@desplega.ai/agent-swarm 1.80.2 → 1.81.0

package/src/be/db.ts

@@ -8733,13 +8733,13 @@ type UserRow = {
   email: string | null;
   role: string | null;
   notes: string | null;
-  slackUserId: string | null;
-  linearUserId: string | null;
-  githubUsername: string | null;
-  gitlabUsername: string | null;
   emailAliases: string | null;
   preferredChannel: string | null;
   timezone: string | null;
+  // Phase 064 columns
+  metadata: string | null;
+  dailyBudgetUsd: number | null;
+  status: string;
   createdAt: string;
   lastUpdatedAt: string;
 };
@@ -8751,86 +8751,17 @@ function rowToUser(row: UserRow): User {
     email: row.email ?? undefined,
     role: row.role ?? undefined,
     notes: row.notes ?? undefined,
-    slackUserId: row.slackUserId ?? undefined,
-    linearUserId: row.linearUserId ?? undefined,
-    githubUsername: row.githubUsername ?? undefined,
-    gitlabUsername: row.gitlabUsername ?? undefined,
     emailAliases: row.emailAliases ? JSON.parse(row.emailAliases) : [],
     preferredChannel: row.preferredChannel ?? "slack",
     timezone: row.timezone ?? undefined,
+    metadata: row.metadata ? (JSON.parse(row.metadata) as Record<string, unknown>) : undefined,
+    dailyBudgetUsd: row.dailyBudgetUsd ?? null,
+    status: (row.status as "invited" | "active" | "suspended") ?? "active",
     createdAt: row.createdAt,
     lastUpdatedAt: row.lastUpdatedAt,
   };
 }
 
