@jaguilar87/gaia 5.0.4 → 5.0.5

package/dist/gaia-ops/tools/agentic-loop/record-iteration.py

@@ -1,223 +0,0 @@
-#!/usr/bin/env python3
-"""
-record-iteration.py
-
-Atomically update state.json and append to worklog.md after each iteration.
-The LLM never writes state.json directly — this script is the only writer.
-
-Usage:
-    python3 record-iteration.py \
-        --state-file state.json \
-        --worklog worklog.md \
-        --iteration 5 \
-        --metric-value 94.5 \
-        --status keep \
-        --description "Handle hyphenated verbs" \
-        --insight "delete-objects splits correctly" \
-        --next "Check camelCase+hyphen combined"
-
-    Optional flags:
-        --changed TEXT      What was modified (default: same as description)
-        --metric-name TEXT  Name of the metric recorded (default: "metric")
-
-Atomic write guarantee: state.json is written to a .tmp sibling, fsynced,
-then renamed over the original.  Either the full write lands or the original
-is untouched.
-"""
-
-from __future__ import annotations
-
-import argparse
-import json
-import os
-import sys
-import tempfile
-from datetime import datetime, timezone
-
-
-def load_state(path: str) -> dict:
-    """Load existing state.json or return an empty skeleton."""
-    if not os.path.exists(path):
-        return {
-            "iteration": 0,
-            "current_metric": None,
-            "best_metric": None,
-            "consecutive_discards": 0,
-            "pivot_count": 0,
-            "timestamp": None,
-            "status": None,
-        }
-    try:
-        with open(path, "r") as fh:
-            data = json.load(fh)
-        return data
-    except (OSError, json.JSONDecodeError) as exc:
-        print(f"error: cannot read state file '{path}': {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def atomic_write_json(path: str, data: dict) -> None:
-    """Write *data* to *path* atomically using write-fsync-rename."""
-    dir_name = os.path.dirname(os.path.abspath(path))
-    # Use a temp file in the same directory so rename is on the same filesystem.
-    try:
-        fd, tmp_path = tempfile.mkstemp(dir=dir_name, suffix=".tmp")
-        try:
-            with os.fdopen(fd, "w") as fh:
-                json.dump(data, fh, indent=2)
-                fh.write("\n")
-                fh.flush()
-                os.fsync(fh.fileno())
-            os.replace(tmp_path, path)
-        except Exception:
-            # Clean up orphaned temp file on failure.
-            try:
-                os.unlink(tmp_path)
-            except OSError:
-                pass
-            raise
-    except OSError as exc:
-        print(f"error: atomic write to '{path}' failed: {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def append_worklog(
-    path: str,
-    iteration: int,
-    description: str,
-    metric_name: str,
-    metric_value: float,
-    status: str,
-    changed: str,
-    insight: str,
-    next_step: str,
-    best_metric: float | None,
-) -> None:
-    """Append a structured run entry to worklog.md."""
