@lobu/cli 6.0.1 → 6.1.1

package/dist/db/migrations/20260427170000_market_founder_to_member.sql

@@ -0,0 +1,364 @@
+-- migrate:up
+
+-- Migrate `founder` entities in the `market` org to `$member` entities so
+-- the identity engine can adopt them on OAuth sign-in.
+--
+-- Rationale: the engine binds a signing-in user to an existing `$member` by
+-- multi-namespace identity lookup (email, linkedin_url, github_username,
+-- etc.). Pre-curated founders need to BE `$member` rows for that adoption
+-- to fire. Keeping `founder` as a separate type means the engine can never
+-- bind a user to their pre-curated profile.
+--
+-- The post-migration shape:
+--   - `$member` entities in market carry the founder's metadata, including
+--     `metadata.role='founder'` so the public browse route in
+--     `lobu-ai/lobu-web` can filter `$member` rows on role.
+--   - `entity_identities` rows are written for every namespace value the
+--     migration can extract (email, linkedin_url, twitter_handle).
+--   - Existing relationship rows (`works_at`, `founded`, `previously_at`,
+--     `educated_at`, etc.) are re-pointed from founder.id to the new
+--     $member.id.
+--   - Relationship-type rules are widened to accept `$member` as the
+--     source slug for the relationships that pointed at founders.
+--   - Source `founder` rows are soft-deleted (deleted_at=NOW()) — kept for
+--     audit history; the application path filters them out.
+--
+-- Idempotent: each step uses ON CONFLICT / WHERE NOT EXISTS, so a re-run
+-- on a partially-migrated DB completes the unfinished work without
+-- duplicating rows. Safe to run on a fresh DB (no founders yet) — every
+-- query returns the empty set.
+
+DO $$
+DECLARE
+    v_market_org_id text;
+    v_market_org_slug text;
+    v_member_type_id integer;
+    v_founder_type_id integer;
+BEGIN
+    FOR v_market_org_id, v_market_org_slug IN
+        SELECT id, slug
+        FROM public.organization
+        WHERE slug IN ('market', 'venture-capital')
+        ORDER BY CASE slug WHEN 'market' THEN 0 ELSE 1 END
+    LOOP
+        RAISE NOTICE 'running founder→$member migration for org %', v_market_org_slug;
+
+    SELECT id INTO v_member_type_id
+    FROM public.entity_types
+    WHERE organization_id = v_market_org_id AND slug = '$member' AND deleted_at IS NULL
+    LIMIT 1;
+    IF v_member_type_id IS NULL THEN
+        INSERT INTO public.entity_types (organization_id, slug, name, created_at, updated_at)
+        VALUES (v_market_org_id, '$member', 'Member', NOW(), NOW())
+        RETURNING id INTO v_member_type_id;
+    END IF;
+
+    SELECT id INTO v_founder_type_id
+    FROM public.entity_types
+    WHERE organization_id = v_market_org_id AND slug = 'founder' AND deleted_at IS NULL
+    LIMIT 1;
+
+    IF v_founder_type_id IS NULL THEN
+        RAISE NOTICE 'no founder entity_type in % — nothing to migrate', v_market_org_slug;
+        CONTINUE;
+    END IF;
+
+    -- 1. Create $member rows for each founder. Idempotent via slug uniqueness:
+    --    we generate a deterministic slug derived from the founder id so a
+    --    re-run without source data still produces the same slug.
+    INSERT INTO public.entities (
+        name, slug, entity_type_id, organization_id, parent_id,
+        metadata, created_by, created_at, updated_at
+    )
+    SELECT
+        f.name,
+        'member-from-founder-' || f.id::text AS slug,
+        v_member_type_id,
+        v_market_org_id,
+        NULL,
+        COALESCE(f.metadata, '{}'::jsonb) || jsonb_build_object('role', 'founder', 'migrated_from_founder_id', f.id),
+        COALESCE(f.created_by, 'system'),
+        NOW(),
+        NOW()
+    FROM public.entities f
+    WHERE f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL
+      AND NOT EXISTS (
+          SELECT 1 FROM public.entities m
+          WHERE m.organization_id = v_market_org_id
+            AND m.entity_type_id = v_member_type_id
+            AND m.metadata->>'migrated_from_founder_id' = f.id::text
+            AND m.deleted_at IS NULL
+      );
+
+    -- 2. Write entity_identities rows for any namespace values present on
+    -- the founder metadata. Limited to the namespaces the engine consults.