-/**
- * Resolve a user by any platform-specific identifier.
- * Priority: exact match on platform ID, then email (including aliases), then name substring.
- */
-export function resolveUser(opts: {
-  slackUserId?: string;
-  linearUserId?: string;
-  githubUsername?: string;
-  gitlabUsername?: string;
-  email?: string;
-  name?: string;
-}): User | null {
-  const db = getDb();
-
-  // Try exact platform ID matches first
-  if (opts.slackUserId) {
-    const row = db
-      .prepare<UserRow, string>("SELECT * FROM users WHERE slackUserId = ?")
-      .get(opts.slackUserId);
-    if (row) return rowToUser(row);
-  }
-  if (opts.linearUserId) {
-    const row = db
-      .prepare<UserRow, string>("SELECT * FROM users WHERE linearUserId = ?")
-      .get(opts.linearUserId);
-    if (row) return rowToUser(row);
-  }
-  if (opts.githubUsername) {
-    const row = db
-      .prepare<UserRow, string>("SELECT * FROM users WHERE githubUsername = ?")
-      .get(opts.githubUsername);
-    if (row) return rowToUser(row);
-  }
-  if (opts.gitlabUsername) {
-    const row = db
-      .prepare<UserRow, string>("SELECT * FROM users WHERE gitlabUsername = ?")
-      .get(opts.gitlabUsername);
-    if (row) return rowToUser(row);
-  }
-
-  // Try email match (primary email)
-  if (opts.email) {
-    const row = db.prepare<UserRow, string>("SELECT * FROM users WHERE email = ?").get(opts.email);
-    if (row) return rowToUser(row);
-
-    // Check emailAliases (JSON array search)
-    const aliasRows = db
-      .prepare<UserRow, []>("SELECT * FROM users WHERE emailAliases != '[]'")
-      .all();
-    for (const r of aliasRows) {
-      const aliases: string[] = r.emailAliases ? JSON.parse(r.emailAliases) : [];
-      if (aliases.some((a) => a.toLowerCase() === opts.email!.toLowerCase())) {
-        return rowToUser(r);
-      }
-    }
-  }
-
-  // Try name substring match (case-insensitive)
-  if (opts.name) {
-    const row = db
-      .prepare<UserRow, string>("SELECT * FROM users WHERE LOWER(name) LIKE '%' || LOWER(?) || '%'")
-      .get(opts.name);
-    if (row) return rowToUser(row);
-  }
-
-  return null;
-}
-
 export function getUserById(id: string): User | null {
   const row = getDb().prepare<UserRow, string>("SELECT * FROM users WHERE id = ?").get(id);
   return row ? rowToUser(row) : null;
@@ -8845,20 +8776,19 @@ export function createUser(data: {
   email?: string;
   role?: string;
   notes?: string;
-  slackUserId?: string;
-  linearUserId?: string;
-  githubUsername?: string;
-  gitlabUsername?: string;
   emailAliases?: string[];
   preferredChannel?: string;
   timezone?: string;
+  metadata?: Record<string, unknown>;
+  dailyBudgetUsd?: number | null;
+  status?: "invited" | "active" | "suspended";
 }): User {
   const id = crypto.randomUUID().replace(/-/g, "");
   const now = new Date().toISOString();
   const row = getDb()
-    .prepare<UserRow, (string | null)[]>(
-      `INSERT INTO users (id, name, email, role, notes, slackUserId, linearUserId, githubUsername, gitlabUsername, emailAliases, preferredChannel, timezone, createdAt, lastUpdatedAt)
-       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING *`,
+    .prepare<UserRow, (string | number | null)[]>(
+      `INSERT INTO users (id, name, email, role, notes, emailAliases, preferredChannel, timezone, metadata, dailyBudgetUsd, status, createdAt, lastUpdatedAt)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING *`,
     )
     .get(
       id,
@@ -8866,13 +8796,12 @@ export function createUser(data: {
       data.email ?? null,
       data.role ?? null,
       data.notes ?? null,
-      data.slackUserId ?? null,
-      data.linearUserId ?? null,
-      data.githubUsername ?? null,
-      data.gitlabUsername ?? null,
       JSON.stringify(data.emailAliases ?? []),
       data.preferredChannel ?? "slack",
       data.timezone ?? null,
+      data.metadata !== undefined ? JSON.stringify(data.metadata) : null,
+      data.dailyBudgetUsd ?? null,
+      data.status ?? "active",
       now,
       now,
     );
@@ -8887,17 +8816,16 @@ export function updateUser(
     email: string;
     role: string;
     notes: string;
-    slackUserId: string;
-    linearUserId: string;
-    githubUsername: string;
-    gitlabUsername: string;
     emailAliases: string[];
     preferredChannel: string;
     timezone: string;
+    metadata: Record<string, unknown> | null;
+    dailyBudgetUsd: number | null;
+    status: "invited" | "active" | "suspended";
   }>,
 ): User | null {
   const sets: string[] = [];
-  const params: (string | null)[] = [];
+  const params: (string | number | null)[] = [];
 
   if (data.name !== undefined) {
     sets.push("name = ?");
@@ -8915,22 +8843,6 @@ export function updateUser(
     sets.push("notes = ?");
     params.push(data.notes);
   }
-  if (data.slackUserId !== undefined) {
-    sets.push("slackUserId = ?");
-    params.push(data.slackUserId);
-  }
-  if (data.linearUserId !== undefined) {
-    sets.push("linearUserId = ?");
-    params.push(data.linearUserId);
-  }
-  if (data.githubUsername !== undefined) {
-    sets.push("githubUsername = ?");
-    params.push(data.githubUsername);
-  }
-  if (data.gitlabUsername !== undefined) {
-    sets.push("gitlabUsername = ?");
-    params.push(data.gitlabUsername);
-  }
   if (data.emailAliases !== undefined) {
     sets.push("emailAliases = ?");
     params.push(JSON.stringify(data.emailAliases));
@@ -8943,6 +8855,18 @@ export function updateUser(
     sets.push("timezone = ?");
     params.push(data.timezone);
   }
+  if (data.metadata !== undefined) {
+    sets.push("metadata = ?");
+    params.push(data.metadata === null ? null : JSON.stringify(data.metadata));
+  }
+  if (data.dailyBudgetUsd !== undefined) {
+    sets.push("dailyBudgetUsd = ?");
+    params.push(data.dailyBudgetUsd);
+  }
+  if (data.status !== undefined) {
+    sets.push("status = ?");
+    params.push(data.status);
+  }
 
   if (sets.length === 0) return getUserById(id);
 
