forgeos 0.1.0-alpha.11 → 0.1.0-alpha.13

package/src/forge/delta/ids.ts

@@ -0,0 +1,44 @@
+import { randomBytes } from "node:crypto";
+
+export type DeltaIdPrefix =
+  | "actor"
+  | "sess"
+  | "op"
+  | "txn"
+  | "filechg"
+  | "cmdrun"
+  | "proof"
+  | "rtcall"
+  | "artifact"
+  | "gitmap"
+  | "aevt"
+  | "amem"
+  | "worksess"
+  | "wssig"
+  | "wssum";
+
+const CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ";
+
+function encodeTime(time: number): string {
+  let value = BigInt(time);
+  let output = "";
+  for (let index = 0; index < 10; index++) {
+    output = CROCKFORD[Number(value % 32n)] + output;
+    value = value / 32n;
+  }
+  return output;
+}
+
+function encodeRandom(bytes: Uint8Array): string {
+  let value = BigInt(`0x${Buffer.from(bytes).toString("hex")}`);
+  let output = "";
+  for (let index = 0; index < 16; index++) {
+    output = CROCKFORD[Number(value % 32n)] + output;
+    value = value / 32n;
+  }
+  return output;
+}
+
+export function createDeltaId(prefix: DeltaIdPrefix): string {
+  return `${prefix}_${encodeTime(Date.now())}${encodeRandom(randomBytes(10))}`;
+}

package/src/forge/delta/index.ts

@@ -0,0 +1,6 @@
+export { runDeltaStatus, formatDeltaStatusHuman, formatDeltaStatusJson } from "./status.ts";
+export { runDeltaTimeline, formatDeltaTimelineHuman, formatDeltaTimelineJson } from "./timeline.ts";
+export { runDeltaExplain, formatDeltaExplainHuman, formatDeltaExplainJson } from "./explain.ts";
+export { runDeltaSessionCommand, formatDeltaSessionHuman, formatDeltaSessionJson } from "./session.ts";
+export { createAmbientDeltaRecorder, recordParsedCliCommand, isDeltaDisabled } from "./recorder.ts";
+export { DeltaStore, getDeltaStorePath } from "./store.ts";

package/src/forge/delta/recorder.ts

@@ -0,0 +1,350 @@
+import { readFileSync, readdirSync } from "node:fs";
+import { join, relative } from "node:path";
+import type { ForgeCommand } from "../cli/parse.ts";
+import { GENERATED_DIR } from "../compiler/emitter/constants.ts";
+import { normalizePath } from "../compiler/primitives/paths.ts";
+import { hashUtf8Bytes } from "../compiler/primitives/hash.ts";
+import { DeltaStore, type DeltaRuntimeCallInput } from "./store.ts";
+import { classifyArtifactKind } from "./classifier.ts";
+import { readDeltaGitSnapshot } from "./git-observer.ts";
+
+export interface AmbientDeltaRecorder {
+  sessionId?: string;
+  recordRuntimeCall(input: DeltaRuntimeCallInput & { diagnostics?: unknown[] }): Promise<void>;
+  recordAgentTool(input: { toolName: string; risk?: string; status: "completed" | "failed"; traceId?: string; durationMs?: number }): Promise<void>;
+  recordFileChanged(path: string, changeType?: "created" | "modified" | "deleted" | "renamed" | "generated"): Promise<void>;
+  close(summary?: string): Promise<void>;
+}
+
+export function isDeltaDisabled(argv: string[] = process.argv.slice(2)): boolean {
+  return argv.includes("--no-delta") || process.env.FORGE_DELTA === "0";
+}
+
+export async function createAmbientDeltaRecorder(
+  workspaceRoot: string,
+  source: "forge-dev" | "forge-command" | "auto",
+  summary?: string,
+): Promise<AmbientDeltaRecorder> {
+  if (isDeltaDisabled()) {
+    return noopRecorder;
+  }
+  try {
+    const store = await DeltaStore.open(workspaceRoot);
+    const actorId = await store.ensureActor("forge", "forge-cli", { pid: process.pid });
+    const sessionId = await store.createSession({
+      source,
+      summary,
+      metadata: { actorId },
+      git: readDeltaGitSnapshot(workspaceRoot),
+    });
+    return {
+      sessionId,
+      async recordRuntimeCall(input) {
+        await safeDelta(async () => {
+          const failedCode = input.diagnosticCode ?? diagnosticCode(input.diagnostics);
+          await store.appendOperation({
