@hogsend/cli 0.21.1 → 0.23.0

package/dist/bin.js

@@ -472,7 +472,7 @@ var campaignsCommand = {
 
 // src/commands/connect.ts
 import { parseArgs as parseArgs2 } from "util";
-import { confirm, select, text } from "@clack/prompts";
+import { confirm, password, select, text } from "@clack/prompts";
 
 // src/lib/browser.ts
 import { spawn } from "child_process";
@@ -491,6 +491,202 @@ function openBrowser(url) {
   }
 }
 
+// src/lib/connect-discord-flow.ts
+var ConnectDiscordError = class extends Error {
+  verdict;
+  hint;
+  constructor(verdict, message, hint) {
+    super(message);
+    this.name = "ConnectDiscordError";
+    this.verdict = verdict;
+    this.hint = hint;
+  }
+};
+var HINT_NOT_CONFIGURED = "Run `hogsend connect discord` interactively (in a terminal) to paste the four Discord portal values. To only read the current state, re-run with --status (which never prompts).";
+var HINT_LOOPBACK = "Discord validates the interactions endpoint by PINGing it synchronously, so it must be publicly reachable. Run this against your DEPLOYED instance (point --url at it); the secrets are stored either way.";
+function isLoopbackUrl(publicUrl) {
+  try {
+    const host = new URL(publicUrl).hostname.toLowerCase();
+    return host === "localhost" || host === "127.0.0.1" || host === "0.0.0.0" || host === "[::1]" || host === "::1" || host.endsWith(".localhost");
+  } catch {
+    return false;
+  }
+}
+var errMsg = (err) => err instanceof Error ? err.message : String(err);
+function portalSteps(info) {
+  return [
+    "One-time Discord developer portal setup:",
+    "",
+    "  1. https://discord.com/developers/applications -> New Application",
+    "  2. Bot tab -> Reset Token -> copy the BOT TOKEN. Enable the privileged",
+    "     gateway intents: SERVER MEMBERS, MESSAGE CONTENT, PRESENCE.",
+    "  3. OAuth2 tab -> copy the CLIENT ID (= application id) and CLIENT",
+    "     SECRET. Add this exact redirect URL:",
+    `       ${info.redirectUri}`,
+    "  4. General Information tab -> copy the PUBLIC KEY.",
+    "",
+    "The interactions endpoint is wired for you (you do NOT paste it):",
+    `  ${info.interactionsUrl}`
+  ].join("\n");
+}
+async function runConnectDiscord(deps, opts) {
+  const base = deps.http.cfg.baseUrl;
+  const info = await deps.out.step(
+    `GET ${base}/v1/admin/connectors/discord/connect-info`,
+    () => deps.http.get(
+      "/v1/admin/connectors/discord/connect-info"
+    )
+  );
+  if (opts.statusOnly) {
+    deps.out.note(
+      [
+        "Discord connection status",
+        `  instance        ${base}`,
+        `  secrets stored  ${info.credentialStored ? "yes" : "no"}`,
+        `  interactions    ${info.botInstalled ? "wired" : "not wired"}`,
+        `  guild id        ${info.guildId ?? "(not yet captured)"}`,
+        `  ingress secret  ${info.ingressSecretConfigured ? "set" : "unset"}`,
+        `  install url     ${info.installUrl ?? "(stored secrets first)"}`
+      ].join("\n")
+    );
+    return {
+      verdict: info.botInstalled ? "connected" : "secrets_stored_not_wired",
+      providerId: "discord",
+      instance: base,
+      secretsStored: info.credentialStored,
+      wired: info.botInstalled,
+      // The SERVER-MINTED install URL (carries a valid signed state). Null until
+      // the secrets are stored — there's nothing for the operator to open yet.
+      botInstallUrl: info.installUrl,
+      guildId: info.guildId
+    };
+  }
+  deps.out.note(portalSteps(info), "Discord portal");
+  if (!deps.interactive) {
+    throw new ConnectDiscordError(
+      "not_configured",
+      "Discord connect needs the four portal values pasted interactively",
+      HINT_NOT_CONFIGURED
+    );
+  }
+  const secrets = await deps.promptSecrets();
+  if (!secrets.appId.trim() || !secrets.publicKey.trim() || !secrets.botToken.trim() || !secrets.clientSecret.trim()) {
+    throw new ConnectDiscordError(
