@lobu/cli 6.1.1 → 7.1.0

package/dist/connectors/trustpilot.ts

@@ -15,6 +15,8 @@ import {
   type SyncResult,
 } from '@lobu/connector-sdk';
 import {
+  getBrowserCdpUrl,
+  getBrowserUserDataDir,
   handleCookieConsent,
   openStealthBrowser,
   validateUrlDomain,
@@ -96,10 +98,16 @@ export default class TrustpilotConnector extends ConnectorRuntime {
       throw new Error('Either business_url or business_name is required');
     }
 
-    const baseUrl = businessUrl || `https://www.trustpilot.com/review/${businessName}`;
+    // encodeURIComponent the user-supplied businessName so a value like
+    // "../search?foo=bar" can't escape the /review/ path on trustpilot.com.
+    const baseUrl =
+      businessUrl ||
+      `https://www.trustpilot.com/review/${encodeURIComponent(businessName ?? '')}`;
     validateUrlDomain(baseUrl, 'trustpilot.com');
 
-    const session = await openStealthBrowser({ cdpUrl: 'auto' });
+    const userDataDir = getBrowserUserDataDir(ctx.sessionState);
+    const cdpUrl = getBrowserCdpUrl(ctx.sessionState) ?? 'auto';
+    const session = await openStealthBrowser({ cdpUrl, userDataDir });
 
     return withBrowserErrorCapture(session, 'trustpilot-sync', async (page) => {
       await page.goto(baseUrl, {
@@ -157,27 +165,34 @@ export default class TrustpilotConnector extends ConnectorRuntime {
       // Filter reviews with meaningful content (more than 10 chars)
       const reviews: TrustpilotReview[] = rawReviews.filter((r) => r.text && r.text.length > 10);
 
-      // Transform to EventEnvelope format
-      const events: EventEnvelope[] = reviews.map((review) => {
+      // Transform to EventEnvelope format. Drop rows whose `date` attribute
+      // was missing/invalid in the DOM — `new Date("")` yields an Invalid
+      // Date, which downstream sorting/checkpointing then can't compare, and
+      // an empty `date` made `origin_id` collide on `-<author>` across rows.
+      const events: EventEnvelope[] = reviews.flatMap((review) => {
         const content = review.title ? `${review.title}\n\n${review.text}` : review.text;
-
-        return {
-          origin_id: `${review.date}-${review.author}`,
-          payload_text: content,
-          author_name: review.author,
-          occurred_at: new Date(review.date),
-          origin_type: 'review',
-          score: calculateEngagementScore('trustpilot', {
-            rating: review.rating,
-            helpful_count: 0,
-          }),
-          source_url: baseUrl,
-          metadata: {
-            rating: review.rating,
-            helpful_count: 0,
-            title: review.title,
+        const parsedDate = review.date ? new Date(review.date) : null;
+        if (!parsedDate || Number.isNaN(parsedDate.getTime())) return [];
+
+        return [
+          {
+            origin_id: `${review.date}-${review.author}`,
+            payload_text: content,
+            author_name: review.author,
+            occurred_at: parsedDate,
+            origin_type: 'review',
+            score: calculateEngagementScore('trustpilot', {
+              rating: review.rating,
+              helpful_count: 0,
+            }),
+            source_url: baseUrl,
+            metadata: {
+              rating: review.rating,
+              helpful_count: 0,
+              title: review.title,
+            },
           },
-        };
+        ];
       });
 
       return {

package/dist/connectors/website.ts

@@ -20,6 +20,7 @@ import {
   type SyncResult,
 } from '@lobu/connector-sdk';
 import type { Page } from 'playwright';
+import { validatePublicUrl } from './browser-scraper-utils.ts';
 
 interface PageSection {
   heading: string;
@@ -50,72 +51,6 @@ function shouldSkipCookieBannerText(text: string): boolean {
   return countPatternMatches(normalized, COOKIE_BANNER_PATTERNS) >= 3;
 }
 