+            sessionId,
+            actorId,
+            kind: input.result === "denied"
+              ? "runtime.entry.denied"
+              : input.result === "failed"
+                ? "runtime.entry.failed"
+                : "runtime.entry.executed",
+            summary: `${input.entryName} ${input.result ?? "executed"}`,
+            data: {
+              entryName: input.entryName,
+              entryKind: input.entryKind,
+              result: input.result,
+              traceId: input.traceId,
+              diagnosticCode: failedCode,
+            },
+            runtimeCall: { ...input, diagnosticCode: failedCode },
+          });
+        });
+      },
+      async recordAgentTool(input) {
+        await safeDelta(async () => {
+          await store.appendOperation({
+            sessionId,
+            actorId,
+            kind: "agent.tool.called",
+            summary: `${input.toolName} ${input.status}`,
+            data: {
+              toolName: input.toolName,
+              risk: input.risk,
+              status: input.status,
+              traceId: input.traceId,
+              durationMs: input.durationMs,
+            },
+          });
+        });
+      },
+      async recordFileChanged(path, changeType = "modified") {
+        await safeDelta(() => store.recordFilePath(sessionId, path, changeType));
+      },
+      async close(closeSummary) {
+        await safeDelta(async () => {
+          await store.endSession(sessionId, closeSummary);
+          await store.close();
+        });
+      },
+    };
+  } catch {
+    return noopRecorder;
+  }
+}
+
+export async function recordParsedCliCommand(input: {
+  command: ForgeCommand;
+  argv: string[];
+  exitCode: number;
+  durationMs: number;
+}): Promise<void> {
+  if (
+    isDeltaDisabled(input.argv) ||
+    input.command.kind === "delta" ||
+    input.command.kind === "session" ||
+    input.command.kind === "timeline" ||
+    input.command.kind === "explain"
+  ) {
+    return;
+  }
+  await safeDelta(async () => {
+    const workspaceRoot = commandWorkspaceRoot(input.command);
+    const store = await DeltaStore.open(workspaceRoot);
+    const actorId = await store.ensureActor("forge", "forge-cli", { pid: process.pid });
+    const sessionId = await store.createSession({
+      source: "forge-command",
+      summary: `forge ${input.command.kind}`,
+      metadata: { argv: input.argv },
+      git: readDeltaGitSnapshot(workspaceRoot),
+    });
+    const commandName = commandDisplayName(input.command);
+    const exitKind = input.exitCode === 0 ? "forge.command.completed" : "forge.command.failed";
+    const data = {
+      command: commandName,
+      exitCode: input.exitCode,
+      durationMs: input.durationMs,
+      git: readDeltaGitSnapshot(workspaceRoot),
+    };
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: exitKind,
+      summary: `${commandName} ${input.exitCode === 0 ? "completed" : "failed"}`,
+      data,
+      commandRun: {
+        commandName,
+        argv: input.argv,
+        exitCode: input.exitCode,
+        durationMs: input.durationMs,
+      },
+    });
+
+    await recordSpecializedCommand(store, sessionId, actorId, input.command, input.exitCode, commandName);
+    await store.endSession(sessionId, `forge ${input.command.kind} exited ${input.exitCode}`);
+    await store.close();
+  });
+}
+
+async function recordSpecializedCommand(
+  store: DeltaStore,
+  sessionId: string,
+  actorId: string,
+  command: ForgeCommand,
+  exitCode: number,
+  commandName: string,
+): Promise<void> {
+  if (command.kind === "generate" && exitCode === 0) {
+    const artifacts = listGeneratedArtifacts(process.cwd()).map((path) => ({
+      path,
+      artifactKind: classifyArtifactKind(path),