+      "paste_aborted",
+      "all four values (application id, public key, bot token, client secret) are required"
+    );
+  }
+  try {
+    await deps.out.step(
+      `PUT ${base}/v1/admin/connectors/discord/secrets`,
+      () => deps.http.put("/v1/admin/connectors/discord/secrets", {
+        appId: secrets.appId.trim(),
+        publicKey: secrets.publicKey.trim(),
+        botToken: secrets.botToken.trim(),
+        clientSecret: secrets.clientSecret.trim()
+      })
+    );
+  } catch (err) {
+    throw new ConnectDiscordError("store_failed", errMsg(err));
+  }
+  const stored = await deps.out.step(
+    "Reading the server-minted install URL",
+    () => deps.http.get(
+      "/v1/admin/connectors/discord/connect-info"
+    )
+  );
+  const botInstallUrl = stored.installUrl;
+  if (isLoopbackUrl(info.apiPublicUrl)) {
+    deps.out.note(
+      `Secrets stored, but this instance's API_PUBLIC_URL is ${info.apiPublicUrl} (a loopback address). Discord cannot reach the interactions endpoint, so wiring was skipped.
+
+Wire it against your deployed instance:
+
+  hogsend connect discord --url https://your-instance`,
+      "Instance not publicly reachable"
+    );
+    return {
+      verdict: "secrets_stored_not_wired",
+      providerId: "discord",
+      instance: base,
+      secretsStored: true,
+      wired: false,
+      botInstallUrl,
+      guildId: info.guildId
+    };
+  }
+  try {
+    await deps.out.step(
+      `POST ${base}/v1/admin/connectors/discord/wire`,
+      () => deps.http.post("/v1/admin/connectors/discord/wire", {})
+    );
+  } catch (err) {
+    if (isHttpError(err) && err.status === 409 && httpErrorBody(err) === "api_public_url_unreachable") {
+      throw new ConnectDiscordError(
+        "api_public_url_unreachable",
+        `API_PUBLIC_URL is ${info.apiPublicUrl} \u2014 Discord cannot PING the interactions endpoint`,
+        HINT_LOOPBACK
+      );
+    }
+    throw new ConnectDiscordError("wire_failed", errMsg(err));
+  }
+  let opened = false;
+  if (botInstallUrl) {
+    deps.out.note(
+      ["Add the bot to your server", `  ${botInstallUrl}`].join("\n")
+    );
+    opened = opts.noBrowser ? false : deps.openBrowser(botInstallUrl);
+    deps.out.log(
+      opened ? "Opening your browser to install the bot. Approve the install in your server, then this command finishes capturing the guild id." : "Open this URL in a browser to install the bot into your server:"
+    );
+    deps.out.log(`  ${botInstallUrl}`);
+  } else {
+    deps.out.log(
+      "Secrets stored, but the server returned no install URL. Re-run `hogsend connect discord --status` to read it."
+    );
+  }
+  let guildId = stored.guildId;
+  if (!guildId && !opts.noBrowser) {
+    const proceed = await deps.confirm(
+      "Once you've approved the bot install in your browser, press Enter to capture the guild id (or skip and re-run with --status later)"
+    );
+    if (proceed) {
+      try {
+        const refreshed = await deps.out.step(
+          "Capturing the installed guild id",
+          () => deps.http.get(
+            "/v1/admin/connectors/discord/connect-info"
+          )
+        );
+        guildId = refreshed.guildId;
+      } catch {
+      }
+    }
+  }
+  if (!guildId) {
+    deps.out.log(
+      "Bot install not yet detected. Complete it in your browser, then run `hogsend connect discord --status` to capture the guild id."
+    );
+  }
+  return {
+    verdict: "connected",
+    providerId: "discord",
+    instance: base,
+    secretsStored: true,
+    wired: true,
+    botInstallUrl,
+    guildId
+  };
+}
+var httpErrorBody = (err) => {
+  if (!isHttpError(err)) return void 0;
+  const body = err.body;
+  if (body && typeof body === "object" && "error" in body && typeof body.error === "string") {
+    return body.error;
+  }
+  return void 0;
+};
+
 // src/lib/loopback.ts
 import { createServer } from "http";
 
