@nexpress/core 0.2.1 → 0.3.0

package/dist/{chunk-M43PGOQY.js → chunk-X7K5F2UI.js}

@@ -1,4 +1,4 @@
-// src/db/schema/system.ts
+// src/db/schema/community.ts
 import {
   boolean as boolean2,
   index as index3,
@@ -26,7 +26,7 @@ import {
   uuid as uuid2
 } from "drizzle-orm/pg-core";
 
-// src/db/schema/community.ts
+// src/db/schema/system.ts
 import {
   boolean,
   index,
@@ -40,336 +40,228 @@ import {
   unique,
   uuid
 } from "drizzle-orm/pg-core";
-var npMemberStatusEnum = pgEnum("np_member_status", [
-  "active",
-  "pending",
-  "suspended",
-  "deleted",
-  "imported"
-]);
-var npBanScopeEnum = pgEnum("np_ban_scope", ["site", "category", "collection"]);
-var npBanKindEnum = pgEnum("np_ban_kind", ["temporary", "permanent"]);
-var npCommentStatusEnum = pgEnum("np_comment_status", [
-  "visible",
-  "pending",
-  "hidden",
-  "deleted"
+var npUserRoleEnum = pgEnum("np_user_role", [
+  "admin",
+  "editor",
+  // 9.5: community moderator. Sits OUTSIDE the linear content-edit
+  // hierarchy — a moderator handles community moderation (hide
+  // comments, resolve reports, issue bans) but cannot author or edit
+  // collection content. ROLE_HIERARCHY in config/types.ts intentionally
+  // does not list this role; community-moderation paths check the role
+  // explicitly via `principalCan()`.
+  "moderator",
+  "author",
+  "viewer"
 ]);
-var npMemberRoleScopeEnum = pgEnum("np_member_role_scope", [
-  "site",
-  "category",
-  "collection",
-  "thread"
+var npRevisionStatusEnum = pgEnum("np_revision_status", [
+  "draft",
+  "published",
+  "autosave"
 ]);
-var npMembers = pgTable(
-  "np_members",
+var npPasswordResetPurposeEnum = pgEnum("np_password_reset_purpose", ["invite", "reset"]);
+var npUsers = pgTable("np_users", {
+  id: uuid("id").defaultRandom().primaryKey(),
+  email: text("email").notNull().unique(),
+  password: text("password").notNull(),
+  name: text("name").notNull(),
+  role: npUserRoleEnum("role").notNull(),
+  /**
+   * Phase 15.5 — super-admin flag. Bypasses per-site membership
+   * checks; the super-admin can manage every site including
+   * creating / deleting tenants. The flag is independent of
+   * the per-site `role` enum (a super-admin still needs a
+   * `role` field for non-multi-site contexts; multi-site
+   * permissions check `is_super_admin OR site_membership`).
+   */
+  isSuperAdmin: boolean("is_super_admin").default(false).notNull(),
+  avatar: uuid("avatar").references(() => npMedia.id),
+  loginAttempts: integer("login_attempts").default(0).notNull(),
+  lockUntil: timestamp("lock_until", { withTimezone: true, mode: "date" }),
+  tokenVersion: integer("token_version").default(0).notNull(),
+  passwordResetTokenHash: text("password_reset_token_hash"),
+  passwordResetExpiresAt: timestamp("password_reset_expires_at", {
+    withTimezone: true,
+    mode: "date"
+  }),
+  passwordResetPurpose: npPasswordResetPurposeEnum("password_reset_purpose"),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+});
+var npSiteMemberships = pgTable(
+  "np_site_memberships",
   {
-    id: uuid("id").defaultRandom().primaryKey(),
-    handle: text("handle").notNull().unique(),
-    email: text("email").notNull().unique(),
-    emailVerified: boolean("email_verified").default(false).notNull(),
-    /** Argon2 hash. Nullable so SSO-only members can exist without a password. */
-    password: text("password"),
-    displayName: text("display_name").notNull(),
-    avatar: uuid("avatar").references(() => npMedia.id),
-    bio: text("bio"),
-    status: npMemberStatusEnum("status").default("pending").notNull(),
-    reputation: integer("reputation").default(0).notNull(),
-    loginAttempts: integer("login_attempts").default(0).notNull(),
-    lockUntil: timestamp("lock_until", { withTimezone: true, mode: "date" }),
-    /** Bumped to invalidate every issued JWT (logout-everywhere, password reset). */
-    tokenVersion: integer("token_version").default(0).notNull(),
-    passwordResetTokenHash: text("password_reset_token_hash"),
-    passwordResetExpiresAt: timestamp("password_reset_expires_at", {
-      withTimezone: true,
-      mode: "date"
-    }),
-    emailVerifyTokenHash: text("email_verify_token_hash"),
-    emailVerifyExpiresAt: timestamp("email_verify_expires_at", {
-      withTimezone: true,
-      mode: "date"
-    }),
-    /** Plugin-extensible bag — preferences, custom profile fields, etc. */
-    meta: jsonb("meta").$type().default({}).notNull(),
-    /**
-     * Phase 16.3 — per-member notification preferences. Shape:
-     *   { disabled?: string[] }   — kinds the member opted out of
-     *   { digest?: "off"|"daily"|"weekly" }  — email digest cadence (16.4)
-     * Empty default = every kind enabled, no email digest.