+      generated: true,
+      hash: hashFileIfPresent(process.cwd(), path),
+    }));
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: "artifact.generated",
+      summary: `Generated ${artifacts.length} Forge artifacts`,
+      data: { count: artifacts.length, generator: "forge generate" },
+      artifacts,
+    });
+    return;
+  }
+
+  if (command.kind === "manifest") {
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: command.subcommand === "import" ? "manifest.imported" : "manifest.validated",
+      summary: `${command.subcommand} ${command.path}`,
+      data: { path: command.path, subcommand: command.subcommand, exitCode },
+      artifacts: command.subcommand === "import"
+        ? ["externalServices.json", "agentContract.json", "api.json"].map((name) => ({
+            path: `${GENERATED_DIR}/${name}`,
+            generated: true,
+          }))
+        : undefined,
+    });
+    return;
+  }
+
+  if (command.kind === "run" && command.name) {
+    const queryMode = command.queryMode === true;
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: exitCode === 0 ? "runtime.entry.executed" : "runtime.entry.failed",
+      summary: `${command.name} ${exitCode === 0 ? "success" : "failed"}`,
+      data: { entryName: command.name, entryKind: queryMode ? "query" : "command", exitCode },
+      runtimeCall: {
+        entryName: command.name,
+        entryKind: queryMode ? "query" : "command",
+        result: exitCode === 0 ? "success" : "failed",
+      },
+    });
+    return;
+  }
+
+  if (command.kind === "query" && command.subcommand === "run" && command.name) {
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: exitCode === 0 ? "runtime.entry.executed" : "runtime.entry.failed",
+      summary: `${command.name} ${exitCode === 0 ? "success" : "failed"}`,
+      data: { entryName: command.name, entryKind: "query", exitCode },
+      runtimeCall: {
+        entryName: command.name,
+        entryKind: "query",
+        result: exitCode === 0 ? "success" : "failed",
+      },
+    });
+    return;
+  }
+
+  if (command.kind === "security" && command.subcommand === "prove") {
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: "proof.run",
+      summary: `security prove ${exitCode === 0 ? "passed" : "failed"}`,
+      data: { command: commandName, exitCode },
+      proof: {
+        proofKind: "security-prove",
+        command: commandName,
+        result: exitCode === 0 ? "passed" : "failed",
+      },
+    });
+    return;
+  }
+
+  if (command.kind === "ai" && command.subcommand === "redteam") {
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: "proof.run",
+      summary: `ai redteam ${exitCode === 0 ? "passed" : "failed"}`,
+      data: { command: commandName, exitCode },
+      proof: {
+        proofKind: "ai-redteam",
+        command: commandName,
+        result: exitCode === 0 ? "passed" : "failed",
+      },
+    });
+    return;
+  }
+
+  if (command.kind === "check" || command.kind === "verify") {
+    await store.appendOperation({
+      sessionId,
+      actorId,
+      kind: "proof.run",
+      summary: `${commandName} ${exitCode === 0 ? "passed" : "failed"}`,
+      data: { command: commandName, exitCode },
+      proof: {
+        proofKind: command.kind === "check" ? "forge-check" : "forge-verify",
+        command: commandName,
+        result: exitCode === 0 ? "passed" : "failed",
+      },
+    });
+  }
+}
+
+const noopRecorder: AmbientDeltaRecorder = {
+  async recordRuntimeCall() {},
+  async recordAgentTool() {},
+  async recordFileChanged() {},
+  async close() {},
+};
+
+async function safeDelta(fn: () => Promise<void>): Promise<void> {
+  try {
+    await fn();
+  } catch {
+    // Delta recording is ambient. It must never change primary command behavior.