-/**
- * Validates a URL is safe for server-side fetching.
- * Blocks private/internal network addresses to prevent SSRF attacks.
- */
-function validatePublicUrl(url: string): void {
-  let parsed: URL;
-  try {
-    parsed = new URL(url);
-  } catch {
-    throw new Error(`Invalid URL: ${url}`);
-  }
-
-  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
-    throw new Error(`URL must use http: or https: protocol, got ${parsed.protocol}`);
-  }
-
-  const hostname = parsed.hostname.toLowerCase();
-
-  // Block localhost variants
-  if (hostname === 'localhost' || hostname === '[::1]' || hostname.endsWith('.localhost')) {
-    throw new Error(`URL must not point to localhost: ${hostname}`);
-  }
-
-  // Block private/internal IP ranges
-  // IPv4 patterns: 127.x.x.x, 10.x.x.x, 192.168.x.x, 172.16-31.x.x, 169.254.x.x, 0.x.x.x
-  const ipv4Match = hostname.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
-  if (ipv4Match) {
-    const [, a, b] = ipv4Match.map(Number);
-    if (
-      a === 127 || // 127.0.0.0/8 loopback
-      a === 10 || // 10.0.0.0/8 private
-      (a === 172 && b >= 16 && b <= 31) || // 172.16.0.0/12 private
-      (a === 192 && b === 168) || // 192.168.0.0/16 private
-      (a === 169 && b === 254) || // 169.254.0.0/16 link-local
-      a === 0 // 0.0.0.0/8
-    ) {
-      throw new Error(`URL must not point to a private/internal IP address: ${hostname}`);
-    }
-  }
-
-  // Block IPv6 private ranges (bracketed notation in URLs)
-  if (hostname.startsWith('[')) {
-    const ipv6 = hostname.slice(1, -1).toLowerCase();
-    if (
-      ipv6 === '::1' ||
-      ipv6.startsWith('fe80:') || // link-local
-      ipv6.startsWith('fc') || // unique local (fc00::/7)
-      ipv6.startsWith('fd') || // unique local (fc00::/7)
-      ipv6 === '::' || // unspecified
-      ipv6.startsWith('::ffff:') // IPv4-mapped IPv6
-    ) {
-      throw new Error(`URL must not point to a private/internal IPv6 address: ${hostname}`);
-    }
-  }
-
-  // Block common internal hostnames
-  if (
-    hostname.endsWith('.internal') ||
-    hostname.endsWith('.local') ||
-    hostname.endsWith('.corp') ||
-    hostname.endsWith('.lan')
-  ) {
-    throw new Error(`URL must not point to an internal hostname: ${hostname}`);
-  }
-}
-
 export default class WebsiteConnector extends ConnectorRuntime {
   readonly definition: ConnectorDefinition = {
     key: 'website',
@@ -238,7 +173,7 @@ export default class WebsiteConnector extends ConnectorRuntime {
     urls = urls.slice(0, maxPages);
 
     // Launch browser
-    const { browser } = await launchBrowser({} as any, { stealth: false });
+    const { browser } = await launchBrowser({ stealth: false });
     const events: EventEnvelope[] = [];
     const newHashes: Record<string, string> = {};
 
@@ -457,7 +392,11 @@ export default class WebsiteConnector extends ConnectorRuntime {
     return result.join('\n');
   }
 
-  private async fetchSitemap(sitemapUrl: string): Promise<string[]> {
+  private async fetchSitemap(sitemapUrl: string, depth = 0): Promise<string[]> {
+    // Sitemap-index recursion bound — caps fan-out from a remote sitemap that
+    // links to a sitemap that links to a sitemap... untrusted XML must not
+    // drive unbounded outbound traffic.
+    if (depth > 2) return [];
     const response = await fetch(sitemapUrl, {
       headers: { 'User-Agent': 'Mozilla/5.0 (compatible; LobuBot/1.0)' },
     });
@@ -493,7 +432,7 @@ export default class WebsiteConnector extends ConnectorRuntime {
       }
       for (const childUrl of childSitemaps.slice(0, 5)) {
         validatePublicUrl(childUrl);
-        const childUrls = await this.fetchSitemap(childUrl);
+        const childUrls = await this.fetchSitemap(childUrl, depth + 1);
         urls.push(...childUrls);
       }
     }

