pub fn check_schema_compat(
conn: &Connection,
current: i64,
db_label: &str,
) -> Result<(), StoreError>Expand description
PRAGMA user_version tripwire (AUDIT_SQLITE_SYSTEMS §8.5).
Compare the file’s user_version to current and refuse to open
the database if it was written by a NEWER binary.
This is the forward-compat safety lock from the channels design
(SPEC_DATA_CHANNELS_2026_05_24.md §3.3). Within a channel,
multiple released AgentMux versions share one data dir; the lock
keeps an older binary from writing into a schema laid down by a
newer binary. Same discipline as Chrome’s profile-too-new check
and Postgres’s catalog version mismatch.
Must be called BEFORE run_*_schema / run_*_migrations. The
run_* functions include mutating steps (legacy-table renames,
seed inserts, CREATE TABLE for new tables the older binary
doesn’t have), so if we ran them first and only then checked the
version, a downgraded binary could still alter a newer database
before the error fires — breaking the “reject without touching
disk” invariant the lock is meant to guarantee (codex P1 on PR
#1029).
Read-only: only PRAGMA user_version query, no writes.
stamp_version does the corresponding write AFTER migrations
complete successfully.
Recovery for the user when this returns SchemaTooNew: upgrade
AgentMux to a version ≥ found, or set
AGENTMUX_CHANNEL=<other> to land in a different channel dir.
The data on disk is preserved either way — this function never
modifies the database on the rejected path.