@vellumai/assistant 0.5.5 → 0.5.7

package/src/memory/migrations/143-rename-guardian-verification-values.ts

@@ -1,6 +1,41 @@
 import { type DrizzleDb, getSqliteFrom } from "../db-connection.js";
 import { withCrashRecovery } from "./validate-migration-state.js";
 
+/**
+ * Reverse v23: add the "guardian_" prefix back to verification-related
+ * call_mode and event_type values.
+ */
+export function downRenameGuardianVerificationValues(
+  database: DrizzleDb,
+): void {
+  const raw = getSqliteFrom(database);
+
+  // Rename call_mode values back
+  raw.exec(
+    /*sql*/ `UPDATE call_sessions SET call_mode = 'guardian_verification' WHERE call_mode = 'verification'`,
+  );
+
+  // Rename event_type values back
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'guardian_voice_verification_started' WHERE event_type = 'voice_verification_started'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'guardian_voice_verification_succeeded' WHERE event_type = 'voice_verification_succeeded'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'guardian_voice_verification_failed' WHERE event_type = 'voice_verification_failed'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'outbound_guardian_voice_verification_started' WHERE event_type = 'outbound_voice_verification_started'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'outbound_guardian_voice_verification_succeeded' WHERE event_type = 'outbound_voice_verification_succeeded'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE call_events SET event_type = 'outbound_guardian_voice_verification_failed' WHERE event_type = 'outbound_voice_verification_failed'`,
+  );
+}
+
 /**
  * One-shot migration: rename persisted `guardian_verification` and
  * `guardian_voice_verification_*` / `outbound_guardian_voice_verification_*`

package/src/memory/migrations/144-rename-voice-to-phone.ts

@@ -1,6 +1,142 @@
 import { type DrizzleDb, getSqliteFrom } from "../db-connection.js";
 import { withCrashRecovery } from "./validate-migration-state.js";
 
