup.
+ *
+ * Scope (MVP):
+ *   - Provision `pgserve_omni_<fp12>_role` with grants scoped to `omni` DB
+ *   - Generate a random password at provisioning, persist in sentinel
+ *   - Idempotent: existing role → refresh grants, regenerate sentinel from
+ *     password (preserves the operator-visible role identifier)
+ *   - Kill switch: `OMNI_ROLE_CUTOVER=0` forces legacy `postgres`/`postgres`
+ *   - Best-effort: any failure logs a warning and falls back to legacy creds
+ *
+ * Out of scope (deferred to a follow-up wish, matching genie's groups):
+ *   - Advisory-lock concurrency guards (multi-host simultaneous installs)
+ *   - Full event sink with audit log + sentinel rotation
+ *   - Per-tenant fingerprint stability handling beyond package.json
+ *   - doctor.ts validation that the scoped role is in active use
+ *   - Migration of pre-cutover objects' ownership to the scoped role
+ */
+/**
+ * Compute the scoped role name for an omni install. Deterministic — same
+ * install always produces the same role name across reruns.
+ */
+export declare function deriveOmniScopedRoleName(): string;
+export interface OmniRoleCutoverSentinel {
+    /** The provisioned role name (matches deriveOmniScopedRoleName output). */
+    roleName: string;
+    /** Database the role is scoped to (always `omni`). */
+    database: string;
+    /** Generated password (alphanumeric). */
+    password: string;
+    /** ISO timestamp of provisioning. */
+    provisionedAt: string;
+}
+export declare function readOmniCutoverSentinel(): OmniRoleCutoverSentinel | null;
+export declare function clearOmniCutoverSentinel(): void;
+export declare function isOmniRoleCutoverEnabled(): boolean;
+export interface EnsureOmniScopedRoleOptions {
+    /** Path to autopg's canonical Unix socket dir (e.g. /run/user/1000/pgserve). */
+    socketDir: string;
+    /** Canonical port (default 5432). */
+    port?: number;
+    /** Database to scope grants to (default 'omni'). */
+    database?: string;
+    /** Force-enable bypassing the OMNI_ROLE_CUTOVER kill switch (tests). */
+    enabled?: boolean;
+}
+export type EnsureOmniScopedRoleResult = {
+    status: 'provisioned' | 'refreshed';
+    roleName: string;
+} | {
+    status: 'skipped';
+    reason: string;
+};
+/**
+ * Idempotently provision omni's scoped role + grants on canonical pgserve.
+ *
+ * Side effects:
+ *   - CREATE ROLE if not exists (or ALTER PASSWORD if exists to keep sentinel in sync)
+ *   - GRANTs scoped to the omni database
+ *   - Sentinel written at ~/.omni/scoped-role.json
+ *
+ * Failure mode: best-effort. Any psql / spawn failure returns
+ * `{ status: 'skipped', reason }` and emits a stderr warn. omni-api
+ * continues with the legacy `postgres:postgres` path.
+ */
+export declare function ensureOmniScopedRole(opts: EnsureOmniScopedRoleOptions): Promise<EnsureOmniScopedRoleResult>;
+export interface ScopedCredentialOverride {
+    username: string;
+    password: string;
+    roleName: string;
+}
+/**
+ * Returns the scoped-role credentials to override `postgres:postgres` with
+ * at runtime, or null when cutover is disabled / sentinel missing / kill
+ * switch active. Pure: no DB roundtrip.
+ *
+ * Consumed by buildRuntimeEnv when constructing DATABASE_URL.
+ */
+export declare function resolveOmniScopedCredentials(): ScopedCredentialOverride | null;
+//# sourceMappingURL=role-cutover.d.ts.map

