@lobu/cli 6.1.1 → 7.0.0

package/dist/connectors/whatsapp_local.ts

@@ -0,0 +1,125 @@
+/**
+ * WhatsApp (local) Connector — Lobu for Mac only.
+ *
+ * Reads messages directly from the WhatsApp Desktop app's local SQLite store
+ * at `~/Library/Group Containers/group.net.whatsapp.WhatsApp.shared/
+ * ChatStorage.sqlite`. Lobu for Mac snapshots the DB read-only, walks new
+ * rows since the last `Z_PK` checkpoint, and emits events that share the
+ * `whatsapp` connector's metadata shape so downstream entity links work
+ * identically.
+ *
+ * Differences from the QR-paired `whatsapp` connector:
+ *   - No Baileys, no socket, no phone-offline auto-unlink (WA Desktop itself
+ *     is the linked device).
+ *   - Ciphertext never leaves the Mac.
+ *   - Bound to one specific Mac; requires WhatsApp Desktop installed.
+ */
+
+import {
+  type ActionResult,
+  type ConnectorDefinition,
+  ConnectorRuntime,
+  IDENTITY,
+  type SyncContext,
+  type SyncResult,
+} from '@lobu/connector-sdk';
+
+const BRIDGE_ONLY =
+  'WhatsApp (local) runs only on a worker advertising capability "whatsapp_local" (Lobu for Mac with WhatsApp Desktop installed).';
+
+export default class WhatsAppLocalConnector extends ConnectorRuntime {
+  readonly definition: ConnectorDefinition = {
+    key: 'whatsapp.local',
+    name: 'WhatsApp (this Mac)',
+    description:
+      "Reads messages from the WhatsApp Desktop app's local archive on this Mac. No QR pairing, no phone-offline auto-unlink — the desktop app is itself the linked device.",
+    version: '0.1.0',
+    faviconDomain: 'whatsapp.com',
+    requiredCapability: 'whatsapp_local',
+    runtime: { platforms: ['macos'] },
+    authSchema: { methods: [{ type: 'none' }] },
+    feeds: {
+      messages: {
+        key: 'messages',
+        name: 'Messages',
+        description:
+          'Personal WhatsApp messages from 1:1 and group chats, sourced from WhatsApp Desktop.',
+        configSchema: {
+          type: 'object',
+          properties: {
+            chat_filter: {
+              type: 'string',
+              enum: ['all', 'individual', 'group'],
+              default: 'all',
+              description: 'Which chats to include.',
+            },
+            max_messages_per_sync: {
+              type: 'integer',
+              minimum: 1,
+              maximum: 500000,
+              default: 5000,
+              description:
+                'Safety cap on messages collected per sync. The first sync drains all messages up to this cap; subsequent syncs ingest only new messages, so the cap rarely binds.',
+            },
+          },
+        },
+        eventKinds: {
+          message: {
+            description: 'A WhatsApp message (text, caption, or system).',
+            metadataSchema: {
+              type: 'object',
+              properties: {
+                source: { type: 'string', const: 'whatsapp_local' },
+                chat_jid: { type: 'string' },
+                is_group: { type: 'boolean' },
+                from_me: { type: 'boolean' },
+                participant: { type: 'string' },
+                sender_jid: { type: 'string' },
+                sender_phone: { type: 'string' },
+                push_name: { type: 'string' },
+                media_type: { type: 'string' },
+                quoted_id: { type: 'string' },
+                is_forwarded: { type: 'boolean' },
+                is_starred: { type: 'boolean' },
+                is_system_event: { type: 'boolean' },
+                voice_note_skipped: {
+                  type: 'string',
+                  enum: ['not_downloaded', 'too_large', 'empty', 'read_error', 'invalid_path'],
+                },
+              },
+            },
+            entityLinks: [
+              {
+                entityType: 'person',
+                autoCreate: true,
+                titlePath: 'metadata.push_name',
+                identities: [
+                  { namespace: IDENTITY.WA_JID, eventPath: 'metadata.sender_jid' },
+                  { namespace: IDENTITY.PHONE, eventPath: 'metadata.sender_phone' },
+                ],
+                traits: {
+                  push_name: {
+                    eventPath: 'metadata.push_name',
+                    behavior: 'prefer_non_empty',
+                  },
+                  last_seen_at: {
+                    eventPath: 'occurred_at',
+                    behavior: 'overwrite',
+                  },
+                },
+              },
+            ],
+          },
+        },
+      },
+    },
+  };
+
+  async sync(_ctx: SyncContext): Promise<SyncResult> {
+    throw new Error(BRIDGE_ONLY);
+  }
+
+  async execute(): Promise<ActionResult> {
+    throw new Error(BRIDGE_ONLY);
+  }
+}

