@lobu/cli 6.1.1 → 7.1.0

package/dist/db/migrations/20260512131703_connections_slug.sql

@@ -0,0 +1,131 @@
+-- migrate:up
+
+-- Add a stable `slug` identity to `connections` so `lobu apply` can diff
+-- connections by an immutable key instead of the mutable `display_name`.
+--
+-- Mirrors the existing `auth_profiles.slug` design: text slug, unique per org
+-- among live rows (partial index on `deleted_at IS NULL`), generated from the
+-- display name when not supplied explicitly.
+--
+-- Backfill MUST produce exactly what `ensureUniqueConnectionSlug` /
+-- `slugifyConnectionName` in packages/server/src/utils/connections.ts would
+-- generate (that file is the source of truth):
+--   1. base = slugify(display_name); if empty, slugify(connector_key); if still
+--      empty, the literal 'connection'. slugify = lowercase, every run of
+--      non-alphanumerics -> '-', trim leading/trailing '-'.
+--   2. Collisions per (organization_id) among live (`deleted_at IS NULL`) rows
+--      are resolved with a deterministic numeric suffix loop: base, base-2,
+--      base-3, ... assigned in ascending id order. Soft-deleted rows do not
+--      participate in the unique index, so they keep their base slug freely.
+
+ALTER TABLE public.connections
+    ADD COLUMN IF NOT EXISTS slug text;
+
+-- slugify(display_name) -> slugify(connector_key) -> 'connection'
+WITH base AS (
+    SELECT
+        c.id,
+        coalesce(
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.display_name, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            NULLIF(
+                regexp_replace(
+                    regexp_replace(lower(coalesce(c.connector_key, '')), '[^a-z0-9]+', '-', 'g'),
+                    '(^-+|-+$)', '', 'g'
+                ),
+                ''
+            ),
+            'connection'
+        ) AS base_slug
+    FROM public.connections c
+)
+UPDATE public.connections c
+SET slug = b.base_slug
+FROM base b
+WHERE b.id = c.id
+  AND c.slug IS NULL;
+
+-- Resolve collisions to base / base-2 / base-3 / ... in ascending id order.
+-- Loops until no live (deleted_at IS NULL) duplicates remain — a re-assigned
+-- `base-N` could itself collide with another row whose base slug is already
+-- `base-N`, so a single pass is not enough.
+--
+-- This produces a deterministic, collision-free assignment with the same
+-- semantics as the runtime (slugified connector_key fallback, numeric `-N`
+-- suffixing). It is NOT guaranteed to be byte-identical to what
+-- `ensureUniqueConnectionSlug` would pick for pathological mixed-name sets
+-- (the runtime resolves in row-creation order against live DB state, which
+-- pure SQL can't replay) — `packages/server/src/utils/connections.ts` is the
+-- source of truth for new rows.
+DO $$
+DECLARE
+    v_changed integer;
+BEGIN
+    LOOP
+        WITH ranked AS (
+            SELECT
+                id,
+                organization_id,
+                slug,
+                -- strip any suffix we may have appended on a prior pass so the
+                -- base groups stay stable across iterations
+                regexp_replace(slug, '-[0-9]+$', '') AS base_slug,
+                row_number() OVER (
+                    PARTITION BY organization_id, regexp_replace(slug, '-[0-9]+$', '')
+                    ORDER BY id
+                ) AS rn
+            FROM public.connections
+            WHERE deleted_at IS NULL
+        ),
+        target AS (
+            SELECT
+                id,
+                CASE WHEN rn = 1 THEN base_slug ELSE base_slug || '-' || rn::text END AS desired_slug
+            FROM ranked
+        )
+        UPDATE public.connections c
+        SET slug = t.desired_slug
+        FROM target t
+        WHERE t.id = c.id
+          AND c.slug IS DISTINCT FROM t.desired_slug;
+
+        GET DIAGNOSTICS v_changed = ROW_COUNT;
+        EXIT WHEN v_changed = 0;
+    END LOOP;
+END $$;
+
+-- Guard: there must be no live-slug duplicate per org before the unique index.
+DO $$
+DECLARE
+    v_dups integer;
+BEGIN
+    SELECT count(*) INTO v_dups
+    FROM (
+        SELECT organization_id, slug
+        FROM public.connections
+        WHERE deleted_at IS NULL
+        GROUP BY organization_id, slug
+        HAVING count(*) > 1
+    ) d;
+    IF v_dups > 0 THEN
+        RAISE EXCEPTION 'connections.slug backfill left % duplicate (organization_id, slug) group(s) among live rows', v_dups;
+    END IF;
+END $$;
+
+ALTER TABLE public.connections
+    ALTER COLUMN slug SET NOT NULL;
+
+CREATE UNIQUE INDEX IF NOT EXISTS connections_org_slug_unique
+    ON public.connections (organization_id, slug)
+    WHERE deleted_at IS NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.connections_org_slug_unique;
+ALTER TABLE public.connections
+    DROP COLUMN IF EXISTS slug;