+    --    email, linkedin_url, twitter_handle.
+    INSERT INTO public.entity_identities (
+        organization_id, entity_id, namespace, identifier, source_connector
+    )
+    SELECT
+        v_market_org_id,
+        m.id,
+        'email',
+        LOWER(f.metadata->>'email'),
+        'migration:founder_to_member'
+    FROM public.entities m
+    JOIN public.entities f
+      ON f.id = (m.metadata->>'migrated_from_founder_id')::bigint
+    WHERE m.organization_id = v_market_org_id
+      AND m.entity_type_id = v_member_type_id
+      AND m.deleted_at IS NULL
+      AND f.metadata ? 'email'
+      AND f.metadata->>'email' IS NOT NULL
+      AND f.metadata->>'email' <> ''
+    ON CONFLICT (organization_id, namespace, identifier) WHERE deleted_at IS NULL
+    DO NOTHING;
+
+    INSERT INTO public.entity_identities (
+        organization_id, entity_id, namespace, identifier, source_connector
+    )
+    SELECT
+        v_market_org_id,
+        m.id,
+        'linkedin_url',
+        f.metadata->>'linkedin_url',
+        'migration:founder_to_member'
+    FROM public.entities m
+    JOIN public.entities f
+      ON f.id = (m.metadata->>'migrated_from_founder_id')::bigint
+    WHERE m.organization_id = v_market_org_id
+      AND m.entity_type_id = v_member_type_id
+      AND m.deleted_at IS NULL
+      AND f.metadata ? 'linkedin_url'
+      AND f.metadata->>'linkedin_url' IS NOT NULL
+      AND f.metadata->>'linkedin_url' <> ''
+    ON CONFLICT (organization_id, namespace, identifier) WHERE deleted_at IS NULL
+    DO NOTHING;
+
+    INSERT INTO public.entity_identities (
+        organization_id, entity_id, namespace, identifier, source_connector
+    )
+    SELECT
+        v_market_org_id,
+        m.id,
+        'twitter_handle',
+        LOWER(REPLACE(f.metadata->>'twitter_handle', '@', '')),
+        'migration:founder_to_member'
+    FROM public.entities m
+    JOIN public.entities f
+      ON f.id = (m.metadata->>'migrated_from_founder_id')::bigint
+    WHERE m.organization_id = v_market_org_id
+      AND m.entity_type_id = v_member_type_id
+      AND m.deleted_at IS NULL
+      AND f.metadata ? 'twitter_handle'
+      AND f.metadata->>'twitter_handle' IS NOT NULL
+      AND f.metadata->>'twitter_handle' <> ''
+    ON CONFLICT (organization_id, namespace, identifier) WHERE deleted_at IS NULL
+    DO NOTHING;
+
+    -- 3. Re-point existing relationships pointing FROM the founder rows to
+    -- point FROM the new $member rows. The reverse direction (relationships
+    -- pointing AT founders) is handled symmetrically. If the destination edge
+    -- already exists, archive the founder edge first so the live-triple unique
+    -- index remains satisfied.
+    UPDATE public.entity_relationships r
+    SET deleted_at = NOW(), updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE r.from_entity_id = f.id
+      AND r.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL
+      AND EXISTS (
+          SELECT 1
+          FROM public.entity_relationships existing
+          WHERE existing.from_entity_id = m.id
+            AND existing.to_entity_id = r.to_entity_id
+            AND existing.relationship_type_id = r.relationship_type_id
+            AND existing.deleted_at IS NULL
+            AND existing.id <> r.id
+      );
+
+    UPDATE public.entity_relationships r
+    SET from_entity_id = m.id, updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE r.from_entity_id = f.id
+      AND r.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL;
+
+    UPDATE public.entity_relationships r
+    SET deleted_at = NOW(), updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE r.to_entity_id = f.id
+      AND r.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL
+      AND EXISTS (
+          SELECT 1
+          FROM public.entity_relationships existing
+          WHERE existing.from_entity_id = r.from_entity_id
+            AND existing.to_entity_id = m.id
+            AND existing.relationship_type_id = r.relationship_type_id
+            AND existing.deleted_at IS NULL
+            AND existing.id <> r.id
+      );
+
+    UPDATE public.entity_relationships r
+    SET to_entity_id = m.id, updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE r.to_entity_id = f.id
+      AND r.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL;
+
+    -- 4. Widen relationship_type rules to accept `$member` as a source
+    -- where they previously accepted `founder`. Keep both slugs for now —
+    -- if the founder slug ever resurrects (e.g. for catalog imports that
+    -- still emit the old type), the rules tolerate it.
