@hotmeshio/long-tail 0.1.12 → 0.1.13

package/README.md

@@ -1,6 +1,6 @@
 # Long Tail
 
-Turn your PostgreSQL database into a workflow engine with identity-aware durable execution, human-in-the-loop escalation, and MCP tool orchestration.
+Long Tail turns your PostgreSQL database into a workflow engine where human and AI work share the same durable execution path. Hand off, pull back, escalate, automate — without rewriting systems or losing continuity.
 
 ```bash
 npm install @hotmeshio/long-tail

package/build/examples/seed.js

@@ -4,6 +4,7 @@ exports.seedExamples = seedExamples;
 const hotmesh_1 = require("@hotmeshio/hotmesh");
 const defaults_1 = require("../modules/defaults");
 const logger_1 = require("../lib/logger");
+const db_1 = require("../lib/db");
 const user_1 = require("../services/user");
 const roles_1 = require("../services/user/roles");
 const role_1 = require("../services/role");
@@ -211,11 +212,60 @@ async function seedEscalationChains() {
     }
     logger_1.loggerRegistry.info(`[examples] escalation chains verified (${SEED_CHAINS.length} entries)`);
 }
+/**
+ * Seed example workflow configs into lt_config_workflows.
+ * Previously done by 002_seed.sql (which ran unconditionally).
+ * Now only runs when examples: true.
+ */
+async function seedExampleConfigs() {
+    const pool = (0, db_1.getPool)();
+    await pool.query(`
+    INSERT INTO lt_config_workflows
+      (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema, resolver_schema)
+    VALUES
+      ('reviewContent', 'long-tail-examples', 'reviewer', true,
+       'Content review — AI-powered moderation with human escalation for low-confidence results',
+       ARRAY['document-processing', 'vision', 'ocr', 'translation'],
+       '{"data": {"contentId": "article-001", "content": "Content to review...", "contentType": "article"}, "metadata": {"source": "dashboard"}}'::jsonb,
+       '{"approved": true, "analysis": {"confidence": 0.95, "flags": [], "summary": "Manually reviewed and approved."}}'::jsonb),
+      ('verifyDocument', 'long-tail-examples', 'reviewer', true,
+       'Document verification — AI Vision analyzes identity documents',
+       ARRAY['document-processing', 'vision', 'ocr', 'translation'],
+       '{"data": {"documentId": "doc-001", "documentUrl": "https://example.com/doc.jpg", "documentType": "drivers_license", "memberId": "member-12345"}, "metadata": {"source": "dashboard"}}'::jsonb,
+       '{"memberId": "", "extractedInfo": {}, "validationResult": "match", "confidence": 1.0}'::jsonb),
+      ('processClaim', 'long-tail-examples', 'reviewer', true,
+       'Insurance claim processing — document analysis, validation, and human review',
+       ARRAY['document-processing', 'vision', 'database', 'query'],
+       '{"data": {"claimId": "CLM-2024-001", "claimantId": "POL-5551234", "claimType": "auto_collision", "amount": 12500, "documents": ["incident_report.pdf", "photo_evidence.jpg"]}, "metadata": {"source": "dashboard"}}'::jsonb,
+       '{"approved": true, "analysis": {"confidence": 0.92, "flags": [], "summary": "Documents reviewed and verified."}, "status": "resolved"}'::jsonb),
+      ('kitchenSink', 'long-tail-examples', 'reviewer', true,
+       'Kitchen sink — demonstrates sleep, signals, parallel activities, escalation, and every durable primitive',
+       '{}',
+       '{"data": {"name": "World", "mode": "full"}, "metadata": {"source": "dashboard"}}'::jsonb,
+       NULL),
+      ('basicSignal', 'long-tail-examples', 'reviewer', true,
+       'Signal-based escalation — workflow stays running while waiting for human input via conditionLT',
+       '{}',
+       '{"data": {"message": "Deployment approval needed for v2.1.0", "role": "reviewer"}, "metadata": {"certified": false, "source": "dashboard"}}'::jsonb,
+       '{"properties": {"approved": {"type": "boolean", "default": false, "description": "Approve this deployment?"}, "notes": {"type": "string", "default": "", "description": "Reviewer notes — visible to the workflow author"}}}'::jsonb)
+    ON CONFLICT (workflow_type) DO NOTHING
+  `);
+    // Assign roles to example workflows
+    await pool.query(`
+    INSERT INTO lt_config_roles (workflow_type, role)
+    SELECT workflow_type, unnest(ARRAY['reviewer', 'engineer', 'admin'])
+    FROM lt_config_workflows
+    WHERE workflow_type IN ('reviewContent', 'verifyDocument', 'processClaim', 'kitchenSink')
+    ON CONFLICT (workflow_type, role) DO NOTHING
+  `);
+    logger_1.loggerRegistry.info('[examples] workflow configs seeded');
+}
 /**
  * Seed example workflows so the dashboard tells a story immediately.
  * Called automatically when `examples: true` is set in the start config.
  */
 async function seedExamples(client) {
+    await seedExampleConfigs();
     await seedRoles();
     await seedUsers();
     await seedEscalationChains();

package/build/lib/db/schemas/001_schema.sql

@@ -1,5 +1,5 @@
 -- Long Tail Workflows: Schema
--- Tasks track workflow executions; escalations track human interventions.
+-- All tables, indexes, triggers, and functions.
