@lobu/cli 6.0.1 → 6.1.1

package/dist/db/migrations/20260405193000_add_mcp_sessions.sql

@@ -0,0 +1,33 @@
+-- migrate:up
+
+CREATE TABLE public.mcp_sessions (
+    session_id text PRIMARY KEY,
+    user_id text,
+    client_id text,
+    organization_id text,
+    member_role text,
+    requested_agent_id text,
+    is_authenticated boolean DEFAULT false NOT NULL,
+    scoped_to_org boolean DEFAULT false NOT NULL,
+    last_accessed_at timestamp with time zone DEFAULT now() NOT NULL,
+    expires_at timestamp with time zone NOT NULL
+);
+
+CREATE INDEX mcp_sessions_client_id_idx ON public.mcp_sessions USING btree (client_id);
+CREATE INDEX mcp_sessions_expires_at_idx ON public.mcp_sessions USING btree (expires_at);
+CREATE INDEX mcp_sessions_user_id_idx ON public.mcp_sessions USING btree (user_id);
+
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_client_id_fkey FOREIGN KEY (client_id) REFERENCES public.oauth_clients(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES public.organization(id) ON DELETE CASCADE;
+
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_user_id_fkey FOREIGN KEY (user_id) REFERENCES public."user"(id) ON DELETE CASCADE;
+
+COMMENT ON TABLE public.mcp_sessions IS 'Persisted MCP streamable HTTP sessions for restart and cross-replica recovery';
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.mcp_sessions;

package/dist/db/migrations/20260408120000_remove_system_connectors.sql

@@ -0,0 +1,48 @@
+-- migrate:up
+
+-- Migrate system connector definitions to org-scoped.
+-- For every org, copy each active system connector definition that
+-- the org doesn't already have (regardless of whether connections exist).
+
+INSERT INTO connector_definitions (
+  organization_id, key, name, description, version,
+  auth_schema, feeds_schema, actions_schema, options_schema,
+  mcp_config, openapi_config, favicon_domain, status, login_enabled
+)
+SELECT
+  o.id,
+  cd.key,
+  cd.name,
+  cd.description,
+  cd.version,
+  cd.auth_schema,
+  cd.feeds_schema,
+  cd.actions_schema,
+  cd.options_schema,
+  cd.mcp_config,
+  cd.openapi_config,
+  cd.favicon_domain,
+  cd.status,
+  cd.login_enabled
+FROM connector_definitions cd
+CROSS JOIN "organization" o
+WHERE cd.organization_id IS NULL
+  AND cd.status = 'active'
+  AND NOT EXISTS (
+    SELECT 1
+    FROM connector_definitions existing
+    WHERE existing.organization_id = o.id
+      AND existing.key = cd.key
+      AND existing.status = 'active'
+  );
+
+-- Archive all system-level connector definitions
+UPDATE connector_definitions
+SET status = 'archived', updated_at = NOW()
+WHERE organization_id IS NULL
+  AND status = 'active';
+
+-- Drop orphaned index that only covered system-level (org IS NULL) definitions
+DROP INDEX IF EXISTS idx_connector_defs_system_key;
+
+-- migrate:down

package/dist/db/migrations/20260408120001_optional_compiled_code.sql

@@ -0,0 +1,6 @@
+-- migrate:up
+ALTER TABLE connector_versions ALTER COLUMN compiled_code DROP NOT NULL;
+
+-- migrate:down
+UPDATE connector_versions SET compiled_code = '' WHERE compiled_code IS NULL;
+ALTER TABLE connector_versions ALTER COLUMN compiled_code SET NOT NULL;

package/dist/db/migrations/20260409110000_add_active_watcher_run_index.sql

@@ -0,0 +1,9 @@
+-- migrate:up
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_active_watcher_per_watcher
+  ON runs (watcher_id)
+  WHERE run_type = 'watcher'
+    AND watcher_id IS NOT NULL
+    AND status IN ('pending', 'claimed', 'running');
+
+-- migrate:down
+DROP INDEX IF EXISTS idx_runs_active_watcher_per_watcher;

package/dist/db/migrations/20260409130000_connector_default_config.sql

@@ -0,0 +1,5 @@
+-- migrate:up
+ALTER TABLE connector_definitions ADD COLUMN IF NOT EXISTS default_connection_config jsonb;
+
+-- migrate:down
+ALTER TABLE connector_definitions DROP COLUMN IF EXISTS default_connection_config;

