@hotmeshio/long-tail 0.1.0 → 0.1.2

package/build/routes/oauth.js

@@ -51,7 +51,7 @@ router.get('/connections', auth_1.requireAuth, async (req, res) => {
  * GET /api/auth/oauth/:provider
  * Initiate the OAuth flow — redirects the browser to the provider.
  */
-router.get('/:provider', (req, res) => {
+router.get('/:provider', async (req, res) => {
     const { provider } = req.params;
     const handler = (0, oauth_1.getProvider)(provider);
     if (!handler) {
@@ -65,7 +65,7 @@ router.get('/:provider', (req, res) => {
     if (!handler.config.redirectUri) {
         handler.config.redirectUri = `${baseUrl}/api/auth/oauth/${provider}/callback`;
     }
-    const url = handler.createAuthorizationURL(state, codeVerifier);
+    const url = await handler.createAuthorizationURL(state, codeVerifier);
     res.redirect(url.toString());
 });
 /**
@@ -178,7 +178,7 @@ router.get('/connect/:provider', (req, res, next) => {
         req.headers.authorization = `Bearer ${token}`;
     }
     next();
-}, auth_1.requireAuth, (req, res) => {
+}, auth_1.requireAuth, async (req, res) => {
     const userId = req.auth.userId;
     const provider = req.params.provider;
     const handler = (0, oauth_1.getProvider)(provider);
@@ -197,7 +197,7 @@ router.get('/connect/:provider', (req, res, next) => {
     if (!handler.config.redirectUri) {
         handler.config.redirectUri = `${baseUrl}/api/auth/oauth/${provider}/callback`;
     }
-    const url = handler.createAuthorizationURL(state, codeVerifier);
+    const url = await handler.createAuthorizationURL(state, codeVerifier);
     res.redirect(url.toString());
 });
 /**

package/build/services/db/migrate.js

@@ -38,7 +38,12 @@ const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const index_1 = require("./index");
 const logger_1 = require("../logger");
-const SCHEMAS_DIR = path.join(__dirname, 'schemas');
+// In dev: __dirname = services/db → schemas is ./schemas
+// In built/published: __dirname = build/services/db → schemas is ../../../services/db/schemas
+const devPath = path.join(__dirname, 'schemas');
+const SCHEMAS_DIR = fs.existsSync(devPath)
+    ? devPath
+    : path.join(__dirname, '..', '..', '..', 'services', 'db', 'schemas');
 async function migrate() {
     const pool = (0, index_1.getPool)();
     // ensure migration tracking table

package/build/services/oauth/providers/github.js

@@ -1,17 +1,58 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createGitHubHandler = createGitHubHandler;
-const arctic_1 = require("arctic");
 function createGitHubHandler(cfg) {
     const redirectUri = cfg.redirectUri || null;
-    const github = new arctic_1.GitHub(cfg.clientId, cfg.clientSecret, redirectUri);
+    let _github;
+    async function getClient() {
+        if (!_github) {
+            const { GitHub } = await Promise.resolve().then(() => __importStar(require('arctic')));
+            _github = new GitHub(cfg.clientId, cfg.clientSecret, redirectUri);
+        }
+        return _github;
+    }
     return {
         config: cfg,
-        createAuthorizationURL(state, _codeVerifier) {
+        async createAuthorizationURL(state, _codeVerifier) {
+            const github = await getClient();
             const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['read:user', 'user:email'];
             return github.createAuthorizationURL(state, scopes);
         },
         async validateAuthorizationCode(code, _codeVerifier) {
+            const github = await getClient();
             const tokens = await github.validateAuthorizationCode(code);
             return {
                 accessToken: tokens.accessToken(),

package/build/services/oauth/providers/google.js

@@ -1,17 +1,58 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createGoogleHandler = createGoogleHandler;
-const arctic_1 = require("arctic");
 function createGoogleHandler(cfg) {
     const redirectUri = cfg.redirectUri || '';
-    const google = new arctic_1.Google(cfg.clientId, cfg.clientSecret, redirectUri);
+    let _google;
+    async function getClient() {
+        if (!_google) {
+            const { Google } = await Promise.resolve().then(() => __importStar(require('arctic')));
+            _google = new Google(cfg.clientId, cfg.clientSecret, redirectUri);
+        }
+        return _google;
+    }
     return {
         config: cfg,
-        createAuthorizationURL(state, codeVerifier) {
+        async createAuthorizationURL(state, codeVerifier) {
+            const google = await getClient();
             const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
             return google.createAuthorizationURL(state, codeVerifier, scopes);
         },
         async validateAuthorizationCode(code, codeVerifier) {
+            const google = await getClient();
             const tokens = await google.validateAuthorizationCode(code, codeVerifier);
             return {
                 accessToken: tokens.accessToken(),
@@ -20,6 +61,7 @@ function createGoogleHandler(cfg) {
             };
         },
         async refreshAccessToken(refreshToken) {
+            const google = await getClient();
             const tokens = await google.refreshAccessToken(refreshToken);
             return {
                 accessToken: tokens.accessToken(),

