@nightowlsdev/storage-supabase 0.3.0

package/dist/index.cjs

@@ -0,0 +1,1825 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+
+// src/index.ts
+var index_exports = {};
+__export(index_exports, {
+  MIGRATIONS: () => MIGRATIONS,
+  createMastraPgStore: () => createMastraPgStore,
+  createMastraVectorStore: () => createMastraVectorStore,
+  createPostgresFloor: () => createPostgresFloor,
+  createSupabaseStorage: () => createSupabaseStorage,
+  listAgentVersions: () => listAgentVersions,
+  nightOwlsPlugin: () => nightOwlsPlugin,
+  publishAgentVersion: () => publishAgentVersion,
+  rollbackAgentVersion: () => rollbackAgentVersion
+});
+module.exports = __toCommonJS(index_exports);
+
+// src/client.ts
+var import_pg = require("pg");
+var import_supabase_js = require("@supabase/supabase-js");
+function makeCtx(o) {
+  if (/:6543\b/.test(o.dbUrl)) throw new Error("dbUrl must be the Session/Direct port (5432), not the Transaction pooler (6543) \u2014 @mastra/pg/pg prepared statements break on 6543");
+  const isLocal = o.dbUrl.includes("127.0.0.1") || o.dbUrl.includes("localhost");
+  const ssl = isLocal ? void 0 : o.ssl ?? true;
+  const pool = new import_pg.Pool({ connectionString: o.dbUrl, max: o.max ?? 10, ssl, options: "-c search_path=nightowls,public" });
+  const sb = (0, import_supabase_js.createClient)(o.url, o.secretKey, { auth: { persistSession: false } });
+  return { pool, sb };
+}
+
+// src/events.ts
+var import_core = require("@nightowlsdev/core");
+
+// src/sql.ts
+async function one(pool, text, params = []) {
+  const r = await pool.query(text, params);
+  return r.rows[0] ?? null;
+}
+async function many(pool, text, params = []) {
+  const r = await pool.query(text, params);
+  return r.rows;
+}
+
+// src/subscribe.ts
+var fromWire = (w) => ({ ...w.payload, seq: w.seq, runId: w.run_id });
+function makeSubscribe(ctx, accessToken) {
+  return function subscribe(runId) {
+    return { [Symbol.asyncIterator]() {
+      return iterator(ctx, runId, accessToken);
+    } };
+  };
+}
+function iterator(ctx, runId, accessToken) {
+  const buffer = [];
+  const waiters = [];
+  let failure = null, closed = false, channel = null;
+  const push = (ev) => {
+    const w = waiters.shift();
+    if (w) w({ value: ev, done: false });
+    else buffer.push(ev);
+  };
+  const fail = (err) => {
+    failure = err;
+    while (waiters.length) waiters.shift()({ value: void 0, done: true });
+  };
+  const ready = (async () => {
+    await ctx.sb.realtime.setAuth(accessToken);
+    channel = ctx.sb.channel(`run:${runId}`, { config: { private: true } }).on("broadcast", { event: "*" }, ({ payload }) => push(fromWire(payload))).subscribe((status, err) => {
+      if (closed) return;
+      if (status === "CHANNEL_ERROR" || status === "TIMED_OUT") fail(err ?? new Error(`realtime ${status} for run:${runId}`));
+    });
+  })();
+  const teardown = async () => {
+    closed = true;
+    if (channel) await ctx.sb.removeChannel(channel);
+  };
+  return {
+    async next() {
+      await ready;
+      if (buffer.length) return { value: buffer.shift(), done: false };
+      if (failure) {
+        await teardown();
+        throw failure;
+      }
+      if (closed) return { value: void 0, done: true };
+      const r = await new Promise((res) => waiters.push(res));
+      if (r.done) {
+        if (failure) {
+          await teardown();
+          throw failure;
+        }
+        return { value: void 0, done: true };
+      }
+      return r;
+    },
+    async return() {
+      await teardown();
+      return { value: void 0, done: true };
+    }
+  };
+}
+
+// src/events.ts
+var orgCache = new import_core.RowCache({ max: 1e3, ttlMs: 6e4 });
+async function orgOf(ctx, runId) {
+  return orgCache.get(runId, async () => {
+    const row = await one(ctx.pool, "select org_id from runs where id = $1", [runId]);
+    if (!row) throw new Error(`unknown run: ${runId}`);
+    return row.org_id;
+  });
+}
+function fromRow(r) {
+  return { ...r.payload, seq: Number(r.seq), runId: r.run_id };
+}
+function makeEventStore(ctx) {
+  return {
+    async append(e) {
+      const orgId = await orgOf(ctx, e.runId);
+      const row = await one(
+        ctx.pool,
+        `insert into events(org_id, run_id, type, agent_slug, from_agent, payload, schema_version, ts)
+         values($1,$2,$3,$4,$5,$6,$7,$8) returning seq`,
+        [orgId, e.runId, e.type, e.agentSlug, null, e, e.schemaVersion, e.ts]
+      );
+      return Number(row.seq);
+    },
+    // R11: org-scoped — a forged cross-org runId returns [] at the store (the service connection bypasses RLS,
+    // so tenancy is enforced in code, not just by the caller). This closes the events-hydrate cross-org read.
+    async list(tenantId, runId, sinceSeq) {
+      const rows = await many(ctx.pool, "select run_id, seq, payload from events where org_id=$1 and run_id=$2 and seq>$3 order by seq", [tenantId, runId, sinceSeq]);
+      return rows.map(fromRow);
+    },
+    subscribe: makeSubscribe(ctx)
+  };
+}
+
+// src/runs.ts
+var READ_STATUS = { running: "running", suspended: "suspended", waiting: "suspended", done: "done", success: "done", failed: "failed", bailed: "failed" };
+function makeRunStore(ctx) {
+  return {
+    async create(run) {
+      await ctx.pool.query(
+        `insert into runs(id, org_id, user_id, agent_slug, thread_id, resource_id, runner, status)
+         values($1,$2,$3,$4,$5,$6,'nextjs','running') on conflict (id) do nothing`,
+        [run.runId, run.tenantId, run.userId, run.agentSlug, run.threadId, `${run.tenantId}:${run.userId}`]
+      );
+    },
+    async setStatus(runId, status, _patch) {
+      await ctx.pool.query("update runs set status=$2, updated_at=now() where id=$1", [runId, status]);
+    },
+    async saveSnapshot(runId, snapshot) {
+      await ctx.pool.query("update runs set snapshot=$2, updated_at=now() where id=$1", [runId, JSON.stringify(snapshot)]);
+    },
+    // R11: org-scoped — a cross-org runId returns null at the store (the service connection bypasses RLS, so
+    // tenancy is enforced in code). Resume also gates via findSuspended; this is defense-in-depth.
+    async loadSnapshot(tenantId, runId) {
+      const r = await one(ctx.pool, "select snapshot from runs where id=$1 and org_id=$2", [runId, tenantId]);
+      return r?.snapshot ?? null;
+    },
+    async findSuspended(tenantId, followupId) {
+      const r = await one(
+        ctx.pool,
+        "select run_id, tool_call_id from followups where id=$1 and org_id=$2 and answered_at is null",
+        [followupId, tenantId]
+      );
+      return r ? { runId: r.run_id, toolCallId: r.tool_call_id } : null;
+    },
+    async get(runId) {
+      const r = await one(
+        ctx.pool,
+        "select id, org_id, user_id, thread_id, agent_slug, status from runs where id=$1",
+        [runId]
+      );
+      return r ? { runId: r.id, tenantId: r.org_id, userId: r.user_id, threadId: r.thread_id, agentSlug: r.agent_slug, status: READ_STATUS[r.status] ?? "running" } : null;
+    },
+    async listActive(tenantId, container) {
+      const { rows } = await ctx.pool.query(
+        `select id, thread_id, agent_slug, status from runs
+          where org_id=$1 and (thread_id=$2 or left(thread_id, length($2)+1) = $2 || ':')
+            and (status='suspended' or (status='running' and updated_at > now() - interval '10 minutes'))`,
+        [tenantId, container]
+      );
+      return rows.map((r) => ({ runId: r.id, threadId: r.thread_id, agentSlug: r.agent_slug, status: READ_STATUS[r.status] ?? "running" }));
+    },
+    // R14: the user's distinct containers (newest-active first) for participation-based listThreads. One query
+    // over the runs the user owns; container = thread_id before any ':lane' (split_part is injection-safe).
+    async listUserContainers(tenantId, userId, limit = 50) {
+      const { rows } = await ctx.pool.query(
+        `select split_part(thread_id, ':', 1) as container, max(updated_at) as last
+           from runs where org_id=$1 and user_id=$2
+          group by 1 order by last desc limit $3`,
+        [tenantId, userId, limit]
+      );
+      return rows.map((r) => r.container);
+    },
+    // R14 security gate: may this user read this container? True iff it has NO runs (empty/new — nothing to
+    // protect) OR the user has a run in it (participant). One query; split_part is injection-safe.
