@ojokesusu/lintasai 1.1.2

package/templates/CROSS_REPO_TYPES_PIPELINE.md

@@ -0,0 +1,473 @@
+# Cross-Repo Auto Types Pipeline - lintasAI
+
+> Otomatisasi penuh: backend update schema → types auto-generate → @<project>/shared publish → Discord notify → frontend Renovate auto-PR.
+> Audience: Owner setup awal (sekali).
+
+---
+
+## Filosofi: "Backend Owns the Contract"
+
+Backend = single source of truth untuk:
+- Database schema (Prisma)
+- API endpoint signatures
+- Business logic types
+
+Frontend = consumer of contract via @<project>/shared package.
+
+Tidak ada manual sync. Pipeline auto-handle.
+
+Kenapa filosofi ini penting:
+- Frontend tidak boleh "tebak-tebakan" bentuk data dari backend
+- Setiap kontrak (type, schema, signature) hanya diubah di backend
+- Frontend cuma konsumsi versi terbaru lewat package manager
+- Conflict resolution jadi mudah karena cuma satu sumber kebenaran
+
+---
+
+## Setup di akses-backend Repo
+
+### Step 1: Install dependencies
+
+```bash
+cd akses-backend
+npm install --save-dev tsup typescript semantic-release @semantic-release/git @semantic-release/exec
+npm install --save zod  # untuk shared validation schemas
+```
+
+Penjelasan tiap dependency:
+- `tsup` — bundler super cepat untuk build TypeScript types
+- `typescript` — compiler resmi
+- `semantic-release` — opsional, untuk auto-bump version berdasarkan commit message
+- `zod` — runtime validation schemas yang bisa di-share frontend + backend
+
+### Step 2: Setup tsup config
+
+Create akses-backend/tsup.shared.config.ts:
+
+```typescript
+import { defineConfig } from 'tsup'
+
+export default defineConfig({
+  entry: ['src/shared/index.ts'],  // export types yang shared
+  format: ['esm', 'cjs'],
+  dts: true,                        // auto-generate .d.ts
+  outDir: 'shared-dist',
+  clean: true,
+})
+```
+
+Catatan:
+- `format: ['esm', 'cjs']` — support modern bundler (Vite, Next.js) sekaligus legacy (Jest, ts-node)
+- `dts: true` — auto-generate file `.d.ts` (declaration file) untuk type inference di frontend
+- `outDir: 'shared-dist'` — jangan di `dist/` supaya tidak konflik dengan build backend
+
+### Step 3: Define shared types (manual + auto-generated)
+
+Create akses-backend/src/shared/index.ts:
+
+```typescript
+// Re-export Prisma types yang aman di-share ke frontend
+export type {
+  User,
+  Order,
+  Platform
+  // Don't export: Credentials (sensitive), Sessions (internal)
+} from '@prisma/client'
+
+// Export Zod schemas untuk runtime validation
+export { UserSchema, OrderSchema } from './schemas/user'
+export { TrackingSchema, type OrderTracking } from './schemas/tracking'
+
+// Manual types untuk API response wrappers
+export type ApiResponse<T> = { data: T, meta?: any } | { error: string }
+```
+
+PENTING: Filter type yang sensitif:
+- `Credentials`, `Sessions`, `ApiKey`, `Token` — JANGAN di-export
+- Field internal seperti `internal_notes`, `cost_price`, `commission` — pakai DTO terpisah
+- Buat type wrapper `PublicUser` (cuma field yang aman ke client) vs `User` (full Prisma model di backend)
+
+### Step 4: Auto-generate script
+
+Add to akses-backend/package.json:
+
+```json
+{
+  "scripts": {
+    "generate:types": "prisma generate && tsup --config tsup.shared.config.ts",
+    "publish:shared": "cd shared-dist && npm publish --registry=https://npm.pkg.github.com"
+  }
+}
+```
+
+Test lokal:
+```bash
+npm run generate:types
+ls shared-dist/   # cek output: index.d.ts, index.js, index.mjs, package.json
+```
+
+### Step 5: GitHub Actions auto-pipeline
+