package/build/services/oauth/providers/microsoft.js

@@ -1,18 +1,59 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.createMicrosoftHandler = createMicrosoftHandler;
-const arctic_1 = require("arctic");
 function createMicrosoftHandler(cfg) {
     const redirectUri = cfg.redirectUri || '';
     const tenantId = process.env.OAUTH_MICROSOFT_TENANT_ID || 'common';
-    const ms = new arctic_1.MicrosoftEntraId(tenantId, cfg.clientId, cfg.clientSecret, redirectUri);
+    let _ms;
+    async function getClient() {
+        if (!_ms) {
+            const { MicrosoftEntraId } = await Promise.resolve().then(() => __importStar(require('arctic')));
+            _ms = new MicrosoftEntraId(tenantId, cfg.clientId, cfg.clientSecret, redirectUri);
+        }
+        return _ms;
+    }
     return {
         config: cfg,
-        createAuthorizationURL(state, codeVerifier) {
+        async createAuthorizationURL(state, codeVerifier) {
+            const ms = await getClient();
             const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
             return ms.createAuthorizationURL(state, codeVerifier, scopes);
         },
         async validateAuthorizationCode(code, codeVerifier) {
+            const ms = await getClient();
             const tokens = await ms.validateAuthorizationCode(code, codeVerifier);
             return {
                 accessToken: tokens.accessToken(),
@@ -21,6 +62,7 @@ function createMicrosoftHandler(cfg) {
             };
         },
         async refreshAccessToken(refreshToken) {
+            const ms = await getClient();
             const scopes = cfg.scopes.length > 0 ? cfg.scopes : ['openid', 'email', 'profile'];
             const tokens = await ms.refreshAccessToken(refreshToken, scopes);
             return {

package/build/services/oauth/providers/types.d.ts

@@ -6,7 +6,7 @@ export interface OAuthTokens {
 }
 export interface ProviderHandler {
     config: LTOAuthProviderConfig;
-    createAuthorizationURL(state: string, codeVerifier: string): URL;
+    createAuthorizationURL(state: string, codeVerifier: string): URL | Promise<URL>;
     validateAuthorizationCode(code: string, codeVerifier: string): Promise<OAuthTokens>;
     refreshAccessToken(refreshToken: string): Promise<OAuthTokens>;
     fetchUserInfo(accessToken: string): Promise<LTOAuthUserInfo>;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hotmeshio/long-tail",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Long Tail Workflows — Durable AI workflows with human-in-the-loop escalation. Powered by PostgreSQL.",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -10,6 +10,7 @@
   },
   "files": [
     "build/",
+    "services/db/schemas/",
     "dashboard/dist/",
     "LICENSE",
     "README.md"
@@ -57,7 +58,7 @@
   "author": "luke.birdeau@gmail.com",
   "license": "SEE LICENSE IN LICENSE",
   "dependencies": {
-    "@anthropic-ai/sdk": "^0.80.0",
+    "@anthropic-ai/sdk": "^0.82.0",
     "@aws-sdk/client-s3": "^3.1017.0",
     "@hotmeshio/hotmesh": "^0.13.0",
     "@modelcontextprotocol/sdk": "^1.27.1",
@@ -91,6 +92,6 @@
     "ts-node": "^10.9.1",
     "ts-node-dev": "^2.0.0",
     "typescript": "^5.0.4",
-    "vitest": "^2.1.9"
+    "vitest": "^4.1.2"
   }
 }

package/services/db/README.md

@@ -0,0 +1,8 @@
+PostgreSQL connection pool and migration runner. Provides the shared `pg.Pool` singleton used by all services and a sequential SQL migration system.
+
+Key files:
+- `index.ts` — `getPool()` (lazy singleton) and `closePool()` for the shared `pg.Pool`
+- `migrate.ts` — Reads `.sql` files from `schemas/`, tracks applied migrations in `lt_migrations`, applies new ones in sort order
+- `schemas/` — Numbered SQL migration files (001_schema.sql, 002_seed.sql, etc.)
+
+The `migrate.ts` file contains inline SQL for creating the `lt_migrations` tracking table and querying/inserting migration records. This is intentional — the migration runner bootstraps itself before any `sql.ts` infrastructure exists, so externalizing these queries would add complexity without benefit.