+    async canAccessContainer(tenantId, userId, container) {
+      const { rows } = await ctx.pool.query(
+        `select (not exists(select 1 from runs where org_id=$1 and split_part(thread_id, ':', 1)=$3))
+             or  exists(select 1 from runs where org_id=$1 and user_id=$2 and split_part(thread_id, ':', 1)=$3) as ok`,
+        [tenantId, userId, container]
+      );
+      return rows[0]?.ok ?? true;
+    },
+    // Durable runner (Plan 4): persist/read the vendor waitpoint token id on the followup row.
+    async attachWaitpoint(followupId, token, kind) {
+      await ctx.pool.query("update followups set waitpoint_token=$2, runner_kind=$3 where id=$1", [followupId, token, kind]);
+    },
+    async getWaitpoint(followupId) {
+      const r = await one(ctx.pool, "select waitpoint_token from followups where id=$1", [followupId]);
+      return r?.waitpoint_token ?? null;
+    }
+  };
+}
+
+// src/messages.ts
+function makeMessageStore(ctx) {
+  return {
+    async append(m) {
+      const org = await one(ctx.pool, "select org_id from threads where id=$1", [m.threadId]);
+      if (!org) throw new Error(`unknown thread: ${m.threadId}`);
+      await ctx.pool.query(
+        "insert into messages(org_id, thread_id, role, text, ts) values($1,$2,$3,$4, to_timestamp($5/1000.0))",
+        [org.org_id, m.threadId, m.role, m.text, m.ts]
+      );
+    },
+    // R11: org-scoped (defense-in-depth). NOTE: no production caller — the runner's history endpoint uses
+    // engine.history (Mastra recall, scoped by resourceId=tenant:user). Kept consistent with the tenant contract.
+    async history(tenantId, threadId, limit = 50) {
+      const rows = await many(ctx.pool, "select thread_id, role, text, extract(epoch from ts)*1000 as ts from messages where org_id=$1 and thread_id=$2 order by ts asc limit $3", [tenantId, threadId, limit]);
+      return rows.map((r) => ({ threadId: r.thread_id, role: r.role, text: r.text, ts: Number(r.ts) }));
+    }
+  };
+}
+
+// src/scratchpad.ts
+var import_core2 = require("@nightowlsdev/core");
+function makeScratchpadStore(ctx) {
+  return {
+    async write(tenantId, container, section, key, content, by) {
+      const col = section === "public" ? "public_entries" : "meta_entries";
+      const entry = JSON.stringify({ author: by.agentSlug, user: by.userId, requestedBy: by.requestedBy, content, ts: Date.now() });
+      await ctx.pool.query(
+        `insert into nightowls.scratchpad(org_id, container, ${col}, updated_by, updated_by_user, updated_at)
+           values($1,$2, jsonb_build_object($3::text, $4::jsonb), $5, $6, now())
+         on conflict (org_id, container) do update
+           set ${col} = (
+                 select coalesce(jsonb_object_agg(key, value), '{}'::jsonb)
+                   from (select key, value
+                           from jsonb_each(jsonb_set(coalesce(nightowls.scratchpad.${col}, '{}'::jsonb), array[$3::text], $4::jsonb, true))
+                          order by (value->>'ts')::bigint desc nulls last
+                          limit $7) top
+               ),
+               updated_by = $5, updated_by_user = $6, updated_at = now()`,
+        [tenantId, container, key, entry, by.agentSlug, by.userId, by.maxKeys ?? import_core2.SCRATCHPAD_MAX_KEYS]
+        // L3: per-write cap
+      );
+    },
+    async list(tenantId, container) {
+      const row = await one(
+        ctx.pool,
+        "select public_entries, meta_entries from nightowls.scratchpad where org_id=$1 and container=$2",
+        [tenantId, container]
+      );
+      if (!row) return [];
+      const out = [];
+      for (const section of ["public", "meta"]) {
+        const map = section === "public" ? row.public_entries : row.meta_entries;
+        for (const [key, e] of Object.entries(map ?? {})) {
+          out.push({ section, key, author: e.author, requestedBy: e.requestedBy ?? "unknown", content: e.content, updatedAt: Number(e.ts) });
+        }
+      }
+      return out;
+    }
+  };
+}
+
+// src/subscribe-invalidations.ts
+var INVALIDATE_CHANNEL = "nightowls_agent_invalidate";
+async function listenForInvalidations(ctx, onInvalidate) {
+  const client = await ctx.pool.connect();
+  const onNotification = (msg) => {
+    if (msg.channel === INVALIDATE_CHANNEL && msg.payload) onInvalidate(msg.payload);
+  };
+  client.on("notification", onNotification);
+  client.on("error", (e) => {
+    client.removeListener("notification", onNotification);
+    console.warn(
+      "[nightowls] agent-cache invalidation LISTEN connection errored \u2014 cross-process eviction paused until restart; the 30s cache TTL still bounds staleness:",
+      e instanceof Error ? e.message : e
+    );
+  });
+  await client.query(`LISTEN ${INVALIDATE_CHANNEL}`);
+  let released = false;
+  return {
+    unsubscribe: async () => {
+      if (released) return;
+      released = true;
+      client.removeListener("notification", onNotification);
+      try {
+        await client.query(`UNLISTEN ${INVALIDATE_CHANNEL}`);
+      } catch {
+      }
+      try {
+        client.release();
+      } catch {
+      }
+    }
+  };
+}
+
+// src/agents.ts
+function rowToVersion(r) {
+  return {
+    slug: r.slug,
+    version: r.version,
+    role: r.role,
+    personality: r.personality,
+    capabilities: r.capabilities ?? [],
+    skillNames: r.skill_names ?? [],
+    delegateSlugs: r.delegate_slugs ?? [],
+    modelId: r.model_id
+  };
+}
+function makeAgentRepo(ctx) {
+  return {
+    async head(tenantId, slug) {
+      const r = await one(
+        ctx.pool,
+        `select a.slug, v.version, v.role, v.personality, v.capabilities, v.skill_names, v.delegate_slugs, v.model_id
+         from agents a join agent_versions v on v.id = a.current_version_id
+         where a.org_id=$1 and a.slug=$2`,
+        [tenantId, slug]
+      );
+      return r ? rowToVersion(r) : null;
+    },
+    async getVersion(tenantId, slug, version) {
+      const r = await one(
+        ctx.pool,
+        `select a.slug, v.version, v.role, v.personality, v.capabilities, v.skill_names, v.delegate_slugs, v.model_id
+         from agents a join agent_versions v on v.agent_id = a.id
+         where a.org_id=$1 and a.slug=$2 and v.version=$3`,
+        [tenantId, slug, version]
+      );
+      return r ? rowToVersion(r) : null;
+    },
+    async listSlugs(tenantId) {
+      const rows = await many(ctx.pool, "select slug from agents where org_id=$1", [tenantId]);
+      return rows.map((r) => r.slug);
+    }
+  };
+}
+async function commitVersion(client, agentId, tenantId, content, action, actor, auditAfter) {
+  const nextV = (await client.query("select coalesce(max(version),0)+1 v from agent_versions where agent_id=$1", [agentId])).rows[0].v;
+  const ver = (await client.query(
+    `insert into agent_versions(agent_id, org_id, version, role, personality, capabilities, skill_names, delegate_slugs, model_id, status)
+     values($1,$2,$3,$4,$5,$6,$7,$8,$9,'published') returning id`,
+    [agentId, tenantId, nextV, content.role, content.personality, JSON.stringify(content.capabilities), JSON.stringify(content.skillNames), JSON.stringify(content.delegateSlugs), content.modelId]
+  )).rows[0];
+  await client.query("update agents set current_version_id=$2 where id=$1", [agentId, ver.id]);
+  await client.query(
+    "insert into audit_log(org_id, actor, action, entity, entity_id, after) values($1,$2,$3,'agent',$4,$5)",
+    [tenantId, actor, action, agentId, JSON.stringify({ version: nextV, ...auditAfter })]
+  );
+  return nextV;
+}
+async function notifyInvalidate(client, tenantId, slug) {
+  try {
+    await client.query("select pg_notify($1, $2)", [INVALIDATE_CHANNEL, `${tenantId}:${slug}`]);
+  } catch {
+  }
+}
+async function publishAgentVersion(ctx, def) {
+  const client = await ctx.pool.connect();
+  try {
+    await client.query("begin");
+    const agent = (await client.query(
+      `insert into agents(org_id, slug, is_orchestrator) values($1,$2,$3)
+       on conflict (org_id, project_id, slug) do update set slug=excluded.slug returning id`,
+      [def.tenantId, def.slug, def.role === "orchestrator"]
+    )).rows[0];
+    await commitVersion(client, agent.id, def.tenantId, def, "publish", def.actor ?? "seed", { slug: def.slug });
+    await client.query("commit");
+    await notifyInvalidate(client, def.tenantId, def.slug);
+  } catch (e) {
+    await client.query("rollback");
+    throw e;
+  } finally {
+    client.release();
+  }
+}
+async function listAgentVersions(ctx, tenantId, slug) {
+  const rows = await many(
+    ctx.pool,
+    `select v.version, v.role, v.model_id, v.status, (v.id = a.current_version_id) as is_current
+     from agents a join agent_versions v on v.agent_id = a.id
+     where a.org_id=$1 and a.slug=$2 order by v.version`,
+    [tenantId, slug]
+  );
+  return rows.map((r) => ({ version: Number(r.version), role: r.role, modelId: r.model_id, status: r.status, isCurrent: r.is_current }));
+}
+async function rollbackAgentVersion(ctx, args) {
+  const client = await ctx.pool.connect();
+  try {
+    await client.query("begin");
+    const target = (await client.query(
+      `select a.id as agent_id, v.role, v.personality, v.capabilities, v.skill_names, v.delegate_slugs, v.model_id
+       from agents a join agent_versions v on v.agent_id = a.id
+       where a.org_id=$1 and a.slug=$2 and v.version=$3`,
+      [args.tenantId, args.slug, args.toVersion]
+    )).rows[0];
+    if (!target) throw new Error(`cannot roll back ${args.slug} to v${args.toVersion}: no such version for this tenant`);
+    const content = {
+      role: target.role,
+      personality: target.personality,
+      capabilities: target.capabilities ?? [],
+      skillNames: target.skill_names ?? [],
+      delegateSlugs: target.delegate_slugs ?? [],
+      modelId: target.model_id
+    };
+    const version = await commitVersion(client, target.agent_id, args.tenantId, content, "rollback", args.actor ?? "rollback", {
+      slug: args.slug,
+      restoredFrom: args.toVersion
+    });
+    await client.query("commit");
+    await notifyInvalidate(client, args.tenantId, args.slug);
+    return { version, restoredFrom: args.toVersion };
+  } catch (e) {
+    await client.query("rollback");
+    throw e;
+  } finally {
+    client.release();
+  }
+}
+
+// src/mastra-store.ts
+var import_pg2 = require("@mastra/pg");
+function createMastraPgStore(opts) {
+  if (/:6543\b/.test(opts.dbUrl)) throw new Error("use Session/Direct port (5432), not the Transaction pooler (6543)");
+  return new import_pg2.PostgresStore({ id: "nightowls-mastra", connectionString: opts.dbUrl, disableInit: opts.disableInit ?? true, schemaName: "nightowls" });
