[codex] Cut storage over to FumaDB (#817)

* Cut storage over to FumaDB

* Move DB setup out of core SDK

* Tighten plugin FumaDB table typing

* Move table collection into createExecutor

* Remove FumaDB helper casts

* Use FumaDB directly in plugin stores

* Restore cloud database scripts

* Restore cloud migration history

* Restore OpenAPI OAuth coverage

* Restore connection SDK coverage

* Restore SDK credential behavior coverage

* Split cloud database layers

* Use socket-backed cloud test database

* Fix FumaDB build and worker test resolution

* Remove obsolete local migration embedding

* Restore OpenAPI source query coverage

* Move plugin storage onto FumaDB

* Add FumaDB table policy interceptors

* Harden scoped FumaDB policy tests

* Keep FumaDB query context off SDK surface

* Move FumaDB policy test into FumaDB package

* Update FumaDB cutover migration handling

* Use cloud migrations for PGlite setup

* Restore FumaDB cutover coverage

* Build vendored FumaDB for package previews

Author: RhysSullivan

.oxfmtrc.json

@@ -7,9 +7,11 @@
     "dist",
     "integrationsdotsh",
     "node_modules",
+    "packages/core/fumadb",
     "bun.lock",
     "*.tsbuildinfo",
     "executor-*.tgz",
-    "**/routeTree.gen.ts"
+    "**/routeTree.gen.ts",
+    "apps/cloud/src/services/executor-schema.ts"
   ]
 }

.oxlintrc.jsonc

@@ -118,6 +118,7 @@
     "dist/",
     "integrationsdotsh/",
     "node_modules/",
+    "packages/core/fumadb/",
     "bun.lock",
     "*.tsbuildinfo",
     "executor-*.tgz",

apps/cloud/drizzle.config.ts

@@ -4,7 +4,7 @@ import { defineConfig } from "drizzle-kit";
 // migrate) ignores it. Default to the local PGlite socket started by
 // `bun run dev:db`; override via `DATABASE_URL` for prod studio sessions.
 // drizzle-kit uses node-postgres (`pg`) for studio and the `ssl` option in
-// dbCredentials doesn't reliably reach the pool — append `sslmode=require`
+// dbCredentials doesn't reliably reach the pool - append `sslmode=require`
 // directly to the URL instead, which `pg` honours.
 const DEFAULT_DEV_URL = "postgresql://postgres:postgres@127.0.0.1:5433/postgres";
 

apps/cloud/drizzle/0016_fumadb_cutover.sql

@@ -0,0 +1,114 @@
+CREATE TABLE IF NOT EXISTS "private_executor_cloud_settings" (
+	"id" varchar(255) PRIMARY KEY NOT NULL,
+	"version" varchar(255) DEFAULT '1.0.0' NOT NULL
+);
+--> statement-breakpoint
+INSERT INTO "private_executor_cloud_settings" ("id", "version")
+VALUES ('default', '1.0.0')
+ON CONFLICT ("id") DO UPDATE SET "version" = excluded."version";
+--> statement-breakpoint
+ALTER TABLE "credential_binding" ADD COLUMN IF NOT EXISTS "secret_scope_id" text;
+--> statement-breakpoint
+ALTER TABLE "blob" ADD COLUMN IF NOT EXISTS "row_id" varchar(255);
+--> statement-breakpoint
+ALTER TABLE "blob" ADD COLUMN IF NOT EXISTS "id" varchar(255);
+--> statement-breakpoint
+UPDATE "blob"
+SET
+	"id" = COALESCE("id", '[' || to_json("namespace")::text || ',' || to_json("key")::text || ']'),
+	"row_id" = COALESCE("row_id", 'legacy_' || md5("namespace" || chr(31) || "key"))
+WHERE "id" IS NULL OR "row_id" IS NULL;
+--> statement-breakpoint
+ALTER TABLE "blob" ALTER COLUMN "id" SET NOT NULL;
+--> statement-breakpoint
+ALTER TABLE "blob" ALTER COLUMN "row_id" SET NOT NULL;
+--> statement-breakpoint
+DO $$
+BEGIN
+	IF EXISTS (
+		SELECT 1 FROM pg_constraint
+		WHERE conrelid = 'public.blob'::regclass
+			AND conname = 'blob_namespace_key_pk'
+	) THEN
+		ALTER TABLE "blob" DROP CONSTRAINT "blob_namespace_key_pk";
+	END IF;
+
+	IF NOT EXISTS (
+		SELECT 1 FROM pg_constraint
+		WHERE conrelid = 'public.blob'::regclass
+			AND conname = 'blob_pkey'
+	) THEN
+		ALTER TABLE "blob" ADD CONSTRAINT "blob_pkey" PRIMARY KEY ("row_id");
+	END IF;
+END $$;
+--> statement-breakpoint
+CREATE UNIQUE INDEX IF NOT EXISTS "blob_id_uidx" ON "blob" USING btree ("id");
+--> statement-breakpoint
+DO $$
+DECLARE
+	table_name text;
+	legacy_pk_name text;
+	new_pk_name text;
+	new_unique_name text;
+BEGIN
+	FOREACH table_name IN ARRAY ARRAY[
+		'connection',
+		'credential_binding',
+		'definition',
+		'graphql_operation',
+		'graphql_source',
+		'graphql_source_header',
+		'graphql_source_query_param',
+		'mcp_binding',
+		'mcp_source',
+		'mcp_source_header',
+		'mcp_source_query_param',
+		'oauth2_session',
+		'openapi_operation',
+		'openapi_source',
+		'openapi_source_header',
+		'openapi_source_query_param',
+		'openapi_source_spec_fetch_header',
+		'openapi_source_spec_fetch_query_param',
+		'secret',
+		'source',
+		'tool',
+		'tool_policy',
+		'workos_vault_metadata'
+	]
+	LOOP
+		legacy_pk_name := table_name || '_scope_id_id_pk';
+		new_pk_name := table_name || '_pkey';
+		new_unique_name := table_name || '_scope_id_id_uidx';
+
+		EXECUTE format('ALTER TABLE %I ADD COLUMN IF NOT EXISTS "row_id" varchar(255)', table_name);
+		EXECUTE format(
+			'UPDATE %I SET "row_id" = COALESCE("row_id", %L || md5("scope_id" || chr(31) || "id")) WHERE "row_id" IS NULL',
+			table_name,
+			'legacy_'
+		);
+		EXECUTE format('ALTER TABLE %I ALTER COLUMN "row_id" SET NOT NULL', table_name);
+
+		IF EXISTS (
+			SELECT 1 FROM pg_constraint
+			WHERE conrelid = format('public.%I', table_name)::regclass
+				AND conname = legacy_pk_name
+		) THEN
+			EXECUTE format('ALTER TABLE %I DROP CONSTRAINT %I', table_name, legacy_pk_name);
+		END IF;
+
+		IF NOT EXISTS (
+			SELECT 1 FROM pg_constraint
+			WHERE conrelid = format('public.%I', table_name)::regclass
+				AND conname = new_pk_name
+		) THEN
+			EXECUTE format('ALTER TABLE %I ADD CONSTRAINT %I PRIMARY KEY ("row_id")', table_name, new_pk_name);
+		END IF;
+
+		EXECUTE format(
+			'CREATE UNIQUE INDEX IF NOT EXISTS %I ON %I USING btree ("scope_id", "id")',
+			new_unique_name,
+			table_name
+		);
+	END LOOP;
+END $$;