patchrelay 0.1.0

package/dist/db/linear-installation-store.js

@@ -0,0 +1,184 @@
+import { isoNow } from "./shared.js";
+export class LinearInstallationStore {
+    connection;
+    constructor(connection) {
+        this.connection = connection;
+    }
+    upsertLinearInstallation(params) {
+        const now = isoNow();
+        const existing = params.workspaceId
+            ? this.connection
+                .prepare("SELECT id FROM linear_installations WHERE workspace_id = ? ORDER BY id DESC LIMIT 1")
+                .get(params.workspaceId)
+            : undefined;
+        if (existing) {
+            this.connection
+                .prepare(`
+          UPDATE linear_installations
+          SET workspace_name = COALESCE(?, workspace_name),
+              workspace_key = COALESCE(?, workspace_key),
+              actor_id = COALESCE(?, actor_id),
+              actor_name = COALESCE(?, actor_name),
+              access_token_ciphertext = ?,
+              refresh_token_ciphertext = COALESCE(?, refresh_token_ciphertext),
+              scopes_json = ?,
+              token_type = COALESCE(?, token_type),
+              expires_at = COALESCE(?, expires_at),
+              updated_at = ?
+          WHERE id = ?
+          `)
+                .run(params.workspaceName ?? null, params.workspaceKey ?? null, params.actorId ?? null, params.actorName ?? null, params.accessTokenCiphertext, params.refreshTokenCiphertext ?? null, params.scopesJson, params.tokenType ?? null, params.expiresAt ?? null, now, existing.id);
+            return this.getLinearInstallation(existing.id);
+        }
+        const result = this.connection
+            .prepare(`
+        INSERT INTO linear_installations (
+          workspace_id, workspace_name, workspace_key, actor_id, actor_name,
+          access_token_ciphertext, refresh_token_ciphertext, scopes_json, token_type, expires_at, created_at, updated_at
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+        `)
+            .run(params.workspaceId ?? null, params.workspaceName ?? null, params.workspaceKey ?? null, params.actorId ?? null, params.actorName ?? null, params.accessTokenCiphertext, params.refreshTokenCiphertext ?? null, params.scopesJson, params.tokenType ?? null, params.expiresAt ?? null, now, now);
+        return this.getLinearInstallation(Number(result.lastInsertRowid));
+    }
+    saveLinearInstallation(params) {
+        return this.upsertLinearInstallation(params);
+    }
+    updateLinearInstallationTokens(id, params) {
+        this.connection
+            .prepare(`
+        UPDATE linear_installations
+        SET access_token_ciphertext = ?,
+            refresh_token_ciphertext = COALESCE(?, refresh_token_ciphertext),
+            scopes_json = COALESCE(?, scopes_json),
+            token_type = COALESCE(?, token_type),
+            expires_at = COALESCE(?, expires_at),
+            updated_at = ?
+        WHERE id = ?
+        `)
+            .run(params.accessTokenCiphertext, params.refreshTokenCiphertext ?? null, params.scopesJson ?? null, params.tokenType ?? null, params.expiresAt ?? null, isoNow(), id);
+        return this.getLinearInstallation(id);
+    }
+    getLinearInstallation(id) {
+        const row = this.connection
+            .prepare("SELECT * FROM linear_installations WHERE id = ?")
+            .get(id);
+        return row ? mapLinearInstallation(row) : undefined;
+    }
+    listLinearInstallations() {
+        const rows = this.connection
+            .prepare("SELECT * FROM linear_installations ORDER BY updated_at DESC, id DESC")
+            .all();
+        return rows.map((row) => mapLinearInstallation(row));
+    }
+    linkProjectInstallation(projectId, installationId) {
+        const now = isoNow();
+        this.connection
+            .prepare(`
+        INSERT INTO project_installations (project_id, installation_id, linked_at)
+        VALUES (?, ?, ?)
+        ON CONFLICT(project_id) DO UPDATE SET installation_id = excluded.installation_id, linked_at = excluded.linked_at
+        `)
+            .run(projectId, installationId, now);
+        return this.getProjectInstallation(projectId);
+    }
+    setProjectInstallation(projectId, installationId) {
+        return this.linkProjectInstallation(projectId, installationId);
+    }
+    getProjectInstallation(projectId) {
