@lastshotlabs/bunshot 0.0.27 → 0.0.28

package/dist/packages/bunshot-postgres/src/adapter.js

@@ -0,0 +1,794 @@
+import { and, asc, eq, gt, ilike, isNull, or, sql } from 'drizzle-orm';
+import { drizzle } from 'drizzle-orm/node-postgres';
+import { HttpError } from '../../bunshot-core/src/index.js';
+import { groupMemberships, groups, oauthAccounts, recoveryCodes, tenantRoles, userRoles, users, webauthnCredentials, } from './schema.js';
+function encodeCursor(createdAt, id) {
+    return btoa(JSON.stringify({ createdAt: createdAt.toISOString(), id }));
+}
+function decodeCursor(cursor) {
+    try {
+        const parsed = JSON.parse(atob(cursor));
+        if (typeof parsed.createdAt === 'string' && typeof parsed.id === 'string') {
+            return { createdAt: parsed.createdAt, id: parsed.id };
+        }
+        return null;
+    }
+    catch {
+        return null;
+    }
+}
+// PostgreSQL error code 23505 = unique_violation
+function isUniqueViolation(err) {
+    return (typeof err === 'object' &&
+        err !== null &&
+        'code' in err &&
+        err.code === '23505');
+}
+const MIGRATIONS = [
+    // v1: core auth tables
+    async (client) => {
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_users (
+        id TEXT PRIMARY KEY,
+        email TEXT UNIQUE,
+        password_hash TEXT,
+        email_verified BOOLEAN NOT NULL DEFAULT FALSE,
+        suspended BOOLEAN NOT NULL DEFAULT FALSE,
+        suspended_reason TEXT,
+        suspended_at TIMESTAMPTZ,
+        display_name TEXT,
+        first_name TEXT,
+        last_name TEXT,
+        external_id TEXT,
+        user_metadata JSONB,
+        app_metadata JSONB,
+        created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+        updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `);
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_oauth_accounts (
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        provider TEXT NOT NULL,
+        provider_user_id TEXT NOT NULL,
+        created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+        PRIMARY KEY (provider, provider_user_id)
+      )
+    `);
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_user_roles (
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        role TEXT NOT NULL,
+        PRIMARY KEY (user_id, role)
+      )
+    `);
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_tenant_roles (
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        tenant_id TEXT NOT NULL,
+        role TEXT NOT NULL,
+        PRIMARY KEY (user_id, tenant_id, role)
+      )
+    `);
+    },
+    // v2: MFA, WebAuthn, and Groups
+    async (client) => {
+        // MFA columns on users
+        await client.query(`ALTER TABLE bunshot_users ADD COLUMN IF NOT EXISTS mfa_secret TEXT`);
+        await client.query(`ALTER TABLE bunshot_users ADD COLUMN IF NOT EXISTS mfa_enabled BOOLEAN NOT NULL DEFAULT FALSE`);
+        await client.query(`ALTER TABLE bunshot_users ADD COLUMN IF NOT EXISTS mfa_methods TEXT[] NOT NULL DEFAULT '{}'`);
+        // Recovery codes — separate table for atomic single-query consume
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_recovery_codes (
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        code_hash TEXT NOT NULL,
+        PRIMARY KEY (user_id, code_hash)
+      )
+    `);
+        // WebAuthn credentials
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_webauthn_credentials (
+        credential_id TEXT PRIMARY KEY,
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        public_key TEXT NOT NULL,
+        sign_count INTEGER NOT NULL DEFAULT 0,
+        transports TEXT[],
+        name TEXT,
+        created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `);
+        await client.query(`CREATE INDEX IF NOT EXISTS idx_bunshot_webauthn_user_id ON bunshot_webauthn_credentials(user_id)`);
+        // Groups — partial unique indexes enforce name uniqueness within scope
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_groups (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        display_name TEXT,
+        description TEXT,
+        roles TEXT[] NOT NULL DEFAULT '{}',
+        tenant_id TEXT,
+        created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+        updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+      )
+    `);
+        await client.query(`CREATE UNIQUE INDEX IF NOT EXISTS idx_bunshot_groups_name_appwide ON bunshot_groups(name) WHERE tenant_id IS NULL`);
+        await client.query(`CREATE UNIQUE INDEX IF NOT EXISTS idx_bunshot_groups_name_tenant ON bunshot_groups(name, tenant_id) WHERE tenant_id IS NOT NULL`);
+        await client.query(`CREATE INDEX IF NOT EXISTS idx_bunshot_groups_tenant ON bunshot_groups(tenant_id)`);
+        // Group memberships
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS bunshot_group_memberships (
+        user_id TEXT NOT NULL REFERENCES bunshot_users(id) ON DELETE CASCADE,
+        group_id TEXT NOT NULL REFERENCES bunshot_groups(id) ON DELETE CASCADE,
+        roles TEXT[] NOT NULL DEFAULT '{}',
+        tenant_id TEXT,
+        created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+        PRIMARY KEY (user_id, group_id)
+      )
+    `);
+        await client.query(`CREATE INDEX IF NOT EXISTS idx_bunshot_gm_group_id ON bunshot_group_memberships(group_id)`);
+        await client.query(`CREATE INDEX IF NOT EXISTS idx_bunshot_gm_user_tenant ON bunshot_group_memberships(user_id, tenant_id)`);
+    },
+    // Add future migrations here. Never edit or reorder existing entries.