package/dist/connectors/whatsapp.ts

@@ -164,6 +164,7 @@ export default class WhatsAppConnector extends ConnectorRuntime {
             metadataSchema: {
               type: 'object',
               properties: {
+                source: { type: 'string', const: 'whatsapp' },
                 chat_jid: { type: 'string' },
                 is_group: { type: 'boolean' },
                 from_me: { type: 'boolean' },
@@ -178,7 +179,7 @@ export default class WhatsAppConnector extends ConnectorRuntime {
             },
             entityLinks: [
               {
-                entityType: '$member',
+                entityType: 'person',
                 autoCreate: true,
                 titlePath: 'metadata.push_name',
                 identities: [
@@ -423,11 +424,7 @@ export default class WhatsAppConnector extends ConnectorRuntime {
         },
       };
     } catch (error) {
-      try {
-        sock.end(undefined);
-      } catch {
-        /* ignore */
-      }
+      safeEnd(sock);
       throw error;
     }
   }
@@ -477,11 +474,7 @@ async function attemptPairing(
       sock.ev.off('connection.update', handler);
       sock.ev.off('creds.update', credsListener);
       ctx.signal.removeEventListener('abort', onAbort);
-      try {
-        sock.end(undefined);
-      } catch {
-        /* ignore */
-      }
+      safeEnd(sock);
       resolve(outcome);
     };
 
@@ -591,11 +584,7 @@ async function drainHistory(
     sock.ev.off('chats.upsert', chatsListener);
     sock.ev.off('messaging-history.set', historyListener);
     sock.ev.off('messages.upsert', messagesListener);
-    try {
-      sock.end(undefined);
-    } catch {
-      /* ignore */
-    }
+    safeEnd(sock);
   };
 
   try {
@@ -828,6 +817,14 @@ function delay(ms: number): Promise<void> {
   return new Promise((r) => setTimeout(r, ms));
 }
 
+function safeEnd(sock: ReturnType<typeof makeWASocket>): void {
+  try {
+    sock.end(undefined);
+  } catch {
+    /* ignore */
+  }
+}
+
 function waitForOpen(sock: ReturnType<typeof makeWASocket>, timeoutMs: number): Promise<boolean> {
   return new Promise((resolve) => {
     let newLogin = false;
@@ -962,12 +959,7 @@ export function toEvent(
   const text = extractText(m.message);
   if (!text) return null;
 
-  const tsRaw =
-    typeof m.messageTimestamp === 'number'
-      ? m.messageTimestamp
-      : ((m.messageTimestamp as { low?: number; toNumber?: () => number } | null)?.toNumber?.() ??
-        (m.messageTimestamp as { low?: number } | null)?.low ??
-        0);
+  const tsRaw = extractTs(m);
   if (!tsRaw) return null;
   const occurredAt = new Date(tsRaw * 1000);
 
@@ -1001,6 +993,13 @@ export function toEvent(
     occurred_at: occurredAt,
     origin_parent_id: chatJid,
     metadata: {
+      // Mirror the bridge's `source` field so consumers can tell which
+      // transport delivered an event when the same message arrives via both
+      // (QR-paired socket and the local Mac archive). Origin id alignment
+      // (both connectors emit the bare WhatsApp stanza id) makes the gateway
+      // dedupe on insert; `source` records which side produced the row that
+      // survived.
+      source: 'whatsapp',
       chat_jid: chatJid,
       is_group: isGroup,
       from_me: fromMe,

