writbase 0.1.0

package/migrations/00001_enums.sql

@@ -0,0 +1,7 @@
+CREATE TYPE priority AS ENUM ('low', 'medium', 'high', 'critical');
+CREATE TYPE status AS ENUM ('todo', 'in_progress', 'blocked', 'done', 'cancelled');
+CREATE TYPE actor_type AS ENUM ('human', 'agent', 'system');
+CREATE TYPE source AS ENUM ('ui', 'mcp', 'api', 'system');
+CREATE TYPE event_category AS ENUM ('task', 'admin', 'system');
+CREATE TYPE target_type AS ENUM ('task', 'agent_key', 'project', 'department');
+CREATE TYPE agent_role AS ENUM ('worker', 'manager');

package/migrations/00002_core_tables.sql

@@ -0,0 +1,105 @@
+-- projects
+CREATE TABLE projects (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  name text UNIQUE NOT NULL,
+  slug text UNIQUE NOT NULL,
+  is_archived boolean DEFAULT false NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  created_by uuid REFERENCES auth.users(id)
+);
+
+-- departments
+CREATE TABLE departments (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  name text UNIQUE NOT NULL,
+  slug text UNIQUE NOT NULL,
+  is_archived boolean DEFAULT false NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  created_by uuid REFERENCES auth.users(id)
+);
+
+-- tasks
+CREATE TABLE tasks (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  project_id uuid NOT NULL REFERENCES projects(id),
+  department_id uuid REFERENCES departments(id),
+  priority priority DEFAULT 'medium' NOT NULL,
+  description text NOT NULL,
+  notes text,
+  due_date timestamptz,
+  status status DEFAULT 'todo' NOT NULL,
+  version integer DEFAULT 1 NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  updated_at timestamptz DEFAULT now() NOT NULL,
+  created_by_type actor_type NOT NULL,
+  created_by_id text NOT NULL,
+  updated_by_type actor_type NOT NULL,
+  updated_by_id text NOT NULL,
+  source source NOT NULL
+);
+
+-- event_log
+CREATE TABLE event_log (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  event_category event_category NOT NULL,
+  target_type target_type NOT NULL,
+  target_id uuid NOT NULL,
+  event_type text NOT NULL,
+  field_name text,
+  old_value jsonb,
+  new_value jsonb,
+  actor_type actor_type NOT NULL,
+  actor_id text NOT NULL,
+  actor_label text NOT NULL,
+  source source NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL
+);
+
+-- agent_keys
+CREATE TABLE agent_keys (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  name text NOT NULL,
+  role agent_role DEFAULT 'worker' NOT NULL,
+  key_hash text NOT NULL,
+  key_prefix text NOT NULL,
+  is_active boolean DEFAULT true NOT NULL,
+  special_prompt text,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  last_used_at timestamptz,
+  created_by text NOT NULL
+);
+
+-- agent_permissions
+CREATE TABLE agent_permissions (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  agent_key_id uuid NOT NULL REFERENCES agent_keys(id) ON DELETE CASCADE,
+  project_id uuid NOT NULL REFERENCES projects(id),
+  department_id uuid REFERENCES departments(id),
+  can_read boolean DEFAULT false NOT NULL,
+  can_create boolean DEFAULT false NOT NULL,
+  can_update boolean DEFAULT false NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  UNIQUE NULLS NOT DISTINCT (agent_key_id, project_id, department_id)
+);
+
+-- app_settings
+CREATE TABLE app_settings (
+  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+  department_required boolean DEFAULT false NOT NULL,
+  require_human_approval_for_agent_keys boolean DEFAULT false NOT NULL,
+  created_at timestamptz DEFAULT now() NOT NULL,
+  updated_at timestamptz DEFAULT now() NOT NULL
+);
+
+-- rate_limits
+CREATE TABLE rate_limits (
+  agent_key_id uuid NOT NULL REFERENCES agent_keys(id),
+  window_start timestamptz NOT NULL,
+  request_count integer DEFAULT 1 NOT NULL,
+  UNIQUE (agent_key_id, window_start)
+);
+
+-- admin_users
+CREATE TABLE admin_users (
+  user_id uuid REFERENCES auth.users(id) PRIMARY KEY
+);