+];
+// Arbitrary but stable lock IDs for pg_advisory_xact_lock(int, int).
+// These serialize concurrent migration runs across multiple processes.
+const MIGRATION_LOCK_KEY1 = 7283;
+const MIGRATION_LOCK_KEY2 = 4829;
+async function runMigrations(pool) {
+    const client = await pool.connect();
+    try {
+        await client.query('BEGIN');
+        // Advisory lock is released automatically when the transaction ends.
+        await client.query('SELECT pg_advisory_xact_lock($1, $2)', [
+            MIGRATION_LOCK_KEY1,
+            MIGRATION_LOCK_KEY2,
+        ]);
+        await client.query(`
+      CREATE TABLE IF NOT EXISTS _bunshot_auth_schema_version (
+        version INTEGER NOT NULL DEFAULT 0
+      )
+    `);
+        await client.query(`
+      INSERT INTO _bunshot_auth_schema_version (version)
+      SELECT 0 WHERE NOT EXISTS (SELECT 1 FROM _bunshot_auth_schema_version)
+    `);
+        const result = await client.query('SELECT version FROM _bunshot_auth_schema_version');
+        const currentVersion = result.rows[0]?.version ?? 0;
+        for (let i = currentVersion; i < MIGRATIONS.length; i++) {
+            await MIGRATIONS[i](client);
+            await client.query('UPDATE _bunshot_auth_schema_version SET version = $1', [i + 1]);
+        }
+        await client.query('COMMIT');
+    }
+    catch (err) {
+        await client.query('ROLLBACK');
+        throw err;
+    }
+    finally {
+        client.release();
+    }
+}
+export async function createPostgresAdapter(opts) {
+    await runMigrations(opts.pool);
+    const db = drizzle(opts.pool);
+    return {
+        // ── Tier 1 — CoreAuthAdapter ──────────────────────────────────────────────
+        async findByEmail(email) {
+            const row = await db
+                .select({ id: users.id, passwordHash: users.passwordHash })
+                .from(users)
+                .where(eq(users.email, email))
+                .then(r => r[0] ?? null);
+            if (!row)
+                return null;
+            return { id: row.id, passwordHash: row.passwordHash ?? '' };
+        },
+        async create(email, passwordHash) {
+            const id = crypto.randomUUID();
+            await db.insert(users).values({
+                id,
+                email: email.toLowerCase(),
+                passwordHash,
+                emailVerified: false,
+                suspended: false,
+            });
+            return { id };
+        },
+        async verifyPassword(userId, password) {
+            const row = await db
+                .select({ passwordHash: users.passwordHash })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            if (!row?.passwordHash)
+                return false;
+            return Bun.password.verify(password, row.passwordHash);
+        },
+        async getIdentifier(userId) {
+            const row = await db
+                .select({ email: users.email })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return row?.email ?? userId;
+        },
+        async consumeRecoveryCode(userId, hashedCode) {
+            const deleted = await db
+                .delete(recoveryCodes)
+                .where(and(eq(recoveryCodes.userId, userId), eq(recoveryCodes.codeHash, hashedCode)))
+                .returning({ codeHash: recoveryCodes.codeHash });
+            return deleted.length > 0;
+        },
+        // ── Tier 1 — CoreAuthAdapter optional methods ─────────────────────────────
+        async getUser(userId) {
+            const row = await db
+                .select()
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            if (!row)
+                return null;
+            return {
+                email: row.email ?? undefined,
+                displayName: row.displayName ?? undefined,
+                firstName: row.firstName ?? undefined,
+                lastName: row.lastName ?? undefined,
+                externalId: row.externalId ?? undefined,
+                emailVerified: row.emailVerified,
+                suspended: row.suspended,
+                suspendedReason: row.suspendedReason ?? undefined,
+                userMetadata: row.userMetadata ?? undefined,
+                appMetadata: row.appMetadata ?? undefined,
+            };
+        },
+        async setPassword(userId, passwordHash) {
+            await db
+                .update(users)
+                .set({ passwordHash, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        async deleteUser(userId) {
+            await db.delete(users).where(eq(users.id, userId));
+        },
+        async setEmailVerified(userId, verified) {
+            await db
+                .update(users)