+        const row = this.connection
+            .prepare("SELECT * FROM project_installations WHERE project_id = ?")
+            .get(projectId);
+        return row ? mapProjectInstallation(row) : undefined;
+    }
+    listProjectInstallations() {
+        const rows = this.connection
+            .prepare("SELECT * FROM project_installations ORDER BY project_id")
+            .all();
+        return rows.map((row) => mapProjectInstallation(row));
+    }
+    unlinkProjectInstallation(projectId) {
+        this.connection.prepare("DELETE FROM project_installations WHERE project_id = ?").run(projectId);
+    }
+    getLinearInstallationForProject(projectId) {
+        const row = this.connection
+            .prepare(`
+        SELECT li.*
+        FROM linear_installations li
+        INNER JOIN project_installations pi ON pi.installation_id = li.id
+        WHERE pi.project_id = ?
+        `)
+            .get(projectId);
+        return row ? mapLinearInstallation(row) : undefined;
+    }
+    createOAuthState(params) {
+        const now = isoNow();
+        const result = this.connection
+            .prepare(`
+        INSERT INTO oauth_states (provider, state, project_id, redirect_uri, actor, created_at, status)
+        VALUES (?, ?, ?, ?, ?, ?, 'pending')
+        `)
+            .run(params.provider, params.state, params.projectId ?? null, params.redirectUri, params.actor, now);
+        return this.getOAuthStateById(Number(result.lastInsertRowid));
+    }
+    getOAuthState(state) {
+        const row = this.connection
+            .prepare("SELECT * FROM oauth_states WHERE state = ? ORDER BY id DESC LIMIT 1")
+            .get(state);
+        return row ? mapOAuthState(row) : undefined;
+    }
+    finalizeOAuthState(params) {
+        const now = isoNow();
+        this.connection
+            .prepare(`
+        UPDATE oauth_states
+        SET status = ?, consumed_at = ?, installation_id = COALESCE(?, installation_id), error_message = COALESCE(?, error_message)
+        WHERE state = ?
+        `)
+            .run(params.status, now, params.installationId ?? null, params.errorMessage ?? null, params.state);
+        return this.getOAuthState(params.state);
+    }
+    getOAuthStateById(id) {
+        const row = this.connection.prepare("SELECT * FROM oauth_states WHERE id = ?").get(id);
+        return row ? mapOAuthState(row) : undefined;
+    }
+}
+function mapLinearInstallation(row) {
+    return {
+        id: Number(row.id),
+        provider: "linear",
+        ...(row.workspace_id === null ? {} : { workspaceId: String(row.workspace_id) }),
+        ...(row.workspace_name === null ? {} : { workspaceName: String(row.workspace_name) }),
+        ...(row.workspace_key === null ? {} : { workspaceKey: String(row.workspace_key) }),
+        ...(row.actor_id === null ? {} : { actorId: String(row.actor_id) }),
+        ...(row.actor_name === null ? {} : { actorName: String(row.actor_name) }),
+        accessTokenCiphertext: String(row.access_token_ciphertext),
+        ...(row.refresh_token_ciphertext === null ? {} : { refreshTokenCiphertext: String(row.refresh_token_ciphertext) }),
+        scopesJson: String(row.scopes_json),
+        ...(row.token_type === null ? {} : { tokenType: String(row.token_type) }),
+        ...(row.expires_at === null ? {} : { expiresAt: String(row.expires_at) }),
+        createdAt: String(row.created_at),
+        updatedAt: String(row.updated_at),
+    };
+}
+function mapProjectInstallation(row) {
+    return {
+        projectId: String(row.project_id),
+        installationId: Number(row.installation_id),
+        linkedAt: String(row.linked_at),
+    };
+}
+function mapOAuthState(row) {
+    return {
+        id: Number(row.id),
+        provider: "linear",
+        state: String(row.state),
+        ...(row.project_id === null ? {} : { projectId: String(row.project_id) }),
+        redirectUri: String(row.redirect_uri),
+        actor: row.actor,
+        createdAt: String(row.created_at),
+        status: row.status ?? "pending",
+        ...(row.consumed_at === null ? {} : { consumedAt: String(row.consumed_at) }),
+        ...(row.installation_id === null ? {} : { installationId: Number(row.installation_id) }),
+        ...(row.error_message === null ? {} : { errorMessage: String(row.error_message) }),
+    };
+}

