agent-relay-server 0.15.1 → 0.17.0

package/src/insights-db.ts

@@ -77,7 +77,7 @@ export function recordObservation(input: RecordObservationInput): InsightObserva
   const now = input.createdAt ?? Date.now();
 
   const result = getDb()
-    .prepare(
+    .query(
       `INSERT INTO insights_observations (session_id, agent_id, project, signal, value, outcome, source, created_at)
        VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
     )
@@ -95,7 +95,7 @@ export function recordObservation(input: RecordObservationInput): InsightObserva
 }
 
 export function getObservation(id: number): InsightObservation | null {
-  const row = getDb().prepare("SELECT * FROM insights_observations WHERE id = ?").get(id) as ObservationRow | undefined;
+  const row = getDb().query("SELECT * FROM insights_observations WHERE id = ?").get(id) as ObservationRow | undefined;
   return row ? rowToObservation(row) : null;
 }
 
@@ -124,7 +124,7 @@ export function listObservations(query: ListObservationsQuery = {}): InsightObse
   const where = clauses.length ? `WHERE ${clauses.join(" AND ")}` : "";
   const limit = Math.min(Math.max(query.limit ?? 200, 1), 1000);
   const rows = getDb()
-    .prepare(`SELECT * FROM insights_observations ${where} ORDER BY created_at DESC, id DESC LIMIT ?`)
+    .query(`SELECT * FROM insights_observations ${where} ORDER BY created_at DESC, id DESC LIMIT ?`)
     .all(...args, limit) as ObservationRow[];
   return rows.map(rowToObservation);
 }
@@ -139,7 +139,7 @@ export function getObservationStats(signal?: string): InsightsStats[] {
   const signalFilter = signal ? "WHERE signal = ?" : "";
   const args = signal ? [signal] : [];
   const perProject = getDb()
-    .prepare(
+    .query(
       `SELECT signal, project,
               COUNT(*) AS count,
               AVG(CAST(json_extract(value, '$.ratio') AS REAL)) AS avg_ratio,
@@ -152,7 +152,7 @@ export function getObservationStats(signal?: string): InsightsStats[] {
     .all(...args) as Array<{ signal: string; project: string; count: number; avg_ratio: number | null; last_at: number | null }>;
 
   const global = getDb()
-    .prepare(
+    .query(
       `SELECT signal,
               COUNT(*) AS count,
               AVG(CAST(json_extract(value, '$.ratio') AS REAL)) AS avg_ratio,
@@ -173,7 +173,7 @@ export function getObservationStats(signal?: string): InsightsStats[] {
 /** Distinct projects that have produced at least one observation — feeds per-project baselines. */
 export function listObservationProjects(): string[] {
   const rows = getDb()
-    .prepare("SELECT DISTINCT project FROM insights_observations ORDER BY project ASC")
+    .query("SELECT DISTINCT project FROM insights_observations ORDER BY project ASC")
     .all() as Array<{ project: string }>;
   return rows.map((r) => r.project);
 }

package/src/lifecycle-manager.ts

@@ -472,7 +472,7 @@ export class LifecycleManager {
   }
 
   private lastActivityAt(agentId: string): number {
-    const row = getDb().prepare(`
+    const row = getDb().query(`
       SELECT max(created_at) AS at
       FROM messages
       WHERE from_agent = ? OR to_target = ? OR resolved_to_agent = ?
@@ -481,12 +481,12 @@ export class LifecycleManager {
   }
 
   private hasQueuedMessages(policyName: string): boolean {
-    const row = getDb().prepare("SELECT 1 FROM messages WHERE to_target = ? AND delivery_status = 'queued' LIMIT 1").get(`policy:${policyName}`);
+    const row = getDb().query("SELECT 1 FROM messages WHERE to_target = ? AND delivery_status = 'queued' LIMIT 1").get(`policy:${policyName}`);
     return Boolean(row);
   }
 
