npm - @lobu/cli - Versions diffs - 6.0.1 → 7.0.0 - Mend

@lobu/cli 6.0.1 → 7.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (265) hide show

package/README.md +20 -27
package/dist/bundled-skills/lobu/SKILL.md +11 -11
package/dist/commands/_lib/apply/apply-cmd.d.ts +38 -0
package/dist/commands/_lib/apply/apply-cmd.d.ts.map +1 -1
package/dist/commands/_lib/apply/apply-cmd.js +574 -40
package/dist/commands/_lib/apply/apply-cmd.js.map +1 -1
package/dist/commands/_lib/apply/client.d.ts +180 -1
package/dist/commands/_lib/apply/client.d.ts.map +1 -1
package/dist/commands/_lib/apply/client.js +308 -28
package/dist/commands/_lib/apply/client.js.map +1 -1
package/dist/commands/_lib/apply/desired-state.d.ts +134 -3
package/dist/commands/_lib/apply/desired-state.d.ts.map +1 -1
package/dist/commands/_lib/apply/desired-state.js +703 -89
package/dist/commands/_lib/apply/desired-state.js.map +1 -1
package/dist/commands/_lib/apply/diff.d.ts +61 -3
package/dist/commands/_lib/apply/diff.d.ts.map +1 -1
package/dist/commands/_lib/apply/diff.js +382 -92
package/dist/commands/_lib/apply/diff.js.map +1 -1
package/dist/commands/_lib/apply/prompt.d.ts +6 -0
package/dist/commands/_lib/apply/prompt.d.ts.map +1 -1
package/dist/commands/_lib/apply/prompt.js +16 -0
package/dist/commands/_lib/apply/prompt.js.map +1 -1
package/dist/commands/_lib/apply/render.d.ts +9 -0
package/dist/commands/_lib/apply/render.d.ts.map +1 -1
package/dist/commands/_lib/apply/render.js +80 -3
package/dist/commands/_lib/apply/render.js.map +1 -1
package/dist/commands/agent.d.ts +7 -0
package/dist/commands/agent.d.ts.map +1 -1
package/dist/commands/agent.js +65 -1
package/dist/commands/agent.js.map +1 -1
package/dist/commands/chat.d.ts +12 -9
package/dist/commands/chat.d.ts.map +1 -1
package/dist/commands/chat.js +125 -57
package/dist/commands/chat.js.map +1 -1
package/dist/commands/dev.d.ts +23 -7
package/dist/commands/dev.d.ts.map +1 -1
package/dist/commands/dev.js +197 -49
package/dist/commands/dev.js.map +1 -1
package/dist/commands/doctor.d.ts +1 -0
package/dist/commands/doctor.d.ts.map +1 -1
package/dist/commands/doctor.js +136 -0
package/dist/commands/doctor.js.map +1 -1
package/dist/commands/eval.d.ts +8 -0
package/dist/commands/eval.d.ts.map +1 -1
package/dist/commands/eval.js +72 -6
package/dist/commands/eval.js.map +1 -1
package/dist/commands/init.d.ts +22 -5
package/dist/commands/init.d.ts.map +1 -1
package/dist/commands/init.js +355 -182
package/dist/commands/init.js.map +1 -1
package/dist/commands/link.d.ts +11 -0
package/dist/commands/link.d.ts.map +1 -0
package/dist/commands/link.js +28 -0
package/dist/commands/link.js.map +1 -0
package/dist/commands/login.d.ts.map +1 -1
package/dist/commands/login.js +14 -2
package/dist/commands/login.js.map +1 -1
package/dist/commands/memory/_lib/browser-auth-cmd.d.ts.map +1 -1
package/dist/commands/memory/_lib/browser-auth-cmd.js +3 -3
package/dist/commands/memory/_lib/browser-auth-cmd.js.map +1 -1
package/dist/commands/memory/_lib/mcp.d.ts +2 -2
package/dist/commands/memory/_lib/mcp.d.ts.map +1 -1
package/dist/commands/memory/_lib/mcp.js +24 -12
package/dist/commands/memory/_lib/mcp.js.map +1 -1
package/dist/commands/memory/_lib/openclaw-auth.d.ts +1 -0
package/dist/commands/memory/_lib/openclaw-auth.d.ts.map +1 -1
package/dist/commands/memory/_lib/openclaw-auth.js +14 -3
package/dist/commands/memory/_lib/openclaw-auth.js.map +1 -1
package/dist/commands/memory/_lib/openclaw-cmd.js +1 -1
package/dist/commands/memory/_lib/openclaw-cmd.js.map +1 -1
package/dist/commands/memory/_lib/schema.d.ts +29 -2
package/dist/commands/memory/_lib/schema.d.ts.map +1 -1
package/dist/commands/memory/_lib/schema.js +121 -5
package/dist/commands/memory/_lib/schema.js.map +1 -1
package/dist/commands/memory/_lib/seed-cmd.d.ts.map +1 -1
package/dist/commands/memory/_lib/seed-cmd.js +46 -24
package/dist/commands/memory/_lib/seed-cmd.js.map +1 -1
package/dist/commands/memory/run.d.ts.map +1 -1
package/dist/commands/memory/run.js +2 -2
package/dist/commands/memory/run.js.map +1 -1
package/dist/commands/org.d.ts +4 -0
package/dist/commands/org.d.ts.map +1 -1
package/dist/commands/org.js +10 -0
package/dist/commands/org.js.map +1 -1
package/dist/commands/platforms/platform-prompts.d.ts +0 -1
package/dist/commands/platforms/platform-prompts.d.ts.map +1 -1
package/dist/commands/platforms/platform-prompts.js +54 -8
package/dist/commands/platforms/platform-prompts.js.map +1 -1
package/dist/commands/telemetry.d.ts +10 -0
package/dist/commands/telemetry.d.ts.map +1 -0
package/dist/commands/telemetry.js +68 -0
package/dist/commands/telemetry.js.map +1 -0
package/dist/commands/token.d.ts +9 -0
package/dist/commands/token.d.ts.map +1 -1
package/dist/commands/token.js +54 -0
package/dist/commands/token.js.map +1 -1
package/dist/commands/whoami.d.ts.map +1 -1
package/dist/commands/whoami.js +1 -1
package/dist/commands/whoami.js.map +1 -1
