identity

func (*AgentIdentity) ActualDomain ¶

func (a *AgentIdentity) ActualDomain() string

ActualDomain returns the DNS domain for the agent.

func (*AgentIdentity) EmailAddress ¶

func (a *AgentIdentity) EmailAddress() string

EmailAddress returns the agent's email address (always the ID).

func (*AgentIdentity) IsSharedDomain ¶

func (a *AgentIdentity) IsSharedDomain(sharedDomain string) bool

IsSharedDomain returns true if the agent's domain matches the configured shared domain (the host that backs slug-based registration). When sharedDomain is empty, the deployment has slug registration disabled and no agent can be on the shared domain.

func (PendingApprovalEdit) Apply ¶

func (e PendingApprovalEdit) Apply(msg *Message) bool

Apply mutates msg to reflect any fields the reviewer changed. Returns true if any field was actually different from what msg already held (signals the edited flag should be set).

func (*Store) ApproveAndSend ¶

func (s *Store) ApproveAndSend(
	ctx context.Context,
	messageID, userID string,
	edits PendingApprovalEdit,
	send func(msg *Message) (SendResult, error),
) (*Message, error)

ApproveAndSend finalizes a pending_approval message by running it through a caller-supplied send function inside a transaction that holds a row lock on the pending row. If send returns an error the transaction rolls back and the message remains pending. On success the row is updated to 'sent' with the provider-assigned Message-ID and the body/attachments columns are scrubbed.

edits, if any fields are populated, are applied to the in-memory message before send is called and the 'edited' column is set to true when any field differs from what was stored. Approval-via-magic-link callers pass the zero edits value.

Ownership is enforced by the agent -> user join. Messages owned by another user return ErrMessageNotFound. Messages whose status is not 'pending_approval' return ErrNotPendingApproval. If another worker is already mid-send for this message (rare; only possible after the approval row lock was released without status changing — e.g. a pool drop mid-send), this returns ErrSendInProgress.

Concurrency / failure mode notes:

• The row-level FOR NO KEY UPDATE lock is held on the messages row for the duration of the send callback. In practice that is bounded by outbound.SMTPRelay's per-attempt deadline (2min) plus its internal retry backoff (1s/5s/15s) — worst case ~6.5min of lock on this single row. Other rows are unaffected; deadlock is not possible because only one row is ever locked per call.

  Why NO KEY UPDATE rather than the stricter FOR UPDATE: the send_attempts INSERT below runs on a SEPARATE pool connection and needs a KEY SHARE lock on this messages row for FK enforcement. FOR UPDATE blocks KEY SHARE; FOR NO KEY UPDATE allows it. The downgrade is safe because nothing in this codebase mutates messages.id (the only key column) after creation — all UPDATEs touch non-key columns, which NO KEY UPDATE serializes against itself exactly like FOR UPDATE.

• The old crash window where send() succeeded at SES but the subsequent UPDATE/Commit failed (DB blip, pool exhaustion) is now closed by the send_attempts table. Around send() we run two small auxiliary transactions that outlive the surrounding approval transaction: ClaimSendAttempt before send(), MarkSendSucceeded (or MarkSendFailed) after. If the approval tx rolls back AFTER send() succeeded, the next retry of ApproveAndSend reads send_attempts.status='sent', reuses the recorded SendResult, and skips the upstream send entirely.

func (*Store) AutoDisableFailingWebhooks ¶ added in v0.3.0

func (s *Store) AutoDisableFailingWebhooks(ctx context.Context) (int, error)

AutoDisableFailingWebhooks scans for webhooks whose recent delivery history exceeds the failure threshold and flips them to enabled=false with auto_disabled_at = now(). Returns the count of webhooks newly disabled. Designed to be called periodically (e.g. every 5 minutes) from a janitor goroutine.

"Consecutive failed events" is interpreted as: in the last AutoDisableWindow, at least AutoDisableThreshold rows in webhook_subscriber_deliveries reached status='failed' AND zero rows reached status='delivered'. The zero-delivered guard prevents a noisy webhook that's still mostly working from being disabled.

func (*Store) BootstrapUser ¶

func (s *Store) BootstrapUser(ctx context.Context, email string) (*User, error)

BootstrapUser finds a user by email, or creates one with a synthetic google_subject if none exists. Used by the -bootstrap-email CLI flag for self-host first-run, where there's no Google OAuth flow yet.

func (*Store) ClaimOrCreateDomain ¶

func (s *Store) ClaimOrCreateDomain(ctx context.Context, domain, userID string) (*Domain, error)