+Create akses-backend/.github/workflows/publish-shared.yml:
+
+```yaml
+name: Publish @<project>/shared on schema change
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'prisma/schema.prisma'
+      - 'src/shared/**'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://npm.pkg.github.com'
+      - run: npm ci
+      - name: Generate types
+        run: npm run generate:types
+      - name: Bump version & publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          cd shared-dist
+          npm version patch -m 'chore(shared): bump version [skip ci]'
+          npm publish
+      - name: Notify Discord
+        run: |
+          VERSION=$(node -p "require('./shared-dist/package.json').version")
+          curl -X POST ${{ secrets.DISCORD_WEBHOOK_DEPS }} \
+            -H 'Content-Type: application/json' \
+            -d "{\"content\": \"@<project>/shared v$VERSION published. Frontend team: PR dari Renovate akan masuk dalam 24 jam, atau manual npm install untuk segera dapat update.\"}"
+```
+
+Catatan trigger:
+- `paths` filter — workflow hanya jalan kalau yang berubah Prisma schema atau folder shared
+- Kalau cuma update business logic backend (di luar shared/), workflow skip → hemat CI minutes
+- `[skip ci]` di commit version bump — supaya tidak trigger workflow lagi (infinite loop)
+
+---
+
+## Real-Time Trigger Pattern (Recommended for Fast-Moving Teams)
+
+> Backend publish → Frontend repo auto-update DALAM 3-5 MENIT (vs Renovate 24 jam).
+> Pakai GitHub Actions repository_dispatch event.
+
+### Filosofi
+
+Renovate = polling-based (scan periodic). Untuk team yang kerja CEPAT (AI Claude Code-powered), 24 jam terlalu lama.
+
+Solusi: push-based. Backend lapor SEKARANG, frontend respond SEKARANG.
+
+### Setup Backend Side
+
+Update .github/workflows/publish-shared.yml di akses-backend, tambah step terakhir:
+
+```yaml
+      - name: Trigger frontend repo update
+        uses: peter-evans/repository-dispatch@v3
+        with:
+          token: ${{ secrets.FRONTEND_REPO_DISPATCH_TOKEN }}
+          repository: <owner>/<project>-frontend
+          event-type: shared-package-published
+          client-payload: |
+            {
+              "version": "${{ env.NEW_VERSION }}",
+              "commit": "${{ github.sha }}",
+              "changelog_url": "https://github.com/<owner>/<project>-backend/commits/main"
+            }
+```
+
+Setup secret:
+1. Generate Personal Access Token (PAT) di GitHub > Settings > Developer settings > Tokens (classic)
+2. Scope: `repo` + `workflow` (untuk akses repo frontend)
+3. Save ke akses-backend > Settings > Secrets > FRONTEND_REPO_DISPATCH_TOKEN
+
+### Setup Frontend Side
+
+Create .github/workflows/receive-shared-update.yml di akses-frontend:
+
+```yaml
+name: Receive @<project>/shared update
+
+on:
+  repository_dispatch:
+    types: [shared-package-published]
+
+jobs:
+  update:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://npm.pkg.github.com'
+          scope: '@<project>'
+      - name: Install new shared version
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          npm install @<project>/shared@${{ github.event.client_payload.version }}
+      - name: Create PR
+        uses: peter-evans/create-pull-request@v6
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(deps): bump @<project>/shared to ${{ github.event.client_payload.version }}"
+          title: "Auto-update @<project>/shared to v${{ github.event.client_payload.version }}"
+          body: |
+            Triggered by backend publish.