package/dist/connectors/README.md +534 -0
package/dist/connectors/__tests__/browser-scraper-utils.test.ts +186 -0
package/dist/connectors/apple_health.ts +138 -0
package/dist/connectors/apple_screen_time.ts +82 -0
package/dist/connectors/browser-scraper-utils.ts +246 -0
package/dist/connectors/capterra.ts +277 -0
package/dist/connectors/g2.ts +290 -0
package/dist/connectors/github.ts +1530 -0
package/dist/connectors/glassdoor.ts +295 -0
package/dist/connectors/gmaps.ts +197 -0
package/dist/connectors/google_calendar.ts +641 -0
package/dist/connectors/google_gmail.ts +754 -0
package/dist/connectors/google_photos.ts +776 -0
package/dist/connectors/google_play.ts +349 -0
package/dist/connectors/hackernews.ts +471 -0
package/dist/connectors/index.ts +28 -0
package/dist/connectors/ios_appstore.ts +226 -0
package/dist/connectors/linkedin.ts +494 -0
package/dist/connectors/local_directory.ts +91 -0
package/dist/connectors/microsoft_outlook.ts +410 -0
package/dist/connectors/producthunt.ts +471 -0
package/dist/connectors/reddit.ts +600 -0
package/dist/connectors/revolut.ts +572 -0
package/dist/connectors/rss.ts +448 -0
package/dist/connectors/spotify.ts +590 -0
package/dist/connectors/trustpilot.ts +203 -0
package/dist/connectors/website.ts +629 -0
package/dist/connectors/whatsapp.ts +1081 -0
package/dist/connectors/whatsapp_local.ts +125 -0
package/dist/connectors/x.ts +536 -0
package/dist/connectors/youtube.ts +666 -0
package/dist/db/migrations/00000000000000_baseline.sql +4867 -0
package/dist/db/migrations/20260405193000_add_mcp_sessions.sql +33 -0
package/dist/db/migrations/20260408120000_remove_system_connectors.sql +48 -0
package/dist/db/migrations/20260408120001_optional_compiled_code.sql +6 -0
package/dist/db/migrations/20260409110000_add_active_watcher_run_index.sql +9 -0
package/dist/db/migrations/20260409130000_connector_default_config.sql +5 -0
package/dist/db/migrations/20260410120000_add_agent_secrets.sql +25 -0
package/dist/db/migrations/20260413170000_add_watcher_group_id.sql +67 -0
package/dist/db/migrations/20260416120000_add_entity_wa_jid_index.sql +14 -0
package/dist/db/migrations/20260417100000_add_entity_identities.sql +77 -0
package/dist/db/migrations/20260418100000_add_auth_runs.sql +83 -0
package/dist/db/migrations/20260418110000_add_runs_created_by_user.sql +18 -0
package/dist/db/migrations/20260419120000_add_event_identity_indexes.sql +56 -0
package/dist/db/migrations/20260420120000_extend_reserved_org_slugs.sql +56 -0
package/dist/db/migrations/20260424030000_add_watcher_run_correlation.sql +52 -0
package/dist/db/migrations/20260424130000_relax_events_client_id_fk.sql +47 -0
package/dist/db/migrations/20260425100000_normalize_watcher_feedback.sql +91 -0
package/dist/db/migrations/20260425120000_add_run_diagnostics.sql +20 -0
package/dist/db/migrations/20260425130000_add_repair_agent_plumbing.sql +46 -0
package/dist/db/migrations/20260426120000_entities_entity_type_fk.sql +101 -0
package/dist/db/migrations/20260426130000_db_integrity_cleanup.sql +104 -0
package/dist/db/migrations/20260426130001_db_integrity_cleanup_concurrent.sql +187 -0
package/dist/db/migrations/20260427133000_events_created_by_nullable.sql +74 -0
package/dist/db/migrations/20260427140000_identity_engine_indexes.sql +140 -0
package/dist/db/migrations/20260427150000_drop_events_source_id.sql +177 -0
package/dist/db/migrations/20260427160000_drop_dead_schema.sql +76 -0
package/dist/db/migrations/20260427170000_market_founder_to_member.sql +364 -0
package/dist/db/migrations/20260428040000_cascade_events_watchers_org_fk.sql +66 -0
package/dist/db/migrations/20260428050000_add_runs_approved_input.sql +9 -0
package/dist/db/migrations/20260429010000_auth_profile_tenant_scoped_fk.sql +79 -0
package/dist/db/migrations/20260429060000_extend_runs_for_lobu_queue.sql +108 -0
package/dist/db/migrations/20260429120000_agent_changed_notify.sql +97 -0
package/dist/db/migrations/20260429120100_user_auth_profiles_and_model_prefs.sql +36 -0
package/dist/db/migrations/20260429120200_fix_notify_old_keys.sql +130 -0
package/dist/db/migrations/20260429130000_oauth_states_cli_sessions_rate_limits.sql +83 -0
package/dist/db/migrations/20260429140000_phase8_grants_chat_connections_mcp_sessions.sql +84 -0
package/dist/db/migrations/20260429140100_runs_priority_expires_at_retry_delay.sql +44 -0
package/dist/db/migrations/20260429180000_drop_invalidatable_cache_triggers.sql +25 -0
package/dist/db/migrations/20260430005614_agents_apply_fields.sql +21 -0
package/dist/db/migrations/20260430022231_fix_connection_config_encryption.sql +69 -0
package/dist/db/migrations/20260430151215_add_task_run_type.sql +77 -0
package/dist/db/migrations/20260501000000_drop_cli_sessions.sql +27 -0
package/dist/db/migrations/20260501133000_lobu_memory_mcp_id.sql +117 -0
package/dist/db/migrations/20260502000000_drop_chat_connections.sql +60 -0
