assistme 0.1.4 → 0.1.5

package/dist/{chunk-VWSNGP65.js → chunk-QXT7DH44.js}

@@ -138,22 +138,6 @@ function writeAuthStore(data) {
   ensureAuthDir();
   writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 384 });
 }
-var fileStorage = {
-  getItem(key) {
-    const store = readAuthStore();
-    return store[key] ?? null;
-  },
-  setItem(key, value) {
-    const store = readAuthStore();
-    store[key] = value;
-    writeAuthStore(store);
-  },
-  removeItem(key) {
-    const store = readAuthStore();
-    delete store[key];
-    writeAuthStore(store);
-  }
-};
 var supabase = null;
 function getSupabase() {
   if (!supabase) {
@@ -164,12 +148,7 @@ function getSupabase() {
       );
     }
     supabase = createClient(config2.supabaseUrl, config2.supabaseAnonKey, {
-      auth: {
-        storage: fileStorage,
-        autoRefreshToken: false,
-        // We handle refresh via am_ token
-        persistSession: true
-      }
+      auth: { persistSession: false }
     });
   }
   return supabase;
@@ -177,16 +156,13 @@ function getSupabase() {
 function hashToken(token) {
   return createHash("sha256").update(token).digest("hex");
 }
-async function authenticateWithMcpToken(mcpToken) {
-  const tokenHash = hashToken(mcpToken);
-  const sb = getSupabase();
-  const { data, error } = await sb.rpc("login_with_mcp_token", {
-    p_token_hash: tokenHash
-  });
-  if (error) throw new Error(`Token validation failed: ${error.message}`);
-  if (data?.error) throw new Error(data.error);
-  if (!data?.access_token) throw new Error("Token validation returned no session");
-  return data;
+function getTokenHash() {
+  const store = readAuthStore();
+  const token = store["mcp_token"];
+  if (!token || !token.startsWith("am_")) {
+    throw new Error("Not authenticated. Run `assistme login`.");
+  }
+  return hashToken(token);
 }
 async function loginWithToken(mcpToken) {
   if (!mcpToken.startsWith("am_")) {
@@ -194,195 +170,149 @@ async function loginWithToken(mcpToken) {
       "Invalid token format. Use an am_ token from the web page."
     );
   }
-  const { access_token, user_id } = await authenticateWithMcpToken(mcpToken);
-  const store = readAuthStore();
-  store["mcp_token"] = mcpToken;
-  writeAuthStore(store);
+  const hash = hashToken(mcpToken);
   const sb = getSupabase();
-  const { data, error } = await sb.auth.setSession({
-    access_token,
-    refresh_token: "mcp_managed"
-    // placeholder; we refresh via am_ token
+  const { data, error } = await sb.rpc("validate_mcp_token", {
+    p_token_hash: hash
   });
-  if (error) throw new Error(`Login failed: ${error.message}`);
-  if (!data.user) throw new Error("Login failed: no user returned");
-  return data.user.id;
-}
-async function refreshWithCliToken() {
+  if (error) throw new Error(`Token validation failed: ${error.message}`);
+  if (!data || data.length === 0) throw new Error("Invalid or expired token");
   const store = readAuthStore();
-  const mcpToken = store["mcp_token"];
-  if (!mcpToken || !mcpToken.startsWith("am_")) return null;
-  try {
-    const { access_token } = await authenticateWithMcpToken(mcpToken);
-    const sb = getSupabase();
-    const { data, error } = await sb.auth.setSession({
-      access_token,
-      refresh_token: "mcp_managed"
-    });
-    if (error || !data.user) return null;
-    return data.user.id;
-  } catch {
-    return null;
-  }
-}
-async function getSession() {
-  const sb = getSupabase();
-  const { data } = await sb.auth.getSession();
-  return data.session;
+  store["mcp_token"] = mcpToken;
+  writeAuthStore(store);
+  return data[0].out_user_id;
 }
 async function getCurrentUserId() {
+  const hash = getTokenHash();
   const sb = getSupabase();
-  const { data, error } = await sb.auth.getUser();
-  if (error || !data.user) {
-    const refreshed = await refreshWithCliToken();
-    if (refreshed) return refreshed;
-    throw new Error("Not authenticated. Run `assistme login`.");
+  const { data, error } = await sb.rpc("validate_mcp_token", {
+    p_token_hash: hash
+  });
+  if (error || !data || data.length === 0) {
+    throw new Error("Token expired or revoked. Run `assistme login`.");
   }
-  return data.user.id;
+  return data[0].out_user_id;
 }
 async function logout() {
-  const sb = getSupabase();
-  await sb.auth.signOut();
   try {
     writeAuthStore({});
   } catch {
   }
 }
-async function createSession(userId, sessionName, workspacePath, version) {
+async function createSession(_userId, sessionName, workspacePath, version) {
   const sb = getSupabase();
-  const { data, error } = await sb.from("agent_sessions").insert({
-    user_id: userId,
-    session_name: sessionName,
-    status: "online",
-    workspace_path: workspacePath,
-    agent_version: version,
-    metadata: { model: getConfig().model }
-  }).select().single();
+  const { data, error } = await sb.rpc("mcp_create_session", {
+    p_token_hash: getTokenHash(),
+    p_session_name: sessionName,
+    p_workspace_path: workspacePath,
+    p_version: version,
+    p_model: getConfig().model || null
+  });
   if (error) throw new Error(`Failed to create session: ${error.message}`);
   return data;
 }
 async function updateHeartbeat(sessionId) {
   const sb = getSupabase();
-  const { error } = await sb.from("agent_sessions").update({ last_heartbeat_at: (/* @__PURE__ */ new Date()).toISOString() }).eq("id", sessionId);
+  const { error } = await sb.rpc("mcp_heartbeat", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId
+  });
   if (error) log.warn(`Heartbeat update failed: ${error.message}`);
 }
 async function endSession(sessionId) {
   const sb = getSupabase();
-  const { error } = await sb.from("agent_sessions").update({
-    status: "offline",
-    ended_at: (/* @__PURE__ */ new Date()).toISOString()
-  }).eq("id", sessionId);
+  const { error } = await sb.rpc("mcp_end_session", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId
+  });
   if (error) log.error(`Failed to end session: ${error.message}`);
 }
 async function setSessionBusy(sessionId, busy) {
   const sb = getSupabase();
-  await sb.from("agent_sessions").update({ status: busy ? "busy" : "online" }).eq("id", sessionId);
+  await sb.rpc("mcp_set_session_busy", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+    p_busy: busy
+  });
 }
-async function getOrCreateCliConversation(userId, sessionId) {
+async function getOrCreateCliConversation(_userId, _sessionId) {
   const sb = getSupabase();
-  const { data: existing } = await sb.from("conversations").select("id").eq("agent", "cli").eq("created_by", userId).order("created_at", { ascending: false }).limit(1);
-  if (existing && existing.length > 0) {