@@ -776,7 +972,7 @@ var ConnectError = class extends Error {
     this.hint = hint;
   }
 };
-var HINT_NOT_CONFIGURED = "Pass --posthog-host https://eu.posthog.com (or https://us.posthog.com, or your self-hosted app URL) to pick the region to authorize against. Alternatively set POSTHOG_HOST on the instance, redeploy, then re-run.";
+var HINT_NOT_CONFIGURED2 = "Pass --posthog-host https://eu.posthog.com (or https://us.posthog.com, or your self-hosted app URL) to pick the region to authorize against. Alternatively set POSTHOG_HOST on the instance, redeploy, then re-run.";
 var POSTHOG_EU_HOST = "https://eu.posthog.com";
 var POSTHOG_US_HOST = "https://us.posthog.com";
 var normalizeHost = (host) => host.replace(/\/+$/, "");
@@ -792,7 +988,7 @@ var SSH_NOTE = `The consent page must open in a browser on THIS machine \u2014 t
 returns to 127.0.0.1 here. On a remote/SSH session this cannot complete: run
 the command from your laptop instead and point --url at the instance (the CLI
 never needs to run on the server).`;
-function isLoopbackUrl(publicUrl) {
+function isLoopbackUrl2(publicUrl) {
   try {
     const host = new URL(publicUrl).hostname.toLowerCase();
     return host === "localhost" || host === "127.0.0.1" || host === "0.0.0.0" || host === "[::1]" || host === "::1" || host.endsWith(".localhost");
@@ -807,8 +1003,8 @@ skipped (a destination pointing at localhost would be unreachable).
 Once deployed, wire the loop against the real instance:
 