package/migrations/00003_constraints_indexes.sql

@@ -0,0 +1,69 @@
+-- Task indexes
+CREATE INDEX idx_tasks_project_dept_status ON tasks(project_id, department_id, status);
+CREATE INDEX idx_tasks_project_created_id ON tasks(project_id, created_at, id);
+CREATE INDEX idx_tasks_updated_at ON tasks(updated_at);
+
+-- Event log indexes
+CREATE INDEX idx_event_log_target ON event_log(target_id, event_category);
+CREATE INDEX idx_event_log_created_at ON event_log(created_at);
+
+-- Agent permissions index
+CREATE INDEX idx_agent_permissions_key ON agent_permissions(agent_key_id);
+
+-- Rate limits index
+CREATE INDEX idx_rate_limits_key_window ON rate_limits(agent_key_id, window_start);
+
+-- Description min length check
+ALTER TABLE tasks ADD CONSTRAINT chk_description_min_length CHECK (char_length(description) >= 3);
+
+-- Revoke mutation on event_log for non-service roles
+REVOKE UPDATE, DELETE ON event_log FROM anon, authenticated;
+
+-- Cursor pagination RPC
+CREATE OR REPLACE FUNCTION get_tasks_page(
+  p_project_id uuid,
+  p_department_id uuid DEFAULT NULL,
+  p_status status DEFAULT NULL,
+  p_priority priority DEFAULT NULL,
+  p_updated_after timestamptz DEFAULT NULL,
+  p_cursor_created_at timestamptz DEFAULT NULL,
+  p_cursor_id uuid DEFAULT NULL,
+  p_limit integer DEFAULT 20
+)
+RETURNS TABLE (
+  id uuid,
+  project_id uuid,
+  department_id uuid,
+  priority priority,
+  description text,
+  notes text,
+  due_date timestamptz,
+  status status,
+  version integer,
+  created_at timestamptz,
+  updated_at timestamptz,
+  created_by_type actor_type,
+  created_by_id text,
+  updated_by_type actor_type,
+  updated_by_id text,
+  source source
+)
+LANGUAGE sql
+STABLE
+AS $$
+  SELECT t.id, t.project_id, t.department_id, t.priority, t.description,
+         t.notes, t.due_date, t.status, t.version, t.created_at, t.updated_at,
+         t.created_by_type, t.created_by_id, t.updated_by_type, t.updated_by_id, t.source
+  FROM tasks t
+  WHERE t.project_id = p_project_id
+    AND (p_department_id IS NULL OR t.department_id = p_department_id)
+    AND (p_status IS NULL OR t.status = p_status)
+    AND (p_priority IS NULL OR t.priority = p_priority)
+    AND (p_updated_after IS NULL OR t.updated_at > p_updated_after)
+    AND (
+      p_cursor_created_at IS NULL
+      OR (t.created_at, t.id) > (p_cursor_created_at, p_cursor_id)
+    )
+  ORDER BY t.created_at ASC, t.id ASC
+  LIMIT LEAST(p_limit, 50);
+$$;