package/dist/db/migrations/20260410120000_add_agent_secrets.sql

@@ -0,0 +1,25 @@
+-- migrate:up
+
+CREATE TABLE public.agent_secrets (
+    name text PRIMARY KEY,
+    ciphertext text NOT NULL,
+    expires_at timestamp with time zone,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL
+);
+
+-- text_pattern_ops index enables efficient prefix scans used by list(prefix)
+-- to support cascade deletes (deleteSecretsByPrefix in @lobu/gateway).
+CREATE INDEX agent_secrets_name_prefix_idx
+    ON public.agent_secrets USING btree (name text_pattern_ops);
+
+CREATE INDEX agent_secrets_expires_at_idx
+    ON public.agent_secrets USING btree (expires_at)
+    WHERE expires_at IS NOT NULL;
+
+COMMENT ON TABLE public.agent_secrets IS
+    'Encrypted secret values referenced via secret:// refs. Backs the PostgresSecretStore implementation of @lobu/gateway WritableSecretStore.';
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.agent_secrets;

package/dist/db/migrations/20260413170000_add_watcher_group_id.sql

@@ -0,0 +1,67 @@
+-- migrate:up
+
+ALTER TABLE public.watchers
+  ADD COLUMN IF NOT EXISTS source_watcher_id integer,
+  ADD COLUMN IF NOT EXISTS watcher_group_id integer;
+
+-- Backfill source watcher links from cloned watcher versions.
+WITH derived_source AS (
+  SELECT DISTINCT ON (w.id)
+    w.id AS watcher_id,
+    source_versions.watcher_id AS source_watcher_id
+  FROM public.watchers w
+  JOIN public.watcher_versions wv ON wv.watcher_id = w.id
+  JOIN public.watcher_versions source_versions
+    ON source_versions.id = substring(wv.change_notes FROM 'Created from version ([0-9]+)')::integer
+  WHERE wv.change_notes ~ 'Created from version [0-9]+'
+  ORDER BY w.id, wv.version ASC, wv.id ASC
+)
+UPDATE public.watchers w
+SET source_watcher_id = ds.source_watcher_id
+FROM derived_source ds
+WHERE w.id = ds.watcher_id
+  AND w.source_watcher_id IS NULL;
+
+-- Build stable watcher group ids by walking source watcher ancestry to the root.
+WITH RECURSIVE roots AS (
+  SELECT w.id AS watcher_id, w.source_watcher_id, w.id AS root_id
+  FROM public.watchers w
+  WHERE w.source_watcher_id IS NULL
+
+  UNION ALL
+
+  SELECT child.id AS watcher_id, child.source_watcher_id, roots.root_id
+  FROM public.watchers child
+  JOIN roots ON child.source_watcher_id = roots.watcher_id
+)
+UPDATE public.watchers w
+SET watcher_group_id = roots.root_id
+FROM roots
+WHERE w.id = roots.watcher_id;
+
+-- Fallback for any rows that did not match the recursive backfill.
+UPDATE public.watchers
+SET watcher_group_id = id
+WHERE watcher_group_id IS NULL;
+
+-- `watchers.current_version_id` has a DEFERRABLE FK. The backfill updates above queue
+-- deferred trigger events, and PostgreSQL refuses ALTER TABLE while those are pending.
+SET CONSTRAINTS ALL IMMEDIATE;
+
+ALTER TABLE public.watchers
+  ALTER COLUMN watcher_group_id SET NOT NULL;
+
+CREATE INDEX IF NOT EXISTS idx_watchers_watcher_group_id
+  ON public.watchers USING btree (watcher_group_id);
+
+CREATE INDEX IF NOT EXISTS idx_watchers_org_group
+  ON public.watchers USING btree (organization_id, watcher_group_id);
+
+-- migrate:down
+
+DROP INDEX IF EXISTS idx_watchers_org_group;
+DROP INDEX IF EXISTS idx_watchers_watcher_group_id;
+
+ALTER TABLE public.watchers
+  DROP COLUMN IF EXISTS watcher_group_id,
+  DROP COLUMN IF EXISTS source_watcher_id;