+                .set({ emailVerified: verified, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        async getEmailVerified(userId) {
+            const row = await db
+                .select({ emailVerified: users.emailVerified })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return row?.emailVerified ?? false;
+        },
+        async hasPassword(userId) {
+            const row = await db
+                .select({ passwordHash: users.passwordHash })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return !!row?.passwordHash;
+        },
+        async updateProfile(userId, fields) {
+            await db
+                .update(users)
+                .set({
+                displayName: fields.displayName,
+                firstName: fields.firstName,
+                lastName: fields.lastName,
+                externalId: fields.externalId,
+                updatedAt: new Date(),
+            })
+                .where(eq(users.id, userId));
+        },
+        async getUserMetadata(userId) {
+            const row = await db
+                .select({ userMetadata: users.userMetadata, appMetadata: users.appMetadata })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return {
+                userMetadata: row?.userMetadata ?? undefined,
+                appMetadata: row?.appMetadata ?? undefined,
+            };
+        },
+        async setUserMetadata(userId, data) {
+            await db
+                .update(users)
+                .set({ userMetadata: data, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        async setAppMetadata(userId, data) {
+            await db
+                .update(users)
+                .set({ appMetadata: data, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        // ── Tier 2 — OAuthAdapter ─────────────────────────────────────────────────
+        async findOrCreateByProvider(provider, providerId, profile) {
+            const existing = await db
+                .select({ userId: oauthAccounts.userId })
+                .from(oauthAccounts)
+                .where(and(eq(oauthAccounts.provider, provider), eq(oauthAccounts.providerUserId, providerId)))
+                .then(r => r[0] ?? null);
+            if (existing) {
+                return { id: existing.userId, created: false };
+            }
+            const normalizedEmail = profile.email?.toLowerCase();
+            if (normalizedEmail) {
+                const emailConflict = await db
+                    .select({ id: users.id })
+                    .from(users)
+                    .where(eq(users.email, normalizedEmail))
+                    .then(r => r[0] ?? null);
+                if (emailConflict) {
+                    throw new HttpError(409, 'An account with this email already exists. Sign in with your credentials, then link the provider from your account settings.', 'PROVIDER_EMAIL_CONFLICT');
+                }
+            }
+            const id = crypto.randomUUID();
+            await db.transaction(async (tx) => {
+                await tx.insert(users).values({
+                    id,
+                    email: normalizedEmail,
+                    emailVerified: false,
+                    suspended: false,
+                    displayName: profile.displayName,
+                    firstName: profile.firstName,
+                    lastName: profile.lastName,
+                    externalId: profile.externalId,
+                });
+                await tx.insert(oauthAccounts).values({ userId: id, provider, providerUserId: providerId });
+            });
+            return { id, created: true };
+        },
+        async linkProvider(userId, provider, providerId) {
+            await db
+                .insert(oauthAccounts)
+                .values({ userId, provider, providerUserId: providerId })
+                .onConflictDoNothing();
+        },
+        async unlinkProvider(userId, provider) {
+            await db
+                .delete(oauthAccounts)
+                .where(and(eq(oauthAccounts.userId, userId), eq(oauthAccounts.provider, provider)));
+        },
+        // ── Tier 3 — MfaAdapter ───────────────────────────────────────────────────
+        async setMfaSecret(userId, secret) {
+            await db
+                .update(users)
+                .set({ mfaSecret: secret, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        async getMfaSecret(userId) {
+            const row = await db
+                .select({ mfaSecret: users.mfaSecret })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return row?.mfaSecret ?? null;
+        },
+        async isMfaEnabled(userId) {
+            const row = await db
+                .select({ mfaEnabled: users.mfaEnabled })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return row?.mfaEnabled ?? false;