   private hasActiveCommand(target: string, type: string): boolean {
-    const row = getDb().prepare("SELECT 1 FROM commands WHERE target = ? AND type = ? AND status IN ('pending', 'accepted', 'running') LIMIT 1").get(target, type);
+    const row = getDb().query("SELECT 1 FROM commands WHERE target = ? AND type = ? AND status IN ('pending', 'accepted', 'running') LIMIT 1").get(target, type);
     return Boolean(row);
   }
 

package/src/maintenance.ts

@@ -26,6 +26,7 @@ import {
   releaseExpiredClaims,
   releaseExpiredMergeLeases,
   releaseOrphanedTasks,
+  runDbMaintenance,
   sendMessage,
   sweepArtifacts,
   updateWorkspaceStatus,
@@ -56,6 +57,11 @@ const OUTBOX_RETENTION_MS = Number(process.env.AGENT_RELAY_OUTBOX_RETENTION_MS)
 const TOKEN_RECORD_RETENTION_SECONDS = Number(process.env.AGENT_RELAY_TOKEN_RECORD_RETENTION_SECONDS) || 7 * 24 * 60 * 60;
 const CONFLICT_SCAN_INTERVAL_MS = Number(process.env.AGENT_RELAY_CONFLICT_SCAN_INTERVAL_MS) || 2 * 60 * 1000;
 const WORKSPACE_RETENTION_MS = Number(process.env.AGENT_RELAY_WORKSPACE_RETENTION_MS) || DAY_MS;
+const DB_MAINTENANCE_INTERVAL_MS = Number(process.env.AGENT_RELAY_DB_MAINTENANCE_INTERVAL_MS) || DAY_MS;
+// VACUUM rewrites the whole file (auto_vacuum is off), so run it sparingly.
+// Default: every 7th db-maintenance pass (~weekly at the default daily interval).
+const DB_VACUUM_EVERY = Number(process.env.AGENT_RELAY_DB_VACUUM_EVERY) || 7;
+let dbMaintenanceRuns = 0;
 const WORKSPACE_REVIEW_TTL_MS = Number(process.env.AGENT_RELAY_WORKSPACE_REVIEW_TTL_MS) || 3 * DAY_MS;
 const WORKSPACE_GC_INTERVAL_MS = Number(process.env.AGENT_RELAY_WORKSPACE_GC_INTERVAL_MS) || 60 * 60 * 1000;
 // Deterministic auto-land (Layer 0): merge clean fast-forwards with no human in
@@ -305,6 +311,19 @@ const definitions: MaintenanceJobDefinition[] = [
       return { prunedMessages: pruneOldMessages(retentionDays * DAY_MS) };
     },
   },
+  {
+    id: "db-maintenance",
+    title: "Database maintenance",
+    description: "Refresh planner stats (ANALYZE + optimize), truncate the WAL, and periodically VACUUM to reclaim space.",
+    intervalMs: DB_MAINTENANCE_INTERVAL_MS,
+    runOnStart: false,
+    timeoutMs: 5 * 60 * 1000,
+    handler() {
+      dbMaintenanceRuns += 1;
+      const vacuum = DB_VACUUM_EVERY > 0 && dbMaintenanceRuns % DB_VACUUM_EVERY === 0;
+      return runDbMaintenance({ vacuum });
+    },
+  },
   {
     id: "bus-outbox-prune",
     title: "Bus outbox prune",
@@ -867,7 +886,7 @@ export function startMaintenanceScheduler(): void {
 
