@sonicjs-cms/core 1.0.0-alpha.4 → 2.0.0-alpha.10

package/migrations/001_initial_schema.sql

@@ -0,0 +1,198 @@
+-- Initial schema for SonicJS AI
+-- Create users table for authentication
+CREATE TABLE IF NOT EXISTS users (
+  id TEXT PRIMARY KEY,
+  email TEXT NOT NULL UNIQUE,
+  username TEXT NOT NULL UNIQUE,
+  first_name TEXT NOT NULL,
+  last_name TEXT NOT NULL,
+  password_hash TEXT,
+  role TEXT NOT NULL DEFAULT 'viewer',
+  avatar TEXT,
+  is_active INTEGER NOT NULL DEFAULT 1,
+  last_login_at INTEGER,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- Create collections table for content schema definitions
+CREATE TABLE IF NOT EXISTS collections (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL UNIQUE,
+  display_name TEXT NOT NULL,
+  description TEXT,
+  schema TEXT NOT NULL, -- JSON schema definition
+  is_active INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- Create content table for actual content data
+CREATE TABLE IF NOT EXISTS content (
+  id TEXT PRIMARY KEY,
+  collection_id TEXT NOT NULL REFERENCES collections(id),
+  slug TEXT NOT NULL,
+  title TEXT NOT NULL,
+  data TEXT NOT NULL, -- JSON content data
+  status TEXT NOT NULL DEFAULT 'draft',
+  published_at INTEGER,
+  author_id TEXT NOT NULL REFERENCES users(id),
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- Create content_versions table for versioning
+CREATE TABLE IF NOT EXISTS content_versions (
+  id TEXT PRIMARY KEY,
+  content_id TEXT NOT NULL REFERENCES content(id),
+  version INTEGER NOT NULL,
+  data TEXT NOT NULL, -- JSON data
+  author_id TEXT NOT NULL REFERENCES users(id),
+  created_at INTEGER NOT NULL
+);
+
+-- Create media/files table with comprehensive R2 integration
+CREATE TABLE IF NOT EXISTS media (
+  id TEXT PRIMARY KEY,
+  filename TEXT NOT NULL,
+  original_name TEXT NOT NULL,
+  mime_type TEXT NOT NULL,
+  size INTEGER NOT NULL,
+  width INTEGER,
+  height INTEGER,
+  folder TEXT NOT NULL DEFAULT 'uploads',
+  r2_key TEXT NOT NULL, -- R2 storage key
+  public_url TEXT NOT NULL, -- CDN URL
+  thumbnail_url TEXT, -- Cloudflare Images URL
+  alt TEXT,
+  caption TEXT,
+  tags TEXT, -- JSON array of tags
+  uploaded_by TEXT NOT NULL REFERENCES users(id),
+  uploaded_at INTEGER NOT NULL,
+  updated_at INTEGER,
+  published_at INTEGER,
+  scheduled_at INTEGER,
+  archived_at INTEGER,
+  deleted_at INTEGER
+);
+
+-- Create API tokens table for programmatic access
+CREATE TABLE IF NOT EXISTS api_tokens (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  token TEXT NOT NULL UNIQUE,
+  user_id TEXT NOT NULL REFERENCES users(id),
+  permissions TEXT NOT NULL, -- JSON array of permissions
+  expires_at INTEGER,
+  last_used_at INTEGER,
+  created_at INTEGER NOT NULL
+);
+
+-- Create workflow history table for content workflow tracking
+CREATE TABLE IF NOT EXISTS workflow_history (
+  id TEXT PRIMARY KEY,
+  content_id TEXT NOT NULL REFERENCES content(id),
+  action TEXT NOT NULL,
+  from_status TEXT NOT NULL,
+  to_status TEXT NOT NULL,
+  user_id TEXT NOT NULL REFERENCES users(id),
+  comment TEXT,
+  created_at INTEGER NOT NULL
+);
+
+-- Create indexes for better performance
+CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);
+CREATE INDEX IF NOT EXISTS idx_users_username ON users(username);
+CREATE INDEX IF NOT EXISTS idx_users_role ON users(role);
+
+CREATE INDEX IF NOT EXISTS idx_collections_name ON collections(name);
+CREATE INDEX IF NOT EXISTS idx_collections_active ON collections(is_active);
+
+CREATE INDEX IF NOT EXISTS idx_content_collection ON content(collection_id);
+CREATE INDEX IF NOT EXISTS idx_content_author ON content(author_id);
+CREATE INDEX IF NOT EXISTS idx_content_status ON content(status);
+CREATE INDEX IF NOT EXISTS idx_content_published ON content(published_at);
+CREATE INDEX IF NOT EXISTS idx_content_slug ON content(slug);
+
+CREATE INDEX IF NOT EXISTS idx_content_versions_content ON content_versions(content_id);
+CREATE INDEX IF NOT EXISTS idx_content_versions_version ON content_versions(version);
+
+CREATE INDEX IF NOT EXISTS idx_media_folder ON media(folder);