ClaimOrCreateDomain implements the atomic create/claim logic from the design doc. Creates if new, returns the existing row when the same user already owns it (verified or not), and errors if a different user owns it. The verification_token and DKIM keypair are minted on first INSERT and remain stable across re-claims — a caller that has already published the TXT record on DNS (or has mail in flight signed with the DKIM key) isn't silently invalidated by a second call. A different user cannot take over an unverified row; that closes a squatting window where the new owner could verify against a TXT record the original owner already published. Callers are responsible for rejecting the configured shared domain before invoking this — the store has no concept of a reserved domain.

func (*Store) ClaimSendAttempt ¶ added in v0.3.0

func (s *Store) ClaimSendAttempt(ctx context.Context, messageID string) (SendAttemptResult, error)

ClaimSendAttempt atomically reserves the send_attempts row for messageID. Concurrency model mirrors internal/idempotency.Claim: one UPSERT with a stale-takeover WHERE clause; the loser does a follow-up SELECT to classify the existing row.

Allowed transitions:

(no row)                              → acquired (fresh INSERT)
status='failed'                       → acquired (UPSERT path takes over)
status='attempting' AND stale         → acquired (UPSERT path takes over)
status='attempting' AND NOT stale     → InFlight (refuse)
status='sent'                         → AlreadySent (reuse recorded result)

Called from ApproveAndSend in a SEPARATE small transaction so the claim row outlives any rollback of the surrounding approval transaction. That's what closes the documented double-send window: once status='sent' is committed here, a retry sees AlreadySent and skips the upstream send even if the messages-row UPDATE inside the approval tx never committed.

func (*Store) ClearExpiredPrevSecrets ¶ added in v0.3.0

func (s *Store) ClearExpiredPrevSecrets(ctx context.Context) (int64, error)

ClearExpiredPrevSecrets nulls signing_secret_prev / signing_secret_prev_expires_at on rows past their grace window. Idempotent. The worker already ignores expired prev secrets at signing time; this janitor is a hygiene pass so GET responses don't carry a meaningless prev_expires_at.

func (*Store) CountWebhooksByUser ¶ added in v0.3.0

func (s *Store) CountWebhooksByUser(ctx context.Context, userID string) (int, error)

CountWebhooksByUser returns the total number of webhooks (enabled + disabled) the user owns. Used by CreateWebhook to enforce the per-user cap from account_limits.max_webhooks.

func (*Store) CreateAPIKey ¶

func (s *Store) CreateAPIKey(ctx context.Context, userID, name string, expiresAt *time.Time) (*APIKey, error)

CreateAPIKey issues a fresh API key for the user. expiresAt is the optional hard expiration; pass nil to issue a never-expiring key (the backward-compatible default).

func (*Store) CreateAgent ¶

func (s *Store) CreateAgent(ctx context.Context, agentEmail, domain, name, webhookURL, agentMode, userID string) (*AgentIdentity, error)

CreateAgent inserts an agent with a domain FK. Does NOT check domain ownership — that's the API handler's responsibility (shared domain skips the check).

func (*Store) CreateAgentTx ¶ added in v0.3.0

func (s *Store) CreateAgentTx(ctx context.Context, tx pgx.Tx, agentEmail, domain, name, webhookURL, agentMode, userID string) (*AgentIdentity, error)

CreateAgentTx inserts an agent inside a caller-owned transaction. Used by the OAuth consent flow so the slug auto-create row and the authorization-code insert (in oauth_auth_codes) commit together — without this, a code-issue failure after the agent commit would leave a phantom inbox the user never authorized.

func (*Store) CreateInboundMessage ¶

func (s *Store) CreateInboundMessage(ctx context.Context, id, agentID, senderEmail, recipient, emailMessageID, subject, conversationID, deliveryStatus string, rawMessage []byte, authHeaders map[string]string, toRecipients, cc, replyTo []string) (*Message, error)

CreateInboundMessage stores an inbound message. If id is empty a new one is generated; otherwise the caller's pre-generated ID is used so the upstream signer can bind auth headers to the same ID that gets stored. toRecipients and cc are the parsed To: and Cc: headers from the original RFC 2822 message; recipient is the per-delivery target for this row (may be one of the To: addresses, or absent from the header list when the agent was Bcc'd). replyTo is the parsed Reply-To: header (empty when absent — never silently falls back to sender).

func (*Store) CreateInboundMessageInTx ¶ added in v0.3.0

func (s *Store) CreateInboundMessageInTx(ctx context.Context, tx pgx.Tx, id, agentID, senderEmail, recipient, emailMessageID, subject, conversationID, deliveryStatus string, rawMessage []byte, authHeaders map[string]string, toRecipients, cc, replyTo []string) (*Message, error)

CreateInboundMessageInTx writes the messages row inside the caller's transaction. Used by the slice-3 relay refactor (per design §4.2) so the messages INSERT and the webhook_events outbox INSERT commit together, closing the at-least-once publish-loss window.