package/dist/connectors/x.ts

@@ -17,7 +17,12 @@ import {
   type SyncContext,
   type SyncResult,
 } from '@lobu/connector-sdk';
-import { getBrowserCookies, validateCookieNotExpired } from './browser-scraper-utils';
+import {
+  getBrowserCdpUrl,
+  getBrowserCookies,
+  getBrowserUserDataDir,
+  validateCookieNotExpired,
+} from './browser-scraper-utils';
 
 interface XCheckpoint {
   last_tweet_id?: string;
@@ -358,12 +363,16 @@ async function syncViaBrowser(
   const searchFilter = (config.search_filter as string) ?? 'live';
   const searchUrl = `https://x.com/search?q=${encodeURIComponent(searchQuery)}&src=typed_query&f=${searchFilter}`;
 
+  const userDataDir = getBrowserUserDataDir(ctx.sessionState);
+  const cdpUrl = getBrowserCdpUrl(ctx.sessionState) ?? 'auto';
   let cookies: any[] = [];
-  try {
-    cookies = getBrowserCookies(ctx.checkpoint as any, ctx.sessionState as any, 'x');
-    validateCookieNotExpired(cookies, 'auth_token', 'x');
-  } catch {
-    // No stored cookies — CDP will be the only path
+  if (!userDataDir) {
+    try {
+      cookies = getBrowserCookies(ctx.checkpoint as any, ctx.sessionState as any, 'x');
+      validateCookieNotExpired(cookies, 'auth_token', 'x');
+    } catch {
+      // No stored cookies — CDP will be the only path
+    }
   }
 
   const result = await browserNetworkSync<XTweet>({
@@ -376,8 +385,9 @@ async function syncViaBrowser(
       navigationTimeoutMs: 15000,
     },
     url: searchUrl,
-    cdpUrl: 'auto',
+    cdpUrl,
     cookies,
+    userDataDir,
     parseResponse: parseBrowserSearchResponse,
     checkAuth: async (page) => {
       const url = page.url();

package/dist/db/migrations/20260510220000_connector_required_capability.sql

@@ -0,0 +1,47 @@
+-- migrate:up
+
+-- Add a per-connector capability gate for worker dispatch. Workers advertise
+-- their capabilities on poll; the runs scheduler only assigns connector runs
+-- to workers whose capabilities include the connector's required_capability.
+-- NULL means "no special capability required" (the default for API/browser
+-- connectors that the existing fleet can run).
+--
+-- `runtime` carries platform metadata for device-bound connectors (e.g.
+-- `{"platforms": ["macos"]}` for apple.screen_time / local.directory, which
+-- only run inside Lobu for Mac — that data is unreachable from a server-side
+-- worker). NULL = cloud connector.
+--
+-- Initial use case: apple.screen_time and local.directory, served by Lobu for
+-- Mac polling /api/workers/* as a user-scoped device worker.
+
+ALTER TABLE public.connector_definitions
+    ADD COLUMN IF NOT EXISTS required_capability text,
+    ADD COLUMN IF NOT EXISTS runtime jsonb;
+
+CREATE INDEX IF NOT EXISTS connector_definitions_required_capability_idx
+    ON public.connector_definitions (required_capability)
+    WHERE required_capability IS NOT NULL;
+
+CREATE TABLE IF NOT EXISTS public.device_workers (
+    user_id text NOT NULL,
+    worker_id text NOT NULL,
+    platform text,
+    app_version text,
+    capabilities jsonb NOT NULL DEFAULT '[]'::jsonb,
+    label text,
+    first_seen_at timestamptz NOT NULL DEFAULT now(),
+    last_seen_at timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (user_id, worker_id)
+);
+
+CREATE INDEX IF NOT EXISTS device_workers_user_id_idx
+    ON public.device_workers (user_id);
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.device_workers_user_id_idx;
+DROP TABLE IF EXISTS public.device_workers;
+DROP INDEX IF EXISTS public.connector_definitions_required_capability_idx;
+ALTER TABLE public.connector_definitions
+    DROP COLUMN IF EXISTS runtime,
+    DROP COLUMN IF EXISTS required_capability;