+CREATE INDEX IF NOT EXISTS idx_media_type ON media(mime_type);
+CREATE INDEX IF NOT EXISTS idx_media_uploaded_by ON media(uploaded_by);
+CREATE INDEX IF NOT EXISTS idx_media_uploaded_at ON media(uploaded_at);
+CREATE INDEX IF NOT EXISTS idx_media_deleted ON media(deleted_at);
+
+CREATE INDEX IF NOT EXISTS idx_api_tokens_user ON api_tokens(user_id);
+CREATE INDEX IF NOT EXISTS idx_api_tokens_token ON api_tokens(token);
+
+CREATE INDEX IF NOT EXISTS idx_workflow_history_content ON workflow_history(content_id);
+CREATE INDEX IF NOT EXISTS idx_workflow_history_user ON workflow_history(user_id);
+
+-- Insert default admin user (password: admin123)
+INSERT OR IGNORE INTO users (
+  id, email, username, first_name, last_name, password_hash, 
+  role, is_active, created_at, updated_at
+) VALUES (
+  'admin-user-id',
+  'admin@sonicjs.com',
+  'admin',
+  'Admin',
+  'User',
+  'd1c379e871838f44e21d5a55841349e50636f06df139bfef11870eec74c381db', -- SHA-256 hash of 'admin123'
+  'admin',
+  1,
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+);
+
+-- Insert sample collections
+INSERT OR IGNORE INTO collections (
+  id, name, display_name, description, schema, 
+  is_active, created_at, updated_at
+) VALUES (
+  'blog-posts-collection',
+  'blog_posts',
+  'Blog Posts',
+  'Blog post content collection',
+  '{"type":"object","properties":{"title":{"type":"string","title":"Title","required":true},"content":{"type":"string","title":"Content","format":"richtext"},"excerpt":{"type":"string","title":"Excerpt"},"featured_image":{"type":"string","title":"Featured Image","format":"media"},"tags":{"type":"array","title":"Tags","items":{"type":"string"}},"status":{"type":"string","title":"Status","enum":["draft","published","archived"],"default":"draft"}},"required":["title"]}',
+  1,
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+),
+(
+  'pages-collection',
+  'pages',
+  'Pages',
+  'Static page content collection',
+  '{"type":"object","properties":{"title":{"type":"string","title":"Title","required":true},"content":{"type":"string","title":"Content","format":"richtext"},"slug":{"type":"string","title":"Slug"},"meta_description":{"type":"string","title":"Meta Description"},"featured_image":{"type":"string","title":"Featured Image","format":"media"}},"required":["title"]}',
+  1,
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+),
+(
+  'news-collection',
+  'news',
+  'News',
+  'News article content collection',
+  '{"type":"object","properties":{"title":{"type":"string","title":"Title","required":true},"content":{"type":"string","title":"Content","format":"richtext"},"publish_date":{"type":"string","title":"Publish Date","format":"date"},"author":{"type":"string","title":"Author"},"category":{"type":"string","title":"Category","enum":["technology","business","general"]}},"required":["title"]}',
+  1,
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+);
+
+-- Insert sample content
+INSERT OR IGNORE INTO content (
+  id, collection_id, slug, title, data, status, 
+  author_id, created_at, updated_at
+) VALUES (
+  'welcome-blog-post',
+  'blog-posts-collection',
+  'welcome-to-sonicjs-ai',
+  'Welcome to SonicJS AI',
+  '{"title":"Welcome to SonicJS AI","content":"<h1>Welcome to SonicJS AI</h1><p>This is your first blog post created with SonicJS AI, a modern headless CMS built on Cloudflare Workers.</p><h2>Features</h2><ul><li>Cloudflare-native architecture</li><li>TypeScript-first development</li><li>Hono.js framework</li><li>D1 database</li><li>R2 media storage</li><li>Edge computing</li></ul><p>Get started by exploring the admin interface and creating your own content!</p>","excerpt":"Welcome to SonicJS AI, a modern headless CMS built on Cloudflare Workers with TypeScript and Hono.js.","status":"published","tags":["welcome","cms","cloudflare"]}',
+  'published',
+  'admin-user-id',
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+);

package/migrations/002_faq_plugin.sql

@@ -0,0 +1,86 @@
+-- FAQ Plugin Migration (DEPRECATED - Now managed by third-party plugin)
+-- Creates FAQ table for the FAQ plugin
+-- NOTE: This migration is kept for historical purposes. 