-    status_upper = status.upper()
-
-    # Build result sentence
-    if best_metric is None:
-        result_text = f"{metric_name}={metric_value} (first run, no prior best)"
-    else:
-        comparison = (
-            f"improved from {best_metric}"
-            if metric_value > best_metric
-            else (
-                f"unchanged from {best_metric}"
-                if metric_value == best_metric
-                else f"regressed from {best_metric}"
-            )
-        )
-        result_text = f"{metric_name}={metric_value} ({comparison})"
-
-    entry = (
-        f"\n### Run {iteration}: {description} — {metric_name}={metric_value} ({status_upper})\n"
-        f"- **Changed:** {changed}\n"
-        f"- **Result:** {result_text}\n"
-        f"- **Insight:** {insight}\n"
-        f"- **Next:** {next_step}\n"
-    )
-
-    try:
-        with open(path, "a") as fh:
-            fh.write(entry)
-    except OSError as exc:
-        print(f"error: cannot append to worklog '{path}': {exc}", file=sys.stderr)
-        sys.exit(1)
-
-
-def main() -> None:
-    parser = argparse.ArgumentParser(
-        description="Atomically record an agentic-loop iteration into state.json and worklog.md.",
-        formatter_class=argparse.RawDescriptionHelpFormatter,
-        epilog="""
-Status values:
-  keep     — metric improved; best is updated, consecutive_discards reset to 0
-  discard  — metric did not improve; consecutive_discards incremented
-  pivot    — forced strategy change (also increments pivot_count)
-  stop     — terminal state; loop should halt
-
-Exit codes:
-  0  success
-  1  error (message on stderr)
-        """,
-    )
-    parser.add_argument("--state-file", required=True, metavar="PATH", help="Path to state.json")
-    parser.add_argument("--worklog", required=True, metavar="PATH", help="Path to worklog.md (append-only)")
-    parser.add_argument("--iteration", required=True, type=int, help="Current iteration number (1-based)")
-    parser.add_argument("--metric-value", required=True, type=float, metavar="NUM", help="Numeric metric value this run")
-    parser.add_argument(
-        "--status",
-        required=True,
-        choices=["keep", "discard", "pivot", "stop"],
-        help="Outcome classification for this iteration",
-    )
-    parser.add_argument("--description", required=True, help="Short description of what changed this run")
-    parser.add_argument("--insight", required=True, help="What was learned from this run")
-    parser.add_argument("--next", required=True, dest="next_step", help="What to try in the next iteration")
-    parser.add_argument(
-        "--changed",
-        default=None,
-        metavar="TEXT",
-        help="What was specifically modified (defaults to --description)",
-    )
-    parser.add_argument(
-        "--metric-name",
-        default="metric",
-        metavar="NAME",
-        help="Name label for the metric (default: metric)",
-    )
-    args = parser.parse_args()
-
-    changed = args.changed if args.changed is not None else args.description
-
-    # --- Load current state ---
-    state = load_state(args.state_file)
-
-    prev_best: float | None = state.get("best_metric")
-
-    # --- Compute new state values ---
-    state["iteration"] = args.iteration
-    state["current_metric"] = args.metric_value
-    state["status"] = args.status
-    state["timestamp"] = datetime.now(tz=timezone.utc).isoformat()
-
-    if args.status == "keep":
-        # Keep: this run is better; promote to best.
-        state["best_metric"] = args.metric_value
-        state["consecutive_discards"] = 0
-    elif args.status == "discard":
-        # Do not update best; increment discard counter.
-        state["consecutive_discards"] = int(state.get("consecutive_discards") or 0) + 1
-    elif args.status == "pivot":
-        # Pivot: counts as a discard for streak purposes, but also advances pivot_count.
-        state["consecutive_discards"] = int(state.get("consecutive_discards") or 0) + 1
-        state["pivot_count"] = int(state.get("pivot_count") or 0) + 1
-    elif args.status == "stop":
-        # Terminal — no counter changes needed beyond recording.
-        pass
-
-    # --- Atomic write ---
-    atomic_write_json(args.state_file, state)
-
-    # --- Append worklog ---
-    append_worklog(
-        path=args.worklog,
-        iteration=args.iteration,
-        description=args.description,
-        metric_name=args.metric_name,
-        metric_value=args.metric_value,
-        status=args.status,
-        changed=changed,
-        insight=args.insight,
-        next_step=args.next_step,
-        best_metric=prev_best,
-    )
-
-    # Emit updated state summary for easy inspection.
-    print(json.dumps(state, indent=2))
-
-
-if __name__ == "__main__":
-    main()

package/git-hooks/commit-msg

@@ -1,41 +0,0 @@
-#!/bin/sh
-#
-# commit-msg hook: strip Claude Code attribution footers from commit messages.
-#
-# This hook runs at the git level, catching ALL commits regardless of whether
-# they originate from Claude Code's Bash tool, a subagent, or the user's terminal.