Mirrors the CreateAgentTx pattern at store.go:596-607 — same SQL body, executed against either *pgxpool.Pool or pgx.Tx via the messageExecutor interface below.

func (*Store) CreateOrGetUser ¶

func (s *Store) CreateOrGetUser(ctx context.Context, email, name, googleSub string) (*User, error)

func (*Store) CreateOutboundMessage ¶

func (s *Store) CreateOutboundMessage(ctx context.Context, agentID string, toRecipients []string, cc []string, bcc []string, subject, msgType, method, providerMessageID, conversationID string) (*Message, error)

CreateOutboundMessage stores an outbound message with multi-recipient support. The recipient param is kept for backward compat with the singular recipient column; toRecipients, cc, and bcc are the canonical outbound-only multi-recipient fields.

func (*Store) CreatePendingOutboundMessage ¶

func (s *Store) CreatePendingOutboundMessage(ctx context.Context, agentID string, toRecipients, cc, bcc []string, subject, bodyText, bodyHTML string, attachmentsJSON []byte, msgType, conversationID, replyToEmailMessageID string, ttlSeconds int) (*Message, error)

CreatePendingOutboundMessage stores a fully composed outbound email in pending_approval status, including body_text, body_html, and attachments so that approval can reconstruct the original SendRequest (or accept edits) without the caller needing to retain it. ttlSeconds sets how long the message remains pending before the expiration worker resolves it.

replyToEmailMessageID is the RFC 5322 Message-ID of the inbound being replied to (e.g. "<abc@gmail.com>"), or "" for fresh sends and test emails. It reuses the email_message_id column, which is unused for outbound rows in every other path — the column semantically carries "the Message-ID this row references" in both directions.

attachmentsJSON must be a JSON array matching the public Attachment shape ([{filename, content_type, data}, ...]) or nil. Callers that already have an []outbound.Attachment slice should json.Marshal it before passing in.

func (*Store) CreateSigningSecret ¶ added in v0.3.0

func (s *Store) CreateSigningSecret(ctx context.Context, userID, name string) (*SigningSecret, error)

CreateSigningSecret mints a new secret for the user. The plaintext secret value is set on the returned struct exactly once; subsequent reads (List/Get) only see the prefix.

Returns ErrSigningSecretCapReached if the user is already at MaxSigningSecretsPerUser. Race-free under concurrent callers via the per-user advisory lock.

Empty `name` is normalized server-side to "unnamed" so the dashboard always has something to display.

func (*Store) CreateUserSession ¶

func (s *Store) CreateUserSession(ctx context.Context, userID string) (string, error)

func (*Store) CreateWebhook ¶ added in v0.3.0

func (s *Store) CreateWebhook(ctx context.Context, userID, url, description string, events []string, filters WebhookFilters) (*Webhook, error)

CreateWebhook inserts a new row and returns it with the plaintext signing secret populated. The plaintext is only available on this response — subsequent GET/list calls scrub it.

Filters validation (charset, count caps, agent ownership) is the handler's job in slice 2; the storage layer only verifies the per-user count cap from account_limits.max_webhooks.

func (*Store) DeleteAPIKey ¶

func (s *Store) DeleteAPIKey(ctx context.Context, keyID, userID string) error

func (*Store) DeleteAgent ¶

func (s *Store) DeleteAgent(ctx context.Context, agentID, userID string) error

func (*Store) DeleteDomain ¶

func (s *Store) DeleteDomain(ctx context.Context, domain, userID string) error

DeleteDomain deletes a domain only if owned by the user. The handler should check for existing agents first.

func (*Store) DeleteExpiredMessages ¶

func (s *Store) DeleteExpiredMessages(ctx context.Context) (int64, error)

func (*Store) DeleteExpiredUserSessions ¶

func (s *Store) DeleteExpiredUserSessions(ctx context.Context) (int64, error)

func (*Store) DeleteSigningSecret ¶ added in v0.3.0

func (s *Store) DeleteSigningSecret(ctx context.Context, secretID, userID string) error

DeleteSigningSecret removes a secret. Refuses to delete the user's last secret — every user must keep at least one so webhooks remain verifiable. Race-free under concurrent callers via the per-user row lock.

Check order matters: ownership first (so an attacker probing IDs they don't own gets 404, not "cannot delete last" leaking that the caller has only 1 secret), then the floor.

func (*Store) DeleteUserData ¶

func (s *Store) DeleteUserData(ctx context.Context, userID string) (*DeleteUserDataResult, error)

DeleteUserData wipes everything tied to a user in a single transaction.

Schema cascades cover most of it (user_sessions, domains, agent_identities, api_keys, usage_summaries all `ON DELETE CASCADE` from users; messages cascade through agent_identities; webhook_deliveries cascade through messages). The one row that doesn't is usage_events: its FK is `ON DELETE SET NULL` so analytics survives, which we explicitly override here for full deletion.