 
 -- ─── updated_at trigger ─────────────────────────────────────────────────────
 
@@ -28,28 +28,31 @@ ON CONFLICT DO NOTHING;
 -- ─── lt_tasks ────────────────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_tasks (
-  id              UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  workflow_id     TEXT NOT NULL,
-  workflow_type   TEXT NOT NULL,
-  lt_type         TEXT NOT NULL,
-  task_queue      TEXT,
-  status          TEXT NOT NULL DEFAULT 'pending',
-  priority        INTEGER NOT NULL DEFAULT 2,
-  signal_id       TEXT NOT NULL,
+  id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  workflow_id        TEXT NOT NULL,
+  workflow_type      TEXT NOT NULL,
+  lt_type            TEXT NOT NULL,
+  task_queue         TEXT,
+  status             TEXT NOT NULL DEFAULT 'pending',
+  priority           INTEGER NOT NULL DEFAULT 2,
+  signal_id          TEXT NOT NULL,
   parent_workflow_id TEXT NOT NULL,
-  origin_id       TEXT,
-  parent_id       TEXT,
-  started_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  completed_at    TIMESTAMPTZ,
-  envelope        TEXT NOT NULL,
-  metadata        JSONB,
-  error           TEXT,
-  milestones      JSONB NOT NULL DEFAULT '[]'::JSONB,
-  data            TEXT,
-  trace_id        TEXT,
-  span_id         TEXT,
-  created_at      TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at      TIMESTAMPTZ NOT NULL DEFAULT NOW()
+  origin_id          TEXT,
+  parent_id          TEXT,
+  started_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  completed_at       TIMESTAMPTZ,
+  envelope           TEXT NOT NULL,
+  metadata           JSONB,
+  error              TEXT,
+  milestones         JSONB NOT NULL DEFAULT '[]'::JSONB,
+  data               TEXT,
+  trace_id           TEXT,
+  span_id            TEXT,
+  initiated_by       UUID,
+  principal_type     TEXT DEFAULT 'user',
+  executing_as       TEXT,
+  created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
 CREATE INDEX IF NOT EXISTS idx_lt_tasks_status_type ON lt_tasks (status, workflow_type, created_at DESC);
@@ -61,39 +64,80 @@ CREATE INDEX IF NOT EXISTS idx_lt_tasks_origin ON lt_tasks (origin_id, created_a
 CREATE INDEX IF NOT EXISTS idx_lt_tasks_workflow_id ON lt_tasks (workflow_id);
 CREATE INDEX IF NOT EXISTS idx_lt_tasks_origin_id ON lt_tasks (origin_id) WHERE origin_id IS NOT NULL;
 CREATE INDEX IF NOT EXISTS idx_lt_tasks_trace ON lt_tasks (trace_id) WHERE trace_id IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_lt_tasks_initiated_by ON lt_tasks (initiated_by) WHERE initiated_by IS NOT NULL;
 
 CREATE OR REPLACE TRIGGER trg_lt_tasks_updated_at
   BEFORE UPDATE ON lt_tasks
   FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
 
+-- ─── lt_users ────────────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_users (
+  id               UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  external_id      TEXT UNIQUE NOT NULL,
+  email            TEXT,
+  display_name     TEXT,
+  password_hash    TEXT,
+  status           TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended')),
+  account_type     TEXT NOT NULL DEFAULT 'user' CHECK (account_type IN ('user', 'bot')),
+  oauth_provider   TEXT,
+  oauth_provider_id TEXT,
+  metadata         JSONB,
+  created_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at       TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_users_status ON lt_users (status);
+CREATE INDEX IF NOT EXISTS idx_lt_users_oauth
+  ON lt_users (oauth_provider, oauth_provider_id)
+  WHERE oauth_provider IS NOT NULL;
+
+CREATE TRIGGER lt_users_updated_at
+  BEFORE UPDATE ON lt_users
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_user_roles ───────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_user_roles (
+  user_id    UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  role       TEXT NOT NULL REFERENCES lt_roles(role),
+  type       TEXT NOT NULL DEFAULT 'member' CHECK (type IN ('superadmin', 'admin', 'member')),
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (user_id, role)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_user_roles_type ON lt_user_roles (type);
+CREATE INDEX IF NOT EXISTS idx_lt_user_roles_user_id ON lt_user_roles (user_id);
+
 -- ─── lt_escalations ─────────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_escalations (
-  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  type              TEXT NOT NULL,
-  subtype           TEXT NOT NULL,
-  description       TEXT,
-  status            TEXT NOT NULL DEFAULT 'pending',
-  priority          INTEGER NOT NULL DEFAULT 2,
-  task_id           UUID REFERENCES lt_tasks(id),
-  origin_id         TEXT,
-  parent_id         TEXT,
-  workflow_id       TEXT,
-  task_queue        TEXT,
-  workflow_type     TEXT,
-  role              TEXT NOT NULL REFERENCES lt_roles(role),
-  assigned_to       TEXT,
-  assigned_until    TIMESTAMPTZ,
-  resolved_at       TIMESTAMPTZ,
-  claimed_at        TIMESTAMPTZ,
-  envelope          TEXT NOT NULL,
-  metadata          JSONB,
+  id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  type               TEXT NOT NULL,
+  subtype            TEXT NOT NULL,
+  description        TEXT,
+  status             TEXT NOT NULL DEFAULT 'pending',
+  priority           INTEGER NOT NULL DEFAULT 2,
+  task_id            UUID REFERENCES lt_tasks(id),
+  origin_id          TEXT,
+  parent_id          TEXT,
+  workflow_id        TEXT,
+  task_queue         TEXT,
+  workflow_type      TEXT,
+  role               TEXT NOT NULL REFERENCES lt_roles(role),
+  assigned_to        TEXT,
+  assigned_until     TIMESTAMPTZ,
+  resolved_at        TIMESTAMPTZ,
+  claimed_at         TIMESTAMPTZ,
+  created_by         UUID,
+  envelope           TEXT NOT NULL,
+  metadata           JSONB,
   escalation_payload TEXT,
-  resolver_payload  TEXT,
-  trace_id          TEXT,
-  span_id           TEXT,
-  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW()
+  resolver_payload   TEXT,
+  trace_id           TEXT,
+  span_id            TEXT,
+  created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
 CREATE INDEX IF NOT EXISTS idx_lt_escalations_available ON lt_escalations (status, role, assigned_until, created_at DESC);
@@ -113,44 +157,12 @@ CREATE INDEX IF NOT EXISTS idx_lt_escalations_trace ON lt_escalations (trace_id)
 CREATE INDEX IF NOT EXISTS idx_lt_escalations_created_desc ON lt_escalations (created_at DESC);
 CREATE INDEX IF NOT EXISTS idx_lt_escalations_updated_desc ON lt_escalations (updated_at DESC);
 CREATE INDEX IF NOT EXISTS idx_lt_escalations_priority_desc ON lt_escalations (priority DESC, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_lt_escalations_created_by ON lt_escalations (created_by) WHERE created_by IS NOT NULL;
 
 CREATE OR REPLACE TRIGGER trg_lt_escalations_updated_at
   BEFORE UPDATE ON lt_escalations
   FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
 
--- ─── lt_users ────────────────────────────────────────────────────────────────
-
-CREATE TABLE IF NOT EXISTS lt_users (
-  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  external_id   TEXT UNIQUE NOT NULL,
-  email         TEXT,
-  display_name  TEXT,
-  password_hash TEXT,
-  status        TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active', 'inactive', 'suspended')),
-  metadata      JSONB,
-  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE TRIGGER lt_users_updated_at
-  BEFORE UPDATE ON lt_users
-  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
