@banata-auth/convex 0.1.0

package/src/component/schema.ts

@@ -0,0 +1,916 @@
+/**
+ * Banata Auth Convex component schema.
+ *
+ * This schema defines all tables managed by the Better Auth Convex component.
+ * It covers the core auth tables plus tables for all plugins:
+ * - Core: user, session, account, verification
+ * - Two-Factor: twoFactor
+ * - Passkeys: passkey
+ * - JWT/JWKS: jwks
+ * - Rate Limiting: rateLimit
+ * - Organizations: organization, member, invitation
+ * - SSO: ssoProvider
+ * - SCIM: scimProvider
+ * - API Key: apikey
+ * - Audit: auditEvent
+ * - Webhooks: webhookEndpoint, webhookDelivery
+ * - Vault: vaultSecret
+ * - Domains: domainVerification
+ *
+ * This file would normally be auto-generated by:
+ *   npx auth generate --config ./auth.ts --output ./schema.ts
+ *
+ * We define it manually to ensure all fields needed by Banata Auth are present,
+ * including custom fields not in the default Better Auth schema.
+ */
+import { defineSchema, defineTable } from "convex/server";
+import { v } from "convex/values";
+
+const schema = defineSchema({
+	// ─── Project Tables ─────────────────────────────────────────────
+	// These are the top-level organizational units. A project represents
+	// a product/app (e.g., "Twitter Clone").
+	// All other tables are scoped to a project.
+
+	/**
+	 * Project table — top-level organizational unit.
+	 * Each project is a fully isolated auth tenant with its own users,
+	 * sessions, orgs, branding, templates, webhooks, API keys, etc.
+	 *
+	 * Example: A software firm uses Banata Auth to power auth for
+	 * multiple client products — each product is a project.
+	 */
+	project: defineTable({
+		name: v.string(), // "Twitter Clone"
+		slug: v.string(), // "twitter-clone" (unique)
+		description: v.optional(v.string()),
+		logoUrl: v.optional(v.string()),
+
+		/** The dashboard user who created this project. */
+		ownerId: v.string(),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("ownerId", ["ownerId"])
+		.index("createdAt", ["createdAt"]),
+
+	// ─── Core Auth Tables ────────────────────────────────────────────
+
+	/**
+	 * User table - stores all user accounts.
+	 * Extended with username, phone, admin, and 2FA fields.
+	 * Scoped per project — each project has its own isolated user base.
+	 */
+	user: defineTable({
+		name: v.string(),
+		email: v.string(),
+		emailVerified: v.boolean(),
+		image: v.optional(v.string()),
+
+		// Project scoping — isolates users per project
+		projectId: v.optional(v.string()),
+
+		// Username plugin
+		username: v.optional(v.string()),
+		displayUsername: v.optional(v.string()),
+
+		// Phone plugin
+		phoneNumber: v.optional(v.string()),
+		phoneNumberVerified: v.optional(v.boolean()),
+
+		// Admin plugin
+		role: v.optional(v.string()),
+		banned: v.optional(v.boolean()),
+		banReason: v.optional(v.string()),
+		banExpires: v.optional(v.float64()),
+
+		// Two-factor plugin
+		twoFactorEnabled: v.optional(v.boolean()),
+
+		// Anonymous plugin
+		isAnonymous: v.optional(v.boolean()),
+
+		// Custom metadata
+		metadata: v.optional(v.any()),
+
+		// Timestamps
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("email", ["email"])
+		.index("username", ["username"])
+		.index("phoneNumber", ["phoneNumber"])
+		.index("role", ["role"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"])
+		.index("projectId_email", ["projectId", "email"]),
+
+	/**
+	 * Session table - stores active user sessions.
+	 * Better Auth manages session lifecycle (create, refresh, revoke).
+	 */
+	session: defineTable({
+		userId: v.string(),
+		token: v.string(),
+		expiresAt: v.float64(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		// Session context
+		ipAddress: v.optional(v.string()),
+		userAgent: v.optional(v.string()),
+
+		// Organization context (organization plugin)
+		activeOrganizationId: v.optional(v.string()),
+
+		// Impersonation (admin plugin)
+		impersonatedBy: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("token", ["token"])
+		.index("userId", ["userId"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Account table - stores provider credentials (OAuth, email/password, SAML, etc.)
+	 * Each user can have multiple accounts (one per provider).