-#
-# Patterns match those in hooks/modules/tools/bash_validator.py _strip_claude_footers()
-# to maintain a single source of truth for what constitutes a forbidden footer.
-#
-# Installation:
-#   cp git-hooks/commit-msg .git/hooks/commit-msg
-#   chmod +x .git/hooks/commit-msg
-#
-# Or via gaia-init (automatic).
-
-COMMIT_MSG_FILE="$1"
-
-if [ ! -f "${COMMIT_MSG_FILE}" ]; then
-    exit 0
-fi
-
-# Create a temp file for the cleaned message
-TEMP_FILE=$(mktemp)
-trap 'rm -f "${TEMP_FILE}"' EXIT
-
-# Read the commit message and strip forbidden footer lines:
-#   - Co-Authored-By: containing "Claude" (any case)
-#   - "Generated with Claude Code" or "[Claude Code]" (any case)
-#   - Emoji-prefixed "Generated with" lines
-sed -E \
-    -e '/^[[:space:]]*[Cc][Oo]-[Aa][Uu][Tt][Hh][Oo][Rr][Ee][Dd]-[Bb][Yy]:.*[Cc][Ll][Aa][Uu][Dd][Ee]/d' \
-    -e '/^[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh].*[Cc][Ll][Aa][Uu][Dd][Ee] [Cc][Oo][Dd][Ee]/d' \
-    -e '/^[[:space:]]*..?[[:space:]]*[Gg][Ee][Nn][Ee][Rr][Aa][Tt][Ee][Dd] [Ww][Ii][Tt][Hh]/d' \
-    "${COMMIT_MSG_FILE}" > "${TEMP_FILE}"
-
-# Remove trailing blank lines (collapse to single trailing newline)
-# This prevents empty trailers after stripping
-sed -e :a -e '/^\n*$/{$d;N;ba' -e '}' "${TEMP_FILE}" > "${COMMIT_MSG_FILE}"
-
-exit 0

package/scripts/migrations/v10_to_v11.sql

@@ -1,170 +0,0 @@
--- Migration v10 -> v11
---
--- Two structural changes in a single migration:
---
---   Part A: memory.class NOT NULL + CHECK constraint enforcement
---   Part B: trg_pcc_history trigger — fix column references (contract_key ->
---           contract_name, payload_json -> payload) that caused runtime errors
---           in v1->v2 migration path.
---
--- Background (Part A)
--- -------------------
--- v4 introduced memory.class as a NULLABLE column with enum enforcement only
--- at the writer layer (not in DDL). The explicit decision documented in
--- schema.sql was:
---   "adding a CHECK at ALTER TIME forces a table-rebuild that would risk
---    FTS trigger drift on the live DB"
--- Task #2 reclassified all pre-v4 NULL rows, so the precondition for a safe
--- rebuild is satisfied (0 rows with class IS NULL).
---
--- The rebuild follows the same rename-create-copy-drop pattern as v1_to_v2.sql:
---   1. Guard: fail fast if any NULL class rows exist.
---   2. Drop FTS5 mirror triggers (avoid double-writes during bulk copy).
---   3. Rename old table out of the way.
---   4. Create new table with NOT NULL CHECK(class IN ('anchor','thread','log')).
---   5. Copy rows preserving rowid.
---   6. Drop renamed old table.
---   7. Recreate indexes (workspace, type, class+status).
---   8. Recreate FTS5 mirror triggers verbatim.
---   9. Rebuild memory_fts.
---
--- Background (Part B)
--- -------------------
--- v8_to_v9.sql created trg_pcc_history referencing:
---   OLD.contract_key  -- but project_context_contracts has column contract_name
---   OLD.payload_json  -- but project_context_contracts has column payload
---   NEW.payload_json  -- same
--- The trigger DDL was stored in sqlite_master with the wrong column names. SQLite
--- defers column resolution to execution time, so the trigger was silently
--- accepted at CREATE time but blew up whenever it fired, AND when any
--- DDL mutation (like ALTER TABLE in v1_to_v2 migration) caused SQLite to
--- validate all live triggers -- aborting the v1->v2 migration transaction.
