@lobu/cli 6.0.1 → 7.0.0

package/dist/db/migrations/20260501000000_drop_cli_sessions.sql

@@ -0,0 +1,27 @@
+-- migrate:up
+
+-- The bespoke `lobu login` device-code flow that backed `cli_sessions` has
+-- been replaced with standard OAuth 2.0 device-code (issued by the existing
+-- Lobu IdP). The CLI now mints OAuth bearer tokens, so `cli_sessions` is
+-- dead.
+DROP INDEX IF EXISTS public.cli_sessions_user_id_idx;
+DROP INDEX IF EXISTS public.cli_sessions_expires_at_idx;
+DROP TABLE IF EXISTS public.cli_sessions;
+
+-- migrate:down
+
+CREATE TABLE IF NOT EXISTS public.cli_sessions (
+    session_id text PRIMARY KEY,
+    user_id text NOT NULL,
+    email text,
+    name text,
+    refresh_token_id text NOT NULL,
+    expires_at timestamptz NOT NULL,
+    created_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS cli_sessions_user_id_idx
+    ON public.cli_sessions (user_id);
+
+CREATE INDEX IF NOT EXISTS cli_sessions_expires_at_idx
+    ON public.cli_sessions (expires_at);

package/dist/db/migrations/20260501133000_lobu_memory_mcp_id.sql

@@ -0,0 +1,117 @@
+-- migrate:up
+
+UPDATE public.agents
+SET mcp_servers = (mcp_servers - 'lobu') || jsonb_build_object('lobu-memory', mcp_servers->'lobu'),
+    updated_at = now()
+WHERE mcp_servers ? 'lobu'
+  AND NOT (mcp_servers ? 'lobu-memory');
+
+UPDATE public.agents
+SET mcp_servers = mcp_servers - 'lobu',
+    updated_at = now()
+WHERE mcp_servers ? 'lobu';
+
+UPDATE public.agents a
+SET pre_approved_tools = COALESCE((
+  SELECT jsonb_agg(DISTINCT mapped.value)
+  FROM (
+    SELECT CASE
+      WHEN tool.value #>> '{}' LIKE '/mcp/lobu/tools/%'
+        OR tool.value #>> '{}' LIKE '/mcp/lobu-memory/tools/%'
+        THEN to_jsonb('/mcp/lobu-memory/tools/*'::text)
+      ELSE tool.value
+    END AS value
+    FROM jsonb_array_elements(COALESCE(a.pre_approved_tools, '[]'::jsonb)) AS tool(value)
+
+    UNION ALL
+
+    SELECT to_jsonb('/mcp/lobu-memory/tools/*'::text) AS value
+    WHERE a.mcp_servers ? 'lobu-memory'
+  ) AS mapped
+), '[]'::jsonb),
+    updated_at = now()
+WHERE a.mcp_servers ? 'lobu-memory'
+   OR EXISTS (
+     SELECT 1
+     FROM jsonb_array_elements(COALESCE(a.pre_approved_tools, '[]'::jsonb)) AS tool(value)
+     WHERE tool.value #>> '{}' LIKE '/mcp/lobu/tools/%'
+        OR tool.value #>> '{}' LIKE '/mcp/lobu-memory/tools/%'
+   );
+
+INSERT INTO public.grants (agent_id, kind, pattern, expires_at, granted_at, denied)
+SELECT g.agent_id,
+       g.kind,
+       '/mcp/lobu-memory/tools/*',
+       CASE