+	 */
+	account: defineTable({
+		userId: v.string(),
+		accountId: v.string(),
+		providerId: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		// OAuth tokens
+		accessToken: v.optional(v.string()),
+		refreshToken: v.optional(v.string()),
+		accessTokenExpiresAt: v.optional(v.float64()),
+		refreshTokenExpiresAt: v.optional(v.float64()),
+		scope: v.optional(v.string()),
+		idToken: v.optional(v.string()),
+
+		// Credential provider
+		password: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("userId", ["userId"])
+		.index("accountId_providerId", ["accountId", "providerId"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Verification table - stores email verification tokens, password reset tokens,
+	 * magic link tokens, and OTPs.
+	 */
+	verification: defineTable({
+		identifier: v.string(),
+		value: v.string(),
+		expiresAt: v.float64(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.optional(v.float64()),
+		updatedAt: v.optional(v.float64()),
+	})
+		.index("identifier", ["identifier"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Plugin Tables ──────────────────────────────────────────────
+
+	/**
+	 * Two-factor authentication table.
+	 * Stores TOTP secrets and backup codes per user.
+	 */
+	twoFactor: defineTable({
+		userId: v.string(),
+		secret: v.string(),
+		backupCodes: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("userId", ["userId"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Passkey (WebAuthn) credentials.
+	 * Stores registered passkeys for passwordless authentication.
+	 */
+	passkey: defineTable({
+		userId: v.string(),
+		name: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		credentialID: v.string(),
+		publicKey: v.string(),
+		counter: v.float64(),
+		transports: v.optional(v.string()),
+		deviceType: v.optional(v.string()),
+		backedUp: v.optional(v.boolean()),
+
+		createdAt: v.float64(),
+	})
+		.index("credentialID", ["credentialID"])
+		.index("userId", ["userId"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * JWKS table - stores RS256 key pairs for JWT signing.
+	 * Better Auth generates and rotates these automatically.
+	 * Scoped per project — each project has its own signing keys.
+	 */
+	jwks: defineTable({
+		publicKey: v.string(),
+		privateKey: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	/**
+	 * Rate limiting table.
+	 * Tracks request counts per key (IP + endpoint hash).
+	 */
+	rateLimit: defineTable({
+		key: v.string(),
+		count: v.float64(),
+		lastRequest: v.float64(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+	})
+		.index("key", ["key"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Organization Tables ────────────────────────────────────────
+
+	/**
+	 * Organization table.
+	 * Stores organization details and policies.
+	 * Scoped per project — each project has its own orgs.
+	 */
+	organization: defineTable({
+		name: v.string(),
+		slug: v.string(),
+		logo: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		metadata: v.optional(v.any()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Organization member table.
+	 * Links users to organizations with roles.
+	 */
+	member: defineTable({
+		organizationId: v.string(),
+		userId: v.string(),
+		role: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("organizationId", ["organizationId"])
+		.index("userId", ["userId"])
+		.index("organizationId_userId", ["organizationId", "userId"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Organization invitation table.
+	 * Stores pending invitations to join an organization.
+	 */
+	invitation: defineTable({
+		organizationId: v.string(),
+		email: v.string(),
+		role: v.string(),
+		inviterId: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		status: v.string(),
+		expiresAt: v.float64(),
+
+		createdAt: v.float64(),
+	})
+		.index("organizationId", ["organizationId"])
+		.index("email", ["email"])
+		.index("status", ["status"])
+		.index("projectId", ["projectId"]),
+
+	// ─── SSO Tables ────────────────────────────────────────────────────
+
+	/**
+	 * SSO Provider table - stores SAML/OIDC connection configurations.
+	 * Created by the @better-auth/sso plugin.
+	 */
+	ssoProvider: defineTable({
+		organizationId: v.optional(v.string()),
+		providerId: v.string(),
+		issuer: v.string(),
+		domain: v.string(),
+		name: v.optional(v.string()),
+		domainVerified: v.optional(v.boolean()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		// OIDC config
+		oidcConfig: v.optional(v.any()),
+
+		// SAML config
+		samlConfig: v.optional(v.any()),
+
+		// Provider state
+		providerType: v.string(), // "saml" | "oidc"
+		active: v.optional(v.boolean()),
+
+		userId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("providerId", ["providerId"])
+		.index("domain", ["domain"])
+		.index("organizationId", ["organizationId"])
+		.index("projectId", ["projectId"]),
+
+	// ─── SCIM Tables ───────────────────────────────────────────────────
+
+	/**
+	 * SCIM Provider table - stores SCIM directory connection configurations.