   hogsend connect posthog --provision-only --url https://your-instance`;
-var errMsg = (err) => err instanceof Error ? err.message : String(err);
-var httpErrorBody = (err) => {
+var errMsg2 = (err) => err instanceof Error ? err.message : String(err);
+var httpErrorBody2 = (err) => {
   if (!isHttpError(err)) return void 0;
   const body = err.body;
   if (body && typeof body === "object" && "error" in body && typeof body.error === "string") {
@@ -840,7 +1036,7 @@ function fromLoopbackError(err) {
   }
 }
 async function runProvisionOnly(deps, info, base) {
-  if (isLoopbackUrl(info.apiPublicUrl)) {
+  if (isLoopbackUrl2(info.apiPublicUrl)) {
     deps.out.note(LOOPBACK_URL_NOTE, "Instance not publicly reachable");
     throw new ConnectError(
       "api_public_url_unreachable",
@@ -857,14 +1053,14 @@ async function runProvisionOnly(deps, info, base) {
       )
     );
   } catch (err) {
-    if (isHttpError(err) && err.status === 409 && httpErrorBody(err) === "no_posthog_credential") {
+    if (isHttpError(err) && err.status === 409 && httpErrorBody2(err) === "no_posthog_credential") {
       throw new ConnectError(
         "no_credential",
         "no PostHog credential is stored on this instance",
         "run `hogsend connect posthog` first"
       );
     }
-    throw new ConnectError("provision_failed", errMsg(err));
+    throw new ConnectError("provision_failed", errMsg2(err));
   }
   printProvisioned(deps.out, result);
   return {
@@ -911,7 +1107,7 @@ async function resolvePrivateHost(deps, info, opts) {
   throw new ConnectError(
     "not_configured",
     "this instance has no PostHog configuration",
-    HINT_NOT_CONFIGURED
+    HINT_NOT_CONFIGURED2
   );
 }
 async function runConnectPosthog(deps, opts) {
@@ -1033,7 +1229,7 @@ async function runConnectPosthog(deps, opts) {
       })
     );
   } catch (err) {
-    throw new ConnectError("exchange_failed", errMsg(err));
+    throw new ConnectError("exchange_failed", errMsg2(err));
   }
   const expiresAt = new Date(
     deps.now().getTime() + tokens.expires_in * 1e3
@@ -1059,7 +1255,7 @@ async function runConnectPosthog(deps, opts) {
       })
     );
   } catch (err) {
-    throw new ConnectError("store_failed", errMsg(err));
+    throw new ConnectError("store_failed", errMsg2(err));
   }
   const stored = {
     providerId: "posthog",
@@ -1087,7 +1283,7 @@ async function runConnectPosthog(deps, opts) {
       provision: { attempted: false, skipped: "no_provision_flag" }
     };
   }
-  if (isLoopbackUrl(info.apiPublicUrl)) {
+  if (isLoopbackUrl2(info.apiPublicUrl)) {
     deps.out.note(LOOPBACK_URL_NOTE, "Instance not publicly reachable");
     return {
       verdict: "connected_no_provision",
@@ -1116,7 +1312,7 @@ async function runConnectPosthog(deps, opts) {
       }
     };
   } catch (err) {
-    const message = errMsg(err);
+    const message = errMsg2(err);
     deps.out.log(
       `The credential is stored, but provisioning the event loop failed: ${message}. Re-run with: hogsend connect posthog --provision-only`
     );
@@ -1139,20 +1335,26 @@ function bail(value) {
 }
 
 // src/commands/connect.ts
-var usage2 = `hogsend connect <provider> [--posthog-host <url>] [--provision-only] [--no-provision] [--no-browser] [--json]
+var usage2 = `hogsend connect <provider> [options] [--no-browser] [--json]
 
-Connect this Hogsend instance to an analytics provider via OAuth. Providers:
+Connect this Hogsend instance to a provider. Providers:
 
   posthog    Authorize Hogsend against your PostHog region (PKCE, loopback
              callback on 127.0.0.1), store the refresh token on the instance,
              then provision the PostHog -> Hogsend event loop (a PostHog
              destination posting to /v1/webhooks/posthog).
 
-The browser consent must happen on THIS machine (the OAuth callback lands on
-127.0.0.1). The target instance can be anywhere \u2014 point --url at it and run
-this command from your laptop, not from an SSH session on the server.
+  discord    One-time Discord developer-portal setup: paste the four portal
+             values (application id, public key, bot token, client secret),
+             store them on the instance, wire the interactions endpoint
+             (PATCH /applications/@me) server-side, then open the one-click
+             bot-install link and capture the guild id.
 
-Options:
+For posthog, the browser consent must happen on THIS machine (the OAuth
+callback lands on 127.0.0.1). The target instance can be anywhere \u2014 point --url
+at it and run this command from your laptop, not from an SSH session.
+
+posthog options:
   --posthog-host     PostHog app/private host to authorize against, e.g.
                      https://eu.posthog.com or https://us.posthog.com (NOT the
                      i. ingestion host). Required when the instance has no
@@ -1160,11 +1362,17 @@ Options:
   --provision-only   Skip OAuth; (re-)provision the event loop using the
                      already-stored credential.
   --no-provision     Stop after storing the credential.
-  --no-browser       Don't spawn a browser; just print the authorize URL.
+
+discord options:
+  --status           Read-only: report what's stored/wired and the captured
+                     guild id. Never prompts or stores anything.
+
+Shared options:
+  --no-browser       Don't spawn a browser; just print the URL(s).
   --url, --admin-key, --json, -h, --help   Global flags as usual.
 
