@minion-stack/db 0.2.0 → 0.3.1

package/dist/schema/user-identities.js

@@ -0,0 +1,30 @@
+import { sqliteTable, text, integer, uniqueIndex, index } from 'drizzle-orm/sqlite-core';
+import { user } from './auth/index.js';
+/**
+ * Canonical per-user identity row. Covers OAuth providers (kind='oauth',
+ * e.g. google) and channel identities (kind='channel', e.g. whatsapp/telegram).
+ * Secret material (OAuth ADC blob) is stored app-level-encrypted as hex text
+ * in secretCiphertext/secretIv (same scheme as servers.token); null for
+ * channel identities that carry no secret.
+ */
+export const userIdentities = sqliteTable('user_identities', {
+    id: text('id').primaryKey(),
+    userId: text('user_id')
+        .notNull()
+        .references(() => user.id, { onDelete: 'cascade' }),
+    provider: text('provider').notNull(), // 'google' | 'whatsapp' | 'telegram' | 'discord' | 'signal' | 'slack'
+    kind: text('kind').notNull(), // 'oauth' | 'channel'
+    externalId: text('external_id').notNull(),
+    displayName: text('display_name'),
+    scope: text('scope'),
+    secretCiphertext: text('secret_ciphertext'),
+    secretIv: text('secret_iv'),
+    expiresAt: integer('expires_at'),
+    verifiedAt: integer('verified_at'),
+    createdAt: integer('created_at').notNull(),
+    updatedAt: integer('updated_at').notNull(),
+}, (t) => [
+    uniqueIndex('idx_user_identity_unique').on(t.provider, t.externalId),
+    index('idx_user_identity_user').on(t.userId),
+]);
+//# sourceMappingURL=user-identities.js.map

package/dist/schema/user-identities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-identities.js","sourceRoot":"","sources":["../../src/schema/user-identities.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,KAAK,EAAE,MAAM,yBAAyB,CAAC;AACzF,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAEvC;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,WAAW,CACvC,iBAAiB,EACjB;IACE,EAAE,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE;IAC3B,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;SACpB,OAAO,EAAE;SACT,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACrD,QAAQ,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,OAAO,EAAE,EAAE,sEAAsE;IAC5G,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,EAAE,sBAAsB;IACpD,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,OAAO,EAAE;IACzC,WAAW,EAAE,IAAI,CAAC,cAAc,CAAC;IACjC,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC;IACpB,gBAAgB,EAAE,IAAI,CAAC,mBAAmB,CAAC;IAC3C,QAAQ,EAAE,IAAI,CAAC,WAAW,CAAC;IAC3B,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC;IAChC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC;IAClC,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;IAC1C,SAAS,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC,OAAO,EAAE;CAC3C,EACD,CAAC,CAAC,EAAE,EAAE,CAAC;IACL,WAAW,CAAC,0BAA0B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,UAAU,CAAC;IACpE,KAAK,CAAC,wBAAwB,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;CAC7C,CACF,CAAC"}