+	 * Created by the @better-auth/scim plugin.
+	 */
+	scimProvider: defineTable({
+		organizationId: v.optional(v.string()),
+		providerId: v.string(),
+		scimToken: v.optional(v.string()),
+		name: v.optional(v.string()),
+		provider: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		// SCIM endpoint URL (auto-generated)
+		endpointUrl: v.optional(v.string()),
+
+		// Bearer token for SCIM API (hashed)
+		tokenHash: v.optional(v.string()),
+
+		// Provider state
+		active: v.optional(v.boolean()),
+		lastSyncAt: v.optional(v.float64()),
+		lastSyncStatus: v.optional(v.string()),
+
+		userId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("providerId", ["providerId"])
+		.index("scimToken", ["scimToken"])
+		.index("organizationId", ["organizationId"])
+		.index("projectId", ["projectId"]),
+
+	// ─── API Key Tables ────────────────────────────────────────────────
+
+	/**
+	 * API Key table - stores API keys for programmatic access.
+	 * Created by the apiKey plugin from better-auth/plugins.
+	 */
+	apikey: defineTable({
+		name: v.optional(v.string()),
+		start: v.optional(v.string()),
+		prefix: v.optional(v.union(v.string(), v.null())),
+		key: v.string(),
+
+		userId: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		refillInterval: v.optional(v.union(v.string(), v.null())),
+		refillAmount: v.optional(v.union(v.float64(), v.null())),
+		lastRefillAt: v.optional(v.union(v.float64(), v.null())),
+
+		enabled: v.optional(v.boolean()),
+		rateLimitEnabled: v.optional(v.boolean()),
+		rateLimitTimeWindow: v.optional(v.float64()),
+		rateLimitMax: v.optional(v.float64()),
+
+		remaining: v.optional(v.union(v.float64(), v.null())),
+
+		requestCount: v.optional(v.float64()),
+		lastRequest: v.optional(v.union(v.float64(), v.null())),
+
+		expiresAt: v.optional(v.union(v.float64(), v.null())),
+
+		permissions: v.optional(v.string()),
+		metadata: v.optional(v.any()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("key", ["key"])
+		.index("userId", ["userId"])
+		.index("start", ["start"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Audit Log Tables ──────────────────────────────────────────────
+
+	/**
+	 * Audit event table - stores all auditable auth events.
+	 */
+	auditEvent: defineTable({
+		action: v.string(),
+		version: v.optional(v.float64()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		// Actor info
+		actorType: v.string(), // "user" | "admin" | "system" | "api_key" | "scim"
+		actorId: v.string(),
+		actorName: v.optional(v.string()),
+		actorEmail: v.optional(v.string()),
+		actorMetadata: v.optional(v.any()),
+
+		// Target info (JSON stringified array)
+		targets: v.optional(v.string()),
+
+		// Context
+		organizationId: v.optional(v.string()),
+		ipAddress: v.optional(v.string()),
+		userAgent: v.optional(v.string()),
+		requestId: v.optional(v.string()),
+
+		// Changes (before/after JSON)
+		changes: v.optional(v.string()),
+
+		idempotencyKey: v.optional(v.string()),
+		metadata: v.optional(v.any()),
+
+		occurredAt: v.float64(),
+		createdAt: v.float64(),
+	})
+		.index("action", ["action"])
+		.index("actorId", ["actorId"])
+		.index("organizationId", ["organizationId"])
+		.index("occurredAt", ["occurredAt"])
+		.index("idempotencyKey", ["idempotencyKey"])
+		.index("projectId", ["projectId"])
+		.index("projectId_occurredAt", ["projectId", "occurredAt"]),
+
+	// ─── Webhook Tables ────────────────────────────────────────────────
+
+	/**
+	 * Webhook endpoint table - stores registered webhook URLs.
+	 */
+	webhookEndpoint: defineTable({
+		url: v.string(),
+		secret: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		eventTypes: v.optional(v.string()), // JSON stringified array
+		enabled: v.boolean(),
+
+		successCount: v.optional(v.float64()),
+		failureCount: v.optional(v.float64()),
+		consecutiveFailures: v.optional(v.float64()),
+
+		lastDeliveryAt: v.optional(v.float64()),
+		lastDeliveryStatus: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("enabled", ["enabled"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Webhook delivery table - stores delivery attempts for audit trail.