 export function listMaintenanceJobs(): MaintenanceJob[] {
   ensureMaintenanceJobs();
-  const rows = getDb().prepare("SELECT * FROM maintenance_jobs ORDER BY title COLLATE NOCASE ASC").all() as MaintenanceJobRow[];
+  const rows = getDb().query("SELECT * FROM maintenance_jobs ORDER BY title COLLATE NOCASE ASC").all() as MaintenanceJobRow[];
   const now = Date.now();
   return rows.map((row) => rowToJob(row, now));
 }
@@ -895,7 +914,7 @@ async function runMaintenanceJobsNow(ids: string[]): Promise<MaintenanceJobRun[]
 async function runDueMaintenanceJobs(): Promise<void> {
   ensureMaintenanceJobs();
   const now = Date.now();
-  const rows = getDb().prepare(`
+  const rows = getDb().query(`
     SELECT id FROM maintenance_jobs
     WHERE enabled = 1
       AND next_run_at IS NOT NULL
@@ -914,7 +933,7 @@ async function runDueMaintenanceJobs(): Promise<void> {
 function ensureMaintenanceJobs(): void {
   const db = getDb();
   const now = Date.now();
-  const stmt = db.prepare(`
+  const stmt = db.query(`
     INSERT INTO maintenance_jobs (id, title, description, interval_ms, timeout_ms, enabled, run_on_start, next_run_at, updated_at)
     VALUES (?, ?, ?, ?, ?, 1, ?, ?, ?)
     ON CONFLICT(id) DO UPDATE SET
@@ -946,7 +965,7 @@ async function runJob(definition: MaintenanceJobDefinition, options: { force?: b
   const owner = `${process.pid}-${randomUUID()}`;
   const timeoutMs = definition.timeoutMs ?? DEFAULT_TIMEOUT_MS;
   const leaseUntil = startedAt + timeoutMs + 5_000;
-  const claim = db.prepare(`
+  const claim = db.query(`
     UPDATE maintenance_jobs
     SET lease_owner = ?, lease_until = ?, last_status = 'running', updated_at = ?
     WHERE id = ?
@@ -963,7 +982,7 @@ async function runJob(definition: MaintenanceJobDefinition, options: { force?: b
     const result = await withTimeout(Promise.resolve(definition.handler()), timeoutMs);
     const finishedAt = Date.now();
     const durationMs = finishedAt - startedAt;
-    db.prepare(`
+    db.query(`
       UPDATE maintenance_jobs
       SET last_run_at = ?, next_run_at = ?, last_duration_ms = ?, last_status = 'succeeded',
           last_error = NULL, last_result = ?, consecutive_failures = 0,
@@ -975,7 +994,7 @@ async function runJob(definition: MaintenanceJobDefinition, options: { force?: b
     const finishedAt = Date.now();
     const durationMs = finishedAt - startedAt;
     const message = error instanceof Error ? error.message : String(error);
-    db.prepare(`
+    db.query(`
       UPDATE maintenance_jobs
       SET last_run_at = ?, next_run_at = ?, last_duration_ms = ?, last_status = 'failed',
           last_error = ?, consecutive_failures = consecutive_failures + 1,

package/src/managed-policy.ts

@@ -1,5 +1,5 @@
 import { resolveProviderSelection } from "agent-relay-sdk/provider-catalog";
-import { getAgentProfile } from "./config-store";
+import { getAgentProfile, workspaceSpawnParams } from "./config-store";
 import { runnerRuntimeTokenEnv } from "./runtime-tokens";
 import type { SpawnPolicy, WorkspaceMode } from "./types";
 
@@ -55,6 +55,7 @@ export function buildManagedSpawnParams(policy: SpawnPolicy, requestId: string,
     ...resolvedModelParams(policy),
     ...(policy.profile ? { profile: policy.profile } : {}),
     ...(agentProfile ? { agentProfile } : {}),
+    ...workspaceSpawnParams(),
     label: policy.label,
     tags: policy.tags,
     capabilities: policy.capabilities,

package/src/memory-sqlite-broker.ts

@@ -86,10 +86,10 @@ export class SqliteMemoryBroker implements MemoryBroker {
       expiresAt: input.ttlMs === undefined ? undefined : now + input.ttlMs,
     }, { now });
     const contentHash = memoryContentHash(memory);
-    const existing = this.db.prepare("SELECT * FROM memories WHERE content_hash = ? ORDER BY updated_at DESC LIMIT 1").get(contentHash) as MemoryRow | undefined;
+    const existing = this.db.query("SELECT * FROM memories WHERE content_hash = ? ORDER BY updated_at DESC LIMIT 1").get(contentHash) as MemoryRow | undefined;
     if (existing) return rowToMemory(existing);
 