package/dist/db/migrations/20260503000000_agent_secrets_org_scope.sql +56 -0
package/dist/db/migrations/20260504000000_flatten_agents_drop_sandbox_model.sql +48 -0
package/dist/db/migrations/20260510220000_connector_required_capability.sql +47 -0
package/dist/db/migrations/20260512000000_device_worker_connection_binding.sql +113 -0
package/dist/db/migrations/20260512131703_connections_slug.sql +131 -0
package/dist/db/migrations/20260513000000_chat_user_identities.sql +24 -0
package/dist/db/migrations/20260513120000_auth_profiles_device_binding.sql +50 -0
package/dist/db/migrations/20260513150000_auth_profiles_cdp_url.sql +43 -0
package/dist/db/migrations/20260513200000_notifications_as_events.sql +86 -0
package/dist/db/migrations/20260514000000_scheduled_jobs.sql +97 -0
package/dist/db/migrations/20260514120000_auth_profiles_connector_key_nullable.sql +42 -0
package/dist/eval/types.d.ts +2 -0
package/dist/eval/types.d.ts.map +1 -1
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +210 -132
package/dist/index.js.map +1 -1
package/dist/internal/api-client.d.ts +4 -8
package/dist/internal/api-client.d.ts.map +1 -1
package/dist/internal/api-client.js +1 -1
package/dist/internal/api-client.js.map +1 -1
package/dist/internal/context.js +2 -2
package/dist/internal/context.js.map +1 -1
package/dist/internal/credentials.d.ts.map +1 -1
package/dist/internal/credentials.js +6 -1
package/dist/internal/credentials.js.map +1 -1
package/dist/internal/gateway-url.d.ts +14 -0
package/dist/internal/gateway-url.d.ts.map +1 -1
package/dist/internal/gateway-url.js +19 -0
package/dist/internal/gateway-url.js.map +1 -1
package/dist/internal/index.d.ts +3 -4
package/dist/internal/index.d.ts.map +1 -1
package/dist/internal/index.js +3 -3
package/dist/internal/index.js.map +1 -1
package/dist/internal/oauth.d.ts +6 -5
package/dist/internal/oauth.d.ts.map +1 -1
package/dist/internal/oauth.js +2 -2
package/dist/internal/project-link.d.ts +10 -0
package/dist/internal/project-link.d.ts.map +1 -0
package/dist/internal/project-link.js +48 -0
package/dist/internal/project-link.js.map +1 -0
package/dist/providers.json +2 -2
package/dist/server.bundle.mjs +31654 -30866
package/dist/start-local.bundle.mjs +74409 -0
package/dist/templates/README.md.tmpl +10 -11
package/dist/templates/TESTING.md.tmpl +9 -9
package/package.json +15 -13
package/dist/__tests__/chat.integration.test.d.ts +0 -2
package/dist/__tests__/chat.integration.test.d.ts.map +0 -1
package/dist/__tests__/chat.integration.test.js +0 -337
package/dist/__tests__/chat.integration.test.js.map +0 -1
package/dist/__tests__/dev.test.d.ts +0 -2
package/dist/__tests__/dev.test.d.ts.map +0 -1
package/dist/__tests__/dev.test.js +0 -25
package/dist/__tests__/dev.test.js.map +0 -1
package/dist/__tests__/init-memory.test.d.ts +0 -2
package/dist/__tests__/init-memory.test.d.ts.map +0 -1
package/dist/__tests__/init-memory.test.js +0 -45
package/dist/__tests__/init-memory.test.js.map +0 -1
package/dist/__tests__/token.test.d.ts +0 -2
package/dist/__tests__/token.test.d.ts.map +0 -1
package/dist/__tests__/token.test.js +0 -52
package/dist/__tests__/token.test.js.map +0 -1
package/dist/commands/_lib/apply/__tests__/client.test.d.ts +0 -2
package/dist/commands/_lib/apply/__tests__/client.test.d.ts.map +0 -1
package/dist/commands/_lib/apply/__tests__/client.test.js +0 -23
package/dist/commands/_lib/apply/__tests__/client.test.js.map +0 -1
package/dist/commands/_lib/apply/__tests__/desired-state.test.d.ts +0 -2
package/dist/commands/_lib/apply/__tests__/desired-state.test.d.ts.map +0 -1
package/dist/commands/_lib/apply/__tests__/desired-state.test.js +0 -140
package/dist/commands/_lib/apply/__tests__/desired-state.test.js.map +0 -1
package/dist/commands/_lib/apply/__tests__/diff.test.d.ts +0 -2
package/dist/commands/_lib/apply/__tests__/diff.test.d.ts.map +0 -1
package/dist/commands/_lib/apply/__tests__/diff.test.js +0 -378
package/dist/commands/_lib/apply/__tests__/diff.test.js.map +0 -1
package/dist/commands/apply.d.ts +0 -3
package/dist/commands/apply.d.ts.map +0 -1
package/dist/commands/apply.js +0 -5
package/dist/commands/apply.js.map +0 -1
package/dist/commands/memory/_lib/openclaw-auth.test.d.ts +0 -2
package/dist/commands/memory/_lib/openclaw-auth.test.d.ts.map +0 -1
package/dist/commands/memory/_lib/openclaw-auth.test.js +0 -9
package/dist/commands/memory/_lib/openclaw-auth.test.js.map +0 -1
package/dist/internal/__tests__/api-client.test.d.ts +0 -2
package/dist/internal/__tests__/api-client.test.d.ts.map +0 -1
package/dist/internal/__tests__/api-client.test.js +0 -95
package/dist/internal/__tests__/api-client.test.js.map +0 -1
package/dist/internal/__tests__/context.test.d.ts +0 -2
package/dist/internal/__tests__/context.test.d.ts.map +0 -1
package/dist/internal/__tests__/context.test.js +0 -77
package/dist/internal/__tests__/context.test.js.map +0 -1