+
+            **Version**: v${{ github.event.client_payload.version }}
+            **Backend commit**: [${{ github.event.client_payload.commit }}](${{ github.event.client_payload.changelog_url }})
+
+            ## Action Required
+
+            - Review changes di backend (klik commit link di atas)
+            - Test di local: `npm run dev` + check halaman yang affected
+            - Approve + merge kalau OK
+
+            ## Auto-Generated
+            Workflow: `.github/workflows/receive-shared-update.yml`
+          branch: auto/shared-update-${{ github.event.client_payload.version }}
+          labels: |
+            auto-update
+            shared-types
+```
+
+### Workflow End-to-End (3-5 Menit Total)
+
+```
+10:00:00 Backend staff prompt AI -> push schema change ke akses-backend main
+10:00:05 GitHub Actions: publish-shared.yml triggered
+10:01:30 Types generated + version bumped + publish ke GitHub Packages
+10:02:00 npm publish complete
+10:02:05 Discord webhook notif posted
+10:02:10 repository_dispatch ke akses-frontend
+10:02:15 Frontend repo: receive-shared-update.yml triggered
+10:03:00 npm install @<project>/shared@latest
+10:03:30 Create PR via peter-evans/create-pull-request
+10:04:00 PR ready di akses-frontend
+10:04:05 Discord notif update: "PR ready di frontend repo, please review"
+
+Total: ~4 menit dari backend push to frontend PR ready.
+```
+
+### Comparison: Renovate vs Real-Time Trigger
+
+| Aspect | Renovate (24 jam) | Real-Time Trigger (4 menit) |
+|---|---|---|
+| Latency | <24 jam | <5 menit |
+| Setup complexity | Low (1 file renovate.json) | Medium (2 workflow files + PAT) |
+| Reliability | High (mature tool) | High (GitHub native event) |
+| Cost | $0 | $0 |
+| Best for | Slow teams, less critical updates | Fast teams, AI Claude Code-powered |
+
+### Recommendation for akses
+
+Pakai DUA-DUANYA:
+- Real-time trigger = PRIMARY (handle real-time updates)
+- Renovate = BACKUP (catch missed events, weekly scan)
+
+Plus Discord notif at both stages untuk human awareness.
+
+### Optional: Auto-Merge (Aggressive Mode)
+
+Kalau super trust + tim kecil (< 5 frontend), bisa auto-merge:
+
+```yaml
+      - name: Enable auto-merge
+        run: |
+          gh pr merge ${{ steps.cpr.outputs.pull-request-number }} --auto --squash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+```
+
+Risk: kalau backend publish breaking change, langsung kena frontend.
+Mitigation: backend MUST commit dengan "BREAKING:" prefix -> workflow detect + skip auto-merge.
+
+---
+
+## Setup di akses-frontend Repo
+
+### Renovate Auto-PR (Backup, untuk catch missed real-time events)
+
+### Step 1: Renovate config
+
+Create akses-frontend/renovate.json:
+
+```json
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:recommended"],
+  "schedule": ["after 9am every weekday"],
+  "packageRules": [
+    {
+      "matchPackageNames": ["@<project>/shared"],
+      "schedule": ["at any time"],
+      "automerge": false,
+      "groupName": "shared package",
+      "reviewers": ["<owner-username>"],
+      "labels": ["auto-update", "shared-types"]
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "enabled": true
+  }
+}
+```
+
+Enable Renovate bot di GitHub: https://github.com/marketplace/renovate
+
+Konfigurasi penting:
+- `schedule: ["at any time"]` untuk @<project>/shared — bypass default schedule supaya update urgent type bisa langsung dibuatkan PR
+- `automerge: false` — owner tetap review sebelum merge (safety)
+- `reviewers` — auto-assign ke owner supaya notif langsung muncul
+
+### Step 2: AI Auto-Check di session start
+
+Edit akses-frontend/.claude-kit/AGENTS.md tambah section:
+
+```markdown
+## Session Start Auto-Check (untuk AI Claude Code)
+
+Saat session pertama tiap hari, AI WAJIB:
+
+1. Cek @<project>/shared version:
+   - Read package.json: catat version yang dipakai
+   - Run: npm view @<project>/shared version --registry=https://npm.pkg.github.com (atau alternatif: curl GitHub Packages API)
+   - Compare: kalau outdated, output warning:
+     "@<project>/shared outdated (current: <local>, latest: <remote>)
+      Lanjut npm install untuk update? Atau lanjut dengan version lama?"