-    this.db.prepare(`
+    this.db.query(`
       INSERT INTO memories (
         id, type, scope, title, content, tags, visibility, sensitivity, confidence, redaction_state,
         relevance_score, source_agent, source_task, created_by, content_hash, metadata, access_count,
@@ -124,7 +124,7 @@ export class SqliteMemoryBroker implements MemoryBroker {
   }
 
   async get(id: string, _ctx: MemoryBrokerContext): Promise<Memory | null> {
-    const row = this.db.prepare("SELECT * FROM memories WHERE id = ?").get(id) as MemoryRow | undefined;
+    const row = this.db.query("SELECT * FROM memories WHERE id = ?").get(id) as MemoryRow | undefined;
     return row ? rowToMemory(row) : null;
   }
 
@@ -156,7 +156,7 @@ export class SqliteMemoryBroker implements MemoryBroker {
     }, { now: ctx.now });
     const contentHash = memoryContentHash(next);
 
-    this.db.prepare(`
+    this.db.query(`
       UPDATE memories SET
         title = ?,
         content = ?,
@@ -191,12 +191,12 @@ export class SqliteMemoryBroker implements MemoryBroker {
   }
 
   async delete(id: string, _ctx: MemoryBrokerContext): Promise<void> {
-    this.db.prepare("DELETE FROM memories WHERE id = ?").run(id);
+    this.db.query("DELETE FROM memories WHERE id = ?").run(id);
   }
 
   async stats(ctx: MemoryBrokerContext): Promise<MemoryStats> {
     const memories = filterMemoriesForQuery(
-      (this.db.prepare("SELECT * FROM memories").all() as MemoryRow[]).map(rowToMemory),
+      (this.db.query("SELECT * FROM memories").all() as MemoryRow[]).map(rowToMemory),
       {},
       ctx,
     );
@@ -243,12 +243,12 @@ export class SqliteMemoryBroker implements MemoryBroker {
 
   async markInjected(agentId: string, memoryIds: string[], ctx: MemoryBrokerContext): Promise<void> {
     const uniqueIds = [...new Set(memoryIds)];
-    const insert = this.db.prepare(`
+    const insert = this.db.query(`
       INSERT INTO agent_active_memories (agent_id, memory_id, loaded_at)
       VALUES (?, ?, ?)
       ON CONFLICT(agent_id, memory_id) DO UPDATE SET loaded_at = excluded.loaded_at
     `);
-    const touch = this.db.prepare("UPDATE memories SET access_count = access_count + 1, last_accessed_at = ? WHERE id = ?");
+    const touch = this.db.query("UPDATE memories SET access_count = access_count + 1, last_accessed_at = ? WHERE id = ?");
     const tx = this.db.transaction(() => {
       for (const memoryId of uniqueIds) {
         insert.run(agentId, memoryId, ctx.now);
@@ -259,11 +259,11 @@ export class SqliteMemoryBroker implements MemoryBroker {
   }
 
   async clearActive(agentId: string, _reason: ActiveMemoryClearReason, _ctx: MemoryBrokerContext): Promise<void> {
-    this.db.prepare("DELETE FROM agent_active_memories WHERE agent_id = ?").run(agentId);
+    this.db.query("DELETE FROM agent_active_memories WHERE agent_id = ?").run(agentId);
   }
 
   async listActive(agentId: string, ctx: MemoryBrokerContext): Promise<Memory[]> {
-    const rows = this.db.prepare(`
+    const rows = this.db.query(`
       SELECT memories.*
       FROM agent_active_memories
       JOIN memories ON memories.id = agent_active_memories.memory_id
@@ -274,7 +274,7 @@ export class SqliteMemoryBroker implements MemoryBroker {
   }
 
   listActiveMemoryIds(agentId: string): string[] {
-    return (this.db.prepare("SELECT memory_id FROM agent_active_memories WHERE agent_id = ? ORDER BY loaded_at DESC").all(agentId) as Array<{ memory_id: string }>).map((row) => row.memory_id);
+    return (this.db.query("SELECT memory_id FROM agent_active_memories WHERE agent_id = ? ORDER BY loaded_at DESC").all(agentId) as Array<{ memory_id: string }>).map((row) => row.memory_id);
   }
 