package/dist/db/migrations.js

@@ -0,0 +1,183 @@
+const baseMigration = `
+CREATE TABLE IF NOT EXISTS webhook_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  webhook_id TEXT NOT NULL UNIQUE,
+  received_at TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  issue_id TEXT,
+  project_id TEXT,
+  headers_json TEXT NOT NULL,
+  payload_json TEXT NOT NULL,
+  signature_valid INTEGER NOT NULL,
+  dedupe_status TEXT NOT NULL,
+  processing_status TEXT NOT NULL DEFAULT 'pending'
+);
+
+CREATE TABLE IF NOT EXISTS event_receipts (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  source TEXT NOT NULL,
+  external_id TEXT NOT NULL,
+  event_type TEXT NOT NULL,
+  received_at TEXT NOT NULL,
+  acceptance_status TEXT NOT NULL,
+  processing_status TEXT NOT NULL DEFAULT 'pending',
+  project_id TEXT,
+  linear_issue_id TEXT,
+  headers_json TEXT,
+  payload_json TEXT,
+  UNIQUE(source, external_id)
+);
+
+CREATE TABLE IF NOT EXISTS issue_control (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id TEXT NOT NULL,
+  linear_issue_id TEXT NOT NULL,
+  desired_stage TEXT,
+  desired_receipt_id INTEGER,
+  active_run_lease_id INTEGER,
+  active_workspace_ownership_id INTEGER,
+  service_owned_comment_id TEXT,
+  active_agent_session_id TEXT,
+  lifecycle_status TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  UNIQUE(project_id, linear_issue_id)
+);
+
+CREATE TABLE IF NOT EXISTS issue_projection (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id TEXT NOT NULL,
+  linear_issue_id TEXT NOT NULL,
+  issue_key TEXT,
+  title TEXT,
+  issue_url TEXT,
+  current_linear_state TEXT,
+  last_webhook_at TEXT,
+  updated_at TEXT NOT NULL,
+  UNIQUE(project_id, linear_issue_id)
+);
+
+CREATE TABLE IF NOT EXISTS workspace_ownership (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id TEXT NOT NULL,
+  linear_issue_id TEXT NOT NULL,
+  branch_name TEXT NOT NULL,
+  worktree_path TEXT NOT NULL,
+  status TEXT NOT NULL,
+  current_run_lease_id INTEGER,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  UNIQUE(project_id, linear_issue_id)
+);
+
+CREATE TABLE IF NOT EXISTS run_leases (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  issue_control_id INTEGER NOT NULL,
+  project_id TEXT NOT NULL,
+  linear_issue_id TEXT NOT NULL,
+  workspace_ownership_id INTEGER NOT NULL,
+  stage TEXT NOT NULL,
+  status TEXT NOT NULL,
+  trigger_receipt_id INTEGER,
+  workflow_file TEXT NOT NULL DEFAULT '',
+  prompt_text TEXT NOT NULL DEFAULT '',
+  thread_id TEXT,
+  parent_thread_id TEXT,
+  turn_id TEXT,
+  started_at TEXT NOT NULL,
+  ended_at TEXT,
+  failure_reason TEXT,
+  FOREIGN KEY(issue_control_id) REFERENCES issue_control(id) ON DELETE CASCADE,
+  FOREIGN KEY(workspace_ownership_id) REFERENCES workspace_ownership(id) ON DELETE CASCADE,
+  FOREIGN KEY(trigger_receipt_id) REFERENCES event_receipts(id) ON DELETE SET NULL
+);
+
+CREATE TABLE IF NOT EXISTS run_reports (
+  run_lease_id INTEGER PRIMARY KEY,
+  summary_json TEXT,
+  report_json TEXT,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  FOREIGN KEY(run_lease_id) REFERENCES run_leases(id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS run_thread_events (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  run_lease_id INTEGER NOT NULL,
+  thread_id TEXT NOT NULL,
+  turn_id TEXT,
+  method TEXT NOT NULL,
+  event_json TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  FOREIGN KEY(run_lease_id) REFERENCES run_leases(id) ON DELETE CASCADE
+);
+
+CREATE TABLE IF NOT EXISTS obligations (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  project_id TEXT NOT NULL,
+  linear_issue_id TEXT NOT NULL,
+  kind TEXT NOT NULL,
+  status TEXT NOT NULL,
+  source TEXT NOT NULL,
+  payload_json TEXT NOT NULL,
+  run_lease_id INTEGER,
+  thread_id TEXT,
+  turn_id TEXT,
+  dedupe_key TEXT,
+  last_error TEXT,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL,
+  completed_at TEXT,
+  FOREIGN KEY(run_lease_id) REFERENCES run_leases(id) ON DELETE SET NULL
+);
+
+CREATE TABLE IF NOT EXISTS linear_installations (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  provider TEXT NOT NULL DEFAULT 'linear',
+  workspace_id TEXT,
+  workspace_name TEXT,
+  workspace_key TEXT,
+  actor_id TEXT,
+  actor_name TEXT,
+  access_token_ciphertext TEXT NOT NULL,
+  refresh_token_ciphertext TEXT,
+  scopes_json TEXT NOT NULL,
+  token_type TEXT,
+  expires_at TEXT,
+  created_at TEXT NOT NULL,
+  updated_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS project_installations (
+  project_id TEXT PRIMARY KEY,
+  installation_id INTEGER NOT NULL,
+  linked_at TEXT NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS oauth_states (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  provider TEXT NOT NULL,
+  state TEXT NOT NULL UNIQUE,
+  project_id TEXT,
+  redirect_uri TEXT NOT NULL,
+  actor TEXT NOT NULL,
+  created_at TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'pending',
+  consumed_at TEXT,
+  installation_id INTEGER,
+  error_message TEXT
+);
+
+CREATE INDEX IF NOT EXISTS idx_event_receipts_project_issue ON event_receipts(project_id, linear_issue_id);
+CREATE INDEX IF NOT EXISTS idx_issue_control_ready ON issue_control(desired_stage, active_run_lease_id);
+CREATE INDEX IF NOT EXISTS idx_issue_projection_issue_key ON issue_projection(issue_key);
+CREATE INDEX IF NOT EXISTS idx_run_leases_active ON run_leases(status, project_id, linear_issue_id);
+CREATE INDEX IF NOT EXISTS idx_run_leases_thread ON run_leases(thread_id);
+CREATE INDEX IF NOT EXISTS idx_run_thread_events_run ON run_thread_events(run_lease_id, id);
+CREATE INDEX IF NOT EXISTS idx_obligations_pending ON obligations(status, run_lease_id, kind);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_obligations_dedupe
+ON obligations(run_lease_id, kind, dedupe_key)
+WHERE dedupe_key IS NOT NULL;
+`;
+export function runPatchRelayMigrations(connection) {
+    connection.exec(baseMigration);
+}