package/migrations/00004_rls_policies.sql

@@ -0,0 +1,169 @@
+-- Enable RLS on all tables
+ALTER TABLE projects ENABLE ROW LEVEL SECURITY;
+ALTER TABLE departments ENABLE ROW LEVEL SECURITY;
+ALTER TABLE tasks ENABLE ROW LEVEL SECURITY;
+ALTER TABLE event_log ENABLE ROW LEVEL SECURITY;
+ALTER TABLE agent_keys ENABLE ROW LEVEL SECURITY;
+ALTER TABLE agent_permissions ENABLE ROW LEVEL SECURITY;
+ALTER TABLE app_settings ENABLE ROW LEVEL SECURITY;
+ALTER TABLE rate_limits ENABLE ROW LEVEL SECURITY;
+ALTER TABLE admin_users ENABLE ROW LEVEL SECURITY;
+
+-- Helper: admin check expression
+-- auth.uid() IN (SELECT user_id FROM admin_users)
+
+-- projects: full CRUD for admins
+CREATE POLICY "admin_select_projects" ON projects
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_projects" ON projects
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_projects" ON projects
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_projects" ON projects
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- departments: full CRUD for admins
+CREATE POLICY "admin_select_departments" ON departments
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_departments" ON departments
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_departments" ON departments
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_departments" ON departments
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- tasks: full CRUD for admins
+CREATE POLICY "admin_select_tasks" ON tasks
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_tasks" ON tasks
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_tasks" ON tasks
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_tasks" ON tasks
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- agent_keys: full CRUD for admins
+CREATE POLICY "admin_select_agent_keys" ON agent_keys
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_agent_keys" ON agent_keys
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_agent_keys" ON agent_keys
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_agent_keys" ON agent_keys
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- agent_permissions: full CRUD for admins
+CREATE POLICY "admin_select_agent_permissions" ON agent_permissions
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_agent_permissions" ON agent_permissions
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_agent_permissions" ON agent_permissions
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_agent_permissions" ON agent_permissions
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- app_settings: full CRUD for admins
+CREATE POLICY "admin_select_app_settings" ON app_settings
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_insert_app_settings" ON app_settings
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_app_settings" ON app_settings
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_app_settings" ON app_settings
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- event_log: SELECT only for admins, INSERT via service_role only (no RLS policy for insert = blocked for anon/authenticated)
+CREATE POLICY "admin_select_event_log" ON event_log
+  FOR SELECT TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- rate_limits: no direct access (managed by service_role in Edge Functions)
+-- No policies = all access denied for anon/authenticated; service_role bypasses RLS
+
+-- admin_users: SELECT for authenticated (so RLS policies can self-check)
+CREATE POLICY "authenticated_select_admin_users" ON admin_users
+  FOR SELECT TO authenticated
+  USING (true);
+
+-- admin_users: INSERT/UPDATE/DELETE for existing admins only
+CREATE POLICY "admin_insert_admin_users" ON admin_users
+  FOR INSERT TO authenticated
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_update_admin_users" ON admin_users
+  FOR UPDATE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users))
+  WITH CHECK (auth.uid() IN (SELECT user_id FROM admin_users));
+
+CREATE POLICY "admin_delete_admin_users" ON admin_users
+  FOR DELETE TO authenticated
+  USING (auth.uid() IN (SELECT user_id FROM admin_users));
+
+-- Append-only trigger on event_log (service_role bypasses RLS but not triggers)
+CREATE FUNCTION prevent_event_log_mutation() RETURNS TRIGGER AS $$
+BEGIN RAISE EXCEPTION 'event_log is append-only: % not permitted', TG_OP; END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER enforce_append_only BEFORE UPDATE OR DELETE ON event_log
+  FOR EACH ROW EXECUTE FUNCTION prevent_event_log_mutation();
+
+-- updated_at trigger for tasks
+CREATE OR REPLACE FUNCTION update_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = now();
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER tasks_updated_at
+  BEFORE UPDATE ON tasks
+  FOR EACH ROW EXECUTE FUNCTION update_updated_at();

package/migrations/00005_seed_app_settings.sql

@@ -0,0 +1,2 @@
+INSERT INTO app_settings (department_required, require_human_approval_for_agent_keys)
+VALUES (false, false);

package/migrations/00006_rate_limit_rpc.sql

@@ -0,0 +1,14 @@
+-- RPC used by the rate-limit Edge Function module.
+-- Atomically increments the per-minute request counter for an agent key.
+CREATE OR REPLACE FUNCTION increment_rate_limit(p_key_id uuid)
+RETURNS integer
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+AS $$
+  INSERT INTO rate_limits (agent_key_id, window_start, request_count)
+  VALUES (p_key_id, date_trunc('minute', now()), 1)
+  ON CONFLICT (agent_key_id, window_start)
+  DO UPDATE SET request_count = rate_limits.request_count + 1
+  RETURNING request_count;
+$$;