-     */
-    notificationPrefs: jsonb("notification_prefs").$type().default({}).notNull(),
+    siteId: text("site_id").notNull(),
+    userId: uuid("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
+    role: npUserRoleEnum("role").notNull(),
     createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
     updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [index("np_members_status_idx").on(table.status)]
+  (table) => [primaryKey({ columns: [table.siteId, table.userId] })]
 );
-var npMemberSessions = pgTable("np_member_sessions", {
-  id: uuid("id").defaultRandom().primaryKey(),
-  memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-  tokenHash: text("token_hash").notNull(),
-  userAgent: text("user_agent"),
-  ip: text("ip"),
-  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "date" }).notNull(),
-  createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
-});
-var npMemberIdentities = pgTable(
-  "np_member_identities",
+var npUserOAuthIdentities = pgTable(
+  "np_user_oauth_identities",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    userId: uuid("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
     provider: text("provider").notNull(),
-    subject: text("subject").notNull(),
-    email: text("email"),
+    providerUserId: text("provider_user_id").notNull(),
     /** Free-form per-provider metadata (avatar URL, scopes granted, etc.). */
     metadata: jsonb("metadata").$type().default({}).notNull(),
     createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
     updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [
-    unique("np_member_identities_provider_subject_uq").on(table.provider, table.subject),
-    unique("np_member_identities_member_provider_uq").on(table.memberId, table.provider),
-    index("np_member_identities_member_idx").on(table.memberId)
-  ]
-);
-var npMemberRoles = pgTable(
-  "np_member_roles",
-  {
-    id: uuid("id").defaultRandom().primaryKey(),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    role: text("role").notNull(),
-    scopeType: npMemberRoleScopeEnum("scope_type").notNull(),
-    /** Nullable for `scope_type='site'`. Otherwise an opaque string id. */
-    scopeId: text("scope_id"),
-    /**
-     * Phase 18 — the tenant the grant applies on. For
-     * `scope_type='site'` this column IS the site identifier
-     * (`scope_id` stays null because site is the root scope).
-     * For category / collection / thread grants, `site_id` says
-     * which tenant's category/collection/thread this row
-     * targets — the same slug exists on every site.
-     */
-    siteId: text("site_id").default("default").notNull(),
-    grantedBy: uuid("granted_by").references(() => npUsers.id),
-    grantedAt: timestamp("granted_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-    expiresAt: timestamp("expires_at", { withTimezone: true, mode: "date" })
-  },
-  (table) => [
-    // Two indexes mirror the two access patterns: "what can this member
-    // do?" (memberId scan) and "who mods this scope?" (scope scan).
-    index("np_member_roles_member_idx").on(table.memberId),
-    index("np_member_roles_scope_idx").on(table.scopeType, table.scopeId),
-    index("np_member_roles_site_idx").on(table.siteId, table.memberId),
-    // `scope_id` is null for site-wide grants. NULLS NOT
-    // DISTINCT makes two null `scope_id`s collide so the
-    // unique constraint enforces "one grant per (member, role,
-    // scope, site)." `site_id` widens the key so the same
-    // member can hold the same role on different tenants.
-    unique("np_member_roles_grant_uq").on(table.memberId, table.role, table.scopeType, table.scopeId, table.siteId).nullsNotDistinct()
-  ]
+  (table) => ({
+    providerSubjectUnique: unique("np_user_oauth_identities_provider_subject_unique").on(
+      table.provider,
+      table.providerUserId
+    ),
+    userProviderUnique: unique("np_user_oauth_identities_user_provider_unique").on(
+      table.userId,
+      table.provider
+    ),
+    userIdx: index("np_user_oauth_identities_user_idx").on(table.userId)
+  })
 );
-var npComments = pgTable(
-  "np_comments",
+var npSessions = pgTable("np_sessions", {
+  id: uuid("id").defaultRandom().primaryKey(),
+  userId: uuid("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
+  tokenHash: text("token_hash").notNull(),
+  userAgent: text("user_agent"),
+  ip: text("ip"),
+  expiresAt: timestamp("expires_at", { withTimezone: true, mode: "date" }).notNull(),
+  createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+});
+var npRevisions = pgTable(
+  "np_revisions",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    targetType: text("target_type").notNull(),
-    targetId: uuid("target_id").notNull(),
-    parentId: uuid("parent_id").references(() => npComments.id, {
-      onDelete: "cascade"
-    }),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    bodyMd: text("body_md").notNull(),
-    bodyHtml: text("body_html").notNull(),
-    status: npCommentStatusEnum("status").default("visible").notNull(),
-    hiddenByUserId: uuid("hidden_by_user_id").references(() => npUsers.id),
-    hiddenByMemberId: uuid("hidden_by_member_id").references(() => npMembers.id),
-    hiddenReason: text("hidden_reason"),
-    editedAt: timestamp("edited_at", { withTimezone: true, mode: "date" }),
-    /**
-     * Phase 18 — site this comment belongs to. Filled at insert
-     * time from the target document's site (canonical) so a
-     * forged request resolver can't smuggle a comment into the
-     * wrong site. Defaults to `'default'` for legacy single-
-     * tenant rows so the migration backfill is a no-op.