   private queryRows(query: MemoryQuery): MemoryRow[] {
@@ -293,7 +293,7 @@ export class SqliteMemoryBroker implements MemoryBroker {
       params.push(query.visibility);
     }
     sql += " ORDER BY relevance_score DESC, updated_at DESC";
-    return this.db.prepare(sql).all(...params) as MemoryRow[];
+    return this.db.query(sql).all(...params) as MemoryRow[];
   }
 
   private get db(): Database {

package/src/provider-catalog-store.ts

@@ -36,7 +36,7 @@ interface ProviderModelOverrideInput {
 
 function listProviderModelOverrides(): ProviderModelOverride[] {
   const rows = getDb()
-    .prepare("SELECT * FROM provider_model_overrides ORDER BY provider ASC, alias ASC")
+    .query("SELECT * FROM provider_model_overrides ORDER BY provider ASC, alias ASC")
     .all() as ProviderModelOverrideRow[];
   return rows.map(rowToOverride).filter((entry): entry is ProviderModelOverride => Boolean(entry));
 }
@@ -44,7 +44,7 @@ function listProviderModelOverrides(): ProviderModelOverride[] {
 export function upsertProviderModelOverride(input: ProviderModelOverrideInput): ProviderModelOverride {
   const normalized = normalizeOverrideInput(input);
   const now = Date.now();
-  getDb().prepare(`
+  getDb().query(`
     INSERT INTO provider_model_overrides (provider, alias, entry, deleted, updated_at, updated_by)
     VALUES (?, ?, ?, ?, ?, ?)
     ON CONFLICT(provider, alias) DO UPDATE SET

package/src/recipe-db.ts

@@ -53,7 +53,7 @@ export function validateRecipeArtifactRefs(refs: AttachmentRef[]): void {
 export function createRecipeInstance(input: CreateRecipeInstanceInput): RecipeInstance {
   const now = Date.now();
   const id = randomUUID();
-  getDb().prepare(`
+  getDb().query(`
     INSERT INTO recipe_instances (id, recipe_name, recipe_source, cwd, orchestrator_id, status, started_by, started_at)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?)
   `).run(id, input.recipeName, input.recipeSource, input.cwd, input.orchestratorId, "starting", input.startedBy, now);
@@ -81,13 +81,13 @@ export function linkRecipeArtifacts(instanceId: string, refs: AttachmentRef[], c
 
 export function listRecipeInstances(status?: RecipeInstanceStatus): RecipeInstance[] {
   const rows = status
-    ? getDb().prepare("SELECT * FROM recipe_instances WHERE status = ? ORDER BY started_at DESC").all(status)
-    : getDb().prepare("SELECT * FROM recipe_instances ORDER BY started_at DESC").all();
+    ? getDb().query("SELECT * FROM recipe_instances WHERE status = ? ORDER BY started_at DESC").all(status)
+    : getDb().query("SELECT * FROM recipe_instances ORDER BY started_at DESC").all();
   return (rows as RecipeInstanceRow[]).map(rowToRecipeInstance);
 }
 
 export function getRecipeInstance(id: string): RecipeInstance | null {
-  const row = getDb().prepare("SELECT * FROM recipe_instances WHERE id = ?").get(id) as RecipeInstanceRow | undefined;
+  const row = getDb().query("SELECT * FROM recipe_instances WHERE id = ?").get(id) as RecipeInstanceRow | undefined;
   return row ? rowToRecipeInstance(row) : null;
 }
 