+  }
+}
+
+function diagnosticCode(diagnostics: unknown[] | undefined): string | undefined {
+  const first = diagnostics?.find((diagnostic) =>
+    diagnostic && typeof diagnostic === "object" && "code" in diagnostic,
+  ) as { code?: unknown } | undefined;
+  return typeof first?.code === "string" ? first.code : undefined;
+}
+
+function commandWorkspaceRoot(command: ForgeCommand): string {
+  if ("workspaceRoot" in command && typeof command.workspaceRoot === "string") {
+    return command.workspaceRoot;
+  }
+  if ("options" in command && command.options && typeof command.options === "object" && "workspaceRoot" in command.options) {
+    const root = (command.options as { workspaceRoot?: unknown }).workspaceRoot;
+    if (typeof root === "string") {
+      return root;
+    }
+  }
+  return process.cwd().replace(/\\/g, "/");
+}
+
+function commandDisplayName(command: ForgeCommand): string {
+  if ("subcommand" in command && typeof command.subcommand === "string") {
+    return `forge ${command.kind} ${command.subcommand}`;
+  }
+  if ("options" in command && command.options && typeof command.options === "object" && "subcommand" in command.options) {
+    const subcommand = (command.options as { subcommand?: unknown }).subcommand;
+    if (typeof subcommand === "string") {
+      return `forge ${command.kind} ${subcommand}`;
+    }
+  }
+  return `forge ${command.kind}`;
+}
+
+function listGeneratedArtifacts(workspaceRoot: string): string[] {
+  const root = join(workspaceRoot, GENERATED_DIR);
+  try {
+    return walk(root).map((path) => normalizePath(relative(workspaceRoot, path)));
+  } catch {
+    return [];
+  }
+}
+
+function walk(root: string): string[] {
+  const entries: string[] = [];
+  for (const entry of readdirSync(root, { withFileTypes: true })) {
+    const path = join(root, entry.name);
+    if (entry.isDirectory()) {
+      entries.push(...walk(path));
+    } else if (entry.isFile()) {
+      entries.push(path);
+    }
+  }
+  return entries;
+}
+
+function hashFileIfPresent(workspaceRoot: string, path: string): string | undefined {
+  try {
+    return hashUtf8Bytes(readFileSync(join(workspaceRoot, path)));
+  } catch {
+    return undefined;
+  }
+}

package/src/forge/delta/redaction.ts

@@ -0,0 +1,50 @@
+import { scrubEnvelopePayload } from "../runtime/telemetry/scrubber.ts";
+
+const SECRET_KEY_PATTERN = /password|secret|token|apikey|apiKey|api_key|authorization|cookie/i;
+
+export interface DeltaRedactionResult<T> {
+  value: T;
+  redaction: {
+    diagnostics: string[];
+    redacted: boolean;
+  };
+}
+
+function collectSecretLikeKeys(value: unknown, path: string[] = [], keys: string[] = []): string[] {
+  if (!value || typeof value !== "object") {
+    return keys;
+  }
+  if (Array.isArray(value)) {
+    value.forEach((item, index) => collectSecretLikeKeys(item, [...path, String(index)], keys));
+    return keys;
+  }
+  for (const [key, child] of Object.entries(value as Record<string, unknown>)) {
+    const next = [...path, key];
+    if (SECRET_KEY_PATTERN.test(key)) {
+      keys.push(next.join("."));
+    }
+    collectSecretLikeKeys(child, next, keys);
+  }
+  return keys;
+}
+
+export function redactDeltaPayload<T extends Record<string, unknown>>(
+  value: T,
+  options: { secretValues?: string[] } = {},
+): DeltaRedactionResult<T> {
+  const secretKeys = collectSecretLikeKeys(value);
+  const scrubbed = scrubEnvelopePayload(value, {
+    secretValues: options.secretValues,
+  });
+  return {
+    value: scrubbed.value,
+    redaction: {
+      diagnostics: [
+        ...secretKeys.map((key) => `redacted secret-like key ${key}`),
+        ...scrubbed.diagnostics.map((diagnostic) => diagnostic.message),
+      ],
+      redacted: secretKeys.length > 0 || scrubbed.diagnostics.length > 0,
+    },
+  };
+}
+

package/src/forge/delta/schema.ts

@@ -0,0 +1,238 @@
+export const DELTA_SCHEMA_VERSION = "0.3.0";
+
+export const DELTA_SCHEMA_SQL = [
+  `CREATE TABLE IF NOT EXISTS delta_meta (