-
-CREATE INDEX IF NOT EXISTS idx_lt_users_status ON lt_users (status);
-
--- ─── lt_user_roles ───────────────────────────────────────────────────────────
-
-CREATE TABLE IF NOT EXISTS lt_user_roles (
-  user_id    UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
-  role       TEXT NOT NULL REFERENCES lt_roles(role),
-  type       TEXT NOT NULL DEFAULT 'member' CHECK (type IN ('superadmin', 'admin', 'member')),
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  PRIMARY KEY (user_id, role)
-);
-
-CREATE INDEX IF NOT EXISTS idx_lt_user_roles_type ON lt_user_roles (type);
-CREATE INDEX IF NOT EXISTS idx_lt_user_roles_user_id ON lt_user_roles (user_id);
-
 -- ─── lt_config_workflows ────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_config_workflows (
@@ -193,24 +205,38 @@ CREATE TABLE IF NOT EXISTS lt_config_invocation_roles (
   UNIQUE(workflow_type, role)
 );
 
+-- ─── lt_config_role_escalations ─────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_config_role_escalations (
+  source_role TEXT NOT NULL REFERENCES lt_roles(role),
+  target_role TEXT NOT NULL REFERENCES lt_roles(role),
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  PRIMARY KEY (source_role, target_role)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_config_role_escalations_source
+  ON lt_config_role_escalations (source_role);
+
 -- ─── lt_mcp_servers ─────────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_mcp_servers (
-  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  name              TEXT UNIQUE NOT NULL,
-  description       TEXT,
-  transport_type    TEXT NOT NULL CHECK (transport_type IN ('stdio', 'sse')),
-  transport_config  JSONB NOT NULL DEFAULT '{}'::JSONB,
-  auto_connect      BOOLEAN NOT NULL DEFAULT false,
-  tool_manifest     JSONB,
-  status            TEXT NOT NULL DEFAULT 'registered'
-                      CHECK (status IN ('registered', 'connected', 'error', 'disconnected')),
-  last_connected_at TIMESTAMPTZ,
-  metadata          JSONB,
-  tags              TEXT[] NOT NULL DEFAULT '{}',
-  compile_hints     TEXT,
-  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW()
+  id                   UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name                 TEXT UNIQUE NOT NULL,
+  description          TEXT,
+  transport_type       TEXT NOT NULL CHECK (transport_type IN ('stdio', 'sse', 'streamable-http')),
+  transport_config     JSONB NOT NULL DEFAULT '{}'::JSONB,
+  auto_connect         BOOLEAN NOT NULL DEFAULT false,
+  tool_manifest        JSONB,
+  status               TEXT NOT NULL DEFAULT 'registered'
+                         CHECK (status IN ('registered', 'connected', 'error', 'disconnected')),
+  last_connected_at    TIMESTAMPTZ,
+  metadata             JSONB,
+  tags                 TEXT[] NOT NULL DEFAULT '{}',
+  compile_hints        TEXT,
+  required_scopes      TEXT[] NOT NULL DEFAULT '{}',
+  credential_providers TEXT[] NOT NULL DEFAULT '{}',
+  created_at           TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at           TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
 
 CREATE INDEX IF NOT EXISTS idx_lt_mcp_servers_name ON lt_mcp_servers (name);
@@ -222,18 +248,6 @@ CREATE OR REPLACE TRIGGER trg_lt_mcp_servers_updated_at
   BEFORE UPDATE ON lt_mcp_servers
   FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
 
--- ─── lt_config_role_escalations ─────────────────────────────────────────────
-
-CREATE TABLE IF NOT EXISTS lt_config_role_escalations (
-  source_role TEXT NOT NULL REFERENCES lt_roles(role),
-  target_role TEXT NOT NULL REFERENCES lt_roles(role),
-  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  PRIMARY KEY (source_role, target_role)
-);
-
-CREATE INDEX IF NOT EXISTS idx_lt_config_role_escalations_source
-  ON lt_config_role_escalations (source_role);
-
 -- ─── lt_yaml_workflows ──────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_yaml_workflows (
@@ -261,6 +275,12 @@ CREATE TABLE IF NOT EXISTS lt_yaml_workflows (
   cron_schedule            TEXT,
   cron_envelope            JSONB,
   execute_as               TEXT,
+  original_prompt          TEXT,
+  category                 TEXT,
+  search_vector            TSVECTOR,
+  set_id                   UUID,
+  set_role                 TEXT CHECK (set_role IN ('leaf', 'composition', 'router')),
+  set_build_order          INTEGER,
   created_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   updated_at               TIMESTAMPTZ NOT NULL DEFAULT NOW()
 );
@@ -268,11 +288,36 @@ CREATE TABLE IF NOT EXISTS lt_yaml_workflows (
 CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_status ON lt_yaml_workflows (status);
 CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_app_id ON lt_yaml_workflows (app_id);
 CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_tags ON lt_yaml_workflows USING GIN (tags);
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_search ON lt_yaml_workflows USING GIN (search_vector);
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_category ON lt_yaml_workflows (category) WHERE category IS NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_set_id ON lt_yaml_workflows (set_id) WHERE set_id IS NOT NULL;
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_lt_yaml_workflows_app_topic_unique
+  ON lt_yaml_workflows (app_id, graph_topic)
+  WHERE status != 'archived';
 
 CREATE OR REPLACE TRIGGER trg_lt_yaml_workflows_updated_at
   BEFORE UPDATE ON lt_yaml_workflows
   FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
 
+-- Full-text search trigger
+CREATE OR REPLACE FUNCTION lt_yaml_workflows_search_vector_update()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.search_vector :=
+    setweight(to_tsvector('english', coalesce(NEW.name, '')), 'A') ||
+    setweight(to_tsvector('english', coalesce(NEW.original_prompt, '')), 'A') ||
+    setweight(to_tsvector('english', coalesce(NEW.description, '')), 'B') ||
+    setweight(to_tsvector('english', coalesce(NEW.category, '')), 'C') ||
+    setweight(to_tsvector('english', coalesce(array_to_string(NEW.tags, ' '), '')), 'C');
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE OR REPLACE TRIGGER trg_lt_yaml_workflows_search_vector
+  BEFORE INSERT OR UPDATE ON lt_yaml_workflows
+  FOR EACH ROW EXECUTE FUNCTION lt_yaml_workflows_search_vector_update();
+
 -- ─── lt_yaml_workflow_versions ──────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_yaml_workflow_versions (
@@ -292,6 +337,136 @@ CREATE TABLE IF NOT EXISTS lt_yaml_workflow_versions (
 CREATE INDEX IF NOT EXISTS idx_lt_yaml_wf_versions_workflow
   ON lt_yaml_workflow_versions (workflow_id, version DESC);
 
+-- ─── lt_workflow_sets ───────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_workflow_sets (
+  id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name               TEXT UNIQUE NOT NULL,
+  description        TEXT,
+  specification      TEXT NOT NULL,
+  plan               JSONB NOT NULL DEFAULT '[]'::JSONB,
+  namespaces         TEXT[] NOT NULL DEFAULT '{}',
+  status             TEXT NOT NULL DEFAULT 'planning'
+                       CHECK (status IN ('planning','planned','building','deploying','completed','failed')),
+  source_workflow_id TEXT,
+  created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE OR REPLACE TRIGGER trg_lt_workflow_sets_updated_at
+  BEFORE UPDATE ON lt_workflow_sets
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- Add FK for lt_yaml_workflows.set_id (table already exists, add constraint)