package/migrations/00007_rate_limit_rpc_search_path.sql

@@ -0,0 +1,14 @@
+-- Fix SECURITY DEFINER function: add SET search_path to prevent schema hijacking.
+CREATE OR REPLACE FUNCTION increment_rate_limit(p_key_id uuid)
+RETURNS integer
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+  INSERT INTO rate_limits (agent_key_id, window_start, request_count)
+  VALUES (p_key_id, date_trunc('minute', now()), 1)
+  ON CONFLICT (agent_key_id, window_start)
+  DO UPDATE SET request_count = rate_limits.request_count + 1
+  RETURNING request_count;
+$$;

package/migrations/00008_indexes_and_cleanup.sql

@@ -0,0 +1,22 @@
+-- Add missing indexes for performance (G8)
+CREATE INDEX IF NOT EXISTS idx_event_log_actor_id ON event_log (actor_id);
+CREATE INDEX IF NOT EXISTS idx_agent_permissions_project_dept ON agent_permissions (project_id, department_id);
+
+-- RPC function for rate_limits cleanup (G7)
+-- Call via pg_cron: SELECT cleanup_rate_limits();
+-- Recommended schedule: every 15 minutes
+-- Deletes rate_limit windows older than 5 minutes (well past the 1-minute window)
+CREATE OR REPLACE FUNCTION cleanup_rate_limits()
+RETURNS integer
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+  WITH deleted AS (
+    DELETE FROM rate_limits
+    WHERE window_start < now() - interval '5 minutes'
+    RETURNING 1
+  )
+  SELECT count(*)::integer FROM deleted;
+$$;

