Module mailbox

SQLite mailbox schema shared by team-mcp and integration tests.

The actual connection handling lives in team-mcp; this module defines the schema + migrations so both crates agree on the shape of the data.

Constants

PRIVILEGED_KIND
The one privileged mailbox kind. A system message is a lifecycle signal (drain, startup, rate-limit) that the supervisor emits inline and in real time; only a system:* source may originate one (#254). If any agent or user:* source could originate one, forging a “session terminating” signal would be trivial.
SCHEMA
Idempotent schema bootstrap. Safe to run on every connect.

Functions

ensure
Bootstrap the schema and apply additive migrations. Idempotent — safe on every connect. Replaces direct execute_batch(SCHEMA) calls so that existing databases pick up new columns without a destructive reset.
is_privileged_kind
Is kind the privileged system kind? Single source of truth for the privileged-kind contract, consulted on every mailbox write path — the insert allowlist (team-mcp store::send_dm_kind, sender-gated) and the UPDATE guard (team-bot media dispatch, which refuses it outright) — so the contract has one definition rather than a "system" literal copied per site (#320).
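
The contract described above, sketched as an added example that is not code from this crate: one predicate consulted by a sender-gated insert check and by an update check that refuses the privileged kind outright. The signatures, the "system" value of PRIVILEGED_KIND (inferred from the literal mentioned above), and the names check_insert, check_update_kind, is_system_source and WriteError are assumptions; the source strings are constructed.

```rust
// Added illustration only. Signatures and helper names are assumed,
// not taken from the crate.

/// Assumed value, based on the "system" literal the docs mention.
pub const PRIVILEGED_KIND: &str = "system";

/// Single definition of the privileged-kind test (exact match).
pub fn is_privileged_kind(kind: &str) -> bool {
    kind == PRIVILEGED_KIND
}

#[derive(Debug, PartialEq)]
pub enum WriteError {
    PrivilegedKindForbidden,
}

/// Hypothetical helper: true only for `system:<name>` with a non-empty name,
/// so "system", "system:" and "user:system:x" do not qualify.
fn is_system_source(source: &str) -> bool {
    matches!(source.strip_prefix("system:"), Some(rest) if !rest.is_empty())
}

/// Insert path: sender-gated. Non-privileged kinds pass for any source.
pub fn check_insert(source: &str, kind: &str) -> Result<(), WriteError> {
    if is_privileged_kind(kind) && !is_system_source(source) {
        return Err(WriteError::PrivilegedKindForbidden);
    }
    Ok(())
}

/// Update path: an existing row may never be rewritten into the
/// privileged kind, whoever asks.
pub fn check_update_kind(new_kind: &str) -> Result<(), WriteError> {
    if is_privileged_kind(new_kind) {
        return Err(WriteError::PrivilegedKindForbidden);
    }
    Ok(())
}

fn main() {
    // Constructed sample senders and kinds.
    let cases = [("system:supervisor", "system"), ("user:alice", "system"),
                 ("user:system:x", "system"), ("agent-7", "dm")];
    for (source, kind) in cases.iter() {
        println!("{} / {} -> {:?}", source, kind, check_insert(source, kind));
    }
    println!("update to system -> {:?}", check_update_kind("system"));
}
```

Routing both write paths through the same predicate means a change to the privileged kind cannot leave one path enforcing a stale literal.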