-    return existing[0].id;
-  }
-  const { data: conv, error: convErr } = await sb.from("conversations").insert({
-    conversation_type: "direct",
-    agent: "cli",
-    created_by: userId
-  }).select("id").single();
-  if (convErr || !conv) {
-    throw new Error(`Failed to create conversation: ${convErr?.message}`);
-  }
-  await sb.from("conversation_participants").insert([
-    { conversation_id: conv.id, user_id: userId, role: "member" },
-    { conversation_id: conv.id, user_id: CLI_AGENT_ID, role: "member" }
-  ]);
-  return conv.id;
+  const { data, error } = await sb.rpc("mcp_get_or_create_conversation", {
+    p_token_hash: getTokenHash()
+  });
+  if (error) throw new Error(`Failed to get conversation: ${error.message}`);
+  return data;
 }
-async function createTask(conversationId, userId, sessionId, prompt) {
+async function createTask(conversationId, _userId, sessionId, prompt) {
   const sb = getSupabase();
-  const { data: rpcResult, error: rpcError } = await sb.rpc(
-    "create_task_pair",
-    {
-      p_conversation_id: conversationId,
-      p_user_id: userId,
-      p_agent_id: CLI_AGENT_ID,
-      p_session_id: sessionId,
-      p_prompt: prompt
-    }
-  );
-  if (!rpcError && rpcResult) {
-    return { ...rpcResult, prompt };
-  }
-  if (rpcError) {
-    log.debug(`create_task_pair RPC unavailable, using fallback: ${rpcError.message}`);
-  }
-  const { error: userErr } = await sb.from("conversation_messages").insert({
-    conversation_id: conversationId,
-    sender_id: userId,
-    role: "user",
-    content: prompt
+  const { data, error } = await sb.rpc("mcp_create_task", {
+    p_token_hash: getTokenHash(),
+    p_conversation_id: conversationId,
+    p_session_id: sessionId,
+    p_prompt: prompt
   });
-  if (userErr) throw new Error(`Failed to create user message: ${userErr.message}`);
-  const { data, error } = await sb.from("conversation_messages").insert({
-    conversation_id: conversationId,
-    sender_id: CLI_AGENT_ID,
-    role: "assistant",
-    content: "",
-    status: "pending",
-    session_id: sessionId,
-    metadata: { prompt }
-  }).select().single();
   if (error) throw new Error(`Failed to create task: ${error.message}`);
   return { ...data, prompt };
 }
 async function pollPendingTasks(sessionId) {
   const sb = getSupabase();
-  const { data, error } = await sb.from("conversation_messages").select("*").eq("session_id", sessionId).eq("status", "pending").order("created_at", { ascending: true }).limit(1);
+  const { data, error } = await sb.rpc("mcp_poll_tasks", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId
+  });
   if (error) {
     log.warn(`Task poll failed: ${error.message}`);
     return [];
   }
-  return (data || []).map((row) => ({
+  const rows = data || [];
+  return rows.map((row) => ({
     ...row,
     prompt: row.metadata?.prompt || row.content || ""
   }));
 }
+async function pollAndClaimTask(sessionId) {
+  const sb = getSupabase();
+  const { data, error } = await sb.rpc("mcp_poll_and_claim_task", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId
+  });
+  if (error) {
+    log.warn(`Poll-and-claim failed: ${error.message}`);
+    return null;
+  }
+  if (!data) return null;
+  const row = data;
+  return {
+    ...row,
+    prompt: row.metadata?.prompt || row.content || ""
+  };
+}
 async function claimTask(messageId) {
   const sb = getSupabase();
-  const { error } = await sb.from("conversation_messages").update({
-    status: "running",
-    metadata: { started_at: (/* @__PURE__ */ new Date()).toISOString() }
-  }).eq("id", messageId).eq("status", "pending");
+  const { data, error } = await sb.rpc("mcp_claim_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId
+  });
   if (error) throw new Error(`Failed to claim task: ${error.message}`);
+  return data;
 }
 async function completeTask(messageId, resultSummary, tokenUsage) {
   const sb = getSupabase();
-  const { data: current } = await sb.from("conversation_messages").select("metadata").eq("id", messageId).single();
-  const existingMeta = current?.metadata || {};
-  const { error } = await sb.from("conversation_messages").update({
-    content: resultSummary,
-    status: "completed",
-    metadata: {
-      ...existingMeta,
-      completed_at: (/* @__PURE__ */ new Date()).toISOString(),
-      token_usage: tokenUsage || null
-    }
-  }).eq("id", messageId);
+  const { error } = await sb.rpc("mcp_complete_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_result: resultSummary,
+    p_token_usage: tokenUsage || null
+  });
   if (error) throw new Error(`Failed to complete task: ${error.message}`);
 }
 async function failTask(messageId, errorMessage) {
   const sb = getSupabase();
-  const { data: current } = await sb.from("conversation_messages").select("metadata").eq("id", messageId).single();
-  const existingMeta = current?.metadata || {};
-  const { error } = await sb.from("conversation_messages").update({
-    status: "failed",
-    content: errorMessage,
-    metadata: {
-      ...existingMeta,
-      completed_at: (/* @__PURE__ */ new Date()).toISOString(),
-      error_message: errorMessage
-    }
-  }).eq("id", messageId);
+  const { error } = await sb.rpc("mcp_fail_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_error: errorMessage
+  });
   if (error) log.error(`Failed to update task status: ${error.message}`);
 }
 var eventSequence = 0;
@@ -392,26 +322,26 @@ function resetEventSequence() {
 async function emitEvent(messageId, eventType, eventData) {
   const sb = getSupabase();
   eventSequence++;
-  const { error } = await sb.from("message_events").insert({
-    message_id: messageId,
-    event_type: eventType,
-    event_data: eventData,
-    sequence_number: eventSequence
+  const { error } = await sb.rpc("mcp_emit_event", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_event_type: eventType,
+    p_event_data: eventData,
+    p_seq: eventSequence
   });
   if (error) log.warn(`Failed to emit event: ${error.message}`);
 }
 async function emitEvents(messageId, events) {
   const sb = getSupabase();
-  const rows = events.map((e) => {
+  const eventsJson = events.map((e) => {
     eventSequence++;
-    return {
-      message_id: messageId,
-      event_type: e.type,
-      event_data: e.data,
-      sequence_number: eventSequence
-    };
+    return { type: e.type, data: e.data, seq: eventSequence };
+  });
+  const { error } = await sb.rpc("mcp_emit_events", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_events: eventsJson
   });
-  const { error } = await sb.from("message_events").insert(rows);
   if (error) log.warn(`Failed to emit events batch: ${error.message}`);
 }
 