+-- The FAQ functionality is now provided by the faq-plugin third-party plugin.
+
+CREATE TABLE IF NOT EXISTS faqs (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  question TEXT NOT NULL,
+  answer TEXT NOT NULL,
+  category TEXT,
+  tags TEXT,
+  isPublished INTEGER NOT NULL DEFAULT 1,
+  sortOrder INTEGER NOT NULL DEFAULT 0,
+  created_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now')),
+  updated_at INTEGER NOT NULL DEFAULT (strftime('%s', 'now'))
+);
+
+-- Create indexes for better performance
+CREATE INDEX IF NOT EXISTS idx_faqs_category ON faqs(category);
+CREATE INDEX IF NOT EXISTS idx_faqs_published ON faqs(isPublished);
+CREATE INDEX IF NOT EXISTS idx_faqs_sort_order ON faqs(sortOrder);
+
+-- Create trigger to update updated_at timestamp
+CREATE TRIGGER IF NOT EXISTS faqs_updated_at
+  AFTER UPDATE ON faqs
+BEGIN
+  UPDATE faqs SET updated_at = strftime('%s', 'now') WHERE id = NEW.id;
+END;
+
+-- Insert sample FAQ data
+INSERT OR IGNORE INTO faqs (question, answer, category, tags, isPublished, sortOrder) VALUES 
+('What is SonicJS AI?', 
+'SonicJS AI is a modern, TypeScript-first headless CMS built for Cloudflare''s edge platform. It provides a complete content management system with admin interface, API endpoints, and plugin architecture.',
+'general',
+'sonicjs, cms, cloudflare',
+1,
+1),
+
+('How do I get started with SonicJS AI?',
+'To get started: 1) Clone the repository, 2) Install dependencies with npm install, 3) Set up your Cloudflare account and services, 4) Run the development server with npm run dev, 5) Access the admin interface at /admin.',
+'general',
+'getting-started, setup',
+1,
+2),
+
+('What technologies does SonicJS AI use?',
+'SonicJS AI is built with: TypeScript for type safety, Hono.js as the web framework, Cloudflare D1 for the database, Cloudflare R2 for media storage, Cloudflare Workers for serverless execution, and Tailwind CSS for styling.',
+'technical',
+'technology-stack, typescript, cloudflare',
+1,
+3),
+
+('How do I create content in SonicJS AI?',
+'Content creation is done through the admin interface. Navigate to /admin, log in with your credentials, go to Content section, select a collection, and click "New Content" to create articles, pages, or other content types.',
+'general',
+'content-creation, admin',
+1,
+4),
+
+('Is SonicJS AI free to use?',
+'SonicJS AI is open source and free to use. You only pay for the Cloudflare services you consume (D1 database, R2 storage, Workers execution time). Cloudflare offers generous free tiers for development and small projects.',
+'billing',
+'pricing, open-source, cloudflare',
+1,
+5),
+
+('How do I add custom functionality?',
+'SonicJS AI features a plugin system that allows you to extend functionality. You can create plugins using the PluginBuilder API, add custom routes, models, admin pages, and integrate with external services.',
+'technical',
+'plugins, customization, development',
+1,
+6),
+
+('Can I customize the admin interface?',
+'Yes! The admin interface is built with TypeScript templates and can be customized. You can modify existing templates, create new components, add custom pages, and integrate your own styling while maintaining the dark theme.',
+'technical',
+'admin-interface, customization, templates',
+1,
+7),
+
+('How does authentication work?',
+'SonicJS AI includes a built-in authentication system with JWT tokens, role-based access control (admin, editor, viewer), secure password hashing, and session management. Users can be managed through the admin interface.',
+'technical',
+'authentication, security, users',
+1,
+8);

package/migrations/003_stage5_enhancements.sql

@@ -0,0 +1,121 @@
+-- Stage 5: Advanced Content Management enhancements
+-- Add scheduling and workflow features to content table
+
+-- Add content scheduling columns
+ALTER TABLE content ADD COLUMN scheduled_publish_at INTEGER;
+ALTER TABLE content ADD COLUMN scheduled_unpublish_at INTEGER;
+
+-- Add workflow and review columns