Per-table counts are returned to the caller so an operator can attest to what was removed in audit / compliance contexts.

func (*Store) DeleteUserSession ¶

func (s *Store) DeleteUserSession(ctx context.Context, token string) error

func (*Store) DeleteWebhook ¶ added in v0.3.0

func (s *Store) DeleteWebhook(ctx context.Context, webhookID, userID string) error

DeleteWebhook removes a webhook owned by the user. Idempotent: deleting a non-existent or cross-user webhook returns ErrWebhookNotFound, never silently succeeds. The ON DELETE CASCADE on webhook_subscriber_deliveries.webhook_id drops pending delivery rows automatically — no separate cleanup needed.

Slice 1 includes this method (rather than deferring to slice 2's handler work) because tests need it for setup teardown and the implementation is trivial.

func (*Store) EnsureSharedDomain ¶

func (s *Store) EnsureSharedDomain(ctx context.Context, domain string) error

EnsureSharedDomain inserts a system row for the configured shared mail domain so slug-based agent registration can satisfy the agent_identities.domain → domains.domain foreign key. The row is owned by no user (user_id = NULL) and pre-verified — it represents infrastructure the operator runs, not user-claimed identity.

Called once at server startup. Idempotent via ON CONFLICT DO NOTHING, and a no-op when the operator has not configured a shared domain. Without this, any deployment whose shared_domain differs from the hardcoded migration seed (`agents.e2a.dev`) gets an FK violation the first time a user tries to register a slug-based agent.

func (*Store) EnsureUserHasSigningSecret ¶ added in v0.3.0

func (s *Store) EnsureUserHasSigningSecret(ctx context.Context, userID string) error

EnsureUserHasSigningSecret guarantees the user has at least one signing secret, creating a "default" one if not. Idempotent. Concurrent callers serialize via the per-user advisory lock so we can't accidentally insert two "default" rows.

func (*Store) ExpireApproveAndSend ¶

func (s *Store) ExpireApproveAndSend(
	ctx context.Context,
	messageID string,
	send func(msg *Message) (SendResult, error),
) (*Message, error)

ExpireApproveAndSend is the worker-side counterpart to ApproveAndSend: no user ownership check (the caller is the expiration worker, which is system-scoped), SELECT ... FOR NO KEY UPDATE SKIP LOCKED so concurrent workers don't race for the same row, and the terminal status is 'expired_approved' instead of 'sent'. On send failure the transaction rolls back; the worker should then call ExpireReject to move the row to a final state so the row doesn't get picked up on every sweep.

Exactly-once guarantee: like ApproveAndSend, this method runs the send() callback under a send_attempts gate so a crash between SES acceptance and the surrounding tx commit does NOT cause the next worker poll to re-send. ClaimSendAttempt / MarkSendSucceeded / MarkSendFailed run in separate small transactions that outlive the approval tx; on retry, an AlreadySent verdict reuses the cached SendResult and skips the upstream send entirely. Without this, the polling-loop nature of the worker would guarantee a re-send on any commit failure — strictly worse than the human-approval path, where a re-send needs an explicit click.

SKIP LOCKED means multiple app instances can run the worker without contending on the same row. The row-level FOR NO KEY UPDATE lock on messages is held for the duration of the send callback (bounded by SMTPRelay timeouts); FOR NO KEY UPDATE rather than FOR UPDATE so the send_attempts INSERT in a separate connection can acquire its KEY SHARE lock for FK enforcement — see ApproveAndSend's docstring for the full rationale.

If a concurrent worker is mid-send for the same row (the send_attempts row is 'attempting' and not yet stale), returns ErrSendInProgress. The worker loop should treat this like ErrNotPendingApproval — skip silently and let the next poll handle it.

func (*Store) ExpireReject ¶

func (s *Store) ExpireReject(ctx context.Context, messageID, reason string) (*Message, error)

ExpireReject transitions a pending_approval message to expired_rejected and scrubs body columns. No user ownership check — this is the worker path. If the row is no longer pending (racing worker, already handled) returns ErrNotPendingApproval; caller can treat as a no-op.

func (*Store) ExportUserData ¶

func (s *Store) ExportUserData(ctx context.Context, userID string) (*UserExport, error)

ExportUserData gathers everything a user owns into a single struct for the right-of-access flow. Reads run inside a REPEATABLE READ transaction so the snapshot is internally consistent even if writes arrive while the export is being assembled.

func (*Store) GetAgentByEmail ¶

func (s *Store) GetAgentByEmail(ctx context.Context, email string) (*AgentIdentity, error)

GetAgentByEmail looks up an agent by email address (same as GetAgentByID since ID = email).

func (*Store) GetAgentByID ¶

func (s *Store) GetAgentByID(ctx context.Context, id string) (*AgentIdentity, error)

GetAgentByID looks up an agent by its ID (full email) with domain verification status.

func (*Store) GetConversationByID ¶ added in v0.3.0

func (s *Store) GetConversationByID(ctx context.Context, agentID, conversationID string) (*ConversationDetail, error)

GetConversationByID returns the aggregate summary fields plus every member message, ordered oldest-first (chronological reading order). Returns ErrMessageNotFound when no non-expired messages exist for the given (agentID, conversationID) — mirrors the "looks-like-not-found-on-cross-agent" convention used by single- message reads. The same code path handles "wrong agent" and "real non-existent": either way the agent has no business seeing it.