+DO $$ BEGIN
+  ALTER TABLE lt_yaml_workflows ADD CONSTRAINT fk_lt_yaml_workflows_set_id
+    FOREIGN KEY (set_id) REFERENCES lt_workflow_sets(id) ON DELETE SET NULL;
+EXCEPTION
+  WHEN duplicate_object THEN NULL;
+END $$;
+
+-- ─── lt_oauth_tokens ────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_oauth_tokens (
+  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id           UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  provider          TEXT NOT NULL,
+  label             TEXT NOT NULL DEFAULT 'default',
+  access_token_enc  TEXT NOT NULL,
+  refresh_token_enc TEXT,
+  token_type        TEXT NOT NULL DEFAULT 'bearer',
+  scopes            TEXT[] NOT NULL DEFAULT '{}',
+  expires_at        TIMESTAMPTZ,
+  provider_user_id  TEXT NOT NULL,
+  provider_email    TEXT,
+  metadata          JSONB,
+  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (user_id, provider, label)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_oauth_tokens_provider
+  ON lt_oauth_tokens (provider, user_id);
+
+CREATE OR REPLACE TRIGGER trg_lt_oauth_tokens_updated_at
+  BEFORE UPDATE ON lt_oauth_tokens
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_service_tokens ──────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_service_tokens (
+  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name         TEXT UNIQUE NOT NULL,
+  token_hash   TEXT NOT NULL,
+  server_id    UUID REFERENCES lt_mcp_servers(id) ON DELETE CASCADE,
+  scopes       TEXT[] NOT NULL DEFAULT '{}',
+  expires_at   TIMESTAMPTZ,
+  last_used_at TIMESTAMPTZ,
+  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_service_tokens_server
+  ON lt_service_tokens (server_id);
+
+CREATE OR REPLACE TRIGGER trg_lt_service_tokens_updated_at
+  BEFORE UPDATE ON lt_service_tokens
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
+-- ─── lt_bot_api_keys ────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_bot_api_keys (
+  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  name         TEXT NOT NULL,
+  user_id      UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
+  key_hash     TEXT NOT NULL,
+  scopes       TEXT[] NOT NULL DEFAULT '{}',
+  expires_at   TIMESTAMPTZ,
+  last_used_at TIMESTAMPTZ,
+  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE (user_id, name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_bot_api_keys_user_id ON lt_bot_api_keys (user_id);
+
+-- ─── lt_ephemeral_credentials ───────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_ephemeral_credentials (
+  token       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  value       BYTEA NOT NULL,
+  label       TEXT,
+  max_uses    INTEGER NOT NULL DEFAULT 0,
+  use_count   INTEGER NOT NULL DEFAULT 0,
+  expires_at  TIMESTAMPTZ,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_ephemeral_expiry
+  ON lt_ephemeral_credentials (expires_at)
+  WHERE expires_at IS NOT NULL;
+
+-- ─── lt_knowledge ───────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS lt_knowledge (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  domain      TEXT NOT NULL,
+  key         TEXT NOT NULL,
+  data        JSONB NOT NULL DEFAULT '{}',
+  tags        TEXT[] NOT NULL DEFAULT '{}',
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  UNIQUE(domain, key)
+);
+
+CREATE INDEX IF NOT EXISTS idx_lt_knowledge_domain ON lt_knowledge (domain);
+CREATE INDEX IF NOT EXISTS idx_lt_knowledge_tags ON lt_knowledge USING GIN (tags);
+CREATE INDEX IF NOT EXISTS idx_lt_knowledge_data ON lt_knowledge USING GIN (data);
+
+CREATE TRIGGER lt_knowledge_updated_at
+  BEFORE UPDATE ON lt_knowledge
+  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
+
 -- ─── lt_namespaces ──────────────────────────────────────────────────────────
 
 CREATE TABLE IF NOT EXISTS lt_namespaces (

package/build/lib/db/schemas/002_seed.sql

@@ -1,6 +1,7 @@
--- Seed data: workflow configs, MCP servers, escalation chains.
+-- System seed data: built-in MCP server, system workflow configs, escalation chains.
+-- Example workflow configs are seeded at runtime when examples: true.
 
--- ─── MCP servers ────────────────────────────────────────────────────────────
+-- ─── Built-in MCP server ───────────────────────────────────────────────────
 
 INSERT INTO lt_mcp_servers (name, description, transport_type, transport_config, auto_connect, status)
 VALUES (
@@ -24,52 +25,68 @@ INSERT INTO lt_config_role_escalations (source_role, target_role) VALUES
   ('admin',     'superadmin')
 ON CONFLICT DO NOTHING;
 
--- ─── Example workflows (all directly invocable) ────────────────────────────
+-- ─── System workflow configs ────────────────────────────────────────────────
 
 INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema, resolver_schema)
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
 VALUES
-  -- Review content
-  ('reviewContent', 'long-tail-examples', 'reviewer', true,
-   'Content review — AI-powered moderation with human escalation for low-confidence results',
-   ARRAY['document-processing', 'vision', 'ocr', 'translation'],
-   '{"data": {"contentId": "article-001", "content": "Content to review...", "contentType": "article"}, "metadata": {"source": "dashboard"}}'::jsonb,
-   '{"approved": true, "analysis": {"confidence": 0.95, "flags": [], "summary": "Manually reviewed and approved."}}'::jsonb),
+  ('mcpQuery', 'long-tail-system', 'engineer', false,
+   'Dynamic MCP tool orchestration — LLM agentic loop with raw MCP tools',
+   '{}'),
+  ('mcpTriage', 'long-tail-system', 'engineer', false,
+   'Dynamic MCP triage — LLM agentic loop for escalation remediation',
+   '{}'),
+  ('mcpWorkflowBuilder', 'long-tail-system', 'engineer', false,
+   'Direct pipeline builder — LLM constructs DAG from tool schemas',
+   '{}'),
+  ('mcpWorkflowPlanner', 'long-tail-system', 'engineer', false,
+   'Plan mode — decomposes specifications into multi-workflow sets',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
 
-  -- Verify document
-  ('verifyDocument', 'long-tail-examples', 'reviewer', true,
-   'Document verification — AI Vision analyzes identity documents',
-   ARRAY['document-processing', 'vision', 'ocr', 'translation'],
-   '{"data": {"documentId": "doc-001", "documentUrl": "https://example.com/doc.jpg", "documentType": "drivers_license", "memberId": "member-12345"}, "metadata": {"source": "dashboard"}}'::jsonb,
-   '{"memberId": "", "extractedInfo": {}, "validationResult": "match", "confidence": 1.0}'::jsonb),
+-- Query router (orchestrator entry point)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema)
+VALUES
+  ('mcpQueryRouter', 'long-tail-system', 'engineer', true,
+   'Do anything with tools — browser automation, file operations, HTTP requests, database queries, document processing, and more',
+   '{}',
+   '{"data": {"prompt": "Describe what you want to accomplish using available tools..."}, "metadata": {"source": "dashboard"}}'::jsonb)
+ON CONFLICT (workflow_type) DO NOTHING;
 
-  -- Process claim
-  ('processClaim', 'long-tail-examples', 'reviewer', true,
-   'Insurance claim processing — document analysis, validation, and human review',
-   ARRAY['document-processing', 'vision', 'database', 'query'],
-   '{"data": {"claimId": "CLM-2024-001", "claimantId": "POL-5551234", "claimType": "auto_collision", "amount": 12500, "documents": ["incident_report.pdf", "photo_evidence.jpg"]}, "metadata": {"source": "dashboard"}}'::jsonb,