+ALTER TABLE content ADD COLUMN review_status TEXT DEFAULT 'none'; -- none, pending, approved, rejected
+ALTER TABLE content ADD COLUMN reviewer_id TEXT REFERENCES users(id);
+ALTER TABLE content ADD COLUMN reviewed_at INTEGER;
+ALTER TABLE content ADD COLUMN review_notes TEXT;
+
+-- Add content metadata
+ALTER TABLE content ADD COLUMN meta_title TEXT;
+ALTER TABLE content ADD COLUMN meta_description TEXT;
+ALTER TABLE content ADD COLUMN featured_image_id TEXT REFERENCES media(id);
+ALTER TABLE content ADD COLUMN content_type TEXT DEFAULT 'standard'; -- standard, template, component
+
+-- Create content_fields table for dynamic field definitions
+CREATE TABLE IF NOT EXISTS content_fields (
+  id TEXT PRIMARY KEY,
+  collection_id TEXT NOT NULL REFERENCES collections(id),
+  field_name TEXT NOT NULL,
+  field_type TEXT NOT NULL, -- text, richtext, number, boolean, date, select, media, relationship
+  field_label TEXT NOT NULL,
+  field_options TEXT, -- JSON for select options, validation rules, etc.
+  field_order INTEGER NOT NULL DEFAULT 0,
+  is_required INTEGER NOT NULL DEFAULT 0,
+  is_searchable INTEGER NOT NULL DEFAULT 0,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  UNIQUE(collection_id, field_name)
+);
+
+-- Create content_relationships table for content relationships
+CREATE TABLE IF NOT EXISTS content_relationships (
+  id TEXT PRIMARY KEY,
+  source_content_id TEXT NOT NULL REFERENCES content(id),
+  target_content_id TEXT NOT NULL REFERENCES content(id),
+  relationship_type TEXT NOT NULL, -- references, tags, categories
+  created_at INTEGER NOT NULL,
+  UNIQUE(source_content_id, target_content_id, relationship_type)
+);
+
+-- Create workflow_templates table for reusable workflows
+CREATE TABLE IF NOT EXISTS workflow_templates (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  description TEXT,
+  collection_id TEXT REFERENCES collections(id), -- null means applies to all collections
+  workflow_steps TEXT NOT NULL, -- JSON array of workflow steps
+  is_active INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- Add indexes for new columns
+CREATE INDEX IF NOT EXISTS idx_content_scheduled_publish ON content(scheduled_publish_at);
+CREATE INDEX IF NOT EXISTS idx_content_scheduled_unpublish ON content(scheduled_unpublish_at);
+CREATE INDEX IF NOT EXISTS idx_content_review_status ON content(review_status);
+CREATE INDEX IF NOT EXISTS idx_content_reviewer ON content(reviewer_id);
+CREATE INDEX IF NOT EXISTS idx_content_content_type ON content(content_type);
+
+CREATE INDEX IF NOT EXISTS idx_content_fields_collection ON content_fields(collection_id);
+CREATE INDEX IF NOT EXISTS idx_content_fields_name ON content_fields(field_name);
+CREATE INDEX IF NOT EXISTS idx_content_fields_type ON content_fields(field_type);
+CREATE INDEX IF NOT EXISTS idx_content_fields_order ON content_fields(field_order);
+
+CREATE INDEX IF NOT EXISTS idx_content_relationships_source ON content_relationships(source_content_id);
+CREATE INDEX IF NOT EXISTS idx_content_relationships_target ON content_relationships(target_content_id);
+CREATE INDEX IF NOT EXISTS idx_content_relationships_type ON content_relationships(relationship_type);
+
+CREATE INDEX IF NOT EXISTS idx_workflow_templates_collection ON workflow_templates(collection_id);
+CREATE INDEX IF NOT EXISTS idx_workflow_templates_active ON workflow_templates(is_active);
+
+-- Insert default workflow template
+INSERT OR IGNORE INTO workflow_templates (
+  id, name, description, workflow_steps, is_active, created_at, updated_at
+) VALUES (
+  'default-content-workflow',
+  'Default Content Workflow',
+  'Standard content workflow: Draft → Review → Published',
+  '[
+    {"step": "draft", "name": "Draft", "description": "Content is being created", "permissions": ["author", "editor", "admin"]},
+    {"step": "review", "name": "Under Review", "description": "Content is pending review", "permissions": ["editor", "admin"]},
+    {"step": "published", "name": "Published", "description": "Content is live", "permissions": ["editor", "admin"]},