@@ -428,8 +358,6 @@ export {
   DAYBOX_AGENT_ID,
   getSupabase,
   loginWithToken,
-  refreshWithCliToken,
-  getSession,
   getCurrentUserId,
   logout,
   createSession,
@@ -439,6 +367,7 @@ export {
   getOrCreateCliConversation,
   createTask,
   pollPendingTasks,
+  pollAndClaimTask,
   claimTask,
   completeTask,
   failTask,

package/dist/index.js

@@ -1,6 +1,5 @@
 #!/usr/bin/env node
 import {
-  claimTask,
   clearConfig,
   completeTask,
   createSession,
@@ -17,14 +16,14 @@ import {
   loginWithToken,
   logout,
   newCorrelationId,
-  pollPendingTasks,
+  pollAndClaimTask,
   resetEventSequence,
   setConfig,
   setCorrelationId,
   setLogLevel,
   setSessionBusy,
   updateHeartbeat
-} from "./chunk-VWSNGP65.js";
+} from "./chunk-QXT7DH44.js";
 
 // src/index.ts
 import { Command } from "commander";
@@ -277,12 +276,11 @@ var SessionManager = class {
       return;
     }
     try {
-      const tasks = await pollPendingTasks(this.session.id);
+      const task = await pollAndClaimTask(this.session.id);
       this.consecutivePollFailures = 0;
-      if (tasks.length > 0) {
+      if (task) {
         this.processing = true;
-        const task = tasks[0];
-        log.info(`New task received: ${task.id}`);
+        log.info(`New task claimed: ${task.id}`);
         log.agent(`Task from conversation: ${task.conversation_id}`);
         await setSessionBusy(this.session.id, true);
         try {
@@ -2449,11 +2447,6 @@ var TaskProcessor = class {
     const toolCallRecords = [];
     const usedSkillNames = [];
     try {
-      await withRetry(() => claimTask(task.id), {
-        maxRetries: 2,
-        baseDelayMs: 300,
-        label: "claimTask"
-      });
       await emitEvent(task.id, "status_change", { status: "running" });
       let systemPrompt = BASE_SYSTEM_PROMPT.replace(
         "{workspace_path}",
@@ -3087,7 +3080,7 @@ program.command("start", { isDefault: true }).description("Start the agent and l
       }
       log.agent(`Processing: "${input}"`);
       try {
-        const { createTask: createTask2 } = await import("./supabase-XHDOQMOM.js");
+        const { createTask: createTask2 } = await import("./supabase-QU7MFNDI.js");
         const session = sessionManager.getSession();
         const conversationId = sessionManager.getConversationId();
         if (session && conversationId) {
@@ -3116,7 +3109,7 @@ program.command("start", { isDefault: true }).description("Start the agent and l
 program.command("status").description("Check the status of the current agent session").action(async () => {
   try {
     const userId = await getCurrentUserId();
-    const { getSupabase: getSupabase2 } = await import("./supabase-XHDOQMOM.js");
+    const { getSupabase: getSupabase2 } = await import("./supabase-QU7MFNDI.js");
     const sb = getSupabase2();
     const { data: sessions } = await sb.from("agent_sessions").select("*").eq("user_id", userId).in("status", ["online", "busy"]).order("started_at", { ascending: false }).limit(5);
     if (!sessions || sessions.length === 0) {