+
+2. Cek Swagger API spec:
+   - Fetch: curl -s https://api-staging.<project>.id/docs/openapi.json > /tmp/api-spec.json
+   - Cache spec untuk reference saat AI suggest API call
+   - Kalau Swagger 404, log warning "Backend offline atau spec belum ready"
+
+3. Cek Discord channel #akses-deps untuk recent updates (manual check, owner periodically share).
+
+Tujuan: Frontend AI selalu aware latest API contract + types.
+```
+
+---
+
+## Setup Discord Webhook
+
+1. Discord server > Settings > Integrations > Webhooks > New Webhook
+2. Name: "akses-shared-publisher"
+3. Channel: #akses-deps (bikin channel baru kalau belum ada)
+4. Copy URL
+5. Save sebagai GitHub Secret di akses-backend:
+   - Settings > Secrets > New: DISCORD_WEBHOOK_DEPS
+   - Value: paste URL
+
+Tips kanal Discord:
+- Bikin role @deps-watcher dan mention di template message → tim FE dapat notifikasi langsung
+- Aktifkan thread auto-create per release → diskusi breaking change tidak nyampur dengan notif lain
+- Pin pesan pinned dengan link ke dokumen ini supaya tim baru tahu workflow
+
+---
+
+## Workflow End-to-End
+
+```
+Day 1, jam 10:00 — Backend staff
+  Prompt: "tambah field estimated_arrival di Order"
+    ↓
+  AI:
+    - Update prisma/schema.prisma
+    - Run prisma migrate dev (local staging)
+    - Update src/shared/schemas/tracking.ts (tambah type)
+    - Run npm run generate:types
+    - Commit + push
+    ↓
+Day 1, jam 10:05 — GitHub Actions
+  - Detect push to main with schema change
+  - Run publish-shared.yml workflow
+  - Generate types
+  - Bump @<project>/shared dari v1.1.0 → v1.1.1
+  - Publish ke GitHub Packages
+  - POST Discord webhook
+    ↓
+Day 1, jam 10:06 — Discord channel #akses-deps
+  Bot post: "@<project>/shared v1.1.1 published"
+    ↓
+Day 1, jam 11:00 — Renovate scan (atau next morning)
+  - Detect @<project>/shared v1.1.0 → v1.1.1 available
+  - Auto-create PR di akses-frontend
+  - Title: "chore(deps): bump @<project>/shared from 1.1.0 to 1.1.1"
+    ↓
+Day 2, jam 09:00 — Owner morning routine
+  - Review PR di GitHub
+  - Approve + merge
+  - Frontend tim dapat update di next pull
+    ↓
+Day 2, jam 09:30 — Frontend staff
+  Prompt: "bikin halaman tracking"
+    ↓
+  AI session start auto-check:
+    - @<project>/shared v1.1.1 sudah pakai
+    - Swagger spec fetched, endpoint tracking ada
+    - AI proceed dengan up-to-date context
+```
+
+---
+
+## Versioning & Breaking Changes
+
+Pakai semver disiplin:
+- PATCH (1.1.0 → 1.1.1) — tambah field optional, tambah type baru, fix typo
+- MINOR (1.1.0 → 1.2.0) — tambah endpoint baru, tambah enum value
+- MAJOR (1.x → 2.0.0) — hapus field, rename field, ubah signature
+
+Untuk MAJOR:
+1. Backend buat branch `breaking/v2` dulu
+2. Publish dengan dist-tag `next` (bukan `latest`)
+3. Frontend bisa coba `npm install @<project>/shared@next`
+4. Setelah migration di frontend done, baru promote ke `latest`
+
+---
+
+## FAQ
+
+**Q: Kalau backend gak mau auto-publish (mau review dulu)?**
+A: Hapus trigger 'on: push: branches: [main]'. Ganti dengan 'on: workflow_dispatch' (manual trigger).