package/dist/lib/role-cutover.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-cutover.d.ts","sourceRoot":"","sources":["../../src/lib/role-cutover.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AA+BH;;;GAGG;AACH,wBAAgB,wBAAwB,IAAI,MAAM,CAUjD;AAqBD,MAAM,WAAW,uBAAuB;IACtC,2EAA2E;IAC3E,QAAQ,EAAE,MAAM,CAAC;IACjB,sDAAsD;IACtD,QAAQ,EAAE,MAAM,CAAC;IACjB,yCAAyC;IACzC,QAAQ,EAAE,MAAM,CAAC;IACjB,qCAAqC;IACrC,aAAa,EAAE,MAAM,CAAC;CACvB;AAUD,wBAAgB,uBAAuB,IAAI,uBAAuB,GAAG,IAAI,CAkBxE;AASD,wBAAgB,wBAAwB,IAAI,IAAI,CAM/C;AAMD,wBAAgB,wBAAwB,IAAI,OAAO,CAElD;AAWD,MAAM,WAAW,2BAA2B;IAC1C,gFAAgF;IAChF,SAAS,EAAE,MAAM,CAAC;IAClB,qCAAqC;IACrC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,oDAAoD;IACpD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,wEAAwE;IACxE,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,MAAM,MAAM,0BAA0B,GAClC;IAAE,MAAM,EAAE,aAAa,GAAG,WAAW,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GACzD;IAAE,MAAM,EAAE,SAAS,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAE,CAAC;AAE1C;;;;;;;;;;;GAWG;AACH,wBAAsB,oBAAoB,CAAC,IAAI,EAAE,2BAA2B,GAAG,OAAO,CAAC,0BAA0B,CAAC,CAyEjH;AA0CD,MAAM,WAAW,wBAAwB;IACvC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CAClB;AAED;;;;;;GAMG;AACH,wBAAgB,4BAA4B,IAAI,wBAAwB,GAAG,IAAI,CAc9E"}

package/dist/runtime-env.d.ts

@@ -101,6 +101,15 @@ export declare function resolvePgservePort(serverConfig: ServerConfig): number;
  * This function never reads `process.env.DATABASE_URL`.
  */
 export declare function resolveDatabaseUrl(serverConfig: ServerConfig): string;
+/**
+ * Replace the userinfo in a postgresql:// URL with the scoped-role
+ * credentials. Returns the URL unchanged when `creds` is null. Pure;
+ * URL-safe via WHATWG URL.
+ */
+export declare function applyScopedCredentials(url: string, creds: {
+    username: string;
+    password: string;
+} | null): string;
 /**
  * Build the complete runtime env for the omni-api process.
  *

package/dist/runtime-env.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"runtime-env.d.ts","sourceRoot":"","sources":["../src/runtime-env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAQxD;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IAQrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAQF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,oBAAoB,OAAO,CAAC;AAEzC,0EAA0E;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAE/D;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,GAAE,MAA6B,GAAG,MAAM,CAE3F;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,IAAI,MAAM,CAKxD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,GAAG,MAAM,CAMrE;AAgBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,GAAG,MAAM,CAiBrE;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,GAAG,UAAU,CA+BzF"}
+{"version":3,"file":"runtime-env.d.ts","sourceRoot":"","sources":["../src/runtime-env.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AASxD;;;GAGG;AACH,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IAQrB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,YAAY,EAAE,MAAM,CAAC;IACrB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,iBAAiB,EAAE,MAAM,CAAC;IAC1B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;CACnB,CAAC;AAQF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,oBAAoB,OAAO,CAAC;AAEzC,0EAA0E;AAC1E,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAE/D;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,WAAW,GAAE,MAA6B,GAAG,MAAM,CAE3F;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,IAAI,MAAM,CAKxD;AAED;;;;;GAKG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,GAAG,MAAM,CAMrE;AAgBD;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,YAAY,GAAG,MAAM,CAiBrE;AAED;;;;GAIG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,MAAM,EAAE,KAAK,EAAE;IAAE,QAAQ,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAE,GAAG,IAAI,GAAG,MAAM,CAWhH;AAED;;;;;;;;;;;;;;;GAeG;AACH,wBAAgB,eAAe,CAAC,YAAY,EAAE,YAAY,EAAE,SAAS,EAAE,MAAM,GAAG,UAAU,CAqCzF"}

package/dist/server/index.js

@@ -230137,7 +230137,7 @@ var init_sentry_scrub = __esm(() => {
 var require_package8 = __commonJS((exports, module) => {
   module.exports = {
     name: "@omni/api",
-    version: "2.260520.10",
+    version: "2.260520.11",
     type: "module",
     exports: {
       ".": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@automagik/omni",
-  "version": "2.260520.10",
+  "version": "2.260520.11",
   "description": "LLM-optimized CLI for Omni",
   "type": "module",
   "bin": {