package/services/db/schemas/001_schema.sql

@@ -0,0 +1,307 @@
+-- Long Tail Workflows: Schema
+-- Tasks track workflow executions; escalations track human interventions.
+
+-- ─── updated_at trigger ─────────────────────────────────────────────────────
+
+CREATE OR REPLACE FUNCTION lt_set_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = NOW();
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- ─── lt_roles (canonical role registry) ────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_roles (
+  role       TEXT PRIMARY KEY,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+INSERT INTO lt_roles (role) VALUES
+  ('reviewer'),
+  ('engineer'),
+  ('admin'),
+  ('superadmin')
+ON CONFLICT DO NOTHING;
+
+-- ─── lt_tasks ────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_tasks (
+  id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_id     TEXT NOT NULL,
+  workflow_type   TEXT NOT NULL,
+  lt_type         TEXT NOT NULL,
+  task_queue      TEXT,
+  status          TEXT NOT NULL DEFAULT 'pending',
+  priority        INTEGER NOT NULL DEFAULT 2,
+  signal_id       TEXT NOT NULL,
+  parent_workflow_id TEXT NOT NULL,
+  origin_id       TEXT,
+  parent_id       TEXT,
+  started_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  completed_at    TIMESTAMPTZ,
+  envelope        TEXT NOT NULL,
+  metadata        JSONB,
+  error           TEXT,
+  milestones      JSONB NOT NULL DEFAULT '[]'::JSONB,
+  data            TEXT,
+  trace_id        TEXT,
+  span_id         TEXT,
+  created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_status_type ON lt_tasks (status, workflow_type, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_parent ON lt_tasks (parent_workflow_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_lt_type ON lt_tasks (lt_type, status, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_completed ON lt_tasks (completed_at, status);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_signal ON lt_tasks (signal_id);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_origin ON lt_tasks (origin_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_workflow_id ON lt_tasks (workflow_id);
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_origin_id ON lt_tasks (origin_id) WHERE origin_id IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_trace ON lt_tasks (trace_id) WHERE trace_id IS NOT NULL;
+
+CREATE OR REPLACE TRIGGER trg_lt_tasks_updated_at
+  BEFORE UPDATE ON lt_tasks
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_escalations ─────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_escalations (
+  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  type              TEXT NOT NULL,
+  subtype           TEXT NOT NULL,
+  description       TEXT,
+  status            TEXT NOT NULL DEFAULT 'pending',
+  priority          INTEGER NOT NULL DEFAULT 2,
+  task_id           UUID REFERENCES lt_tasks(id),
+  origin_id         TEXT,
+  parent_id         TEXT,
+  workflow_id       TEXT,
+  task_queue        TEXT,
+  workflow_type     TEXT,
+  role              TEXT NOT NULL REFERENCES lt_roles(role),
+  assigned_to       TEXT,
+  assigned_until    TIMESTAMPTZ,
+  resolved_at       TIMESTAMPTZ,
+  claimed_at        TIMESTAMPTZ,
+  envelope          TEXT NOT NULL,
+  metadata          JSONB,
+  escalation_payload TEXT,
+  resolver_payload  TEXT,
+  trace_id          TEXT,
+  span_id           TEXT,
+  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_available ON lt_escalations (status, role, assigned_until, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_available_v2 ON lt_escalations (role, priority, created_at DESC) WHERE status = 'pending';
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_assigned ON lt_escalations (assigned_to, assigned_until, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_expiry ON lt_escalations (assigned_until, assigned_to);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_role_type ON lt_escalations (role, status, type, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_role_subtype ON lt_escalations (role, status, type, subtype, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_status ON lt_escalations (status, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_task ON lt_escalations (task_id);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_origin ON lt_escalations (origin_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_workflow ON lt_escalations (workflow_id);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_type ON lt_escalations (type);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_pending_sort ON lt_escalations (priority ASC, created_at ASC) WHERE status = 'pending';
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_origin_id ON lt_escalations (origin_id) WHERE origin_id IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_trace ON lt_escalations (trace_id) WHERE trace_id IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_created_desc ON lt_escalations (created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_updated_desc ON lt_escalations (updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_priority_desc ON lt_escalations (priority DESC, created_at DESC);
+
+CREATE OR REPLACE TRIGGER trg_lt_escalations_updated_at
+  BEFORE UPDATE ON lt_escalations
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_users ────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_users (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  external_id   TEXT UNIQUE NOT NULL,
+  email         TEXT,
+  display_name  TEXT,
+  password_hash TEXT,
+  status        TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended')),
+  metadata      JSONB,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TRIGGER lt_users_updated_at
+  BEFORE UPDATE ON lt_users
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+CREATE INDEX IF NOT EXISTS idx_lt_users_status ON lt_users (status);
+
+-- ─── lt_user_roles ───────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_user_roles (
+  user_id    UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  role       TEXT NOT NULL REFERENCES lt_roles(role),
+  type       TEXT NOT NULL DEFAULT 'member' CHECK (type IN ('superadmin', 'admin', 'member')),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (user_id, role)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_user_roles_type ON lt_user_roles (type);