+}
+function createMastraVectorStore(opts) {
+  if (/:6543\b/.test(opts.dbUrl)) throw new Error("use Session/Direct port (5432), not the Transaction pooler (6543)");
+  return new import_pg2.PgVector({ id: "nightowls-vector", connectionString: opts.dbUrl, schemaName: "nightowls" });
+}
+
+// src/migrations/0001_core.ts
+var M0001_CORE = {
+  version: "0001_core",
+  name: "corale core schema (orgs/agents/runs/events/... + RLS + realtime broadcast + grants)",
+  sql: (
+    /* sql */
+    `
+create schema if not exists corale;
+
+create table corale.orgs (
+  id uuid primary key default gen_random_uuid(), slug text not null, name text,
+  created_at timestamptz not null default now(), unique (slug)
+);
+create table corale.org_members (
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  user_id uuid not null, role text not null default 'member',
+  created_at timestamptz not null default now(), primary key (org_id, user_id)
+);
+create index org_members_user_idx on corale.org_members (user_id);
+
+create table corale.agents (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  project_id uuid, slug text not null, current_version_id uuid,
+  is_orchestrator boolean not null default false,
+  -- NULLS NOT DISTINCT (PG15+) so the common project_id = NULL case still collides on
+  -- (org, slug); without it \`ON CONFLICT (org_id, project_id, slug)\` in publishAgentVersion
+  -- never fires and a re-publish inserts a duplicate agent row (head then breaks).
+  created_at timestamptz not null default now(), unique nulls not distinct (org_id, project_id, slug)
+);
+create table corale.agent_versions (
+  id uuid primary key default gen_random_uuid(),
+  agent_id uuid not null references corale.agents(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  version integer not null,
+  role text not null default 'specialist' check (role in ('orchestrator','specialist')),
+  personality text not null, capabilities jsonb not null default '[]',
+  skill_names jsonb not null default '[]', delegate_slugs jsonb not null default '[]',
+  model_id text not null, model_settings jsonb not null default '{}', guardrails_override jsonb,
+  status text not null default 'draft' check (status in ('draft','published','archived')),
+  created_by uuid, created_at timestamptz not null default now(), unique (agent_id, version)
+);
+alter table corale.agents add constraint agents_current_version_fk
+  foreign key (current_version_id) references corale.agent_versions(id);
+
+create table corale.mcp_servers (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  slug text not null, transport text not null check (transport in ('stdio','http')),
+  config jsonb not null default '{}', auth_ref text,
+  auth_scope text not null default 'org' check (auth_scope in ('user','org')),
+  current_version_id uuid, created_at timestamptz not null default now(), unique (org_id, slug)
+);
+create table corale.api_connections (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  slug text not null, base_url text, auth_ref text,
+  auth_scope text not null default 'org' check (auth_scope in ('user','org')),
+  config jsonb not null default '{}', current_version_id uuid,
+  created_at timestamptz not null default now(), unique (org_id, slug)
+);
+create table corale.tools (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  slug text not null, kind text not null check (kind in ('predefined','user','mcp','rest')),
+  origin_mcp_server_id uuid references corale.mcp_servers(id),
+  origin_api_connection_id uuid references corale.api_connections(id),
+  current_version_id uuid, created_at timestamptz not null default now(), unique (org_id, slug)
+);
+create table corale.tool_versions (
+  id uuid primary key default gen_random_uuid(),
+  tool_id uuid not null references corale.tools(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  version integer not null, input_schema jsonb not null, output_schema jsonb,
+  config jsonb not null default '{}', needs_approval boolean not null default false,
+  created_at timestamptz not null default now(), unique (tool_id, version)
+);
+alter table corale.tools add constraint tools_current_version_fk
+  foreign key (current_version_id) references corale.tool_versions(id);
+create table corale.skills (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  tool_id uuid not null references corale.tools(id), slug text not null, description text not null,
+  current_version_id uuid, created_at timestamptz not null default now(), unique (org_id, slug)
+);
+create table corale.skill_versions (
+  id uuid primary key default gen_random_uuid(),
+  skill_id uuid not null references corale.skills(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  version integer not null, description text not null, config jsonb not null default '{}',
+  created_at timestamptz not null default now(), unique (skill_id, version)
+);
+alter table corale.skills add constraint skills_current_version_fk
+  foreign key (current_version_id) references corale.skill_versions(id);
+create table corale.agent_skills (
+  agent_version_id uuid not null references corale.agent_versions(id) on delete cascade,
+  skill_version_id uuid not null references corale.skill_versions(id),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  enabled boolean not null default true, primary key (agent_version_id, skill_version_id)
+);
+
+create table corale.swarms (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  project_id uuid, slug text not null, current_version_id uuid,
+  -- NULLS NOT DISTINCT (PG15+): same rationale as corale.agents \u2014 keep (org, NULL project, slug) unique.
+  created_at timestamptz not null default now(), unique nulls not distinct (org_id, project_id, slug)
+);
+create table corale.swarm_members (
+  swarm_id uuid not null references corale.swarms(id) on delete cascade,
+  agent_id uuid not null references corale.agents(id),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  role text not null default 'specialist' check (role in ('orchestrator','specialist')),
+  can_delegate_to uuid[] default '{}', primary key (swarm_id, agent_id)
+);
+create unique index one_orchestrator_per_swarm on corale.swarm_members (swarm_id) where role = 'orchestrator';
+
+create table corale.threads (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  project_id uuid, user_id text not null, title text, created_at timestamptz not null default now()
+);
+create table corale.runs (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  project_id uuid, user_id text not null, swarm_id uuid references corale.swarms(id),
+  agent_slug text not null, thread_id uuid not null references corale.threads(id),
+  mastra_run_id text, resource_id text not null,
+  runner text not null check (runner in ('nextjs','background')),
+  status text not null default 'running'
+    check (status in ('running','suspended','waiting','done','success','failed','bailed')),
+  agent_version_pins jsonb not null default '{}', usage jsonb, cost_usd numeric, trace_id text,
+  model_id text, snapshot jsonb, error jsonb,
+  created_at timestamptz not null default now(), updated_at timestamptz not null default now()
+);
+create index runs_thread_idx on corale.runs (thread_id);
+create index runs_status_idx on corale.runs (org_id, status);
+create index runs_user_idx on corale.runs (user_id);
+create table corale.run_steps (
+  id uuid primary key default gen_random_uuid(),
+  run_id uuid not null references corale.runs(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  agent_slug text not null, step_index integer not null,
+  type text not null check (type in ('delegation','tool','suspend','resume','finish')),
+  status text, tool_call_id text, followup_id text, suspend_payload jsonb, resume_payload jsonb,
+  finish_reason text, created_at timestamptz not null default now()
+);
+create index run_steps_run_idx on corale.run_steps (run_id, step_index);
+create index run_steps_suspended_idx on corale.run_steps (org_id, followup_id) where status = 'suspended';
+create table corale.run_usage (
+  id uuid primary key default gen_random_uuid(),
+  run_id uuid not null references corale.runs(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  step_index integer, model_id text, input_tokens integer, output_tokens integer, cost_usd numeric,
+  created_at timestamptz not null default now()
+);
+create index run_usage_run_idx on corale.run_usage (run_id);
+create table corale.followups (
+  id text primary key, run_id uuid not null references corale.runs(id) on delete cascade,
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  tool_call_id text not null, to_target text, answered_at timestamptz,
+  created_at timestamptz not null default now()
+);
+create index followups_run_idx on corale.followups (run_id);
+create table corale.messages (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  thread_id uuid not null references corale.threads(id) on delete cascade,
+  run_id uuid references corale.runs(id) on delete cascade,
+  role text not null check (role in ('user','assistant')), text text not null,
+  ts timestamptz not null default now()
+);
+create index messages_thread_idx on corale.messages (thread_id, ts);
+create table corale.events (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  run_id uuid not null references corale.runs(id) on delete cascade,
+  seq bigint generated always as identity, type text not null, agent_slug text,
+  from_agent text, to_agent text, payload jsonb not null,
+  schema_version smallint not null default 1, ts bigint, created_at timestamptz not null default now()
+);
+create index events_run_seq on corale.events (run_id, seq);
+create table corale.tenant_policies (
+  org_id uuid primary key references corale.orgs(id) on delete cascade,
+  allowed_models text[], max_cost_per_run_usd numeric, monthly_budget_usd numeric,
+  default_max_steps int, can_self_evolve boolean not null default false
+);
+create table corale.eval_runs (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  suite text not null, agent_slug text not null, score jsonb, created_at timestamptz not null default now()
+);
+create table corale.audit_log (
+  id uuid primary key default gen_random_uuid(),
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  actor text, action text not null, entity text not null, entity_id uuid,
+  before jsonb, after jsonb, created_at timestamptz not null default now()
+);
+create index audit_log_entity_idx on corale.audit_log (org_id, entity, entity_id);
+
+-- Redacted Broadcast-from-Database (CONTRACTS \xA74): forward stored SwarmEvent + authoritative seq.
