@minion-stack/db 0.7.0 → 0.9.0

package/src/pg/schema/auth.ts

@@ -0,0 +1,198 @@
+/**
+ * Better Auth schema tables — Postgres variant.
+ *
+ * Faithful 1:1 port of `../../schema/auth/index.ts` (sqlite) for the Turso→Supabase
+ * Better Auth cutover (Stage 5 / Track B). Export NAMES must match Better Auth's
+ * model names (`user`, `session`, …) because the auth factory passes this module
+ * straight to the drizzle adapter. Ids stay `text` (Better Auth generates string
+ * ids — keeping them text preserves existing ids across the store migration, so
+ * `profiles.legacy_user_id` keeps mapping). sqlite `integer{mode:timestamp}` →
+ * `timestamptz`; `integer{mode:boolean}` → `boolean`.
+ *
+ * Provider: pg, plugins: emailAndPassword, google OAuth, jwt, organization, oidc.
+ */
+import { pgTable, text, timestamp, boolean, index } from 'drizzle-orm/pg-core';
+
+// ── Core: user ──────────────────────────────────────────────────────────────
+export const user = pgTable('user', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  email: text('email').notNull().unique(),
+  emailVerified: boolean('email_verified').notNull(),
+  image: text('image'),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+  role: text('role', { enum: ['user', 'admin'] })
+    .notNull()
+    .default('user'),
+  personalAgentId: text('personal_agent_id'),
+});
+
+// ── Core: session ────────────────────────────────────────────────────────────
+export const session = pgTable(
+  'session',
+  {
+    id: text('id').primaryKey(),
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    token: text('token').notNull().unique(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+    ipAddress: text('ip_address'),
+    userAgent: text('user_agent'),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    // Added by organization plugin
+    activeOrganizationId: text('active_organization_id'),
+  },
+  (t) => [index('idx_session_user').on(t.userId)],
+);
+
+// ── Core: account ────────────────────────────────────────────────────────────
+export const account = pgTable(
+  'account',
+  {
+    id: text('id').primaryKey(),
+    accountId: text('account_id').notNull(),
+    providerId: text('provider_id').notNull(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    accessToken: text('access_token'),
+    refreshToken: text('refresh_token'),
+    idToken: text('id_token'),
+    accessTokenExpiresAt: timestamp('access_token_expires_at', { withTimezone: true }),
+    refreshTokenExpiresAt: timestamp('refresh_token_expires_at', { withTimezone: true }),
+    scope: text('scope'),
+    password: text('password'),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+  },
+  (t) => [index('idx_account_user').on(t.userId)],
+);
+
+// ── Core: verification ────────────────────────────────────────────────────────
+export const verification = pgTable(
+  'verification',
+  {
+    id: text('id').primaryKey(),
+    identifier: text('identifier').notNull(),
+    value: text('value').notNull(),
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+  },
+  (t) => [index('idx_verification_identifier').on(t.identifier)],
+);
+
+// ── JWT plugin: jwks ─────────────────────────────────────────────────────────
+export const jwks = pgTable('jwks', {
+  id: text('id').primaryKey(),
+  publicKey: text('public_key').notNull(),
+  privateKey: text('private_key').notNull(),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+});
+
+// ── Organization plugin: organization ────────────────────────────────────────
+export const organization = pgTable('organization', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  slug: text('slug').unique(),
+  logo: text('logo'),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  metadata: text('metadata'),
+});
+
+// ── Organization plugin: member ───────────────────────────────────────────────
+export const member = pgTable(
+  'member',
+  {
+    id: text('id').primaryKey(),
+    organizationId: text('organization_id')
+      .notNull()
+      .references(() => organization.id, { onDelete: 'cascade' }),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    role: text('role').notNull(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  },
+  (t) => [index('idx_member_org').on(t.organizationId), index('idx_member_user').on(t.userId)],
+);
+
+// ── Organization plugin: invitation ──────────────────────────────────────────
+export const invitation = pgTable(
+  'invitation',
+  {
+    id: text('id').primaryKey(),
+    organizationId: text('organization_id')
+      .notNull()
+      .references(() => organization.id, { onDelete: 'cascade' }),
+    email: text('email').notNull(),
+    role: text('role'),
+    status: text('status').notNull(),
+    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
+    inviterId: text('inviter_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  },
+  (t) => [index('idx_invitation_org').on(t.organizationId)],
+);
+
+// ── OIDC provider plugin: oauthApplication ──────────────────────────────────
+export const oauthApplication = pgTable('oauth_application', {
+  id: text('id').primaryKey(),
+  name: text('name').notNull(),
+  icon: text('icon'),
+  metadata: text('metadata'),
+  clientId: text('client_id').notNull().unique(),
+  clientSecret: text('client_secret'),
+  redirectUrls: text('redirect_urls').notNull(),
+  type: text('type').notNull(),
+  disabled: boolean('disabled').default(false),
+  userId: text('user_id').references(() => user.id, { onDelete: 'cascade' }),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+});
+
+// ── OIDC provider plugin: oauthAccessToken ──────────────────────────────────
+export const oauthAccessToken = pgTable(
+  'oauth_access_token',
+  {
+    id: text('id').primaryKey(),
+    accessToken: text('access_token').notNull().unique(),
+    refreshToken: text('refresh_token').notNull().unique(),
+    accessTokenExpiresAt: timestamp('access_token_expires_at', { withTimezone: true }).notNull(),
+    refreshTokenExpiresAt: timestamp('refresh_token_expires_at', { withTimezone: true }).notNull(),
+    clientId: text('client_id').notNull(),
+    userId: text('user_id').references(() => user.id, { onDelete: 'cascade' }),
+    scopes: text('scopes').notNull(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+  },
+  (t) => [
+    index('idx_oauth_access_token_client').on(t.clientId),
+    index('idx_oauth_access_token_user').on(t.userId),
+  ],
+);
+
+// ── OIDC provider plugin: oauthConsent ──────────────────────────────────────
+export const oauthConsent = pgTable(
+  'oauth_consent',
+  {
+    id: text('id').primaryKey(),
+    clientId: text('client_id').notNull(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    scopes: text('scopes').notNull(),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull(),
+    consentGiven: boolean('consent_given').notNull(),
+  },
+  (t) => [
+    index('idx_oauth_consent_client').on(t.clientId),
+    index('idx_oauth_consent_user').on(t.userId),
+  ],
+);