@@ -97,7 +97,7 @@ export function updateRecipeInstance(
 ): RecipeInstance | null {
   const existing = getRecipeInstance(id);
   if (!existing) return null;
-  getDb().prepare(`
+  getDb().query(`
     UPDATE recipe_instances
     SET status = ?, error = ?, stopped_at = ?
     WHERE id = ?
@@ -111,7 +111,7 @@ export function updateRecipeInstance(
 }
 
 export function upsertRecipeAgentInstance(input: UpsertRecipeAgentInstanceInput): RecipeAgentInstance {
-  getDb().prepare(`
+  getDb().query(`
     INSERT INTO recipe_agent_instances (instance_id, role, agent_id, provider, status, idx)
     VALUES (?, ?, ?, ?, ?, ?)
     ON CONFLICT(instance_id, role, agent_id) DO UPDATE SET
@@ -128,7 +128,7 @@ export function updateRecipeAgentInstance(
   agentId: string,
   status: RecipeAgentStatus,
 ): RecipeAgentInstance | null {
-  const changed = getDb().prepare(`
+  const changed = getDb().query(`
     UPDATE recipe_agent_instances
     SET status = ?
     WHERE instance_id = ? AND agent_id = ?
@@ -143,7 +143,7 @@ export function replaceRecipeAgentInstanceAgentId(
   nextAgentId: string,
   status: RecipeAgentStatus,
 ): RecipeAgentInstance | null {
-  const changed = getDb().prepare(`
+  const changed = getDb().query(`
     UPDATE recipe_agent_instances
     SET agent_id = ?, status = ?
     WHERE instance_id = ? AND agent_id = ?
@@ -153,7 +153,7 @@ export function replaceRecipeAgentInstanceAgentId(
 }
 
 function listRecipeAgentInstances(instanceId: string): RecipeAgentInstance[] {
-  const rows = getDb().prepare(`
+  const rows = getDb().query(`
     SELECT * FROM recipe_agent_instances
     WHERE instance_id = ?
     ORDER BY role ASC, idx ASC, agent_id ASC

package/src/routes.ts

@@ -108,6 +108,9 @@ import {
   getStewardConfigEntry,
   getInsightsConfigEntry,
   setInsightsConfig,
+  getWorkspaceConfigEntry,
+  setWorkspaceConfig,
+  workspaceSpawnParams,
   listAgentProfiles,
   listSpawnPolicies,
   listConfig,
@@ -594,6 +597,12 @@ function normalizeMessageInput(body: unknown): SendMessageInput {
     }
     input.maxAgeSeconds = body.maxAgeSeconds;
   }
+  if (body.occurredAt !== undefined) {
+    if (typeof body.occurredAt !== "number" || !Number.isFinite(body.occurredAt) || body.occurredAt <= 0) {
+      throw new ValidationError("occurredAt must be a positive epoch-ms number");
+    }
+    input.occurredAt = body.occurredAt;
+  }
 
   const channel = cleanString(body.channel, "channel", { max: 120 });
   if (channel) input.channel = channel;
@@ -2296,6 +2305,7 @@ function restartSpawnParamsForAgent(
     workspaceMode,
     ...(profileName ? { profile: profileName } : {}),
     ...(agentProfile ? { agentProfile } : {}),
+    ...workspaceSpawnParams(),
     ...(label ? { label } : {}),
     agentId: agent.id,
     tags: agent.tags,
@@ -3612,6 +3622,7 @@ const postOrchestratorSpawn: Handler = async (req, params) => {
         permissionMode: approvalMode,
         profile,
         agentProfile,
+        ...workspaceSpawnParams(),
         providerArgs,
         prompt,
         systemPromptAppend,
@@ -4599,6 +4610,25 @@ const putStewardConfigRoute: Handler = async (req) => {
   }
 };
 
+const getWorkspaceConfigRoute: Handler = () => json(getWorkspaceConfigEntry());
+
+const putWorkspaceConfigRoute: Handler = async (req) => {
+  const parsed = await parseBody<unknown>(req);
+  if (!parsed.ok) return error(parsed.error, parsed.status);
+  try {
+    const value = isRecord(parsed.body) && Object.prototype.hasOwnProperty.call(parsed.body, "value")
+      ? parsed.body.value
+      : parsed.body;
+    const updatedBy = isRecord(parsed.body) ? cleanString(parsed.body.updatedBy, "updatedBy", { max: 200 }) : undefined;
+    const entry = setWorkspaceConfig(value, updatedBy);
+    emitConfigChanged(entry.namespace, entry.key, entry.version);
+    return json(entry, entry.version === 1 ? 201 : 200);
+  } catch (e) {
+    if (e instanceof ValidationError) return error(e.message, 400);
+    throw e;
+  }
+};
+
 // --- Insights / self-improvement (epic #183, docs/self-improvement.md) ---
 
 const getInsightsConfigRoute: Handler = () => json(getInsightsConfigEntry());
@@ -4635,6 +4665,14 @@ const getInsightsObservationsRoute: Handler = (req) => {
   });
 };
 