package/dist/db/migrations/20260512000000_device_worker_connection_binding.sql

@@ -0,0 +1,113 @@
+-- migrate:up
+
+-- Make a connection's execution target explicit, and give every device worker
+-- a home organization.
+--
+-- connections.device_worker_id (nullable) is the binding:
+--   NULL  -> runs on the cloud connector-worker pool (today's behavior)
+--   set   -> runs are pinned to that device worker
+-- For device-type connectors the binding is mandatory; for cloud connectors
+-- it's an optional override. A connection can only be pinned to a device that
+-- is attached to that connection's organization.
+--
+-- device_workers.organization_id is the device's home org — chosen at setup,
+-- defaulting to the owner's personal workspace. The device's connectors live
+-- there; re-attaching the device to a different org (a member of which the
+-- owner must be) is the only knob. There is no per-connection device→org grant.
+
+-- Surrogate key for device_workers so connections / UI can reference a device
+-- by a single stable id. The (user_id, worker_id) primary key stays.
+ALTER TABLE public.device_workers
+    ADD COLUMN IF NOT EXISTS id uuid NOT NULL DEFAULT gen_random_uuid(),
+    ADD COLUMN IF NOT EXISTS organization_id text;
+
+CREATE UNIQUE INDEX IF NOT EXISTS device_workers_id_key
+    ON public.device_workers (id);
+
+CREATE INDEX IF NOT EXISTS idx_device_workers_organization_id
+    ON public.device_workers (organization_id)
+    WHERE organization_id IS NOT NULL;
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'connections_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.connections
+            ADD CONSTRAINT connections_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE SET NULL;
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS idx_connections_device_worker_id
+    ON public.connections (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- Attach existing devices to their owner's personal workspace (no-op on a
+-- fresh database — there are no users yet; the device heartbeat sets this for
+-- new devices either way).
+UPDATE public.device_workers dw
+SET organization_id = (
+    SELECT o.id FROM public.organization o
+    WHERE (o.metadata::jsonb)->>'personal_org_for_user_id' = dw.user_id
+    LIMIT 1
+)
+WHERE dw.organization_id IS NULL;
+
+-- Backfill: existing auto-wired personal-org device connections (created_by
+-- set, no auth profile) whose owner has exactly one device get pinned to that
+-- device — but at most one per (org, connector_key, owner) so the unique index
+-- created below can never be violated. Ambiguous ones stay NULL and the UI
+-- prompts for a device.
+UPDATE public.connections c
+SET device_worker_id = dw.id
+FROM (
+    -- Users with exactly one device worker (no min(uuid) needed — and Postgres
+    -- has no aggregate for uuid anyway).
+    SELECT dw1.user_id, dw1.id
+    FROM public.device_workers dw1
+    WHERE NOT EXISTS (
+        SELECT 1 FROM public.device_workers dw2
+        WHERE dw2.user_id = dw1.user_id AND dw2.id <> dw1.id
+    )
+) dw
+WHERE c.created_by = dw.user_id
+  AND c.device_worker_id IS NULL
+  AND c.deleted_at IS NULL
+  AND c.auth_profile_id IS NULL
+  AND c.connector_key IN (
+      SELECT key FROM public.connector_definitions WHERE required_capability IS NOT NULL
+  )
+  AND c.id = (
+      SELECT min(c2.id) FROM public.connections c2
+      WHERE c2.organization_id = c.organization_id
+        AND c2.connector_key = c.connector_key
+        AND c2.created_by = c.created_by
+        AND c2.deleted_at IS NULL
+  );
+
+-- One active connection per (org, connector, device). A second device backing
+-- the same connector is a second connection. Doubles as DB-level idempotency
+-- for the create-vs-auto-wire race. Created AFTER the backfill above.
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+CREATE UNIQUE INDEX idx_connections_org_connector_device_live
+    ON public.connections (organization_id, connector_key, device_worker_id)
+    WHERE deleted_at IS NULL AND device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+DROP INDEX IF EXISTS public.idx_connections_device_worker_id;
+ALTER TABLE public.connections
+    DROP CONSTRAINT IF EXISTS connections_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS device_worker_id;
+DROP INDEX IF EXISTS public.device_workers_id_key;
+DROP INDEX IF EXISTS public.idx_device_workers_organization_id;
+ALTER TABLE public.device_workers
+    DROP COLUMN IF EXISTS id,
+    DROP COLUMN IF EXISTS organization_id;