+    INSERT INTO public.entity_relationship_type_rules (
+        relationship_type_id, source_entity_type_slug, target_entity_type_slug, created_at
+    )
+    SELECT DISTINCT r.relationship_type_id, '$member', r.target_entity_type_slug, NOW()
+    FROM public.entity_relationship_type_rules r
+    JOIN public.entity_relationship_types rt ON rt.id = r.relationship_type_id
+    WHERE r.source_entity_type_slug = 'founder'
+      AND rt.organization_id = v_market_org_id
+      AND NOT EXISTS (
+          SELECT 1 FROM public.entity_relationship_type_rules existing
+          WHERE existing.relationship_type_id = r.relationship_type_id
+            AND existing.source_entity_type_slug = '$member'
+            AND existing.target_entity_type_slug = r.target_entity_type_slug
+      );
+
+    INSERT INTO public.entity_relationship_type_rules (
+        relationship_type_id, source_entity_type_slug, target_entity_type_slug, created_at
+    )
+    SELECT DISTINCT r.relationship_type_id, r.source_entity_type_slug, '$member', NOW()
+    FROM public.entity_relationship_type_rules r
+    JOIN public.entity_relationship_types rt ON rt.id = r.relationship_type_id
+    WHERE r.target_entity_type_slug = 'founder'
+      AND rt.organization_id = v_market_org_id
+      AND NOT EXISTS (
+          SELECT 1 FROM public.entity_relationship_type_rules existing
+          WHERE existing.relationship_type_id = r.relationship_type_id
+            AND existing.source_entity_type_slug = r.source_entity_type_slug
+            AND existing.target_entity_type_slug = '$member'
+      );
+
+    -- 5. Repoint any pre-existing entity_identities rows that pointed at
+    -- a founder. Step 2 wrote *new* identity rows for the $member, but if
+    -- some other path had already written identity rows on the founder
+    -- (e.g. an earlier provisioning script), those would dangle once the
+    -- founder is soft-deleted in step 7 — entity-identity lookups join on
+    -- entities.deleted_at IS NULL and silently miss the binding.
+    UPDATE public.entity_identities ei
+    SET deleted_at = NOW(), updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE ei.entity_id = f.id
+      AND ei.organization_id = v_market_org_id
+      AND ei.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND EXISTS (
+          SELECT 1
+          FROM public.entity_identities existing
+          WHERE existing.organization_id = ei.organization_id
+            AND existing.namespace = ei.namespace
+            AND existing.identifier = ei.identifier
+            AND existing.entity_id = m.id
+            AND existing.deleted_at IS NULL
+            AND existing.id <> ei.id
+      );
+
+    UPDATE public.entity_identities ei
+    SET entity_id = m.id, updated_at = NOW()
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE ei.entity_id = f.id
+      AND ei.organization_id = v_market_org_id
+      AND ei.deleted_at IS NULL
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id;
+
+    -- 6. Rewrite event.entity_ids arrays so historical events on founder
+    -- rows resolve to the corresponding $member going forward. array_replace
+    -- is a no-op on a re-run because after the first pass the founder id is
+    -- gone from the array and the WHERE filter excludes the row.
+    UPDATE public.events e
+    SET entity_ids = array_replace(e.entity_ids, f.id, m.id)
+    FROM public.entities f
+    JOIN public.entities m
+      ON m.organization_id = f.organization_id
+     AND m.entity_type_id = v_member_type_id
+     AND m.metadata->>'migrated_from_founder_id' = f.id::text
+     AND m.deleted_at IS NULL
+    WHERE e.entity_ids @> ARRAY[f.id]
+      AND e.organization_id = v_market_org_id
+      AND f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id;
+
+    -- 7. Soft-delete the source founder rows. Audit trail survives in the
+    -- entities table itself; queries already filter `deleted_at IS NULL`.