package/dist/schema/workspace-membership.d.ts

@@ -0,0 +1,94 @@
+/**
+ * workspace_membership — bridge between hub identity and Paperclip company tenancy.
+ *
+ * Each row means "user X holds role Y in Paperclip company Z".
+ * Composite PK: a user may belong to many Paperclip companies.
+ *
+ * Used by:
+ *   - CompanySwitcher (Task 10): lists rows for the current user
+ *   - JWT mint (Task 8): uses the selected row's paperclipCompanyId as the JWT companyId claim
+ */
+export declare const workspaceMembership: import("drizzle-orm/sqlite-core").SQLiteTableWithColumns<{
+    name: "workspace_membership";
+    schema: undefined;
+    columns: {
+        userId: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "user_id";
+            tableName: "workspace_membership";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        paperclipCompanyId: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "paperclip_company_id";
+            tableName: "workspace_membership";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        role: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "role";
+            tableName: "workspace_membership";
+            dataType: "string";
+            columnType: "SQLiteText";
+            data: string;
+            driverParam: string;
+            notNull: true;
+            hasDefault: true;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: [string, ...string[]];
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {
+            length: number | undefined;
+        }>;
+        createdAt: import("drizzle-orm/sqlite-core").SQLiteColumn<{
+            name: "created_at";
+            tableName: "workspace_membership";
+            dataType: "date";
+            columnType: "SQLiteTimestamp";
+            data: Date;
+            driverParam: number;
+            notNull: true;
+            hasDefault: false;
+            isPrimaryKey: false;
+            isAutoincrement: false;
+            hasRuntimeDefault: false;
+            enumValues: undefined;
+            baseColumn: never;
+            identity: undefined;
+            generated: undefined;
+        }, {}, {}>;
+    };
+    dialect: "sqlite";
+}>;
+export type WorkspaceMembership = typeof workspaceMembership.$inferSelect;
+export type NewWorkspaceMembership = typeof workspaceMembership.$inferInsert;
+//# sourceMappingURL=workspace-membership.d.ts.map

package/dist/schema/workspace-membership.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-membership.d.ts","sourceRoot":"","sources":["../../src/schema/workspace-membership.ts"],"names":[],"mappings":"AAGA;;;;;;;;;GASG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAc/B,CAAC;AAEF,MAAM,MAAM,mBAAmB,GAAG,OAAO,mBAAmB,CAAC,YAAY,CAAC;AAC1E,MAAM,MAAM,sBAAsB,GAAG,OAAO,mBAAmB,CAAC,YAAY,CAAC"}

package/dist/schema/workspace-membership.js

@@ -0,0 +1,24 @@
+import { sqliteTable, text, integer, index, primaryKey } from 'drizzle-orm/sqlite-core';
+import { user } from './auth/index.js';
+/**
+ * workspace_membership — bridge between hub identity and Paperclip company tenancy.
+ *
+ * Each row means "user X holds role Y in Paperclip company Z".
+ * Composite PK: a user may belong to many Paperclip companies.
+ *
+ * Used by:
+ *   - CompanySwitcher (Task 10): lists rows for the current user
+ *   - JWT mint (Task 8): uses the selected row's paperclipCompanyId as the JWT companyId claim
+ */
+export const workspaceMembership = sqliteTable('workspace_membership', {
+    userId: text('user_id')
+        .notNull()
+        .references(() => user.id, { onDelete: 'cascade' }),
+    paperclipCompanyId: text('paperclip_company_id').notNull(),
+    role: text('role').notNull().default('admin'),
+    createdAt: integer('created_at', { mode: 'timestamp' }).notNull(),
+}, (t) => [
+    primaryKey({ columns: [t.userId, t.paperclipCompanyId] }),
+    index('idx_workspace_membership_user').on(t.userId),
+]);
+//# sourceMappingURL=workspace-membership.js.map