+/**
+ * Reverse v24: rename "phone" channel values back to "voice" across all
+ * tables with channel text columns.
+ */
+export function downRenameVoiceToPhone(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+
+  // contact_channels.type
+  raw.exec(
+    /*sql*/ `UPDATE contact_channels SET type = 'voice' WHERE type = 'phone'`,
+  );
+
+  // conversations.origin_channel
+  raw.exec(
+    /*sql*/ `UPDATE conversations SET origin_channel = 'voice' WHERE origin_channel = 'phone'`,
+  );
+
+  // conversations.origin_interface
+  raw.exec(
+    /*sql*/ `UPDATE conversations SET origin_interface = 'voice' WHERE origin_interface = 'phone'`,
+  );
+
+  // messages.metadata — reverse the JSON string replacement
+  raw.exec(
+    /*sql*/ `UPDATE messages SET metadata = REPLACE(metadata, '"phone"', '"voice"') WHERE metadata LIKE '%"phone"%'`,
+  );
+
+  // assistant_ingress_invites.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE assistant_ingress_invites SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // assistant_inbox_thread_state.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE assistant_inbox_thread_state SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // guardian_action_requests.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE guardian_action_requests SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // guardian_action_requests.answered_by_channel
+  raw.exec(
+    /*sql*/ `UPDATE guardian_action_requests SET answered_by_channel = 'voice' WHERE answered_by_channel = 'phone'`,
+  );
+
+  // channel_verification_sessions.channel (the forward migration ran after v21 rename)
+  raw.exec(
+    /*sql*/ `UPDATE channel_verification_sessions SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+
+  // channel_guardian_approval_requests.channel
+  raw.exec(
+    /*sql*/ `UPDATE channel_guardian_approval_requests SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+
+  // channel_guardian_rate_limits.channel
+  // Dedup: remove phone rows that would collide with existing voice rows
+  raw.exec(/*sql*/ `DELETE FROM channel_guardian_rate_limits WHERE channel = 'phone' AND EXISTS (
+      SELECT 1 FROM channel_guardian_rate_limits AS t2
+      WHERE t2.channel = 'voice'
+        AND t2.actor_external_user_id = channel_guardian_rate_limits.actor_external_user_id
+        AND t2.actor_chat_id = channel_guardian_rate_limits.actor_chat_id
+    )`);
+  raw.exec(
+    /*sql*/ `UPDATE channel_guardian_rate_limits SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+
+  // notification_events.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE notification_events SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // notification_deliveries.channel
+  raw.exec(
+    /*sql*/ `UPDATE notification_deliveries SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+
+  // external_conversation_bindings.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE external_conversation_bindings SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // channel_inbound_events.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE channel_inbound_events SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // conversation_attention_events.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE conversation_attention_events SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // conversation_assistant_attention_state.last_seen_source_channel
+  raw.exec(
+    /*sql*/ `UPDATE conversation_assistant_attention_state SET last_seen_source_channel = 'voice' WHERE last_seen_source_channel = 'phone'`,
+  );
+
+  // canonical_guardian_requests.source_channel
+  raw.exec(
+    /*sql*/ `UPDATE canonical_guardian_requests SET source_channel = 'voice' WHERE source_channel = 'phone'`,
+  );
+
+  // canonical_guardian_deliveries.destination_channel
+  raw.exec(
+    /*sql*/ `UPDATE canonical_guardian_deliveries SET destination_channel = 'voice' WHERE destination_channel = 'phone'`,
+  );
+
+  // guardian_action_deliveries.destination_channel
+  raw.exec(
+    /*sql*/ `UPDATE guardian_action_deliveries SET destination_channel = 'voice' WHERE destination_channel = 'phone'`,
+  );
+
+  // scoped_approval_grants: request_channel, decision_channel, execution_channel
+  raw.exec(
+    /*sql*/ `UPDATE scoped_approval_grants SET request_channel = 'voice' WHERE request_channel = 'phone'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE scoped_approval_grants SET decision_channel = 'voice' WHERE decision_channel = 'phone'`,
+  );
+  raw.exec(
+    /*sql*/ `UPDATE scoped_approval_grants SET execution_channel = 'voice' WHERE execution_channel = 'phone'`,
+  );
+
+  // sequences.channel
+  raw.exec(
+    /*sql*/ `UPDATE sequences SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+
+  // followups.channel
+  raw.exec(
+    /*sql*/ `UPDATE followups SET channel = 'voice' WHERE channel = 'phone'`,
+  );
+}
+
 /**
  * One-shot migration: rename stored "voice" channel values to "phone" across
  * all tables that persist channel identifiers as text.

package/src/memory/migrations/145-drop-accounts-table.ts

@@ -17,3 +17,35 @@ export function migrateDropAccountsTable(database: DrizzleDb): void {
     raw.exec(/*sql*/ `DROP TABLE IF EXISTS accounts`);
   });
 }
+
+/**
+ * Reverse: recreate the accounts table with its original schema.
+ *
+ * Data is permanently lost — the table was dropped. This only restores the
+ * empty table structure so that earlier migrations referencing it can operate.
+ */
+export function migrateDropAccountsTableDown(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+
+  raw.exec(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS accounts (
+      id TEXT PRIMARY KEY,
+      service TEXT NOT NULL,
+      username TEXT,
+      email TEXT,
+      display_name TEXT,
+      status TEXT NOT NULL DEFAULT 'active',
+      credential_ref TEXT,
+      metadata_json TEXT,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  raw.exec(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_accounts_service ON accounts(service)`,
+  );
+  raw.exec(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_accounts_status ON accounts(status)`,
+  );
+}

package/src/memory/migrations/147-migrate-reminders-to-schedules.ts

@@ -1,4 +1,5 @@
-import { type DrizzleDb, getSqliteFrom } from "../db-connection.js";
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
 import { withCrashRecovery } from "./validate-migration-state.js";
 