-     */
-    siteId: text("site_id").default("default").notNull(),
+    collection: text("collection").notNull(),
+    documentId: text("document_id").notNull(),
+    version: integer("version").notNull(),
+    status: npRevisionStatusEnum("status").notNull(),
+    snapshot: jsonb("snapshot").$type().notNull(),
+    changedFields: text("changed_fields").array().notNull(),
+    authorId: uuid("author_id").references(() => npUsers.id),
     createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [
-    index("np_comments_target_idx").on(table.targetType, table.targetId, table.createdAt),
-    index("np_comments_member_idx").on(table.memberId, table.createdAt),
-    index("np_comments_site_idx").on(table.siteId, table.createdAt)
-  ]
+  (table) => ({
+    documentVersionUnique: unique("np_revisions_document_id_version_unique").on(
+      table.documentId,
+      table.version
+    ),
+    collectionIdx: index("np_revisions_collection_idx").on(table.collection),
+    documentIdIdx: index("np_revisions_document_id_idx").on(table.documentId)
+  })
 );
-var npReactions = pgTable(
-  "np_reactions",
+var npSettings = pgTable(
+  "np_settings",
   {
-    id: uuid("id").defaultRandom().primaryKey(),
-    targetType: text("target_type").notNull(),
-    targetId: uuid("target_id").notNull(),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    kind: text("kind").notNull(),
-    /** Phase 18 — site this reaction belongs to (derived from target). */
     siteId: text("site_id").default("default").notNull(),
-    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    key: text("key").notNull(),
+    value: jsonb("value").$type().notNull(),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+    updatedBy: uuid("updated_by").references(() => npUsers.id)
   },
-  (table) => [
-    index("np_reactions_target_idx").on(table.targetType, table.targetId),
-    index("np_reactions_site_idx").on(table.siteId),
-    unique("np_reactions_unique").on(table.targetType, table.targetId, table.memberId, table.kind)
-  ]
+  (table) => [primaryKey({ columns: [table.siteId, table.key] })]
 );
-var npFollows = pgTable(
-  "np_follows",
+var npSlugHistory = pgTable(
+  "np_slug_history",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    followerId: uuid("follower_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    targetType: text("target_type").notNull(),
-    targetId: text("target_id").notNull(),
-    /**
-     * Phase 18 — site the follow happened on. The same global
-     * member can follow on multiple sites and each row scopes
-     * to where the click happened (so site-scoped notifications
-     * + activity feeds don't leak cross-tenant). The unique
-     * key is widened to include site_id so the same follower
-     * can have parallel follow rows under different tenants.
-     */
     siteId: text("site_id").default("default").notNull(),
+    collection: text("collection").notNull(),
+    documentId: text("document_id").notNull(),
+    oldSlug: text("old_slug").notNull(),
+    newSlug: text("new_slug").notNull(),
     createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
   (table) => [
-    index("np_follows_target_idx").on(table.targetType, table.targetId),
-    index("np_follows_site_idx").on(table.siteId),
-    unique("np_follows_unique").on(
-      table.followerId,
-      table.targetType,
-      table.targetId,
-      table.siteId
-    )
+    index("np_slug_history_lookup_idx").on(table.siteId, table.collection, table.oldSlug),
+    index("np_slug_history_doc_idx").on(table.siteId, table.collection, table.documentId)
   ]
 );
-var npMemberMutes = pgTable(
-  "np_member_mutes",
+var npNavigation = pgTable(
+  "np_navigation",
   {
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    targetId: uuid("target_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    /**
-     * Phase 18 — site the mute applies to. A muter can choose
-     * to silence someone on one tenant without affecting their
-     * other tenants. PK is widened to include site_id so the
-     * same `(member, target)` pair can hold parallel rows per
-     * site.
-     */
+    id: uuid("id").defaultRandom().primaryKey(),
     siteId: text("site_id").default("default").notNull(),
-    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    location: text("location").notNull(),
+    items: jsonb("items").$type().notNull(),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+    updatedBy: uuid("updated_by").references(() => npUsers.id)
   },
-  (table) => [
-    primaryKey({ columns: [table.memberId, table.targetId, table.siteId] }),
-    index("np_member_mutes_target_idx").on(table.targetId)
-  ]
+  (table) => [unique("np_navigation_site_location_idx").on(table.siteId, table.location)]
 );
-var npNotifications = pgTable(
-  "np_notifications",
+var npStringOverrides = pgTable(
+  "np_string_overrides",
   {
-    id: uuid("id").defaultRandom().primaryKey(),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    kind: text("kind").notNull(),
-    payload: jsonb("payload").$type().default({}).notNull(),
-    readAt: timestamp("read_at", { withTimezone: true, mode: "date" }),
-    /**
-     * Phase 18 — site this notification belongs to. A member
-     * who's active on multiple tenants gets one inbox per site
-     * (the inbox API filters by current site) so cross-tenant
-     * activity doesn't bleed into the wrong site's UI.
-     */
     siteId: text("site_id").default("default").notNull(),
-    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    locale: text("locale").notNull(),
+    key: text("key").notNull(),
+    value: text("value"),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+    updatedBy: uuid("updated_by").references(() => npUsers.id)
   },
-  (table) => [
-    index("np_notifications_inbox_idx").on(table.memberId, table.readAt, table.createdAt),
-    index("np_notifications_site_inbox_idx").on(table.siteId, table.memberId, table.readAt)
-  ]
+  (table) => [primaryKey({ columns: [table.siteId, table.locale, table.key] })]
 );
-var npReports = pgTable(
-  "np_reports",
+var npSites = pgTable(
+  "np_sites",
   {
-    id: uuid("id").defaultRandom().primaryKey(),
-    reporterId: uuid("reporter_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    targetType: text("target_type").notNull(),
-    targetId: text("target_id").notNull(),
-    reason: text("reason").notNull(),
-    resolvedAt: timestamp("resolved_at", { withTimezone: true, mode: "date" }),
-    resolvedByUserId: uuid("resolved_by_user_id").references(() => npUsers.id),
-    resolvedByMemberId: uuid("resolved_by_member_id").references(() => npMembers.id),
-    resolution: text("resolution"),
-    /**
-     * Phase 18 — site this report belongs to. The mod queue
-     * is per-site so a category-mod on tenant A doesn't see
-     * tenant B's reports.