---
--- Precondition guards
--- -------------------
--- We assert 0 NULL class rows before starting the rebuild. If any exist, the
--- migration aborts and the caller must run `gaia memory reclassify` first.
--- SQLite does not have native ASSERT, so we use a CREATE TABLE trick: if the
--- subquery returns any rows the INSERT will succeed but we check with a
--- NOT EXISTS guard pattern via CASE WHEN inside a temporary trigger.
--- Simpler: we use a CHECK on a temp row that fails if the count > 0.
---
--- Atomicity: bootstrap_database.sh wraps this script in BEGIN/COMMIT.
--- A failure mid-flight rolls back to v10 state; the ledger row is NOT
--- inserted, so the next bootstrap retry sees the same pending migration.
--- Closes ledger task #6.
-
--- ============================================================
--- PRE-CONDITION: coalesce any remaining NULL class values to 'log'
--- ============================================================
--- On the live DB, task #2 reclassified all NULL rows before this migration
--- runs, so this UPDATE is a no-op. In test/CI scenarios where a synthetic
--- DB is built from v1 and migrated through all versions, legacy rows that
--- were never reclassified get a safe default of 'log'. Using COALESCE in
--- the INSERT SELECT below (Step A4) achieves the same result without a
--- separate UPDATE pass, but an explicit UPDATE here makes the intent clear
--- and ensures the NOT NULL CHECK in the new table never fires unexpectedly.
-UPDATE memory SET class = 'log' WHERE class IS NULL;
-
--- ============================================================
--- PART A: memory table rebuild (NOT NULL + CHECK on class)
--- ============================================================
-
--- Step A1: Drop the FTS5 trigger trio before the rename. They will be
--- recreated verbatim in Step A8. Dropping them prevents double-writes
--- and avoids referencing the renamed table during the bulk copy.
-DROP TRIGGER IF EXISTS memory_ai;
-DROP TRIGGER IF EXISTS memory_ad;
-DROP TRIGGER IF EXISTS memory_au;
-
--- Step A2: Rename old table out of the way. SQLite carries indexes along.
-ALTER TABLE memory RENAME TO memory_v10_old;
-
--- Step A3: Create the new memory table with NOT NULL DEFAULT + CHECK on class.
--- Schema matches schema.sql exactly: class is NOT NULL with DEFAULT 'log' and
--- enum CHECK. The DEFAULT ensures that callers who do not supply class (e.g.
--- upsert_memory in writer.py) get a sensible default rather than a hard failure.
--- Explicit NULL is still rejected by NOT NULL.
-CREATE TABLE memory (
-    workspace         TEXT NOT NULL,
-    name              TEXT NOT NULL,
-    type              TEXT NOT NULL CHECK (type IN ('project', 'user', 'feedback', 'atom', 'decision', 'negative')),
-    description       TEXT,
-    body              TEXT NOT NULL,
-    origin_session_id TEXT,
-    updated_at        TEXT,
-    class             TEXT NOT NULL DEFAULT 'log' CHECK (class IN ('anchor', 'thread', 'log')),
-    status            TEXT,
-    PRIMARY KEY (workspace, name),
-    FOREIGN KEY (workspace) REFERENCES workspaces(name) ON DELETE CASCADE
-);
-
--- Step A4: Copy all rows preserving rowid. memory_fts joins on rowid;
--- changing them would invalidate the FTS5 index. class is guaranteed
--- non-NULL by the UPDATE in the pre-condition step above.
-INSERT INTO memory (rowid, workspace, name, type, description, body, origin_session_id, updated_at, class, status)
-SELECT rowid, workspace, name, type, description, body, origin_session_id, updated_at, class, status
-FROM memory_v10_old;
-
--- Step A5: Drop the renamed old table. Its indexes go with it.