package/dist/connectors/whatsapp_local.ts

@@ -0,0 +1,125 @@
+/**
+ * WhatsApp (local) Connector — Lobu for Mac only.
+ *
+ * Reads messages directly from the WhatsApp Desktop app's local SQLite store
+ * at `~/Library/Group Containers/group.net.whatsapp.WhatsApp.shared/
+ * ChatStorage.sqlite`. Lobu for Mac snapshots the DB read-only, walks new
+ * rows since the last `Z_PK` checkpoint, and emits events that share the
+ * `whatsapp` connector's metadata shape so downstream entity links work
+ * identically.
+ *
+ * Differences from the QR-paired `whatsapp` connector:
+ *   - No Baileys, no socket, no phone-offline auto-unlink (WA Desktop itself
+ *     is the linked device).
+ *   - Ciphertext never leaves the Mac.
+ *   - Bound to one specific Mac; requires WhatsApp Desktop installed.
+ */
+
+import {
+  type ActionResult,
+  type ConnectorDefinition,
+  ConnectorRuntime,
+  IDENTITY,
+  type SyncContext,
+  type SyncResult,
+} from '@lobu/connector-sdk';
+
+const BRIDGE_ONLY =
+  'WhatsApp (local) runs only on a worker advertising capability "whatsapp_local" (Lobu for Mac with WhatsApp Desktop installed).';
+
+export default class WhatsAppLocalConnector extends ConnectorRuntime {
+  readonly definition: ConnectorDefinition = {
+    key: 'whatsapp.local',
+    name: 'WhatsApp (this Mac)',
+    description:
+      "Reads messages from the WhatsApp Desktop app's local archive on this Mac. No QR pairing, no phone-offline auto-unlink — the desktop app is itself the linked device.",
+    version: '0.1.0',
+    faviconDomain: 'whatsapp.com',
+    requiredCapability: 'whatsapp_local',
+    runtime: { platforms: ['macos'] },
+    authSchema: { methods: [{ type: 'none' }] },
+    feeds: {
+      messages: {
+        key: 'messages',
+        name: 'Messages',
+        description:
+          'Personal WhatsApp messages from 1:1 and group chats, sourced from WhatsApp Desktop.',
+        configSchema: {
+          type: 'object',
+          properties: {
+            chat_filter: {
+              type: 'string',
+              enum: ['all', 'individual', 'group'],
+              default: 'all',
+              description: 'Which chats to include.',
+            },
+            max_messages_per_sync: {
+              type: 'integer',
+              minimum: 1,
+              maximum: 500000,
+              default: 5000,
+              description:
+                'Safety cap on messages collected per sync. The first sync drains all messages up to this cap; subsequent syncs ingest only new messages, so the cap rarely binds.',
+            },
+          },
+        },
+        eventKinds: {
+          message: {
+            description: 'A WhatsApp message (text, caption, or system).',
+            metadataSchema: {
+              type: 'object',
+              properties: {
+                source: { type: 'string', const: 'whatsapp_local' },
+                chat_jid: { type: 'string' },
+                is_group: { type: 'boolean' },
+                from_me: { type: 'boolean' },
+                participant: { type: 'string' },
+                sender_jid: { type: 'string' },
+                sender_phone: { type: 'string' },
+                push_name: { type: 'string' },
+                media_type: { type: 'string' },
+                quoted_id: { type: 'string' },
+                is_forwarded: { type: 'boolean' },
+                is_starred: { type: 'boolean' },
+                is_system_event: { type: 'boolean' },
+                voice_note_skipped: {
+                  type: 'string',
+                  enum: ['not_downloaded', 'too_large', 'empty', 'read_error', 'invalid_path'],
+                },
+              },
+            },
+            entityLinks: [
+              {
+                entityType: 'person',
+                autoCreate: true,
+                titlePath: 'metadata.push_name',
+                identities: [
+                  { namespace: IDENTITY.WA_JID, eventPath: 'metadata.sender_jid' },
+                  { namespace: IDENTITY.PHONE, eventPath: 'metadata.sender_phone' },
+                ],
+                traits: {
+                  push_name: {
+                    eventPath: 'metadata.push_name',
+                    behavior: 'prefer_non_empty',
+                  },
+                  last_seen_at: {
+                    eventPath: 'occurred_at',
+                    behavior: 'overwrite',
+                  },
+                },
+              },
+            ],
+          },
+        },
+      },
+    },
+  };
+
+  async sync(_ctx: SyncContext): Promise<SyncResult> {
+    throw new Error(BRIDGE_ONLY);
+  }
+
+  async execute(): Promise<ActionResult> {
+    throw new Error(BRIDGE_ONLY);
+  }
+}

package/dist/connectors/x.ts

@@ -17,7 +17,12 @@ import {
   type SyncContext,
   type SyncResult,
 } from '@lobu/connector-sdk';
-import { getBrowserCookies, validateCookieNotExpired } from './browser-scraper-utils';
+import {
+  getBrowserCdpUrl,
+  getBrowserCookies,
+  getBrowserUserDataDir,
+  validateCookieNotExpired,
+} from './browser-scraper-utils';
 
 interface XCheckpoint {
   last_tweet_id?: string;
@@ -358,12 +363,16 @@ async function syncViaBrowser(
   const searchFilter = (config.search_filter as string) ?? 'live';
   const searchUrl = `https://x.com/search?q=${encodeURIComponent(searchQuery)}&src=typed_query&f=${searchFilter}`;
 