package/dist/schema/workspace-membership.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-membership.js","sourceRoot":"","sources":["../../src/schema/workspace-membership.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,UAAU,EAAE,MAAM,yBAAyB,CAAC;AACxF,OAAO,EAAE,IAAI,EAAE,MAAM,iBAAiB,CAAC;AAEvC;;;;;;;;;GASG;AACH,MAAM,CAAC,MAAM,mBAAmB,GAAG,WAAW,CAC5C,sBAAsB,EACtB;IACE,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC;SACpB,OAAO,EAAE;SACT,UAAU,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IACrD,kBAAkB,EAAE,IAAI,CAAC,sBAAsB,CAAC,CAAC,OAAO,EAAE;IAC1D,IAAI,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,OAAO,CAAC;IAC7C,SAAS,EAAE,OAAO,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE;CAClE,EACD,CAAC,CAAC,EAAE,EAAE,CAAC;IACL,UAAU,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,kBAAkB,CAAC,EAAE,CAAC;IACzD,KAAK,CAAC,+BAA+B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;CACpD,CACF,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@minion-stack/db",
-  "version": "0.2.0",
+  "version": "0.3.1",
   "description": "Drizzle ORM schema for the Minion shared database (LibSQL/Turso).",
   "license": "MIT",
   "repository": {
@@ -24,6 +24,10 @@
       "types": "./dist/schema/auth/index.d.ts",
       "import": "./dist/schema/auth/index.js"
     },
+    "./pg": {
+      "types": "./dist/pg/schema/index.d.ts",
+      "import": "./dist/pg/schema/index.js"
+    },
     "./relations": {
       "types": "./dist/relations.d.ts",
       "import": "./dist/relations.js"
@@ -43,7 +47,11 @@
   ],
   "scripts": {
     "build": "tsc",
-    "prepublishOnly": "tsc"
+    "prepublishOnly": "tsc",
+    "typecheck": "tsc --noEmit",
+    "lint": "oxlint src",
+    "db:pg:generate": "drizzle-kit generate --config=drizzle.pg.config.ts",
+    "test": "vitest run"
   },
   "peerDependencies": {
     "drizzle-orm": ">=0.45.0"
@@ -51,8 +59,10 @@
   "devDependencies": {
     "@minion-stack/tsconfig": "workspace:*",
     "@paralleldrive/cuid2": "^3.3.0",
-    "drizzle-orm": "^0.45.1",
     "drizzle-kit": "^0.31.9",
-    "typescript": "^5.0.0"
+    "drizzle-orm": "^0.45.1",
+    "oxlint": "^1.66.0",
+    "typescript": "^5.0.0",
+    "vitest": "^2.1.9"
   }
 }

package/src/pg/crypto.test.ts

@@ -0,0 +1,28 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import { sealSecret, openSecret } from './crypto.js';
+
+beforeAll(() => {
+  process.env.ENCRYPTION_KEY = 'test-key-do-not-use-in-prod';
+});
+
+describe('identity secret crypto', () => {
+  it('round-trips a plaintext through seal/open', () => {
+    const plaintext = JSON.stringify({ type: 'authorized_user', refresh_token: 'abc123' });
+    const { ciphertext, iv } = sealSecret(plaintext);
+    expect(ciphertext).toMatch(/^[0-9a-f]+$/);
+    expect(iv).toMatch(/^[0-9a-f]+$/);
+    expect(openSecret(ciphertext, iv)).toBe(plaintext);
+  });
+
+  it('fails to open with a tampered ciphertext (GCM auth)', () => {
+    const { ciphertext, iv } = sealSecret('hello');
+    const tampered = ciphertext.slice(0, -2) + (ciphertext.endsWith('00') ? '11' : '00');
+    expect(() => openSecret(tampered, iv)).toThrow();
+  });
+
+  it('is wire-compatible with hub layout (ciphertext = hex(encrypted || authTag), 16-byte tag last)', () => {
+    const { ciphertext } = sealSecret('x');
+    // hex of (>=0 bytes ciphertext) + 16-byte tag → at least 32 hex chars of tag.
+    expect(ciphertext.length).toBeGreaterThanOrEqual(32);
+  });
+});