+	 */
+	webhookDelivery: defineTable({
+		endpointId: v.string(),
+		eventType: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		payload: v.string(), // JSON stringified
+
+		attempt: v.float64(),
+		maxAttempts: v.float64(),
+
+		status: v.string(), // "pending" | "success" | "failed" | "retrying"
+		httpStatus: v.optional(v.float64()),
+		responseBody: v.optional(v.string()),
+		errorMessage: v.optional(v.string()),
+
+		nextRetryAt: v.optional(v.float64()),
+
+		deliveredAt: v.optional(v.float64()),
+		createdAt: v.float64(),
+	})
+		.index("endpointId", ["endpointId"])
+		.index("status", ["status"])
+		.index("nextRetryAt", ["nextRetryAt"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Config Tables ────────────────────────────────────────────────
+
+	/**
+	 * Role definition table — stores custom RBAC roles defined via the dashboard.
+	 * Better Auth has static code-defined roles; this table adds dynamic CRUD roles.
+	 */
+	roleDefinition: defineTable({
+		name: v.string(),
+		slug: v.string(),
+		description: v.optional(v.string()),
+		permissions: v.optional(v.string()), // JSON stringified array of permission slugs
+		isDefault: v.optional(v.boolean()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Permission definition table — stores custom RBAC permissions defined via the dashboard.
+	 */
+	permissionDefinition: defineTable({
+		name: v.string(),
+		slug: v.string(),
+		description: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Branding config table — stores UI branding settings for the hosted auth UI.
+	 * One row per project (keyed by projectId).
+	 */
+	brandingConfig: defineTable({
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		primaryColor: v.optional(v.string()),
+		bgColor: v.optional(v.string()),
+		borderRadius: v.optional(v.float64()),
+		darkMode: v.optional(v.boolean()),
+		customCss: v.optional(v.string()),
+		font: v.optional(v.string()),
+		logoUrl: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	/**
+	 * Email template table — stores custom email templates as JSON block arrays.
+	 * Templates are created/edited via the dashboard's visual email editor and
+	 * can be sent programmatically via the SDK using the template slug.
+	 * Scoped per project.
+	 */
+	emailTemplate: defineTable({
+		name: v.string(),
+		slug: v.string(),
+		subject: v.string(),
+		previewText: v.optional(v.string()),
+		category: v.string(), // "auth" | "marketing" | "transactional" | "onboarding" | "notification" | "custom"
+		description: v.optional(v.string()),
+		/** JSON-serialized EmailBlock[] array. */
+		blocksJson: v.string(),
+		/** JSON-serialized EmailTemplateVariable[] array. */
+		variablesJson: v.optional(v.string()),
+		/** Whether this is a built-in auth template (not deletable). */
+		builtIn: v.optional(v.boolean()),
+		/** The built-in email type this overrides (if any). */
+		builtInType: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("category", ["category"])
+		.index("builtInType", ["builtInType"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"])
+		.index("projectId_slug", ["projectId", "slug"]),
+
+	/**
+	 * Email config table — stores per-email-type enable/disable toggles.
+	 * Each row represents a distinct email type (e.g. "welcome", "password-reset").
+	 * Scoped per project.
+	 */
+	emailConfig: defineTable({
+		emailType: v.string(), // unique identifier, e.g. "welcome", "password-reset"
+		name: v.string(),
+		description: v.optional(v.string()),
+		enabled: v.boolean(),
+		category: v.string(), // "auth" | "org"
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("emailType", ["emailType"])
+		.index("category", ["category"])
+		.index("projectId", ["projectId"]),
+
+	/**
+	 * Dashboard config table — stores runtime overrides for the dashboard
+	 * configuration (auth methods, social providers, features, sessions).
+	 * One row per project.
+	 */
+	dashboardConfig: defineTable({
+		configJson: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Domain Config Tables ─────────────────────────────────────────
+
+	/**
+	 * Domain config table — stores service domain settings (email, admin portal,
+	 * auth API, authkit, custom). Managed via the dashboard.
+	 */
+	domainConfig: defineTable({
+		domainKey: v.string(), // unique key, e.g. "email", "admin-portal", "auth-api", "authkit", or UUID
+		title: v.string(),
+		description: v.optional(v.string()),
+		value: v.string(),
+		isDefault: v.optional(v.boolean()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("domainKey", ["domainKey"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Redirect Config Tables ───────────────────────────────────────
+
+	/**
+	 * Redirect config table — stores redirect URIs and endpoint settings.
+	 * One row per project.