+-- NOTE (m2): this original forwards new.payload verbatim \u2014 secret/PII scrubbing is the UPSTREAM emitter's
+-- job (the engine writes already-redacted SwarmEvents). SUPERSEDED by 0011_broadcast_allowlist, which
+-- create-or-replaces this function to forward only an explicit SwarmEvent field allowlist (R2,
+-- defense-in-depth). This definition is kept as-is for migration-history fidelity; 0011 is the live one.
+create or replace function corale.broadcast_event()
+  returns trigger language plpgsql security definer set search_path = '' as $$
+begin
+  perform realtime.send(
+    jsonb_build_object('type', new.type, 'seq', new.seq, 'run_id', new.run_id,
+      'from_agent', new.from_agent, 'to_agent', new.to_agent, 'payload', new.payload),
+    new.type, 'run:' || new.run_id::text, true);
+  return new;
+end; $$;
+create trigger trg_broadcast_event after insert on corale.events
+  for each row execute function corale.broadcast_event();
+
+-- RLS (defense-in-depth). corale.is_org_member drives reads; service_role bypasses everything.
+create or replace function corale.is_org_member(p_org uuid)
+  returns boolean language sql stable set search_path = '' as $$
+  select exists (select 1 from corale.org_members m
+    where m.org_id = p_org and m.user_id = (select auth.uid()));
+$$;
+do $$ declare t text; begin
+  foreach t in array array['orgs','org_members','agents','agent_versions',
+    'skills','skill_versions','tools','tool_versions','agent_skills',
+    'swarms','swarm_members','threads','runs','run_steps',
+    'run_usage','followups','messages','events','mcp_servers',
+    'api_connections','tenant_policies','eval_runs','audit_log']
+  loop execute format('alter table corale.%I enable row level security;', t); end loop; end $$;
+create policy org_read_orgs on corale.orgs for select to authenticated using ((select corale.is_org_member(id)));
+create policy self_read_membership on corale.org_members for select to authenticated using (user_id = (select auth.uid()));
+do $$ declare t text; begin
+  foreach t in array array['agents','agent_versions','skills','skill_versions',
+    'tools','tool_versions','agent_skills','swarms','swarm_members',
+    'threads','runs','run_steps','run_usage','followups','messages',
+    'events','tenant_policies','eval_runs','audit_log']
+  loop execute format('create policy org_read_%1$s on corale.%1$I for select to authenticated using ((select corale.is_org_member(org_id)));', t);
+       execute format('create index %1$s_org_idx on corale.%1$I (org_id);', t); end loop; end $$;
+-- corale.mcp_servers / corale.api_connections: no client read policy (secret refs). Server adapter only.
+create index mcp_servers_org_idx on corale.mcp_servers (org_id);
+create index api_connections_org_idx on corale.api_connections (org_id);
+
+-- Private Realtime read gate: only members of the run's org receive run:<id> broadcasts.
+create policy members_receive_run_events on realtime.messages for select to authenticated using (
+  realtime.messages.extension = 'broadcast' and (select realtime.topic()) like 'run:%'
+  and exists (select 1 from corale.runs r
+    where ('run:' || r.id::text) = (select realtime.topic()) and (select corale.is_org_member(r.org_id))));
+
+-- GRANTs (CRITICAL): a fresh schema is granted to nobody. Without these the JWT-scoped Realtime gate
+-- (is_org_member reading corale.org_members during a private subscribe) fails permission-denied.
+-- RLS still gates ROWS (default-deny on policy-less tables); these only open the schema + read path.
+grant usage on schema corale to anon, authenticated;
+grant select on all tables in schema corale to authenticated;
+alter default privileges in schema corale grant select on tables to authenticated;
+`
+  )
+};
+
+// src/migrations/0002_mastra.ts
+var M0002_MASTRA = {
+  version: "0002_mastra",
+  name: "mastra storage tables (corale schema, via @mastra/pg exportSchemas)",
+  sql: (
+    /* sql */
+    `
+CREATE SCHEMA IF NOT EXISTS "corale";
+
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_threads" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"resourceId" TEXT NOT NULL,
+"title" TEXT NOT NULL,
+"metadata" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_messages" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"thread_id" TEXT NOT NULL,
+"content" TEXT NOT NULL,
+"role" TEXT NOT NULL,
+"type" TEXT NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"resourceId" TEXT ,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_resources" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"workingMemory" TEXT ,
+"metadata" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_observational_memory" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"lookupKey" TEXT NOT NULL,
+"scope" TEXT NOT NULL,
+"resourceId" TEXT ,
+"threadId" TEXT ,
+"activeObservations" TEXT NOT NULL,
+"activeObservationsPendingUpdate" TEXT ,
+"originType" TEXT NOT NULL,
+"config" TEXT NOT NULL,
+"generationCount" INTEGER NOT NULL,
+"lastObservedAt" TIMESTAMP ,
+"lastReflectionAt" TIMESTAMP ,
+"pendingMessageTokens" INTEGER NOT NULL,
+"totalTokensObserved" INTEGER NOT NULL,
+"observationTokenCount" INTEGER NOT NULL,
+"isObserving" BOOLEAN NOT NULL,
+"isReflecting" BOOLEAN NOT NULL,
+"observedMessageIds" JSONB ,
+"observedTimezone" TEXT ,
+"bufferedObservations" TEXT ,
+"bufferedObservationTokens" INTEGER ,
+"bufferedMessageIds" JSONB ,
+"bufferedReflection" TEXT ,
+"bufferedReflectionTokens" INTEGER ,
+"bufferedReflectionInputTokens" INTEGER ,
+"reflectedObservationLineCount" INTEGER ,
+"bufferedObservationChunks" JSONB ,
+"isBufferingObservation" BOOLEAN NOT NULL,
+"isBufferingReflection" BOOLEAN NOT NULL,
+"lastBufferedAtTokens" INTEGER NOT NULL,
+"lastBufferedAtTime" TIMESTAMP ,
+"metadata" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"lastObservedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"lastReflectionAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"lastBufferedAtTimeZ" TIMESTAMPTZ DEFAULT NOW(),
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE INDEX IF NOT EXISTS "corale_idx_om_lookup_key" ON "corale"."mastra_observational_memory" ("lookupKey");
+CREATE INDEX IF NOT EXISTS "corale_mastra_threads_resourceid_createdat_idx" ON "corale"."mastra_threads" ("resourceId", "createdAt" DESC);
+CREATE INDEX IF NOT EXISTS "corale_mastra_messages_thread_id_createdat_idx" ON "corale"."mastra_messages" ("thread_id", "createdAt" DESC);
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_ai_spans" (
+              "traceId" TEXT NOT NULL,
+"spanId" TEXT NOT NULL,
+"name" TEXT NOT NULL,
+"spanType" TEXT NOT NULL,
+"isEvent" BOOLEAN NOT NULL,
+"startedAt" TIMESTAMP NOT NULL,
+"parentSpanId" TEXT ,
+"entityType" TEXT ,
+"entityId" TEXT ,
+"entityName" TEXT ,
+"parentEntityType" TEXT ,
+"parentEntityId" TEXT ,
+"parentEntityName" TEXT ,
+"rootEntityType" TEXT ,
+"rootEntityId" TEXT ,
+"rootEntityName" TEXT ,
+"userId" TEXT ,
+"organizationId" TEXT ,
+"resourceId" TEXT ,
+"runId" TEXT ,
+"sessionId" TEXT ,
+"threadId" TEXT ,
+"requestId" TEXT ,
+"environment" TEXT ,
+"serviceName" TEXT ,
+"scope" JSONB ,
+"entityVersionId" TEXT ,
+"parentEntityVersionId" TEXT ,
+"rootEntityVersionId" TEXT ,
+"experimentId" TEXT ,
+"source" TEXT ,
+"metadata" JSONB ,
+"tags" JSONB ,
+"attributes" JSONB ,
+"links" JSONB ,
+"input" JSONB ,
+"output" JSONB ,
+"error" JSONB ,
+"endedAt" TIMESTAMP ,
+"requestContext" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP ,
+"startedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"endedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+            DO $$ BEGIN
+              IF NOT EXISTS (
+                SELECT 1 FROM pg_constraint WHERE conname = lower('corale_mastra_ai_spans_traceid_spanid_pk') AND connamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'corale')
+              ) THEN
+                ALTER TABLE "corale"."mastra_ai_spans"