+
+**Q: Kalau frontend gak mau auto-PR (mau pilih sendiri kapan update)?**
+A: Disable Renovate, pakai manual npm install routine. Lapis 3 (workflow routine) + Lapis 4 (AI auto-check) tetap aktif.
+
+**Q: Cost?**
+A: $0. GitHub Actions free tier, GitHub Packages free (private up to 500MB), Renovate free.
+
+**Q: Berapa lama setup?**
+A: 2-3 jam owner one-time. Setelah itu zero ongoing maintenance.
+
+**Q: Bagaimana kalau ada conflict antar staff yang ubah shared types bersamaan?**
+A: Karena hanya backend yang punya akses tulis ke `src/shared/`, conflict cuma terjadi di repo backend. Resolusi pakai PR review standar GitHub.
+
+**Q: Kalau Renovate tidak detect update dalam 24 jam?**
+A: Buka manual: GitHub > akses-frontend > Insights > Dependency graph > Renovate logs. Atau trigger manual via Dependency Dashboard issue.
+
+**Q: Bagaimana audit history apa saja yang berubah di types?**
+A: Lihat commit history di akses-backend `src/shared/` + GitHub Packages versions page. Setiap version punya tag commit yang menghasilkan publish.
+
+**Q: Apakah perlu pakai semantic-release?**
+A: Tidak wajib. `npm version patch` di workflow sudah cukup untuk auto-bump. Pakai semantic-release kalau mau analyze commit message untuk decide patch/minor/major otomatis.
+
+**Q: Kalau frontend tim banyak (>3), apakah workflow ini cukup?**
+A: Cukup. Setiap dev tarik pakai `git pull` + `npm install` setelah PR Renovate merged. Tidak perlu koordinasi manual.

package/templates/DB_SCHEMA_SCAN_PROMPT.md

@@ -0,0 +1,194 @@
+# templates/DB_SCHEMA_SCAN_PROMPT.md — Scan Database Schema → docs/db-schema.md
+
+> Versi 1 · 2026-06-01
+> Standalone prompt untuk generate `docs/db-schema.md` dari source code project.
+
+---
+
+## Kapan pakai prompt ini?
+
+Paste prompt ini ke Claude Code **kalau**:
+- ✅ Pertama kali setup project + ingin AI paham database struktur project sebelum bantu coding.
+- ✅ Schema baru saja berubah (model ditambah/dihapus, relasi diubah) dan `docs/db-schema.md` belum update.
+- ✅ Audit relasi antar-model untuk planning refactor.
+
+**JANGAN paste prompt ini kalau**:
+- ❌ Project belum punya ORM / schema file (mis. project Express tanpa Prisma → schema implicit di code).
+- ❌ Schema confidential dan tidak boleh ke-ekspos ke `.md` (mis. financial data dengan field PII sensitif).
+
+---
+
+## Untuk AI (mulai dari sini)
+
+### Peran
+Kamu adalah **Database Architect + Tech Writer**. Tujuan: generate `docs/db-schema.md` yang akurat berdasarkan source code, BUKAN tebakan generic.
+
+### Aturan kerja
+- **Bahasa Indonesia**, junior-friendly.
+- **Akurasi > kelengkapan**. Lebih baik `[TBD: <alasan>]` daripada karang relasi.
+- **Setiap klaim traceable** ke file/baris source (mis. `prisma/schema.prisma:42`).
+- **JANGAN baca file rahasia** (`.env`, `*.key`, `secrets/`, `credentials*`).
+- **Cek dulu** apakah `docs/db-schema.md` sudah ada — kalau ada, baca dulu untuk anti-overwrite + delta detection.
