production persistence

Email queue

Emails do not expose the question and have a retry path.

The persistence layer turns OmenHall from polished halls into a service where purchase, scroll, email, archive, and deletion have a verifiable trail.

What is stored

Only what is needed for delivery, archive, support, accounting, and user control.

Do not put everything into the database just because it looks useful in analytics.

If a customer loses an email, Stripe sends a duplicate webhook, or a user requests deletion, the owner has an action route.

Tables

public.reading_records

The primary record for question, sealed input, payment status, and result.

public.oracle_artifacts

PDF, share-card, gift artifact, and print-view as separate deliverable entities.

public.delivery_jobs

Email, PDF, gift, receipt, Echo, and recovery are sent as tracked jobs.

public.omen_consents

A separate ledger for archive, email, Echo, Passport, public share, and gift consent.

public.echo_threads

Returns to scrolls without a new reading: cadence, prompts, next return, and archive tags.

Risk rules

Do not write to Passport, email, or public share without explicit consent.

Share-card receives safe fields only; full question remains private.

Delivery jobs have attempts, status, next_run_at, and support path.

Stripe event id and checkout session id have unique indexes.

artifact may reference reading_record, council_session, or gift key and must have status.

Echo and email do not pressure with fear or sell a repeat question as salvation.

There is data_deletion_requests with scope, verification, status, and retention note.