+	 */
+	redirectConfig: defineTable({
+		configJson: v.string(), // JSON-serialized RedirectsData
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Actions Tables ───────────────────────────────────────────────
+
+	/**
+	 * Action table — stores automated action definitions triggered by events.
+	 * Each action maps an event type to a webhook URL.
+	 * Scoped per project.
+	 */
+	actionConfig: defineTable({
+		name: v.string(),
+		description: v.optional(v.string()),
+		triggerEvent: v.string(),
+		webhookUrl: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("triggerEvent", ["triggerEvent"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Radar / Bot Protection Tables ────────────────────────────────
+
+	/**
+	 * Radar config table — stores bot protection / radar settings.
+	 * One row per project.
+	 */
+	radarConfig: defineTable({
+		configJson: v.string(), // JSON-serialized RadarConfig
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Email Provider Tables ────────────────────────────────────────
+
+	/**
+	 * Email provider config table — stores email provider settings
+	 * (which provider is active, API keys, etc.).
+	 * One row per project.
+	 */
+	emailProviderConfig: defineTable({
+		configJson: v.string(), // JSON-serialized email provider config
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Resource Type Tables ─────────────────────────────────────────
+
+	/**
+	 * Resource type table — stores fine-grained authorization resource types.
+	 * Scoped per project.
+	 */
+	resourceType: defineTable({
+		name: v.string(),
+		slug: v.string(),
+		description: v.optional(v.string()),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("slug", ["slug"])
+		.index("createdAt", ["createdAt"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Addon Config Tables ──────────────────────────────────────────
+
+	/**
+	 * Addon config table — stores third-party integration enable/disable state.
+	 * Singleton row with JSON-serialized config.
+	 */
+	addonConfig: defineTable({
+		configJson: v.string(), // JSON-serialized addon states
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Project Config Tables ────────────────────────────────────────
+
+	/**
+	 * Project config table — stores per-project configuration overrides.
+	 * One row per project.
+	 */
+	projectConfig: defineTable({
+		configJson: v.string(), // JSON-serialized project settings
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	}).index("projectId", ["projectId"]),
+
+	// ─── Vault Tables ──────────────────────────────────────────────────
+
+	/**
+	 * Vault secret table - stores encrypted secrets.
+	 * Values are encrypted at rest using envelope encryption.
+	 * Scoped per project.
+	 */
+	vaultSecret: defineTable({
+		name: v.string(),
+		encryptedValue: v.string(),
+		iv: v.string(), // Initialization vector
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		context: v.optional(v.string()),
+		organizationId: v.optional(v.string()),
+
+		version: v.float64(),
+
+		metadata: v.optional(v.any()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("name", ["name"])
+		.index("organizationId", ["organizationId"])
+		.index("name_context", ["name", "context"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Portal Session Tables ─────────────────────────────────────────
+
+	/**
+	 * Portal session table - stores short-lived admin portal sessions.
+	 * Each session grants an org admin access to a specific portal intent.
+	 * Scoped per project.
+	 */
+	portalSession: defineTable({
+		organizationId: v.string(),
+		intent: v.string(), // "sso" | "dsync" | "domain_verification" | "audit_logs" | "log_streams" | "users"
+		returnUrl: v.optional(v.string()),
+		token: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		expiresAt: v.float64(),
+		createdAt: v.float64(),
+	})
+		.index("token", ["token"])
+		.index("organizationId", ["organizationId"])
+		.index("projectId", ["projectId"]),
+
+	// ─── Domain Verification Tables ────────────────────────────────────
+
+	/**
+	 * Domain verification table - tracks domain ownership verification.
+	 * Scoped per project.
+	 */
+	domainVerification: defineTable({
+		organizationId: v.string(),
+		domain: v.string(),
+
+		// Project scoping
+		projectId: v.optional(v.string()),
+
+		state: v.string(), // "pending" | "verified" | "failed" | "expired"
+		method: v.string(), // "dns_txt"
+
+		txtRecordName: v.string(),
+		txtRecordValue: v.string(),
+
+		verifiedAt: v.optional(v.float64()),
+		expiresAt: v.optional(v.float64()),
+		lastCheckedAt: v.optional(v.float64()),
+		checkCount: v.optional(v.float64()),
+
+		createdAt: v.float64(),
+		updatedAt: v.float64(),
+	})
+		.index("domain", ["domain"])
+		.index("organizationId", ["organizationId"])
+		.index("state", ["state"])
+		.index("projectId", ["projectId"]),
+});
+
+export default schema;