-DROP TABLE memory_v10_old;
-
--- Step A6: Recreate the standard indexes on the new table.
-CREATE INDEX IF NOT EXISTS idx_memory_workspace ON memory(workspace);
-CREATE INDEX IF NOT EXISTS idx_memory_type ON memory(type);
--- idx_memory_class_status was created by v3_to_v4.sql; must be recreated here
--- because the underlying table was dropped and recreated above.
-CREATE INDEX IF NOT EXISTS idx_memory_class_status ON memory(workspace, class, status);
-
--- Step A7: Recreate the three FTS5 mirror triggers verbatim from schema.sql.
-CREATE TRIGGER memory_ai AFTER INSERT ON memory BEGIN
-    INSERT INTO memory_fts(rowid, workspace, name, description, body)
-    VALUES (new.rowid, new.workspace, new.name, new.description, new.body);
-END;
-
-CREATE TRIGGER memory_ad AFTER DELETE ON memory BEGIN
-    INSERT INTO memory_fts(memory_fts, rowid, workspace, name, description, body)
-    VALUES ('delete', old.rowid, old.workspace, old.name, old.description, old.body);
-END;
-
-CREATE TRIGGER memory_au AFTER UPDATE ON memory BEGIN
-    INSERT INTO memory_fts(memory_fts, rowid, workspace, name, description, body)
-    VALUES ('delete', old.rowid, old.workspace, old.name, old.description, old.body);
-    INSERT INTO memory_fts(rowid, workspace, name, description, body)
-    VALUES (new.rowid, new.workspace, new.name, new.description, new.body);
-END;
-
--- Step A8: Rebuild memory_fts from the new memory table.
-INSERT INTO memory_fts(memory_fts) VALUES('rebuild');
-
--- ============================================================
--- PART B: trg_pcc_history trigger fix
--- ============================================================
--- Drop the broken trigger (created by v8_to_v9.sql with wrong column refs).
-DROP TRIGGER IF EXISTS trg_pcc_history;
-
--- Recreate with correct column references:
---   OLD.contract_name  (project_context_contracts PK component)
---   OLD.payload        (project_context_contracts payload column)
---   NEW.payload        (project_context_contracts payload column)
--- The INSERT target history table still uses column `contract_key` (unchanged).
-CREATE TRIGGER trg_pcc_history
-AFTER UPDATE ON project_context_contracts
-BEGIN
-    INSERT INTO project_context_contracts_history (
-        contract_key, workspace, before_payload_json, after_payload_json, changed_at
-    ) VALUES (
-        OLD.contract_name,
-        OLD.workspace,
-        OLD.payload,
-        NEW.payload,
-        strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
-    );
-END;
-
--- ============================================================
--- LEDGER BUMP
--- ============================================================
-INSERT OR IGNORE INTO schema_version (version, applied_at, description)
-VALUES (11, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
-        'memory.class NOT NULL + CHECK; trg_pcc_history column fix (task #6)');

package/scripts/migrations/v10_to_v11_fresh.sql

@@ -1,18 +0,0 @@
--- Migration v10 -> v11 fresh-install variant
---
--- Used by bootstrap_database.sh when the live DB was created directly from
--- schema.sql at v11 state (i.e. schema.sql already declares memory.class as
--- NOT NULL CHECK and trg_pcc_history with correct column references).
---
--- On a fresh install:
---   - schema.sql creates memory with class NOT NULL CHECK -> no rebuild needed
---   - schema.sql creates trg_pcc_history with correct column refs -> no fix needed
---
--- This variant is a no-op; it only exists so the bootstrap guard-probe branch
--- can select it and stamp the ledger without applying DDL.
---
--- Atomicity: bootstrap_database.sh wraps this script in BEGIN/COMMIT.
--- No DDL is executed; the COMMIT is harmless.