package/src/pg/crypto.ts

@@ -0,0 +1,44 @@
+import { createCipheriv, createDecipheriv, randomBytes, scryptSync } from 'node:crypto';
+
+const ALGORITHM = 'aes-256-gcm';
+const IV_BYTES = 12;
+const AUTH_TAG_BYTES = 16;
+
+// MUST match minion_hub/src/server/auth/crypto.ts so hub + site interoperate:
+//   key = scryptSync(ENCRYPTION_KEY, 'minion-hub-salt', 32)
+//   ciphertext (hex) = encrypted || authTag   (16-byte tag LAST)
+//   iv (hex) = 12 random bytes, stored separately
+let cachedKey: Buffer | null = null;
+function key(): Buffer {
+  if (cachedKey) return cachedKey;
+  const raw = process.env.ENCRYPTION_KEY;
+  if (!raw) {
+    if (process.env.NODE_ENV === 'production') {
+      throw new Error('ENCRYPTION_KEY environment variable must be set in production');
+    }
+    cachedKey = scryptSync('minion-hub-dev-key', 'minion-hub-salt', 32);
+    return cachedKey;
+  }
+  cachedKey = scryptSync(raw, 'minion-hub-salt', 32);
+  return cachedKey;
+}
+
+/** Seal plaintext → { ciphertext, iv }. ciphertext = hex(encrypted || authTag). */
+export function sealSecret(plaintext: string): { ciphertext: string; iv: string } {
+  const iv = randomBytes(IV_BYTES);
+  const cipher = createCipheriv(ALGORITHM, key(), iv);
+  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, authTag]);
+  return { ciphertext: combined.toString('hex'), iv: iv.toString('hex') };
+}
+
+/** Open hex(encrypted || authTag) + hex(iv) → plaintext. Throws on auth failure. */
+export function openSecret(ciphertext: string, iv: string): string {
+  const combined = Buffer.from(ciphertext, 'hex');
+  const encrypted = combined.subarray(0, combined.length - AUTH_TAG_BYTES);
+  const authTag = combined.subarray(combined.length - AUTH_TAG_BYTES);
+  const decipher = createDecipheriv(ALGORITHM, key(), Buffer.from(iv, 'hex'));
+  decipher.setAuthTag(authTag);
+  return decipher.update(encrypted) + decipher.final('utf8');
+}

package/src/pg/identity-mapper.test.ts

@@ -0,0 +1,35 @@
+import { describe, it, expect } from 'vitest';
+import { mapGoogleIdentity, type GoTrueUserLike } from './identity-mapper.js';
+
+const gotrueUser: GoTrueUserLike = {
+  id: '11111111-1111-1111-1111-111111111111',
+  email: 'nik@example.com',
+  user_metadata: { full_name: 'Nik P', provider_id: 'google-sub-123' },
+  app_metadata: { provider: 'google' },
+};
+
+describe('mapGoogleIdentity', () => {
+  it('produces a profile row from the GoTrue user', () => {
+    const { profile } = mapGoogleIdentity(gotrueUser, { refreshToken: 'rt', scope: 'email profile' });
+    expect(profile).toEqual({
+      id: '11111111-1111-1111-1111-111111111111',
+      email: 'nik@example.com',
+      displayName: 'Nik P',
+    });
+  });
+
+  it('produces a google oauth identity keyed by email as externalId', () => {
+    const { identity } = mapGoogleIdentity(gotrueUser, { refreshToken: 'rt', scope: 'email profile' });
+    expect(identity.provider).toBe('google');
+    expect(identity.kind).toBe('oauth');
+    expect(identity.externalId).toBe('nik@example.com');
+    expect(identity.userId).toBe(gotrueUser.id);
+    expect(identity.scope).toBe('email profile');
+    expect(identity.hasSecret).toBe(true);
+  });
+
+  it('marks hasSecret false when no refresh token present', () => {
+    const { identity } = mapGoogleIdentity(gotrueUser, { refreshToken: null, scope: null });
+    expect(identity.hasSecret).toBe(false);
+  });
+});