+         WHEN bool_or(g.expires_at IS NULL) THEN NULL::timestamptz
+         ELSE max(g.expires_at)
+       END,
+       now(),
+       bool_or(g.denied)
+FROM public.grants g
+WHERE g.kind = 'mcp_tool'
+  AND (g.pattern LIKE '/mcp/lobu/tools/%' OR g.pattern LIKE '/mcp/lobu-memory/tools/%')
+GROUP BY g.agent_id, g.kind
+ON CONFLICT (agent_id, kind, pattern) DO UPDATE SET
+  expires_at = CASE
+    WHEN public.grants.expires_at IS NULL THEN EXCLUDED.expires_at
+    WHEN EXCLUDED.expires_at IS NULL THEN public.grants.expires_at
+    ELSE LEAST(public.grants.expires_at, EXCLUDED.expires_at)
+  END,
+  granted_at = EXCLUDED.granted_at,
+  denied = public.grants.denied OR EXCLUDED.denied;
+
+DELETE FROM public.grants
+WHERE kind = 'mcp_tool'
+  AND pattern LIKE '/mcp/lobu/tools/%';
+
+-- migrate:down
+
+UPDATE public.agents
+SET mcp_servers = (mcp_servers - 'lobu-memory') || jsonb_build_object('lobu', mcp_servers->'lobu-memory'),
+    updated_at = now()
+WHERE mcp_servers ? 'lobu-memory'
+  AND NOT (mcp_servers ? 'lobu');
+
+UPDATE public.agents a
+SET pre_approved_tools = COALESCE((
+  SELECT jsonb_agg(DISTINCT CASE
+    WHEN tool.value #>> '{}' LIKE '/mcp/lobu-memory/tools/%'
+      THEN to_jsonb('/mcp/lobu/tools/*'::text)
+    ELSE tool.value
+  END)
+  FROM jsonb_array_elements(COALESCE(a.pre_approved_tools, '[]'::jsonb)) AS tool(value)
+), '[]'::jsonb),
+    updated_at = now()
+WHERE EXISTS (
+  SELECT 1
+  FROM jsonb_array_elements(COALESCE(a.pre_approved_tools, '[]'::jsonb)) AS tool(value)
+  WHERE tool.value #>> '{}' LIKE '/mcp/lobu-memory/tools/%'
+);
+
+INSERT INTO public.grants (agent_id, kind, pattern, expires_at, granted_at, denied)
+SELECT g.agent_id,
+       g.kind,
+       '/mcp/lobu/tools/*',
+       CASE
+         WHEN bool_or(g.expires_at IS NULL) THEN NULL::timestamptz
+         ELSE max(g.expires_at)
+       END,
+       now(),
+       bool_or(g.denied)
+FROM public.grants g
+WHERE g.kind = 'mcp_tool'
+  AND g.pattern LIKE '/mcp/lobu-memory/tools/%'
+GROUP BY g.agent_id, g.kind
+ON CONFLICT (agent_id, kind, pattern) DO UPDATE SET
+  expires_at = CASE
+    WHEN public.grants.expires_at IS NULL THEN EXCLUDED.expires_at
+    WHEN EXCLUDED.expires_at IS NULL THEN public.grants.expires_at
+    ELSE LEAST(public.grants.expires_at, EXCLUDED.expires_at)
+  END,
+  granted_at = EXCLUDED.granted_at,
+  denied = public.grants.denied OR EXCLUDED.denied;
+
+DELETE FROM public.grants
+WHERE kind = 'mcp_tool'
+  AND pattern LIKE '/mcp/lobu-memory/tools/%';