package/dist/db/migrations/20260512131703_connections_slug.sql

@@ -0,0 +1,131 @@
+-- migrate:up
+
+-- Add a stable `slug` identity to `connections` so `lobu apply` can diff
+-- connections by an immutable key instead of the mutable `display_name`.
+--
+-- Mirrors the existing `auth_profiles.slug` design: text slug, unique per org
+-- among live rows (partial index on `deleted_at IS NULL`), generated from the
+-- display name when not supplied explicitly.
+--
+-- Backfill MUST produce exactly what `ensureUniqueConnectionSlug` /
+-- `slugifyConnectionName` in packages/server/src/utils/connections.ts would
+-- generate (that file is the source of truth):
+--   1. base = slugify(display_name); if empty, slugify(connector_key); if still
+--      empty, the literal 'connection'. slugify = lowercase, every run of
+--      non-alphanumerics -> '-', trim leading/trailing '-'.
+--   2. Collisions per (organization_id) among live (`deleted_at IS NULL`) rows
+--      are resolved with a deterministic numeric suffix loop: base, base-2,
+--      base-3, ... assigned in ascending id order. Soft-deleted rows do not
+--      participate in the unique index, so they keep their base slug freely.
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS slug text;
+
+-- slugify(display_name) -> slugify(connector_key) -> 'connection'
+WITH base AS (
+    SELECT
+        c.id,
+        coalesce(
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.display_name, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.connector_key, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            'connection'
+        ) AS base_slug
+    FROM public.connections c
+)
+UPDATE public.connections c
+SET slug = b.base_slug
+FROM base b
+WHERE b.id = c.id
+  AND c.slug IS NULL;
+
+-- Resolve collisions to base / base-2 / base-3 / ... in ascending id order.
+-- Loops until no live (deleted_at IS NULL) duplicates remain — a re-assigned
+-- `base-N` could itself collide with another row whose base slug is already
+-- `base-N`, so a single pass is not enough.
+--
+-- This produces a deterministic, collision-free assignment with the same
+-- semantics as the runtime (slugified connector_key fallback, numeric `-N`
+-- suffixing). It is NOT guaranteed to be byte-identical to what
+-- `ensureUniqueConnectionSlug` would pick for pathological mixed-name sets
+-- (the runtime resolves in row-creation order against live DB state, which
+-- pure SQL can't replay) — `packages/server/src/utils/connections.ts` is the
+-- source of truth for new rows.
+DO $$
+DECLARE
+    v_changed integer;
+BEGIN
+    LOOP
+        WITH ranked AS (
+            SELECT
+                id,
+                organization_id,
+                slug,
+                -- strip any suffix we may have appended on a prior pass so the
+                -- base groups stay stable across iterations
+                regexp_replace(slug, '-[0-9]+$', '') AS base_slug,
+                row_number() OVER (
+                    PARTITION BY organization_id, regexp_replace(slug, '-[0-9]+$', '')
+                    ORDER BY id
+                ) AS rn
+            FROM public.connections
+            WHERE deleted_at IS NULL
+        ),
+        target AS (
+            SELECT
+                id,
+                CASE WHEN rn = 1 THEN base_slug ELSE base_slug || '-' || rn::text END AS desired_slug
+            FROM ranked
+        )
+        UPDATE public.connections c
+        SET slug = t.desired_slug
+        FROM target t
+        WHERE t.id = c.id
+          AND c.slug IS DISTINCT FROM t.desired_slug;
+
+        GET DIAGNOSTICS v_changed = ROW_COUNT;
+        EXIT WHEN v_changed = 0;
+    END LOOP;
+END $$;
+
+-- Guard: there must be no live-slug duplicate per org before the unique index.
+DO $$
+DECLARE
+    v_dups integer;
+BEGIN
+    SELECT count(*) INTO v_dups
+    FROM (
+        SELECT organization_id, slug
+        FROM public.connections
+        WHERE deleted_at IS NULL
+        GROUP BY organization_id, slug
+        HAVING count(*) > 1
+    ) d;
+    IF v_dups > 0 THEN
+        RAISE EXCEPTION 'connections.slug backfill left % duplicate (organization_id, slug) group(s) among live rows', v_dups;
+    END IF;
+END $$;
+
+ALTER TABLE public.connections
+    ALTER COLUMN slug SET NOT NULL;
+
+CREATE UNIQUE INDEX IF NOT EXISTS connections_org_slug_unique
+    ON public.connections (organization_id, slug)
+    WHERE deleted_at IS NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.connections_org_slug_unique;
+ALTER TABLE public.connections
+    DROP COLUMN IF EXISTS slug;