+    UPDATE public.entities f
+    SET deleted_at = NOW(), updated_at = NOW()
+    WHERE f.organization_id = v_market_org_id
+      AND f.entity_type_id = v_founder_type_id
+      AND f.deleted_at IS NULL
+      AND EXISTS (
+          SELECT 1 FROM public.entities m
+          WHERE m.organization_id = v_market_org_id
+            AND m.entity_type_id = v_member_type_id
+            AND m.metadata->>'migrated_from_founder_id' = f.id::text
+            AND m.deleted_at IS NULL
+      );
+    END LOOP;
+END $$;
+
+
+-- migrate:down
+
+-- Fail loudly. A bare `SELECT 1` would let an automatic rollback (CI,
+-- incident response, dbmate down) succeed silently while leaving the DB
+-- in the migrated state, masking the irreversibility. Operators wanting
+-- to revert run a manual playbook: clear deleted_at on the founder rows,
+-- re-point relationships using `metadata.migrated_from_founder_id`, then
+-- delete the new $member rows.
+DO $$
+BEGIN
+    RAISE EXCEPTION 'irreversible: founder→$member is a one-way data migration. Reverse by manual playbook only.';
+END $$;

package/dist/db/migrations/20260428040000_cascade_events_watchers_org_fk.sql

@@ -0,0 +1,66 @@
+-- migrate:up transaction:false
+
+-- Add ON DELETE CASCADE FK on events.organization_id and watchers.organization_id.
+--
+-- These two columns were declared as `text NOT NULL` with no FK to organization,
+-- so dropping an org left orphaned events/watchers behind that had to be DELETE'd
+-- separately. Every other org-scoped table has a CASCADE FK; these two were
+-- oversights. Add them so future org deletes are atomic with their event/watcher
+-- data.
+--
+-- Lock-window strategy: ADD CONSTRAINT NOT VALID adds the catalog row under
+-- a brief ACCESS EXCLUSIVE without scanning the table. VALIDATE then takes
+-- only SHARE UPDATE EXCLUSIVE so concurrent reads and writes are unaffected.
+-- Running with `transaction:false` lets each ALTER release its lock on
+-- completion — keeping ADD + VALIDATE in a single transaction would hold
+-- ACCESS EXCLUSIVE through the validate scan and block writers on the
+-- 575k-row events table.
+--
+-- Idempotency: each ADD is gated on `pg_constraint`. If the FK already
+-- exists (e.g. it was applied out-of-band before this migration was
+-- recorded), the ADD is skipped; VALIDATE on a constraint that's already
+-- validated is a no-op.
+
+SET lock_timeout = '5s';
+
+-- 1. events.organization_id → organization(id) ON DELETE CASCADE.
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1
+          FROM pg_constraint
+         WHERE conrelid = 'public.events'::regclass
+           AND conname  = 'events_organization_id_fkey'
+    ) THEN
+        ALTER TABLE public.events
+            ADD CONSTRAINT events_organization_id_fkey
+            FOREIGN KEY (organization_id) REFERENCES public.organization(id) ON DELETE CASCADE
+            NOT VALID;
+    END IF;
+END$$;
+
+ALTER TABLE public.events VALIDATE CONSTRAINT events_organization_id_fkey;
+
+-- 2. watchers.organization_id → organization(id) ON DELETE CASCADE.
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1
+          FROM pg_constraint
+         WHERE conrelid = 'public.watchers'::regclass
+           AND conname  = 'watchers_organization_id_fkey'
+    ) THEN
+        ALTER TABLE public.watchers
+            ADD CONSTRAINT watchers_organization_id_fkey
+            FOREIGN KEY (organization_id) REFERENCES public.organization(id) ON DELETE CASCADE
+            NOT VALID;
+    END IF;
+END$$;
+
+ALTER TABLE public.watchers VALIDATE CONSTRAINT watchers_organization_id_fkey;
+
+
+-- migrate:down transaction:false
+
+ALTER TABLE public.events    DROP CONSTRAINT IF EXISTS events_organization_id_fkey;
+ALTER TABLE public.watchers  DROP CONSTRAINT IF EXISTS watchers_organization_id_fkey;

package/dist/db/migrations/20260428050000_add_runs_approved_input.sql

@@ -0,0 +1,9 @@
+-- migrate:up
+
+ALTER TABLE public.runs
+    ADD COLUMN IF NOT EXISTS approved_input jsonb;
+
+-- migrate:down
+
+ALTER TABLE public.runs
+    DROP COLUMN IF EXISTS approved_input;

package/dist/db/migrations/20260429010000_auth_profile_tenant_scoped_fk.sql

@@ -0,0 +1,79 @@
+-- migrate:up
+
+-- Enforce tenant scope on connection.auth_profile FKs.