+// Accept a backfilled event time only when it's a sane epoch-ms value within a minute of
+// now (clock-skew guard); otherwise let recordObservation default to receive time.
+function sanitizeObservationOccurredAt(occurredAt: unknown): number | undefined {
+  if (typeof occurredAt !== "number" || !Number.isFinite(occurredAt)) return undefined;
+  if (occurredAt <= 0 || occurredAt > Date.now() + 60_000) return undefined;
+  return Math.floor(occurredAt);
+}
+
 const postInsightsObservationRoute: Handler = async (req) => {
   const parsed = await parseBody<unknown>(req);
   if (!parsed.ok) return error(parsed.error, parsed.status);
@@ -4656,6 +4694,10 @@ const postInsightsObservationRoute: Handler = async (req) => {
       value: isRecord(body.value) ? body.value : {},
       outcome: isRecord(body.outcome) ? body.outcome : undefined,
       source: body.source === "server" ? "server" : "agent",
+      // For insights the event time IS the record time (end-of-session). When the Runner
+      // backfilled this through its durable outbox (#196), occurredAt preserves the real
+      // moment rather than the later server-receive time.
+      createdAt: sanitizeObservationOccurredAt(body.occurredAt),
     });
     return json(observation, 201);
   } catch (e) {
@@ -6569,6 +6611,8 @@ const routes: Route[] = [
   route("DELETE", "/api/agent-profiles/:name", deleteAgentProfileRoute),
   route("GET", "/api/steward-config", getStewardConfigRoute),
   route("PUT", "/api/steward-config", putStewardConfigRoute),
+  route("GET", "/api/workspace-config", getWorkspaceConfigRoute),
+  route("PUT", "/api/workspace-config", putWorkspaceConfigRoute),
   route("GET", "/api/insights/config", getInsightsConfigRoute),
   route("PUT", "/api/insights/config", putInsightsConfigRoute),
   route("GET", "/api/insights/observations", getInsightsObservationsRoute),

package/src/security.ts

@@ -453,7 +453,7 @@ function isTokenConstraints(value: unknown): value is TokenConstraints {
 
 function isTokenRevoked(jti: string): boolean {
   try {
-    const row = getDb().prepare("SELECT revoked_at FROM tokens WHERE jti = ?").get(jti) as { revoked_at?: number | null } | undefined;
+    const row = getDb().query("SELECT revoked_at FROM tokens WHERE jti = ?").get(jti) as { revoked_at?: number | null } | undefined;
     return Boolean(row?.revoked_at);
   } catch {
     return false;

package/src/token-db.ts

@@ -143,7 +143,7 @@ export function createToken(input: {
     jti,
   };
   const token = signComponentToken(payload);
-  getDb().prepare(`
+  getDb().query(`
     INSERT INTO tokens (jti, sub, role, scope, constraints, profile_id, issued_at, expires_at, created_by)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
   `).run(jti, input.sub, role, JSON.stringify(scope), constraints ? JSON.stringify(constraints) : null, profile?.id ?? null, now, expiresAt ?? null, input.createdBy ?? null);
@@ -151,17 +151,17 @@ export function createToken(input: {
 }
 
 export function listTokens(): TokenRecord[] {
-  const rows = getDb().prepare("SELECT * FROM tokens ORDER BY issued_at DESC").all() as TokenRow[];
+  const rows = getDb().query("SELECT * FROM tokens ORDER BY issued_at DESC").all() as TokenRow[];
   return rows.map(rowToToken);
 }
 