package/dist/db/migrations/20260405193000_add_mcp_sessions.sql ADDED Viewed

@@ -0,0 +1,33 @@
+-- migrate:up
+CREATE TABLE public.mcp_sessions (
+    session_id text PRIMARY KEY,
+    user_id text,
+    client_id text,
+    organization_id text,
+    member_role text,
+    requested_agent_id text,
+    is_authenticated boolean DEFAULT false NOT NULL,
+    scoped_to_org boolean DEFAULT false NOT NULL,
+    last_accessed_at timestamp with time zone DEFAULT now() NOT NULL,
+    expires_at timestamp with time zone NOT NULL
+);
+CREATE INDEX mcp_sessions_client_id_idx ON public.mcp_sessions USING btree (client_id);
+CREATE INDEX mcp_sessions_expires_at_idx ON public.mcp_sessions USING btree (expires_at);
+CREATE INDEX mcp_sessions_user_id_idx ON public.mcp_sessions USING btree (user_id);
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_client_id_fkey FOREIGN KEY (client_id) REFERENCES public.oauth_clients(id) ON DELETE CASCADE;
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_organization_id_fkey FOREIGN KEY (organization_id) REFERENCES public.organization(id) ON DELETE CASCADE;
+ALTER TABLE ONLY public.mcp_sessions
+    ADD CONSTRAINT mcp_sessions_user_id_fkey FOREIGN KEY (user_id) REFERENCES public."user"(id) ON DELETE CASCADE;
+COMMENT ON TABLE public.mcp_sessions IS 'Persisted MCP streamable HTTP sessions for restart and cross-replica recovery';
+-- migrate:down
+DROP TABLE IF EXISTS public.mcp_sessions;

package/dist/db/migrations/20260408120000_remove_system_connectors.sql ADDED Viewed

@@ -0,0 +1,48 @@
+-- migrate:up
+-- Migrate system connector definitions to org-scoped.
+-- For every org, copy each active system connector definition that
+-- the org doesn't already have (regardless of whether connections exist).
+INSERT INTO connector_definitions (
+  organization_id, key, name, description, version,
+  auth_schema, feeds_schema, actions_schema, options_schema,
+  mcp_config, openapi_config, favicon_domain, status, login_enabled
+)
+SELECT
+  o.id,
+  cd.key,
+  cd.name,
+  cd.description,
+  cd.version,
+  cd.auth_schema,
+  cd.feeds_schema,
+  cd.actions_schema,
+  cd.options_schema,
+  cd.mcp_config,
+  cd.openapi_config,
+  cd.favicon_domain,
+  cd.status,
+  cd.login_enabled
+FROM connector_definitions cd
+CROSS JOIN "organization" o
+WHERE cd.organization_id IS NULL
+  AND cd.status = 'active'
+  AND NOT EXISTS (
+    SELECT 1
+    FROM connector_definitions existing
+    WHERE existing.organization_id = o.id
+      AND existing.key = cd.key
+      AND existing.status = 'active'
+  );
+-- Archive all system-level connector definitions
+UPDATE connector_definitions
+SET status = 'archived', updated_at = NOW()
+WHERE organization_id IS NULL
+  AND status = 'active';
+-- Drop orphaned index that only covered system-level (org IS NULL) definitions
+DROP INDEX IF EXISTS idx_connector_defs_system_key;
+-- migrate:down

package/dist/db/migrations/20260408120001_optional_compiled_code.sql ADDED Viewed

@@ -0,0 +1,6 @@
+-- migrate:up
+ALTER TABLE connector_versions ALTER COLUMN compiled_code DROP NOT NULL;
+-- migrate:down
+UPDATE connector_versions SET compiled_code = '' WHERE compiled_code IS NULL;
+ALTER TABLE connector_versions ALTER COLUMN compiled_code SET NOT NULL;

package/dist/db/migrations/20260409110000_add_active_watcher_run_index.sql ADDED Viewed

@@ -0,0 +1,9 @@
+-- migrate:up
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_active_watcher_per_watcher
+  ON runs (watcher_id)
+  WHERE run_type = 'watcher'
+    AND watcher_id IS NOT NULL
+    AND status IN ('pending', 'claimed', 'running');
+-- migrate:down
+DROP INDEX IF EXISTS idx_runs_active_watcher_per_watcher;

package/dist/db/migrations/20260409130000_connector_default_config.sql ADDED Viewed