package/dist/db/migrations/20260502000000_drop_chat_connections.sql

@@ -0,0 +1,60 @@
+-- migrate:up
+-- Drop chat_connections table. Connection state is now unified in
+-- agent_connections, which ChatInstanceManager reads/writes directly.
+-- Secret fields (botToken, signingSecret, etc.) live as `secret://`
+-- refs inside the row's `config` JSON and resolve at runtime through
+-- SecretStoreRegistry — backed by Postgres by default, pluggable to
+-- AWS Secrets Manager / Vault / k8s for ops who need it.
+
+-- Copy any existing chat_connections rows into agent_connections so a
+-- live deployment with provisioned chat bots doesn't lose them. Configs
+-- carrying the legacy `enc:v1:` ciphertext are handled at read time by
+-- decryptLegacyEncryptedConfig in postgres-stores.ts; refs pass through
+-- unchanged. ON CONFLICT DO NOTHING covers the case where rows have
+-- already been mirrored by an in-flight write through the manager.
+-- agent_connections.agent_id is NOT NULL, but chat_connections.template_agent_id
+-- was nullable. Skip orphaned rows (no parent agent) — they could not start
+-- in the current model anyway.
+-- Guarded by to_regclass: deployments that never had chat_connections
+-- (table created with IF NOT EXISTS in 20260429140000 and never used) skip
+-- the copy entirely instead of erroring on the missing relation.
+DO $$
+BEGIN
+    IF to_regclass('public.chat_connections') IS NOT NULL THEN
+        INSERT INTO public.agent_connections (
+            id, agent_id, platform, config, settings, metadata,
+            status, error_message, created_at, updated_at
+        )
+        SELECT
+            id, template_agent_id, platform, config, settings, metadata,
+            status, error_message, created_at, updated_at
+        FROM public.chat_connections
+        WHERE template_agent_id IS NOT NULL
+        ON CONFLICT (id) DO NOTHING;
+    END IF;
+END $$;
+
+DROP TABLE IF EXISTS public.chat_connections;
+
+-- migrate:down
+-- Recreate chat_connections for rollback. Data would need to be re-seeded.
+
+CREATE TABLE IF NOT EXISTS public.chat_connections (
+    id text PRIMARY KEY,
+    platform text NOT NULL,
+    template_agent_id text REFERENCES public.agents(id) ON DELETE CASCADE,
+    config jsonb NOT NULL,
+    settings jsonb NOT NULL DEFAULT '{}'::jsonb,
+    metadata jsonb NOT NULL DEFAULT '{}'::jsonb,
+    status text NOT NULL DEFAULT 'active',
+    error_message text,
+    created_at timestamptz NOT NULL DEFAULT now(),
+    updated_at timestamptz NOT NULL DEFAULT now()
+);
+
+CREATE INDEX IF NOT EXISTS chat_connections_template_agent_id_idx
+    ON public.chat_connections (template_agent_id)
+    WHERE template_agent_id IS NOT NULL;
+
+CREATE INDEX IF NOT EXISTS chat_connections_platform_idx
+    ON public.chat_connections (platform);

package/dist/db/migrations/20260503000000_agent_secrets_org_scope.sql

@@ -0,0 +1,56 @@
+-- migrate:up
+
+-- agent_secrets used a global `(name)` namespace, so two organizations
+-- storing the same key (e.g. `ANTHROPIC_API_KEY`) would silently overwrite
+-- each other. Scope rows by organization while keeping legacy rows
+-- addressable: empty-string organization_id means "global" (used by
+-- system env-store and any pre-existing rows from the global era).
+--
+-- ROLLOUT NOTE: this migration replaces the primary key on `(name)` with
+-- `(organization_id, name)` non-atomically. Lobu's deployment model is a
+-- single embedded Node process with atomic swap (see "Embedded-only
+-- deployment" in AGENTS.md), so old + new processes never run concurrently
+-- against the same database. If you're running Lobu under a rolling-deploy
+-- supervisor, stop traffic before applying this migration — old pods using
+-- `ON CONFLICT (name)` will fail writes against the new schema.
+
+ALTER TABLE public.agent_secrets
+    ADD COLUMN IF NOT EXISTS organization_id text NOT NULL DEFAULT '';
+
+ALTER TABLE public.agent_secrets
+    DROP CONSTRAINT IF EXISTS agent_secrets_pkey;
+
+ALTER TABLE public.agent_secrets
+    ADD CONSTRAINT agent_secrets_pkey PRIMARY KEY (organization_id, name);
+
+CREATE INDEX IF NOT EXISTS agent_secrets_org_id_idx
+    ON public.agent_secrets (organization_id);
+
+-- migrate:down
+
+ALTER TABLE public.agent_secrets
+    DROP CONSTRAINT IF EXISTS agent_secrets_pkey;
+
+DROP INDEX IF EXISTS public.agent_secrets_org_id_idx;
+
+-- Down-step is destructive by design: collapses per-org rows back to the
+-- global namespace. The two DELETEs below pick a survivor non-deterministically
+-- when multiple orgs hold the same name (global wins first; otherwise the
+-- lexicographically-smaller org_id survives). Acceptable because rollback
+-- after multi-org writes is already lossy — there is no "right" winner.
+DELETE FROM public.agent_secrets a
+USING public.agent_secrets b
+WHERE a.name = b.name
+  AND a.organization_id <> ''
+  AND b.organization_id = '';
+
+DELETE FROM public.agent_secrets a
+USING public.agent_secrets b
+WHERE a.name = b.name
+  AND a.organization_id > b.organization_id;
+
+ALTER TABLE public.agent_secrets
+    ADD CONSTRAINT agent_secrets_pkey PRIMARY KEY (name);
+
+ALTER TABLE public.agent_secrets
+    DROP COLUMN IF EXISTS organization_id;