-     */
-    siteId: text("site_id").default("default").notNull(),
-    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    id: text("id").primaryKey(),
+    name: text("name").notNull(),
+    hostname: text("hostname"),
+    description: text("description"),
+    settings: jsonb("settings").$type().default({}).notNull(),
+    isDefault: boolean("is_default").default(false).notNull(),
+    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [
-    index("np_reports_queue_idx").on(table.resolvedAt, table.createdAt),
-    index("np_reports_target_idx").on(table.targetType, table.targetId),
-    index("np_reports_site_queue_idx").on(table.siteId, table.resolvedAt)
-  ]
+  (table) => [unique("np_sites_hostname_idx").on(table.hostname)]
 );
-var npAuditEvents = pgTable(
-  "np_audit_events",
+var npPlugins = pgTable("np_plugins", {
+  id: text("id").primaryKey(),
+  enabled: boolean("enabled").default(true).notNull(),
+  installedAt: timestamp("installed_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+  updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+});
+var NP_GLOBAL_PLUGIN_SITE_ID = "_global_";
+var npPluginStorage = pgTable(
+  "np_plugin_storage",
   {
-    id: uuid("id").defaultRandom().primaryKey(),
-    actorKind: text("actor_kind").notNull(),
-    actorUserId: uuid("actor_user_id").references(() => npUsers.id),
-    actorMemberId: uuid("actor_member_id").references(() => npMembers.id),
-    action: text("action").notNull(),
-    targetType: text("target_type"),
-    targetId: text("target_id"),
-    payload: jsonb("payload").$type().default({}).notNull(),
-    /**
-     * Phase 17 — site-scoped audit. Filled by `recordAuditEvent`
-     * from the current request's site (the multi-site resolver).
-     * Nullable for events that don't belong to a single site
-     * (super-admin actions, background jobs, scripts).
-     */
-    siteId: text("site_id"),
-    createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    pluginId: text("plugin_id").notNull(),
+    siteId: text("site_id").default(NP_GLOBAL_PLUGIN_SITE_ID).notNull(),
+    key: text("key").notNull(),
+    value: jsonb("value").$type().notNull(),
+    expiresAt: timestamp("expires_at", { withTimezone: true, mode: "date" }),
+    updatedAt: timestamp("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [
-    index("np_audit_target_idx").on(table.targetType, table.targetId, table.createdAt),
-    index("np_audit_actor_user_idx").on(table.actorUserId, table.createdAt),
-    index("np_audit_actor_member_idx").on(table.actorMemberId, table.createdAt),
-    index("np_audit_site_idx").on(table.siteId, table.createdAt)
-  ]
+  (table) => ({
+    pk: primaryKey({ columns: [table.pluginId, table.siteId, table.key] }),
+    pluginIdx: index("np_plugin_storage_plugin_id_idx").on(table.pluginId),
+    siteIdx: index("np_plugin_storage_site_idx").on(table.siteId)
+  })
 );
-var npBans = pgTable(
-  "np_bans",
+var npWorkerHeartbeats = pgTable("np_worker_heartbeats", {
+  id: text("id").primaryKey(),
+  status: text("status").default("running").notNull(),
+  startedAt: timestamp("started_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+  lastSeenAt: timestamp("last_seen_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+  /** Free-form metadata (worker version, hostname, env). */
+  meta: jsonb("meta").$type().default({}).notNull()
+});
+var npJobLogs = pgTable(
+  "np_job_logs",
   {
     id: uuid("id").defaultRandom().primaryKey(),
-    memberId: uuid("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
-    scopeType: npBanScopeEnum("scope_type").notNull(),
-    scopeId: text("scope_id"),
-    kind: npBanKindEnum("kind").notNull(),
-    expiresAt: timestamp("expires_at", { withTimezone: true, mode: "date" }),
-    reason: text("reason"),
-    byUserId: uuid("by_user_id").references(() => npUsers.id),
-    byMemberId: uuid("by_member_id").references(() => npMembers.id),
-    /**
-     * Phase 18 — the tenant this ban applies to. Pre-Phase 18
-     * `scope_type='site'` rows had `scope_id=null` because
-     * "site" was the singular root scope; with multi-tenancy
-     * the column tells `assertNotBanned` WHICH site the ban
-     * blocks writes on. Category / collection scopes resolve
-     * per-site too — the same `posts` collection slug exists
-     * on every tenant.
-     */
-    siteId: text("site_id").default("default").notNull(),
+    jobId: text("job_id").notNull(),
+    level: text("level").notNull(),
+    message: text("message").notNull(),
+    context: jsonb("context").$type(),
     createdAt: timestamp("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
   (table) => [
-    index("np_bans_member_scope_idx").on(table.memberId, table.scopeType, table.scopeId),
-    index("np_bans_active_idx").on(table.memberId, table.expiresAt),
-    index("np_bans_site_idx").on(table.siteId, table.memberId)
+    index("np_job_logs_job_idx").on(table.jobId, table.createdAt),
+    index("np_job_logs_created_idx").on(table.createdAt)
   ]
 );
 
@@ -445,233 +337,362 @@ var npMediaRefs = pgTable2(
   })
 );
 
-// src/db/schema/system.ts
-var npUserRoleEnum = pgEnum3("np_user_role", [
-  "admin",
-  "editor",
-  // 9.5: community moderator. Sits OUTSIDE the linear content-edit
-  // hierarchy — a moderator handles community moderation (hide
-  // comments, resolve reports, issue bans) but cannot author or edit
-  // collection content. ROLE_HIERARCHY in config/types.ts intentionally
-  // does not list this role; community-moderation paths check the role
-  // explicitly via `principalCan()`.