-   '{"approved": true, "analysis": {"confidence": 0.92, "flags": [], "summary": "Documents reviewed and verified."}, "status": "resolved"}'::jsonb),
+-- Deterministic execution (compiled YAML workflows)
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpDeterministic', 'long-tail-system', 'engineer', false,
+   'Deterministic execution — invokes matched compiled YAML workflows with extracted inputs',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
 
-  -- Kitchen sink
-  ('kitchenSink', 'long-tail-examples', 'reviewer', true,
-   'Kitchen sink — demonstrates sleep, signals, parallel activities, escalation, and every durable primitive',
-   '{}',
-   '{"data": {"name": "World", "mode": "full"}, "metadata": {"source": "dashboard"}}'::jsonb,
-   NULL),
+-- Triage router
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpTriageRouter', 'long-tail-system', 'engineer', false,
+   'Triage router — discovers compiled workflows for remediation, routes to deterministic or dynamic triage',
+   '{}')
+ON CONFLICT (workflow_type) DO NOTHING;
 
-  -- Basic signal (configured, NOT certified — no escalation roles)
-  ('basicSignal', 'long-tail-examples', 'reviewer', true,
-   'Signal-based escalation — workflow stays running while waiting for human input via conditionLT',
-   '{}',
-   '{"data": {"message": "Deployment approval needed for v2.1.0", "role": "reviewer"}, "metadata": {"certified": false, "source": "dashboard"}}'::jsonb,
-   '{"properties": {"approved": {"type": "boolean", "default": false, "description": "Approve this deployment?"}, "notes": {"type": "string", "default": "", "description": "Reviewer notes — visible to the workflow author"}}}'::jsonb)
+-- Triage deterministic
+INSERT INTO lt_config_workflows
+  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
+VALUES
+  ('mcpTriageDeterministic', 'long-tail-system', 'engineer', false,
+   'Deterministic triage — invokes matched compiled workflows for escalation remediation',
+   '{}')
 ON CONFLICT (workflow_type) DO NOTHING;
 
--- ─── Assign roles to all workflows ──────────────────────────────────────────
+-- ─── Assign roles to all system workflows ──────────────────────────────────
 
 INSERT INTO lt_config_roles (workflow_type, role)
-SELECT workflow_type, unnest(ARRAY['reviewer', 'engineer', 'admin'])
-FROM lt_config_workflows
-WHERE workflow_type != 'basicSignal'
+SELECT wt, unnest(ARRAY['reviewer', 'engineer', 'admin'])
+FROM unnest(ARRAY[
+  'mcpQuery', 'mcpTriage', 'mcpWorkflowBuilder', 'mcpWorkflowPlanner',
+  'mcpQueryRouter', 'mcpDeterministic', 'mcpTriageRouter', 'mcpTriageDeterministic'
+]) AS wt
 ON CONFLICT (workflow_type, role) DO NOTHING;
-

package/build/services/mcp/server.js

@@ -64,6 +64,10 @@ const claimAndResolveSchema = zod_1.z.object({
     resolver_id: zod_1.z.string().describe('Identifier for who/what is resolving'),
     payload: zod_1.z.record(zod_1.z.any()).describe('Resolution payload data'),
 });
+const resolveEscalationSchema = zod_1.z.object({
+    escalation_id: zod_1.z.string().describe('The escalation ID to resolve'),
+    payload: zod_1.z.record(zod_1.z.any()).describe('Resolution payload data'),
+});
 const escalateAndWaitSchema = zod_1.z.object({
     role: zod_1.z.string().describe('Target role for the escalation (e.g., "reviewer")'),
     message: zod_1.z.string().describe('Description of what input is needed from the human'),
@@ -218,6 +222,33 @@ async function createHumanQueueServer(options) {
                 }],
         };
     });
+    // ── resolve_escalation ──────────────────────────────────────────────
+    server.registerTool('resolve_escalation', {
+        title: 'Resolve Escalation',
+        description: 'Resolve an already-claimed escalation with a payload. Use when the claim happened externally (e.g. via API).',
+        inputSchema: resolveEscalationSchema,
+    }, async (args) => {
+        const resolved = await escalationService.resolveEscalation(args.escalation_id, args.payload);
+        if (!resolved) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({ error: 'Failed to resolve escalation' }),
+                    }],
+                isError: true,
+            };
+        }
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        escalation_id: resolved.id,
+                        status: resolved.status,
+                        resolved_at: resolved.resolved_at,
+                    }),
+                }],
+        };
+    });
     // ── escalate_and_wait ──────────────────────────────────────────────
     server.registerTool('escalate_and_wait', {
         title: 'Escalate and Wait',

package/build/system/mcp-servers/human-queue.js

@@ -64,6 +64,10 @@ const claimAndResolveSchema = zod_1.z.object({
     resolver_id: zod_1.z.string().describe('Identifier for who/what is resolving'),
     payload: zod_1.z.record(zod_1.z.any()).describe('Resolution payload data'),
 });
+const resolveEscalationSchema = zod_1.z.object({
+    escalation_id: zod_1.z.string().describe('The escalation ID to resolve'),
+    payload: zod_1.z.record(zod_1.z.any()).describe('Resolution payload data'),
+});
 const escalateAndWaitSchema = zod_1.z.object({
     role: zod_1.z.string().describe('Target role for the escalation (e.g., "reviewer")'),
     message: zod_1.z.string().describe('Description of what input is needed from the human'),
@@ -218,6 +222,33 @@ async function createHumanQueueServer(options) {
                 }],
         };
     });
+    // ── resolve_escalation ──────────────────────────────────────────────
+    server.registerTool('resolve_escalation', {
+        title: 'Resolve Escalation',
+        description: 'Resolve an already-claimed escalation with a payload. Use when the claim happened externally (e.g. via API).',
+        inputSchema: resolveEscalationSchema,
+    }, async (args) => {
+        const resolved = await escalationService.resolveEscalation(args.escalation_id, args.payload);
+        if (!resolved) {
+            return {
+                content: [{
+                        type: 'text',
+                        text: JSON.stringify({ error: 'Failed to resolve escalation' }),
+                    }],
+                isError: true,
+            };
+        }
+        return {
+            content: [{
+                    type: 'text',
+                    text: JSON.stringify({
+                        escalation_id: resolved.id,
+                        status: resolved.status,
+                        resolved_at: resolved.resolved_at,
+                    }),
+                }],
+        };
+    });
     // ── escalate_and_wait ──────────────────────────────────────────────
     server.registerTool('escalate_and_wait', {
         title: 'Escalate and Wait',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hotmeshio/long-tail",
-  "version": "0.1.12",
+  "version": "0.1.13",
   "description": "Long Tail Workflows — Durable AI workflows with human-in-the-loop escalation. Powered by PostgreSQL.",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -61,7 +61,7 @@
   "dependencies": {
     "@anthropic-ai/sdk": "^0.92.0",
     "@aws-sdk/client-s3": "^3.1017.0",
-    "@hotmeshio/hotmesh": "^0.14.4",
+    "@hotmeshio/hotmesh": "^0.14.7",
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@opentelemetry/exporter-trace-otlp-proto": "^0.215.0",
     "@opentelemetry/resources": "^2.5.1",

package/build/lib/db/schemas/003_workflow_discovery.sql

@@ -1,39 +0,0 @@
--- Workflow discovery: full-text search, original prompt, and category.