package/dist/db/migrations/20260504000000_flatten_agents_drop_sandbox_model.sql

@@ -0,0 +1,48 @@
+-- migrate:up
+
+-- Flatten the agents table: there is no longer a template/sandbox split.
+-- One agents row = one logical agent. Definitions, providers, settings all
+-- live on this row and are agent-only (not per-user).
+--
+-- Per-user state has its own homes:
+--   - user_auth_profiles (per-user-per-agent OAuth tokens) — already canonical
+--   - agent_channel_bindings (where the agent operates)
+--   - agent_users (who has interacted)
+--
+-- ROLLOUT NOTE: this migration deletes every sandbox row. There is no
+-- pre-cutover production data to preserve (per buremba). If that ever
+-- changes, the rollback below restores the columns but NOT the deleted
+-- rows.
+
+-- 1. Drop sandbox rows. Anything with template_agent_id or parent_connection_id
+--    set was a per-user / per-connection sandbox.
+DELETE FROM public.agents
+WHERE template_agent_id IS NOT NULL
+   OR parent_connection_id IS NOT NULL;
+
+-- 2. Drop indexes on the going-away columns.
+DROP INDEX IF EXISTS public.agents_template_agent_id_idx;
+DROP INDEX IF EXISTS public.agents_parent_connection_id_idx;
+
+-- 3. Drop the columns themselves.
+ALTER TABLE public.agents DROP COLUMN IF EXISTS template_agent_id;
+ALTER TABLE public.agents DROP COLUMN IF EXISTS parent_connection_id;
+
+-- 4. Drop legacy / dead-code columns.
+--    auth_profiles: superseded by user_auth_profiles table (per-user-per-agent).
+--    mcp_install_notified: per-user UI dismissal state, never used at runtime.
+ALTER TABLE public.agents DROP COLUMN IF EXISTS auth_profiles;
+ALTER TABLE public.agents DROP COLUMN IF EXISTS mcp_install_notified;
+
+-- migrate:down
+
+-- Restore columns (data is gone — the DELETE is irreversible).
+ALTER TABLE public.agents ADD COLUMN IF NOT EXISTS template_agent_id text;
+ALTER TABLE public.agents ADD COLUMN IF NOT EXISTS parent_connection_id text;
+ALTER TABLE public.agents ADD COLUMN IF NOT EXISTS auth_profiles jsonb DEFAULT '[]'::jsonb;
+ALTER TABLE public.agents ADD COLUMN IF NOT EXISTS mcp_install_notified jsonb DEFAULT '{}'::jsonb;
+
+CREATE INDEX IF NOT EXISTS agents_template_agent_id_idx
+    ON public.agents (template_agent_id);
+CREATE INDEX IF NOT EXISTS agents_parent_connection_id_idx
+    ON public.agents (parent_connection_id);

package/dist/db/migrations/20260510220000_connector_required_capability.sql

@@ -0,0 +1,47 @@
+-- migrate:up
+
+-- Add a per-connector capability gate for worker dispatch. Workers advertise
+-- their capabilities on poll; the runs scheduler only assigns connector runs
+-- to workers whose capabilities include the connector's required_capability.
+-- NULL means "no special capability required" (the default for API/browser
+-- connectors that the existing fleet can run).
+--
+-- `runtime` carries platform metadata for device-bound connectors (e.g.
+-- `{"platforms": ["macos"]}` for apple.screen_time / local.directory, which
+-- only run inside Lobu for Mac — that data is unreachable from a server-side
+-- worker). NULL = cloud connector.
+--
+-- Initial use case: apple.screen_time and local.directory, served by Lobu for
+-- Mac polling /api/workers/* as a user-scoped device worker.
+
+ALTER TABLE public.connector_definitions
+    ADD COLUMN IF NOT EXISTS required_capability text,
+    ADD COLUMN IF NOT EXISTS runtime jsonb;
+
+CREATE INDEX IF NOT EXISTS connector_definitions_required_capability_idx
+    ON public.connector_definitions (required_capability)
+    WHERE required_capability IS NOT NULL;
+
+CREATE TABLE IF NOT EXISTS public.device_workers (
+    user_id text NOT NULL,
+    worker_id text NOT NULL,
+    platform text,
+    app_version text,
+    capabilities jsonb NOT NULL DEFAULT '[]'::jsonb,
+    label text,
+    first_seen_at timestamptz NOT NULL DEFAULT now(),
+    last_seen_at timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (user_id, worker_id)
+);
+
+CREATE INDEX IF NOT EXISTS device_workers_user_id_idx
+    ON public.device_workers (user_id);
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.device_workers_user_id_idx;
+DROP TABLE IF EXISTS public.device_workers;
+DROP INDEX IF EXISTS public.connector_definitions_required_capability_idx;
+ALTER TABLE public.connector_definitions
+    DROP COLUMN IF EXISTS runtime,
+    DROP COLUMN IF EXISTS required_capability;