+CREATE INDEX IF NOT EXISTS idx_lt_user_roles_user_id ON lt_user_roles (user_id);
+
+-- ─── lt_config_workflows ────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_config_workflows (
+  id               UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_type    TEXT UNIQUE NOT NULL,
+  invocable        BOOLEAN NOT NULL DEFAULT false,
+  task_queue       TEXT,
+  default_role     TEXT NOT NULL DEFAULT 'reviewer' REFERENCES lt_roles(role),
+  description      TEXT,
+  consumes         TEXT[] NOT NULL DEFAULT '{}',
+  tool_tags        TEXT[] NOT NULL DEFAULT '{}',
+  envelope_schema  JSONB,
+  resolver_schema  JSONB,
+  cron_schedule    TEXT,
+  execute_as       TEXT,
+  created_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at       TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TRIGGER lt_config_workflows_updated_at
+  BEFORE UPDATE ON lt_config_workflows
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+CREATE INDEX IF NOT EXISTS idx_config_workflows_tool_tags
+  ON lt_config_workflows USING GIN (tool_tags);
+
+CREATE TABLE IF NOT EXISTS lt_config_roles (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_type TEXT NOT NULL REFERENCES lt_config_workflows(workflow_type) ON DELETE CASCADE,
+  role          TEXT NOT NULL REFERENCES lt_roles(role),
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE(workflow_type, role)
+);
+
+CREATE TABLE IF NOT EXISTS lt_config_invocation_roles (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_type TEXT NOT NULL REFERENCES lt_config_workflows(workflow_type) ON DELETE CASCADE,
+  role          TEXT NOT NULL REFERENCES lt_roles(role),
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE(workflow_type, role)
+);
+
+-- ─── lt_mcp_servers ─────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_mcp_servers (
+  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name              TEXT UNIQUE NOT NULL,
+  description       TEXT,
+  transport_type    TEXT NOT NULL CHECK (transport_type IN ('stdio', 'sse')),
+  transport_config  JSONB NOT NULL DEFAULT '{}'::JSONB,
+  auto_connect      BOOLEAN NOT NULL DEFAULT false,
+  tool_manifest     JSONB,
+  status            TEXT NOT NULL DEFAULT 'registered'
+                      CHECK (status IN ('registered', 'connected', 'error', 'disconnected')),
+  last_connected_at TIMESTAMPTZ,
+  metadata          JSONB,
+  tags              TEXT[] NOT NULL DEFAULT '{}',
+  compile_hints     TEXT,
+  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_mcp_servers_name ON lt_mcp_servers (name);
+CREATE INDEX IF NOT EXISTS idx_lt_mcp_servers_status ON lt_mcp_servers (status);
+CREATE INDEX IF NOT EXISTS idx_lt_mcp_servers_auto_connect ON lt_mcp_servers (auto_connect) WHERE auto_connect = true;
+CREATE INDEX IF NOT EXISTS idx_lt_mcp_servers_tags ON lt_mcp_servers USING GIN (tags);
+
+CREATE OR REPLACE TRIGGER trg_lt_mcp_servers_updated_at
+  BEFORE UPDATE ON lt_mcp_servers
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_config_role_escalations ─────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_config_role_escalations (
+  source_role TEXT NOT NULL REFERENCES lt_roles(role),
+  target_role TEXT NOT NULL REFERENCES lt_roles(role),
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (source_role, target_role)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_config_role_escalations_source
+  ON lt_config_role_escalations (source_role);
+
+-- ─── lt_yaml_workflows ──────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_yaml_workflows (
+  id                       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name                     TEXT UNIQUE NOT NULL,
+  description              TEXT,
+  app_id                   TEXT NOT NULL,
+  app_version              TEXT NOT NULL DEFAULT '1',
+  source_workflow_id       TEXT,
+  source_workflow_type     TEXT,
+  yaml_content             TEXT NOT NULL,
+  graph_topic              TEXT NOT NULL,
+  input_schema             JSONB NOT NULL DEFAULT '{}'::JSONB,
+  output_schema            JSONB NOT NULL DEFAULT '{}'::JSONB,
+  activity_manifest        JSONB NOT NULL DEFAULT '[]'::JSONB,
+  status                   TEXT NOT NULL DEFAULT 'draft'
+                             CHECK (status IN ('draft', 'deployed', 'active', 'archived')),
+  deployed_at              TIMESTAMPTZ,
+  activated_at             TIMESTAMPTZ,
+  content_version          INTEGER NOT NULL DEFAULT 1,
+  deployed_content_version INTEGER,
+  tags                     TEXT[] NOT NULL DEFAULT '{}',
+  input_field_meta         JSONB NOT NULL DEFAULT '[]'::JSONB,
+  metadata                 JSONB,
+  created_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at               TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_status ON lt_yaml_workflows (status);
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_app_id ON lt_yaml_workflows (app_id);
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_tags ON lt_yaml_workflows USING GIN (tags);
+
+CREATE OR REPLACE TRIGGER trg_lt_yaml_workflows_updated_at
+  BEFORE UPDATE ON lt_yaml_workflows
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_yaml_workflow_versions ──────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_yaml_workflow_versions (
+  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_id       UUID NOT NULL REFERENCES lt_yaml_workflows(id) ON DELETE CASCADE,
+  version           INTEGER NOT NULL,
+  yaml_content      TEXT NOT NULL,
+  activity_manifest JSONB NOT NULL DEFAULT '[]'::JSONB,
+  input_schema      JSONB NOT NULL DEFAULT '{}'::JSONB,
+  output_schema     JSONB NOT NULL DEFAULT '{}'::JSONB,
+  input_field_meta  JSONB NOT NULL DEFAULT '[]'::JSONB,
+  change_summary    TEXT,
+  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (workflow_id, version)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_wf_versions_workflow
+  ON lt_yaml_workflow_versions (workflow_id, version DESC);
+
+-- ─── lt_namespaces ──────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_namespaces (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name        TEXT UNIQUE NOT NULL,
+  description TEXT,
+  schema_name TEXT NOT NULL,
+  is_default  BOOLEAN NOT NULL DEFAULT false,
+  metadata    JSONB,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+INSERT INTO lt_namespaces (name, schema_name, is_default, description)
+VALUES ('longtail', 'longtail', true, 'Default Long Tail namespace')
+ON CONFLICT (name) DO NOTHING;