package/dist/db/migrations/20260416120000_add_entity_wa_jid_index.sql

@@ -0,0 +1,14 @@
+-- migrate:up
+
+-- Speeds up the event↔entity join declared by the WhatsApp connector's
+-- early entityLinks rule: events JOIN entities ON
+--   entities.metadata->>'wa_jid' = events.metadata->>'chat_jid'.
+-- Superseded by the entity_identities table (2026-04-17 migration) which
+-- drops this index; this file is kept so dbmate's history is preserved.
+CREATE INDEX IF NOT EXISTS idx_entities_wa_jid
+  ON public.entities (entity_type, (metadata->>'wa_jid'))
+  WHERE metadata ? 'wa_jid' AND deleted_at IS NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_entities_wa_jid;

package/dist/db/migrations/20260417100000_add_entity_identities.sql

@@ -0,0 +1,77 @@
+-- migrate:up
+
+-- Normalized identifier store. One row per (organization_id, namespace, identifier).
+-- Replaces the earlier scheme of storing identifiers inside entities.metadata JSONB
+-- arrays. The UNIQUE constraint is the foundation of the whole design:
+--   * creation races collapse on the UNIQUE (one batch wins, the other links)
+--   * cross-entity contamination is constraint-blocked
+--   * accrete is just INSERT ... ON CONFLICT DO NOTHING
+--   * lookup is a plain BTREE seek (no GIN-on-jsonb)
+CREATE TABLE public.entity_identities (
+    id bigserial PRIMARY KEY,
+    organization_id text NOT NULL REFERENCES public.organization(id) ON DELETE CASCADE,
+    entity_id bigint NOT NULL REFERENCES public.entities(id) ON DELETE CASCADE,
+    namespace text NOT NULL,
+    identifier text NOT NULL,
+    source_connector text,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    deleted_at timestamp with time zone
+);
+
+-- Relaxed uniqueness: only live rows are constrained, so soft-delete + re-claim
+-- is a supported repair path (mis-attribution recovery).
+CREATE UNIQUE INDEX idx_entity_identities_live_unique
+    ON public.entity_identities (organization_id, namespace, identifier)
+    WHERE deleted_at IS NULL;
+
+-- Primary ingestion lookup path: "does anyone in this org own this identifier?"
+CREATE INDEX idx_entity_identities_lookup
+    ON public.entity_identities (organization_id, namespace, identifier)
+    WHERE deleted_at IS NULL;
+
+-- Reverse lookup: "what identifiers does this entity have?"
+CREATE INDEX idx_entity_identities_by_entity
+    ON public.entity_identities (entity_id)
+    WHERE deleted_at IS NULL;
+
+COMMENT ON TABLE public.entity_identities IS
+    'Normalized identifier claims per entity. See docs/identity-linking.md for the full pattern.';
+COMMENT ON COLUMN public.entity_identities.namespace IS
+    'Identifier kind. Standard values: phone, email, wa_jid, slack_user_id, github_login, auth_user_id, google_contact_id. Custom namespaces allowed but connectors sharing a namespace must agree on its format.';
+COMMENT ON COLUMN public.entity_identities.identifier IS
+    'Normalized identifier value (E.164 digits for phone, lowercase for email, etc.). Normalizers in @lobu/connector-sdk own the canonical form.';
+COMMENT ON COLUMN public.entity_identities.source_connector IS
+    'Who claimed this identifier: "connector:whatsapp", "manual", or null when seeded by migration.';
+
+
+-- Per-install override surface. A JSONB keyed by entityType; shallow-merged
+-- onto the connector's declared entityLinks at rule-resolve time. Lets an
+-- org retarget, disable rules, flip autoCreate, or mask specific identities
+-- without forking the connector. Null column = use connector defaults verbatim.
+ALTER TABLE public.connector_definitions
+    ADD COLUMN IF NOT EXISTS entity_link_overrides jsonb;
+
+COMMENT ON COLUMN public.connector_definitions.entity_link_overrides IS
+    'Per-install override of connector entityLinks rules. See resolveEntityLinkRules() for merge semantics.';
+
+
+-- The old scalar-JSONB index was built for a shape (entities.metadata->>wa_jid)
+-- we no longer use — identifiers now live in entity_identities. Drop to avoid
+-- carrying an unused index and a misleading comment on future reads.
+DROP INDEX IF EXISTS public.idx_entities_wa_jid;
+
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_entity_identities_by_entity;
+DROP INDEX IF EXISTS public.idx_entity_identities_lookup;
+DROP INDEX IF EXISTS public.idx_entity_identities_live_unique;
+DROP TABLE IF EXISTS public.entity_identities;
+
+ALTER TABLE public.connector_definitions
+    DROP COLUMN IF EXISTS entity_link_overrides;
+
+CREATE INDEX IF NOT EXISTS idx_entities_wa_jid
+    ON public.entities (entity_type, (metadata->>'wa_jid'))
+    WHERE metadata ? 'wa_jid' AND deleted_at IS NULL;