package/migrations/00009_atomic_mutations.sql

@@ -0,0 +1,175 @@
+-- Atomic task creation: INSERT task + event_log in a single transaction.
+-- Accepts a single jsonb payload to avoid positional parameter bugs.
+CREATE OR REPLACE FUNCTION create_task_with_event(p_payload jsonb)
+RETURNS tasks
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  v_project   projects%ROWTYPE;
+  v_dept      departments%ROWTYPE;
+  v_task      tasks%ROWTYPE;
+  v_dept_id   uuid;
+BEGIN
+  -- 1. Validate project exists and is not archived
+  SELECT * INTO v_project
+    FROM projects
+    WHERE id = (p_payload->>'project_id')::uuid;
+
+  IF NOT FOUND THEN
+    RAISE EXCEPTION 'project_not_found:Project not found';
+  END IF;
+
+  IF v_project.is_archived THEN
+    RAISE EXCEPTION 'project_archived:Cannot create tasks in an archived project';
+  END IF;
+
+  -- 2. Validate department if provided
+  v_dept_id := (p_payload->>'department_id')::uuid;
+  IF v_dept_id IS NOT NULL THEN
+    SELECT * INTO v_dept
+      FROM departments
+      WHERE id = v_dept_id;
+
+    IF NOT FOUND THEN
+      RAISE EXCEPTION 'department_not_found:Department not found';
+    END IF;
+
+    IF v_dept.is_archived THEN
+      RAISE EXCEPTION 'department_archived:Cannot create tasks in an archived department';
+    END IF;
+  END IF;
+
+  -- 3. Insert task
+  INSERT INTO tasks (
+    project_id, department_id, priority, description, notes,
+    due_date, status, version,
+    created_by_type, created_by_id, updated_by_type, updated_by_id, source
+  ) VALUES (
+    (p_payload->>'project_id')::uuid,
+    v_dept_id,
+    COALESCE((p_payload->>'priority')::priority, 'medium'),
+    p_payload->>'description',
+    p_payload->>'notes',
+    (p_payload->>'due_date')::timestamptz,
+    COALESCE((p_payload->>'status')::status, 'todo'),
+    1,
+    (p_payload->>'created_by_type')::actor_type,
+    p_payload->>'created_by_id',
+    (p_payload->>'created_by_type')::actor_type,
+    p_payload->>'created_by_id',
+    (p_payload->>'source')::source
+  )
+  RETURNING * INTO v_task;
+
+  -- 4. Insert event_log
+  INSERT INTO event_log (
+    event_category, target_type, target_id, event_type,
+    actor_type, actor_id, actor_label, source
+  ) VALUES (
+    'task', 'task', v_task.id, 'task.created',
+    (p_payload->>'actor_type')::actor_type,
+    p_payload->>'actor_id',
+    p_payload->>'actor_label',
+    (p_payload->>'source')::source
+  );
+
+  RETURN v_task;
+END;
+$$;
+
+-- Atomic task update: UPDATE task + event_log rows in a single transaction.
+-- Does field-level diff in Postgres using IS DISTINCT FROM.
+CREATE OR REPLACE FUNCTION update_task_with_events(p_payload jsonb)
+RETURNS tasks
+LANGUAGE plpgsql
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  v_old       tasks%ROWTYPE;
+  v_new       tasks%ROWTYPE;
+  v_task_id   uuid;
+  v_version   integer;
+  v_updates   jsonb;
+  v_actor_type actor_type;
+  v_actor_id  text;
+  v_actor_label text;
+  v_source    source;
+BEGIN
+  v_task_id   := (p_payload->>'task_id')::uuid;
+  v_version   := (p_payload->>'version')::integer;
+  v_updates   := p_payload->'fields';
+  v_actor_type := (p_payload->>'actor_type')::actor_type;
+  v_actor_id  := p_payload->>'actor_id';
+  v_actor_label := p_payload->>'actor_label';
+  v_source    := (p_payload->>'source')::source;
+
+  -- 1. Fetch existing task
+  SELECT * INTO v_old FROM tasks WHERE id = v_task_id;
+
+  IF NOT FOUND THEN
+    RAISE EXCEPTION 'task_not_found:Task not found';
+  END IF;
+
+  -- 2. Version check
+  IF v_old.version <> v_version THEN
+    RAISE EXCEPTION 'version_conflict:Version conflict: expected %, current is %', v_version, v_old.version;
+  END IF;
+
+  -- 3. Update task (only provided fields)
+  UPDATE tasks SET
+    priority      = COALESCE((v_updates->>'priority')::priority, priority),
+    description   = COALESCE(v_updates->>'description', description),
+    notes         = CASE WHEN v_updates ? 'notes' THEN v_updates->>'notes' ELSE notes END,
+    department_id = CASE WHEN v_updates ? 'department_id' THEN (v_updates->>'department_id')::uuid ELSE department_id END,
+    due_date      = CASE WHEN v_updates ? 'due_date' THEN (v_updates->>'due_date')::timestamptz ELSE due_date END,
+    status        = COALESCE((v_updates->>'status')::status, status),
+    version       = version + 1,
+    updated_at    = now(),
+    updated_by_type = v_actor_type,
+    updated_by_id   = v_actor_id,
+    source          = v_source
+  WHERE id = v_task_id AND version = v_version
+  RETURNING * INTO v_new;
+
+  IF NOT FOUND THEN
+    -- Race condition: version changed between SELECT and UPDATE
+    RAISE EXCEPTION 'version_conflict:Task was modified concurrently';
+  END IF;
+
+  -- 4. Field-level diff using IS DISTINCT FROM, insert event_log rows
+  IF v_new.priority IS DISTINCT FROM v_old.priority THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'priority', to_jsonb(v_old.priority::text), to_jsonb(v_new.priority::text), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  IF v_new.description IS DISTINCT FROM v_old.description THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'description', to_jsonb(v_old.description), to_jsonb(v_new.description), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  IF v_new.notes IS DISTINCT FROM v_old.notes THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'notes', to_jsonb(v_old.notes), to_jsonb(v_new.notes), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  IF v_new.department_id IS DISTINCT FROM v_old.department_id THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'department_id', to_jsonb(v_old.department_id), to_jsonb(v_new.department_id), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  IF v_new.due_date IS DISTINCT FROM v_old.due_date THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'due_date', to_jsonb(v_old.due_date), to_jsonb(v_new.due_date), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  IF v_new.status IS DISTINCT FROM v_old.status THEN
+    INSERT INTO event_log (event_category, target_type, target_id, event_type, field_name, old_value, new_value, actor_type, actor_id, actor_label, source)
+    VALUES ('task', 'task', v_task_id, 'task.updated', 'status', to_jsonb(v_old.status::text), to_jsonb(v_new.status::text), v_actor_type, v_actor_id, v_actor_label, v_source);
+  END IF;
+
+  RETURN v_new;
+END;
+$$;