package/services/db/schemas/002_seed.sql

@@ -0,0 +1,67 @@
+-- Seed data: workflow configs, MCP servers, escalation chains.
+
+-- ─── MCP servers ────────────────────────────────────────────────────────────
+
+INSERT INTO lt_mcp_servers (name, description, transport_type, transport_config, auto_connect, status)
+VALUES (
+  'long-tail-db-query',
+  'Built-in read-only query server for tasks, escalations, processes, and system health',
+  'stdio',
+  '{"builtin": true}'::jsonb,
+  false,
+  'connected'
+)
+ON CONFLICT (name) DO NOTHING;
+
+-- ─── Escalation chains ─────────────────────────────────────────────────────
+
+INSERT INTO lt_config_role_escalations (source_role, target_role) VALUES
+  ('reviewer',  'engineer'),
+  ('reviewer',  'admin'),
+  ('engineer',  'admin'),
+  ('engineer',  'superadmin'),
+  ('admin',     'engineer'),
+  ('admin',     'superadmin')
+ON CONFLICT DO NOTHING;
+
+-- ─── Example workflows (all directly invocable) ────────────────────────────
+
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema, resolver_schema)
+VALUES
+  -- Review content
+  ('reviewContent', 'long-tail-examples', 'reviewer', true,
+   'Content review — AI-powered moderation with human escalation for low-confidence results',
+   ARRAY['document-processing', 'vision', 'ocr', 'translation'],
+   '{"data": {"contentId": "article-001", "content": "Content to review...", "contentType": "article"}, "metadata": {"source": "dashboard"}}'::jsonb,
+   '{"approved": true, "analysis": {"confidence": 0.95, "flags": [], "summary": "Manually reviewed and approved."}}'::jsonb),
+
+  -- Verify document
+  ('verifyDocument', 'long-tail-examples', 'reviewer', true,
+   'Document verification — AI Vision analyzes identity documents',
+   ARRAY['document-processing', 'vision', 'ocr', 'translation'],
+   '{"data": {"documentId": "doc-001", "documentUrl": "https://example.com/doc.jpg", "documentType": "drivers_license", "memberId": "member-12345"}, "metadata": {"source": "dashboard"}}'::jsonb,
+   '{"memberId": "", "extractedInfo": {}, "validationResult": "match", "confidence": 1.0}'::jsonb),
+
+  -- Process claim
+  ('processClaim', 'long-tail-examples', 'reviewer', true,
+   'Insurance claim processing — document analysis, validation, and human review',
+   ARRAY['document-processing', 'vision', 'database', 'query'],
+   '{"data": {"claimId": "CLM-2024-001", "claimantId": "POL-5551234", "claimType": "auto_collision", "amount": 12500, "documents": ["incident_report.pdf", "photo_evidence.jpg"]}, "metadata": {"source": "dashboard"}}'::jsonb,
+   '{"approved": true, "analysis": {"confidence": 0.92, "flags": [], "summary": "Documents reviewed and verified."}, "status": "resolved"}'::jsonb),
+
+  -- Kitchen sink
+  ('kitchenSink', 'long-tail-examples', 'reviewer', true,
+   'Kitchen sink — demonstrates sleep, signals, parallel activities, escalation, and every durable primitive',
+   '{}',
+   '{"data": {"name": "World", "mode": "full"}, "metadata": {"source": "dashboard"}}'::jsonb,
+   NULL)
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- ─── Assign roles to all workflows ──────────────────────────────────────────
+
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT workflow_type, unnest(ARRAY['reviewer', 'engineer', 'admin'])
+FROM lt_config_workflows
+ON CONFLICT (workflow_type, role) DO NOTHING;
+