package/dist/db/migrations/20260418100000_add_auth_runs.sql

@@ -0,0 +1,83 @@
+-- migrate:up
+
+-- Adds the 'auth' run lifecycle: workers run interactive connector.authenticate()
+-- flows (WhatsApp QR, OAuth redirect, credential prompt) and stream artifacts
+-- back to the UI via runs.checkpoint. The UI signals back (OAuth callback,
+-- form submit, cancel) via runs.auth_signal.
+
+ALTER TABLE public.runs DROP CONSTRAINT IF EXISTS runs_run_type_check;
+ALTER TABLE public.runs ADD CONSTRAINT runs_run_type_check CHECK (
+    run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'code'::text,
+        'insight'::text,
+        'watcher'::text,
+        'embed_backfill'::text,
+        'auth'::text
+    ])
+);
+
+-- Target auth profile for 'auth' runs (null for other run types).
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS auth_profile_id bigint
+    REFERENCES public.auth_profiles(id) ON DELETE CASCADE;
+
+-- Reverse channel: UI → connector. The connector pauses on ctx.awaitSignal(name)
+-- and polls this column; the API writes here when the UI posts a signal.
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS auth_signal jsonb;
+
+-- One active auth run per auth profile at a time.
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_active_auth_per_profile
+    ON public.runs (auth_profile_id)
+    WHERE run_type = 'auth'
+      AND auth_profile_id IS NOT NULL
+      AND status = ANY (ARRAY['pending'::text, 'claimed'::text, 'running'::text]);
+
+-- 'interactive' profile kind: credentials produced by a connector.authenticate()
+-- run. Examples: WhatsApp Baileys session, connector-managed OAuth.
+ALTER TABLE public.auth_profiles DROP CONSTRAINT IF EXISTS auth_profiles_profile_kind_check;
+ALTER TABLE public.auth_profiles ADD CONSTRAINT auth_profiles_profile_kind_check CHECK (
+    profile_kind = ANY (ARRAY[
+        'env'::text,
+        'oauth_app'::text,
+        'oauth_account'::text,
+        'browser_session'::text,
+        'interactive'::text
+    ])
+);
+
+-- Structured display metadata produced by connector.authenticate() — account_id,
+-- display_name, paired_at, expires_at, etc. Surfaced in UI next to the connection.
+ALTER TABLE public.auth_profiles ADD COLUMN IF NOT EXISTS metadata jsonb DEFAULT '{}'::jsonb NOT NULL;
+
+
+-- migrate:down
+
+ALTER TABLE public.auth_profiles DROP COLUMN IF EXISTS metadata;
+
+ALTER TABLE public.auth_profiles DROP CONSTRAINT IF EXISTS auth_profiles_profile_kind_check;
+ALTER TABLE public.auth_profiles ADD CONSTRAINT auth_profiles_profile_kind_check CHECK (
+    profile_kind = ANY (ARRAY[
+        'env'::text,
+        'oauth_app'::text,
+        'oauth_account'::text,
+        'browser_session'::text
+    ])
+);
+
+DROP INDEX IF EXISTS public.idx_runs_active_auth_per_profile;
+
+ALTER TABLE public.runs DROP COLUMN IF EXISTS auth_signal;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS auth_profile_id;
+
+ALTER TABLE public.runs DROP CONSTRAINT IF EXISTS runs_run_type_check;
+ALTER TABLE public.runs ADD CONSTRAINT runs_run_type_check CHECK (
+    run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'code'::text,
+        'insight'::text,
+        'watcher'::text,
+        'embed_backfill'::text
+    ])
+);

package/dist/db/migrations/20260418110000_add_runs_created_by_user.sql

@@ -0,0 +1,18 @@
+-- migrate:up
+
+-- Track which user initiated an interactive auth run so that only that user
+-- can view the QR / credential artifact. Sensitive artifacts (WhatsApp QR,
+-- OTP codes, OAuth consent URLs) must never be viewable by other org members.
+
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS created_by_user_id text
+    REFERENCES public."user"(id) ON DELETE SET NULL;
+
+CREATE INDEX IF NOT EXISTS idx_runs_created_by_user
+    ON public.runs (created_by_user_id)
+    WHERE created_by_user_id IS NOT NULL;
+
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_runs_created_by_user;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS created_by_user_id;