-
--- Original prompt that spawned this workflow (richest semantic signal)
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS original_prompt TEXT;
-
--- Capability category derived from tool usage patterns
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS category TEXT;
-
--- Full-text search vector, auto-maintained by trigger
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS search_vector TSVECTOR;
-
--- GIN index on search_vector for fast full-text search
-CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_search
-  ON lt_yaml_workflows USING GIN (search_vector);
-
--- Index on category for filtered queries
-CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_category
-  ON lt_yaml_workflows (category) WHERE category IS NOT NULL;
-
--- Trigger: rebuild search_vector from name, description, tags, original_prompt, category
-CREATE OR REPLACE FUNCTION lt_yaml_workflows_search_vector_update()
-RETURNS TRIGGER AS $$
-BEGIN
-  NEW.search_vector :=
-    setweight(to_tsvector('english', coalesce(NEW.name, '')), 'A') ||
-    setweight(to_tsvector('english', coalesce(NEW.original_prompt, '')), 'A') ||
-    setweight(to_tsvector('english', coalesce(NEW.description, '')), 'B') ||
-    setweight(to_tsvector('english', coalesce(NEW.category, '')), 'C') ||
-    setweight(to_tsvector('english', coalesce(array_to_string(NEW.tags, ' '), '')), 'C');
-  RETURN NEW;
-END;
-$$ LANGUAGE plpgsql;
-
-CREATE OR REPLACE TRIGGER trg_lt_yaml_workflows_search_vector
-  BEFORE INSERT OR UPDATE ON lt_yaml_workflows
-  FOR EACH ROW EXECUTE FUNCTION lt_yaml_workflows_search_vector_update();
-
--- Backfill search_vector for existing rows
-UPDATE lt_yaml_workflows SET updated_at = NOW();

package/build/lib/db/schemas/004_query_router.sql

@@ -1,38 +0,0 @@
--- Split mcpQuery into router + dynamic + deterministic workflows.
--- mcpQueryRouter is the new entry point (orchestrator).
--- mcpQuery becomes dynamic-only (leaf).
--- mcpDeterministic invokes compiled YAML workflows (leaf).
-
--- Update existing mcpQuery: no longer directly invocable (called via router)
-UPDATE lt_config_workflows
-SET invocable = false,
-    description = 'Dynamic MCP tool orchestration — LLM agentic loop with raw MCP tools'
-WHERE workflow_type = 'mcpQuery';
-
--- Add mcpQueryRouter (orchestrator — the new entry point)
-INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags, envelope_schema)
-VALUES
-  ('mcpQueryRouter', 'long-tail-system', 'engineer', true,
-   'Do anything with tools — browser automation, file operations, HTTP requests, database queries, document processing, and more',
-   '{}',
-   '{"data": {"prompt": "Describe what you want to accomplish using available tools..."}, "metadata": {"source": "dashboard"}}'::jsonb)
-ON CONFLICT (workflow_type) DO NOTHING;
-
--- Add mcpDeterministic (leaf — invokes compiled YAML workflows)
-INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
-VALUES
-  ('mcpDeterministic', 'long-tail-system', 'engineer', false,
-   'Deterministic execution — invokes matched compiled YAML workflows with extracted inputs',
-   '{}')
-ON CONFLICT (workflow_type) DO NOTHING;
-
--- Assign roles
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpQueryRouter', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;
-
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpDeterministic', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;

package/build/lib/db/schemas/004_workflow_sets.sql

@@ -1,29 +0,0 @@
--- Workflow sets: groups of related workflows produced by plan mode.
-
-CREATE TABLE IF NOT EXISTS lt_workflow_sets (
-  id                 UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  name               TEXT UNIQUE NOT NULL,
-  description        TEXT,
-  specification      TEXT NOT NULL,
-  plan               JSONB NOT NULL DEFAULT '[]'::JSONB,
-  namespaces         TEXT[] NOT NULL DEFAULT '{}',
-  status             TEXT NOT NULL DEFAULT 'planning'
-                       CHECK (status IN ('planning','planned','building','deploying','completed','failed')),
-  source_workflow_id TEXT,
-  created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE OR REPLACE TRIGGER trg_lt_workflow_sets_updated_at
-  BEFORE UPDATE ON lt_workflow_sets
-  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
-
--- Extend lt_yaml_workflows with set membership columns
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS set_id UUID
-  REFERENCES lt_workflow_sets(id) ON DELETE SET NULL;
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS set_role TEXT
-  CHECK (set_role IN ('leaf', 'composition', 'router'));
-ALTER TABLE lt_yaml_workflows ADD COLUMN IF NOT EXISTS set_build_order INTEGER;
-
-CREATE INDEX IF NOT EXISTS idx_lt_yaml_workflows_set_id
-  ON lt_yaml_workflows (set_id) WHERE set_id IS NOT NULL;

package/build/lib/db/schemas/005_triage_router.sql

@@ -1,37 +0,0 @@
--- Split mcpTriage into router + dynamic + deterministic workflows.