 /**
@@ -123,3 +124,15 @@ export function migrateRemindersToSchedules(database: DrizzleDb): void {
     }
   });
 }
+
+/**
+ * Reverse: no-op.
+ *
+ * Cannot reliably identify which cron_jobs rows were migrated from reminders
+ * versus created natively as schedules. Rows share the same table and there
+ * is no origin marker. Deleting the wrong rows would destroy user-created
+ * schedules.
+ */
+export function migrateRemindersToSchedulesDown(_database: DrizzleDb): void {
+  // No-op — see comment above.
+}

package/src/memory/migrations/148-drop-reminders-table.ts

@@ -1,4 +1,5 @@
-import { type DrizzleDb, getSqliteFrom } from "../db-connection.js";
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
 import { withCrashRecovery } from "./validate-migration-state.js";
 
 /**
@@ -12,3 +13,36 @@ export function migrateDropRemindersTable(database: DrizzleDb): void {
     raw.run("DROP TABLE IF EXISTS reminders");
   });
 }
+
+/**
+ * Reverse: recreate the reminders table with its original schema.
+ *
+ * Data is permanently lost — the table was dropped. This only restores the
+ * empty table structure so that earlier migrations referencing it can operate.
+ * Includes the routing_intent and routing_hints_json columns added by
+ * migration 118.
+ */
+export function migrateDropRemindersTableDown(database: DrizzleDb): void {
+  const raw = getSqliteFrom(database);
+
+  raw.exec(/*sql*/ `
+    CREATE TABLE IF NOT EXISTS reminders (
+      id TEXT PRIMARY KEY,
+      label TEXT NOT NULL,
+      message TEXT NOT NULL,
+      fire_at INTEGER NOT NULL,
+      mode TEXT NOT NULL,
+      status TEXT NOT NULL,
+      fired_at INTEGER,
+      conversation_id TEXT,
+      routing_intent TEXT NOT NULL DEFAULT 'all_channels',
+      routing_hints_json TEXT NOT NULL DEFAULT '{}',
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    )
+  `);
+
+  raw.exec(
+    /*sql*/ `CREATE INDEX IF NOT EXISTS idx_reminders_status_fire_at ON reminders(status, fire_at)`,
+  );
+}

package/src/memory/migrations/150-oauth-apps-client-secret-path.ts

@@ -1,4 +1,5 @@
-import { type DrizzleDb, getSqliteFrom } from "../db-connection.js";
+import type { DrizzleDb } from "../db-connection.js";
+import { getSqliteFrom } from "../db-connection.js";
 import { withCrashRecovery } from "./validate-migration-state.js";
 
 /**
@@ -96,3 +97,70 @@ export function migrateOAuthAppsClientSecretPath(database: DrizzleDb): void {
     },
   );
 }
+
+/**
+ * Reverse: drop the client_secret_credential_path column from oauth_apps.
+ *
+ * Rebuilds the table without the column (SQLite doesn't support DROP COLUMN
+ * on older versions). Idempotent — skips if the column doesn't exist.
+ */
+export function migrateOAuthAppsClientSecretPathDown(
+  database: DrizzleDb,
+): void {
+  const raw = getSqliteFrom(database);
+
+  // Guard: table must exist
+  const tableExists = raw
+    .query(
+      `SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'oauth_apps'`,
+    )
+    .get();
+  if (!tableExists) return;
+
+  // Guard: if the column doesn't exist, nothing to do
+  const colInfo = raw
+    .query(
+      `SELECT 1 FROM pragma_table_info('oauth_apps') WHERE name = 'client_secret_credential_path'`,
+    )
+    .get();
+  if (!colInfo) return;
+
+  raw.exec("PRAGMA foreign_keys = OFF");
+  try {
+    raw.exec("BEGIN");
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE oauth_apps_rollback (
+        id TEXT PRIMARY KEY,
+        provider_key TEXT NOT NULL REFERENCES oauth_providers(provider_key),
+        client_id TEXT NOT NULL,
+        created_at INTEGER NOT NULL,
+        updated_at INTEGER NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      INSERT INTO oauth_apps_rollback
+      SELECT id, provider_key, client_id, created_at, updated_at
+      FROM oauth_apps
+    `);
+
+    raw.exec(/*sql*/ `DROP TABLE oauth_apps`);
+    raw.exec(/*sql*/ `ALTER TABLE oauth_apps_rollback RENAME TO oauth_apps`);
+
+    raw.exec(
+      /*sql*/ `CREATE UNIQUE INDEX IF NOT EXISTS idx_oauth_apps_provider_client ON oauth_apps(provider_key, client_id)`,
+    );
+
+    raw.exec("COMMIT");
+  } catch (e) {
+    try {
+      raw.exec("ROLLBACK");
+    } catch {
+      /* no active transaction */
+    }
+    throw e;
+  } finally {
+    raw.exec("PRAGMA foreign_keys = ON");
+  }
+}