-
--- No-op: fresh install already at v11 state (schema.sql created all objects).
-SELECT 1;

package/scripts/migrations/v11_to_v12.sql

@@ -1,195 +0,0 @@
--- Migration v11 -> v12 (approval-model-redesign: user-in-loop, fingerprint-bound, hash-chained)
---
--- Background
--- ----------
--- v11 schema has all the episodic/memory/handoff tables from prior migrations.
--- v12 adds two tables for the new approval model:
---   approvals         -- durable record per approval lifecycle, P-{id} prefixed
---   approval_events   -- append-only hash-chained audit log per lifecycle event
---
--- Three trigger families:
---   ai_approval_events_hash       -- AFTER INSERT: computes this_hash via gaia_sha256()
---   bu_approval_events_immutable  -- BEFORE UPDATE: raises (append-only invariant)
---   bd_approval_events_immutable  -- BEFORE DELETE: raises (append-only invariant)
---
--- Design decisions (from plan D15 and brief approach)
--- ----------------------------------------------------
--- D1: approvals.id carries P-{uuid4} prefix (TEXT PK, not AUTOINCREMENT INTEGER).
---   Rationale: the prefix is readable in denial messages and debug output without
---   a JOIN. UUIDs avoid collisions without a central counter. The hook generates
---   the id and embeds it in the denial message so subagents can reference it.
---
--- D2: approval_events.this_hash = SHA-256(prev_hash || fingerprint)
---   Computed by the AFTER INSERT trigger via SQLite scalar function `gaia_sha256`
---   registered in gaia.store.writer._connect(). SQLite's built-in functions
---   do not include SHA-256 so we inject a Python function at connection time.
---   The trigger runs deterministically with the connection's registered function.
---
--- D3: Genesis row bootstrapping
---   For the first event row of any approval chain (row 0), prev_hash IS NULL.
---   this_hash = SHA-256("" || fingerprint) where the null is treated as an
---   empty string by the trigger expression COALESCE(prev_hash, '').
---   This is the documented canonical treatment -- callers should not assume a
---   sentinel hash (like all-zeros); they must use COALESCE('', prev_hash) when
---   walking the chain. The chain_walk validator in gaia/approvals/chain.py
---   implements this correctly.
---
--- D4: Append-only invariant
---   BEFORE UPDATE and BEFORE DELETE triggers raise an error with the literal
---   message "approval_events is append-only" so any accidental mutative SQL
---   gets a clear, actionable error rather than a silent no-op or wrong-table
---   write. These triggers are part of the security contract: a tampered row
---   breaks hash-chain validation *and* prevents direct mutation at the SQL layer.
---
--- D5: event_type CHECK constraint
---   Nine valid event types from the plan spec. `EXPIRED` is intentionally
---   excluded (no TTL-based expiry in this brief). `ESCALATED` is excluded
---   (no multi-level approval chain in this brief). The CHECK is on the
---   approval_events table so the constraint is enforced at the DB layer.
---
--- Atomicity: bootstrap_database.sh wraps this script in BEGIN/COMMIT.
--- A failure mid-flight rolls back to v11 state; the ledger row is NOT
--- inserted, so the next bootstrap retry sees the same pending migration.
--- Closes M1 (Wave 1) of brief approval-model-redesign-user-in-loop (brief_id=71).