-  "moderator",
-  "author",
-  "viewer"
+// src/db/schema/community.ts
+var npMemberStatusEnum = pgEnum3("np_member_status", [
+  "active",
+  "pending",
+  "suspended",
+  "deleted",
+  "imported"
 ]);
-var npRevisionStatusEnum = pgEnum3("np_revision_status", [
-  "draft",
-  "published",
-  "autosave"
+var npBanScopeEnum = pgEnum3("np_ban_scope", ["site", "category", "collection"]);
+var npBanKindEnum = pgEnum3("np_ban_kind", ["temporary", "permanent"]);
+var npCommentStatusEnum = pgEnum3("np_comment_status", [
+  "visible",
+  "pending",
+  "hidden",
+  "deleted"
 ]);
-var npPasswordResetPurposeEnum = pgEnum3("np_password_reset_purpose", ["invite", "reset"]);
-var npUsers = pgTable3("np_users", {
-  id: uuid3("id").defaultRandom().primaryKey(),
-  email: text3("email").notNull().unique(),
-  password: text3("password").notNull(),
-  name: text3("name").notNull(),
-  role: npUserRoleEnum("role").notNull(),
-  /**
-   * Phase 15.5 — super-admin flag. Bypasses per-site membership
-   * checks; the super-admin can manage every site including
-   * creating / deleting tenants. The flag is independent of
-   * the per-site `role` enum (a super-admin still needs a
-   * `role` field for non-multi-site contexts; multi-site
-   * permissions check `is_super_admin OR site_membership`).
-   */
-  isSuperAdmin: boolean2("is_super_admin").default(false).notNull(),
-  avatar: uuid3("avatar").references(() => npMedia.id),
-  loginAttempts: integer3("login_attempts").default(0).notNull(),
-  lockUntil: timestamp3("lock_until", { withTimezone: true, mode: "date" }),
-  tokenVersion: integer3("token_version").default(0).notNull(),
-  passwordResetTokenHash: text3("password_reset_token_hash"),
-  passwordResetExpiresAt: timestamp3("password_reset_expires_at", {
-    withTimezone: true,
-    mode: "date"
-  }),
-  passwordResetPurpose: npPasswordResetPurposeEnum("password_reset_purpose"),
-  createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-  updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
-});
-var npSiteMemberships = pgTable3(
-  "np_site_memberships",
+var npMemberRoleScopeEnum = pgEnum3("np_member_role_scope", [
+  "site",
+  "category",
+  "collection",
+  "thread"
+]);
+var npMembers = pgTable3(
+  "np_members",
   {
-    siteId: text3("site_id").notNull(),
-    userId: uuid3("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
-    role: npUserRoleEnum("role").notNull(),
+    id: uuid3("id").defaultRandom().primaryKey(),
+    handle: text3("handle").notNull().unique(),
+    email: text3("email").notNull().unique(),
+    emailVerified: boolean2("email_verified").default(false).notNull(),
+    /** Argon2 hash. Nullable so SSO-only members can exist without a password. */
+    password: text3("password"),
+    displayName: text3("display_name").notNull(),
+    avatar: uuid3("avatar").references(() => npMedia.id),
+    bio: text3("bio"),
+    status: npMemberStatusEnum("status").default("pending").notNull(),
+    reputation: integer3("reputation").default(0).notNull(),
+    loginAttempts: integer3("login_attempts").default(0).notNull(),
+    lockUntil: timestamp3("lock_until", { withTimezone: true, mode: "date" }),
+    /** Bumped to invalidate every issued JWT (logout-everywhere, password reset). */
+    tokenVersion: integer3("token_version").default(0).notNull(),
+    passwordResetTokenHash: text3("password_reset_token_hash"),
+    passwordResetExpiresAt: timestamp3("password_reset_expires_at", {
+      withTimezone: true,
+      mode: "date"
+    }),
+    emailVerifyTokenHash: text3("email_verify_token_hash"),
+    emailVerifyExpiresAt: timestamp3("email_verify_expires_at", {
+      withTimezone: true,
+      mode: "date"
+    }),
+    /** Plugin-extensible bag — preferences, custom profile fields, etc. */
+    meta: jsonb3("meta").$type().default({}).notNull(),
+    /**
+     * Phase 16.3 — per-member notification preferences. Shape:
+     *   { disabled?: string[] }   — kinds the member opted out of
+     *   { digest?: "off"|"daily"|"weekly" }  — email digest cadence (16.4)
+     * Empty default = every kind enabled, no email digest.
+     */
+    notificationPrefs: jsonb3("notification_prefs").$type().default({}).notNull(),
     createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
     updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [primaryKey2({ columns: [table.siteId, table.userId] })]
+  (table) => [index3("np_members_status_idx").on(table.status)]
 );
-var npUserOAuthIdentities = pgTable3(
-  "np_user_oauth_identities",
+var npMemberSessions = pgTable3("np_member_sessions", {
+  id: uuid3("id").defaultRandom().primaryKey(),
+  memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+  tokenHash: text3("token_hash").notNull(),
+  userAgent: text3("user_agent"),
+  ip: text3("ip"),
+  expiresAt: timestamp3("expires_at", { withTimezone: true, mode: "date" }).notNull(),
+  createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+});
+var npMemberIdentities = pgTable3(
+  "np_member_identities",
   {
     id: uuid3("id").defaultRandom().primaryKey(),
-    userId: uuid3("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
     provider: text3("provider").notNull(),
-    providerUserId: text3("provider_user_id").notNull(),
+    subject: text3("subject").notNull(),
+    email: text3("email"),
     /** Free-form per-provider metadata (avatar URL, scopes granted, etc.). */
     metadata: jsonb3("metadata").$type().default({}).notNull(),
     createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
     updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => ({
-    providerSubjectUnique: unique2("np_user_oauth_identities_provider_subject_unique").on(
-      table.provider,
-      table.providerUserId
-    ),
-    userProviderUnique: unique2("np_user_oauth_identities_user_provider_unique").on(
-      table.userId,
-      table.provider
-    ),
-    userIdx: index3("np_user_oauth_identities_user_idx").on(table.userId)
-  })
+  (table) => [
+    unique2("np_member_identities_provider_subject_uq").on(table.provider, table.subject),
+    unique2("np_member_identities_member_provider_uq").on(table.memberId, table.provider),
+    index3("np_member_identities_member_idx").on(table.memberId)
+  ]
 );
-var npSessions = pgTable3("np_sessions", {
-  id: uuid3("id").defaultRandom().primaryKey(),
-  userId: uuid3("user_id").notNull().references(() => npUsers.id, { onDelete: "cascade" }),
-  tokenHash: text3("token_hash").notNull(),
-  userAgent: text3("user_agent"),
-  ip: text3("ip"),
-  expiresAt: timestamp3("expires_at", { withTimezone: true, mode: "date" }).notNull(),
-  createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
-});
-var npRevisions = pgTable3(
-  "np_revisions",
+var npMemberRoles = pgTable3(
+  "np_member_roles",
   {
     id: uuid3("id").defaultRandom().primaryKey(),
-    collection: text3("collection").notNull(),
-    documentId: text3("document_id").notNull(),
-    version: integer3("version").notNull(),
-    status: npRevisionStatusEnum("status").notNull(),
-    snapshot: jsonb3("snapshot").$type().notNull(),
-    changedFields: text3("changed_fields").array().notNull(),
-    authorId: uuid3("author_id").references(() => npUsers.id),
-    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    role: text3("role").notNull(),
+    scopeType: npMemberRoleScopeEnum("scope_type").notNull(),
+    /** Nullable for `scope_type='site'`. Otherwise an opaque string id. */
+    scopeId: text3("scope_id"),
+    /**
+     * Phase 18 — the tenant the grant applies on. For
+     * `scope_type='site'` this column IS the site identifier
+     * (`scope_id` stays null because site is the root scope).