package/dist/{supabase-XHDOQMOM.js → supabase-QU7MFNDI.js}

@@ -11,16 +11,15 @@ import {
   failTask,
   getCurrentUserId,
   getOrCreateCliConversation,
-  getSession,
   getSupabase,
   loginWithToken,
   logout,
+  pollAndClaimTask,
   pollPendingTasks,
-  refreshWithCliToken,
   resetEventSequence,
   setSessionBusy,
   updateHeartbeat
-} from "./chunk-VWSNGP65.js";
+} from "./chunk-QXT7DH44.js";
 export {
   CLI_AGENT_ID,
   DAYBOX_AGENT_ID,
@@ -34,12 +33,11 @@ export {
   failTask,
   getCurrentUserId,
   getOrCreateCliConversation,
-  getSession,
   getSupabase,
   loginWithToken,
   logout,
+  pollAndClaimTask,
   pollPendingTasks,
-  refreshWithCliToken,
   resetEventSequence,
   setSessionBusy,
   updateHeartbeat

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "assistme",
-  "version": "0.1.4",
+  "version": "0.1.5",
   "description": "AssistMe CLI Agent - AI-powered assistant that controls your real browser",
   "type": "module",
   "main": "dist/index.js",

package/src/agent/processor.test.ts

@@ -19,7 +19,6 @@ vi.mock("@anthropic-ai/claude-agent-sdk", () => ({
 
 // Mock Supabase DB functions
 const mockDbFns = {
-  claimTask: vi.fn().mockResolvedValue(undefined),
   completeTask: vi.fn().mockResolvedValue(undefined),
   failTask: vi.fn().mockResolvedValue(undefined),
   emitEvent: vi.fn().mockResolvedValue(undefined),
@@ -130,7 +129,7 @@ describe("TaskProcessor", () => {
 
     await processor.processTask(makeTask("say hello"));
 
-    expect(mockDbFns.claimTask).toHaveBeenCalledWith("task-001");
+    // Task is already claimed by pollAndClaimTask in session.ts, not processor
     expect(mockDbFns.completeTask).toHaveBeenCalledWith(
       "task-001",
       expect.stringContaining("Hello!")
@@ -196,7 +195,7 @@ describe("TaskProcessor", () => {
   });
 
   it("handles task failure gracefully", async () => {
-    mockDbFns.claimTask.mockRejectedValueOnce(new Error("DB error"));
+    mockDbFns.emitEvent.mockRejectedValueOnce(new Error("DB error"));
 
     await processor.processTask(makeTask("will fail"));
 

package/src/agent/processor.ts

@@ -5,7 +5,6 @@ import {
 } from "@anthropic-ai/claude-agent-sdk";
 import {
   AgentTask,
-  claimTask,
   completeTask,
   failTask,
   emitEvent,
@@ -108,12 +107,7 @@ export class TaskProcessor {
     const usedSkillNames: string[] = [];
 
     try {
-      // Claim the task (with retry for transient DB failures)
-      await withRetry(() => claimTask(task.id), {
-        maxRetries: 2,
-        baseDelayMs: 300,
-        label: "claimTask",
-      });
+      // Task is already claimed atomically by pollAndClaimTask in session.ts
       await emitEvent(task.id, "status_change", { status: "running" });
 
       // Build system prompt with memories + skills

package/src/agent/session.test.ts

@@ -30,7 +30,7 @@ const mockCreateSession = vi.fn().mockResolvedValue(mockSession);
 const mockUpdateHeartbeat = vi.fn().mockResolvedValue(undefined);
 const mockEndSession = vi.fn().mockResolvedValue(undefined);
 const mockSetSessionBusy = vi.fn().mockResolvedValue(undefined);
-const mockPollPendingTasks = vi.fn().mockResolvedValue([]);
+const mockPollAndClaimTask = vi.fn().mockResolvedValue(null);
 const mockGetOrCreateCliConversation = vi.fn().mockResolvedValue("conv-001");
 
 vi.mock("../db/supabase.js", () => ({
@@ -38,7 +38,7 @@ vi.mock("../db/supabase.js", () => ({
   updateHeartbeat: (...args: any[]) => mockUpdateHeartbeat(...args),
   endSession: (...args: any[]) => mockEndSession(...args),
   setSessionBusy: (...args: any[]) => mockSetSessionBusy(...args),
-  pollPendingTasks: (...args: any[]) => mockPollPendingTasks(...args),
+  pollAndClaimTask: (...args: any[]) => mockPollAndClaimTask(...args),
   createTask: vi.fn().mockResolvedValue({ id: "task-001", prompt: "test" }),
   getOrCreateCliConversation: (...args: any[]) => mockGetOrCreateCliConversation(...args),
   getSupabase: vi.fn().mockReturnValue({ from: vi.fn().mockReturnValue(chain) }),
@@ -79,7 +79,7 @@ describe("SessionManager", () => {
     mockUpdateHeartbeat.mockResolvedValue(undefined);
     mockEndSession.mockResolvedValue(undefined);
     mockSetSessionBusy.mockResolvedValue(undefined);
-    mockPollPendingTasks.mockResolvedValue([]);
+    mockPollAndClaimTask.mockResolvedValue(null);
     vi.useFakeTimers({ shouldAdvanceTime: true });
     manager = new SessionManager();
   });
@@ -117,12 +117,12 @@ describe("SessionManager", () => {
 
     await vi.advanceTimersByTimeAsync(3_000);
 