package/src/pg/identity-mapper.ts

@@ -0,0 +1,48 @@
+export interface GoTrueUserLike {
+  id: string;
+  email: string | null;
+  user_metadata?: { full_name?: string; name?: string; provider_id?: string } | null;
+  app_metadata?: { provider?: string } | null;
+}
+
+export interface GoogleGrant {
+  refreshToken: string | null;
+  scope: string | null;
+}
+
+export interface MappedProfile {
+  id: string;
+  email: string;
+  displayName: string | null;
+}
+
+export interface MappedIdentity {
+  userId: string;
+  provider: 'google';
+  kind: 'oauth';
+  externalId: string; // google email
+  displayName: string | null;
+  scope: string | null;
+  hasSecret: boolean;
+}
+
+/** Pure mapping — no DB, no crypto. Caller seals the secret and upserts. */
+export function mapGoogleIdentity(
+  user: GoTrueUserLike,
+  grant: GoogleGrant,
+): { profile: MappedProfile; identity: MappedIdentity } {
+  const email = user.email ?? '';
+  const displayName = user.user_metadata?.full_name ?? user.user_metadata?.name ?? null;
+  return {
+    profile: { id: user.id, email, displayName },
+    identity: {
+      userId: user.id,
+      provider: 'google',
+      kind: 'oauth',
+      externalId: email,
+      displayName,
+      scope: grant.scope,
+      hasSecret: Boolean(grant.refreshToken),
+    },
+  };
+}

package/src/pg/schema/gateway.ts

@@ -0,0 +1,37 @@
+import { pgTable, uuid, text, boolean, timestamp, primaryKey, index, uniqueIndex } from 'drizzle-orm/pg-core';
+import { profiles } from './profiles.js';
+
+/**
+ * Supabase-backed registry of Minion gateway servers.
+ * Mirrors Turso `servers`. legacy_server_id preserves the old Turso text PK
+ * so Turso log/event rows (which still carry the old id) can join here.
+ */
+export const gateway = pgTable('gateway', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  legacyServerId: text('legacy_server_id'),
+  name: text('name').notNull(),
+  url: text('url').notNull(),
+  tokenCiphertext: text('token_ciphertext').notNull().default(''),
+  tokenIv: text('token_iv').notNull().default(''),
+  authMode: text('auth_mode', { enum: ['token', 'none'] }).notNull().default('token'),
+  lastConnectedAt: timestamp('last_connected_at', { withTimezone: true }),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+  uniqueIndex('gateway_uniq_url').on(t.url),
+  index('idx_gateway_legacy').on(t.legacyServerId),
+]);
+
+/**
+ * Per-user gateway link. Mirrors Turso `user_servers`.
+ * profile_id references profiles.id (== auth.users.id).
+ */
+export const userGateway = pgTable('user_gateway', {
+  profileId: uuid('profile_id').notNull().references(() => profiles.id, { onDelete: 'cascade' }),
+  gatewayId: uuid('gateway_id').notNull().references(() => gateway.id, { onDelete: 'cascade' }),
+  isDefault: boolean('is_default').notNull().default(false),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+}, (t) => [
+  primaryKey({ columns: [t.profileId, t.gatewayId] }),
+  index('idx_user_gateway_gateway').on(t.gatewayId),
+]);

package/src/pg/schema/index.ts

@@ -0,0 +1,14 @@
+export { profiles } from './profiles.js';
+export { userIdentities } from './user-identities.js';
+export { joinRequest, joinLink } from './join.js';
+
+// Identity helpers (consumed by minion_site auth path)
+export { mapGoogleIdentity } from '../identity-mapper.js';
+export type {
+  GoTrueUserLike,
+  GoogleGrant,
+  MappedProfile,
+  MappedIdentity,
+} from '../identity-mapper.js';
+export { sealSecret, openSecret } from '../crypto.js';
+export { gateway, userGateway } from './gateway.js';