+        },
+        async setMfaEnabled(userId, enabled) {
+            await db
+                .update(users)
+                .set({ mfaEnabled: enabled, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        async setRecoveryCodes(userId, codes) {
+            await db.transaction(async (tx) => {
+                await tx.delete(recoveryCodes).where(eq(recoveryCodes.userId, userId));
+                if (codes.length > 0) {
+                    await tx.insert(recoveryCodes).values(codes.map(codeHash => ({ userId, codeHash })));
+                }
+            });
+        },
+        async getRecoveryCodes(userId) {
+            const rows = await db
+                .select({ codeHash: recoveryCodes.codeHash })
+                .from(recoveryCodes)
+                .where(eq(recoveryCodes.userId, userId));
+            return rows.map(r => r.codeHash);
+        },
+        async removeRecoveryCode(userId, code) {
+            await db
+                .delete(recoveryCodes)
+                .where(and(eq(recoveryCodes.userId, userId), eq(recoveryCodes.codeHash, code)));
+        },
+        async getMfaMethods(userId) {
+            const row = await db
+                .select({ mfaMethods: users.mfaMethods })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            return row?.mfaMethods ?? [];
+        },
+        async setMfaMethods(userId, methods) {
+            await db
+                .update(users)
+                .set({ mfaMethods: methods, updatedAt: new Date() })
+                .where(eq(users.id, userId));
+        },
+        // ── Tier 4 — WebAuthnAdapter ──────────────────────────────────────────────
+        async getWebAuthnCredentials(userId) {
+            const rows = await db
+                .select()
+                .from(webauthnCredentials)
+                .where(eq(webauthnCredentials.userId, userId));
+            return rows.map(row => ({
+                credentialId: row.credentialId,
+                publicKey: row.publicKey,
+                signCount: row.signCount,
+                transports: row.transports ?? undefined,
+                name: row.name ?? undefined,
+                createdAt: row.createdAt.getTime(),
+            }));
+        },
+        async addWebAuthnCredential(userId, credential) {
+            await db.insert(webauthnCredentials).values({
+                credentialId: credential.credentialId,
+                userId,
+                publicKey: credential.publicKey,
+                signCount: credential.signCount,
+                transports: credential.transports ?? null,
+                name: credential.name ?? null,
+                createdAt: new Date(credential.createdAt),
+            });
+        },
+        async removeWebAuthnCredential(userId, credentialId) {
+            await db
+                .delete(webauthnCredentials)
+                .where(and(eq(webauthnCredentials.credentialId, credentialId), eq(webauthnCredentials.userId, userId)));
+        },
+        async updateWebAuthnCredentialSignCount(userId, credentialId, signCount) {
+            await db
+                .update(webauthnCredentials)
+                .set({ signCount })
+                .where(and(eq(webauthnCredentials.credentialId, credentialId), eq(webauthnCredentials.userId, userId)));
+        },
+        async findUserByWebAuthnCredentialId(credentialId) {
+            const row = await db
+                .select({ userId: webauthnCredentials.userId })
+                .from(webauthnCredentials)
+                .where(eq(webauthnCredentials.credentialId, credentialId))
+                .then(r => r[0] ?? null);
+            return row?.userId ?? null;
+        },
+        // ── Tier 5 — RolesAdapter ─────────────────────────────────────────────────
+        async getRoles(userId) {
+            const rows = await db
+                .select({ role: userRoles.role })
+                .from(userRoles)
+                .where(eq(userRoles.userId, userId));
+            return rows.map(r => r.role);
+        },
+        async setRoles(userId, roles) {
+            await db.transaction(async (tx) => {
+                await tx.delete(userRoles).where(eq(userRoles.userId, userId));
+                if (roles.length > 0) {
+                    await tx.insert(userRoles).values(roles.map(role => ({ userId, role })));
+                }
+            });
+        },
+        async addRole(userId, role) {
+            await db.insert(userRoles).values({ userId, role }).onConflictDoNothing();
+        },
+        async removeRole(userId, role) {
+            await db.delete(userRoles).where(and(eq(userRoles.userId, userId), eq(userRoles.role, role)));
+        },