-    expect(mockPollPendingTasks).toHaveBeenCalledWith("sess-001");
+    expect(mockPollAndClaimTask).toHaveBeenCalledWith("sess-001");
   });
 
-  it("processes tasks when polled", async () => {
+  it("processes tasks when polled and claimed atomically", async () => {
     const task = { id: "task-001", conversation_id: "conv-001", prompt: "hello" };
-    mockPollPendingTasks.mockResolvedValueOnce([task]);
+    mockPollAndClaimTask.mockResolvedValueOnce(task);
 
     await manager.start("user-123", onTask);
     await vi.advanceTimersByTimeAsync(3_000);
@@ -133,24 +133,24 @@ describe("SessionManager", () => {
   });
 
   it("applies exponential backoff on poll failures", async () => {
-    mockPollPendingTasks
+    mockPollAndClaimTask
       .mockRejectedValueOnce(new Error("Network error"))
       .mockRejectedValueOnce(new Error("Network error"))
-      .mockResolvedValue([]);
+      .mockResolvedValue(null);
 
     await manager.start("user-123", onTask);
 
     // First poll at ~2s base interval
     await vi.advanceTimersByTimeAsync(3_000);
-    expect(mockPollPendingTasks).toHaveBeenCalledTimes(1);
+    expect(mockPollAndClaimTask).toHaveBeenCalledTimes(1);
 
     // After first failure: backoff = 2s * 2^1 = 4s → fires at ~6s total
     await vi.advanceTimersByTimeAsync(4_000);
-    expect(mockPollPendingTasks).toHaveBeenCalledTimes(2);
+    expect(mockPollAndClaimTask).toHaveBeenCalledTimes(2);
 
     // After second failure: backoff = 2s * 2^2 = 8s → fires at ~14s total
     await vi.advanceTimersByTimeAsync(8_500);
-    expect(mockPollPendingTasks).toHaveBeenCalledTimes(3);
+    expect(mockPollAndClaimTask).toHaveBeenCalledTimes(3);
     // Third call succeeds, so backoff resets. Next poll at 2s would be at ~16s
     // We don't advance that far, so only 3 calls total.
   });

package/src/agent/session.ts

@@ -3,7 +3,7 @@ import {
   updateHeartbeat,
   endSession,
   setSessionBusy,
-  pollPendingTasks,
+  pollAndClaimTask,
   createTask,
   getOrCreateCliConversation,
   getSupabase,
@@ -145,14 +145,15 @@ export class SessionManager {
     }
 
     try {
-      const tasks = await pollPendingTasks(this.session.id);
+      // Atomic poll + claim: if a pending task exists, it's claimed in one DB call.
+      // FOR UPDATE SKIP LOCKED ensures no two CLIs grab the same task.
+      const task = await pollAndClaimTask(this.session.id);
       // Reset backoff on success
       this.consecutivePollFailures = 0;
 
-      if (tasks.length > 0) {
+      if (task) {
         this.processing = true;
-        const task = tasks[0];
-        log.info(`New task received: ${task.id}`);
+        log.info(`New task claimed: ${task.id}`);
         log.agent(`Task from conversation: ${task.conversation_id}`);
 
         await setSessionBusy(this.session.id, true);

package/src/db/supabase.ts

@@ -11,8 +11,7 @@ import { homedir } from "os";
 export const CLI_AGENT_ID = "00000000-0000-0000-0000-000000000001";
 export const DAYBOX_AGENT_ID = "00000000-0000-0000-0000-000000000002";
 
-// ── File-Based Storage Adapter ─────────────────────────────────────
-// Node.js has no localStorage, so we persist Supabase auth tokens to disk.
+// ── Auth Store (persists am_ token to disk) ──────────────────────────
 
 const AUTH_DIR = join(homedir(), ".config", "assistme");
 const AUTH_FILE = join(AUTH_DIR, "auth.json");
@@ -39,28 +38,7 @@ function writeAuthStore(data: Record<string, string>) {
   writeFileSync(AUTH_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });
 }
 
-/**
- * Custom storage adapter for Supabase client.
- * Persists auth sessions to ~/.config/assistme/auth.json
- */
-const fileStorage = {
-  getItem(key: string): string | null {
-    const store = readAuthStore();
-    return store[key] ?? null;
-  },
-  setItem(key: string, value: string): void {
-    const store = readAuthStore();
-    store[key] = value;
-    writeAuthStore(store);
-  },
-  removeItem(key: string): void {
-    const store = readAuthStore();
-    delete store[key];
-    writeAuthStore(store);
-  },
-};
-
-// ── Supabase Client ────────────────────────────────────────────────
+// ── Supabase Client (anon key only, no auth session) ────────────────
 
 let supabase: SupabaseClient | null = null;
 
@@ -73,47 +51,33 @@ export function getSupabase(): SupabaseClient {
       );
     }
     supabase = createClient(config.supabaseUrl, config.supabaseAnonKey, {
-      auth: {
-        storage: fileStorage,
-        autoRefreshToken: false, // We handle refresh via am_ token
-        persistSession: true,
-      },
+      auth: { persistSession: false },
     });
   }
   return supabase;
 }
 
-// ── Auth: Token-Based Login ────────────────────────────────────────
+// ── Token Hash ──────────────────────────────────────────────────────
 
-/** SHA-256 hex hash of a token string. */
 function hashToken(token: string): string {
   return createHash("sha256").update(token).digest("hex");
 }
 