+--
+-- Background: connections.app_auth_profile_id and connections.auth_profile_id
+-- referenced auth_profiles(id) without checking that the profile belongs to
+-- the same organization as the connection. A bug in some prior create path
+-- left at least one connection (id=212, org buremba) pointing at an auth
+-- profile in a different org (id=10, org_617e78013e6ff72d). The UI correctly
+-- refused to load it ("Auth profile 'reddit-oauth-app' not found"), but the
+-- bad reference blocked setup.
+--
+-- Fix: switch both FKs to multi-column (organization_id, profile_id) so
+-- references can't escape their tenant. MATCH SIMPLE (the default) keeps
+-- profile_id-NULL satisfying the constraint, which is what we want — the
+-- column stays nullable.
+
+-- 1. Clean up any cross-org or dangling references in existing data.
+--    Idempotent: 0 rows once applied; safe to re-run.
+UPDATE connections c
+SET app_auth_profile_id = NULL, updated_at = NOW()
+WHERE app_auth_profile_id IS NOT NULL
+  AND NOT EXISTS (
+    SELECT 1 FROM auth_profiles ap
+    WHERE ap.id = c.app_auth_profile_id
+      AND ap.organization_id = c.organization_id
+  );
+
+UPDATE connections c
+SET auth_profile_id = NULL, updated_at = NOW()
+WHERE auth_profile_id IS NOT NULL
+  AND NOT EXISTS (
+    SELECT 1 FROM auth_profiles ap
+    WHERE ap.id = c.auth_profile_id
+      AND ap.organization_id = c.organization_id
+  );
+
+-- 2. Add (organization_id, id) UNIQUE on auth_profiles to give the new FK a
+--    target. Cheap on the existing 31-row table.
+ALTER TABLE auth_profiles
+    ADD CONSTRAINT auth_profiles_org_id_unique UNIQUE (organization_id, id);
+
+-- 3. Replace single-column FKs with tenant-scoped multi-column FKs.
+ALTER TABLE connections
+    DROP CONSTRAINT connections_app_auth_profile_id_fkey;
+ALTER TABLE connections
+    ADD CONSTRAINT connections_app_auth_profile_id_fkey
+    FOREIGN KEY (organization_id, app_auth_profile_id)
+    REFERENCES auth_profiles (organization_id, id)
+    ON DELETE SET NULL;
+
+ALTER TABLE connections
+    DROP CONSTRAINT connections_auth_profile_id_fkey;
+ALTER TABLE connections
+    ADD CONSTRAINT connections_auth_profile_id_fkey
+    FOREIGN KEY (organization_id, auth_profile_id)
+    REFERENCES auth_profiles (organization_id, id)
+    ON DELETE SET NULL;
+
+-- migrate:down
+
+ALTER TABLE connections
+    DROP CONSTRAINT connections_app_auth_profile_id_fkey;
+ALTER TABLE connections
+    ADD CONSTRAINT connections_app_auth_profile_id_fkey
+    FOREIGN KEY (app_auth_profile_id)
+    REFERENCES auth_profiles (id)
+    ON DELETE SET NULL;
+
+ALTER TABLE connections
+    DROP CONSTRAINT connections_auth_profile_id_fkey;
+ALTER TABLE connections
+    ADD CONSTRAINT connections_auth_profile_id_fkey
+    FOREIGN KEY (auth_profile_id)
+    REFERENCES auth_profiles (id)
+    ON DELETE SET NULL;
+
+ALTER TABLE auth_profiles
+    DROP CONSTRAINT auth_profiles_org_id_unique;

package/dist/db/migrations/20260429060000_extend_runs_for_lobu_queue.sql

@@ -0,0 +1,108 @@
+-- migrate:up
+
+-- Phase 5 of Redis -> Postgres migration: route the lobu queue (chat_message,
+-- thread_message_*, thread_response, schedule, agent_run) through the runs
+-- table instead of BullMQ.
+--
+-- 1. Extend the run_type CHECK to allow the new lobu-queue lanes alongside
+--    the existing connector/auth/embed lanes.
+-- 2. Allow organization_id to be NULL for lobu-queue runs (chat_message,
+--    schedule, etc.). The original lanes still require it via the partial
+--    CHECK below.