package/dist/db/migrations/20260513000000_chat_user_identities.sql

@@ -0,0 +1,24 @@
+-- migrate:up
+
+-- Maps a chat-platform user (Slack `U…`, …) to a Lobu account. Recorded as a
+-- side effect of `/lobu link <code>` — the code is minted by an authenticated
+-- `lobu run`, so `oauth_states.payload.createdBy` is the Lobu user. Once a user
+-- is linked here, they can re-bind any chat to an agent they can manage via
+-- `/lobu link <agentId>` without minting a fresh code.
+
+CREATE TABLE IF NOT EXISTS public.chat_user_identities (
+    platform          text NOT NULL,
+    team_id           text NOT NULL DEFAULT '',  -- workspace id; '' for platforms without one
+    platform_user_id  text NOT NULL,
+    lobu_user_id      text NOT NULL REFERENCES public."user"(id) ON DELETE CASCADE,
+    created_at        timestamptz NOT NULL DEFAULT now(),
+    updated_at        timestamptz NOT NULL DEFAULT now(),
+    PRIMARY KEY (platform, team_id, platform_user_id)
+);
+
+CREATE INDEX IF NOT EXISTS chat_user_identities_lobu_user_idx
+    ON public.chat_user_identities (lobu_user_id);
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.chat_user_identities;

package/dist/db/migrations/20260513120000_auth_profiles_device_binding.sql

@@ -0,0 +1,50 @@
+-- migrate:up
+
+-- Let an auth_profile of kind 'browser_session' live on a specific device worker
+-- instead of holding cookies in auth_data. When device_worker_id is set, cookies
+-- live on disk inside the Mac app's managed --user-data-dir at user_data_dir;
+-- the server never sees them. Cloud/fleet path (device_worker_id NULL,
+-- auth_data populated) is unchanged.
+
+ALTER TABLE public.auth_profiles
+    ADD COLUMN IF NOT EXISTS device_worker_id uuid,
+    ADD COLUMN IF NOT EXISTS browser_kind text,
+    ADD COLUMN IF NOT EXISTS user_data_dir text;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_device_worker_id_fkey'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_device_worker_id_fkey
+            FOREIGN KEY (device_worker_id)
+            REFERENCES public.device_workers (id)
+            ON DELETE CASCADE;
+    END IF;
+END$$;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_browser_kind_check'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_browser_kind_check
+            CHECK (browser_kind IS NULL OR browser_kind = ANY (ARRAY['chrome','brave','arc','edge']));
+    END IF;
+END$$;
+
+CREATE INDEX IF NOT EXISTS auth_profiles_device_worker_idx
+    ON public.auth_profiles (device_worker_id)
+    WHERE device_worker_id IS NOT NULL;
+
+-- migrate:down
+
+DROP INDEX IF EXISTS public.auth_profiles_device_worker_idx;
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_browser_kind_check,
+    DROP CONSTRAINT IF EXISTS auth_profiles_device_worker_id_fkey,
+    DROP COLUMN IF EXISTS user_data_dir,
+    DROP COLUMN IF EXISTS browser_kind,
+    DROP COLUMN IF EXISTS device_worker_id;