@@ -0,0 +1,5 @@
+-- migrate:up
+ALTER TABLE connector_definitions ADD COLUMN IF NOT EXISTS default_connection_config jsonb;
+-- migrate:down
+ALTER TABLE connector_definitions DROP COLUMN IF EXISTS default_connection_config;

package/dist/db/migrations/20260410120000_add_agent_secrets.sql ADDED Viewed

@@ -0,0 +1,25 @@
+-- migrate:up
+CREATE TABLE public.agent_secrets (
+    name text PRIMARY KEY,
+    ciphertext text NOT NULL,
+    expires_at timestamp with time zone,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL
+);
+-- text_pattern_ops index enables efficient prefix scans used by list(prefix)
+-- to support cascade deletes (deleteSecretsByPrefix in @lobu/gateway).
+CREATE INDEX agent_secrets_name_prefix_idx
+    ON public.agent_secrets USING btree (name text_pattern_ops);
+CREATE INDEX agent_secrets_expires_at_idx
+    ON public.agent_secrets USING btree (expires_at)
+    WHERE expires_at IS NOT NULL;
+COMMENT ON TABLE public.agent_secrets IS
+    'Encrypted secret values referenced via secret:// refs. Backs the PostgresSecretStore implementation of @lobu/gateway WritableSecretStore.';
+-- migrate:down
+DROP TABLE IF EXISTS public.agent_secrets;

package/dist/db/migrations/20260413170000_add_watcher_group_id.sql ADDED Viewed

@@ -0,0 +1,67 @@
+-- migrate:up
+ALTER TABLE public.watchers
+  ADD COLUMN IF NOT EXISTS source_watcher_id integer,
+  ADD COLUMN IF NOT EXISTS watcher_group_id integer;
+-- Backfill source watcher links from cloned watcher versions.
+WITH derived_source AS (
+  SELECT DISTINCT ON (w.id)
+    w.id AS watcher_id,
+    source_versions.watcher_id AS source_watcher_id
+  FROM public.watchers w
+  JOIN public.watcher_versions wv ON wv.watcher_id = w.id
+  JOIN public.watcher_versions source_versions
+    ON source_versions.id = substring(wv.change_notes FROM 'Created from version ([0-9]+)')::integer
+  WHERE wv.change_notes ~ 'Created from version [0-9]+'
+  ORDER BY w.id, wv.version ASC, wv.id ASC
+)
+UPDATE public.watchers w
+SET source_watcher_id = ds.source_watcher_id
+FROM derived_source ds
+WHERE w.id = ds.watcher_id
+  AND w.source_watcher_id IS NULL;
+-- Build stable watcher group ids by walking source watcher ancestry to the root.
+WITH RECURSIVE roots AS (
+  SELECT w.id AS watcher_id, w.source_watcher_id, w.id AS root_id
+  FROM public.watchers w
+  WHERE w.source_watcher_id IS NULL
+  UNION ALL
+  SELECT child.id AS watcher_id, child.source_watcher_id, roots.root_id
+  FROM public.watchers child
+  JOIN roots ON child.source_watcher_id = roots.watcher_id
+)
+UPDATE public.watchers w
+SET watcher_group_id = roots.root_id
+FROM roots
+WHERE w.id = roots.watcher_id;
+-- Fallback for any rows that did not match the recursive backfill.
+UPDATE public.watchers
+SET watcher_group_id = id
+WHERE watcher_group_id IS NULL;
+-- `watchers.current_version_id` has a DEFERRABLE FK. The backfill updates above queue
+-- deferred trigger events, and PostgreSQL refuses ALTER TABLE while those are pending.
+SET CONSTRAINTS ALL IMMEDIATE;
+ALTER TABLE public.watchers
+  ALTER COLUMN watcher_group_id SET NOT NULL;
+CREATE INDEX IF NOT EXISTS idx_watchers_watcher_group_id
+  ON public.watchers USING btree (watcher_group_id);
+CREATE INDEX IF NOT EXISTS idx_watchers_org_group
+  ON public.watchers USING btree (organization_id, watcher_group_id);
+-- migrate:down
+DROP INDEX IF EXISTS idx_watchers_org_group;
+DROP INDEX IF EXISTS idx_watchers_watcher_group_id;
+ALTER TABLE public.watchers
+  DROP COLUMN IF EXISTS watcher_group_id,
+  DROP COLUMN IF EXISTS source_watcher_id;

package/dist/db/migrations/20260416120000_add_entity_wa_jid_index.sql ADDED Viewed

@@ -0,0 +1,14 @@
+-- migrate:up
+-- Speeds up the event↔entity join declared by the WhatsApp connector's
+-- early entityLinks rule: events JOIN entities ON
+--   entities.metadata->>'wa_jid' = events.metadata->>'chat_jid'.
+-- Superseded by the entity_identities table (2026-04-17 migration) which
+-- drops this index; this file is kept so dbmate's history is preserved.
+CREATE INDEX IF NOT EXISTS idx_entities_wa_jid
+  ON public.entities (entity_type, (metadata->>'wa_jid'))
+  WHERE metadata ? 'wa_jid' AND deleted_at IS NULL;
+-- migrate:down
+DROP INDEX IF EXISTS public.idx_entities_wa_jid;