package/dist/db/migrations/20260419120000_add_event_identity_indexes.sql

@@ -0,0 +1,56 @@
+-- migrate:up
+
+-- Read-time JOIN support for the entity_identities graph.
+--
+-- applyEntityLinks (src/utils/entity-link-upsert.ts) stamps normalized
+-- identifiers into events.metadata under the namespace key (metadata.email,
+-- metadata.wa_jid, metadata.phone, …). Entity-scoped content queries then
+-- JOIN:
+--
+--   events f
+--   EXISTS (SELECT 1 FROM entity_identities ei
+--           WHERE ei.entity_id = $X
+--             AND ei.deleted_at IS NULL
+--             AND f.metadata ? ei.namespace
+--             AND f.metadata->>ei.namespace = ei.identifier)
+--
+-- Without these indexes, the plan degenerates into a seq scan of events for
+-- every entity-scoped content listing. One partial BTREE per namespace in use
+-- keeps the JOIN on an index.
+CREATE INDEX IF NOT EXISTS idx_events_metadata_email
+    ON public.events ((metadata->>'email'))
+    WHERE metadata ? 'email';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_wa_jid
+    ON public.events ((metadata->>'wa_jid'))
+    WHERE metadata ? 'wa_jid';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_phone
+    ON public.events ((metadata->>'phone'))
+    WHERE metadata ? 'phone';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_slack_user_id
+    ON public.events ((metadata->>'slack_user_id'))
+    WHERE metadata ? 'slack_user_id';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_github_login
+    ON public.events ((metadata->>'github_login'))
+    WHERE metadata ? 'github_login';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_auth_user_id
+    ON public.events ((metadata->>'auth_user_id'))
+    WHERE metadata ? 'auth_user_id';
+
+CREATE INDEX IF NOT EXISTS idx_events_metadata_google_contact_id
+    ON public.events ((metadata->>'google_contact_id'))
+    WHERE metadata ? 'google_contact_id';
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_events_metadata_google_contact_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_auth_user_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_github_login;
+DROP INDEX IF EXISTS public.idx_events_metadata_slack_user_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_phone;
+DROP INDEX IF EXISTS public.idx_events_metadata_wa_jid;
+DROP INDEX IF EXISTS public.idx_events_metadata_email;

package/dist/db/migrations/20260420120000_extend_reserved_org_slugs.sql

@@ -0,0 +1,56 @@
+-- migrate:up
+
+-- Extend reserved org slugs to cover infrastructure subdomains.
+-- RESERVED_SUBDOMAINS in packages/server/src/index.ts already
+-- treats www/mcp/static/cdn/... as non-org at the routing layer; this
+-- mirrors it at the DB layer so those names can never be claimed.
+--
+-- `app` is intentionally NOT reserved — `app.lobu.ai` hosts the auth
+-- org itself, whose DB row uses slug='app'.
+
+ALTER TABLE public.organization DROP CONSTRAINT IF EXISTS org_slug_not_reserved;
+
+ALTER TABLE public.organization ADD CONSTRAINT org_slug_not_reserved CHECK (
+    slug <> ALL (ARRAY[
+        'settings',
+        'auth',
+        'api',
+        'templates',
+        'help',
+        'account',
+        'admin',
+        'health',
+        'login',
+        'logout',
+        'signup',
+        'register',
+        'www',
+        'mcp',
+        'static',
+        'assets',
+        'cdn',
+        'docs',
+        'mail'
+    ]::text[])
+);
+
+-- migrate:down
+
+ALTER TABLE public.organization DROP CONSTRAINT IF EXISTS org_slug_not_reserved;
+
+ALTER TABLE public.organization ADD CONSTRAINT org_slug_not_reserved CHECK (
+    slug <> ALL (ARRAY[
+        'settings',
+        'auth',
+        'api',
+        'templates',
+        'help',
+        'account',
+        'admin',
+        'health',
+        'login',
+        'logout',
+        'signup',
+        'register'
+    ]::text[])
+);