-Exit code: 0 when a credential is stored (even if provisioning was skipped),
-1 otherwise.`;
+Exit code: 0 when the connection is stored (even if a follow-up step was
+skipped), 1 otherwise.`;
 async function run2(ctx) {
   const { values: values2, positionals } = parseArgs2({
     args: ctx.argv,
@@ -1175,6 +1383,7 @@ async function run2(ctx) {
       "provision-only": { type: "boolean", default: false },
       "no-provision": { type: "boolean", default: false },
       "no-browser": { type: "boolean", default: false },
+      status: { type: "boolean", default: false },
       help: { type: "boolean", short: "h", default: false }
     }
   });
@@ -1186,22 +1395,27 @@ async function run2(ctx) {
   if (!provider) {
     ctx.out.fail("missing provider \u2014 try: hogsend connect posthog");
   }
+  if (provider === "discord") {
+    await runDiscord(ctx, {
+      noBrowser: Boolean(values2["no-browser"]),
+      statusOnly: Boolean(values2.status)
+    });
+    return;
+  }
   if (provider !== "posthog") {
-    ctx.out.fail(`unknown provider "${provider}" \u2014 supported: posthog`);
+    ctx.out.fail(
+      `unknown provider "${provider}" \u2014 supported: posthog, discord`
+    );
   }
   if (values2["provision-only"] && values2["no-provision"]) {
     ctx.out.fail("--provision-only and --no-provision are mutually exclusive");
   }
-  try {
-    const target = new URL(ctx.cfg.baseUrl);
-    if (target.protocol === "http:" && target.hostname !== "localhost" && target.hostname !== "127.0.0.1") {
-      ctx.out.log(
-        color.yellow(
-          `warning: ${ctx.cfg.baseUrl} is plain http \u2014 OAuth tokens will be sent to it unencrypted; use https for remote instances.`
-        )
-      );
-    }
-  } catch {
+  if (isPlainHttpRemote(ctx.cfg.baseUrl)) {
+    ctx.out.log(
+      color.yellow(
+        `warning: ${ctx.cfg.baseUrl} is plain http \u2014 OAuth tokens will be sent to it unencrypted; use https for remote instances.`
+      )
+    );
   }
   ctx.out.intro(`${color.bgMagenta(color.black(" hogsend "))} connect`);
   const deps = {
@@ -1274,6 +1488,88 @@ async function run2(ctx) {
       ctx.out.note(
         error.hint ? `${error.message}
 