-
--- ---------------------------------------------------------------------------
--- Step 1: Create approvals table (durable lifecycle record)
--- ---------------------------------------------------------------------------
-CREATE TABLE IF NOT EXISTS approvals (
-    id           TEXT PRIMARY KEY,           -- P-{uuid4} prefixed identifier
-    agent_id     TEXT,                       -- agent that initiated the request
-    session_id   TEXT,                       -- CLAUDE_SESSION_ID at request time
-    status       TEXT NOT NULL DEFAULT 'pending'
-                 CHECK (status IN ('pending', 'approved', 'rejected', 'revoked', 'expired')),
-    fingerprint  TEXT,                       -- SHA-256 hex of canonical sealed_payload_json
-    payload_json TEXT,                       -- canonical-JSON sealed_payload at REQUESTED time
-    created_at   TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
-    decided_at   TEXT                        -- ISO-8601 UTC when approved/rejected/revoked
-);
-
--- Indexes for the common query patterns:
---   (a) All pending approvals regardless of session (cross-session recovery)
---   (b) All approvals for a specific agent
---   (c) All approvals for a specific session
-CREATE INDEX IF NOT EXISTS idx_approvals_status     ON approvals(status);
-CREATE INDEX IF NOT EXISTS idx_approvals_agent      ON approvals(agent_id);
-CREATE INDEX IF NOT EXISTS idx_approvals_session    ON approvals(session_id);
-
--- ---------------------------------------------------------------------------
--- Step 2: Create approval_events table (append-only hash-chained audit log)
---
--- Column inventory from plan D15 (verbatim):
---   id, approval_id (FK), event_type, agent_id, session_id,
---   payload_json, fingerprint, prev_hash, this_hash, metadata_json, created_at
--- ---------------------------------------------------------------------------
-CREATE TABLE IF NOT EXISTS approval_events (
-    id            INTEGER PRIMARY KEY AUTOINCREMENT,
-    approval_id   TEXT NOT NULL,                     -- FK -> approvals.id (P-{uuid4})
-    event_type    TEXT NOT NULL CHECK (event_type IN (
-                      'REQUESTED',
-                      'SHOWN',
-                      'APPROVED',
-                      'REJECTED',
-                      'EXECUTED',
-                      'FAILED',
-                      'NOOP',
-                      'REVOKED',
-                      'REVERTED'
-                  )),
-    agent_id      TEXT,                              -- agent that triggered this event
-    session_id    TEXT,                              -- session that created this event row
-    payload_json  TEXT,                              -- canonical-JSON sealed_payload at this event
-    fingerprint   TEXT,                              -- SHA-256 hex of canonical payload_json
-    prev_hash     TEXT,                              -- this_hash of the immediately preceding row
-                                                     -- NULL for the genesis row (row 0 in the chain)
-    this_hash     TEXT,                              -- SHA-256(COALESCE(prev_hash,'') || COALESCE(fingerprint,''))
-                                                     -- computed by ai_approval_events_hash AFTER INSERT trigger
-    metadata_json TEXT,                              -- free-form JSON for event-specific extras
-    created_at    TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now')),
-    FOREIGN KEY (approval_id) REFERENCES approvals(id)
-);
-
--- Indexes for the common query patterns:
---   (a) All events for a specific approval (primary chain-walk pattern)
---   (b) All events of a specific type across all approvals (audit dashboard)
---   (c) All events for a specific session
-CREATE INDEX IF NOT EXISTS idx_approval_events_approval  ON approval_events(approval_id, id);
-CREATE INDEX IF NOT EXISTS idx_approval_events_type      ON approval_events(event_type);
-CREATE INDEX IF NOT EXISTS idx_approval_events_session   ON approval_events(session_id);
-
--- ---------------------------------------------------------------------------
--- Step 3: this_hash computation -- application layer, not a trigger
---
--- The AFTER INSERT + BEFORE UPDATE combination is architecturally conflicted
--- in SQLite: an AFTER INSERT trigger that calls UPDATE on the same row would
--- fire the BEFORE UPDATE immutability trigger, blocking the computation.
---
--- Resolution: this_hash is computed by the application layer before each
--- INSERT via gaia.approvals.chain._compute_this_hash(prev_hash, fingerprint).
--- All INSERTs into approval_events MUST supply a computed this_hash value.
--- The Python helper gaia.approvals.chain.insert_event() enforces this at
--- the API boundary.