package/src/memory/migrations/162-guardian-timestamps-epoch-ms.ts

@@ -281,3 +281,293 @@ function rebuildScopedApprovalGrants(raw: RawDb): void {
     raw.exec("PRAGMA foreign_keys = ON");
   }
 }
+
+// ---------------------------------------------------------------------------
+// Down functions
+// ---------------------------------------------------------------------------
+
+/**
+ * Reverse v29: convert epoch ms timestamps back to ISO 8601 text in guardian
+ * tables.
+ *
+ * Uses SQLite's datetime() to reconstruct ISO 8601 strings from the integer
+ * values. The millisecond component is appended manually since datetime()
+ * only returns second precision.
+ */
+export function migrateGuardianTimestampsEpochMsDown(
+  database: DrizzleDb,
+): void {
+  const raw = getSqliteFrom(database);
+
+  // Convert canonical_guardian_requests timestamp columns back to ISO 8601
+  raw.exec(/*sql*/ `
+    UPDATE canonical_guardian_requests
+    SET created_at = strftime('%Y-%m-%dT%H:%M:%S', created_at / 1000, 'unixepoch') || '.' || printf('%03d', created_at % 1000) || 'Z',
+        updated_at = strftime('%Y-%m-%dT%H:%M:%S', updated_at / 1000, 'unixepoch') || '.' || printf('%03d', updated_at % 1000) || 'Z',
+        expires_at = CASE
+          WHEN expires_at IS NOT NULL
+          THEN strftime('%Y-%m-%dT%H:%M:%S', expires_at / 1000, 'unixepoch') || '.' || printf('%03d', expires_at % 1000) || 'Z'
+          ELSE NULL
+        END
+    WHERE typeof(created_at) = 'integer'
+  `);
+
+  // Convert canonical_guardian_deliveries timestamp columns back to ISO 8601
+  raw.exec(/*sql*/ `
+    UPDATE canonical_guardian_deliveries
+    SET created_at = strftime('%Y-%m-%dT%H:%M:%S', created_at / 1000, 'unixepoch') || '.' || printf('%03d', created_at % 1000) || 'Z',
+        updated_at = strftime('%Y-%m-%dT%H:%M:%S', updated_at / 1000, 'unixepoch') || '.' || printf('%03d', updated_at % 1000) || 'Z'
+    WHERE typeof(created_at) = 'integer'
+  `);
+
+  // Convert scoped_approval_grants timestamp columns back to ISO 8601
+  raw.exec(/*sql*/ `
+    UPDATE scoped_approval_grants
+    SET expires_at = strftime('%Y-%m-%dT%H:%M:%S', expires_at / 1000, 'unixepoch') || '.' || printf('%03d', expires_at % 1000) || 'Z',
+        created_at = strftime('%Y-%m-%dT%H:%M:%S', created_at / 1000, 'unixepoch') || '.' || printf('%03d', created_at % 1000) || 'Z',
+        updated_at = strftime('%Y-%m-%dT%H:%M:%S', updated_at / 1000, 'unixepoch') || '.' || printf('%03d', updated_at % 1000) || 'Z',
+        consumed_at = CASE
+          WHEN consumed_at IS NOT NULL
+          THEN strftime('%Y-%m-%dT%H:%M:%S', consumed_at / 1000, 'unixepoch') || '.' || printf('%03d', consumed_at % 1000) || 'Z'
+          ELSE NULL
+        END
+    WHERE typeof(created_at) = 'integer'
+  `);
+}
+
+/**
+ * Reverse v30: rebuild guardian tables with TEXT affinity on timestamp columns.
+ *
+ * Restores the original TEXT column declarations so that timestamp columns
+ * have TEXT affinity (the state before the INTEGER rebuild).
+ */
+export function migrateGuardianTimestampsRebuildDown(
+  database: DrizzleDb,
+): void {
+  const raw = getSqliteFrom(database);
+
+  rebuildCanonicalGuardianRequestsToText(raw);
+  rebuildCanonicalGuardianDeliveriesToText(raw);
+  rebuildScopedApprovalGrantsToText(raw);
+}
+
+function hasTextAffinity(raw: RawDb, table: string, column: string): boolean {
+  const row = raw
+    .query(
+      `SELECT type FROM pragma_table_info('${table}') WHERE name = '${column}'`,