+                ADD CONSTRAINT corale_mastra_ai_spans_traceid_spanid_pk
+                PRIMARY KEY ("traceId", "spanId");
+              END IF;
+            END $$;
+            
+          
+CREATE OR REPLACE FUNCTION "corale".trigger_set_timestamps()
+RETURNS TRIGGER AS $$
+BEGIN
+    IF TG_OP = 'INSERT' THEN
+        NEW."createdAt" = NOW();
+        NEW."updatedAt" = NOW();
+        NEW."createdAtZ" = NOW();
+        NEW."updatedAtZ" = NOW();
+    ELSIF TG_OP = 'UPDATE' THEN
+        NEW."updatedAt" = NOW();
+        NEW."updatedAtZ" = NOW();
+        NEW."createdAt" = OLD."createdAt";
+        NEW."createdAtZ" = OLD."createdAtZ";
+    END IF;
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS "mastra_ai_spans_timestamps" ON "corale"."mastra_ai_spans";
+
+CREATE TRIGGER "mastra_ai_spans_timestamps"
+    BEFORE INSERT OR UPDATE ON "corale"."mastra_ai_spans"
+    FOR EACH ROW
+    EXECUTE FUNCTION "corale".trigger_set_timestamps();
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_traceid_startedat_idx" ON "corale"."mastra_ai_spans" ("traceId", "startedAt" DESC);
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_parentspanid_startedat_idx" ON "corale"."mastra_ai_spans" ("parentSpanId", "startedAt" DESC);
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_name_idx" ON "corale"."mastra_ai_spans" ("name");
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_spantype_startedat_idx" ON "corale"."mastra_ai_spans" ("spanType", "startedAt" DESC);
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_root_spans_idx" ON "corale"."mastra_ai_spans" ("startedAt" DESC) WHERE "parentSpanId" IS NULL;
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_entitytype_entityid_idx" ON "corale"."mastra_ai_spans" ("entityType", "entityId");
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_entitytype_entityname_idx" ON "corale"."mastra_ai_spans" ("entityType", "entityName");
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_orgid_userid_idx" ON "corale"."mastra_ai_spans" ("organizationId", "userId");
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_metadata_gin_idx" ON "corale"."mastra_ai_spans" USING gin ("metadata");
+CREATE INDEX IF NOT EXISTS "corale_mastra_ai_spans_tags_gin_idx" ON "corale"."mastra_ai_spans" USING gin ("tags");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_scorers" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"scorerId" TEXT NOT NULL,
+"traceId" TEXT ,
+"spanId" TEXT ,
+"runId" TEXT NOT NULL,
+"scorer" JSONB NOT NULL,
+"preprocessStepResult" JSONB ,
+"extractStepResult" JSONB ,
+"analyzeStepResult" JSONB ,
+"score" FLOAT NOT NULL,
+"reason" TEXT ,
+"metadata" JSONB ,
+"preprocessPrompt" TEXT ,
+"extractPrompt" TEXT ,
+"generateScorePrompt" TEXT ,
+"generateReasonPrompt" TEXT ,
+"analyzePrompt" TEXT ,
+"reasonPrompt" TEXT ,
+"input" JSONB NOT NULL,
+"output" JSONB NOT NULL,
+"additionalContext" JSONB ,
+"requestContext" JSONB ,
+"entityType" TEXT ,
+"entity" JSONB ,
+"entityId" TEXT ,
+"source" TEXT NOT NULL,
+"resourceId" TEXT ,
+"threadId" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE INDEX IF NOT EXISTS "corale_mastra_scores_trace_id_span_id_created_at_idx" ON "corale"."mastra_scorers" ("traceId", "spanId", "createdAt" DESC);
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_scorer_definitions" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"status" TEXT NOT NULL,
+"activeVersionId" TEXT ,
+"authorId" TEXT ,
+"metadata" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_scorer_definition_versions" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"scorerDefinitionId" TEXT NOT NULL,
+"versionNumber" INTEGER NOT NULL,
+"name" TEXT NOT NULL,
+"description" TEXT ,
+"type" TEXT NOT NULL,
+"model" JSONB ,
+"instructions" TEXT ,
+"scoreRange" JSONB ,
+"presetConfig" JSONB ,
+"defaultSampling" JSONB ,
+"changedFields" JSONB ,
+"changeMessage" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE UNIQUE INDEX IF NOT EXISTS "corale_idx_scorer_definition_versions_def_version" ON "corale"."mastra_scorer_definition_versions" ("scorerDefinitionId", "versionNumber");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_prompt_blocks" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"status" TEXT NOT NULL,
+"activeVersionId" TEXT ,
+"authorId" TEXT ,
+"metadata" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_prompt_block_versions" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"blockId" TEXT NOT NULL,
+"versionNumber" INTEGER NOT NULL,
+"name" TEXT NOT NULL,
+"description" TEXT ,
+"content" TEXT NOT NULL,
+"rules" JSONB ,
+"requestContextSchema" JSONB ,
+"changedFields" JSONB ,
+"changeMessage" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE UNIQUE INDEX IF NOT EXISTS "corale_idx_prompt_block_versions_block_version" ON "corale"."mastra_prompt_block_versions" ("blockId", "versionNumber");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_agents" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"status" TEXT NOT NULL,
+"activeVersionId" TEXT ,
+"authorId" TEXT ,
+"visibility" TEXT ,
+"metadata" JSONB ,
+"favoriteCount" INTEGER ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_agent_versions" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"agentId" TEXT NOT NULL,
+"versionNumber" INTEGER NOT NULL,
+"name" TEXT NOT NULL,
+"description" TEXT ,
+"instructions" TEXT NOT NULL,
+"model" JSONB NOT NULL,
+"tools" JSONB ,
+"defaultOptions" JSONB ,
+"workflows" JSONB ,
+"agents" JSONB ,
+"integrationTools" JSONB ,
+"toolProviders" JSONB ,
+"inputProcessors" JSONB ,
+"outputProcessors" JSONB ,
+"memory" JSONB ,
+"scorers" JSONB ,
+"mcpClients" JSONB ,
+"requestContextSchema" JSONB ,
+"workspace" JSONB ,
+"skills" JSONB ,
+"skillsFormat" TEXT ,
+"browser" JSONB ,
+"changedFields" JSONB ,
+"changeMessage" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_workflow_snapshot" (
+              "workflow_name" TEXT NOT NULL,
+"run_id" TEXT NOT NULL,
+"resourceId" TEXT ,
+"snapshot" JSONB NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+            DO $$ BEGIN
+              IF NOT EXISTS (
+                SELECT 1 FROM pg_constraint WHERE conname = lower('corale_mastra_workflow_snapshot_workflow_name_run_id_key') AND connamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'corale')
+              ) AND NOT EXISTS (
+                SELECT 1 FROM pg_indexes WHERE indexname = lower('corale_mastra_workflow_snapshot_workflow_name_run_id_key') AND schemaname = 'corale'
+              ) THEN
+                ALTER TABLE "corale"."mastra_workflow_snapshot"
+                ADD CONSTRAINT corale_mastra_workflow_snapshot_workflow_name_run_id_key
+                UNIQUE (workflow_name, run_id);
+              END IF;
+              IF EXISTS (
+                SELECT 1 FROM pg_index i
+                JOIN pg_class c ON i.indexrelid = c.oid
+                JOIN pg_namespace n ON c.relnamespace = n.oid
+                WHERE c.relname = lower('corale_mastra_workflow_snapshot_workflow_name_run_id_key')
+                AND n.nspname = 'corale'
+                AND i.indisreplident = false
+              ) THEN
+                ALTER TABLE "corale"."mastra_workflow_snapshot"
+                REPLICA IDENTITY USING INDEX corale_mastra_workflow_snapshot_workflow_name_run_id_key;
+              END IF;
+            END $$;
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_datasets" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"name" TEXT NOT NULL,
+"description" TEXT ,
+"metadata" JSONB ,
+"inputSchema" JSONB ,
+"groundTruthSchema" JSONB ,
+"requestContextSchema" JSONB ,
+"tags" JSONB ,
+"targetType" TEXT ,
+"targetIds" JSONB ,
+"scorerIds" JSONB ,
+"version" INTEGER NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_dataset_items" (
+              "id" TEXT NOT NULL,
+"datasetId" TEXT NOT NULL,
+"datasetVersion" INTEGER NOT NULL,
+"validTo" INTEGER ,