+    key text PRIMARY KEY,
+    value text NOT NULL,
+    updated_at text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS actors (
+    id text PRIMARY KEY,
+    kind text NOT NULL,
+    name text,
+    metadata_json text,
+    created_at text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS sessions (
+    id text PRIMARY KEY,
+    workspace_root text NOT NULL,
+    source text NOT NULL,
+    branch text,
+    started_at text NOT NULL,
+    ended_at text,
+    summary text,
+    metadata_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS operations (
+    id text PRIMARY KEY,
+    session_id text,
+    txn_id text,
+    kind text NOT NULL,
+    timestamp text NOT NULL,
+    actor_id text,
+    summary text,
+    data_json text NOT NULL,
+    redaction_json text,
+    hash text,
+    prev_hash text
+  )`,
+  `CREATE TABLE IF NOT EXISTS file_changes (
+    id text PRIMARY KEY,
+    operation_id text NOT NULL,
+    path text NOT NULL,
+    change_type text NOT NULL,
+    hash_before text,
+    hash_after text,
+    diff_summary text,
+    semantic_hints_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS command_runs (
+    id text PRIMARY KEY,
+    operation_id text NOT NULL,
+    command_name text NOT NULL,
+    argv_redacted_json text,
+    exit_code integer,
+    duration_ms integer,
+    diagnostics_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS proofs (
+    id text PRIMARY KEY,
+    operation_id text NOT NULL,
+    proof_kind text NOT NULL,
+    command text,
+    result text NOT NULL,
+    assurance text,
+    diagnostics_json text,
+    artifact_paths_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS runtime_calls (
+    id text PRIMARY KEY,
+    operation_id text NOT NULL,
+    entry_name text NOT NULL,
+    entry_kind text,
+    risk text,
+    policy text,
+    tenant_scoped integer,
+    result text,
+    diagnostic_code text,
+    trace_id text,
+    service text,
+    language text
+  )`,
+  `CREATE TABLE IF NOT EXISTS artifacts (
+    id text PRIMARY KEY,
+    operation_id text NOT NULL,
+    path text NOT NULL,
+    artifact_kind text,
+    hash text,
+    generated integer
+  )`,
+  `CREATE TABLE IF NOT EXISTS git_mappings (
+    id text PRIMARY KEY,
+    operation_id text,
+    commit_sha text,
+    branch text,
+    detected_at text,
+    confidence real,
+    metadata_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS work_sessions (
+    id text PRIMARY KEY,
+    workspace_root text NOT NULL,
+    kind text NOT NULL,
+    status text NOT NULL,
+    title text,
+    inferred_intent text,
+    confidence real NOT NULL,
+    started_at text NOT NULL,
+    ended_at text,
+    actor_ids_json text,
+    git_branch text,
+    git_head_start text,
+    git_head_end text,
+    summary text,
+    metadata_json text,
+    created_at text NOT NULL,
+    updated_at text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS work_session_operations (
+    work_session_id text NOT NULL,
+    operation_id text NOT NULL,
+    link_type text NOT NULL,
+    confidence real NOT NULL,
+    reason_json text,
+    created_at text NOT NULL,
+    PRIMARY KEY (work_session_id, operation_id)
+  )`,
+  `CREATE TABLE IF NOT EXISTS work_session_signals (
+    id text PRIMARY KEY,
+    work_session_id text,
+    operation_id text,
+    signal_type text NOT NULL,
+    weight real NOT NULL,
+    value text,
+    metadata_json text,
+    created_at text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS work_session_summaries (
+    id text PRIMARY KEY,
+    work_session_id text NOT NULL,
+    summary_type text NOT NULL,
+    content text NOT NULL,
+    generated_by text,
+    created_at text NOT NULL,
+    redaction_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS timeline_events (
+    id text PRIMARY KEY,
+    operation_id text,
+    session_id text,
+    change_id text,
+    timestamp text NOT NULL,
+    event_kind text NOT NULL,
+    title text NOT NULL,
+    summary text,
+    severity text,