package/src/pg/schema/join.ts

@@ -0,0 +1,38 @@
+import { pgTable, uuid, text, integer, boolean, timestamp } from 'drizzle-orm/pg-core';
+
+// Partial unique index (one open request per user/org) is created in the
+// hand-written migration (Task 5), since the WHERE-predicate form isn't
+// expressed cleanly here. Keep this table definition free of an index callback.
+export const joinRequest = pgTable('join_request', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  // GoTrue auth.users.id (== profiles.id). The requester's Supabase identity.
+  supabaseId: uuid('supabase_id').notNull(),
+  // Bridged hub id (profiles.legacy_user_id ?? supabaseId) — the value used as the
+  // Turso `member.user_id` key when the request is approved. Distinct from supabase_id.
+  userId: text('user_id').notNull(),
+  email: text('email').notNull(),
+  displayName: text('display_name'),
+  message: text('message'),
+  status: text('status', { enum: ['pending', 'approved', 'denied'] }).notNull().default('pending'),
+  // Turso organization id (cross-DB reference; orgs live in Turso, so no PG FK).
+  organizationId: text('organization_id').notNull(),
+  requestedRole: text('requested_role', { enum: ['user', 'admin', 'super_admin'] }).notNull().default('user'),
+  reviewedBy: text('reviewed_by'),
+  reviewedAt: timestamp('reviewed_at', { withTimezone: true }),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+});
+
+export const joinLink = pgTable('join_link', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  token: text('token').notNull().unique(),
+  // Turso organization id (cross-DB reference; orgs live in Turso, so no PG FK).
+  organizationId: text('organization_id').notNull(),
+  role: text('role', { enum: ['user', 'admin', 'super_admin'] }).notNull(),
+  createdBy: text('created_by').notNull(),
+  expiresAt: timestamp('expires_at', { withTimezone: true }),
+  maxUses: integer('max_uses'),
+  usesCount: integer('uses_count').notNull().default(0),
+  revoked: boolean('revoked').notNull().default(false),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+});

package/src/pg/schema/profiles.ts

@@ -0,0 +1,23 @@
+import { pgTable, uuid, text, timestamp } from 'drizzle-orm/pg-core';
+
+/**
+ * Canonical app-level user. 1:1 with GoTrue `auth.users` (id is the same uuid).
+ * GoTrue owns auth.users; this row is created post-signup by identity-sync.
+ * We intentionally do NOT add a Drizzle FK to auth.users (auth schema is
+ * GoTrue-managed); the FK is declared in the hand-written RLS/constraints
+ * migration instead.
+ */
+export const profiles = pgTable('profiles', {
+  id: uuid('id').primaryKey(), // == auth.users.id
+  email: text('email').notNull(),
+  displayName: text('display_name'),
+  role: text('role', { enum: ['user', 'admin'] })
+    .notNull()
+    .default('user'),
+  personalAgentId: text('personal_agent_id'),
+  // Better Auth `user.id` (text) this profile was migrated from. Null for
+  // users created natively in Supabase. Lets Phase 2 remap legacy FKs.
+  legacyUserId: text('legacy_user_id'),
+  createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+  updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+});

package/src/pg/schema/user-identities.ts

@@ -0,0 +1,35 @@
+import { pgTable, uuid, text, timestamp, bigint, uniqueIndex, index } from 'drizzle-orm/pg-core';
+import { profiles } from './profiles.js';
+
+/**
+ * Canonical per-user identity row linking a user to BOTH OAuth providers
+ * (kind='oauth', e.g. google) AND channel identities (kind='channel',
+ * e.g. whatsapp/telegram/discord/signal/slack). This is the single link
+ * table replacing the SQLite channel_identities + the oauth side of account.
+ * Secret material (OAuth refresh-token ADC blob) is app-level AES-256-GCM
+ * sealed into secretCiphertext/secretIv; null for channel identities.
+ */
+export const userIdentities = pgTable(
+  'user_identities',
+  {
+    id: uuid('id').primaryKey().defaultRandom(),
+    userId: uuid('user_id')
+      .notNull()
+      .references(() => profiles.id, { onDelete: 'cascade' }),
+    provider: text('provider').notNull(), // 'google'|'whatsapp'|'telegram'|'discord'|'signal'|'slack'
+    kind: text('kind', { enum: ['oauth', 'channel'] }).notNull(),
+    externalId: text('external_id').notNull(),
+    displayName: text('display_name'),
+    scope: text('scope'),
+    secretCiphertext: text('secret_ciphertext'),
+    secretIv: text('secret_iv'),
+    expiresAt: bigint('expires_at', { mode: 'number' }),
+    verifiedAt: bigint('verified_at', { mode: 'number' }),
+    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
+    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
+  },
+  (t) => [
+    uniqueIndex('idx_user_identity_unique').on(t.provider, t.externalId),
+    index('idx_user_identity_user').on(t.userId),
+  ],
+);