-/**
- * Validate an am_ token via RPC and get a signed JWT.
- * No edge function needed — calls login_with_mcp_token directly.
- */
-async function authenticateWithMcpToken(
-  mcpToken: string
-): Promise<{ access_token: string; user_id: string }> {
-  const tokenHash = hashToken(mcpToken);
-  const sb = getSupabase();
-
-  const { data, error } = await sb.rpc("login_with_mcp_token", {
-    p_token_hash: tokenHash,
-  });
-
-  if (error) throw new Error(`Token validation failed: ${error.message}`);
-  if (data?.error) throw new Error(data.error);
-  if (!data?.access_token) throw new Error("Token validation returned no session");
-
-  return data;
+/** Get stored token hash (computed from persisted am_ token). */
+function getTokenHash(): string {
+  const store = readAuthStore();
+  const token = store["mcp_token"];
+  if (!token || !token.startsWith("am_")) {
+    throw new Error("Not authenticated. Run `assistme login`.");
+  }
+  return hashToken(token);
 }
 
+// ── Auth ─────────────────────────────────────────────────────────────
+
 /**
  * Login using an am_ MCP token.
- * Validates via DB, gets a signed JWT, sets the Supabase session.
+ * Validates against DB via validate_mcp_token RPC, stores locally.
  */
 export async function loginWithToken(mcpToken: string): Promise<string> {
   if (!mcpToken.startsWith("am_")) {
@@ -122,70 +86,37 @@ export async function loginWithToken(mcpToken: string): Promise<string> {
     );
   }
 
-  const { access_token, user_id } = await authenticateWithMcpToken(mcpToken);
-
-  // Persist the MCP token so we can re-authenticate later
-  const store = readAuthStore();
-  store["mcp_token"] = mcpToken;
-  writeAuthStore(store);
-
+  const hash = hashToken(mcpToken);
   const sb = getSupabase();
-  const { data, error } = await sb.auth.setSession({
-    access_token,
-    refresh_token: "mcp_managed", // placeholder; we refresh via am_ token
-  });
 
-  if (error) throw new Error(`Login failed: ${error.message}`);
-  if (!data.user) throw new Error("Login failed: no user returned");
+  const { data, error } = await sb.rpc("validate_mcp_token", {
+    p_token_hash: hash,
+  });
 
-  return data.user.id;
-}
+  if (error) throw new Error(`Token validation failed: ${error.message}`);
+  if (!data || data.length === 0) throw new Error("Invalid or expired token");
 
-/**
- * Re-authenticate using the stored MCP token (am_).
- * Called automatically when the Supabase session has expired.
- */
-export async function refreshWithCliToken(): Promise<string | null> {
+  // Persist token
   const store = readAuthStore();
-  const mcpToken = store["mcp_token"];
-  if (!mcpToken || !mcpToken.startsWith("am_")) return null;
-
-  try {
-    const { access_token } = await authenticateWithMcpToken(mcpToken);
-    const sb = getSupabase();
-    const { data, error } = await sb.auth.setSession({
-      access_token,
-      refresh_token: "mcp_managed",
-    });
-    if (error || !data.user) return null;
-    return data.user.id;
-  } catch {
-    return null;
-  }
-}
+  store["mcp_token"] = mcpToken;
+  writeAuthStore(store);
 
-export async function getSession() {
-  const sb = getSupabase();
-  const { data } = await sb.auth.getSession();
-  return data.session;
+  return data[0].out_user_id;
 }
 
 export async function getCurrentUserId(): Promise<string> {
+  const hash = getTokenHash();
   const sb = getSupabase();
-  const { data, error } = await sb.auth.getUser();
-  if (error || !data.user) {
-    // Try auto-refresh with stored CLI token
-    const refreshed = await refreshWithCliToken();
-    if (refreshed) return refreshed;
-    throw new Error("Not authenticated. Run `assistme login`.");
+  const { data, error } = await sb.rpc("validate_mcp_token", {
+    p_token_hash: hash,
+  });
+  if (error || !data || data.length === 0) {
+    throw new Error("Token expired or revoked. Run `assistme login`.");
   }
-  return data.user.id;
+  return data[0].out_user_id;
 }
 
 export async function logout(): Promise<void> {
-  const sb = getSupabase();
-  await sb.auth.signOut();
-  // Also clear the file
   try {
     writeAuthStore({});
   } catch {
@@ -209,24 +140,19 @@ export interface AgentSession {
 }
 
 export async function createSession(
-  userId: string,
+  _userId: string,
   sessionName: string,
   workspacePath: string,
   version: string
 ): Promise<AgentSession> {
   const sb = getSupabase();
-  const { data, error } = await sb
-    .from("agent_sessions")
-    .insert({
-      user_id: userId,
-      session_name: sessionName,
-      status: "online",
-      workspace_path: workspacePath,
-      agent_version: version,
-      metadata: { model: getConfig().model },
-    })
-    .select()
-    .single();
+  const { data, error } = await sb.rpc("mcp_create_session", {
+    p_token_hash: getTokenHash(),
+    p_session_name: sessionName,
+    p_workspace_path: workspacePath,
+    p_version: version,
+    p_model: getConfig().model || null,
+  });
 
   if (error) throw new Error(`Failed to create session: ${error.message}`);
   return data as AgentSession;
@@ -234,24 +160,19 @@ export async function createSession(
 
 export async function updateHeartbeat(sessionId: string): Promise<void> {
   const sb = getSupabase();
-  const { error } = await sb
-    .from("agent_sessions")
-    .update({ last_heartbeat_at: new Date().toISOString() })
-    .eq("id", sessionId);
-
+  const { error } = await sb.rpc("mcp_heartbeat", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+  });
   if (error) log.warn(`Heartbeat update failed: ${error.message}`);
 }
 
 export async function endSession(sessionId: string): Promise<void> {
   const sb = getSupabase();
-  const { error } = await sb
-    .from("agent_sessions")
-    .update({
-      status: "offline",
-      ended_at: new Date().toISOString(),
-    })
-    .eq("id", sessionId);
-
+  const { error } = await sb.rpc("mcp_end_session", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+  });
   if (error) log.error(`Failed to end session: ${error.message}`);
 }
 