package/dist/db/migrations/20260513150000_auth_profiles_cdp_url.sql

@@ -0,0 +1,43 @@
+-- migrate:up
+
+-- Add `cdp_url` to auth_profiles. For a device-bound `browser_session`
+-- profile, exactly one of {user_data_dir, cdp_url} should be set:
+--   user_data_dir  → managed Chrome with isolated cookies (default)
+--   cdp_url        → attach to a running Chrome via remote-debugging-port
+-- The application enforces this invariant; we don't add a CHECK constraint
+-- because the OR-on-NULL semantics are awkward to express and the column
+-- is harmless when both are NULL (legacy fleet path with cookies in
+-- auth_data jsonb).
+
+ALTER TABLE public.auth_profiles
+    ADD COLUMN IF NOT EXISTS cdp_url text;
+
+-- A device-bound browser_session profile MUST set exactly one of
+-- (user_data_dir, cdp_url). Other profile kinds — and non-device-bound
+-- browser_session profiles (cookies in auth_data, fleet-served) — are
+-- exempt. Enforcing this at the DB stops a buggy admin tool or a bad
+-- merge from setting both and then having the connector silently prefer
+-- whichever code path it sees first.
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_device_browser_path_xor'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_device_browser_path_xor
+            CHECK (
+                device_worker_id IS NULL
+                OR profile_kind <> 'browser_session'
+                OR (
+                    (user_data_dir IS NOT NULL AND cdp_url IS NULL)
+                    OR (user_data_dir IS NULL AND cdp_url IS NOT NULL)
+                )
+            );
+    END IF;
+END$$;
+
+-- migrate:down
+
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_device_browser_path_xor,
+    DROP COLUMN IF EXISTS cdp_url;

package/dist/db/migrations/20260513200000_notifications_as_events.sql

@@ -0,0 +1,86 @@
+-- migrate:up
+
+-- Unify notifications with events.
+--
+-- A notification was a (org, user, title, body, type, resource_url) row in
+-- its own table with per-user `is_read`. Conceptually it's an event with a
+-- particular kind + per-user delivery / read-state. This migration turns
+-- every notification into:
+--   1. an event with semantic_type='notification' (org-wide visibility in
+--      the events stream — searchable, addressable, links into knowledge);
+--   2. a notification_targets row (event_id, user_id, delivered_at, read_at)
+--      so the inbox still scopes to the targeted user.
+--
+-- After this, "send to admins" inserts one event + N targets; "mark read"
+-- updates a target row; "unread count" counts target rows without read_at.
+-- Search across events naturally includes notifications, but a user's
+-- inbox is still private to them.
+
+CREATE TABLE public.notification_targets (
+    event_id bigint NOT NULL REFERENCES public.events(id) ON DELETE CASCADE,
+    user_id text NOT NULL,
+    delivered_at timestamp with time zone NOT NULL DEFAULT now(),
+    read_at timestamp with time zone,
+    PRIMARY KEY (event_id, user_id)
+);
+
+-- Fast inbox lookups: list a user's unread notifications, newest first.
+CREATE INDEX idx_notification_targets_user_unread
+    ON public.notification_targets (user_id, delivered_at DESC)
+    WHERE read_at IS NULL;
+
+-- All of a user's notifications, newest first (for read-list pagination).
+CREATE INDEX idx_notification_targets_user_all
+    ON public.notification_targets (user_id, delivered_at DESC);
+
+-- Backfill existing notifications. We keep 1:1 row mapping (one event per
+-- legacy notification) for safety — at scale the right model is "one event,
+-- many targets" but the old schema didn't capture that and we can't
+-- retroactively coalesce without an oracle.
+WITH legacy AS (
+    SELECT id, organization_id, user_id, type, title, body,
+           resource_type, resource_id, resource_url, is_read, created_at
+    FROM public.notifications
+    ORDER BY id ASC
+),
+inserted AS (
+    INSERT INTO public.events
+        (organization_id, title, payload_text, payload_type, semantic_type,
+         occurred_at, created_at, metadata, origin_id)
+    SELECT
+        l.organization_id,
+        l.title,
+        l.body,
+        'text',
+        'notification',
+        l.created_at,
+        l.created_at,
+        jsonb_build_object(
+            'notification_type', l.type,
+            'resource_type', l.resource_type,
+            'resource_id', l.resource_id,
+            'resource_url', l.resource_url,
+            'legacy_notification_id', l.id
+        ),
+        'notification:legacy:' || l.id::text
+    FROM legacy l
+    RETURNING id AS event_id, (metadata->>'legacy_notification_id')::bigint AS legacy_id
+)
+INSERT INTO public.notification_targets (event_id, user_id, delivered_at, read_at)
+SELECT
+    i.event_id,
+    l.user_id,
+    l.created_at,
+    CASE WHEN l.is_read THEN l.created_at ELSE NULL END
+FROM inserted i
+JOIN public.notifications l ON l.id = i.legacy_id;
+
+-- Drop the legacy table. All readers/writers go through the new service.
+DROP TABLE public.notifications;
+
+-- migrate:down
+
+-- One-way migration. Recovery is from backup; events created here stay
+-- (deleting them would also wipe their notification_targets via CASCADE).
+-- If you really need to roll back: re-create the table, copy notifications
+-- back out of events + notification_targets, drop the event rows.