+    {"step": "archived", "name": "Archived", "description": "Content is archived", "permissions": ["admin"]}
+  ]',
+  1,
+  strftime('%s', 'now') * 1000,
+  strftime('%s', 'now') * 1000
+);
+
+-- Insert enhanced field definitions for existing collections
+INSERT OR IGNORE INTO content_fields (
+  id, collection_id, field_name, field_type, field_label, field_options, field_order, is_required, is_searchable, created_at, updated_at
+) VALUES 
+-- Blog Posts fields
+('blog-title-field', 'blog-posts-collection', 'title', 'text', 'Title', '{"maxLength": 200, "placeholder": "Enter blog post title"}', 1, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-content-field', 'blog-posts-collection', 'content', 'richtext', 'Content', '{"toolbar": "full", "height": 400}', 2, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-excerpt-field', 'blog-posts-collection', 'excerpt', 'text', 'Excerpt', '{"maxLength": 500, "rows": 3, "placeholder": "Brief description of the post"}', 3, 0, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-tags-field', 'blog-posts-collection', 'tags', 'select', 'Tags', '{"multiple": true, "options": ["technology", "business", "tutorial", "news", "update"], "allowCustom": true}', 4, 0, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-featured-image-field', 'blog-posts-collection', 'featured_image', 'media', 'Featured Image', '{"accept": "image/*", "maxSize": "5MB"}', 5, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-publish-date-field', 'blog-posts-collection', 'publish_date', 'date', 'Publish Date', '{"format": "YYYY-MM-DD", "defaultToday": true}', 6, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('blog-featured-field', 'blog-posts-collection', 'is_featured', 'boolean', 'Featured Post', '{"default": false}', 7, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+
+-- Pages fields
+('pages-title-field', 'pages-collection', 'title', 'text', 'Title', '{"maxLength": 200, "placeholder": "Enter page title"}', 1, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('pages-content-field', 'pages-collection', 'content', 'richtext', 'Content', '{"toolbar": "full", "height": 500}', 2, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('pages-slug-field', 'pages-collection', 'slug', 'text', 'URL Slug', '{"pattern": "^[a-z0-9-]+$", "placeholder": "url-friendly-slug"}', 3, 1, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('pages-meta-desc-field', 'pages-collection', 'meta_description', 'text', 'Meta Description', '{"maxLength": 160, "rows": 2, "placeholder": "SEO description for search engines"}', 4, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('pages-template-field', 'pages-collection', 'template', 'select', 'Page Template', '{"options": ["default", "landing", "contact", "about"], "default": "default"}', 5, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+
+-- News fields
+('news-title-field', 'news-collection', 'title', 'text', 'Title', '{"maxLength": 200, "placeholder": "Enter news title"}', 1, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('news-content-field', 'news-collection', 'content', 'richtext', 'Content', '{"toolbar": "news", "height": 400}', 2, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('news-category-field', 'news-collection', 'category', 'select', 'Category', '{"options": ["technology", "business", "politics", "sports", "entertainment", "health"], "required": true}', 3, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('news-author-field', 'news-collection', 'author', 'text', 'Author', '{"placeholder": "Author name"}', 4, 1, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('news-source-field', 'news-collection', 'source', 'text', 'Source', '{"placeholder": "News source"}', 5, 0, 1, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000),
+('news-priority-field', 'news-collection', 'priority', 'select', 'Priority', '{"options": ["low", "normal", "high", "breaking"], "default": "normal"}', 6, 0, 0, strftime('%s', 'now') * 1000, strftime('%s', 'now') * 1000);