package/dist/db/shared.js

@@ -0,0 +1,101 @@
+import { DatabaseSync } from "node:sqlite";
+function isSqlInputValue(value) {
+    return value === null || typeof value === "string" || typeof value === "number" || typeof value === "bigint" || ArrayBuffer.isView(value);
+}
+function toSqlInputValue(value) {
+    if (!isSqlInputValue(value)) {
+        throw new TypeError(`Unsupported SQLite parameter type: ${typeof value}`);
+    }
+    return value;
+}
+function toNamedParameters(value) {
+    const normalized = {};
+    for (const [key, entry] of Object.entries(value)) {
+        normalized[key] = toSqlInputValue(entry);
+    }
+    return normalized;
+}
+function normalizeParameters(parameters) {
+    if (parameters.length === 1) {
+        const [value] = parameters;
+        if (Array.isArray(value)) {
+            return value.map(toSqlInputValue);
+        }
+        if (value && typeof value === "object") {
+            return toNamedParameters(value);
+        }
+    }
+    return parameters.map(toSqlInputValue);
+}
+class SqliteStatementAdapter {
+    statement;
+    constructor(statement) {
+        this.statement = statement;
+    }
+    run(...parameters) {
+        const normalized = normalizeParameters(parameters);
+        if (Array.isArray(normalized)) {
+            return this.statement.run(...normalized);
+        }
+        return this.statement.run(normalized);
+    }
+    get(...parameters) {
+        const normalized = normalizeParameters(parameters);
+        if (Array.isArray(normalized)) {
+            return this.statement.get(...normalized);
+        }
+        return this.statement.get(normalized);
+    }
+    all(...parameters) {
+        const normalized = normalizeParameters(parameters);
+        if (Array.isArray(normalized)) {
+            return this.statement.all(...normalized);
+        }
+        return this.statement.all(normalized);
+    }
+    iterate(...parameters) {
+        const normalized = normalizeParameters(parameters);
+        if (Array.isArray(normalized)) {
+            return this.statement.iterate(...normalized);
+        }
+        return this.statement.iterate(normalized);
+    }
+}
+export class SqliteConnection {
+    database;
+    savepointId = 0;
+    constructor(path) {
+        this.database = new DatabaseSync(path);
+    }
+    close() {
+        this.database.close();
+    }
+    exec(sql) {
+        this.database.exec(sql);
+    }
+    pragma(statement) {
+        this.database.exec(`PRAGMA ${statement}`);
+    }
+    prepare(sql) {
+        return new SqliteStatementAdapter(this.database.prepare(sql));
+    }
+    transaction(fn) {
+        return () => {
+            const savepoint = `patchrelay_txn_${this.savepointId++}`;
+            this.database.exec(`SAVEPOINT ${savepoint}`);
+            try {
+                const result = fn();
+                this.database.exec(`RELEASE SAVEPOINT ${savepoint}`);
+                return result;
+            }
+            catch (error) {
+                this.database.exec(`ROLLBACK TO SAVEPOINT ${savepoint}`);
+                this.database.exec(`RELEASE SAVEPOINT ${savepoint}`);
+                throw error;
+            }
+        };
+    }
+}
+export function isoNow() {
+    return new Date().toISOString();
+}