Participants are computed as the union of sender + recipient + each row's to_recipients / cc / bcc (when populated). Empty strings are dropped. Labels are the union of all members' labels[]; both are sorted lexicographically for stable output.

func (*Store) GetDKIMKeyInternal ¶ added in v0.3.0

func (s *Store) GetDKIMKeyInternal(ctx context.Context, domain string) (string, []byte, error)

GetDKIMKeyInternal returns the stored selector + private key bytes for a domain. The "Internal" suffix is load-bearing: this function does NOT scope by user — it takes a domain name and returns whoever owns that domain's signing key. ONLY call from server-internal codepaths where the domain has already been resolved from a trusted source (e.g. an outbound message's sender field, after the agent layer has authenticated the owner). A handler that ever takes a user-supplied domain string and feeds it to this function becomes a "sign as anyone" primitive: don't.

Returns ("", nil, nil) when the domain has no key — callers MUST treat this as "skip signing" and fall back to whatever the relay-level fallback does.

func (*Store) GetDashboardStats ¶ added in v0.3.0

func (s *Store) GetDashboardStats(ctx context.Context, userID string, windowDays int) (*DashboardStats, error)

GetDashboardStats returns workspace-level aggregates for the authenticated user, with a configurable lookback window. windowDays controls Inbound/Outbound totals AND the delivery-success ratio's sample period — passing 0 falls back to DashboardDefaultWindowDays (7), values above DashboardMaxWindowDays (90) are clamped.

Three independent reads — kept separate because the source tables have different indexes and one slow read shouldn't slow the others. All reads are O(rows-for-this-user-only) thanks to the existing per-user indexes.

Robust to missing data: deployments without usage tracking enabled (E2A_USAGE_TRACKING=false — the default for self-hosters) return zero counts rather than erroring. Same for users who have no messages yet. The UI renders zero values as "—".

Delta percentages: today vs yesterday on usage_summaries. Avoids divide-by-zero when yesterday was zero by returning 0. 100% in/de- crease maps to ±100; values clipped at ±999 for integer width.

func (*Store) GetInboundByEmailMessageID ¶ added in v0.3.0

func (s *Store) GetInboundByEmailMessageID(ctx context.Context, agentID, emailMessageID string) (*Message, error)

GetInboundByEmailMessageID looks up an inbound message by its RFC 5322 Message-ID for the given agent. Used by HITL flows to reach the parent inbound at approval time so the References chain can be rebuilt — the pending-outbound row only stores the parent's Message-ID, not its raw message. Scoped to agent_id to prevent any cross-agent reach across shared infra. Returns sql.ErrNoRows when the inbound has expired or was never persisted; callers must tolerate that and fall back to legacy single-id threading.

auth_headers is included in the SELECT so HITL review handlers can surface SPF/DKIM/DMARC provenance on the reply-context pane.

func (*Store) GetInboundMessage ¶

func (s *Store) GetInboundMessage(ctx context.Context, id string) (*Message, error)

func (*Store) GetMessageWithContent ¶

func (s *Store) GetMessageWithContent(ctx context.Context, messageID, agentID string) (*Message, error)

GetMessageWithContent returns a full message including raw_message and auth_headers. Marks the message as 'read' if it was 'unread'.

func (*Store) GetMessagesByAgent ¶

func (s *Store) GetMessagesByAgent(ctx context.Context, f MessageListFilter) ([]Message, error)

GetMessagesByAgent returns messages for an agent, filtered by status, direction, and the optional search filters on the MessageListFilter struct.

• direction: "inbound" (default for SDK polling), "outbound", or "all" (used by the dashboard inbox).
• status: "unread" | "read" | "all" — only applies when direction selects inbound rows; ignored on pure outbound queries.
• descending: cursor walks newest→oldest when true; oldest→newest when false (FIFO polling).
• From / SubjectContains: case-insensitive substring (ILIKE).
• ConversationID: exact match.
• Since / Until: time-range bracket on created_at.