+"isDeleted" BOOLEAN NOT NULL,
+"input" JSONB NOT NULL,
+"groundTruth" JSONB ,
+"requestContext" JSONB ,
+"metadata" JSONB ,
+"source" JSONB ,
+"expectedTrajectory" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+PRIMARY KEY ("id", "datasetVersion")
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_dataset_versions" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"datasetId" TEXT NOT NULL,
+"version" INTEGER NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_experiments" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"name" TEXT ,
+"description" TEXT ,
+"metadata" JSONB ,
+"datasetId" TEXT ,
+"datasetVersion" INTEGER ,
+"targetType" TEXT NOT NULL,
+"targetId" TEXT NOT NULL,
+"status" TEXT NOT NULL,
+"totalItems" INTEGER NOT NULL,
+"succeededCount" INTEGER NOT NULL,
+"failedCount" INTEGER NOT NULL,
+"skippedCount" INTEGER NOT NULL,
+"startedAt" TIMESTAMP ,
+"completedAt" TIMESTAMP ,
+"agentVersion" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"startedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"completedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_experiment_results" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"experimentId" TEXT NOT NULL,
+"itemId" TEXT NOT NULL,
+"itemDatasetVersion" INTEGER ,
+"input" JSONB NOT NULL,
+"output" JSONB ,
+"groundTruth" JSONB ,
+"error" JSONB ,
+"startedAt" TIMESTAMP NOT NULL,
+"completedAt" TIMESTAMP NOT NULL,
+"retryCount" INTEGER NOT NULL,
+"traceId" TEXT ,
+"status" TEXT ,
+"tags" JSONB ,
+"createdAt" TIMESTAMP NOT NULL,
+"startedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"completedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_background_tasks" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"tool_call_id" TEXT NOT NULL,
+"tool_name" TEXT NOT NULL,
+"agent_id" TEXT NOT NULL,
+"run_id" TEXT NOT NULL,
+"thread_id" TEXT ,
+"resource_id" TEXT ,
+"status" TEXT NOT NULL,
+"args" JSONB NOT NULL,
+"result" JSONB ,
+"error" JSONB ,
+"suspend_payload" JSONB ,
+"retry_count" INTEGER NOT NULL,
+"max_retries" INTEGER NOT NULL,
+"timeout_ms" INTEGER NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"startedAt" TIMESTAMP ,
+"suspendedAt" TIMESTAMP ,
+"completedAt" TIMESTAMP ,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"startedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"suspendedAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"completedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE INDEX IF NOT EXISTS "corale_mastra_bg_tasks_status_created_at_idx" ON "corale"."mastra_background_tasks" ("status", "createdAt");
+CREATE INDEX IF NOT EXISTS "corale_mastra_bg_tasks_agent_status_idx" ON "corale"."mastra_background_tasks" ("agent_id", "status");
+CREATE INDEX IF NOT EXISTS "corale_mastra_bg_tasks_thread_idx" ON "corale"."mastra_background_tasks" ("thread_id", "createdAt");
+CREATE INDEX IF NOT EXISTS "corale_mastra_bg_tasks_tool_call_idx" ON "corale"."mastra_background_tasks" ("tool_call_id");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_favorites" (
+              "userId" TEXT NOT NULL,
+"entityType" TEXT NOT NULL,
+"entityId" TEXT NOT NULL,
+"createdAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+PRIMARY KEY ("userId", "entityType", "entityId")
+            );
+            
+          
+          
+CREATE INDEX IF NOT EXISTS idx_favorites_entity ON "corale"."mastra_favorites" ("entityType", "entityId");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_channel_installations" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"platform" TEXT NOT NULL,
+"agentId" TEXT NOT NULL,
+"status" TEXT NOT NULL,
+"webhookId" TEXT ,
+"data" JSONB NOT NULL,
+"configHash" TEXT ,
+"error" TEXT ,
+"createdAt" TIMESTAMP NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"createdAtZ" TIMESTAMPTZ DEFAULT NOW(),
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_channel_config" (
+              "platform" TEXT PRIMARY KEY NOT NULL,
+"data" JSONB NOT NULL,
+"updatedAt" TIMESTAMP NOT NULL,
+"updatedAtZ" TIMESTAMPTZ DEFAULT NOW()
+            );
+            
+          
+          
+CREATE UNIQUE INDEX IF NOT EXISTS "corale_idx_channel_installations_webhook" ON "corale"."mastra_channel_installations" ("webhookId");
+CREATE INDEX IF NOT EXISTS "corale_idx_channel_installations_platform_agent" ON "corale"."mastra_channel_installations" ("platform", "agentId");
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_schedules" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"target" JSONB NOT NULL,
+"cron" TEXT NOT NULL,
+"timezone" TEXT ,
+"status" TEXT NOT NULL,
+"next_fire_at" BIGINT NOT NULL,
+"last_fire_at" BIGINT ,
+"last_run_id" TEXT ,
+"created_at" BIGINT NOT NULL,
+"updated_at" BIGINT NOT NULL,
+"metadata" JSONB ,
+"owner_type" TEXT ,
+"owner_id" TEXT 
+            );
+            
+          
+          
+
+            CREATE TABLE IF NOT EXISTS "corale"."mastra_schedule_triggers" (
+              "id" TEXT PRIMARY KEY NOT NULL,
+"schedule_id" TEXT NOT NULL,
+"run_id" TEXT ,
+"scheduled_fire_at" BIGINT NOT NULL,
+"actual_fire_at" BIGINT NOT NULL,
+"outcome" TEXT NOT NULL,
+"error" TEXT ,
+"trigger_kind" TEXT NOT NULL,
+"parent_trigger_id" TEXT ,
+"metadata" JSONB 
+            );
+            
+          
+          
+CREATE INDEX IF NOT EXISTS "corale_idx_mastra_schedules_status_next_fire" ON "corale"."mastra_schedules" ("status", "next_fire_at");
+CREATE INDEX IF NOT EXISTS "corale_idx_mastra_schedule_triggers_schedule_fire" ON "corale"."mastra_schedule_triggers" ("schedule_id", "actual_fire_at" DESC);
+`
+  )
+};
+
+// src/migrations/0003_followups.ts
+var M0003_FOLLOWUPS = {
+  version: "0003_followups",
+  name: "corale.followups waitpoint columns (durable runner)",
+  sql: (
+    /* sql */
+    `
+alter table corale.followups
+  add column if not exists waitpoint_token text,   -- Trigger createToken id (null for vercel/interactive)
+  add column if not exists runner_kind text;       -- 'trigger' | 'vercel'
+`
+  )
+};
+
+// src/migrations/0004_memory_vector.ts
+var M0004_MEMORY_VECTOR = {
+  version: "0004",
+  name: "memory_vector",
+  sql: `create extension if not exists vector;`
+};
+
+// src/migrations/0005_thread_text_ids.ts
+var M0005_THREAD_TEXT_IDS = {
+  version: "0005",
+  name: "thread_text_ids",
+  sql: `
+alter table corale.runs drop constraint if exists runs_thread_id_fkey;
+alter table corale.messages drop constraint if exists messages_thread_id_fkey;
+alter table corale.threads alter column id drop default;
+alter table corale.threads alter column id type text using id::text;
+alter table corale.threads alter column id set default gen_random_uuid()::text;
+alter table corale.runs alter column thread_id type text using thread_id::text;
+alter table corale.messages alter column thread_id type text using thread_id::text;
+alter table corale.runs add constraint runs_thread_id_fkey foreign key (thread_id) references corale.threads(id);
+alter table corale.messages add constraint messages_thread_id_fkey foreign key (thread_id) references corale.threads(id) on delete cascade;
+`.trim()
+};
+
+// src/migrations/0006_scratchpad.ts
+var M0006_SCRATCHPAD = {
+  version: "0006_scratchpad",
+  name: "corale container scratchpad (mutable shared doc per conversation)",
+  sql: (
+    /* sql */
+    `
+create table corale.scratchpad (
+  org_id uuid not null references corale.orgs(id) on delete cascade,
+  container text not null,
+  public_content text not null default '',
+  meta_content text not null default '',
+  updated_by text,
+  updated_by_user text,
+  updated_at timestamptz not null default now(),
+  primary key (org_id, container)
+);
+
+-- RLS (defense-in-depth), copied from 0001_core's corale.messages setup: enable RLS, an
+-- org-membership read policy via corale.is_org_member(org_id), and the org_id index. service_role
+-- (the server adapter) bypasses RLS; this only gates the browser/Realtime read path.