package/dist/db/migrations/20260417100000_add_entity_identities.sql ADDED Viewed

@@ -0,0 +1,77 @@
+-- migrate:up
+-- Normalized identifier store. One row per (organization_id, namespace, identifier).
+-- Replaces the earlier scheme of storing identifiers inside entities.metadata JSONB
+-- arrays. The UNIQUE constraint is the foundation of the whole design:
+--   * creation races collapse on the UNIQUE (one batch wins, the other links)
+--   * cross-entity contamination is constraint-blocked
+--   * accrete is just INSERT ... ON CONFLICT DO NOTHING
+--   * lookup is a plain BTREE seek (no GIN-on-jsonb)
+CREATE TABLE public.entity_identities (
+    id bigserial PRIMARY KEY,
+    organization_id text NOT NULL REFERENCES public.organization(id) ON DELETE CASCADE,
+    entity_id bigint NOT NULL REFERENCES public.entities(id) ON DELETE CASCADE,
+    namespace text NOT NULL,
+    identifier text NOT NULL,
+    source_connector text,
+    created_at timestamp with time zone DEFAULT now() NOT NULL,
+    updated_at timestamp with time zone DEFAULT now() NOT NULL,
+    deleted_at timestamp with time zone
+);
+-- Relaxed uniqueness: only live rows are constrained, so soft-delete + re-claim
+-- is a supported repair path (mis-attribution recovery).
+CREATE UNIQUE INDEX idx_entity_identities_live_unique
+    ON public.entity_identities (organization_id, namespace, identifier)
+    WHERE deleted_at IS NULL;
+-- Primary ingestion lookup path: "does anyone in this org own this identifier?"
+CREATE INDEX idx_entity_identities_lookup
+    ON public.entity_identities (organization_id, namespace, identifier)
+    WHERE deleted_at IS NULL;
+-- Reverse lookup: "what identifiers does this entity have?"
+CREATE INDEX idx_entity_identities_by_entity
+    ON public.entity_identities (entity_id)
+    WHERE deleted_at IS NULL;
+COMMENT ON TABLE public.entity_identities IS
+    'Normalized identifier claims per entity. See docs/identity-linking.md for the full pattern.';
+COMMENT ON COLUMN public.entity_identities.namespace IS
+    'Identifier kind. Standard values: phone, email, wa_jid, slack_user_id, github_login, auth_user_id, google_contact_id. Custom namespaces allowed but connectors sharing a namespace must agree on its format.';
+COMMENT ON COLUMN public.entity_identities.identifier IS
+    'Normalized identifier value (E.164 digits for phone, lowercase for email, etc.). Normalizers in @lobu/connector-sdk own the canonical form.';
+COMMENT ON COLUMN public.entity_identities.source_connector IS
+    'Who claimed this identifier: "connector:whatsapp", "manual", or null when seeded by migration.';
+-- Per-install override surface. A JSONB keyed by entityType; shallow-merged
+-- onto the connector's declared entityLinks at rule-resolve time. Lets an
+-- org retarget, disable rules, flip autoCreate, or mask specific identities
+-- without forking the connector. Null column = use connector defaults verbatim.
+ALTER TABLE public.connector_definitions
+    ADD COLUMN IF NOT EXISTS entity_link_overrides jsonb;
+COMMENT ON COLUMN public.connector_definitions.entity_link_overrides IS
+    'Per-install override of connector entityLinks rules. See resolveEntityLinkRules() for merge semantics.';
+-- The old scalar-JSONB index was built for a shape (entities.metadata->>wa_jid)
+-- we no longer use — identifiers now live in entity_identities. Drop to avoid
+-- carrying an unused index and a misleading comment on future reads.
+DROP INDEX IF EXISTS public.idx_entities_wa_jid;
+-- migrate:down
+DROP INDEX IF EXISTS public.idx_entity_identities_by_entity;
+DROP INDEX IF EXISTS public.idx_entity_identities_lookup;
+DROP INDEX IF EXISTS public.idx_entity_identities_live_unique;
+DROP TABLE IF EXISTS public.entity_identities;
+ALTER TABLE public.connector_definitions
+    DROP COLUMN IF EXISTS entity_link_overrides;
+CREATE INDEX IF NOT EXISTS idx_entities_wa_jid
+    ON public.entities (entity_type, (metadata->>'wa_jid'))
+    WHERE metadata ? 'wa_jid' AND deleted_at IS NULL;

package/dist/db/migrations/20260418100000_add_auth_runs.sql ADDED Viewed

@@ -0,0 +1,83 @@
+-- migrate:up
+-- Adds the 'auth' run lifecycle: workers run interactive connector.authenticate()
+-- flows (WhatsApp QR, OAuth redirect, credential prompt) and stream artifacts
+-- back to the UI via runs.checkpoint. The UI signals back (OAuth callback,
+-- form submit, cancel) via runs.auth_signal.
+ALTER TABLE public.runs DROP CONSTRAINT IF EXISTS runs_run_type_check;
+ALTER TABLE public.runs ADD CONSTRAINT runs_run_type_check CHECK (
+    run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'code'::text,
+        'insight'::text,
+        'watcher'::text,
+        'embed_backfill'::text,
+        'auth'::text
+    ])
+);
+-- Target auth profile for 'auth' runs (null for other run types).
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS auth_profile_id bigint
+    REFERENCES public.auth_profiles(id) ON DELETE CASCADE;
+-- Reverse channel: UI → connector. The connector pauses on ctx.awaitSignal(name)
+-- and polls this column; the API writes here when the UI posts a signal.
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS auth_signal jsonb;
+-- One active auth run per auth profile at a time.
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_active_auth_per_profile
+    ON public.runs (auth_profile_id)
+    WHERE run_type = 'auth'
+      AND auth_profile_id IS NOT NULL
+      AND status = ANY (ARRAY['pending'::text, 'claimed'::text, 'running'::text]);
+-- 'interactive' profile kind: credentials produced by a connector.authenticate()
+-- run. Examples: WhatsApp Baileys session, connector-managed OAuth.
+ALTER TABLE public.auth_profiles DROP CONSTRAINT IF EXISTS auth_profiles_profile_kind_check;
+ALTER TABLE public.auth_profiles ADD CONSTRAINT auth_profiles_profile_kind_check CHECK (
+    profile_kind = ANY (ARRAY[
+        'env'::text,
+        'oauth_app'::text,
+        'oauth_account'::text,
+        'browser_session'::text,
+        'interactive'::text
+    ])
+);
+-- Structured display metadata produced by connector.authenticate() — account_id,
+-- display_name, paired_at, expires_at, etc. Surfaced in UI next to the connection.
+ALTER TABLE public.auth_profiles ADD COLUMN IF NOT EXISTS metadata jsonb DEFAULT '{}'::jsonb NOT NULL;
+-- migrate:down
+ALTER TABLE public.auth_profiles DROP COLUMN IF EXISTS metadata;
+ALTER TABLE public.auth_profiles DROP CONSTRAINT IF EXISTS auth_profiles_profile_kind_check;
+ALTER TABLE public.auth_profiles ADD CONSTRAINT auth_profiles_profile_kind_check CHECK (
+    profile_kind = ANY (ARRAY[
+        'env'::text,
+        'oauth_app'::text,
+        'oauth_account'::text,
+        'browser_session'::text
+    ])
+);
+DROP INDEX IF EXISTS public.idx_runs_active_auth_per_profile;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS auth_signal;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS auth_profile_id;
+ALTER TABLE public.runs DROP CONSTRAINT IF EXISTS runs_run_type_check;
+ALTER TABLE public.runs ADD CONSTRAINT runs_run_type_check CHECK (
+    run_type = ANY (ARRAY[
+        'sync'::text,
+        'action'::text,
+        'code'::text,
+        'insight'::text,
+        'watcher'::text,
+        'embed_backfill'::text
+    ])
+);