@@ -8951,7 +8875,7 @@ export function updateUser(
   params.push(id);
 
   const row = getDb()
-    .prepare<UserRow, (string | null)[]>(
+    .prepare<UserRow, (string | number | null)[]>(
       `UPDATE users SET ${sets.join(", ")} WHERE id = ? RETURNING *`,
     )
     .get(...params);

package/src/be/migrations/067_users_first_class.sql

@@ -0,0 +1,185 @@
+-- 064_users_first_class.sql
+-- "Humans as first-class users" — foundation migration.
+--
+-- Normalizes platform identities into a join table and lands the supporting
+-- tables/columns the rest of the refactor (plan: 2026-05-18-users-first-class-refactor)
+-- needs. The four previously-denormalized identity columns on `users`
+-- (slackUserId / linearUserId / githubUsername / gitlabUsername — added in
+-- migration 031) are backfilled into `user_external_ids` and then dropped.
+--
+-- Q-research refs (brainstorm 2026-05-18-humans-as-first-class-users):
+--   * Q8  — `user_external_ids` schema (PK = (kind, externalId))
+--   * Q15 — no-soak, same-PR DROP COLUMNs
+--   * Q17.D — `unmapped` integration kv shape lives in kv_entries (no schema needed)
+--   * Q19 — full event-type CHECK enum (10 types)
+--   * Q20 — `user_tokens.tokenPreview` (last 4 chars of plaintext)
+--
+-- ORDER MATTERS:
+--   1) DDL: new tables + new user columns (no FKs from drop targets)
+--   2) Backfill: copy the four identity columns into user_external_ids
+--   3) DROP COLUMN: remove the four identity columns from users
+--
+-- SQLite drops dependent UNIQUE indexes automatically when their parent
+-- column is dropped (verified in CI by Automated Verification §1 in step-1).
+
+-- ---------------------------------------------------------------------------
+-- 1. user_external_ids — canonical join table for platform identities.
+-- ---------------------------------------------------------------------------
+--
+-- PK is (kind, externalId): one external account maps to at most one swarm
+-- user. Multiple identities of the same kind (e.g. two Slack workspaces) are
+-- handled by the externalId prefix being workspace-scoped at the caller.
+--
+-- userId FK has ON DELETE CASCADE so removing a user cleans up their identity
+-- mappings without manual fan-out. Mirrors `user_tokens.userId` behaviour.
+
+CREATE TABLE IF NOT EXISTS user_external_ids (
+  kind TEXT NOT NULL,
+  externalId TEXT NOT NULL,
+  userId TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  createdAt TEXT NOT NULL DEFAULT (datetime('now')),
+  PRIMARY KEY (kind, externalId)
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_external_ids_userId
+  ON user_external_ids(userId);
+
+-- ---------------------------------------------------------------------------
+-- 2. users — new columns.
+-- ---------------------------------------------------------------------------
+-- metadata    : free-form JSON (operator notes, integration hints, …)
+-- dailyBudgetUsd : NULL = unlimited, REAL value = soft cap in USD/day
+-- status      : invited → active → suspended (operator lifecycle)
+
+ALTER TABLE users ADD COLUMN metadata TEXT;
+ALTER TABLE users ADD COLUMN dailyBudgetUsd REAL;
+ALTER TABLE users ADD COLUMN status TEXT NOT NULL DEFAULT 'active'
+  CHECK (status IN ('invited', 'active', 'suspended'));
+
+-- ---------------------------------------------------------------------------
+-- 3. user_tokens — schema lands here (Q20). Mint/revoke endpoints + UI dialog
+-- ship with a separate MCP-token plan; this table is created so the scrubber
+-- rule + future endpoints have a place to write.
+-- ---------------------------------------------------------------------------
+-- tokenHash    : sha256 of the plaintext (only thing we can search by).
+-- tokenPreview : last 4 chars of the plaintext for UI display ("…ax7b").
+
+CREATE TABLE IF NOT EXISTS user_tokens (
+  id TEXT PRIMARY KEY,
+  userId TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  label TEXT,
+  tokenHash TEXT NOT NULL UNIQUE,
+  tokenPreview TEXT NOT NULL,
+  createdAt TEXT NOT NULL DEFAULT (datetime('now')),
+  lastUsedAt TEXT,
+  revokedAt TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_tokens_userId