The SELECT includes columns both consumers need: the inbox needs `status` (outbound HITL lifecycle), `webhook_status`/`last_error` (outbound delivery), and `octet_length(raw_message)` (size column); the polling SDK ignores these fields and reads only the existing inbound-relevant ones from the Message struct.

func (*Store) GetOutboundMessageForUser ¶

func (s *Store) GetOutboundMessageForUser(ctx context.Context, messageID, userID string) (*Message, error)

GetOutboundMessageForUser returns a full message row (including body, HITL fields, and attachments) if it exists and is owned by userID (via the agent the row belongs to). Inbound messages and cross-user access both return ErrMessageNotFound — the caller should not be able to distinguish "does not exist" from "belongs to someone else".

func (*Store) GetUserByAPIKey ¶

func (s *Store) GetUserByAPIKey(ctx context.Context, apiKey string) (*User, error)

GetUserByAPIKey authenticates a bearer token and returns the owning user. Rejects revoked keys and time-expired keys; touches last_used_at only on the success path so the column stays a real "last successful authentication" signal (rather than "last attempt").

Expiration semantics: expires_at IS NULL means the key never expires (preserves the pre-migration default). A non-null expires_at must be in the future, evaluated against now() in the same query so there's no clock skew between row read and check.

func (*Store) GetUserByID ¶

func (s *Store) GetUserByID(ctx context.Context, id string) (*User, error)

func (*Store) GetUserSession ¶

func (s *Store) GetUserSession(ctx context.Context, token string) (*User, error)

func (*Store) GetUserSigningSecrets ¶ added in v0.3.0

func (s *Store) GetUserSigningSecrets(ctx context.Context, userID string) ([]SigningSecretWithValue, error)

GetUserSigningSecrets returns the plaintext secret values for a user (paired with their IDs), most-recent-first. The relay signs with [0] and asynchronously updates last_signed_at on that ID. The HITL token verifier tries each Secret in turn. Caller must NOT log the Secret values.

func (*Store) GetWebhookByID ¶ added in v0.3.0

func (s *Store) GetWebhookByID(ctx context.Context, webhookID, userID string) (*Webhook, error)

GetWebhookByID returns the webhook iff it's owned by userID. Cross- user reads (or missing rows) return ErrWebhookNotFound — same not-found-on-cross-user convention used elsewhere in the codebase (conversation reads, message reads).

The returned Webhook has SigningSecret populated for the delivery worker's benefit; the public API layer scrubs this field before responding to GETs.

func (*Store) GetWebhookByIDInternal ¶ added in v0.3.0

func (s *Store) GetWebhookByIDInternal(ctx context.Context, webhookID string) (*Webhook, error)

GetWebhookByIDInternal returns the webhook by ID with no ownership check. INTERNAL USE ONLY — handler code MUST use GetWebhookByID which scopes by user_id. The retry worker uses this to look up the URL + signing secret for a delivery row whose ownership was already established when the publisher inserted it.

The suffix Internal mirrors the convention in dkim.GetDKIMKeyInternal: a method name that calls out "skipping the standard authorization check" so a reviewer doesn't have to read the body to know why.

func (*Store) HasAgentsOnDomain ¶

func (s *Store) HasAgentsOnDomain(ctx context.Context, domain, userID string) (bool, error)

HasAgentsOnDomain checks whether the owned domain still has agents.

func (*Store) ListAPIKeys ¶

func (s *Store) ListAPIKeys(ctx context.Context, userID string) ([]APIKey, error)

func (*Store) ListActivityByAgent ¶

func (s *Store) ListActivityByAgent(ctx context.Context, agentID string, limit int) ([]Message, error)

func (*Store) ListAgentsByUser ¶

func (s *Store) ListAgentsByUser(ctx context.Context, userID string) ([]AgentIdentity, error)

ListAgentsByUser returns all agents owned by the user, joined with domain verification AND enriched with per-agent stats for the dashboard. Five correlated subqueries compute inbound/outbound 7-day counts, pending approvals, last delivery, and webhook health in a single round-trip. Other load paths (GetAgentByID, GetAgentByEmail) intentionally don't compute these — only the dashboard needs them.

func (*Store) ListConversationsByAgent ¶ added in v0.3.0

func (s *Store) ListConversationsByAgent(ctx context.Context, f ConversationListFilter) ([]ConversationSummary, error)

ListConversationsByAgent groups the agent's non-expired messages by conversation_id and returns one row per conversation sorted by most-recent activity. Messages without a conversation_id are not included in any conversation — they remain individually visible via GetMessagesByAgent.

func (*Store) ListDomainsByUser ¶

func (s *Store) ListDomainsByUser(ctx context.Context, userID string) ([]Domain, error)

ListDomainsByUser returns all domains owned by the user (excludes system rows). AgentCount is computed inline via a correlated subquery — one round-trip regardless of how many domains the user has, and the per-row count is cheap because (agent_identities.user_id, agent_identities.domain) is indexed via the existing idx_agent_identities_user.

func (*Store) ListEnabledWebhooksForRouting ¶ added in v0.3.0

func (s *Store) ListEnabledWebhooksForRouting(ctx context.Context, userID, eventType string) ([]Webhook, error)

ListEnabledWebhooksForRouting is the hot-path query used by the event publisher. Returns enabled webhooks for the user that subscribe to the given event type. The in-process publisher then applies filter matching in Go (cheaper than encoding the AND-across-types + OR-within-type rule in SQL at slice-1 scale).