+    )
+    .get() as { type: string } | null;
+  if (!row) return true; // column doesn't exist — nothing to fix
+  return row.type.toUpperCase() === "TEXT";
+}
+
+function rebuildCanonicalGuardianRequestsToText(raw: RawDb): void {
+  if (hasTextAffinity(raw, "canonical_guardian_requests", "created_at")) return;
+
+  raw.exec("PRAGMA foreign_keys = OFF");
+  try {
+    raw.exec("BEGIN");
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE canonical_guardian_requests_rb (
+        id TEXT PRIMARY KEY,
+        kind TEXT NOT NULL,
+        source_type TEXT NOT NULL,
+        source_channel TEXT,
+        conversation_id TEXT,
+        requester_external_user_id TEXT,
+        requester_chat_id TEXT,
+        guardian_external_user_id TEXT,
+        guardian_principal_id TEXT,
+        call_session_id TEXT,
+        pending_question_id TEXT,
+        question_text TEXT,
+        request_code TEXT,
+        tool_name TEXT,
+        input_digest TEXT,
+        status TEXT NOT NULL DEFAULT 'pending',
+        answer_text TEXT,
+        decided_by_external_user_id TEXT,
+        decided_by_principal_id TEXT,
+        followup_state TEXT,
+        expires_at TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      INSERT INTO canonical_guardian_requests_rb
+      SELECT id, kind, source_type, source_channel, conversation_id,
+             requester_external_user_id, requester_chat_id,
+             guardian_external_user_id, guardian_principal_id,
+             call_session_id, pending_question_id, question_text,
+             request_code, tool_name, input_digest, status, answer_text,
+             decided_by_external_user_id, decided_by_principal_id,
+             followup_state, expires_at, created_at, updated_at
+      FROM canonical_guardian_requests
+    `);
+
+    raw.exec(/*sql*/ `DROP TABLE canonical_guardian_requests`);
+    raw.exec(
+      /*sql*/ `ALTER TABLE canonical_guardian_requests_rb RENAME TO canonical_guardian_requests`,
+    );
+
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_status ON canonical_guardian_requests(status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_guardian ON canonical_guardian_requests(guardian_external_user_id, status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_conversation ON canonical_guardian_requests(conversation_id, status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_source ON canonical_guardian_requests(source_type, status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_kind ON canonical_guardian_requests(kind, status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_requests_request_code ON canonical_guardian_requests(request_code)`,
+    );
+
+    raw.exec("COMMIT");
+  } catch (e) {
+    try {
+      raw.exec("ROLLBACK");
+    } catch {
+      /* no active transaction */
+    }
+    throw e;
+  } finally {
+    raw.exec("PRAGMA foreign_keys = ON");
+  }
+}
+
+function rebuildCanonicalGuardianDeliveriesToText(raw: RawDb): void {
+  if (hasTextAffinity(raw, "canonical_guardian_deliveries", "created_at"))
+    return;
+
+  raw.exec("PRAGMA foreign_keys = OFF");
+  try {
+    raw.exec("BEGIN");
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE canonical_guardian_deliveries_rb (
+        id TEXT PRIMARY KEY,
+        request_id TEXT NOT NULL REFERENCES canonical_guardian_requests(id) ON DELETE CASCADE,
+        destination_channel TEXT NOT NULL,
+        destination_conversation_id TEXT,