--- mcpTriageRouter is the new entry point (orchestrator).
--- mcpTriage becomes dynamic-only (leaf).
--- mcpTriageDeterministic invokes compiled YAML workflows (leaf).
-
--- Update existing mcpTriage: no longer directly invocable (called via router)
-UPDATE lt_config_workflows
-SET invocable = false,
-    description = 'Dynamic MCP triage — LLM agentic loop for escalation remediation'
-WHERE workflow_type = 'mcpTriage';
-
--- Add mcpTriageRouter (orchestrator — the new entry point for triage)
-INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
-VALUES
-  ('mcpTriageRouter', 'long-tail-system', 'engineer', false,
-   'Triage router — discovers compiled workflows for remediation, routes to deterministic or dynamic triage',
-   '{}')
-ON CONFLICT (workflow_type) DO NOTHING;
-
--- Add mcpTriageDeterministic (leaf — invokes compiled triage workflows)
-INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
-VALUES
-  ('mcpTriageDeterministic', 'long-tail-system', 'engineer', false,
-   'Deterministic triage — invokes matched compiled workflows for escalation remediation',
-   '{}')
-ON CONFLICT (workflow_type) DO NOTHING;
-
--- Assign roles
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpTriageRouter', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;
-
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpTriageDeterministic', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;

package/build/lib/db/schemas/005_unique_graph_topic.sql

@@ -1,7 +0,0 @@
--- Enforce unique graph_topic per app_id for non-archived workflows.
--- Two active/deployed/draft workflows in the same namespace must not
--- share a subscribes topic — deploying them would cause routing collisions.
-
-CREATE UNIQUE INDEX IF NOT EXISTS idx_lt_yaml_workflows_app_topic_unique
-  ON lt_yaml_workflows (app_id, graph_topic)
-  WHERE status != 'archived';

package/build/lib/db/schemas/006_oauth.sql

@@ -1,50 +0,0 @@
--- ── OAuth token storage ─────────────────────────────────────────────────────
--- Encrypted per-user, per-provider OAuth tokens for identity and resource OAuth.
-
-CREATE TABLE IF NOT EXISTS lt_oauth_tokens (
-  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  user_id           UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
-  provider          TEXT NOT NULL,
-  label             TEXT NOT NULL DEFAULT 'default',
-  access_token_enc  TEXT NOT NULL,
-  refresh_token_enc TEXT,
-  token_type        TEXT NOT NULL DEFAULT 'bearer',
-  scopes            TEXT[] NOT NULL DEFAULT '{}',
-  expires_at        TIMESTAMPTZ,
-  provider_user_id  TEXT NOT NULL,
-  provider_email    TEXT,
-  metadata          JSONB,
-  created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  UNIQUE (user_id, provider, label)
-);
-
--- Migration: add label column for multiple credentials per provider per user.
--- Existing rows get 'default'. The unique constraint moves from (user_id, provider)
--- to (user_id, provider, label).
-ALTER TABLE lt_oauth_tokens ADD COLUMN IF NOT EXISTS label TEXT NOT NULL DEFAULT 'default';
-
--- Drop old unique constraint if it exists (safe no-op if already migrated)
-DO $$ BEGIN
-  ALTER TABLE lt_oauth_tokens DROP CONSTRAINT IF EXISTS lt_oauth_tokens_user_id_provider_key;
-EXCEPTION WHEN undefined_object THEN NULL;
-END $$;
-
--- Create the new composite unique constraint (idempotent via IF NOT EXISTS on index)
-CREATE UNIQUE INDEX IF NOT EXISTS lt_oauth_tokens_user_id_provider_label_key
-  ON lt_oauth_tokens (user_id, provider, label);
-
-CREATE INDEX IF NOT EXISTS idx_lt_oauth_tokens_provider
-  ON lt_oauth_tokens (provider, user_id);
-
-CREATE OR REPLACE TRIGGER trg_lt_oauth_tokens_updated_at
-  BEFORE UPDATE ON lt_oauth_tokens
-  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
-
--- ── Identity link columns on lt_users ──────────────────────────────────────
-ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS oauth_provider TEXT;
-ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS oauth_provider_id TEXT;
-
-CREATE INDEX IF NOT EXISTS idx_lt_users_oauth
-  ON lt_users (oauth_provider, oauth_provider_id)
-  WHERE oauth_provider IS NOT NULL;

package/build/lib/db/schemas/007_security.sql

@@ -1,27 +0,0 @@
--- ── Service tokens for external MCP servers ─────────────────────────────────
-CREATE TABLE IF NOT EXISTS lt_service_tokens (
-  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  name         TEXT UNIQUE NOT NULL,
-  token_hash   TEXT NOT NULL,
-  server_id    UUID REFERENCES lt_mcp_servers(id) ON DELETE CASCADE,
-  scopes       TEXT[] NOT NULL DEFAULT '{}',
-  expires_at   TIMESTAMPTZ,
-  last_used_at TIMESTAMPTZ,
-  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_lt_service_tokens_server
-  ON lt_service_tokens (server_id);
-
-CREATE OR REPLACE TRIGGER trg_lt_service_tokens_updated_at
-  BEFORE UPDATE ON lt_service_tokens
-  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();
-
--- ── Audit: who initiated escalations ────────────────────────────────────────
-ALTER TABLE lt_escalations ADD COLUMN IF NOT EXISTS created_by UUID REFERENCES lt_users(id);
-CREATE INDEX IF NOT EXISTS idx_lt_escalations_created_by
-  ON lt_escalations (created_by) WHERE created_by IS NOT NULL;
-
--- ── Scope declarations for MCP servers ──────────────────────────────────────
-ALTER TABLE lt_mcp_servers ADD COLUMN IF NOT EXISTS required_scopes TEXT[] NOT NULL DEFAULT '{}';

package/build/lib/db/schemas/008_bot_accounts.sql

@@ -1,30 +0,0 @@
--- 008_bot_accounts.sql
--- Bot/service account support for universal IAM.
--- Bots live in lt_users (account_type = 'bot') and authenticate via API keys.
-
--- Add account_type column to lt_users to distinguish human vs bot accounts.
-ALTER TABLE lt_users ADD COLUMN IF NOT EXISTS account_type TEXT NOT NULL DEFAULT 'user';
-
--- Apply check constraint (idempotent: skip if already exists).
-DO $$ BEGIN
-  ALTER TABLE lt_users ADD CONSTRAINT lt_users_account_type_check
-    CHECK (account_type IN ('user', 'bot'));
-EXCEPTION
-  WHEN duplicate_object THEN NULL;
-END $$;
-
--- Bot API keys — similar to lt_service_tokens but scoped to a user (bot) account.