+${error.hint}` : error.message
+      );
+      ctx.out.outro(color.red(`connect: ${error.verdict}`));
+      process.exit(1);
+    }
+    throw error;
+  }
+}
+function isPlainHttpRemote(baseUrl) {
+  try {
+    const target = new URL(baseUrl);
+    return target.protocol === "http:" && target.hostname !== "localhost" && target.hostname !== "127.0.0.1";
+  } catch {
+    return false;
+  }
+}
+async function runDiscord(ctx, opts) {
+  if (!opts.statusOnly && isPlainHttpRemote(ctx.cfg.baseUrl)) {
+    ctx.out.fail(
+      `${ctx.cfg.baseUrl} is plain http \u2014 refusing to send the Discord bot token + client secret to a remote instance unencrypted. Use https, or run --status (which sends no secrets).`
+    );
+  }
+  ctx.out.intro(`${color.bgMagenta(color.black(" hogsend "))} connect`);
+  const deps = {
+    http: ctx.http,
+    out: ctx.out,
+    interactive: ctx.out.interactive,
+    confirm: async (message) => bail(await confirm({ message })),
+    openBrowser,
+    promptSecrets: async () => {
+      const appId = bail(
+        await text({
+          message: "Discord Application ID (OAuth2 -> Client ID)",
+          placeholder: "1234567890123456789"
+        })
+      );
+      const publicKey = bail(
+        await text({
+          message: "Public Key (General Information -> Public Key)",
+          placeholder: "abc123..."
+        })
+      );
+      const botToken = bail(
+        await password({ message: "Bot Token (Bot -> Reset Token)" })
+      );
+      const clientSecret = bail(
+        await password({
+          message: "Client Secret (OAuth2 -> Client Secret)"
+        })
+      );
+      return { appId, publicKey, botToken, clientSecret };
+    },
+    now: () => /* @__PURE__ */ new Date()
+  };
+  try {
+    const result = await runConnectDiscord(deps, {
+      noBrowser: opts.noBrowser,
+      statusOnly: opts.statusOnly
+    });
+    if (ctx.json) {
+      ctx.out.json({ ok: true, ...result });
+      return;
+    }
+    ctx.out.outro(
+      color.green(
+        `connect: discord ${result.verdict === "connected" ? "connected" : "secrets stored (interactions not wired)"}`
+      )
+    );
+  } catch (error) {
+    if (error instanceof ConnectDiscordError) {
+      if (ctx.json) {
+        ctx.out.json({
+          ok: false,
+          verdict: error.verdict,
+          error: error.message,
+          hint: error.hint
+        });
+        process.exit(1);
+      }
+      ctx.out.note(
+        error.hint ? `${error.message}
+
 ${error.hint}` : error.message
       );
       ctx.out.outro(color.red(`connect: ${error.verdict}`));
@@ -1284,7 +1580,7 @@ ${error.hint}` : error.message
 }
 var connectCommand = {
   name: "connect",
-  summary: "Connect an analytics provider via OAuth (posthog)",
+  summary: "Connect a provider (posthog OAuth, discord bot)",
   usage: usage2,
   run: run2
 };
@@ -4195,12 +4491,12 @@ async function runToken(ctx, argv) {
   const flags = parseTokenFlags(argv);
   const url = flags.url ?? (ctx.cfg.urlExplicit ? ctx.cfg.baseUrl : void 0) ?? process.env.HATCHET_URL;
   const email = flags.email ?? process.env.HATCHET_ADMIN_EMAIL;
-  const password = flags.password ?? process.env.HATCHET_ADMIN_PASSWORD;
+  const password2 = flags.password ?? process.env.HATCHET_ADMIN_PASSWORD;
   const missing = [];
   if (!url) missing.push("--url (or HATCHET_URL)");
   if (!email) missing.push("--email (or HATCHET_ADMIN_EMAIL)");
-  if (!password) missing.push("--password (or HATCHET_ADMIN_PASSWORD)");
-  if (missing.length > 0 || !url || !email || !password) {
+  if (!password2) missing.push("--password (or HATCHET_ADMIN_PASSWORD)");
+  if (missing.length > 0 || !url || !email || !password2) {
     failToStderr(ctx, `missing ${missing.join(", ")}`);
   }
   const onProgress = ctx.json ? void 0 : (msg) => process.stderr.write(`${color.dim(msg)}
@@ -4210,7 +4506,7 @@ async function runToken(ctx, argv) {
     const result = await mintHatchetToken({
       url,
       email,
-      password,
+      password: password2,
       tenantSlug: flags.tenant,
       tokenName: flags.tokenName,
       onProgress
@@ -14124,6 +14420,7 @@ __export(schema_exports, {
   bucketMemberships: () => bucketMemberships,
   bucketMembershipsRelations: () => bucketMembershipsRelations,
   campaigns: () => campaigns,
+  connectorLinkCodes: () => connectorLinkCodes,
   contactAliases: () => contactAliases,
   contactAliasesRelations: () => contactAliasesRelations,
   contacts: () => contacts,
@@ -14536,6 +14833,50 @@ var campaigns = pgTable(
   ]
 );
 