package/dist/db/migrations/20260514000000_scheduled_jobs.sql

@@ -0,0 +1,97 @@
+-- migrate:up
+
+-- User-driven scheduled jobs.
+--
+-- Why a separate table:
+--   * `runs` already holds *fired* / *pending-to-fire* rows via
+--     scheduler.spawn(). Each scheduled_jobs row is the *definition* of a
+--     recurring (or one-shot) schedule — its source of truth.
+--   * The ticker (`scheduled-jobs-tick`) scans this table on cron, spawns
+--     a runs row per firing via TaskScheduler.spawn, and advances
+--     next_run_at from `cron`. If the tick or a firing fails, the next
+--     tick re-reads the same row (next_run_at didn't move forward) and
+--     retries. Self-healing.
+--   * Attribution lives here: who scheduled it (user or agent), what run
+--     was the trigger, what event was the trigger. Lets "why did the
+--     system act?" become a single JOIN.
+--   * Cascade-on-delete: when an agent is deleted, all its schedules
+--     evaporate via the FK — no orphan wake-ups firing into the void.
+
+CREATE TABLE public.scheduled_jobs (
+    id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    organization_id text NOT NULL REFERENCES public.organization(id) ON DELETE CASCADE,
+
+    -- What fires
+    action_type text NOT NULL,        -- 'send_notification' | 'wake_agent' | ...
+    action_args jsonb NOT NULL,       -- handler payload
+    cron text,                        -- null = one-shot; cron string = recurring
+    next_run_at timestamp with time zone NOT NULL,
+    last_fired_at timestamp with time zone,
+    last_fired_run_id bigint,         -- the runs.id from the most recent firing
+    paused boolean NOT NULL DEFAULT false,
+
+    description text NOT NULL,        -- human summary for the UI / audit
+
+    -- Attribution
+    created_by_user text,             -- user that scheduled it (null when agent did)
+    created_by_agent text,            -- agent that scheduled it (null when user did)
+    source_run_id bigint,             -- runs.id that originated the scheduling, if any
+    source_event_id bigint,           -- events.id that originated, if any
+    source_thread_id text,            -- chat-thread context, if any
+
+    created_at timestamp with time zone NOT NULL DEFAULT now(),
+    updated_at timestamp with time zone NOT NULL DEFAULT now(),
+
+    CONSTRAINT scheduled_jobs_attribution_check CHECK (
+        created_by_user IS NOT NULL OR created_by_agent IS NOT NULL
+    )
+);
+
+-- Cascade: dropping an agent kills its scheduled jobs (so an agent's
+-- wake-ups don't outlive the agent itself). Conditional so the migration
+-- works on installs where the agents table doesn't exist yet (very
+-- old) — every row already has organization_id which is the harder constraint.
+DO $$
+BEGIN
+    IF EXISTS (SELECT 1 FROM pg_class WHERE relname = 'agents' AND relkind = 'r') THEN
+        ALTER TABLE public.scheduled_jobs
+            ADD CONSTRAINT scheduled_jobs_agent_fkey
+            FOREIGN KEY (created_by_agent) REFERENCES public.agents(id) ON DELETE CASCADE;
+    END IF;
+END$$;
+
+DO $$
+BEGIN
+    IF EXISTS (SELECT 1 FROM pg_class WHERE relname = 'runs' AND relkind = 'r') THEN
+        ALTER TABLE public.scheduled_jobs
+            ADD CONSTRAINT scheduled_jobs_source_run_fkey
+            FOREIGN KEY (source_run_id) REFERENCES public.runs(id) ON DELETE SET NULL;
+    END IF;
+END$$;
+
+DO $$
+BEGIN
+    IF EXISTS (SELECT 1 FROM pg_class WHERE relname = 'events' AND relkind = 'r') THEN
+        ALTER TABLE public.scheduled_jobs
+            ADD CONSTRAINT scheduled_jobs_source_event_fkey
+            FOREIGN KEY (source_event_id) REFERENCES public.events(id) ON DELETE SET NULL;
+    END IF;
+END$$;
+
+-- Index: the ticker's hot read.
+CREATE INDEX idx_scheduled_jobs_due
+    ON public.scheduled_jobs (next_run_at)
+    WHERE NOT paused;
+
+-- Index: list per-agent / per-user.
+CREATE INDEX idx_scheduled_jobs_org_agent
+    ON public.scheduled_jobs (organization_id, created_by_agent)
+    WHERE created_by_agent IS NOT NULL;
+
+CREATE INDEX idx_scheduled_jobs_org_user
+    ON public.scheduled_jobs (organization_id, created_by_user)
+    WHERE created_by_user IS NOT NULL;
+
+-- migrate:down
+
+DROP TABLE IF EXISTS public.scheduled_jobs;