package/dist/db/stage-event-store.js

@@ -0,0 +1,33 @@
+import { isoNow } from "./shared.js";
+export class StageEventStore {
+    connection;
+    constructor(connection) {
+        this.connection = connection;
+    }
+    saveThreadEvent(params) {
+        const result = this.connection
+            .prepare(`
+        INSERT INTO run_thread_events (run_lease_id, thread_id, turn_id, method, event_json, created_at)
+        VALUES (?, ?, ?, ?, ?, ?)
+        `)
+            .run(params.stageRunId, params.threadId, params.turnId ?? null, params.method, params.eventJson, isoNow());
+        return Number(result.lastInsertRowid);
+    }
+    listThreadEvents(stageRunId) {
+        const rows = this.connection
+            .prepare("SELECT * FROM run_thread_events WHERE run_lease_id = ? ORDER BY id")
+            .all(stageRunId);
+        return rows.map((row) => mapThreadEvent(row));
+    }
+}
+function mapThreadEvent(row) {
+    return {
+        id: Number(row.id),
+        stageRunId: Number(row.run_lease_id),
+        threadId: String(row.thread_id),
+        ...(row.turn_id === null ? {} : { turnId: String(row.turn_id) }),
+        method: String(row.method),
+        eventJson: String(row.event_json),
+        createdAt: String(row.created_at),
+    };
+}

package/dist/db/webhook-event-store.js

@@ -0,0 +1,46 @@
+export class WebhookEventStore {
+    connection;
+    constructor(connection) {
+        this.connection = connection;
+    }
+    insertWebhookEvent(params) {
+        const existing = this.connection.prepare("SELECT id FROM webhook_events WHERE webhook_id = ?").get(params.webhookId);
+        if (existing) {
+            this.connection.prepare("UPDATE webhook_events SET dedupe_status = 'duplicate' WHERE id = ?").run(existing.id);
+            return { id: existing.id, inserted: false };
+        }
+        const result = this.connection
+            .prepare(`
+        INSERT INTO webhook_events (
+          webhook_id, received_at, event_type, issue_id, project_id, headers_json, payload_json, signature_valid, dedupe_status
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+        `)
+            .run(params.webhookId, params.receivedAt, params.eventType, params.issueId ?? null, params.projectId ?? null, params.headersJson, params.payloadJson, params.signatureValid ? 1 : 0, params.dedupeStatus);
+        return { id: Number(result.lastInsertRowid), inserted: true };
+    }
+    markWebhookProcessed(id, status) {
+        this.connection.prepare("UPDATE webhook_events SET processing_status = ? WHERE id = ?").run(status, id);
+    }
+    assignWebhookProject(id, projectId) {
+        this.connection.prepare("UPDATE webhook_events SET project_id = ? WHERE id = ?").run(projectId, id);
+    }
+    getWebhookEvent(id) {
+        const row = this.connection.prepare("SELECT * FROM webhook_events WHERE id = ?").get(id);
+        return row ? mapWebhookEvent(row) : undefined;
+    }
+}
+function mapWebhookEvent(row) {
+    return {
+        id: Number(row.id),
+        webhookId: String(row.webhook_id),
+        receivedAt: String(row.received_at),
+        eventType: String(row.event_type),
+        ...(row.issue_id === null ? {} : { issueId: String(row.issue_id) }),
+        ...(row.project_id === null ? {} : { projectId: String(row.project_id) }),
+        headersJson: String(row.headers_json),
+        payloadJson: String(row.payload_json),
+        signatureValid: Number(row.signature_valid) === 1,
+        dedupeStatus: row.dedupe_status,
+        processingStatus: row.processing_status,
+    };
+}