+// ../db/src/schema/connector-link-codes.ts
+var connectorLinkCodes = pgTable(
+  "connector_link_codes",
+  {
+    id: uuid("id").defaultRandom().primaryKey(),
+    // The connector this code belongs to (e.g. "discord"). Scopes throttle
+    // counts + lets one engine serve multiple connectors' link loops.
+    connectorId: text2("connector_id").notNull(),
+    // sha256(code) as lowercase hex — the lookup key. The plaintext code is
+    // NEVER stored; it exists only in the emailed message.
+    codeHash: text2("code_hash").notNull(),
+    // The invoking platform user the code is BOUND to (Discord snowflake). A
+    // redeem must present the SAME platform user id or it is rejected.
+    platformUserId: text2("platform_user_id").notNull(),
+    // The authoritative email the code was issued for (the resolution key the
+    // redeem attaches to the platform identity). Stored normalized
+    // (trim + toLowerCase) by the caller.
+    targetEmail: text2("target_email").notNull(),
+    // Absolute expiry. A redeem after this instant is rejected as expired.
+    expiresAt: timestamp("expires_at", { withTimezone: true }).notNull(),
+    // Single-use marker: NULL until redeemed, set to the redemption instant by
+    // the atomic `UPDATE ... WHERE used_at IS NULL`. A second redeem misses.
+    usedAt: timestamp("used_at", { withTimezone: true }),
+    ...timestamps
+  },
+  (table) => [
+    // Redeem looks the row up by hash. Unique: a hash collision (or a duplicate
+    // mint of the identical code) must never produce two redeemable rows.
+    uniqueIndex("connector_link_codes_code_hash_idx").on(table.codeHash),
+    // Serves the per-invoking-user throttle COUNT (connector + user + recency).
+    index("connector_link_codes_throttle_user_idx").on(
+      table.connectorId,
+      table.platformUserId,
+      table.createdAt
+    ),
+    // Serves the per-target-email throttle COUNT (connector + email + recency).
+    index("connector_link_codes_throttle_email_idx").on(
+      table.connectorId,
+      table.targetEmail,
+      table.createdAt
+    )
+  ]
+);
+
 // ../db/src/schema/contacts.ts
 var contacts = pgTable(
   "contacts",
@@ -14558,6 +14899,16 @@ var contacts = pgTable(
      * index scoped to live, non-deleted rows.
      */
     anonymousId: text2("anonymous_id"),
+    /**
+     * Nullable Discord user id (snowflake) attached to an email-keyed contact
+     * when a member completes the per-member OAuth link. Like external_id it is
+     * a RESOLVABLE identity key (a fourth `Kind`), NOT a property — but it is
+     * NEVER the canonical text key (`external_id ?? anonymous_id ?? id`), so it
+     * does not participate in the history re-point. Uniqueness is the
+     * partial-unique live-row index below, identical to
+     * contacts_external_id_unique_idx.
+     */
+    discordId: text2("discord_id"),
     /**
      * Opportunistic IANA-timezone cache (e.g. "America/New_York"). Populated
      * best-effort when a tz is resolved from PostHog person props. PostHog and
@@ -14583,7 +14934,8 @@ var contacts = pgTable(
     // resolvable identity key. Emails are stored already-normalized (trim +
     // toLowerCase), so lower() here is belt-and-suspenders.
     uniqueIndex("contacts_email_unique_idx").on(sql`lower(email)`).where(sql`email IS NOT NULL AND deleted_at IS NULL`),
-    uniqueIndex("contacts_anonymous_id_unique_idx").on(table.anonymousId).where(sql`anonymous_id IS NOT NULL AND deleted_at IS NULL`)
+    uniqueIndex("contacts_anonymous_id_unique_idx").on(table.anonymousId).where(sql`anonymous_id IS NOT NULL AND deleted_at IS NULL`),
+    uniqueIndex("contacts_discord_id_unique_idx").on(table.discordId).where(sql`discord_id IS NOT NULL AND deleted_at IS NULL`)
   ]
 );
 