package/services/db/schemas/003_workflow_discovery.sql

@@ -0,0 +1,39 @@
+-- Workflow discovery: full-text search, original prompt, and category.
+
+-- Original prompt that spawned this workflow (richest semantic signal)
+ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS original_prompt TEXT;
+
+-- Capability category derived from tool usage patterns
+ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS category TEXT;
+
+-- Full-text search vector, auto-maintained by trigger
+ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS search_vector TSVECTOR;
+
+-- GIN index on search_vector for fast full-text search
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_search
+  ON lt_yaml_workflows USING GIN (search_vector);
+
+-- Index on category for filtered queries
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_category
+  ON lt_yaml_workflows (category) WHERE category IS NOT NULL;
+
+-- Trigger: rebuild search_vector from name, description, tags, original_prompt, category
+CREATE OR REPLACE FUNCTION lt_yaml_workflows_search_vector_update()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.search_vector :=
+    setweight(to_tsvector('english', coalesce(NEW.name, '')), 'A') ||
+    setweight(to_tsvector('english', coalesce(NEW.original_prompt, '')), 'A') ||
+    setweight(to_tsvector('english', coalesce(NEW.description, '')), 'B') ||
+    setweight(to_tsvector('english', coalesce(NEW.category, '')), 'C') ||
+    setweight(to_tsvector('english', coalesce(array_to_string(NEW.tags, ' '), '')), 'C');
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE OR REPLACE TRIGGER trg_lt_yaml_workflows_search_vector
+  BEFORE INSERT OR UPDATE ON lt_yaml_workflows
+  FOR EACH ROW EXECUTE FUNCTION lt_yaml_workflows_search_vector_update();
+
+-- Backfill search_vector for existing rows
+UPDATE lt_yaml_workflows SET updated_at = NOW();

package/services/db/schemas/004_query_router.sql

@@ -0,0 +1,38 @@
+-- Split mcpQuery into router + dynamic + deterministic workflows.
+-- mcpQueryRouter is the new entry point (orchestrator).
+-- mcpQuery becomes dynamic-only (leaf).
+-- mcpDeterministic invokes compiled YAML workflows (leaf).
+
+-- Update existing mcpQuery: no longer directly invocable (called via router)
+UPDATE lt_config_workflows
+SET invocable = false,
+    description = 'Dynamic MCP tool orchestration — LLM agentic loop with raw MCP tools'
+WHERE workflow_type = 'mcpQuery';
+
+-- Add mcpQueryRouter (orchestrator — the new entry point)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema)
+VALUES
+  ('mcpQueryRouter', 'long-tail-system', 'engineer', true,
+   'Do anything with tools — browser automation, file operations, HTTP requests, database queries, document processing, and more',
+   '{}',
+   '{"data": {"prompt": "Describe what you want to accomplish using available tools..."}, "metadata": {"source": "dashboard"}}'::jsonb)
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- Add mcpDeterministic (leaf — invokes compiled YAML workflows)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpDeterministic', 'long-tail-system', 'engineer', false,
+   'Deterministic execution — invokes matched compiled YAML workflows with extracted inputs',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- Assign roles
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpQueryRouter', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;
+
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpDeterministic', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;