+        async getTenantRoles(userId, tenantId) {
+            const rows = await db
+                .select({ role: tenantRoles.role })
+                .from(tenantRoles)
+                .where(and(eq(tenantRoles.userId, userId), eq(tenantRoles.tenantId, tenantId)));
+            return rows.map(r => r.role);
+        },
+        async setTenantRoles(userId, tenantId, roles) {
+            await db.transaction(async (tx) => {
+                await tx
+                    .delete(tenantRoles)
+                    .where(and(eq(tenantRoles.userId, userId), eq(tenantRoles.tenantId, tenantId)));
+                if (roles.length > 0) {
+                    await tx.insert(tenantRoles).values(roles.map(role => ({ userId, tenantId, role })));
+                }
+            });
+        },
+        async addTenantRole(userId, tenantId, role) {
+            await db.insert(tenantRoles).values({ userId, tenantId, role }).onConflictDoNothing();
+        },
+        async removeTenantRole(userId, tenantId, role) {
+            await db
+                .delete(tenantRoles)
+                .where(and(eq(tenantRoles.userId, userId), eq(tenantRoles.tenantId, tenantId), eq(tenantRoles.role, role)));
+        },
+        // ── Tier 6 — GroupsAdapter ────────────────────────────────────────────────
+        async createGroup(group) {
+            const id = crypto.randomUUID();
+            const now = new Date();
+            try {
+                await db.insert(groups).values({
+                    id,
+                    name: group.name,
+                    displayName: group.displayName,
+                    description: group.description,
+                    roles: group.roles ?? [],
+                    tenantId: group.tenantId,
+                    createdAt: now,
+                    updatedAt: now,
+                });
+            }
+            catch (err) {
+                if (isUniqueViolation(err)) {
+                    throw new HttpError(409, 'A group with this name already exists in this scope', 'GROUP_NAME_CONFLICT');
+                }
+                throw err;
+            }
+            return { id };
+        },
+        async deleteGroup(groupId) {
+            await db.delete(groups).where(eq(groups.id, groupId));
+        },
+        async getGroup(groupId) {
+            const row = await db
+                .select()
+                .from(groups)
+                .where(eq(groups.id, groupId))
+                .then(r => r[0] ?? null);
+            if (!row)
+                return null;
+            return {
+                id: row.id,
+                name: row.name,
+                displayName: row.displayName ?? undefined,
+                description: row.description ?? undefined,
+                roles: row.roles,
+                tenantId: row.tenantId,
+                createdAt: row.createdAt.getTime(),
+                updatedAt: row.updatedAt.getTime(),
+            };
+        },
+        async listGroups(tenantId, opts) {
+            const limit = Math.min(opts?.limit ?? 50, 200);
+            const cursor = opts?.cursor ? decodeCursor(opts.cursor) : null;
+            const conditions = [
+                tenantId === null ? isNull(groups.tenantId) : eq(groups.tenantId, tenantId),
+                cursor !== null
+                    ? or(gt(groups.createdAt, new Date(cursor.createdAt)), and(eq(groups.createdAt, new Date(cursor.createdAt)), gt(groups.id, cursor.id)))
+                    : undefined,
+            ].filter((c) => c !== undefined);
+            const rows = await db
+                .select()
+                .from(groups)
+                .where(and(...conditions))
+                .orderBy(asc(groups.createdAt), asc(groups.id))
+                .limit(limit + 1);
+            const hasMore = rows.length > limit;
+            const page = hasMore ? rows.slice(0, limit) : rows;
+            const lastRow = page[page.length - 1];
+            return {
+                items: page.map(row => ({
+                    id: row.id,
+                    name: row.name,
+                    displayName: row.displayName ?? undefined,
+                    description: row.description ?? undefined,
+                    roles: row.roles,
+                    tenantId: row.tenantId,
+                    createdAt: row.createdAt.getTime(),
+                    updatedAt: row.updatedAt.getTime(),
+                })),
+                nextCursor: hasMore && lastRow ? encodeCursor(lastRow.createdAt, lastRow.id) : undefined,
+            };
+        },
+        async updateGroup(groupId, updates) {
+            const patch = { updatedAt: new Date() };
+            if (updates.name !== undefined)
+                patch.name = updates.name;