@@ -14594,7 +14946,7 @@ var contactAliases = pgTable(
     id: uuid("id").defaultRandom().primaryKey(),
     // The SURVIVOR a stale key resolves TO.
     contactId: uuid("contact_id").notNull().references(() => contacts.id, { onDelete: "cascade" }),
-    // 'email' | 'external' | 'anonymous'
+    // 'email' | 'external' | 'anonymous' | 'discord'
     aliasKind: text2("alias_kind").notNull(),
     // The stale key value (the loser's old external_id / normalized email /
     // anonymous_id).
@@ -14822,7 +15174,23 @@ var trackedLinks = pgTable(
   "tracked_links",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    emailSendId: uuid("email_send_id").notNull().references(() => emailSends.id, { onDelete: "cascade" }),
+    // NULLABLE since the identity-stitching minor: a tracked link no longer has
+    // to belong to an email send. Broadcast/non-email links (Discord, referral,
+    // ad-hoc `createTrackedLink`) carry NULL here. Email-link inserts keep
+    // populating it; the FK + index are unchanged.
+    emailSendId: uuid("email_send_id").references(() => emailSends.id, {
+      onDelete: "cascade"
+    }),
+    // Subject of a stitch-bearing NON-email link: the canonical contact key the
+    // click should fold the visitor's anon session into. NULL for broadcast
+    // links (Discord/referral default) — broadcast links are tracked for click
+    // counts but carry no identity. Email links resolve their subject from the
+    // `email_sends` row instead, so this stays NULL for them too.
+    distinctId: text2("distinct_id"),
+    // Where the link originated: "email" | "discord" | "link". Drives the click
+    // route's per-hit outbound emit (email links emit `email.clicked`; non-email
+    // links emit `link.clicked`). NULL on legacy/email rows.
+    source: text2("source"),
     originalUrl: text2("original_url").notNull(),
     clickCount: integer("click_count").notNull().default(0),
     // Semantic link metadata, lifted from the template's data-hs-* attributes
@@ -15233,14 +15601,14 @@ var AdminAlreadyExistsError = class extends Error {
   email;
 };
 async function createAdminUser(opts) {
-  const { auth, email, password } = opts;
+  const { auth, email, password: password2 } = opts;
   const displayName = opts.name ?? email.split("@")[0] ?? email;
   const ctx = await auth.$context;
   const existing = await ctx.internalAdapter.findUserByEmail(email);
   if (existing) {
     throw new AdminAlreadyExistsError(email);
   }
-  const hashed = await ctx.password.hash(password);
+  const hashed = await ctx.password.hash(password2);
   const created = await ctx.internalAdapter.createUser({
     email,
     name: displayName,
@@ -15282,9 +15650,9 @@ function createAdminRecovery(opts) {
     baseURL: opts.baseURL ?? "http://localhost:3002"
   });
   return {
-    async create({ email, password, name }) {
+    async create({ email, password: password2, name }) {
       try {
-        return await createAdminUser({ auth, email, name, password });
+        return await createAdminUser({ auth, email, name, password: password2 });
       } catch (err) {
         if (err instanceof AdminAlreadyExistsError) {
           throw new Error(err.message);
@@ -15295,7 +15663,7 @@ function createAdminRecovery(opts) {
         throw err;
       }
     },
-    async reset({ email, password, revokeSessions }) {
+    async reset({ email, password: password2, revokeSessions }) {
       const ctx = await auth.$context;
       const found = await ctx.internalAdapter.findUserByEmail(email, {
         includeAccounts: true
@@ -15305,7 +15673,7 @@ function createAdminRecovery(opts) {
           `No admin with email "${email}". Use \`hogsend studio admin create\` to create one.`
         );
       }
-      const hashed = await ctx.password.hash(password);
+      const hashed = await ctx.password.hash(password2);
       const hasCredential = found.accounts?.some(
         (a) => a.providerId === "credential"
       );
@@ -15963,6 +16331,7 @@ var WEBHOOK_EVENT_TYPES = [
   "email.action",
   "email.bounced",
   "email.complained",
+  "link.clicked",
   "journey.completed",
   "bucket.entered",
   "bucket.left"