package/dist/db/migrations/20260512000000_device_worker_connection_binding.sql

@@ -0,0 +1,113 @@
+-- migrate:up
+
+-- Make a connection's execution target explicit, and give every device worker
+-- a home organization.
+--
+-- connections.device_worker_id (nullable) is the binding:
+--   NULL  -> runs on the cloud connector-worker pool (today's behavior)
+--   set   -> runs are pinned to that device worker
+-- For device-type connectors the binding is mandatory; for cloud connectors
+-- it's an optional override. A connection can only be pinned to a device that
+-- is attached to that connection's organization.
+--
+-- device_workers.organization_id is the device's home org — chosen at setup,
+-- defaulting to the owner's personal workspace. The device's connectors live
+-- there; re-attaching the device to a different org (a member of which the
+-- owner must be) is the only knob. There is no per-connection device→org grant.
+
+-- Surrogate key for device_workers so connections / UI can reference a device
+-- by a single stable id. The (user_id, worker_id) primary key stays.
+ALTER TABLE public.device_workers
+    ADD COLUMN IF NOT EXISTS id uuid NOT NULL DEFAULT gen_random_uuid(),
+    ADD COLUMN IF NOT EXISTS organization_id text;
+
+CREATE UNIQUE INDEX IF NOT EXISTS device_workers_id_key
+    ON public.device_workers (id);
+
+CREATE INDEX IF NOT EXISTS idx_device_workers_organization_id
+    ON public.device_workers (organization_id)
+    WHERE organization_id IS NOT NULL;
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'connections_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.connections
+            ADD CONSTRAINT connections_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE SET NULL;
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS idx_connections_device_worker_id
+    ON public.connections (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- Attach existing devices to their owner's personal workspace (no-op on a
+-- fresh database — there are no users yet; the device heartbeat sets this for
+-- new devices either way).
+UPDATE public.device_workers dw
+SET organization_id = (
+    SELECT o.id FROM public.organization o
+    WHERE (o.metadata::jsonb)->>'personal_org_for_user_id' = dw.user_id
+    LIMIT 1
+)
+WHERE dw.organization_id IS NULL;
+
+-- Backfill: existing auto-wired personal-org device connections (created_by
+-- set, no auth profile) whose owner has exactly one device get pinned to that
+-- device — but at most one per (org, connector_key, owner) so the unique index
+-- created below can never be violated. Ambiguous ones stay NULL and the UI
+-- prompts for a device.
+UPDATE public.connections c
+SET device_worker_id = dw.id
+FROM (
+    -- Users with exactly one device worker (no min(uuid) needed — and Postgres
+    -- has no aggregate for uuid anyway).
+    SELECT dw1.user_id, dw1.id
+    FROM public.device_workers dw1
+    WHERE NOT EXISTS (
+        SELECT 1 FROM public.device_workers dw2
+        WHERE dw2.user_id = dw1.user_id AND dw2.id <> dw1.id
+    )
+) dw
+WHERE c.created_by = dw.user_id
+  AND c.device_worker_id IS NULL
+  AND c.deleted_at IS NULL
+  AND c.auth_profile_id IS NULL
+  AND c.connector_key IN (
+      SELECT key FROM public.connector_definitions WHERE required_capability IS NOT NULL
+  )
+  AND c.id = (
+      SELECT min(c2.id) FROM public.connections c2
+      WHERE c2.organization_id = c.organization_id
+        AND c2.connector_key = c.connector_key
+        AND c2.created_by = c.created_by
+        AND c2.deleted_at IS NULL
+  );
+
+-- One active connection per (org, connector, device). A second device backing
+-- the same connector is a second connection. Doubles as DB-level idempotency
+-- for the create-vs-auto-wire race. Created AFTER the backfill above.
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+CREATE UNIQUE INDEX idx_connections_org_connector_device_live
+    ON public.connections (organization_id, connector_key, device_worker_id)
+    WHERE deleted_at IS NULL AND device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+DROP INDEX IF EXISTS public.idx_connections_device_worker_id;
+ALTER TABLE public.connections
+    DROP CONSTRAINT IF EXISTS connections_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS device_worker_id;
+DROP INDEX IF EXISTS public.device_workers_id_key;
+DROP INDEX IF EXISTS public.idx_device_workers_organization_id;
+ALTER TABLE public.device_workers
+    DROP COLUMN IF EXISTS id,
+    DROP COLUMN IF EXISTS organization_id;