+
+### Workflow 4 fase
+
+#### FASE 1 — Auto-detect schema source
+
+Cari file schema dengan prioritas (top down):
+
+1. **Prisma**: `prisma/schema.prisma` (atau `schema.prisma` di root)
+2. **Drizzle**: `db/schema.ts`, `drizzle/schema.ts`, `src/db/schema.ts`
+3. **Sequelize**: `models/index.js` + `models/*.js`
+4. **TypeORM**: file dengan `@Entity()` decorator
+5. **SQLAlchemy (Python)**: file dengan `class X(Base)` declaration
+6. **Raw SQL migrations**: `migrations/*.sql`, `db/migrations/*.sql`
+7. **Hibernate (Java)**: file dengan `@Entity` annotation
+8. **Active Record (Rails)**: `db/schema.rb`
+
+Kalau **tidak ditemukan** → stop, lapor: "Schema source tidak ditemukan. Kalau project pakai database, paste file schema atau output `\d` (psql describe) untuk lanjut."
+
+Kalau **multiple sources** (mis. Prisma + raw migrations) → tanya user mana yang authoritative (biasanya schema.prisma).
+
+#### FASE 2 — Parse schema
+
+Baca file schema source, ekstrak:
+
+- **Model list** (nama tabel/entity).
+- **Field per model** (nama, tipe data, constraint: nullable, default, unique, primary key).
+- **Relasi** (1:1, 1:N, N:M) — direction + foreign key field.
+- **Index** (composite, partial, unique).
+- **Enum** (kalau ada).
+- **Trigger / function** (kalau di-export ke schema source).
+
+**Skip**:
+- Auto-generated field (mis. `_prisma_migrations` table).
+- Field internal Supabase (`auth.users`, `storage.objects`) kecuali user explicit minta.
+
+#### FASE 3 — Generate docs/db-schema.md
+
+Format wajib:
+
+```markdown
+# docs/db-schema.md — Schema database <NAMA_PROYEK>
+
+> Versi 1 · <YYYY-MM-DD> · auto-generated dari <SCHEMA_SOURCE>
+> Update: tiap schema berubah (lihat aturan AUTO-SYNC 7.1)
+
+## Pengantar
+[1-2 kalimat: stack DB (PostgreSQL via Supabase / MySQL / dll) + ORM (Prisma / Drizzle / raw) + scope (multi-tenant schema / single-tenant)]
+
+## Topology
+[Mermaid ER diagram — kalau total model <= 20. Kalau lebih, group per domain]
+
+\`\`\`mermaid
+erDiagram
+    USER ||--o{ POST : creates
+    USER ||--o{ COMMENT : writes
+    POST ||--o{ COMMENT : has
+    USER {
+        string id PK
+        string email UK
+        string name
+    }
+    POST {
+        string id PK
+        string userId FK
+        string title
+        datetime createdAt
+    }
+\`\`\`
+
+## Daftar Model
+
+### `User` (table: users)
+- **Tujuan**: [1 kalimat berbasis observasi source]
+- **Source**: `prisma/schema.prisma:12-34`
+- **Field**:
+  | Nama | Tipe | Constraint | Catatan |
+  |---|---|---|---|
+  | id | String | PK, @default(cuid()) | unique identifier |
+  | email | String | UK, NOT NULL | email login |
+  | passwordHash | String | NOT NULL | bcrypt hash |
+  | role | Role | enum | SUPERVISOR / PIC / ADMIN |
+  | createdAt | DateTime | @default(now()) | timestamp |
+- **Relasi**:
+  - 1:N → `Post` via `Post.userId`
+  - 1:N → `LoginLog` via `LoginLog.userId`
+  - 1:1 → `UserProfile` via `UserProfile.userId`
+- **Index**:
+  - UNIQUE(email)
+  - INDEX(role, isActive) — untuk filter dashboard cepat
+- **Dipakai di**:
+  - [docs/security/auth.md](security/auth.md) — login flow
+  - [docs/api/users/index.md](api/users/index.md) — CRUD user
+  - [docs/api/security.md](api/security.md) — list active sessions
+
+### `Post` (table: posts)
+[... pattern sama ...]