+  const userDataDir = getBrowserUserDataDir(ctx.sessionState);
+  const cdpUrl = getBrowserCdpUrl(ctx.sessionState) ?? 'auto';
   let cookies: any[] = [];
-  try {
-    cookies = getBrowserCookies(ctx.checkpoint as any, ctx.sessionState as any, 'x');
-    validateCookieNotExpired(cookies, 'auth_token', 'x');
-  } catch {
-    // No stored cookies — CDP will be the only path
+  if (!userDataDir) {
+    try {
+      cookies = getBrowserCookies(ctx.checkpoint as any, ctx.sessionState as any, 'x');
+      validateCookieNotExpired(cookies, 'auth_token', 'x');
+    } catch {
+      // No stored cookies — CDP will be the only path
+    }
   }
 
   const result = await browserNetworkSync<XTweet>({
@@ -376,8 +385,9 @@ async function syncViaBrowser(
       navigationTimeoutMs: 15000,
     },
     url: searchUrl,
-    cdpUrl: 'auto',
+    cdpUrl,
     cookies,
+    userDataDir,
     parseResponse: parseBrowserSearchResponse,
     checkAuth: async (page) => {
       const url = page.url();

package/dist/db/migrations/20260510220000_connector_required_capability.sql

@@ -0,0 +1,47 @@
+-- migrate:up
+
+-- Add a per-connector capability gate for worker dispatch. Workers advertise
+-- their capabilities on poll; the runs scheduler only assigns connector runs
+-- to workers whose capabilities include the connector's required_capability.
+-- NULL means "no special capability required" (the default for API/browser
+-- connectors that the existing fleet can run).
+--
+-- `runtime` carries platform metadata for device-bound connectors (e.g.
+-- `{"platforms": ["macos"]}` for apple.screen_time / local.directory, which
+-- only run inside Lobu for Mac — that data is unreachable from a server-side
+-- worker). NULL = cloud connector.
+--
+-- Initial use case: apple.screen_time and local.directory, served by Lobu for
+-- Mac polling /api/workers/* as a user-scoped device worker.
+
+ALTER TABLE public.connector_definitions
+    ADD COLUMN IF NOT EXISTS required_capability text,
+    ADD COLUMN IF NOT EXISTS runtime jsonb;
+
+CREATE INDEX IF NOT EXISTS connector_definitions_required_capability_idx
+    ON public.connector_definitions (required_capability)
+    WHERE required_capability IS NOT NULL;
+
+CREATE TABLE IF NOT EXISTS public.device_workers (
+    user_id text NOT NULL,
+    worker_id text NOT NULL,
+    platform text,
+    app_version text,
+    capabilities jsonb NOT NULL DEFAULT '[]'::jsonb,
+    label text,
+    first_seen_at timestamptz NOT NULL DEFAULT now(),
+    last_seen_at timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (user_id, worker_id)
+);
+
+CREATE INDEX IF NOT EXISTS device_workers_user_id_idx
+    ON public.device_workers (user_id);
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.device_workers_user_id_idx;
+DROP TABLE IF EXISTS public.device_workers;
+DROP INDEX IF EXISTS public.connector_definitions_required_capability_idx;
+ALTER TABLE public.connector_definitions
+    DROP COLUMN IF EXISTS runtime,
+    DROP COLUMN IF EXISTS required_capability;