+            if ('displayName' in updates)
+                patch.displayName = updates.displayName ?? null;
+            if ('description' in updates)
+                patch.description = updates.description ?? null;
+            if (updates.roles !== undefined)
+                patch.roles = updates.roles;
+            await db.update(groups).set(patch).where(eq(groups.id, groupId));
+        },
+        async addGroupMember(groupId, userId, roles = []) {
+            const group = await db
+                .select({ tenantId: groups.tenantId })
+                .from(groups)
+                .where(eq(groups.id, groupId))
+                .then(r => r[0] ?? null);
+            if (!group)
+                throw new HttpError(404, 'Group not found');
+            try {
+                await db.insert(groupMemberships).values({
+                    userId,
+                    groupId,
+                    roles,
+                    tenantId: group.tenantId,
+                    createdAt: new Date(),
+                });
+            }
+            catch (err) {
+                if (isUniqueViolation(err)) {
+                    throw new HttpError(409, 'User is already a member of this group', 'GROUP_MEMBER_CONFLICT');
+                }
+                throw err;
+            }
+        },
+        async updateGroupMembership(groupId, userId, roles) {
+            await db
+                .update(groupMemberships)
+                .set({ roles })
+                .where(and(eq(groupMemberships.userId, userId), eq(groupMemberships.groupId, groupId)));
+        },
+        async removeGroupMember(groupId, userId) {
+            await db
+                .delete(groupMemberships)
+                .where(and(eq(groupMemberships.userId, userId), eq(groupMemberships.groupId, groupId)));
+        },
+        async getGroupMembers(groupId, opts) {
+            const limit = Math.min(opts?.limit ?? 50, 200);
+            const cursor = opts?.cursor ? decodeCursor(opts.cursor) : null;
+            const conditions = [
+                eq(groupMemberships.groupId, groupId),
+                cursor !== null
+                    ? or(gt(groupMemberships.createdAt, new Date(cursor.createdAt)), and(eq(groupMemberships.createdAt, new Date(cursor.createdAt)), gt(groupMemberships.userId, cursor.id)))
+                    : undefined,
+            ].filter((c) => c !== undefined);
+            const rows = await db
+                .select({
+                userId: groupMemberships.userId,
+                roles: groupMemberships.roles,
+                createdAt: groupMemberships.createdAt,
+            })
+                .from(groupMemberships)
+                .where(and(...conditions))
+                .orderBy(asc(groupMemberships.createdAt), asc(groupMemberships.userId))
+                .limit(limit + 1);
+            const hasMore = rows.length > limit;
+            const page = hasMore ? rows.slice(0, limit) : rows;
+            const lastRow = page[page.length - 1];
+            return {
+                items: page.map(r => ({ userId: r.userId, roles: r.roles })),
+                nextCursor: hasMore && lastRow ? encodeCursor(lastRow.createdAt, lastRow.userId) : undefined,
+            };
+        },
+        async getUserGroups(userId, tenantId) {
+            const memberCondition = tenantId === null
+                ? and(eq(groupMemberships.userId, userId), isNull(groupMemberships.tenantId))
+                : and(eq(groupMemberships.userId, userId), eq(groupMemberships.tenantId, tenantId));
+            const rows = await db
+                .select({
+                groupId: groups.id,
+                groupName: groups.name,
+                groupDisplayName: groups.displayName,
+                groupDescription: groups.description,
+                groupRoles: groups.roles,
+                groupTenantId: groups.tenantId,
+                groupCreatedAt: groups.createdAt,
+                groupUpdatedAt: groups.updatedAt,
+                memberRoles: groupMemberships.roles,
+            })
+                .from(groupMemberships)
+                .innerJoin(groups, eq(groupMemberships.groupId, groups.id))
+                .where(memberCondition);
+            return rows.map(row => ({
+                group: {
+                    id: row.groupId,
+                    name: row.groupName,
+                    displayName: row.groupDisplayName ?? undefined,
+                    description: row.groupDescription ?? undefined,
+                    roles: row.groupRoles,
+                    tenantId: row.groupTenantId,
+                    createdAt: row.groupCreatedAt.getTime(),
+                    updatedAt: row.groupUpdatedAt.getTime(),