package/migrations/00010_user_rate_limits.sql

@@ -0,0 +1,52 @@
+-- Per-user rate limiting for the human dashboard.
+-- Separate from agent rate_limits which has FK to agent_keys.
+
+CREATE TABLE user_rate_limits (
+  user_id uuid NOT NULL,
+  window_start timestamptz NOT NULL,
+  request_count integer NOT NULL DEFAULT 1,
+  UNIQUE (user_id, window_start)
+);
+
+-- Atomic upsert: increment per-minute counter for a user
+CREATE OR REPLACE FUNCTION increment_user_rate_limit(p_user_id uuid)
+RETURNS integer
+LANGUAGE sql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+  INSERT INTO user_rate_limits (user_id, window_start, request_count)
+  VALUES (p_user_id, date_trunc('minute', now()), 1)
+  ON CONFLICT (user_id, window_start)
+  DO UPDATE SET request_count = user_rate_limits.request_count + 1
+  RETURNING request_count;
+$$;
+
+-- Update cleanup function to also clean user_rate_limits
+CREATE OR REPLACE FUNCTION cleanup_rate_limits()
+RETURNS integer
+LANGUAGE plpgsql
+VOLATILE
+SECURITY DEFINER
+SET search_path = public
+AS $$
+DECLARE
+  v_count integer;
+BEGIN
+  WITH deleted_agent AS (
+    DELETE FROM rate_limits
+    WHERE window_start < now() - interval '5 minutes'
+    RETURNING 1
+  ),
+  deleted_user AS (
+    DELETE FROM user_rate_limits
+    WHERE window_start < now() - interval '5 minutes'
+    RETURNING 1
+  )
+  SELECT (SELECT count(*) FROM deleted_agent) + (SELECT count(*) FROM deleted_user)
+  INTO v_count;
+
+  RETURN v_count;
+END;
+$$;

package/migrations/00011_atomic_permission_update.sql

@@ -0,0 +1,31 @@
+-- Atomic permission update: delete + insert in a single transaction
+-- Prevents race condition where agent has zero permissions between
+-- separate DELETE and INSERT calls.
+CREATE OR REPLACE FUNCTION update_agent_permissions(
+  p_key_id uuid,
+  p_rows jsonb
+) RETURNS void
+LANGUAGE plpgsql SECURITY DEFINER SET search_path = public AS $$
+BEGIN
+  -- Enforce admin-only access (defense-in-depth alongside GRANT restrictions)
+  IF NOT EXISTS (SELECT 1 FROM admin_users WHERE user_id = auth.uid()) THEN
+    RAISE EXCEPTION 'unauthorized: admin access required';
+  END IF;
+
+  DELETE FROM agent_permissions WHERE agent_key_id = p_key_id;
+
+  INSERT INTO agent_permissions (agent_key_id, project_id, department_id, can_read, can_create, can_update)
+  SELECT p_key_id,
+         (r->>'project_id')::uuid,
+         (r->>'department_id')::uuid,
+         (r->>'can_read')::boolean,
+         (r->>'can_create')::boolean,
+         (r->>'can_update')::boolean
+  FROM jsonb_array_elements(p_rows) AS r;
+END;
+$$;
+
+-- Restrict execution: revoke from public/anon, allow only authenticated users
+REVOKE ALL ON FUNCTION update_agent_permissions(uuid, jsonb) FROM PUBLIC;
+REVOKE ALL ON FUNCTION update_agent_permissions(uuid, jsonb) FROM anon;
+GRANT EXECUTE ON FUNCTION update_agent_permissions(uuid, jsonb) TO authenticated;