package/dist/db/migrations/20260514120000_auth_profiles_connector_key_nullable.sql

@@ -0,0 +1,42 @@
+-- migrate:up
+
+-- Drop the NOT NULL on auth_profiles.connector_key so browser_session
+-- profiles can be device-bound resources without a connector binding.
+--
+-- A browser_session profile is physically (device, browser_kind, user_data_dir
+-- XOR cdp_url) — the connector_key was always a hint, not a gate. One CDP
+-- attach on a Mac already has cookies for every site the user is logged into;
+-- forcing one row per connector against the same cdp_url was bookkeeping for
+-- the DB's benefit, not the user's. Connection resolution falls back to
+-- "browser_session on the connection's device_worker_id" when no exact
+-- connector match exists.
+--
+-- Other profile kinds (env, oauth_app, oauth_account, interactive) remain
+-- per-connector; the new check constraint keeps them honest.
+
+ALTER TABLE public.auth_profiles
+    ALTER COLUMN connector_key DROP NOT NULL;
+
+DO $$
+BEGIN
+    IF NOT EXISTS (
+        SELECT 1 FROM pg_constraint WHERE conname = 'auth_profiles_connector_key_required'
+    ) THEN
+        ALTER TABLE public.auth_profiles
+            ADD CONSTRAINT auth_profiles_connector_key_required
+            CHECK (
+                connector_key IS NOT NULL
+                OR profile_kind = 'browser_session'
+            );
+    END IF;
+END$$;
+
+-- migrate:down
+
+ALTER TABLE public.auth_profiles
+    DROP CONSTRAINT IF EXISTS auth_profiles_connector_key_required;
+
+-- Restoring NOT NULL would fail if any browser_session rows now have
+-- connector_key = NULL. Backfill with a placeholder before running this.
+ALTER TABLE public.auth_profiles
+    ALTER COLUMN connector_key SET NOT NULL;