package/dist/db/migrations/20260512131703_connections_slug.sql

@@ -0,0 +1,131 @@
+-- migrate:up
+
+-- Add a stable `slug` identity to `connections` so `lobu apply` can diff
+-- connections by an immutable key instead of the mutable `display_name`.
+--
+-- Mirrors the existing `auth_profiles.slug` design: text slug, unique per org
+-- among live rows (partial index on `deleted_at IS NULL`), generated from the
+-- display name when not supplied explicitly.
+--
+-- Backfill MUST produce exactly what `ensureUniqueConnectionSlug` /
+-- `slugifyConnectionName` in packages/server/src/utils/connections.ts would
+-- generate (that file is the source of truth):
+--   1. base = slugify(display_name); if empty, slugify(connector_key); if still
+--      empty, the literal 'connection'. slugify = lowercase, every run of
+--      non-alphanumerics -> '-', trim leading/trailing '-'.
+--   2. Collisions per (organization_id) among live (`deleted_at IS NULL`) rows
+--      are resolved with a deterministic numeric suffix loop: base, base-2,
+--      base-3, ... assigned in ascending id order. Soft-deleted rows do not
+--      participate in the unique index, so they keep their base slug freely.
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS slug text;
+
+-- slugify(display_name) -> slugify(connector_key) -> 'connection'
+WITH base AS (
+    SELECT
+        c.id,
+        coalesce(
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.display_name, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.connector_key, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            'connection'
+        ) AS base_slug
+    FROM public.connections c
+)
+UPDATE public.connections c
+SET slug = b.base_slug
+FROM base b
+WHERE b.id = c.id
+  AND c.slug IS NULL;
+
+-- Resolve collisions to base / base-2 / base-3 / ... in ascending id order.
+-- Loops until no live (deleted_at IS NULL) duplicates remain — a re-assigned
+-- `base-N` could itself collide with another row whose base slug is already
+-- `base-N`, so a single pass is not enough.
+--
+-- This produces a deterministic, collision-free assignment with the same
+-- semantics as the runtime (slugified connector_key fallback, numeric `-N`
+-- suffixing). It is NOT guaranteed to be byte-identical to what
+-- `ensureUniqueConnectionSlug` would pick for pathological mixed-name sets
+-- (the runtime resolves in row-creation order against live DB state, which
+-- pure SQL can't replay) — `packages/server/src/utils/connections.ts` is the
+-- source of truth for new rows.
+DO $$
+DECLARE
+    v_changed integer;
+BEGIN
+    LOOP
+        WITH ranked AS (
+            SELECT
+                id,
+                organization_id,
+                slug,
+                -- strip any suffix we may have appended on a prior pass so the
+                -- base groups stay stable across iterations
+                regexp_replace(slug, '-[0-9]+$', '') AS base_slug,
+                row_number() OVER (
+                    PARTITION BY organization_id, regexp_replace(slug, '-[0-9]+$', '')
+                    ORDER BY id
+                ) AS rn
+            FROM public.connections
+            WHERE deleted_at IS NULL
+        ),
+        target AS (
+            SELECT
+                id,
+                CASE WHEN rn = 1 THEN base_slug ELSE base_slug || '-' || rn::text END AS desired_slug
+            FROM ranked
+        )
+        UPDATE public.connections c
+        SET slug = t.desired_slug
+        FROM target t
+        WHERE t.id = c.id
+          AND c.slug IS DISTINCT FROM t.desired_slug;
+
+        GET DIAGNOSTICS v_changed = ROW_COUNT;
+        EXIT WHEN v_changed = 0;
+    END LOOP;
+END $$;
+
+-- Guard: there must be no live-slug duplicate per org before the unique index.
+DO $$
+DECLARE
+    v_dups integer;
+BEGIN
+    SELECT count(*) INTO v_dups
+    FROM (
+        SELECT organization_id, slug
+        FROM public.connections
+        WHERE deleted_at IS NULL
+        GROUP BY organization_id, slug
+        HAVING count(*) > 1
+    ) d;
+    IF v_dups > 0 THEN
+        RAISE EXCEPTION 'connections.slug backfill left % duplicate (organization_id, slug) group(s) among live rows', v_dups;
+    END IF;
+END $$;
+
+ALTER TABLE public.connections
+    ALTER COLUMN slug SET NOT NULL;
+
+CREATE UNIQUE INDEX IF NOT EXISTS connections_org_slug_unique
+    ON public.connections (organization_id, slug)
+    WHERE deleted_at IS NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.connections_org_slug_unique;
+ALTER TABLE public.connections
+    DROP COLUMN IF EXISTS slug;