package/src/schema/index.ts

@@ -44,6 +44,7 @@ export { serverBackups } from './server-backups.js';
 export { agentGroups, agentGroupMembers } from './agent-groups.js';
 export { unifiedEvents } from './unified-events.js';
 export { channelIdentities } from './channel-identities.js';
+export { userIdentities } from './user-identities.js';
 export { personalAgents } from './personal-agents.js';
 export {
   builtSkills,
@@ -57,3 +58,5 @@ export {
   agentBuiltSkills,
 } from './builder.js';
 export { userPreferences } from './user-preferences.js';
+export { workspaceMembership } from './workspace-membership.js';
+export type { WorkspaceMembership, NewWorkspaceMembership } from './workspace-membership.js';

package/src/schema/user-identities.ts

@@ -0,0 +1,34 @@
+import { sqliteTable, text, integer, uniqueIndex, index } from 'drizzle-orm/sqlite-core';
+import { user } from './auth/index.js';
+
+/**
+ * Canonical per-user identity row. Covers OAuth providers (kind='oauth',
+ * e.g. google) and channel identities (kind='channel', e.g. whatsapp/telegram).
+ * Secret material (OAuth ADC blob) is stored app-level-encrypted as hex text
+ * in secretCiphertext/secretIv (same scheme as servers.token); null for
+ * channel identities that carry no secret.
+ */
+export const userIdentities = sqliteTable(
+  'user_identities',
+  {
+    id: text('id').primaryKey(),
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    provider: text('provider').notNull(), // 'google' | 'whatsapp' | 'telegram' | 'discord' | 'signal' | 'slack'
+    kind: text('kind').notNull(), // 'oauth' | 'channel'
+    externalId: text('external_id').notNull(),
+    displayName: text('display_name'),
+    scope: text('scope'),
+    secretCiphertext: text('secret_ciphertext'),
+    secretIv: text('secret_iv'),
+    expiresAt: integer('expires_at'),
+    verifiedAt: integer('verified_at'),
+    createdAt: integer('created_at').notNull(),
+    updatedAt: integer('updated_at').notNull(),
+  },
+  (t) => [
+    uniqueIndex('idx_user_identity_unique').on(t.provider, t.externalId),
+    index('idx_user_identity_user').on(t.userId),
+  ],
+);

package/src/schema/workspace-membership.ts

@@ -0,0 +1,31 @@
+import { sqliteTable, text, integer, index, primaryKey } from 'drizzle-orm/sqlite-core';
+import { user } from './auth/index.js';
+
+/**
+ * workspace_membership — bridge between hub identity and Paperclip company tenancy.
+ *
+ * Each row means "user X holds role Y in Paperclip company Z".
+ * Composite PK: a user may belong to many Paperclip companies.
+ *
+ * Used by:
+ *   - CompanySwitcher (Task 10): lists rows for the current user
+ *   - JWT mint (Task 8): uses the selected row's paperclipCompanyId as the JWT companyId claim
+ */
+export const workspaceMembership = sqliteTable(
+  'workspace_membership',
+  {
+    userId: text('user_id')
+      .notNull()
+      .references(() => user.id, { onDelete: 'cascade' }),
+    paperclipCompanyId: text('paperclip_company_id').notNull(),
+    role: text('role').notNull().default('admin'),
+    createdAt: integer('created_at', { mode: 'timestamp' }).notNull(),
+  },
+  (t) => [
+    primaryKey({ columns: [t.userId, t.paperclipCompanyId] }),
+    index('idx_workspace_membership_user').on(t.userId),
+  ],
+);
+
+export type WorkspaceMembership = typeof workspaceMembership.$inferSelect;
+export type NewWorkspaceMembership = typeof workspaceMembership.$inferInsert;