package/dist/db/migrations/20260418110000_add_runs_created_by_user.sql ADDED Viewed

@@ -0,0 +1,18 @@
+-- migrate:up
+-- Track which user initiated an interactive auth run so that only that user
+-- can view the QR / credential artifact. Sensitive artifacts (WhatsApp QR,
+-- OTP codes, OAuth consent URLs) must never be viewable by other org members.
+ALTER TABLE public.runs ADD COLUMN IF NOT EXISTS created_by_user_id text
+    REFERENCES public."user"(id) ON DELETE SET NULL;
+CREATE INDEX IF NOT EXISTS idx_runs_created_by_user
+    ON public.runs (created_by_user_id)
+    WHERE created_by_user_id IS NOT NULL;
+-- migrate:down
+DROP INDEX IF EXISTS public.idx_runs_created_by_user;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS created_by_user_id;

package/dist/db/migrations/20260419120000_add_event_identity_indexes.sql ADDED Viewed

@@ -0,0 +1,56 @@
+-- migrate:up
+-- Read-time JOIN support for the entity_identities graph.
+--
+-- applyEntityLinks (src/utils/entity-link-upsert.ts) stamps normalized
+-- identifiers into events.metadata under the namespace key (metadata.email,
+-- metadata.wa_jid, metadata.phone, …). Entity-scoped content queries then
+-- JOIN:
+--
+--   events f
+--   EXISTS (SELECT 1 FROM entity_identities ei
+--           WHERE ei.entity_id = $X
+--             AND ei.deleted_at IS NULL
+--             AND f.metadata ? ei.namespace
+--             AND f.metadata->>ei.namespace = ei.identifier)
+--
+-- Without these indexes, the plan degenerates into a seq scan of events for
+-- every entity-scoped content listing. One partial BTREE per namespace in use
+-- keeps the JOIN on an index.
+CREATE INDEX IF NOT EXISTS idx_events_metadata_email
+    ON public.events ((metadata->>'email'))
+    WHERE metadata ? 'email';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_wa_jid
+    ON public.events ((metadata->>'wa_jid'))
+    WHERE metadata ? 'wa_jid';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_phone
+    ON public.events ((metadata->>'phone'))
+    WHERE metadata ? 'phone';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_slack_user_id
+    ON public.events ((metadata->>'slack_user_id'))
+    WHERE metadata ? 'slack_user_id';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_github_login
+    ON public.events ((metadata->>'github_login'))
+    WHERE metadata ? 'github_login';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_auth_user_id
+    ON public.events ((metadata->>'auth_user_id'))
+    WHERE metadata ? 'auth_user_id';
+CREATE INDEX IF NOT EXISTS idx_events_metadata_google_contact_id
+    ON public.events ((metadata->>'google_contact_id'))
+    WHERE metadata ? 'google_contact_id';
+-- migrate:down
+DROP INDEX IF EXISTS public.idx_events_metadata_google_contact_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_auth_user_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_github_login;
+DROP INDEX IF EXISTS public.idx_events_metadata_slack_user_id;
+DROP INDEX IF EXISTS public.idx_events_metadata_phone;
+DROP INDEX IF EXISTS public.idx_events_metadata_wa_jid;
+DROP INDEX IF EXISTS public.idx_events_metadata_email;

package/dist/db/migrations/20260420120000_extend_reserved_org_slugs.sql ADDED Viewed