+
+## Enum
+### `Role`
+| Value | Deskripsi |
+|---|---|
+| SUPERVISOR | Owner, full akses |
+| PIC | Manager, akses tim |
+| ADMIN | Staff, akses terbatas |
+
+## Index Penting (cross-model)
+- `LoginLog(userId, eventType, createdAt DESC)` — untuk dashboard security
+- `Credential(deletedAt) WHERE deletedAt IS NULL` — partial index untuk soft-delete filter
+
+## Catatan Keputusan
+- **Soft-delete pattern**: model `Credential`, `Post` punya `deletedAt` column → query default `WHERE deletedAt IS NULL`.
+- **Audit trail**: `LoginLog`, `CredentialAuditLog` immutable — tidak ada UPDATE atau DELETE, hanya INSERT.
+- **Encryption-at-rest**: field `password`, `username`, `notes` di `Credential` di-encrypt via [encryption.md](security/encryption.md) sebelum simpan.
+- **Schema isolation**: project ini pakai shared DB Supabase production, schema `<nama>`. Lihat [MCP_SETUP.md](MCP_SETUP.md) untuk role isolation.
+
+## Migrasi history (recent)
+[Optional: kalau ada `prisma migrate` history yang menarik, summarize 3-5 migrasi terakhir]
+- 2026-05-09: tambah `User.activeSessionId` untuk single-session enforcement
+- 2026-05-15: tambah `ImpersonationSession` audit table
+- 2026-05-20: tambah `IpBlacklist` table
+
+## Source files
+- `prisma/schema.prisma` — schema utama
+- `prisma/migrations/` — migration history
+- `src/lib/prisma.ts` — Prisma client singleton ([prisma.md](lib/prisma.md))
+```
+
+#### FASE 4 — Update registry + cross-refs
+
+1. **Update `docs/architecture_auto.md`**: tambah entry `[db-schema.md](db-schema.md) — Schema database (X model, Y relasi)`.
+2. **Update `docs/architecture.md`** (peta makro proyek) — kalau belum ada section "Database", tambah link ke `db-schema.md`.
+3. **Cross-link**: untuk tiap model yang di-list di `db-schema.md`, cari `.md` lain yang sebut model tersebut → tambah link bi-directional.
+
+---
+
+## Aturan setelah generate
+
+- **AUTO-SYNC (7.1)**: setiap kali schema berubah (file Prisma/Drizzle/dll edited) → AI WAJIB re-generate `docs/db-schema.md` di sesi yang sama. Tidak boleh dibiarkan stale.
+- **Version bump**: kalau ada breaking change (rename model, drop field), bump versi di header `> Versi 2 · ...`.
+- **Cross-check sebelum commit**: pastikan field name di `.md` MATCH dengan source schema persis.
+
+---
+
+## Troubleshooting
+
+### Schema terlalu besar untuk fit di 1 file
+- Kalau total model > 50, split per domain: `docs/db/auth-schema.md`, `docs/db/payment-schema.md`, dst.
+- `docs/db-schema.md` jadi index yang point ke per-domain file.
+
+### Multi-database (mis. PostgreSQL + Redis + MongoDB)
+- Generate 1 file per database: `db-schema-postgres.md`, `db-schema-redis.md`, `db-schema-mongo.md`.
+- Update `architecture.md` section "Data layer" untuk overview cross-DB.
+
+### Mermaid diagram terlalu besar (> 20 model)
+- Skip Mermaid di main file, generate per-domain Mermaid di domain-specific `.md`.
+- Atau pakai PNG embed (generate via mmdc CLI lokal).
+
+---
+
+## Referensi
+- Mermaid ER diagram syntax: https://mermaid.js.org/syntax/entityRelationshipDiagram.html
+- Prisma schema reference: https://www.prisma.io/docs/orm/prisma-schema
+- Drizzle schema docs: https://orm.drizzle.team/docs/sql-schema-declaration