+  ON user_tokens(userId);
+
+-- ---------------------------------------------------------------------------
+-- 4. user_identity_events — append-only audit log of identity mutations.
+-- ---------------------------------------------------------------------------
+-- CHECK enum mirrors `IdentityEventTypeSchema` in src/types.ts (Q19).
+-- Keep these in lockstep — drift breaks helper INSERTs at runtime.
+--
+-- actor : free-form identifier of the caller, e.g.
+--           'system:slack-webhook'  — automatic webhook path
+--           'op:<sha256-16>'        — operator (fingerprintApiKey output)
+--           'user:<userId>'         — end-user action (future MCP token)
+
+CREATE TABLE IF NOT EXISTS user_identity_events (
+  id TEXT PRIMARY KEY,
+  userId TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  eventType TEXT NOT NULL CHECK (eventType IN (
+    'auto_merge',
+    'manual_merge',
+    'identity_added',
+    'identity_removed',
+    'email_added',
+    'email_removed',
+    'token_minted',
+    'token_revoked',
+    'budget_changed',
+    'status_changed'
+  )),
+  actor TEXT NOT NULL,
+  beforeJson TEXT,
+  afterJson TEXT,
+  createdAt TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_user_identity_events_userId_createdAt
+  ON user_identity_events(userId, createdAt DESC);
+
+-- ---------------------------------------------------------------------------
+-- 5. Backfill: copy the four existing identity columns into user_external_ids.
+-- Must run BEFORE the DROP COLUMNs below.
+-- ---------------------------------------------------------------------------
+
+INSERT OR IGNORE INTO user_external_ids (userId, kind, externalId)
+SELECT id, 'slack', slackUserId FROM users WHERE slackUserId IS NOT NULL
+UNION ALL
+SELECT id, 'linear', linearUserId FROM users WHERE linearUserId IS NOT NULL
+UNION ALL
+SELECT id, 'github', githubUsername FROM users WHERE githubUsername IS NOT NULL
+UNION ALL
+SELECT id, 'gitlab', gitlabUsername FROM users WHERE gitlabUsername IS NOT NULL;
+
+-- ---------------------------------------------------------------------------
+-- 6. Drop the four deprecated identity columns.
+--
+-- Migration 031 declared each of these with inline `UNIQUE` on the column
+-- itself (separate from the partial unique indexes). SQLite refuses to
+-- `DROP COLUMN` when an inline UNIQUE constraint is attached, so we do the
+-- standard create-new / copy / drop / rename dance — same pattern as
+-- migration 063's `pricing` and `session_costs` rewrites.
+--
+-- We also explicitly drop the four partial unique indexes (`idx_users_*`)
+-- first; SQLite would auto-drop them with the table swap, but listing them
+-- here keeps the intent obvious.
+-- ---------------------------------------------------------------------------
+
+DROP INDEX IF EXISTS idx_users_slack;
+DROP INDEX IF EXISTS idx_users_linear;
+DROP INDEX IF EXISTS idx_users_github;
+DROP INDEX IF EXISTS idx_users_gitlab;
+
+CREATE TABLE users_new (
+  id TEXT PRIMARY KEY DEFAULT (lower(hex(randomblob(16)))),
+  name TEXT NOT NULL,
+  email TEXT,
+  role TEXT,
+  notes TEXT,
+  emailAliases TEXT DEFAULT '[]',
+  preferredChannel TEXT DEFAULT 'slack',
+  timezone TEXT,
+  metadata TEXT,
+  dailyBudgetUsd REAL,
+  status TEXT NOT NULL DEFAULT 'active'
+    CHECK (status IN ('invited', 'active', 'suspended')),
+  createdAt TEXT NOT NULL DEFAULT (datetime('now')),
+  lastUpdatedAt TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+INSERT INTO users_new (
+  id, name, email, role, notes,
+  emailAliases, preferredChannel, timezone,
+  metadata, dailyBudgetUsd, status,
+  createdAt, lastUpdatedAt
+)
+SELECT
+  id, name, email, role, notes,
+  emailAliases, preferredChannel, timezone,
+  metadata, dailyBudgetUsd, status,
+  createdAt, lastUpdatedAt
+FROM users;
+
+DROP TABLE users;
+ALTER TABLE users_new RENAME TO users;
+
+-- Recreate the email index that migration 031 set up (still relevant —
+-- aliases-lookup goes through the JSON path).
+CREATE UNIQUE INDEX IF NOT EXISTS idx_users_email
+  ON users(email) WHERE email IS NOT NULL;