@@ -0,0 +1,56 @@
+-- migrate:up
+-- Extend reserved org slugs to cover infrastructure subdomains.
+-- RESERVED_SUBDOMAINS in packages/server/src/index.ts already
+-- treats www/mcp/static/cdn/... as non-org at the routing layer; this
+-- mirrors it at the DB layer so those names can never be claimed.
+--
+-- `app` is intentionally NOT reserved — `app.lobu.ai` hosts the auth
+-- org itself, whose DB row uses slug='app'.
+ALTER TABLE public.organization DROP CONSTRAINT IF EXISTS org_slug_not_reserved;
+ALTER TABLE public.organization ADD CONSTRAINT org_slug_not_reserved CHECK (
+    slug <> ALL (ARRAY[
+        'settings',
+        'auth',
+        'api',
+        'templates',
+        'help',
+        'account',
+        'admin',
+        'health',
+        'login',
+        'logout',
+        'signup',
+        'register',
+        'www',
+        'mcp',
+        'static',
+        'assets',
+        'cdn',
+        'docs',
+        'mail'
+    ]::text[])
+);
+-- migrate:down
+ALTER TABLE public.organization DROP CONSTRAINT IF EXISTS org_slug_not_reserved;
+ALTER TABLE public.organization ADD CONSTRAINT org_slug_not_reserved CHECK (
+    slug <> ALL (ARRAY[
+        'settings',
+        'auth',
+        'api',
+        'templates',
+        'help',
+        'account',
+        'admin',
+        'health',
+        'login',
+        'logout',
+        'signup',
+        'register'
+    ]::text[])
+);

package/dist/db/migrations/20260424030000_add_watcher_run_correlation.sql ADDED Viewed

@@ -0,0 +1,52 @@
+-- migrate:up
+-- Durable correlation between a dispatched watcher run and the agent message
+-- that executes it, and between a completed watcher window and the run that
+-- produced it. Replaces payload-based matching in reconcileWatcherRuns.
+ALTER TABLE public.runs
+    ADD COLUMN IF NOT EXISTS dispatched_message_id text;
+CREATE UNIQUE INDEX IF NOT EXISTS idx_runs_dispatched_message_id
+    ON public.runs (dispatched_message_id)
+    WHERE dispatched_message_id IS NOT NULL;
+ALTER TABLE public.watcher_windows
+    ADD COLUMN IF NOT EXISTS run_id bigint
+    REFERENCES public.runs(id) ON DELETE SET NULL;
+-- Rollout backfill: older windows already stored watcher_run_id in run_metadata,
+-- but pre-migration rows have NULL run_id. Populate the durable FK before the
+-- new reconciler/reset path runs so successful pre-deploy executions are not
+-- re-dispatched on first tick.
+WITH correlated_windows AS (
+    SELECT ww.id,
+           (btrim(ww.run_metadata->>'watcher_run_id'))::bigint AS correlated_run_id
+    FROM public.watcher_windows ww
+    WHERE ww.run_id IS NULL
+      AND ww.run_metadata ? 'watcher_run_id'
+      AND jsonb_typeof(ww.run_metadata->'watcher_run_id') IN ('number', 'string')
+      AND btrim(ww.run_metadata->>'watcher_run_id') ~ '^[0-9]+$'
+)
+UPDATE public.watcher_windows ww
+SET run_id = cw.correlated_run_id
+FROM correlated_windows cw
+WHERE ww.id = cw.id
+  AND EXISTS (
+      SELECT 1
+      FROM public.runs r
+      WHERE r.id = cw.correlated_run_id
+        AND r.run_type = 'watcher'
+  );
+CREATE INDEX IF NOT EXISTS idx_watcher_windows_run_id
+    ON public.watcher_windows (run_id)
+    WHERE run_id IS NOT NULL;
+-- migrate:down
+DROP INDEX IF EXISTS public.idx_watcher_windows_run_id;
+ALTER TABLE public.watcher_windows DROP COLUMN IF EXISTS run_id;
+DROP INDEX IF EXISTS public.idx_runs_dispatched_message_id;
+ALTER TABLE public.runs DROP COLUMN IF EXISTS dispatched_message_id;

package/dist/db/migrations/20260424130000_relax_events_client_id_fk.sql ADDED Viewed

@@ -0,0 +1,47 @@
+-- migrate:up
+-- The events table tags each row with the OAuth client that produced it via
+-- `events.client_id -> oauth_clients.id`. The original FK had no ON DELETE
+-- behaviour, so when an oauth_client row was removed (manual cleanup, e2e
+-- teardown, expired registration) any in-flight token still issuing inserts
+-- failed with `events_client_id_fkey` violations (Sentry: LOBU-34).
+--
+-- Match the relaxation already applied to other event-side FKs
+-- (connection_id, feed_id, run_id) and let stale client references reset
+-- to NULL instead of breaking inserts.
+--
+-- Add and validate the replacement constraint before the quick final swap so
+-- existing traffic stays protected and the ACCESS EXCLUSIVE window is short.
+ALTER TABLE public.events
+    ADD CONSTRAINT events_client_id_fkey_v2
+    FOREIGN KEY (client_id)
+    REFERENCES public.oauth_clients(id)
+    ON DELETE SET NULL
+    NOT VALID;
+ALTER TABLE public.events
+    VALIDATE CONSTRAINT events_client_id_fkey_v2;
+ALTER TABLE public.events
+    DROP CONSTRAINT IF EXISTS events_client_id_fkey;
+ALTER TABLE public.events
+    RENAME CONSTRAINT events_client_id_fkey_v2 TO events_client_id_fkey;
+-- migrate:down
+ALTER TABLE public.events
+    ADD CONSTRAINT events_client_id_fkey_v2
+    FOREIGN KEY (client_id)
+    REFERENCES public.oauth_clients(id)
+    NOT VALID;
+ALTER TABLE public.events
+    VALIDATE CONSTRAINT events_client_id_fkey_v2;
+ALTER TABLE public.events
+    DROP CONSTRAINT IF EXISTS events_client_id_fkey;
+ALTER TABLE public.events
+    RENAME CONSTRAINT events_client_id_fkey_v2 TO events_client_id_fkey;