-CREATE TABLE IF NOT EXISTS lt_bot_api_keys (
-  id           UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  name         TEXT NOT NULL,
-  user_id      UUID NOT NULL REFERENCES lt_users(id) ON DELETE CASCADE,
-  key_hash     TEXT NOT NULL,
-  scopes       TEXT[] NOT NULL DEFAULT '{}',
-  expires_at   TIMESTAMPTZ,
-  last_used_at TIMESTAMPTZ,
-  created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  UNIQUE (user_id, name)
-);
-
-CREATE INDEX IF NOT EXISTS idx_bot_api_keys_user_id ON lt_bot_api_keys (user_id);

package/build/lib/db/schemas/009_audit_trail.sql

@@ -1,7 +0,0 @@
--- 009_audit_trail.sql
--- Add IAM audit columns to lt_tasks for identity traceability.
-
-ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS initiated_by UUID REFERENCES lt_users(id) ON DELETE SET NULL;
-ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS principal_type TEXT DEFAULT 'user';
-
-CREATE INDEX IF NOT EXISTS idx_lt_tasks_initiated_by ON lt_tasks (initiated_by) WHERE initiated_by IS NOT NULL;

package/build/lib/db/schemas/010_credential_providers.sql

@@ -1,4 +0,0 @@
--- Add credential_providers column to lt_mcp_servers
--- Declares which credential providers a server's tools need
-ALTER TABLE lt_mcp_servers
-  ADD COLUMN IF NOT EXISTS credential_providers TEXT[] NOT NULL DEFAULT '{}';

package/build/lib/db/schemas/011_system_workflow_configs.sql

@@ -1,37 +0,0 @@
--- Ensure all system leaf workflows have config entries.
--- Migrations 004/005 tried to UPDATE these but they were never seeded —
--- the interceptor needs config entries to wrap workflows with lifecycle events.
-
-INSERT INTO lt_config_workflows
-  (workflow_type, task_queue, default_role, invocable, description, tool_tags)
-VALUES
-  ('mcpQuery', 'long-tail-system', 'engineer', false,
-   'Dynamic MCP tool orchestration — LLM agentic loop with raw MCP tools',
-   '{}'),
-  ('mcpTriage', 'long-tail-system', 'engineer', false,
-   'Dynamic MCP triage — LLM agentic loop for escalation remediation',
-   '{}'),
-  ('mcpWorkflowBuilder', 'long-tail-system', 'engineer', false,
-   'Direct pipeline builder — LLM constructs DAG from tool schemas',
-   '{}'),
-  ('mcpWorkflowPlanner', 'long-tail-system', 'engineer', false,
-   'Plan mode — decomposes specifications into multi-workflow sets',
-   '{}')
-ON CONFLICT (workflow_type) DO NOTHING;
-
--- Assign roles
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpQuery', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;
-
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpTriage', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;
-
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpWorkflowBuilder', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;
-
-INSERT INTO lt_config_roles (workflow_type, role)
-SELECT 'mcpWorkflowPlanner', unnest(ARRAY['reviewer', 'engineer', 'admin'])
-ON CONFLICT (workflow_type, role) DO NOTHING;

package/build/lib/db/schemas/012_drop_modality.sql

@@ -1,6 +0,0 @@
--- Remove delivery modality — the concept was never used for actual routing.
--- Alpha cleanup: drop from config, escalations, and tasks tables.
-
-ALTER TABLE lt_config_workflows DROP COLUMN IF EXISTS default_modality;
-ALTER TABLE lt_escalations DROP COLUMN IF EXISTS modality;
-ALTER TABLE lt_tasks DROP COLUMN IF EXISTS modality;

package/build/lib/db/schemas/013_execute_as.sql

@@ -1,9 +0,0 @@
--- Add execute_as to workflow configs: proxy invocation identity.
--- When set, workflows run as the named bot instead of the invoking user.
-
-ALTER TABLE lt_config_workflows ADD COLUMN IF NOT EXISTS execute_as TEXT;
-
--- Add executing_as to tasks: records the actual executing principal
--- (may differ from initiated_by when proxy invocation is used).
-
-ALTER TABLE lt_tasks ADD COLUMN IF NOT EXISTS executing_as TEXT;

package/build/lib/db/schemas/014_ephemeral_credentials.sql

@@ -1,16 +0,0 @@
--- Ephemeral credential store for sensitive fields in waitFor signal payloads.
--- Supports max_uses (0 = unlimited) and TTL-based expiry.
-
-CREATE TABLE IF NOT EXISTS lt_ephemeral_credentials (
-  token       UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  value       BYTEA NOT NULL,
-  label       TEXT,
-  max_uses    INTEGER NOT NULL DEFAULT 0,
-  use_count   INTEGER NOT NULL DEFAULT 0,
-  expires_at  TIMESTAMPTZ,
-  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_lt_ephemeral_expiry
-  ON lt_ephemeral_credentials (expires_at)
-  WHERE expires_at IS NOT NULL;

package/build/lib/db/schemas/015_knowledge.sql

@@ -1,23 +0,0 @@
--- Long Tail Knowledge Store
--- Persistent JSONB memory for autonomous agents. Each entry lives in a domain
--- (lightweight namespace) and is keyed by a human-readable string.
-
-CREATE TABLE IF NOT EXISTS lt_knowledge (
-  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  domain      TEXT NOT NULL,
-  key         TEXT NOT NULL,
-  data        JSONB NOT NULL DEFAULT '{}',
-  tags        TEXT[] NOT NULL DEFAULT '{}',
-  created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  UNIQUE(domain, key)
-);
-
-CREATE INDEX IF NOT EXISTS idx_lt_knowledge_domain ON lt_knowledge (domain);
-CREATE INDEX IF NOT EXISTS idx_lt_knowledge_tags ON lt_knowledge USING GIN (tags);
-CREATE INDEX IF NOT EXISTS idx_lt_knowledge_data ON lt_knowledge USING GIN (data);
-
-DROP TRIGGER IF EXISTS lt_knowledge_updated_at ON lt_knowledge;
-CREATE TRIGGER lt_knowledge_updated_at
-  BEFORE UPDATE ON lt_knowledge
-  FOR EACH ROW EXECUTE FUNCTION lt_set_updated_at();

package/build/lib/db/schemas/016_streamable_http.sql

@@ -1,7 +0,0 @@
--- Allow 'streamable-http' as a transport type for MCP servers
-ALTER TABLE lt_mcp_servers
-  DROP CONSTRAINT IF EXISTS lt_mcp_servers_transport_type_check;
-
-ALTER TABLE lt_mcp_servers
-  ADD CONSTRAINT lt_mcp_servers_transport_type_check
-  CHECK (transport_type IN ('stdio', 'sse', 'streamable-http'));