+alter table corale.scratchpad enable row level security;
+create policy org_read_scratchpad on corale.scratchpad for select to authenticated using ((select corale.is_org_member(org_id)));
+create index scratchpad_org_idx on corale.scratchpad (org_id);
+
+-- GRANT (CRITICAL): 0001_core's schema-wide \`grant select on all tables\` only covered tables that
+-- existed then; a new table needs its own grant so the JWT-scoped Realtime/browser read path can see
+-- it. RLS still gates ROWS. Mirrors 0001's \`grant select on all tables in schema corale\` intent.
+grant select on corale.scratchpad to authenticated;
+`
+  )
+};
+
+// src/migrations/0007_scratchpad_entries.ts
+var M0007_SCRATCHPAD_ENTRIES = {
+  version: "0007_scratchpad_entries",
+  name: "corale scratchpad \u2192 keyed jsonb entries (concurrent-safe writes)",
+  sql: (
+    /* sql */
+    `
+alter table corale.scratchpad
+  drop column public_content,
+  drop column meta_content,
+  add column public_entries jsonb not null default '{}'::jsonb,
+  add column meta_entries jsonb not null default '{}'::jsonb;
+`
+  )
+};
+
+// src/migrations/0008_floor.ts
+var M0008_FLOOR = {
+  version: "0008_floor",
+  name: "corale container floor (serverless mutual-exclusion + FIFO queue)",
+  sql: (
+    /* sql */
+    `
+create table corale.floor_lock (
+  container      text primary key,
+  holder_label   text not null,
+  holder_run_id  text not null,
+  acquired_at    timestamptz not null default now()
+);
+alter table corale.floor_lock enable row level security;
+
+create table corale.floor_waiter (
+  container    text not null,
+  run_id       text not null,
+  label        text not null,
+  enqueued_at  timestamptz not null default now(),
+  last_seen    timestamptz not null default now(),
+  primary key (container, run_id)
+);
+create index floor_waiter_order on corale.floor_waiter (container, enqueued_at);
+alter table corale.floor_waiter enable row level security;
+
+revoke all on corale.floor_lock, corale.floor_waiter from anon, authenticated;
+`
+  )
+};
+
+// src/migrations/0009_scratchpad_realtime.ts
+var M0009_SCRATCHPAD_REALTIME = {
+  version: "0009_scratchpad_realtime",
+  name: "corale scratchpad realtime broadcast + member read gate",
+  sql: (
+    /* sql */
+    `
+create or replace function corale.broadcast_scratchpad()
+  returns trigger language plpgsql security definer set search_path = '' as $$
+begin
+  perform realtime.send(
+    jsonb_build_object('container', new.container, 'updated_at', new.updated_at),
+    'scratchpad', 'scratchpad:' || new.container, true);
+  return new;
+end; $$;
+create trigger trg_broadcast_scratchpad after insert or update on corale.scratchpad
+  for each row execute function corale.broadcast_scratchpad();
+
+create policy members_receive_scratchpad on realtime.messages for select to authenticated using (
+  realtime.messages.extension = 'broadcast' and (select realtime.topic()) like 'scratchpad:%'
+  and exists (select 1 from corale.scratchpad s
+    where ('scratchpad:' || s.container) = (select realtime.topic()) and (select corale.is_org_member(s.org_id))));
+`
+  )
+};
+
+// src/migrations/0010_presence_realtime.ts
+var M0010_PRESENCE_REALTIME = {
+  version: "0010_presence_realtime",
+  name: "corale run-status presence broadcast + member read gate",
+  sql: (
+    /* sql */
+    `
+create or replace function corale.broadcast_presence()
+  returns trigger language plpgsql security definer set search_path = '' as $$
+begin
+  perform realtime.send(
+    jsonb_build_object('container', split_part(new.thread_id, ':', 1), 'status', new.status),
+    'presence', 'presence:' || split_part(new.thread_id, ':', 1), true);
+  return new;
+end; $$;
+create trigger trg_broadcast_presence after insert or update of status on corale.runs
+  for each row execute function corale.broadcast_presence();
+
+create policy members_receive_presence on realtime.messages for select to authenticated using (
+  realtime.messages.extension = 'broadcast' and (select realtime.topic()) like 'presence:%'
+  and exists (select 1 from corale.runs r
+    where ('presence:' || split_part(r.thread_id, ':', 1)) = (select realtime.topic()) and (select corale.is_org_member(r.org_id))));
+`
+  )
+};
+
+// src/migrations/0011_broadcast_allowlist.ts
+var M0011_BROADCAST_ALLOWLIST = {
+  version: "0011_broadcast_allowlist",
+  name: "corale.broadcast_event: scrub forwarded payload to a SwarmEvent field allowlist",
+  sql: (
+    /* sql */
+    `
+create or replace function corale.broadcast_event()
+  returns trigger language plpgsql security definer set search_path = '' as $$
+begin
+  perform realtime.send(
+    jsonb_build_object('type', new.type, 'seq', new.seq, 'run_id', new.run_id,
+      'from_agent', new.from_agent, 'to_agent', new.to_agent,
+      -- R2: allowlist \u2014 forward only known SwarmEvent fields from new.payload, never the column verbatim.
+      'payload', jsonb_build_object(
+        'type', new.payload->'type',
+        'runId', new.payload->'runId',
+        'agentSlug', new.payload->'agentSlug',
+        'ts', new.payload->'ts',
+        'schemaVersion', new.payload->'schemaVersion',
+        'data', new.payload->'data')),
+    new.type, 'run:' || new.run_id::text, true);
+  return new;
+end; $$;
+`
+  )
+};
+
+// src/migrations/0012_thread_scoped_resource.ts
+var M0012_THREAD_SCOPED_RESOURCE = {
+  version: "0012_thread_scoped_resource",
+  name: "R14: re-key Mastra resourceId tenant:user \u2192 tenant:container (thread-scoped)",
+  sql: (
+    /* sql */
+    `
+do $$ begin
+  if exists (select 1 from corale.mastra_resources limit 1) then
+    raise exception 'corale 0012: corale.mastra_resources has rows (Mastra working memory is in use). Its resourceId (tenant:user) cannot be auto-re-keyed to tenant:container \u2014 one user-resource maps to many containers. Migrate or clear corale.mastra_resources by hand, then re-run.';
+  end if;
+end $$;
+
+update corale.mastra_messages
+  set "resourceId" = split_part("resourceId", ':', 1) || ':' || split_part(thread_id, ':', 1)
+  where "resourceId" is not null and position(':' in "resourceId") > 0;
+
+update corale.mastra_threads
+  set "resourceId" = split_part("resourceId", ':', 1) || ':' || split_part(id, ':', 1)
+  where position(':' in "resourceId") > 0;
+
+update corale.mastra_observational_memory
+  set "resourceId" = split_part("resourceId", ':', 1) || ':' || split_part("threadId", ':', 1)
+  where "resourceId" is not null and "threadId" is not null and position(':' in "resourceId") > 0;
+`
+  )
+};
+
+// src/migrations/0013_rename_schema.ts
+var M0013_RENAME_SCHEMA = {
+  version: "0013_rename_schema",
+  name: "Phase-00: rename schema corale \u2192 nightowls (+ corale_* index identifiers)",
+  sql: (
+    /* sql */
+    `
+do $$
+begin
+  if exists (select 1 from information_schema.schemata where schema_name = 'corale')
+     and not exists (select 1 from information_schema.schemata where schema_name = 'nightowls') then
+    execute 'alter schema corale rename to nightowls';
+  end if;
+end $$;
+
+-- Rename any index in the (now) nightowls schema still carrying the legacy 'corale_' prefix.
+do $$
+declare r record;
+begin
+  for r in
+    select indexname from pg_indexes
+    where schemaname = 'nightowls' and indexname like 'corale\\_%'
+  loop
+    execute format('alter index nightowls.%I rename to %I', r.indexname, 'nightowls_' || substring(r.indexname from 8));
+  end loop;
+end $$;
+`
+  )
+};
+
+// src/migrations/index.ts
+var MIGRATIONS = [M0001_CORE, M0002_MASTRA, M0003_FOLLOWUPS, M0004_MEMORY_VECTOR, M0005_THREAD_TEXT_IDS, M0006_SCRATCHPAD, M0007_SCRATCHPAD_ENTRIES, M0008_FLOOR, M0009_SCRATCHPAD_REALTIME, M0010_PRESENCE_REALTIME, M0011_BROADCAST_ALLOWLIST, M0012_THREAD_SCOPED_RESOURCE, M0013_RENAME_SCHEMA];
+
+// src/plugin.ts
+var nightOwlsPlugin = {
+  name: "storage-supabase",
+  version: "0.0.0",
+  kind: "storage",
+  pkg: "@nightowlsdev/storage-supabase",
+  description: "Supabase Postgres storage + the nightowls schema (migrations, Realtime, RLS).",
+  migrations: MIGRATIONS,
+  // { version, name, sql }[]
+  env: [
+    { key: "SUPABASE_URL", example: "http://127.0.0.1:54321", comment: "Supabase project URL" },
+    {
+      key: "SUPABASE_SECRET_KEY",
+      example: "",
+      comment: "service_role/secret \u2014 server storage adapter ONLY (never in the browser)"
+    },
+    {
+      key: "DATABASE_URL",
+      example: "postgresql://postgres:postgres@127.0.0.1:5432/postgres",
+      comment: "Session/Direct port 5432 \u2014 NOT 6543 (nightowls migrations + the pg pool)"
+    },
+    { key: "SUPABASE_ANON_KEY", example: "", comment: "publishable/anon \u2014 browser auth + Realtime ONLY" }
+  ],
+  config: {
+    import: "import { createSupabaseStorage } from '@nightowlsdev/storage-supabase';",
+    snippet: "storage = createSupabaseStorage({ url: env.SUPABASE_URL, secretKey: env.SUPABASE_SECRET_KEY, dbUrl: env.DATABASE_URL });",
+    marker: "storage"
+  },
+  // Print-only (idempotent) — runs on init/install + `owl init storage-supabase`. NEVER applies DDL.