package/src/pg/schema/builder.ts

@@ -123,7 +123,9 @@ export const builtAgents = pgTable(
       .notNull()
       .default('draft'),
     gatewayId: uuid('gateway_id').references(() => gateway.id, { onDelete: 'cascade' }),
-    tenantId: uuid('tenant_id'),
+    // Org-owned (Phase 4: no global drafts). Matches the NOT NULL constraint in
+    // 20260606224238_built_agents_tenant_not_null.sql.
+    tenantId: uuid('tenant_id').notNull(),
     createdBy: text('created_by'),
     publishedAt: timestamp('published_at', { withTimezone: true }),
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),

package/src/pg/schema/channels.ts

@@ -1,4 +1,14 @@
-import { pgTable, uuid, text, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';
+import {
+  pgTable,
+  uuid,
+  text,
+  timestamp,
+  boolean,
+  integer,
+  index,
+  uniqueIndex,
+} from 'drizzle-orm/pg-core';
+import { sql } from 'drizzle-orm';
 import { gateway } from './gateway.js';
 import { profiles } from './profiles.js';
 
@@ -19,19 +29,70 @@ export const channels = pgTable(
       .notNull()
       .references(() => gateway.id, { onDelete: 'cascade' }),
     type: text('type', { enum: ['discord', 'whatsapp', 'telegram'] }).notNull(),
+    // Gateway account key (phone/handle, e.g. '+51906090526') — the join to the
+    // gateway's per-account config. Nullable for legacy rows; the natural upsert
+    // key for a linked account is (tenant_id, gateway_id, type, account_id).
+    accountId: text('account_id'),
     label: text('label').notNull(),
     credentials: text('credentials').notNull().default(''),
     credentialsIv: text('credentials_iv').notNull().default(''),
     credentialsMeta: text('credentials_meta').notNull().default('{}'),
+    // Observed coarse status (kept for existing consumers / hub badge).
     status: text('status', { enum: ['active', 'inactive', 'pairing'] })
       .notNull()
       .default('inactive'),
+
+    // --- Intent (user-configured rules; one concern per column). See
+    //     specs/2026-06-19-linked-channels-config-restructure.md ---
+    // Should the gateway hold a live session (runtime enable/disable).
+    enabled: boolean('enabled').notNull().default(true),
+    // Reply behavior. 'none' = noAgent (never reply, even owner/self); 'bound' =
+    // reply only where a channel_bindings row matches. No 'auto' on purpose.
+    replies: text('replies', { enum: ['none', 'bound'] }).notNull().default('none'),
+    // DM sender access gate (consulted only when replies='bound'). [] = nobody,
+    // ['*'] = anyone. Replaces the old dm_policy enum (derivable from this).
+    allowFrom: text('allow_from').array().notNull().default(sql`'{}'`),
+    groupAllowFrom: text('group_allow_from').array().notNull().default(sql`'{}'`),
+    // Groups reply only when @-mentioned.
+    requireMention: boolean('require_mention').notNull().default(true),
+
+    // --- Observed (gateway-reported, read-only) ---
+    reconnectCount: integer('reconnect_count').notNull().default(0),
+    lastSeenAt: timestamp('last_seen_at', { withTimezone: true }),
+    lastError: text('last_error'),
+
     createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
     updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
   },
   (t) => [
     index('idx_channels_tenant_gateway').on(t.tenantId, t.gatewayId),
     uniqueIndex('channels_uniq_type_label').on(t.tenantId, t.gatewayId, t.type, t.label),
+    // Upsert key for gateway-account sync (account_id is the gateway account key).
+    uniqueIndex('channels_uniq_type_account').on(t.tenantId, t.gatewayId, t.type, t.accountId),
+  ],
+);
+
+/**
+ * Agent routing for a channel. A channel with NO rows here resolves to no agent
+ * (receive-only). agent_id NULL on a row is an explicit noAgent binding. Match
+ * specificity orders resolution: dm_peer > group > catchall (no priority column).
+ */
+export const channelBindings = pgTable(
+  'channel_bindings',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    tenantId: uuid('tenant_id').notNull(),
+    channelId: text('channel_id')
+      .notNull()
+      .references(() => channels.id, { onDelete: 'cascade' }),
+    matchKind: text('match_kind', { enum: ['catchall', 'dm_peer', 'group'] }).notNull(),
+    matchPeer: text('match_peer'),
+    agentId: text('agent_id'), // null = explicit noAgent
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  },
+  (t) => [
+    index('idx_channel_bindings_channel').on(t.channelId),
+    uniqueIndex('channel_bindings_uniq').on(t.channelId, t.matchKind, t.matchPeer),
   ],
 );
 

package/src/pg/schema/gateway.ts

@@ -9,6 +9,10 @@ import { profiles } from './profiles.js';
 export const gateway = pgTable('gateway', {
   id: uuid('id').primaryKey().defaultRandom(),
   legacyServerId: text('legacy_server_id'),
+  // Owning org (soft ref to organizations.id). Used by server-token ingest auth
+  // (resolveServerTokenAuth) to resolve the tenant — the Turso `servers.tenant_id`
+  // equivalent. Nullable during the Turso→Supabase gateway-token cutover bake.
+  orgId: uuid('org_id'),
   name: text('name').notNull(),
   url: text('url').notNull(),
   tokenCiphertext: text('token_ciphertext').notNull().default(''),

package/src/pg/schema/index.ts

@@ -34,7 +34,12 @@ export {
   agentBuiltSkills,
   builtTools,
 } from './builder.js';
-export { channels, channelAssignments, channelIdentities } from './channels.js';
+export {
+  channels,
+  channelAssignments,
+  channelIdentities,
+  channelBindings,
+} from './channels.js';
 export { sessions, sessionTasks } from './sessions.js';
 export { missions, tasks } from './missions.js';
 export { chatMessages } from './chat-messages.js';
@@ -50,3 +55,19 @@ export { workspaceMembership } from './workspace-membership.js';
 export type { WorkspaceMembership, NewWorkspaceMembership } from './workspace-membership.js';
 // Org-scoped agent memory corpus (pgvector) — RAG retrieval + hub visualization.
 export { agentMemories } from './agent-memories.js';
+// Better Auth tables (Postgres) — Turso→Supabase Better Auth cutover (Track B).
+// Export names mirror Better Auth's model names so the auth factory can pass
+// this module straight to the drizzle adapter (provider: 'pg').
+export {
+  user,
+  session,
+  account,
+  verification,
+  jwks,
+  organization,
+  member,
+  invitation,
+  oauthApplication,
+  oauthAccessToken,
+  oauthConsent,
+} from './auth.js';