+                },
+                membershipRoles: row.memberRoles,
+            }));
+        },
+        async getEffectiveRoles(userId, tenantId) {
+            // Direct roles
+            let direct;
+            if (tenantId !== null) {
+                const rows = await db
+                    .select({ role: tenantRoles.role })
+                    .from(tenantRoles)
+                    .where(and(eq(tenantRoles.userId, userId), eq(tenantRoles.tenantId, tenantId)));
+                direct = rows.map(r => r.role);
+            }
+            else {
+                const rows = await db
+                    .select({ role: userRoles.role })
+                    .from(userRoles)
+                    .where(eq(userRoles.userId, userId));
+                direct = rows.map(r => r.role);
+            }
+            // Group roles — single JOIN query, not N+1
+            const memberCondition = tenantId === null
+                ? and(eq(groupMemberships.userId, userId), isNull(groupMemberships.tenantId))
+                : and(eq(groupMemberships.userId, userId), eq(groupMemberships.tenantId, tenantId));
+            const memberRows = await db
+                .select({ groupRoles: groups.roles, memberRoles: groupMemberships.roles })
+                .from(groupMemberships)
+                .innerJoin(groups, eq(groupMemberships.groupId, groups.id))
+                .where(memberCondition);
+            const fromGroups = memberRows.flatMap(r => [...r.groupRoles, ...r.memberRoles]);
+            return [...new Set([...direct, ...fromGroups])];
+        },
+        // ── Tier 7 — SuspensionAdapter ────────────────────────────────────────────
+        async setSuspended(userId, suspended, reason) {
+            await db
+                .update(users)
+                .set({
+                suspended,
+                suspendedReason: suspended ? (reason ?? null) : null,
+                suspendedAt: suspended ? new Date() : null,
+                updatedAt: new Date(),
+            })
+                .where(eq(users.id, userId));
+        },
+        async getSuspended(userId) {
+            const row = await db
+                .select({ suspended: users.suspended, suspendedReason: users.suspendedReason })
+                .from(users)
+                .where(eq(users.id, userId))
+                .then(r => r[0] ?? null);
+            if (!row)
+                return null;
+            return {
+                suspended: row.suspended,
+                suspendedReason: row.suspendedReason ?? undefined,
+            };
+        },
+        // ── Tier 8 — EnterpriseAdapter ────────────────────────────────────────────
+        async listUsers(query) {
+            const { startIndex = 0, count = 50, email: emailFilter, externalId, suspended } = query ?? {};
+            const limit = Math.min(count, 200);
+            const conditions = [
+                emailFilter !== undefined ? ilike(users.email, `%${emailFilter}%`) : undefined,
+                externalId !== undefined ? eq(users.externalId, externalId) : undefined,
+                suspended !== undefined ? eq(users.suspended, suspended) : undefined,
+            ].filter((c) => c !== undefined);
+            const whereClause = conditions.length > 0 ? and(...conditions) : undefined;
+            const { userRows, total } = await db.transaction(async (tx) => {
+                const userRows = await tx
+                    .select()
+                    .from(users)
+                    .where(whereClause)
+                    .limit(limit)
+                    .offset(startIndex);
+                const countResult = await tx
+                    .select({ count: sql `count(*)` })
+                    .from(users)
+                    .where(whereClause);
+                return { userRows, total: Number(countResult[0].count) };
+            });
+            return {
+                users: userRows.map(row => ({
+                    id: row.id,
+                    email: row.email ?? undefined,
+                    displayName: row.displayName ?? undefined,
+                    firstName: row.firstName ?? undefined,
+                    lastName: row.lastName ?? undefined,
+                    externalId: row.externalId ?? undefined,
+                    emailVerified: row.emailVerified,
+                    suspended: row.suspended,
+                    suspendedAt: row.suspendedAt ?? undefined,
+                    suspendedReason: row.suspendedReason ?? undefined,
+                    userMetadata: row.userMetadata ?? undefined,
+                    appMetadata: row.appMetadata ?? undefined,
+                })),
+                totalResults: total,
+            };
+        },
+    };
+}