package/src/be/migrations/068_profile_changed_event_type.sql

@@ -0,0 +1,56 @@
+-- 065_profile_changed_event_type.sql
+-- Widen the CHECK constraint on `user_identity_events.eventType` to include
+-- `profile_changed` — emitted by PATCH /api/users/:id for non-budget,
+-- non-status, non-identity, non-email-alias field edits (name, email, role,
+-- emailAliases-as-a-whole already covered by email_added/removed, timezone,
+-- preferredChannel, notes, metadata).
+--
+-- SQLite cannot ALTER a CHECK constraint in place — we follow the table-rebuild
+-- recipe from migration 056_drop_agent_tasks_source_check.sql verbatim:
+--   1) PRAGMA foreign_keys=off
+--   2) CREATE TABLE user_identity_events_new (… new CHECK …)
+--   3) INSERT … SELECT (explicit column list)
+--   4) DROP old, RENAME new
+--   5) Recreate the (userId, createdAt DESC) index from migration 064
+--   6) PRAGMA foreign_keys=on
+--
+-- Keep `IdentityEventTypeSchema` in src/types.ts in lockstep with this CHECK.
+
+PRAGMA foreign_keys=off;
+
+CREATE TABLE user_identity_events_new (
+  id TEXT PRIMARY KEY,
+  userId TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  eventType TEXT NOT NULL CHECK (eventType IN (
+    'auto_merge',
+    'manual_merge',
+    'identity_added',
+    'identity_removed',
+    'email_added',
+    'email_removed',
+    'token_minted',
+    'token_revoked',
+    'budget_changed',
+    'status_changed',
+    'profile_changed'
+  )),
+  actor TEXT NOT NULL,
+  beforeJson TEXT,
+  afterJson TEXT,
+  createdAt TEXT NOT NULL DEFAULT (datetime('now'))
+);
+
+INSERT INTO user_identity_events_new (
+  id, userId, eventType, actor, beforeJson, afterJson, createdAt
+)
+SELECT
+  id, userId, eventType, actor, beforeJson, afterJson, createdAt
+FROM user_identity_events;
+
+DROP TABLE user_identity_events;
+ALTER TABLE user_identity_events_new RENAME TO user_identity_events;
+
+CREATE INDEX IF NOT EXISTS idx_user_identity_events_userId_createdAt
+  ON user_identity_events(userId, createdAt DESC);
+
+PRAGMA foreign_keys=on;