package/services/db/schemas/005_triage_router.sql

@@ -0,0 +1,37 @@
+-- Split mcpTriage into router + dynamic + deterministic workflows.
+-- mcpTriageRouter is the new entry point (orchestrator).
+-- mcpTriage becomes dynamic-only (leaf).
+-- mcpTriageDeterministic invokes compiled YAML workflows (leaf).
+
+-- Update existing mcpTriage: no longer directly invocable (called via router)
+UPDATE lt_config_workflows
+SET invocable = false,
+    description = 'Dynamic MCP triage — LLM agentic loop for escalation remediation'
+WHERE workflow_type = 'mcpTriage';
+
+-- Add mcpTriageRouter (orchestrator — the new entry point for triage)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpTriageRouter', 'long-tail-system', 'engineer', false,
+   'Triage router — discovers compiled workflows for remediation, routes to deterministic or dynamic triage',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- Add mcpTriageDeterministic (leaf — invokes compiled triage workflows)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpTriageDeterministic', 'long-tail-system', 'engineer', false,
+   'Deterministic triage — invokes matched compiled workflows for escalation remediation',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- Assign roles
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpTriageRouter', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;
+
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpTriageDeterministic', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;

package/services/db/schemas/006_oauth.sql

@@ -0,0 +1,50 @@
+-- ── OAuth token storage ─────────────────────────────────────────────────────
+-- Encrypted per-user, per-provider OAuth tokens for identity and resource OAuth.
+
+CREATE TABLE IF NOT EXISTS lt_oauth_tokens (
+  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id           UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  provider          TEXT NOT NULL,
+  label             TEXT NOT NULL DEFAULT 'default',
+  access_token_enc  TEXT NOT NULL,
+  refresh_token_enc TEXT,
+  token_type        TEXT NOT NULL DEFAULT 'bearer',
+  scopes            TEXT[] NOT NULL DEFAULT '{}',
+  expires_at        TIMESTAMPTZ,
+  provider_user_id  TEXT NOT NULL,
+  provider_email    TEXT,
+  metadata          JSONB,
+  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (user_id, provider, label)
+);
+
+-- Migration: add label column for multiple credentials per provider per user.
+-- Existing rows get 'default'. The unique constraint moves from (user_id, provider)
+-- to (user_id, provider, label).
+ALTER TABLE lt_oauth_tokens ADD COLUMN IF NOT EXISTS label TEXT NOT NULL DEFAULT 'default';
+
+-- Drop old unique constraint if it exists (safe no-op if already migrated)
+DO $$ BEGIN
+  ALTER TABLE lt_oauth_tokens DROP CONSTRAINT IF EXISTS lt_oauth_tokens_user_id_provider_key;
+EXCEPTION WHEN undefined_object THEN NULL;
+END $$;
+
+-- Create the new composite unique constraint (idempotent via IF NOT EXISTS on index)
+CREATE UNIQUE INDEX IF NOT EXISTS lt_oauth_tokens_user_id_provider_label_key
+  ON lt_oauth_tokens (user_id, provider, label);
+
+CREATE INDEX IF NOT EXISTS idx_lt_oauth_tokens_provider
+  ON lt_oauth_tokens (provider, user_id);
+
+CREATE OR REPLACE TRIGGER trg_lt_oauth_tokens_updated_at
+  BEFORE UPDATE ON lt_oauth_tokens
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ── Identity link columns on lt_users ──────────────────────────────────────
+ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS oauth_provider TEXT;
+ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS oauth_provider_id TEXT;
+
+CREATE INDEX IF NOT EXISTS idx_lt_users_oauth
+  ON lt_users (oauth_provider, oauth_provider_id)
+  WHERE oauth_provider IS NOT NULL;

package/services/db/schemas/007_security.sql

@@ -0,0 +1,27 @@
+-- ── Service tokens for external MCP servers ─────────────────────────────────
+CREATE TABLE IF NOT EXISTS lt_service_tokens (
+  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name         TEXT UNIQUE NOT NULL,
+  token_hash   TEXT NOT NULL,
+  server_id    UUID REFERENCES lt_mcp_servers(id) ON DELETE CASCADE,
+  scopes       TEXT[] NOT NULL DEFAULT '{}',
+  expires_at   TIMESTAMPTZ,
+  last_used_at TIMESTAMPTZ,
+  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_service_tokens_server
+  ON lt_service_tokens (server_id);
+
+CREATE OR REPLACE TRIGGER trg_lt_service_tokens_updated_at
+  BEFORE UPDATE ON lt_service_tokens
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ── Audit: who initiated escalations ────────────────────────────────────────
+ALTER TABLE lt_escalations ADD COLUMN IF NOT EXISTS created_by UUID REFERENCES lt_users(id);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_created_by
+  ON lt_escalations (created_by) WHERE created_by IS NOT NULL;
+
+-- ── Scope declarations for MCP servers ──────────────────────────────────────
+ALTER TABLE lt_mcp_servers ADD COLUMN IF NOT EXISTS required_scopes TEXT[] NOT NULL DEFAULT '{}';