 export function getToken(jti: string): TokenRecord | null {
-  const row = getDb().prepare("SELECT * FROM tokens WHERE jti = ?").get(jti) as TokenRow | undefined;
+  const row = getDb().query("SELECT * FROM tokens WHERE jti = ?").get(jti) as TokenRow | undefined;
   return row ? rowToToken(row) : null;
 }
 
 export function revokeToken(jti: string): boolean {
-  return getDb().prepare("UPDATE tokens SET revoked_at = ? WHERE jti = ? AND revoked_at IS NULL").run(Math.floor(Date.now() / 1000), jti).changes > 0;
+  return getDb().query("UPDATE tokens SET revoked_at = ? WHERE jti = ? AND revoked_at IS NULL").run(Math.floor(Date.now() / 1000), jti).changes > 0;
 }
 
 export function renewToken(input: {
@@ -192,7 +192,7 @@ export function pruneExpiredTokenRecords(input: {
   const retentionSeconds = input.retentionSeconds ?? 7 * 24 * 60 * 60;
   const nowSeconds = input.nowSeconds ?? Math.floor(Date.now() / 1000);
   const cutoff = nowSeconds - retentionSeconds;
-  const rows = getDb().prepare(`
+  const rows = getDb().query(`
     DELETE FROM tokens
     WHERE (expires_at IS NOT NULL AND expires_at <= ?)
        OR (revoked_at IS NOT NULL AND revoked_at <= ?)
@@ -203,13 +203,13 @@ export function pruneExpiredTokenRecords(input: {
 
 export function listTokenProfiles(): TokenProfile[] {
   ensureBuiltInTokenProfiles();
-  const rows = getDb().prepare("SELECT * FROM token_profiles ORDER BY built_in DESC, name COLLATE NOCASE ASC").all() as TokenProfileRow[];
+  const rows = getDb().query("SELECT * FROM token_profiles ORDER BY built_in DESC, name COLLATE NOCASE ASC").all() as TokenProfileRow[];
   return rows.map(rowToProfile);
 }
 
 export function getTokenProfile(id: string): TokenProfile | null {
   ensureBuiltInTokenProfiles();
-  const row = getDb().prepare("SELECT * FROM token_profiles WHERE id = ?").get(id) as TokenProfileRow | undefined;
+  const row = getDb().query("SELECT * FROM token_profiles WHERE id = ?").get(id) as TokenProfileRow | undefined;
   return row ? rowToProfile(row) : null;
 }
 
@@ -219,7 +219,7 @@ export function upsertTokenProfile(input: CreateTokenProfileInput): TokenProfile
   const id = input.id ?? slugify(input.name);
   const existing = getTokenProfile(id);
   if (existing?.builtIn) throw new Error("built-in token profiles cannot be modified");
-  getDb().prepare(`
+  getDb().query(`
     INSERT INTO token_profiles (id, name, description, role, scope, constraints, ttl_seconds, built_in, created_at, updated_at, created_by)
     VALUES (?, ?, ?, ?, ?, ?, ?, 0, ?, ?, ?)
     ON CONFLICT(id) DO UPDATE SET
@@ -268,12 +268,12 @@ export function updateTokenProfile(id: string, patch: UpdateTokenProfileInput):
 
 export function deleteTokenProfile(id: string): boolean {
   ensureBuiltInTokenProfiles();
-  return getDb().prepare("DELETE FROM token_profiles WHERE id = ? AND built_in = 0").run(id).changes > 0;
+  return getDb().query("DELETE FROM token_profiles WHERE id = ? AND built_in = 0").run(id).changes > 0;
 }
 
 function ensureBuiltInTokenProfiles(): void {
   const now = Date.now();
-  const stmt = getDb().prepare(`
+  const stmt = getDb().query(`
     INSERT INTO token_profiles (id, name, description, role, scope, constraints, ttl_seconds, built_in, created_at, updated_at, created_by)
     VALUES (?, ?, ?, ?, ?, ?, ?, 1, ?, ?, ?)
     ON CONFLICT(id) DO UPDATE SET