+-- 3. Add columns required for in-process claim + retry:
+--      queue_name      — distinguishes thread_message_* sub-queues that all
+--                        share run_type='chat_message'.
+--      idempotency_key — singletonKey dedup; partial unique index below.
+--      attempts        — current retry count.
+--      max_attempts    — cap for retries before DLQ/failed.
+--      run_at          — when the row becomes claimable; supports delayMs.
+-- 4. Add the claim index used by the in-process polling loop. Filter to the
+--    new run types so the connector worker (run_type IN ('sync','action',...))
+--    is never woken by lobu-queue inserts and vice versa.
+
+-- Drop the old run_type CHECK and re-add with the new lobu-queue lanes.
+ALTER TABLE public.runs
+    DROP CONSTRAINT IF EXISTS runs_run_type_check;
+
+ALTER TABLE public.runs
+    ADD CONSTRAINT runs_run_type_check CHECK (run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'embed_backfill'::text,
+        'watcher'::text,
+        'auth'::text,
+        'chat_message'::text,
+        'schedule'::text,
+        'agent_run'::text,
+        'internal'::text
+    ]));
+
+-- organization_id is required for connector lanes (sync/action/embed/watcher/
+-- auth) but optional for lobu-queue lanes. Drop NOT NULL and enforce per-lane.
+ALTER TABLE public.runs
+    ALTER COLUMN organization_id DROP NOT NULL;
+
+ALTER TABLE public.runs
+    ADD CONSTRAINT runs_legacy_org_required CHECK (
+        run_type NOT IN (
+            'sync', 'action', 'embed_backfill', 'watcher', 'auth'
+        )
+        OR organization_id IS NOT NULL
+    );
+
+-- Lobu queue columns.
+ALTER TABLE public.runs
+    ADD COLUMN IF NOT EXISTS queue_name text,
+    ADD COLUMN IF NOT EXISTS idempotency_key text,
+    ADD COLUMN IF NOT EXISTS attempts integer NOT NULL DEFAULT 0,
+    ADD COLUMN IF NOT EXISTS max_attempts integer NOT NULL DEFAULT 3,
+    ADD COLUMN IF NOT EXISTS run_at timestamp with time zone NOT NULL DEFAULT now();
+
+-- Idempotency: partial unique on (idempotency_key) for runs that are still in
+-- a non-terminal state. Once a run completes / fails / cancels / times out it
+-- no longer participates in dedup, so a future enqueue with the same singleton
+-- key (e.g. a Slack retry that lands minutes after the first attempt
+-- finished) can insert a fresh row. Connector lanes never set this column.
+CREATE UNIQUE INDEX IF NOT EXISTS runs_idempotency_key_uniq
+    ON public.runs (idempotency_key)
+    WHERE idempotency_key IS NOT NULL
+      AND status IN ('pending', 'claimed', 'running');
+
+-- Claim index for the in-process poll loop. Limited to lobu-queue run types
+-- so the connector worker's HTTP-poll claim stays on its own indexes.
+CREATE INDEX IF NOT EXISTS runs_lobu_claim_idx
+    ON public.runs (run_type, queue_name, run_at)
+    WHERE status = 'pending'
+      AND run_type IN ('chat_message', 'schedule', 'agent_run', 'internal');
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.runs_lobu_claim_idx;
+DROP INDEX IF EXISTS public.runs_idempotency_key_uniq;
+
+ALTER TABLE public.runs
+    DROP COLUMN IF EXISTS run_at,
+    DROP COLUMN IF EXISTS max_attempts,
+    DROP COLUMN IF EXISTS attempts,
+    DROP COLUMN IF EXISTS idempotency_key,
+    DROP COLUMN IF EXISTS queue_name;
+
+ALTER TABLE public.runs
+    DROP CONSTRAINT IF EXISTS runs_legacy_org_required;
+
+-- Restoring NOT NULL would fail if any lobu-queue rows still exist. Operators
+-- running `migrate:down` are expected to truncate or migrate those first.
+ALTER TABLE public.runs
+    ALTER COLUMN organization_id SET NOT NULL;
+
+ALTER TABLE public.runs
+    DROP CONSTRAINT IF EXISTS runs_run_type_check;
+
+ALTER TABLE public.runs
+    ADD CONSTRAINT runs_run_type_check CHECK (run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'embed_backfill'::text,
+        'watcher'::text,
+        'auth'::text
+    ]));