package/dist/db/migrations/20260512000000_device_worker_connection_binding.sql

@@ -0,0 +1,113 @@
+-- migrate:up
+
+-- Make a connection's execution target explicit, and give every device worker
+-- a home organization.
+--
+-- connections.device_worker_id (nullable) is the binding:
+--   NULL  -> runs on the cloud connector-worker pool (today's behavior)
+--   set   -> runs are pinned to that device worker
+-- For device-type connectors the binding is mandatory; for cloud connectors
+-- it's an optional override. A connection can only be pinned to a device that
+-- is attached to that connection's organization.
+--
+-- device_workers.organization_id is the device's home org — chosen at setup,
+-- defaulting to the owner's personal workspace. The device's connectors live
+-- there; re-attaching the device to a different org (a member of which the
+-- owner must be) is the only knob. There is no per-connection device→org grant.
+
+-- Surrogate key for device_workers so connections / UI can reference a device
+-- by a single stable id. The (user_id, worker_id) primary key stays.
+ALTER TABLE public.device_workers
+    ADD COLUMN IF NOT EXISTS id uuid NOT NULL DEFAULT gen_random_uuid(),
+    ADD COLUMN IF NOT EXISTS organization_id text;
+
+CREATE UNIQUE INDEX IF NOT EXISTS device_workers_id_key
+    ON public.device_workers (id);
+
+CREATE INDEX IF NOT EXISTS idx_device_workers_organization_id
+    ON public.device_workers (organization_id)
+    WHERE organization_id IS NOT NULL;
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'connections_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.connections
+            ADD CONSTRAINT connections_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE SET NULL;
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS idx_connections_device_worker_id
+    ON public.connections (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- Attach existing devices to their owner's personal workspace (no-op on a
+-- fresh database — there are no users yet; the device heartbeat sets this for
+-- new devices either way).
+UPDATE public.device_workers dw
+SET organization_id = (
+    SELECT o.id FROM public.organization o
+    WHERE (o.metadata::jsonb)->>'personal_org_for_user_id' = dw.user_id
+    LIMIT 1
+)
+WHERE dw.organization_id IS NULL;
+
+-- Backfill: existing auto-wired personal-org device connections (created_by
+-- set, no auth profile) whose owner has exactly one device get pinned to that
+-- device — but at most one per (org, connector_key, owner) so the unique index
+-- created below can never be violated. Ambiguous ones stay NULL and the UI
+-- prompts for a device.
+UPDATE public.connections c
+SET device_worker_id = dw.id
+FROM (
+    -- Users with exactly one device worker (no min(uuid) needed — and Postgres
+    -- has no aggregate for uuid anyway).
+    SELECT dw1.user_id, dw1.id
+    FROM public.device_workers dw1
+    WHERE NOT EXISTS (
+        SELECT 1 FROM public.device_workers dw2
+        WHERE dw2.user_id = dw1.user_id AND dw2.id <> dw1.id
+    )
+) dw
+WHERE c.created_by = dw.user_id
+  AND c.device_worker_id IS NULL
+  AND c.deleted_at IS NULL
+  AND c.auth_profile_id IS NULL
+  AND c.connector_key IN (
+      SELECT key FROM public.connector_definitions WHERE required_capability IS NOT NULL
+  )
+  AND c.id = (
+      SELECT min(c2.id) FROM public.connections c2
+      WHERE c2.organization_id = c.organization_id
+        AND c2.connector_key = c.connector_key
+        AND c2.created_by = c.created_by
+        AND c2.deleted_at IS NULL
+  );
+
+-- One active connection per (org, connector, device). A second device backing
+-- the same connector is a second connection. Doubles as DB-level idempotency
+-- for the create-vs-auto-wire race. Created AFTER the backfill above.
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+CREATE UNIQUE INDEX idx_connections_org_connector_device_live
+    ON public.connections (organization_id, connector_key, device_worker_id)
+    WHERE deleted_at IS NULL AND device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.idx_connections_org_connector_device_live;
+DROP INDEX IF EXISTS public.idx_connections_device_worker_id;
+ALTER TABLE public.connections
+    DROP CONSTRAINT IF EXISTS connections_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS device_worker_id;
+DROP INDEX IF EXISTS public.device_workers_id_key;
+DROP INDEX IF EXISTS public.idx_device_workers_organization_id;
+ALTER TABLE public.device_workers
+    DROP COLUMN IF EXISTS id,
+    DROP COLUMN IF EXISTS organization_id;