+        destination_chat_id TEXT,
+        destination_message_id TEXT,
+        status TEXT NOT NULL DEFAULT 'pending',
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      INSERT INTO canonical_guardian_deliveries_rb
+      SELECT id, request_id, destination_channel, destination_conversation_id,
+             destination_chat_id, destination_message_id, status,
+             created_at, updated_at
+      FROM canonical_guardian_deliveries
+    `);
+
+    raw.exec(/*sql*/ `DROP TABLE canonical_guardian_deliveries`);
+    raw.exec(
+      /*sql*/ `ALTER TABLE canonical_guardian_deliveries_rb RENAME TO canonical_guardian_deliveries`,
+    );
+
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_request_id ON canonical_guardian_deliveries(request_id)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_status ON canonical_guardian_deliveries(status)`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_canonical_guardian_deliveries_destination ON canonical_guardian_deliveries(destination_channel, destination_chat_id)`,
+    );
+
+    raw.exec("COMMIT");
+  } catch (e) {
+    try {
+      raw.exec("ROLLBACK");
+    } catch {
+      /* no active transaction */
+    }
+    throw e;
+  } finally {
+    raw.exec("PRAGMA foreign_keys = ON");
+  }
+}
+
+function rebuildScopedApprovalGrantsToText(raw: RawDb): void {
+  if (hasTextAffinity(raw, "scoped_approval_grants", "created_at")) return;
+
+  raw.exec("PRAGMA foreign_keys = OFF");
+  try {
+    raw.exec("BEGIN");
+
+    raw.exec(/*sql*/ `
+      CREATE TABLE scoped_approval_grants_rb (
+        id TEXT PRIMARY KEY,
+        scope_mode TEXT NOT NULL,
+        request_id TEXT,
+        tool_name TEXT,
+        input_digest TEXT,
+        request_channel TEXT NOT NULL,
+        decision_channel TEXT NOT NULL,
+        execution_channel TEXT,
+        conversation_id TEXT,
+        call_session_id TEXT,
+        requester_external_user_id TEXT,
+        guardian_external_user_id TEXT,
+        status TEXT NOT NULL,
+        expires_at TEXT NOT NULL,
+        consumed_at TEXT,
+        consumed_by_request_id TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+
+    raw.exec(/*sql*/ `
+      INSERT INTO scoped_approval_grants_rb
+      SELECT id, scope_mode, request_id, tool_name, input_digest,
+             request_channel, decision_channel, execution_channel,
+             conversation_id, call_session_id,
+             requester_external_user_id, guardian_external_user_id,
+             status, expires_at, consumed_at, consumed_by_request_id,
+             created_at, updated_at
+      FROM scoped_approval_grants
+    `);
+
+    raw.exec(/*sql*/ `DROP TABLE scoped_approval_grants`);
+    raw.exec(
+      /*sql*/ `ALTER TABLE scoped_approval_grants_rb RENAME TO scoped_approval_grants`,
+    );
+
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_scoped_grants_request_id ON scoped_approval_grants(request_id) WHERE request_id IS NOT NULL`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_scoped_grants_tool_sig ON scoped_approval_grants(tool_name, input_digest) WHERE tool_name IS NOT NULL`,
+    );
+    raw.exec(
+      /*sql*/ `CREATE INDEX IF NOT EXISTS idx_scoped_grants_status_expires ON scoped_approval_grants(status, expires_at)`,
+    );
+
+    raw.exec("COMMIT");
+  } catch (e) {
+    try {
+      raw.exec("ROLLBACK");
+    } catch {
+      /* no active transaction */
+    }
+    throw e;
+  } finally {
+    raw.exec("PRAGMA foreign_keys = ON");
+  }
+}