The partial index idx_webhooks_user_enabled WHERE enabled = true keeps this O(log n) on the common case (a user has a small number of enabled webhooks).

func (*Store) ListExpiredPending ¶

func (s *Store) ListExpiredPending(ctx context.Context, limit int) ([]ExpirationCandidate, error)

ListExpiredPending returns pending_approval messages whose approval_expires_at is in the past, joined with their agent's hitl_expiration_action. Ordered by approval_expires_at ASC so earliest-expired are handled first.

func (*Store) ListPendingOutboundForUser ¶

func (s *Store) ListPendingOutboundForUser(ctx context.Context, userID string, limit int) ([]Message, error)

ListPendingOutboundForUser returns pending-approval messages across all of the user's agents, sorted by approval_expires_at ASC (expiring-soonest first). Body columns are not returned from this path — callers should use GetOutboundMessageForUser for detail.

func (*Store) ListSigningSecrets ¶ added in v0.3.0

func (s *Store) ListSigningSecrets(ctx context.Context, userID string) ([]SigningSecret, error)

ListSigningSecrets returns the user's secrets in most-recent-first order. Populates both Secret (plaintext) and SecretPrefix; callers that build a list shape for the dashboard get to choose which to surface.

func (*Store) ListWebhooksByUser ¶ added in v0.3.0

func (s *Store) ListWebhooksByUser(ctx context.Context, userID string) ([]Webhook, error)

ListWebhooksByUser returns every webhook owned by the user — used by the slice-2 GET /api/v1/webhooks endpoint. Storage layer surfaces enabled and disabled rows alike; filter at the handler if needed.

func (*Store) LookupConversationID ¶

func (s *Store) LookupConversationID(ctx context.Context, agentID string, messageIDs []string) (string, error)

LookupConversationID finds a conversation_id by matching In-Reply-To / References message IDs against stored messages. Checks both email_message_id (inbound) and provider_message_id (outbound). Uses prefix matching because SES bare IDs stored in provider_message_id (e.g. <010f...>) may lack the @region.amazonses.com suffix that appears in the actual email headers sent to recipients.

func (*Store) LookupDomain ¶

func (s *Store) LookupDomain(ctx context.Context, domain, userID string) (*Domain, error)

LookupDomain returns a domain if it exists and is owned by the given user.

func (*Store) MarkSendFailed ¶ added in v0.3.0

func (s *Store) MarkSendFailed(ctx context.Context, messageID, errMsg string) error

MarkSendFailed records that the upstream send failed for messageID, so the next ClaimSendAttempt is allowed to take over and retry. Idempotent against double-call: only updates rows still 'attempting'.

func (*Store) MarkSendSucceeded ¶ added in v0.3.0

func (s *Store) MarkSendSucceeded(ctx context.Context, messageID string, r SendResult) error

MarkSendSucceeded records the result of a successful upstream send. Idempotent against double-call: only updates rows still 'attempting' so a stray re-Mark from a buggy caller cannot overwrite a previous success or revive a failed row.

func (*Store) MaxWebhooksForUser ¶ added in v0.3.0

func (s *Store) MaxWebhooksForUser(ctx context.Context, userID string) (int, error)

func (*Store) ModifyMessageLabels ¶ added in v0.3.0

func (s *Store) ModifyMessageLabels(ctx context.Context, messageID, agentID string, add, remove []string) ([]string, error)

ModifyMessageLabels applies a delta — add then remove — to a message's labels[] in a single atomic statement. Returns the updated labels (deduplicated, sorted) so the caller can echo them back in the response without a second round-trip.

Inputs are assumed already normalized (lowercased, charset-validated, dedup'd within each list, e2a:* gated). The store layer:

• applies adds first, then removes (so a label in both lists ends up removed)
• rejects if the post-add total would exceed MaxLabelsPerMessage
• returns ErrMessageNotFound if the row is missing / expired / cross-agent

The whole thing runs as one UPDATE so a concurrent PATCH from a second client can't observe a partial state.

func (*Store) RejectPending ¶

func (s *Store) RejectPending(ctx context.Context, messageID, userID, reason string) (*Message, error)

RejectPending transitions a pending_approval message to rejected, records the reviewer's reason (empty string allowed), and scrubs body_text / body_html / attachments_json. Ownership checked; missing rows return ErrMessageNotFound. Non-pending rows return ErrNotPendingApproval.

func (*Store) ResolveOutboundOwner ¶

func (s *Store) ResolveOutboundOwner(ctx context.Context, messageID string) (userID, agentID string, err error)

ResolveOutboundOwner looks up the user_id and agent_id for an outbound message without requiring the caller to know the user_id up-front. It exists for token-authenticated paths (magic-link approve/reject) where the HMAC token itself is the authorization and the handler just needs enough context to dispatch into the existing user-scoped store methods.