+     * For category / collection / thread grants, `site_id` says
+     * which tenant's category/collection/thread this row
+     * targets — the same slug exists on every site.
+     */
+    siteId: text3("site_id").default("default").notNull(),
+    grantedBy: uuid3("granted_by").references(() => npUsers.id),
+    grantedAt: timestamp3("granted_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
+    expiresAt: timestamp3("expires_at", { withTimezone: true, mode: "date" })
   },
-  (table) => ({
-    documentVersionUnique: unique2("np_revisions_document_id_version_unique").on(
-      table.documentId,
-      table.version
-    ),
-    collectionIdx: index3("np_revisions_collection_idx").on(table.collection),
-    documentIdIdx: index3("np_revisions_document_id_idx").on(table.documentId)
-  })
+  (table) => [
+    // Two indexes mirror the two access patterns: "what can this member
+    // do?" (memberId scan) and "who mods this scope?" (scope scan).
+    index3("np_member_roles_member_idx").on(table.memberId),
+    index3("np_member_roles_scope_idx").on(table.scopeType, table.scopeId),
+    index3("np_member_roles_site_idx").on(table.siteId, table.memberId),
+    // `scope_id` is null for site-wide grants. NULLS NOT
+    // DISTINCT makes two null `scope_id`s collide so the
+    // unique constraint enforces "one grant per (member, role,
+    // scope, site)." `site_id` widens the key so the same
+    // member can hold the same role on different tenants.
+    unique2("np_member_roles_grant_uq").on(table.memberId, table.role, table.scopeType, table.scopeId, table.siteId).nullsNotDistinct()
+  ]
 );
-var npSettings = pgTable3(
-  "np_settings",
+var npComments = pgTable3(
+  "np_comments",
   {
+    id: uuid3("id").defaultRandom().primaryKey(),
+    targetType: text3("target_type").notNull(),
+    targetId: uuid3("target_id").notNull(),
+    parentId: uuid3("parent_id").references(() => npComments.id, {
+      onDelete: "cascade"
+    }),
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    bodyMd: text3("body_md").notNull(),
+    bodyHtml: text3("body_html").notNull(),
+    status: npCommentStatusEnum("status").default("visible").notNull(),
+    hiddenByUserId: uuid3("hidden_by_user_id").references(() => npUsers.id),
+    hiddenByMemberId: uuid3("hidden_by_member_id").references(() => npMembers.id),
+    hiddenReason: text3("hidden_reason"),
+    editedAt: timestamp3("edited_at", { withTimezone: true, mode: "date" }),
+    /**
+     * Phase 18 — site this comment belongs to. Filled at insert
+     * time from the target document's site (canonical) so a
+     * forged request resolver can't smuggle a comment into the
+     * wrong site. Defaults to `'default'` for legacy single-
+     * tenant rows so the migration backfill is a no-op.
+     */
     siteId: text3("site_id").default("default").notNull(),
-    key: text3("key").notNull(),
-    value: jsonb3("value").$type().notNull(),
-    updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-    updatedBy: uuid3("updated_by").references(() => npUsers.id)
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [primaryKey2({ columns: [table.siteId, table.key] })]
+  (table) => [
+    index3("np_comments_target_idx").on(table.targetType, table.targetId, table.createdAt),
+    index3("np_comments_member_idx").on(table.memberId, table.createdAt),
+    index3("np_comments_site_idx").on(table.siteId, table.createdAt)
+  ]
 );
-var npSlugHistory = pgTable3(
-  "np_slug_history",
+var npReactions = pgTable3(
+  "np_reactions",
   {
     id: uuid3("id").defaultRandom().primaryKey(),
+    targetType: text3("target_type").notNull(),
+    targetId: uuid3("target_id").notNull(),
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    kind: text3("kind").notNull(),
+    /** Phase 18 — site this reaction belongs to (derived from target). */
     siteId: text3("site_id").default("default").notNull(),
-    collection: text3("collection").notNull(),
-    documentId: text3("document_id").notNull(),
-    oldSlug: text3("old_slug").notNull(),
-    newSlug: text3("new_slug").notNull(),
     createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
   (table) => [
-    index3("np_slug_history_lookup_idx").on(table.siteId, table.collection, table.oldSlug),
-    index3("np_slug_history_doc_idx").on(table.siteId, table.collection, table.documentId)
+    index3("np_reactions_target_idx").on(table.targetType, table.targetId),
+    index3("np_reactions_site_idx").on(table.siteId),
+    unique2("np_reactions_unique").on(table.targetType, table.targetId, table.memberId, table.kind)
   ]
 );
-var npNavigation = pgTable3(
-  "np_navigation",
+var npFollows = pgTable3(
+  "np_follows",
   {
     id: uuid3("id").defaultRandom().primaryKey(),
+    followerId: uuid3("follower_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    targetType: text3("target_type").notNull(),
+    targetId: text3("target_id").notNull(),
+    /**
+     * Phase 18 — site the follow happened on. The same global
+     * member can follow on multiple sites and each row scopes
+     * to where the click happened (so site-scoped notifications
+     * + activity feeds don't leak cross-tenant). The unique
+     * key is widened to include site_id so the same follower
+     * can have parallel follow rows under different tenants.