package/src/schema/bugs.ts

@@ -26,5 +26,11 @@ export const bugs = sqliteTable(
     createdAt: integer('created_at').notNull(),
     updatedAt: integer('updated_at').notNull(),
   },
-  (t) => [index('idx_bugs_tenant').on(t.tenantId), index('idx_bugs_server').on(t.serverId)],
+  (t) => [
+    index('idx_bugs_tenant').on(t.tenantId),
+    index('idx_bugs_server').on(t.serverId),
+    // Covers the tenant-scoped bug list (bug.service.ts listBugs): tenant_id,
+    // ordered by created_at desc.
+    index('idx_bugs_tenant_created').on(t.tenantId, t.createdAt),
+  ],
 );

package/src/schema/connection-events.ts

@@ -19,8 +19,8 @@ export const connectionEvents = sqliteTable(
     reason: text('reason'),
     occurredAt: integer('occurred_at').notNull(),
   },
-  (t) => [
-    index('idx_conn_events_tenant').on(t.tenantId),
-    index('idx_conn_events_server').on(t.serverId),
-  ],
+  // No service reads or writes this table. The server index was pure write-tax for
+  // a query pattern that never runs — dropped. The tenant index is retained so the
+  // organization onDelete: cascade stays cheap.
+  (t) => [index('idx_conn_events_tenant').on(t.tenantId)],
 );

package/src/schema/index.ts

@@ -33,7 +33,6 @@ export { marketplaceAgents } from './marketplace-agents.js';
 export { marketplaceInstalls } from './marketplace-installs.js';
 export { workshopSaves } from './workshop-saves.js';
 export { deviceIdentities } from './device-identities.js';
-export { flows } from './flows.js';
 export { userServers } from './user-servers.js';
 export { userAgents } from './user-agents.js';
 export { channels } from './channels.js';

package/src/schema/reliability-events.ts

@@ -23,10 +23,9 @@ export const reliabilityEvents = sqliteTable(
     occurredAt: integer('occurred_at').notNull(),
     createdAt: integer('created_at').notNull(),
   },
-  (t) => [
-    index('idx_rel_events_server_cat_time').on(t.serverId, t.category, t.occurredAt),
-    index('idx_rel_events_server_time').on(t.serverId, t.occurredAt),
-    index('idx_rel_events_server_sev_time').on(t.serverId, t.severity, t.occurredAt),
-    index('idx_rel_events_tenant').on(t.tenantId),
-  ],
+  // No service reads or writes this table (the reliability dashboard streams live
+  // data over WS from the gateway, not from the DB). The three server_* composite
+  // indexes were pure write-tax for query patterns that never run — dropped. The
+  // tenant index is retained so the organization onDelete: cascade stays cheap.
+  (t) => [index('idx_rel_events_tenant').on(t.tenantId)],
 );

package/src/schema/unified-events.ts

@@ -27,6 +27,9 @@ export const unifiedEvents = sqliteTable(
     index('idx_unified_events_tenant').on(t.tenantId),
     index('idx_unified_events_server_cat_time').on(t.serverId, t.category, t.occurredAt),
     index('idx_unified_events_server_time').on(t.serverId, t.occurredAt),
+    // Covers the severity-filtered event list (events.service.ts listEvents):
+    // server_id + severity, ordered by occurred_at desc.
+    index('idx_unified_events_server_sev_time').on(t.serverId, t.severity, t.occurredAt),
     index('idx_unified_events_correlation').on(t.correlationId),
     uniqueIndex('idx_unified_events_dedup').on(t.tenantId, t.serverId, t.localEventId),
   ],

package/src/schema/flows.ts

@@ -1,14 +0,0 @@
-import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
-
-export const flows = sqliteTable('flows', {
-  id: text('id').primaryKey(),
-  name: text('name').notNull(),
-  nodes: text('nodes').notNull().default('[]'), // JSON string of FlowNode[]
-  edges: text('edges').notNull().default('[]'), // JSON string of FlowEdge[]
-  userId: text('user_id'), // owner — null for pre-migration rows (treated as shared)
-  tenantId: text('tenant_id'), // tenant scope — null for pre-migration rows
-  createdAt: integer('created_at').notNull(),
-  updatedAt: integer('updated_at').notNull(),
-  active: integer('active', { mode: 'boolean' }).notNull().default(false),
-  config: text('config').notNull().default('{}'),
-});