Returns ErrMessageNotFound if the message doesn't exist or isn't outbound. The returned user_id is guaranteed to own the message's agent (via the agent_identities.user_id join).

func (*Store) RotateSecret ¶ added in v0.3.0

func (s *Store) RotateSecret(ctx context.Context, webhookID, userID string) (newPlaintext string, prevExpiresAt time.Time, err error)

RotateSecret generates a new signing secret, moves the current secret into signing_secret_prev with a 24h expiry, and returns the new plaintext (shown once). During the 24h grace window the delivery worker dual-signs each request so receivers can verify with either secret while they update their handler.

func (*Store) SetDomainPrimary ¶ added in v0.3.0

func (s *Store) SetDomainPrimary(ctx context.Context, domain, userID string) error

SetDomainPrimary marks a domain as the user's primary in a single transaction: first clear any other primary belonging to the user, then set the requested domain. The partial unique index in migration 013 makes the clear-first step necessary — otherwise the two writes would race and one would fail with a unique violation.

Returns ErrDomainNotFound when the domain doesn't exist or isn't owned by the user.

func (*Store) TouchDomainLastChecked ¶ added in v0.3.0

func (s *Store) TouchDomainLastChecked(ctx context.Context, domain, userID string) error

TouchDomainLastChecked records that the verification probe ran. Call this from POST /api/v1/domains/{domain}/verify whether the probe succeeded or not — the LastCheckedAt column is "when did we last try", not "when did we last succeed" (the latter is verified_at).

func (*Store) TouchSigningSecretLastSigned ¶ added in v0.3.0

func (s *Store) TouchSigningSecretLastSigned(ctx context.Context, secretID string) error

TouchSigningSecretLastSigned records that the relay used this secret to sign a payload. Best-effort — failure is logged but does not block the actual signing operation.

func (*Store) UpdateAgentHITL ¶

func (s *Store) UpdateAgentHITL(ctx context.Context, agentID, userID string, enabled bool, ttlSeconds int, expirationAction string) error

UpdateAgentHITL updates all three HITL settings on an agent owned by userID. The TTL and expiration action are validated against the same rules as the DB CHECK constraints so callers get a clean error rather than a raw SQL error.

func (*Store) UpdateAgentMode ¶

func (s *Store) UpdateAgentMode(ctx context.Context, agentID, userID, agentMode, webhookURL string) error

func (*Store) UpdateAgentWebhook ¶

func (s *Store) UpdateAgentWebhook(ctx context.Context, agentID, userID, webhookURL string) error

func (*Store) UpdateMessageDeliveryStatus ¶

func (s *Store) UpdateMessageDeliveryStatus(ctx context.Context, messageID, agentID, status string) error

UpdateMessageDeliveryStatus sets the inbox_status on a message.

func (*Store) UpdateUserName ¶ added in v0.3.0

func (s *Store) UpdateUserName(ctx context.Context, userID, name string) (*User, error)

UpdateUserName persists a new display name on the user row and returns the updated User. Input validation (length, whitespace) is the caller's responsibility — this layer only enforces that the row exists.

func (*Store) UpdateWebhook ¶ added in v0.3.0

func (s *Store) UpdateWebhook(ctx context.Context, webhookID, userID string, u WebhookUpdate) (*Webhook, error)

UpdateWebhook applies a partial update to a webhook. Only fields with a non-nil pointer in WebhookUpdate are touched. Returns the updated row.

Validation (charset, count caps, agent ownership) is the handler's job; the storage layer enforces only the re-enable cooldown and the per-row CHECK constraints (events non-empty, url non-empty).

func (*Store) VerifyDomain ¶

func (s *Store) VerifyDomain(ctx context.Context, domain, userID string) error

VerifyDomain marks a domain as verified, only if owned by the given user.

func (*Store) WithTx ¶ added in v0.3.0

func (s *Store) WithTx(ctx context.Context, fn func(tx pgx.Tx) error) error

WithTx opens a transaction, runs fn inside it, and commits if fn returns nil (or rolls back if fn returns an error). Used by the slice-3 relay refactor so the messages INSERT and the webhook_events outbox INSERT commit together, closing the at-least-once publish-loss window.

The relay handler is the primary v1 caller; future trigger sites (slice 4 outbound + HITL) reuse the same helper. Keeps callers from having to import pgxpool directly.