mig: scope user oauth tokens to toolset

[walker-tx]

This migration indexes user OAuth tokens by toolset_id instead of Issuer.

---

[changeset-bot]

⚠️ No Changeset found

Latest commit: e6ba3aa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

Devin Review found 1 potential issue.

🔴 1 issue in files not directly in the diff

🔴 UpsertUserOAuthToken ON CONFLICT clause references non-existent unique index (server/internal/oauth/repo/queries.sql:138)

The UpsertUserOAuthToken query uses ON CONFLICT (user_id, organization_id, oauth_server_issuer) but the migration changes the unique index to (user_id, organization_id, toolset_id). After the migration runs, the ON CONFLICT clause will not match any unique constraint.

Click to expand

Impact

When a user completes OAuth authentication and the system tries to store/update their token via UpsertUserOAuthToken at server/internal/oauth/external_oauth.go:479, PostgreSQL will either:

1. Raise an error because the ON CONFLICT target doesn't match any unique constraint
2. Insert duplicate rows instead of updating existing ones

Actual vs Expected

• Actual: The query's ON CONFLICT references (user_id, organization_id, oauth_server_issuer) which no longer has a unique index
• Expected: The ON CONFLICT should reference (user_id, organization_id, toolset_id) to match the new unique index

Code Reference

The migration at server/migrations/20260203225638_index-user-tokens-by-toolset-id.sql:6 creates:

CREATE UNIQUE INDEX ... ON "user_oauth_tokens" ("user_id", "organization_id", "toolset_id")

But the query at server/internal/oauth/repo/queries.sql:138 still uses:

ON CONFLICT (user_id, organization_id, oauth_server_issuer) WHERE deleted IS FALSE DO UPDATE SET

Recommendation: Update the ON CONFLICT clause to use (user_id, organization_id, toolset_id) to match the new unique index. Also update the DO UPDATE SET clause to include toolset_id = EXCLUDED.toolset_id if needed, and consider whether client_registration_id and project_id should also be updated.

View issue and 4 additional flags in Devin Review.

[github-actions]

atlas migrate lint on server/migrations

Status	Step	Result
	1 new migration file detected	20260203225638_index-user-tokens-by-toolset-id.sql
	ERD and visual diff generated	View Visualization
	Analyze 20260203225638_index-user-tokens-by-toolset-id.sql 1 reports were found in analysis	Data dependent changes detected Adding a unique index "user_oauth_tokens_user_org_issuer_key" on table "user_oauth_tokens" might fail in case columns "user_id", "organization_id", "toolset_id" contain duplicate entries (MF101)
Read the full linting report on Atlas Cloud

[github-actions]

atlas migrate lint on server/clickhouse/migrations

Status	Step	Result
	No migration files detected
	ERD and visual diff generated	View Visualization
	No issues found	View Report
Read the full linting report on Atlas Cloud

[speakeasybot]

🚀 Preview Environment (PR #1478)

Preview URL: https://pr-1478.dev.getgram.ai

Component	Status	Details	Updated (UTC)
✅ Database	Ready	Created and validated	2026-02-03 23:10:32.
✅ Images	Available	Container images ready	2026-02-03 23:10:14.

_{Gram Preview Bot}