@@ -260,64 +181,28 @@ export async function setSessionBusy(
   busy: boolean
 ): Promise<void> {
   const sb = getSupabase();
-  await sb
-    .from("agent_sessions")
-    .update({ status: busy ? "busy" : "online" })
-    .eq("id", sessionId);
+  await sb.rpc("mcp_set_session_busy", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+    p_busy: busy,
+  });
 }
 
 // ── Conversation Management ─────────────────────────────────────────
 
-/**
- * Find or create a CLI conversation for a given session.
- * Each agent session gets one conversation.
- */
 export async function getOrCreateCliConversation(
-  userId: string,
-  sessionId: string
+  _userId: string,
+  _sessionId: string
 ): Promise<string> {
   const sb = getSupabase();
-
-  // Check if a CLI conversation already exists for this user's current session
-  // by looking for conversations where the agent is 'cli' and user is participant
-  const { data: existing } = await sb
-    .from("conversations")
-    .select("id")
-    .eq("agent", "cli")
-    .eq("created_by", userId)
-    .order("created_at", { ascending: false })
-    .limit(1);
-
-  if (existing && existing.length > 0) {
-    return existing[0].id;
-  }
-
-  // Create new conversation
-  const { data: conv, error: convErr } = await sb
-    .from("conversations")
-    .insert({
-      conversation_type: "direct",
-      agent: "cli",
-      created_by: userId,
-    })
-    .select("id")
-    .single();
-
-  if (convErr || !conv) {
-    throw new Error(`Failed to create conversation: ${convErr?.message}`);
-  }
-
-  // Add participants: user + CLI agent
-  await sb.from("conversation_participants").insert([
-    { conversation_id: conv.id, user_id: userId, role: "member" },
-    { conversation_id: conv.id, user_id: CLI_AGENT_ID, role: "member" },
-  ]);
-
-  return conv.id;
+  const { data, error } = await sb.rpc("mcp_get_or_create_conversation", {
+    p_token_hash: getTokenHash(),
+  });
+  if (error) throw new Error(`Failed to get conversation: ${error.message}`);
+  return data as string;
 }
 
 // ── Message / Task Management ────────────────────────────────────────
-// A "task" is now an assistant message in conversation_messages with a status.
 
 export interface ConversationMessage {
   id: string;
@@ -332,115 +217,88 @@ export interface ConversationMessage {
   metadata: Record<string, unknown>;
   created_at: string;
   updated_at: string;
-  /** The original user prompt (stored in metadata for assistant messages) */
   prompt: string;
 }
 
-// Keep AgentTask as an alias for backward compatibility with processor.ts
 export type AgentTask = ConversationMessage;
 
-/**
- * Create a user prompt + pending assistant message pair atomically.
- * Uses a PG function for transactional safety. Falls back to sequential
- * inserts if the function doesn't exist yet.
- * Returns the assistant message (the "task" to process).
- */
 export async function createTask(
   conversationId: string,
-  userId: string,
+  _userId: string,
   sessionId: string,
   prompt: string
 ): Promise<ConversationMessage> {
   const sb = getSupabase();
-
-  // Try atomic RPC first
-  const { data: rpcResult, error: rpcError } = await sb.rpc(
-    "create_task_pair",
-    {
-      p_conversation_id: conversationId,
-      p_user_id: userId,
-      p_agent_id: CLI_AGENT_ID,
-      p_session_id: sessionId,
-      p_prompt: prompt,
-    }
-  );
-
-  if (!rpcError && rpcResult) {
-    return { ...rpcResult, prompt } as ConversationMessage;
-  }
-
-  // Fallback: sequential inserts (for environments without the PG function)
-  if (rpcError) {
-    log.debug(`create_task_pair RPC unavailable, using fallback: ${rpcError.message}`);
-  }
-
-  // Insert user message
-  const { error: userErr } = await sb.from("conversation_messages").insert({
-    conversation_id: conversationId,
-    sender_id: userId,
-    role: "user",
-    content: prompt,
+  const { data, error } = await sb.rpc("mcp_create_task", {
+    p_token_hash: getTokenHash(),
+    p_conversation_id: conversationId,
+    p_session_id: sessionId,
+    p_prompt: prompt,
   });
 
-  if (userErr) throw new Error(`Failed to create user message: ${userErr.message}`);
-
-  // Insert assistant placeholder (the "task")
-  const { data, error } = await sb
-    .from("conversation_messages")
-    .insert({
-      conversation_id: conversationId,
-      sender_id: CLI_AGENT_ID,
-      role: "assistant",
-      content: "",
-      status: "pending",
-      session_id: sessionId,
-      metadata: { prompt },
-    })
-    .select()
-    .single();
-
   if (error) throw new Error(`Failed to create task: ${error.message}`);
   return { ...data, prompt } as ConversationMessage;
 }
 