package/dist/db/migrations/20260514130000_connection_action_modes.sql

@@ -0,0 +1,103 @@
+-- migrate:up
+
+-- Collapse `connection.config.auto_approve_actions` (string[]) and
+-- `connection.config.require_approval_actions` (string[]) into a single
+-- `action_modes` (Record<string, 'disabled' | 'approval' | 'auto'>) map.
+--
+-- The old two-array model couldn't express "agent must not call this op
+-- at all" — every action the connector defined was always reachable, the
+-- arrays only flipped approval prompts. The new map adds 'disabled' as the
+-- third state and gives every op an explicit user-chosen mode.
+--
+-- Backfill rule, per row, for every op listed in either array:
+--   op in auto_approve_actions      → action_modes[op] = 'auto'
+--   op in require_approval_actions  → action_modes[op] = 'approval'
+-- When an op appears in both, 'approval' wins (it's the stricter signal:
+-- the user explicitly opted in to seeing an approval prompt).
+--
+-- Ops the user never touched are not stored in action_modes; the server
+-- falls back to the connector's per-op `requires_approval` default at read
+-- time, which preserves today's "all on" behavior.
+--
+-- We drop the two old keys in the same statement so the new state is the
+-- only state on disk after migration.
+
+UPDATE public.connections
+SET config = (
+        COALESCE(config, '{}'::jsonb)
+        - 'auto_approve_actions'
+        - 'require_approval_actions'
+    )
+    || jsonb_build_object(
+        'action_modes',
+        COALESCE(
+            (
+                -- 'approval' wins over 'auto' when an op appears in both arrays
+                -- (MIN('approval', 'auto') = 'approval' lexicographically).
+                SELECT jsonb_object_agg(op_key, mode)
+                FROM (
+                    SELECT op_key, MIN(mode) AS mode
+                    FROM (
+                        SELECT op_key, 'approval'::text AS mode
+                        FROM jsonb_array_elements_text(
+                            CASE
+                                WHEN jsonb_typeof(config->'require_approval_actions') = 'array'
+                                    THEN config->'require_approval_actions'
+                                ELSE '[]'::jsonb
+                            END
+                        ) AS op_key
+                        UNION ALL
+                        SELECT op_key, 'auto'::text AS mode
+                        FROM jsonb_array_elements_text(
+                            CASE
+                                WHEN jsonb_typeof(config->'auto_approve_actions') = 'array'
+                                    THEN config->'auto_approve_actions'
+                                ELSE '[]'::jsonb
+                            END
+                        ) AS op_key
+                    ) all_modes
+                    GROUP BY op_key
+                ) collapsed
+            ),
+            '{}'::jsonb
+        )
+    )
+WHERE config IS NOT NULL
+  AND (
+      config ? 'auto_approve_actions'
+      OR config ? 'require_approval_actions'
+  );
+
+-- migrate:down
+
+-- Reverse the collapse: split action_modes back into the two arrays.
+-- 'auto'     → auto_approve_actions
+-- 'approval' → require_approval_actions
+-- 'disabled' has no pre-refactor equivalent and is silently dropped on
+-- downgrade — the agent will see the op again as if no override existed.
+UPDATE public.connections
+SET config = (
+        COALESCE(config, '{}'::jsonb) - 'action_modes'
+    )
+    || jsonb_build_object(
+        'auto_approve_actions',
+        COALESCE(
+            (
+                SELECT jsonb_agg(key)
+                FROM jsonb_each_text(config->'action_modes')
+                WHERE value = 'auto'
+            ),
+            '[]'::jsonb
+        ),
+        'require_approval_actions',
+        COALESCE(
+            (
+                SELECT jsonb_agg(key)
+                FROM jsonb_each_text(config->'action_modes')
+                WHERE value = 'approval'
+            ),
+            '[]'::jsonb
+        )
+    )
+WHERE config IS NOT NULL
+  AND jsonb_typeof(config->'action_modes') = 'object';

package/dist/db/migrations/20260514160000_auth_profiles_mirror_mode.sql

@@ -0,0 +1,32 @@
+-- migrate:up
+-- Relax the device-binding XOR for browser_session profiles to allow
+-- mirror mode, where neither user_data_dir nor cdp_url is set on the
+-- row (the source profile dir lives in auth_data.source_profile_dir).
+-- Keep the mutual exclusion of the two columns so they can't be set
+-- together; application validation enforces "exactly one of mirror /
+-- cdp / legacy" per row.
+
+ALTER TABLE auth_profiles
+  DROP CONSTRAINT IF EXISTS auth_profiles_device_browser_path_xor;
+
+ALTER TABLE auth_profiles
+  ADD CONSTRAINT auth_profiles_device_browser_path_mutex
+  CHECK (
+    device_worker_id IS NULL
+    OR profile_kind <> 'browser_session'
+    OR user_data_dir IS NULL
+    OR cdp_url IS NULL
+  );
+
+-- migrate:down
+ALTER TABLE auth_profiles
+  DROP CONSTRAINT IF EXISTS auth_profiles_device_browser_path_mutex;
+
+ALTER TABLE auth_profiles
+  ADD CONSTRAINT auth_profiles_device_browser_path_xor
+  CHECK (
+    device_worker_id IS NULL
+    OR profile_kind <> 'browser_session'
+    OR ((user_data_dir IS NOT NULL) AND (cdp_url IS NULL))
+    OR ((user_data_dir IS NULL) AND (cdp_url IS NOT NULL))
+  );