package/dist/db/migrations/20260513000000_chat_user_identities.sql

@@ -0,0 +1,24 @@
+-- migrate:up
+
+-- Maps a chat-platform user (Slack `U…`, …) to a Lobu account. Recorded as a
+-- side effect of `/lobu link <code>` — the code is minted by an authenticated
+-- `lobu run`, so `oauth_states.payload.createdBy` is the Lobu user. Once a user
+-- is linked here, they can re-bind any chat to an agent they can manage via
+-- `/lobu link <agentId>` without minting a fresh code.
+
+CREATE TABLE IF NOT EXISTS public.chat_user_identities (
+    platform          text NOT NULL,
+    team_id           text NOT NULL DEFAULT '',  -- workspace id; '' for platforms without one
+    platform_user_id  text NOT NULL,
+    lobu_user_id      text NOT NULL REFERENCES public."user"(id) ON DELETE CASCADE,
+    created_at        timestamptz NOT NULL DEFAULT now(),
+    updated_at        timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (platform, team_id, platform_user_id)
+);
+
+CREATE INDEX IF NOT EXISTS chat_user_identities_lobu_user_idx
+    ON public.chat_user_identities (lobu_user_id);
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.chat_user_identities;

package/dist/db/migrations/20260513120000_auth_profiles_device_binding.sql

@@ -0,0 +1,50 @@
+-- migrate:up
+
+-- Let an auth_profile of kind 'browser_session' live on a specific device worker
+-- instead of holding cookies in auth_data. When device_worker_id is set, cookies
+-- live on disk inside the Mac app's managed --user-data-dir at user_data_dir;
+-- the server never sees them. Cloud/fleet path (device_worker_id NULL,
+-- auth_data populated) is unchanged.
+
+ALTER TABLE public.auth_profiles
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid,
+    ADD COLUMN IF NOT EXISTS browser_kind text,
+    ADD COLUMN IF NOT EXISTS user_data_dir text;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE CASCADE;
+    END IF;
+END$$;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_browser_kind_check'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_browser_kind_check
+            CHECK (browser_kind IS NULL OR browser_kind = ANY (ARRAY['chrome','brave','arc','edge']));
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS auth_profiles_device_worker_idx
+    ON public.auth_profiles (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.auth_profiles_device_worker_idx;
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_browser_kind_check,
+    DROP CONSTRAINT IF EXISTS auth_profiles_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS user_data_dir,
+    DROP COLUMN IF EXISTS browser_kind,
+    DROP COLUMN IF EXISTS device_worker_id;

package/dist/db/migrations/20260513150000_auth_profiles_cdp_url.sql

@@ -0,0 +1,43 @@
+-- migrate:up
+
+-- Add `cdp_url` to auth_profiles. For a device-bound `browser_session`
+-- profile, exactly one of {user_data_dir, cdp_url} should be set:
+--   user_data_dir  → managed Chrome with isolated cookies (default)
+--   cdp_url        → attach to a running Chrome via remote-debugging-port
+-- The application enforces this invariant; we don't add a CHECK constraint
+-- because the OR-on-NULL semantics are awkward to express and the column
+-- is harmless when both are NULL (legacy fleet path with cookies in
+-- auth_data jsonb).
+
+ALTER TABLE public.auth_profiles
+    ADD COLUMN IF NOT EXISTS cdp_url text;
+
+-- A device-bound browser_session profile MUST set exactly one of
+-- (user_data_dir, cdp_url). Other profile kinds — and non-device-bound
+-- browser_session profiles (cookies in auth_data, fleet-served) — are
+-- exempt. Enforcing this at the DB stops a buggy admin tool or a bad
+-- merge from setting both and then having the connector silently prefer
+-- whichever code path it sees first.
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_device_browser_path_xor'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_device_browser_path_xor
+            CHECK (
+                device_worker_id IS NULL
+                OR profile_kind <> 'browser_session'
+                OR (
+                    (user_data_dir IS NOT NULL AND cdp_url IS NULL)
+                    OR (user_data_dir IS NULL AND cdp_url IS NOT NULL)
+                )
+            );
+    END IF;
+END$$;
+
+-- migrate:down
+
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_device_browser_path_xor,
+    DROP COLUMN IF EXISTS cdp_url;