-/**
- * Poll for pending assistant messages assigned to this session.
- */
 export async function pollPendingTasks(
   sessionId: string
 ): Promise<ConversationMessage[]> {
   const sb = getSupabase();
-  const { data, error } = await sb
-    .from("conversation_messages")
-    .select("*")
-    .eq("session_id", sessionId)
-    .eq("status", "pending")
-    .order("created_at", { ascending: true })
-    .limit(1);
+  const { data, error } = await sb.rpc("mcp_poll_tasks", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+  });
 
   if (error) {
     log.warn(`Task poll failed: ${error.message}`);
     return [];
   }
-  // Extract prompt from metadata for backward compat with processor
-  return (data || []).map((row: Record<string, unknown>) => ({
+
+  const rows = (data || []) as Record<string, unknown>[];
+  return rows.map((row) => ({
     ...row,
-    prompt: (row.metadata as Record<string, unknown>)?.prompt || row.content || "",
+    prompt:
+      (row.metadata as Record<string, unknown>)?.prompt || row.content || "",
   })) as ConversationMessage[];
 }
 
-export async function claimTask(messageId: string): Promise<void> {
+/**
+ * Atomically poll ONE pending task and claim it in a single DB call.
+ * Uses FOR UPDATE SKIP LOCKED — concurrent CLIs will never grab the same task.
+ * Returns null if no pending task exists.
+ */
+export async function pollAndClaimTask(
+  sessionId: string
+): Promise<ConversationMessage | null> {
   const sb = getSupabase();
-  const { error } = await sb
-    .from("conversation_messages")
-    .update({
-      status: "running",
-      metadata: { started_at: new Date().toISOString() },
-    })
-    .eq("id", messageId)
-    .eq("status", "pending");
+  const { data, error } = await sb.rpc("mcp_poll_and_claim_task", {
+    p_token_hash: getTokenHash(),
+    p_session_id: sessionId,
+  });
+
+  if (error) {
+    log.warn(`Poll-and-claim failed: ${error.message}`);
+    return null;
+  }
+
+  if (!data) return null;
+
+  const row = data as Record<string, unknown>;
+  return {
+    ...row,
+    prompt:
+      (row.metadata as Record<string, unknown>)?.prompt || row.content || "",
+  } as ConversationMessage;
+}
 
+export async function claimTask(messageId: string): Promise<boolean> {
+  const sb = getSupabase();
+  const { data, error } = await sb.rpc("mcp_claim_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+  });
   if (error) throw new Error(`Failed to claim task: ${error.message}`);
+  return data as boolean;
 }
 
 export async function completeTask(
@@ -449,29 +307,12 @@ export async function completeTask(
   tokenUsage?: Record<string, number>
 ): Promise<void> {
   const sb = getSupabase();
-
-  // Fetch current metadata to merge
-  const { data: current } = await sb
-    .from("conversation_messages")
-    .select("metadata")
-    .eq("id", messageId)
-    .single();
-
-  const existingMeta = (current?.metadata as Record<string, unknown>) || {};
-
-  const { error } = await sb
-    .from("conversation_messages")
-    .update({
-      content: resultSummary,
-      status: "completed",
-      metadata: {
-        ...existingMeta,
-        completed_at: new Date().toISOString(),
-        token_usage: tokenUsage || null,
-      },
-    })
-    .eq("id", messageId);
-
+  const { error } = await sb.rpc("mcp_complete_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_result: resultSummary,
+    p_token_usage: tokenUsage || null,
+  });
   if (error) throw new Error(`Failed to complete task: ${error.message}`);
 }
 
@@ -480,28 +321,11 @@ export async function failTask(
   errorMessage: string
 ): Promise<void> {
   const sb = getSupabase();
-
-  const { data: current } = await sb
-    .from("conversation_messages")
-    .select("metadata")
-    .eq("id", messageId)
-    .single();
-
-  const existingMeta = (current?.metadata as Record<string, unknown>) || {};
-
-  const { error } = await sb
-    .from("conversation_messages")
-    .update({
-      status: "failed",
-      content: errorMessage,
-      metadata: {
-        ...existingMeta,
-        completed_at: new Date().toISOString(),
-        error_message: errorMessage,
-      },
-    })
-    .eq("id", messageId);
-
+  const { error } = await sb.rpc("mcp_fail_task", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_error: errorMessage,
+  });
   if (error) log.error(`Failed to update task status: ${error.message}`);
 }
 
@@ -529,32 +353,29 @@ export async function emitEvent(
 ): Promise<void> {
   const sb = getSupabase();
   eventSequence++;
-  const { error } = await sb.from("message_events").insert({
-    message_id: messageId,
-    event_type: eventType,
-    event_data: eventData,
-    sequence_number: eventSequence,
+  const { error } = await sb.rpc("mcp_emit_event", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_event_type: eventType,
+    p_event_data: eventData,
+    p_seq: eventSequence,
   });
-
   if (error) log.warn(`Failed to emit event: ${error.message}`);
 }
 
-// Batch emit for efficiency
 export async function emitEvents(
   messageId: string,
   events: Array<{ type: EventType; data: Record<string, unknown> }>
 ): Promise<void> {
   const sb = getSupabase();
-  const rows = events.map((e) => {
+  const eventsJson = events.map((e) => {
     eventSequence++;
-    return {
-      message_id: messageId,
-      event_type: e.type,
-      event_data: e.data,
-      sequence_number: eventSequence,
-    };
+    return { type: e.type, data: e.data, seq: eventSequence };
+  });
+  const { error } = await sb.rpc("mcp_emit_events", {
+    p_token_hash: getTokenHash(),
+    p_message_id: messageId,
+    p_events: eventsJson,
   });
-
-  const { error } = await sb.from("message_events").insert(rows);
   if (error) log.warn(`Failed to emit events batch: ${error.message}`);
 }