package/src/be/unmapped-identities.ts

@@ -0,0 +1,98 @@
+/**
+ * Kv-backed tracker for external identities that hit a webhook handler but
+ * couldn't be auto-linked to a `users` row (no email available + no existing
+ * mapping in `user_external_ids`). Operators triage these via the People-page
+ * Unmapped tab (Q17.D / Q14).
+ *
+ * Storage layout — two rows per `(kind, externalId)`:
+ *   * `<externalId>:meta`  → JSON `UnmappedMeta`, upserted on each sighting
+ *                            with a refreshed 30-day TTL.
+ *   * `<externalId>:count` → integer, atomically incremented via `incrKv`.
+ *
+ * Namespace shape: `integration:unmapped:<kind>` (e.g. `integration:unmapped:slack`).
+ *
+ * TTL: The `:meta` row carries the canonical 30-day expiry, refreshed on every
+ * sighting. The `:count` row inherits the same TTL when first minted; the
+ * operator UI reads `:meta` rows and joins to `:count`, so a stale `:count`
+ * without a matching `:meta` is treated as gone (and naturally expires after
+ * 30 days of inactivity).
+ *
+ * API-side only — uses `getDb`-backed helpers via `src/be/db`. The DB-boundary
+ * checker enforces that worker-side paths don't import this file.
+ */
+
+import { getKv, incrKv, upsertKv } from "./db";
+
+const TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
+
+/** Metadata stored under `<externalId>:meta`. */
+export interface UnmappedMeta {
+  /** ISO timestamp of the most recent sighting. */
+  lastSeenAt: string;
+  /** Coarse event-type label (e.g. `message`, `assistant_message`, `block_actions`). */
+  sampleEventType: string;
+  /** ≤100 char excerpt of the trigger payload so operators have triage context. */
+  sampleContext: string;
+}
+
+function namespace(kind: string): string {
+  return `integration:unmapped:${kind}`;
+}
+
+/**
+ * Record one sighting of an unmapped external identity. Emits exactly two
+ * kv writes:
+ *   1. `<externalId>:meta` — JSON upsert with a refreshed 30-day TTL.
+ *   2. `<externalId>:count` — atomic integer increment. On the first sighting
+ *      the counter row is created without a TTL by `incrKv`, so we patch it
+ *      to inherit the 30-day window. Concurrent increments are safe — the
+ *      patch is a no-op once the row already has a TTL.
+ *
+ * The writes are NOT bundled in a single transaction — the tracker is
+ * best-effort audit, not a primary store. A partial failure is acceptable;
+ * the next sighting reconciles.
+ */
+export function recordUnmappedIdentity(
+  kind: string,
+  externalId: string,
+  meta: { sampleEventType: string; sampleContext: string },
+): void {
+  const ns = namespace(kind);
+  const now = new Date().toISOString();
+  const expiresAt = Date.now() + TTL_MS;
+  const countKey = `${externalId}:count`;
+
+  // Snapshot count-row existence BEFORE incrementing so we know whether to
+  // patch the TTL. Reads are race-tolerant: worst case two callers both see
+  // "no row" and both patch — the second patch is idempotent.
+  const countBefore = getKv(ns, countKey);
+
+  upsertKv({
+    namespace: ns,
+    key: `${externalId}:meta`,
+    value: {
+      lastSeenAt: now,
+      sampleEventType: meta.sampleEventType,
+      sampleContext: meta.sampleContext.slice(0, 100),
+    } satisfies UnmappedMeta,
+    valueType: "json",
+    expiresAt,
+  });
+
+  const incremented = incrKv(ns, countKey, 1);
+
+  // First-mint TTL patch. Only patch when:
+  //   * The pre-incr snapshot showed no row (or expired)
+  //   * AND the post-incr value is the count we just established
+  // Reading the post-incr value back keeps us from clobbering a concurrent
+  // increment that already bumped past 1.
+  if (countBefore === null) {
+    upsertKv({
+      namespace: ns,
+      key: countKey,
+      value: Number(incremented.value),
+      valueType: "integer",
+      expiresAt,
+    });
+  }
+}