package/dist/db/migrations/20260515120000_agents_per_org_pk.sql

@@ -0,0 +1,66 @@
+-- migrate:up
+-- Phase A of moving `agents` from a globally-unique `id` PK to a per-org
+-- composite PK `(organization_id, id)`. The application has always treated
+-- agents as org-scoped (every read/delete/list filters by organization_id),
+-- so the global PK is a latent footgun: two orgs cannot share an agent ID,
+-- and a stale agent in one org silently blocks another org from using the
+-- same name.
+--
+-- This phase is INTENTIONALLY NON-BREAKING. It only:
+--   1. Adds an `organization_id` column to each FK-holding child table
+--      (NULLABLE — backfilled here, set NOT NULL in a later phase once the
+--      app-code refactor lands so every INSERT writes the value).
+--   2. Backfills `organization_id` from agents (no orphan rows in prod).
+--   3. Adds a parallel UNIQUE constraint on `agents (organization_id, id)`
+--      so the schema is ready for the eventual PK swap.
+--   4. Adds composite indexes on each child table so the upcoming
+--      org-scoped query patterns are fast from day one.
+--
+-- The single-column PK on agents and the single-column FKs on child tables
+-- stay in place. App code keeps working unmodified. The PK swap and FK
+-- composite migration ship in a separate PR after the storage interfaces
+-- are plumbed with `organization_id`.
+
+-- ── 1. Add organization_id columns (nullable for now).
+ALTER TABLE agent_grants            ADD COLUMN organization_id text;
+ALTER TABLE agent_connections       ADD COLUMN organization_id text;
+ALTER TABLE agent_users             ADD COLUMN organization_id text;
+ALTER TABLE agent_channel_bindings  ADD COLUMN organization_id text;
+ALTER TABLE grants                  ADD COLUMN organization_id text;
+
+-- ── 2. Backfill from agents.
+UPDATE agent_grants           SET organization_id = a.organization_id FROM agents a WHERE agent_grants.agent_id            = a.id;
+UPDATE agent_connections      SET organization_id = a.organization_id FROM agents a WHERE agent_connections.agent_id       = a.id;
+UPDATE agent_users            SET organization_id = a.organization_id FROM agents a WHERE agent_users.agent_id             = a.id;
+UPDATE agent_channel_bindings SET organization_id = a.organization_id FROM agents a WHERE agent_channel_bindings.agent_id  = a.id;
+UPDATE grants                 SET organization_id = a.organization_id FROM agents a WHERE grants.agent_id                  = a.id;
+
+-- ── 3. Parallel UNIQUE on agents (organization_id, id). The single-column
+--     PK on (id) stays — this is purely additive and signals to readers
+--     that org-scoped uniqueness is the eventual model. The PK swap in a
+--     later migration will drop this UNIQUE and reuse the index for the
+--     new composite PK.
+ALTER TABLE agents
+  ADD CONSTRAINT agents_organization_id_id_key UNIQUE (organization_id, id);
+
+-- ── 4. Composite indexes on child tables for upcoming org-scoped queries.
+CREATE INDEX agent_grants_org_agent_idx           ON agent_grants           (organization_id, agent_id);
+CREATE INDEX agent_connections_org_agent_idx      ON agent_connections      (organization_id, agent_id);
+CREATE INDEX agent_users_org_agent_idx            ON agent_users            (organization_id, agent_id);
+CREATE INDEX agent_channel_bindings_org_agent_idx ON agent_channel_bindings (organization_id, agent_id);
+CREATE INDEX grants_org_agent_idx                 ON grants                 (organization_id, agent_id);
+
+-- migrate:down
+DROP INDEX IF EXISTS grants_org_agent_idx;
+DROP INDEX IF EXISTS agent_channel_bindings_org_agent_idx;
+DROP INDEX IF EXISTS agent_users_org_agent_idx;
+DROP INDEX IF EXISTS agent_connections_org_agent_idx;
+DROP INDEX IF EXISTS agent_grants_org_agent_idx;
+
+ALTER TABLE agents DROP CONSTRAINT IF EXISTS agents_organization_id_id_key;
+
+ALTER TABLE grants                  DROP COLUMN IF EXISTS organization_id;
+ALTER TABLE agent_channel_bindings  DROP COLUMN IF EXISTS organization_id;
+ALTER TABLE agent_users             DROP COLUMN IF EXISTS organization_id;
+ALTER TABLE agent_connections       DROP COLUMN IF EXISTS organization_id;
+ALTER TABLE agent_grants            DROP COLUMN IF EXISTS organization_id;