+     */
     siteId: text3("site_id").default("default").notNull(),
-    location: text3("location").notNull(),
-    items: jsonb3("items").$type().notNull(),
-    updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-    updatedBy: uuid3("updated_by").references(() => npUsers.id)
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [unique2("np_navigation_site_location_idx").on(table.siteId, table.location)]
+  (table) => [
+    index3("np_follows_target_idx").on(table.targetType, table.targetId),
+    index3("np_follows_site_idx").on(table.siteId),
+    unique2("np_follows_unique").on(
+      table.followerId,
+      table.targetType,
+      table.targetId,
+      table.siteId
+    )
+  ]
 );
-var npStringOverrides = pgTable3(
-  "np_string_overrides",
+var npMemberMutes = pgTable3(
+  "np_member_mutes",
   {
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    targetId: uuid3("target_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    /**
+     * Phase 18 — site the mute applies to. A muter can choose
+     * to silence someone on one tenant without affecting their
+     * other tenants. PK is widened to include site_id so the
+     * same `(member, target)` pair can hold parallel rows per
+     * site.
+     */
     siteId: text3("site_id").default("default").notNull(),
-    locale: text3("locale").notNull(),
-    key: text3("key").notNull(),
-    value: text3("value"),
-    updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-    updatedBy: uuid3("updated_by").references(() => npUsers.id)
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [primaryKey2({ columns: [table.siteId, table.locale, table.key] })]
+  (table) => [
+    primaryKey2({ columns: [table.memberId, table.targetId, table.siteId] }),
+    index3("np_member_mutes_target_idx").on(table.targetId)
+  ]
 );
-var npSites = pgTable3(
-  "np_sites",
+var npNotifications = pgTable3(
+  "np_notifications",
   {
-    id: text3("id").primaryKey(),
-    name: text3("name").notNull(),
-    hostname: text3("hostname"),
-    description: text3("description"),
-    settings: jsonb3("settings").$type().default({}).notNull(),
-    isDefault: boolean2("is_default").default(false).notNull(),
-    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-    updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    id: uuid3("id").defaultRandom().primaryKey(),
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    kind: text3("kind").notNull(),
+    payload: jsonb3("payload").$type().default({}).notNull(),
+    readAt: timestamp3("read_at", { withTimezone: true, mode: "date" }),
+    /**
+     * Phase 18 — site this notification belongs to. A member
+     * who's active on multiple tenants gets one inbox per site
+     * (the inbox API filters by current site) so cross-tenant
+     * activity doesn't bleed into the wrong site's UI.
+     */
+    siteId: text3("site_id").default("default").notNull(),
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => [unique2("np_sites_hostname_idx").on(table.hostname)]
+  (table) => [
+    index3("np_notifications_inbox_idx").on(table.memberId, table.readAt, table.createdAt),
+    index3("np_notifications_site_inbox_idx").on(table.siteId, table.memberId, table.readAt)
+  ]
 );
-var npPlugins = pgTable3("np_plugins", {
-  id: text3("id").primaryKey(),
-  enabled: boolean2("enabled").default(true).notNull(),
-  installedAt: timestamp3("installed_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-  updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
-});
-var NP_GLOBAL_PLUGIN_SITE_ID = "_global_";
-var npPluginStorage = pgTable3(
-  "np_plugin_storage",
+var npReports = pgTable3(
+  "np_reports",
   {
-    pluginId: text3("plugin_id").notNull(),
-    siteId: text3("site_id").default(NP_GLOBAL_PLUGIN_SITE_ID).notNull(),
-    key: text3("key").notNull(),
-    value: jsonb3("value").$type().notNull(),
-    expiresAt: timestamp3("expires_at", { withTimezone: true, mode: "date" }),
-    updatedAt: timestamp3("updated_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+    id: uuid3("id").defaultRandom().primaryKey(),
+    reporterId: uuid3("reporter_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    targetType: text3("target_type").notNull(),
+    targetId: text3("target_id").notNull(),
+    reason: text3("reason").notNull(),
+    resolvedAt: timestamp3("resolved_at", { withTimezone: true, mode: "date" }),
+    resolvedByUserId: uuid3("resolved_by_user_id").references(() => npUsers.id),
+    resolvedByMemberId: uuid3("resolved_by_member_id").references(() => npMembers.id),
+    resolution: text3("resolution"),
+    /**
+     * Phase 18 — site this report belongs to. The mod queue
+     * is per-site so a category-mod on tenant A doesn't see
+     * tenant B's reports.