package/dist/db/migrations/20260424030000_add_watcher_run_correlation.sql

@@ -0,0 +1,52 @@
+-- migrate:up
+
+-- Durable correlation between a dispatched watcher run and the agent message
+-- that executes it, and between a completed watcher window and the run that
+-- produced it. Replaces payload-based matching in reconcileWatcherRuns.
+
+ALTER TABLE public.runs
+    ADD COLUMN IF NOT EXISTS dispatched_message_id text;
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_dispatched_message_id
+    ON public.runs (dispatched_message_id)
+    WHERE dispatched_message_id IS NOT NULL;
+
+ALTER TABLE public.watcher_windows
+    ADD COLUMN IF NOT EXISTS run_id bigint
+    REFERENCES public.runs(id) ON DELETE SET NULL;
+
+-- Rollout backfill: older windows already stored watcher_run_id in run_metadata,
+-- but pre-migration rows have NULL run_id. Populate the durable FK before the
+-- new reconciler/reset path runs so successful pre-deploy executions are not
+-- re-dispatched on first tick.
+WITH correlated_windows AS (
+    SELECT ww.id,
+           (btrim(ww.run_metadata->>'watcher_run_id'))::bigint AS correlated_run_id
+    FROM public.watcher_windows ww
+    WHERE ww.run_id IS NULL
+      AND ww.run_metadata ? 'watcher_run_id'
+      AND jsonb_typeof(ww.run_metadata->'watcher_run_id') IN ('number', 'string')
+      AND btrim(ww.run_metadata->>'watcher_run_id') ~ '^[0-9]+$'
+)
+UPDATE public.watcher_windows ww
+SET run_id = cw.correlated_run_id
+FROM correlated_windows cw
+WHERE ww.id = cw.id
+  AND EXISTS (
+      SELECT 1
+      FROM public.runs r
+      WHERE r.id = cw.correlated_run_id
+        AND r.run_type = 'watcher'
+  );
+
+CREATE INDEX IF NOT EXISTS idx_watcher_windows_run_id
+    ON public.watcher_windows (run_id)
+    WHERE run_id IS NOT NULL;
+
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_watcher_windows_run_id;
+ALTER TABLE public.watcher_windows DROP COLUMN IF EXISTS run_id;
+DROP INDEX IF EXISTS public.idx_runs_dispatched_message_id;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS dispatched_message_id;

package/dist/db/migrations/20260424130000_relax_events_client_id_fk.sql

@@ -0,0 +1,47 @@
+-- migrate:up
+
+-- The events table tags each row with the OAuth client that produced it via
+-- `events.client_id -> oauth_clients.id`. The original FK had no ON DELETE
+-- behaviour, so when an oauth_client row was removed (manual cleanup, e2e
+-- teardown, expired registration) any in-flight token still issuing inserts
+-- failed with `events_client_id_fkey` violations (Sentry: LOBU-34).
+--
+-- Match the relaxation already applied to other event-side FKs
+-- (connection_id, feed_id, run_id) and let stale client references reset
+-- to NULL instead of breaking inserts.
+--
+-- Add and validate the replacement constraint before the quick final swap so
+-- existing traffic stays protected and the ACCESS EXCLUSIVE window is short.
+
+ALTER TABLE public.events
+    ADD CONSTRAINT events_client_id_fkey_v2
+    FOREIGN KEY (client_id)
+    REFERENCES public.oauth_clients(id)
+    ON DELETE SET NULL
+    NOT VALID;
+
+ALTER TABLE public.events
+    VALIDATE CONSTRAINT events_client_id_fkey_v2;
+
+ALTER TABLE public.events
+    DROP CONSTRAINT IF EXISTS events_client_id_fkey;
+
+ALTER TABLE public.events
+    RENAME CONSTRAINT events_client_id_fkey_v2 TO events_client_id_fkey;
+
+-- migrate:down
+
+ALTER TABLE public.events
+    ADD CONSTRAINT events_client_id_fkey_v2
+    FOREIGN KEY (client_id)
+    REFERENCES public.oauth_clients(id)
+    NOT VALID;
+
+ALTER TABLE public.events
+    VALIDATE CONSTRAINT events_client_id_fkey_v2;
+
+ALTER TABLE public.events
+    DROP CONSTRAINT IF EXISTS events_client_id_fkey;
+
+ALTER TABLE public.events
+    RENAME CONSTRAINT events_client_id_fkey_v2 TO events_client_id_fkey;