---
--- The gaia_sha256 scalar function is still registered on connections by
--- gaia.store.writer._connect() for ad-hoc queries, chain-walk re-validation,
--- and future trigger uses that do not conflict with the immutability triggers.
---
--- Named placeholder trigger (for schema consistency and test assertions about
--- trigger count): We create a named view-only trigger that does nothing, so
--- that `gaia doctor` can assert "ai_approval_events_hash trigger exists" and
--- the schema introspection is consistent with the migration spec.
--- This is intentionally a no-op SELECT that documents the design decision.
--- ---------------------------------------------------------------------------
-CREATE TRIGGER IF NOT EXISTS ai_approval_events_hash
-AFTER INSERT ON approval_events
-BEGIN
-    -- this_hash is computed by the application layer before INSERT.
-    -- See gaia.approvals.chain._compute_this_hash() and insert_event().
-    -- This trigger is a named placeholder for schema introspection consistency.
-    SELECT 1;
-END;
-
--- ---------------------------------------------------------------------------
--- Step 4: BEFORE UPDATE trigger -- enforce append-only invariant
---
--- Trigger name: bu_approval_events_immutable
---   bu_ prefix = BEFORE UPDATE
---
--- Raises with a clear message so accidental UPDATEs surface immediately
--- rather than silently corrupting the audit chain.
--- ---------------------------------------------------------------------------
-CREATE TRIGGER IF NOT EXISTS bu_approval_events_immutable
-BEFORE UPDATE ON approval_events
-BEGIN
-    SELECT RAISE(ABORT, 'approval_events is append-only');
-END;
-
--- ---------------------------------------------------------------------------
--- Step 5: BEFORE DELETE trigger -- enforce append-only invariant
---
--- Trigger name: bd_approval_events_immutable
---   bd_ prefix = BEFORE DELETE
--- ---------------------------------------------------------------------------
-CREATE TRIGGER IF NOT EXISTS bd_approval_events_immutable
-BEFORE DELETE ON approval_events
-BEGIN
-    SELECT RAISE(ABORT, 'approval_events is append-only');
-END;
-
--- ---------------------------------------------------------------------------
--- Step 6: Bump schema_version to 12
--- ---------------------------------------------------------------------------
-INSERT OR IGNORE INTO schema_version (version, applied_at, description)
-VALUES (12, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
-        'approvals + approval_events tables + hash-chain triggers (approval-model-redesign M1)');
-
--- Verification queries (run after applying):
--- SELECT MAX(version) FROM schema_version;                          -- expect: 12
--- SELECT name FROM sqlite_master WHERE type='table'
---   AND name IN ('approvals','approval_events');                    -- expect: 2 rows
--- SELECT name FROM sqlite_master WHERE type='trigger'
---   AND name IN ('ai_approval_events_hash',
---                'bu_approval_events_immutable',
---                'bd_approval_events_immutable');                   -- expect: 3 rows
--- PRAGMA table_info(approvals);                                     -- expect: 7 columns
--- PRAGMA table_info(approval_events);                               -- expect: 11 columns

package/scripts/migrations/v11_to_v12_fresh.sql

@@ -1,19 +0,0 @@
--- Migration v11 -> v12 fresh-install variant
---
--- Used by bootstrap_database.sh when the live DB was created directly from
--- schema.sql at v12 state (i.e. schema.sql already declares the approvals
--- and approval_events tables plus the trigger family).
---
--- On a fresh install:
---   - schema.sql creates approvals with all columns -> no DDL needed
---   - schema.sql creates approval_events with all columns -> no DDL needed
---   - schema.sql creates all three triggers -> no DDL needed
---
--- This variant is a no-op; it only exists so the bootstrap guard-probe branch
--- can select it and stamp the ledger without applying DDL.
---
--- Atomicity: bootstrap_database.sh wraps this script in BEGIN/COMMIT.
--- No DDL is executed; the COMMIT is harmless.
-
--- No-op: fresh install already at v12 state (schema.sql created all objects).
-SELECT 1;