package/services/db/schemas/008_bot_accounts.sql

@@ -0,0 +1,30 @@
+-- 008_bot_accounts.sql
+-- Bot/service account support for universal IAM.
+-- Bots live in lt_users (account_type = 'bot') and authenticate via API keys.
+
+-- Add account_type column to lt_users to distinguish human vs bot accounts.
+ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS account_type TEXT NOT NULL DEFAULT 'user';
+
+-- Apply check constraint (idempotent: skip if already exists).
+DO $$ BEGIN
+  ALTER TABLE lt_users ADD CONSTRAINT lt_users_account_type_check
+    CHECK (account_type IN ('user', 'bot'));
+EXCEPTION
+  WHEN duplicate_object THEN NULL;
+END $$;
+
+-- Bot API keys — similar to lt_service_tokens but scoped to a user (bot) account.
+CREATE TABLE IF NOT EXISTS lt_bot_api_keys (
+  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name         TEXT NOT NULL,
+  user_id      UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  key_hash     TEXT NOT NULL,
+  scopes       TEXT[] NOT NULL DEFAULT '{}',
+  expires_at   TIMESTAMPTZ,
+  last_used_at TIMESTAMPTZ,
+  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (user_id, name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_bot_api_keys_user_id ON lt_bot_api_keys (user_id);

package/services/db/schemas/009_audit_trail.sql

@@ -0,0 +1,7 @@
+-- 009_audit_trail.sql
+-- Add IAM audit columns to lt_tasks for identity traceability.
+
+ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS initiated_by UUID REFERENCES lt_users(id) ON DELETE SET NULL;
+ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS principal_type TEXT DEFAULT 'user';
+
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_initiated_by ON lt_tasks (initiated_by) WHERE initiated_by IS NOT NULL;

package/services/db/schemas/010_credential_providers.sql

@@ -0,0 +1,4 @@
+-- Add credential_providers column to lt_mcp_servers
+-- Declares which credential providers a server's tools need
+ALTER TABLE lt_mcp_servers
+  ADD COLUMN IF NOT EXISTS credential_providers TEXT[] NOT NULL DEFAULT '{}';

package/services/db/schemas/011_system_workflow_configs.sql

@@ -0,0 +1,23 @@
+-- Ensure all system leaf workflows have config entries.
+-- Migrations 004/005 tried to UPDATE these but they were never seeded —
+-- the interceptor needs config entries to wrap workflows with lifecycle events.
+
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpQuery', 'long-tail-system', 'engineer', false,
+   'Dynamic MCP tool orchestration — LLM agentic loop with raw MCP tools',
+   '{}'),
+  ('mcpTriage', 'long-tail-system', 'engineer', false,
+   'Dynamic MCP triage — LLM agentic loop for escalation remediation',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
+
+-- Assign roles
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpQuery', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;
+
+INSERT INTO lt_config_roles (workflow_type, role)
+SELECT 'mcpTriage', unnest(ARRAY['reviewer', 'engineer', 'admin'])
+ON CONFLICT (workflow_type, role) DO NOTHING;

package/services/db/schemas/012_drop_modality.sql

@@ -0,0 +1,6 @@
+-- Remove delivery modality — the concept was never used for actual routing.
+-- Alpha cleanup: drop from config, escalations, and tasks tables.
+
+ALTER TABLE lt_config_workflows DROP COLUMN IF EXISTS default_modality;
+ALTER TABLE lt_escalations DROP COLUMN IF EXISTS modality;
+ALTER TABLE lt_tasks DROP COLUMN IF EXISTS modality;

package/services/db/schemas/013_execute_as.sql

@@ -0,0 +1,9 @@
+-- Add execute_as to workflow configs: proxy invocation identity.
+-- When set, workflows run as the named bot instead of the invoking user.
+
+ALTER TABLE lt_config_workflows ADD COLUMN IF NOT EXISTS execute_as TEXT;
+
+-- Add executing_as to tasks: records the actual executing principal
+-- (may differ from initiated_by when proxy invocation is used).
+
+ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS executing_as TEXT;

package/services/db/schemas/014_ephemeral_credentials.sql

@@ -0,0 +1,16 @@
+-- Ephemeral credential store for sensitive fields in waitFor signal payloads.
+-- Supports max_uses (0 = unlimited) and TTL-based expiry.
+
+CREATE TABLE IF NOT EXISTS lt_ephemeral_credentials (
+  token       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  value       BYTEA NOT NULL,
+  label       TEXT,
+  max_uses    INTEGER NOT NULL DEFAULT 0,
+  use_count   INTEGER NOT NULL DEFAULT 0,
+  expires_at  TIMESTAMPTZ,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_ephemeral_expiry
+  ON lt_ephemeral_credentials (expires_at)
+  WHERE expires_at IS NOT NULL;