+  init: (ctx) => {
+    ctx.log(
+      "Night Owls's migrations were installed into supabase/migrations/. Apply them with: supabase db push"
+    );
+  },
+  commands: [
+    {
+      name: "info",
+      description: "Show the nightowls migrations and env this adapter contributes.",
+      // PURE — no DB/network. Reads only the static manifest data.
+      run: (ctx) => {
+        ctx.log(`migrations: ${MIGRATIONS.map((m) => m.version).join(", ")}`);
+        ctx.log("env: SUPABASE_URL, SUPABASE_SECRET_KEY, DATABASE_URL, SUPABASE_ANON_KEY");
+      }
+    }
+  ]
+};
+
+// src/floor.ts
+function createPostgresFloor(pool, opts = {}) {
+  const maxHoldSecs = (opts.maxHoldMs ?? 18e4) / 1e3;
+  const pollMs = opts.pollMs ?? 250;
+  const waiterStaleSecs = Math.max(pollMs * 20, 1e4) / 1e3;
+  const releaseLock = (container, runId) => pool.query("delete from nightowls.floor_lock where container=$1 and holder_run_id=$2", [container, runId]);
+  const makeRelease = (container, runId) => {
+    let released = false;
+    return async () => {
+      if (released) return;
+      released = true;
+      await releaseLock(container, runId);
+    };
+  };
+  async function claim(container, who, ahead, params) {
+    const { rows } = await pool.query(
+      `insert into nightowls.floor_lock as fl (container, holder_label, holder_run_id, acquired_at)
+       select $1, $2, $3, now()
+       where not exists (
+         select 1 from nightowls.floor_waiter w
+         where w.container = $1 and w.last_seen >= now() - make_interval(secs => $5) ${ahead}
+       )
+       on conflict (container) do update
+         set holder_label = excluded.holder_label, holder_run_id = excluded.holder_run_id, acquired_at = now()
+         where fl.acquired_at < now() - make_interval(secs => $4)
+       returning holder_run_id`,
+      [container, who.label, who.runId, maxHoldSecs, waiterStaleSecs, ...params]
+    );
+    return rows.length > 0;
+  }
+  async function tryAcquire(container, who) {
+    const got = await claim(container, who, "", []);
+    return got ? makeRelease(container, who.runId) : null;
+  }
+  function sleep(ms, signal) {
+    return new Promise((resolve) => {
+      if (signal?.aborted) return resolve();
+      const onAbort = () => {
+        clearTimeout(t);
+        resolve();
+      };
+      const t = setTimeout(() => {
+        signal?.removeEventListener("abort", onAbort);
+        resolve();
+      }, ms);
+      signal?.addEventListener("abort", onAbort, { once: true });
+    });
+  }
+  const AHEAD = "and (date_trunc('milliseconds', w.enqueued_at), w.run_id) < (date_trunc('milliseconds', $6::timestamptz), $3)";
+  async function acquire(container, who, signal) {
+    const noop = () => {
+    };
+    const deleteWaiter = () => pool.query("delete from nightowls.floor_waiter where container=$1 and run_id=$2", [container, who.runId]);
+    if (signal?.aborted) return noop;
+    const reg = await pool.query(
+      `insert into nightowls.floor_waiter(container, run_id, label) values($1,$2,$3)
+       on conflict (container, run_id) do update set last_seen = now()
+       returning enqueued_at`,
+      [container, who.runId, who.label]
+    );
+    const myEnqueuedAt = reg.rows[0].enqueued_at;
+    try {
+      for (; ; ) {
+        if (signal?.aborted) {
+          await deleteWaiter();
+          return noop;
+        }
+        await pool.query("update nightowls.floor_waiter set last_seen = now() where container=$1 and run_id=$2", [container, who.runId]);
+        if (await claim(container, who, AHEAD, [myEnqueuedAt])) {
+          await deleteWaiter();
+          return makeRelease(container, who.runId);
+        }
+        await sleep(pollMs, signal);
+      }
+    } catch (e) {
+      await deleteWaiter().catch(() => {
+      });
+      throw e;
+    }
+  }
+  async function holder(container) {
+    const { rows } = await pool.query(
+      `select holder_label, holder_run_id from nightowls.floor_lock
+        where container=$1 and acquired_at >= now() - make_interval(secs => $2)`,
+      [container, maxHoldSecs]
+    );
+    return rows.length ? { label: rows[0].holder_label, runId: rows[0].holder_run_id } : null;
+  }
+  async function queueDepth(container) {
+    const { rows } = await pool.query(
+      `select count(*)::int as n from nightowls.floor_waiter
+        where container=$1 and last_seen >= now() - make_interval(secs => $2)`,
+      [container, waiterStaleSecs]
+    );
+    return rows[0].n;
+  }
+  return { tryAcquire, acquire, holder, queueDepth };
+}
+
+// src/index.ts
+function createSupabaseStorage(opts) {
+  const ctx = makeCtx(opts);
+  let invalidationSub = null;
+  return {
+    agents: makeAgentRepo(ctx),
+    runs: makeRunStore(ctx),
+    events: makeEventStore(ctx),
+    messages: makeMessageStore(ctx),
+    scratchpad: makeScratchpadStore(ctx),
+    // Record the suspended run in the tenant-scoped followup index so `runs.findSuspended` (the resume
+    // authz gate) can resolve it. RE-OPEN on conflict (reset `answered_at`): Mastra REUSES the same
+    // `toolCallId` when an agent asks AGAIN after a resume, so the engine's `followupId = runId:toolCallId`
+    // collides with the prior (now-answered) round. `do nothing` would leave it answered → `findSuspended`
+    // (filters `answered_at is null`) returns null → the next answer 403s. Re-opening makes each successive
+    // `ask` answerable. (Safe: a redundant re-record of the SAME live suspend just re-nulls an already-null
+    // `answered_at`.)
+    recordSuspend: async (runId, tenantId, followupId, toolCallId) => {
+      await ctx.pool.query(
+        "insert into followups(id, run_id, org_id, tool_call_id, created_at) values($1,$2,$3,$4, now()) on conflict (id) do update set answered_at = null, created_at = now()",
+        [followupId, runId, tenantId, toolCallId]
+      );
+    },
+    // Mark a followup answered so `findSuspended` (which filters `answered_at is null`) stops returning
+    // it — closes the replay window once a resume begins. Tenant-scoped + idempotent.
+    markFollowupAnswered: async (followupId, tenantId) => {
+      await ctx.pool.query("update followups set answered_at = now() where id=$1 and org_id=$2 and answered_at is null", [
+        followupId,
+        tenantId
+      ]);
+    },
+    // R12: cross-process cache invalidation via Postgres LISTEN. The engine wires this to
+    // `rowCache.invalidate`; a `publishAgentVersion` elsewhere NOTIFYs the key and every instance evicts
+    // immediately. Returns a sync unsubscribe (the engine ignores it — `close()` owns teardown).
+    subscribeInvalidations: (onInvalidate) => {
+      if (invalidationSub) throw new Error("subscribeInvalidations: already registered for this storage");
+      const sub = listenForInvalidations(ctx, onInvalidate);
+      sub.catch(() => {
+      });
+      invalidationSub = sub;
+      let torn = false;
+      return () => {
+        if (torn) return;
+        torn = true;
+        const pending = invalidationSub;
+        invalidationSub = null;
+        void pending?.then((s) => s.unsubscribe()).catch(() => {
+        });
+      };
+    },
+    ctx,
+    // typed internal handle reused by publishAgentVersion (Task 10) — no `__ctx` any-cast.
+    // Gracefully tear down Realtime (remove channels + close the WS) BEFORE ending the
+    // pg pool, so a force-closed socket can't surface a late "transport failure" rejection.
+    close: async () => {
+      if (invalidationSub) {
+        try {
+          await (await invalidationSub).unsubscribe();
+        } catch {
+        }
+        invalidationSub = null;
+      }
+      try {
+        await ctx.sb.removeAllChannels();
+        await ctx.sb.realtime.disconnect();
+      } catch {
+      }
+      await ctx.pool.end();
+    }
+  };
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  MIGRATIONS,
+  createMastraPgStore,
+  createMastraVectorStore,
+  createPostgresFloor,
+  createSupabaseStorage,
+  listAgentVersions,
+  nightOwlsPlugin,
+  publishAgentVersion,
+  rollbackAgentVersion
+});