package/dist/db-ports.js

@@ -0,0 +1,5 @@
+export * from "./webhook-event-ports.js";
+export * from "./installation-ports.js";
+export * from "./ledger-ports.js";
+export * from "./stage-event-ports.js";
+export * from "./workflow-ports.js";

package/dist/db-types.js

@@ -0,0 +1 @@
+export {};

package/dist/db.js

@@ -0,0 +1,40 @@
+import { AuthoritativeLedgerStore } from "./db/authoritative-ledger-store.js";
+import { IssueWorkflowStore } from "./db/issue-workflow-store.js";
+import { LinearInstallationStore } from "./db/linear-installation-store.js";
+import { runPatchRelayMigrations } from "./db/migrations.js";
+import { StageEventStore } from "./db/stage-event-store.js";
+import { SqliteConnection } from "./db/shared.js";
+import { WebhookEventStore } from "./db/webhook-event-store.js";
+export class PatchRelayDatabase {
+    connection;
+    authoritativeLedger;
+    eventReceipts;
+    issueControl;
+    workspaceOwnership;
+    runLeases;
+    obligations;
+    webhookEvents;
+    issueWorkflows;
+    stageEvents;
+    linearInstallations;
+    constructor(databasePath, wal) {
+        this.connection = new SqliteConnection(databasePath);
+        this.connection.pragma("foreign_keys = ON");
+        if (wal) {
+            this.connection.pragma("journal_mode = WAL");
+        }
+        this.authoritativeLedger = new AuthoritativeLedgerStore(this.connection);
+        this.eventReceipts = this.authoritativeLedger;
+        this.issueControl = this.authoritativeLedger;
+        this.workspaceOwnership = this.authoritativeLedger;
+        this.runLeases = this.authoritativeLedger;
+        this.obligations = this.authoritativeLedger;
+        this.webhookEvents = new WebhookEventStore(this.connection);
+        this.issueWorkflows = new IssueWorkflowStore(this.connection);
+        this.stageEvents = new StageEventStore(this.connection);
+        this.linearInstallations = new LinearInstallationStore(this.connection);
+    }
+    runMigrations() {
+        runPatchRelayMigrations(this.connection);
+    }
+}

package/dist/file-permissions.js

@@ -0,0 +1,40 @@
+import { chmod, open } from "node:fs/promises";
+export const SERVICE_ENV_FILE_MODE = 0o600;
+export const DATABASE_FILE_MODE = 0o600;
+export const LOG_FILE_MODE = 0o640;
+async function setMode(filePath, mode) {
+    if (process.platform === "win32") {
+        return;
+    }
+    await chmod(filePath, mode);
+}
+async function enforceFileMode(filePath, mode, options) {
+    if (options?.create) {
+        const handle = await open(filePath, "a", mode);
+        await handle.close();
+    }
+    try {
+        await setMode(filePath, mode);
+    }
+    catch (error) {
+        if (error &&
+            typeof error === "object" &&
+            "code" in error &&
+            error.code === "ENOENT") {
+            return;
+        }
+        throw error;
+    }
+}
+export async function enforceArbitraryFilePermissions(filePath, mode, options) {
+    await enforceFileMode(filePath, mode, options);
+}
+export async function enforceServiceEnvPermissions(serviceEnvPath) {
+    await enforceFileMode(serviceEnvPath, SERVICE_ENV_FILE_MODE);
+}
+export async function enforceRuntimeFilePermissions(config) {
+    await enforceFileMode(config.database.path, DATABASE_FILE_MODE, { create: true });
+    await enforceFileMode(config.logging.filePath, LOG_FILE_MODE, { create: true });
+    await enforceFileMode(`${config.database.path}-wal`, DATABASE_FILE_MODE);
+    await enforceFileMode(`${config.database.path}-shm`, DATABASE_FILE_MODE);
+}