package/dist/db/migrations/20260513200000_notifications_as_events.sql

@@ -0,0 +1,86 @@
+-- migrate:up
+
+-- Unify notifications with events.
+--
+-- A notification was a (org, user, title, body, type, resource_url) row in
+-- its own table with per-user `is_read`. Conceptually it's an event with a
+-- particular kind + per-user delivery / read-state. This migration turns
+-- every notification into:
+--   1. an event with semantic_type='notification' (org-wide visibility in
+--      the events stream — searchable, addressable, links into knowledge);
+--   2. a notification_targets row (event_id, user_id, delivered_at, read_at)
+--      so the inbox still scopes to the targeted user.
+--
+-- After this, "send to admins" inserts one event + N targets; "mark read"
+-- updates a target row; "unread count" counts target rows without read_at.
+-- Search across events naturally includes notifications, but a user's
+-- inbox is still private to them.
+
+CREATE TABLE public.notification_targets (
+    event_id bigint NOT NULL REFERENCES public.events(id) ON DELETE CASCADE,
+    user_id text NOT NULL,
+    delivered_at timestamp with time zone NOT NULL DEFAULT now(),
+    read_at timestamp with time zone,
+    PRIMARY KEY (event_id, user_id)
+);
+
+-- Fast inbox lookups: list a user's unread notifications, newest first.
+CREATE INDEX idx_notification_targets_user_unread
+    ON public.notification_targets (user_id, delivered_at DESC)
+    WHERE read_at IS NULL;
+
+-- All of a user's notifications, newest first (for read-list pagination).
+CREATE INDEX idx_notification_targets_user_all
+    ON public.notification_targets (user_id, delivered_at DESC);
+
+-- Backfill existing notifications. We keep 1:1 row mapping (one event per
+-- legacy notification) for safety — at scale the right model is "one event,
+-- many targets" but the old schema didn't capture that and we can't
+-- retroactively coalesce without an oracle.
+WITH legacy AS (
+    SELECT id, organization_id, user_id, type, title, body,
+           resource_type, resource_id, resource_url, is_read, created_at
+    FROM public.notifications
+    ORDER BY id ASC
+),
+inserted AS (
+    INSERT INTO public.events
+        (organization_id, title, payload_text, payload_type, semantic_type,
+         occurred_at, created_at, metadata, origin_id)
+    SELECT
+        l.organization_id,
+        l.title,
+        l.body,
+        'text',
+        'notification',
+        l.created_at,
+        l.created_at,
+        jsonb_build_object(
+            'notification_type', l.type,
+            'resource_type', l.resource_type,
+            'resource_id', l.resource_id,
+            'resource_url', l.resource_url,
+            'legacy_notification_id', l.id
+        ),
+        'notification:legacy:' || l.id::text
+    FROM legacy l
+    RETURNING id AS event_id, (metadata->>'legacy_notification_id')::bigint AS legacy_id
+)
+INSERT INTO public.notification_targets (event_id, user_id, delivered_at, read_at)
+SELECT
+    i.event_id,
+    l.user_id,
+    l.created_at,
+    CASE WHEN l.is_read THEN l.created_at ELSE NULL END
+FROM inserted i
+JOIN public.notifications l ON l.id = i.legacy_id;
+
+-- Drop the legacy table. All readers/writers go through the new service.
+DROP TABLE public.notifications;
+
+-- migrate:down
+
+-- One-way migration. Recovery is from backup; events created here stay
+-- (deleting them would also wipe their notification_targets via CASCADE).
+-- If you really need to roll back: re-create the table, copy notifications
+-- back out of events + notification_targets, drop the event rows.