package/dist/db/migrations/20260513000000_chat_user_identities.sql

@@ -0,0 +1,24 @@
+-- migrate:up
+
+-- Maps a chat-platform user (Slack `U…`, …) to a Lobu account. Recorded as a
+-- side effect of `/lobu link <code>` — the code is minted by an authenticated
+-- `lobu run`, so `oauth_states.payload.createdBy` is the Lobu user. Once a user
+-- is linked here, they can re-bind any chat to an agent they can manage via
+-- `/lobu link <agentId>` without minting a fresh code.
+
+CREATE TABLE IF NOT EXISTS public.chat_user_identities (
+    platform          text NOT NULL,
+    team_id           text NOT NULL DEFAULT '',  -- workspace id; '' for platforms without one
+    platform_user_id  text NOT NULL,
+    lobu_user_id      text NOT NULL REFERENCES public."user"(id) ON DELETE CASCADE,
+    created_at        timestamptz NOT NULL DEFAULT now(),
+    updated_at        timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (platform, team_id, platform_user_id)
+);
+
+CREATE INDEX IF NOT EXISTS chat_user_identities_lobu_user_idx
+    ON public.chat_user_identities (lobu_user_id);
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.chat_user_identities;

package/dist/db/migrations/20260513120000_auth_profiles_device_binding.sql

@@ -0,0 +1,50 @@
+-- migrate:up
+
+-- Let an auth_profile of kind 'browser_session' live on a specific device worker
+-- instead of holding cookies in auth_data. When device_worker_id is set, cookies
+-- live on disk inside the Mac app's managed --user-data-dir at user_data_dir;
+-- the server never sees them. Cloud/fleet path (device_worker_id NULL,
+-- auth_data populated) is unchanged.
+
+ALTER TABLE public.auth_profiles
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid,
+    ADD COLUMN IF NOT EXISTS browser_kind text,
+    ADD COLUMN IF NOT EXISTS user_data_dir text;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE CASCADE;
+    END IF;
+END$$;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_browser_kind_check'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_browser_kind_check
+            CHECK (browser_kind IS NULL OR browser_kind = ANY (ARRAY['chrome','brave','arc','edge']));
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS auth_profiles_device_worker_idx
+    ON public.auth_profiles (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.auth_profiles_device_worker_idx;
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_browser_kind_check,
+    DROP CONSTRAINT IF EXISTS auth_profiles_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS user_data_dir,
+    DROP COLUMN IF EXISTS browser_kind,
+    DROP COLUMN IF EXISTS device_worker_id;