+    confidence real NOT NULL,
+    data_json text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS timeline_entities (
+    id text PRIMARY KEY,
+    timeline_event_id text NOT NULL,
+    entity_kind text NOT NULL,
+    entity_name text NOT NULL,
+    role text NOT NULL,
+    confidence real NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS timeline_edges (
+    id text PRIMARY KEY,
+    from_event_id text NOT NULL,
+    to_event_id text NOT NULL,
+    edge_kind text NOT NULL,
+    confidence real NOT NULL,
+    reason_json text
+  )`,
+  `CREATE TABLE IF NOT EXISTS timeline_projection_state (
+    id text PRIMARY KEY,
+    last_operation_id text,
+    last_rebuild_at text,
+    projection_version text,
+    graph_hash text
+  )`,
+  `CREATE TABLE IF NOT EXISTS agent_event_sources (
+    id text PRIMARY KEY,
+    source_name text NOT NULL,
+    source_kind text NOT NULL,
+    integration_kind text NOT NULL,
+    trust_level text NOT NULL,
+    config_json text,
+    created_at text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS external_agent_events (
+    id text PRIMARY KEY,
+    source_id text NOT NULL,
+    external_session_id text,
+    external_turn_id text,
+    event_kind text NOT NULL,
+    captured_at text NOT NULL,
+    payload_redacted_json text NOT NULL,
+    payload_hash text,
+    raw_stored integer DEFAULT 0,
+    normalization_status text NOT NULL
+  )`,
+  `CREATE TABLE IF NOT EXISTS agent_memory_events (
+    id text PRIMARY KEY,
+    external_event_id text,
+    forge_session_id text,
+    forge_change_id text,
+    operation_id text,
+    normalized_kind text NOT NULL,
+    summary text,
+    confidence real NOT NULL,
+    data_json text NOT NULL
+  )`,
+  `CREATE INDEX IF NOT EXISTS operations_timestamp_idx ON operations(timestamp)`,
+  `CREATE INDEX IF NOT EXISTS operations_kind_idx ON operations(kind)`,
+  `CREATE INDEX IF NOT EXISTS operations_session_idx ON operations(session_id)`,
+  `CREATE INDEX IF NOT EXISTS file_changes_path_idx ON file_changes(path)`,
+  `CREATE INDEX IF NOT EXISTS runtime_calls_entry_idx ON runtime_calls(entry_name)`,
+  `CREATE INDEX IF NOT EXISTS artifacts_path_idx ON artifacts(path)`,
+  `CREATE INDEX IF NOT EXISTS work_sessions_status_idx ON work_sessions(status, updated_at)`,
+  `CREATE INDEX IF NOT EXISTS work_sessions_branch_idx ON work_sessions(git_branch)`,
+  `CREATE INDEX IF NOT EXISTS work_session_operations_operation_idx ON work_session_operations(operation_id)`,
+  `CREATE INDEX IF NOT EXISTS work_session_signals_session_idx ON work_session_signals(work_session_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_events_time_idx ON timeline_events(timestamp)`,
+  `CREATE INDEX IF NOT EXISTS timeline_events_kind_idx ON timeline_events(event_kind)`,
+  `CREATE INDEX IF NOT EXISTS timeline_events_operation_idx ON timeline_events(operation_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_events_change_idx ON timeline_events(change_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_events_session_idx ON timeline_events(session_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_entities_entity_idx ON timeline_entities(entity_kind, entity_name)`,
+  `CREATE INDEX IF NOT EXISTS timeline_entities_event_idx ON timeline_entities(timeline_event_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_edges_from_idx ON timeline_edges(from_event_id)`,
+  `CREATE INDEX IF NOT EXISTS timeline_edges_to_idx ON timeline_edges(to_event_id)`,
+  `CREATE INDEX IF NOT EXISTS agent_event_sources_name_idx ON agent_event_sources(source_name, integration_kind)`,
+  `CREATE INDEX IF NOT EXISTS external_agent_events_source_idx ON external_agent_events(source_id, captured_at)`,
+  `CREATE INDEX IF NOT EXISTS external_agent_events_kind_idx ON external_agent_events(event_kind)`,
+  `CREATE INDEX IF NOT EXISTS agent_memory_events_kind_idx ON agent_memory_events(normalized_kind)`,
+  `CREATE INDEX IF NOT EXISTS agent_memory_events_operation_idx ON agent_memory_events(operation_id)`,
+];