All 3 cloud models converged on real concurrency bugs in the SQLite stores:
- AppendVersion (HIGH): the seq key was `SELECT MAX(seq)+1` then INSERT in two
un-transacted statements with a NON-unique index, AND the Scan error was
swallowed (seq stayed 0 on failure). Concurrent appends could both land the
same seq, silently breaking newest-first ordering. Now: one transaction, the
Scan error is propagated, the (skill_id, seq) index is UNIQUE (the loser of a
race fails loudly), and an empty SkillID is rejected.
- MarkScheduledRun / MarkAgentScheduledRun (all 3): replaced the Get→mutate→Save
read-modify-write (lost-update window) with a single atomic UPDATE using
json_set, so a concurrent Mark/edit can't clobber it. json_set keeps the JSON
blob's NextRunAt/LastScheduledRunAt consistent with the indexed column;
RFC3339Nano matches Go's time encoding so the blob still round-trips (tested).
- Open: actually applies PRAGMA busy_timeout=5000 (the doc advertised it but it
was never set) — a contended writer waits instead of erroring SQLITE_BUSY.
- budgetStore.Add: rejects NaN/Inf secondsUsed (would irrecoverably poison the
column).
Triaged-but-kept: plaintext webhook secret (documented design, high-entropy URL
key, pre-existing); SQL()/free-form `where` helpers (no untrusted input reaches
them — defense-in-depth notes only).
Core go.sum still free of host/DB deps; contrib/store green (incl. a json_set
blob-round-trip test).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
db.Skills() satisfies skill.SkillStore over SQLite, same JSON-blob + indexed
columns pattern. Versions live in their own table (each SkillVersion embeds a
full Skill snapshot as JSON), ordered newest-first by an append seq.
Test: round-trip (Tools, ExposeAsChatbotTool), visibility listing
(public/shared/private with SharedWith filtered in Go), chatbot-exposed,
newest-first versions + GetVersionByID, scheduled-due query + MarkScheduledRun.
contrib/store now covers budget + persona + skill; audit store next.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>