+     */
+    siteId: text3("site_id").default("default").notNull(),
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
-  (table) => ({
-    pk: primaryKey2({ columns: [table.pluginId, table.siteId, table.key] }),
-    pluginIdx: index3("np_plugin_storage_plugin_id_idx").on(table.pluginId),
-    siteIdx: index3("np_plugin_storage_site_idx").on(table.siteId)
-  })
+  (table) => [
+    index3("np_reports_queue_idx").on(table.resolvedAt, table.createdAt),
+    index3("np_reports_target_idx").on(table.targetType, table.targetId),
+    index3("np_reports_site_queue_idx").on(table.siteId, table.resolvedAt)
+  ]
 );
-var npWorkerHeartbeats = pgTable3("np_worker_heartbeats", {
-  id: text3("id").primaryKey(),
-  status: text3("status").default("running").notNull(),
-  startedAt: timestamp3("started_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-  lastSeenAt: timestamp3("last_seen_at", { withTimezone: true, mode: "date" }).defaultNow().notNull(),
-  /** Free-form metadata (worker version, hostname, env). */
-  meta: jsonb3("meta").$type().default({}).notNull()
-});
-var npJobLogs = pgTable3(
-  "np_job_logs",
+var npAuditEvents = pgTable3(
+  "np_audit_events",
   {
     id: uuid3("id").defaultRandom().primaryKey(),
-    jobId: text3("job_id").notNull(),
-    level: text3("level").notNull(),
-    message: text3("message").notNull(),
-    context: jsonb3("context").$type(),
+    actorKind: text3("actor_kind").notNull(),
+    actorUserId: uuid3("actor_user_id").references(() => npUsers.id),
+    actorMemberId: uuid3("actor_member_id").references(() => npMembers.id),
+    action: text3("action").notNull(),
+    targetType: text3("target_type"),
+    targetId: text3("target_id"),
+    payload: jsonb3("payload").$type().default({}).notNull(),
+    /**
+     * Phase 17 — site-scoped audit. Filled by `recordAuditEvent`
+     * from the current request's site (the multi-site resolver).
+     * Nullable for events that don't belong to a single site
+     * (super-admin actions, background jobs, scripts).
+     */
+    siteId: text3("site_id"),
+    createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
+  },
+  (table) => [
+    index3("np_audit_target_idx").on(table.targetType, table.targetId, table.createdAt),
+    index3("np_audit_actor_user_idx").on(table.actorUserId, table.createdAt),
+    index3("np_audit_actor_member_idx").on(table.actorMemberId, table.createdAt),
+    index3("np_audit_site_idx").on(table.siteId, table.createdAt)
+  ]
+);
+var npBans = pgTable3(
+  "np_bans",
+  {
+    id: uuid3("id").defaultRandom().primaryKey(),
+    memberId: uuid3("member_id").notNull().references(() => npMembers.id, { onDelete: "cascade" }),
+    scopeType: npBanScopeEnum("scope_type").notNull(),
+    scopeId: text3("scope_id"),
+    kind: npBanKindEnum("kind").notNull(),
+    expiresAt: timestamp3("expires_at", { withTimezone: true, mode: "date" }),
+    reason: text3("reason"),
+    byUserId: uuid3("by_user_id").references(() => npUsers.id),
+    byMemberId: uuid3("by_member_id").references(() => npMembers.id),
+    /**
+     * Phase 18 — the tenant this ban applies to. Pre-Phase 18
+     * `scope_type='site'` rows had `scope_id=null` because
+     * "site" was the singular root scope; with multi-tenancy
+     * the column tells `assertNotBanned` WHICH site the ban
+     * blocks writes on. Category / collection scopes resolve
+     * per-site too — the same `posts` collection slug exists
+     * on every tenant.
+     */
+    siteId: text3("site_id").default("default").notNull(),
     createdAt: timestamp3("created_at", { withTimezone: true, mode: "date" }).defaultNow().notNull()
   },
   (table) => [
-    index3("np_job_logs_job_idx").on(table.jobId, table.createdAt),
-    index3("np_job_logs_created_idx").on(table.createdAt)
+    index3("np_bans_member_scope_idx").on(table.memberId, table.scopeType, table.scopeId),
+    index3("np_bans_active_idx").on(table.memberId, table.expiresAt),
+    index3("np_bans_site_idx").on(table.siteId, table.memberId)
   ]
 );
 
 export {
+  npMemberStatusEnum,
+  npBanScopeEnum,
+  npBanKindEnum,
+  npCommentStatusEnum,
+  npMemberRoleScopeEnum,
+  npMembers,
+  npMemberSessions,
+  npMemberIdentities,
+  npMemberRoles,
+  npComments,
+  npReactions,
+  npFollows,
+  npMemberMutes,
+  npNotifications,
+  npReports,
+  npAuditEvents,
+  npBans,
+  npMediaStatusEnum,
+  npMediaFolders,
+  npMedia,
+  npMediaRefs,
   npUserRoleEnum,
   npRevisionStatusEnum,
   npPasswordResetPurposeEnum,
@@ -689,27 +710,6 @@ export {
   NP_GLOBAL_PLUGIN_SITE_ID,
   npPluginStorage,
   npWorkerHeartbeats,
-  npJobLogs,
-  npMediaStatusEnum,
-  npMediaFolders,
-  npMedia,
-  npMediaRefs,
-  npMemberStatusEnum,
-  npBanScopeEnum,
-  npBanKindEnum,
-  npCommentStatusEnum,
-  npMemberRoleScopeEnum,
-  npMembers,
-  npMemberSessions,
-  npMemberIdentities,
-  npMemberRoles,
-  npComments,
-  npReactions,
-  npFollows,
-  npMemberMutes,
-  npNotifications,
-  npReports,
-  npAuditEvents,
-  npBans
+  npJobLogs
 };
-//# sourceMappingURL=chunk-M43PGOQY.js.map
+//# sourceMappingURL=chunk-X7K5F2UI.js.map