package/migrations/004_stage6_user_management.sql

@@ -0,0 +1,183 @@
+-- Stage 6: User Management & Permissions enhancements
+-- Enhanced user system with profiles, teams, permissions, and activity logging
+
+-- Add user profile and preferences columns
+ALTER TABLE users ADD COLUMN phone TEXT;
+ALTER TABLE users ADD COLUMN bio TEXT;
+ALTER TABLE users ADD COLUMN avatar_url TEXT;
+ALTER TABLE users ADD COLUMN timezone TEXT DEFAULT 'UTC';
+ALTER TABLE users ADD COLUMN language TEXT DEFAULT 'en';
+ALTER TABLE users ADD COLUMN email_notifications INTEGER DEFAULT 1;
+ALTER TABLE users ADD COLUMN theme TEXT DEFAULT 'dark';
+ALTER TABLE users ADD COLUMN two_factor_enabled INTEGER DEFAULT 0;
+ALTER TABLE users ADD COLUMN two_factor_secret TEXT;
+ALTER TABLE users ADD COLUMN password_reset_token TEXT;
+ALTER TABLE users ADD COLUMN password_reset_expires INTEGER;
+ALTER TABLE users ADD COLUMN email_verified INTEGER DEFAULT 0;
+ALTER TABLE users ADD COLUMN email_verification_token TEXT;
+ALTER TABLE users ADD COLUMN invitation_token TEXT;
+ALTER TABLE users ADD COLUMN invited_by TEXT REFERENCES users(id);
+ALTER TABLE users ADD COLUMN invited_at INTEGER;
+ALTER TABLE users ADD COLUMN accepted_invitation_at INTEGER;
+
+-- Create teams table for team-based collaboration
+CREATE TABLE IF NOT EXISTS teams (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  description TEXT,
+  slug TEXT NOT NULL UNIQUE,
+  owner_id TEXT NOT NULL REFERENCES users(id),
+  settings TEXT, -- JSON for team settings
+  is_active INTEGER NOT NULL DEFAULT 1,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- Create team memberships table
+CREATE TABLE IF NOT EXISTS team_memberships (
+  id TEXT PRIMARY KEY,
+  team_id TEXT NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  role TEXT NOT NULL DEFAULT 'member', -- owner, admin, editor, member, viewer
+  permissions TEXT, -- JSON for specific permissions
+  joined_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  UNIQUE(team_id, user_id)
+);
+
+-- Create permissions table for granular access control
+CREATE TABLE IF NOT EXISTS permissions (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL UNIQUE,
+  description TEXT,
+  category TEXT NOT NULL, -- content, users, collections, media, settings
+  created_at INTEGER NOT NULL
+);
+
+-- Create role permissions mapping
+CREATE TABLE IF NOT EXISTS role_permissions (
+  id TEXT PRIMARY KEY,
+  role TEXT NOT NULL,
+  permission_id TEXT NOT NULL REFERENCES permissions(id),
+  created_at INTEGER NOT NULL,
+  UNIQUE(role, permission_id)
+);
+
+-- Create user sessions table for better session management
+CREATE TABLE IF NOT EXISTS user_sessions (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  token_hash TEXT NOT NULL,
+  ip_address TEXT,
+  user_agent TEXT,
+  is_active INTEGER NOT NULL DEFAULT 1,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL,
+  last_used_at INTEGER
+);
+
+-- Create activity log table for audit trails
+CREATE TABLE IF NOT EXISTS activity_logs (
+  id TEXT PRIMARY KEY,
+  user_id TEXT REFERENCES users(id),
+  action TEXT NOT NULL,
+  resource_type TEXT, -- users, content, collections, media, etc.
+  resource_id TEXT,
+  details TEXT, -- JSON with additional details
+  ip_address TEXT,
+  user_agent TEXT,
+  created_at INTEGER NOT NULL
+);
+
+-- Create password history table for security
+CREATE TABLE IF NOT EXISTS password_history (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  password_hash TEXT NOT NULL,
+  created_at INTEGER NOT NULL
+);
+
+-- Insert default permissions
+INSERT OR IGNORE INTO permissions (id, name, description, category, created_at) VALUES
+  ('perm_content_create', 'content.create', 'Create new content', 'content', strftime('%s', 'now') * 1000),
+  ('perm_content_read', 'content.read', 'View content', 'content', strftime('%s', 'now') * 1000),
+  ('perm_content_update', 'content.update', 'Edit existing content', 'content', strftime('%s', 'now') * 1000),
+  ('perm_content_delete', 'content.delete', 'Delete content', 'content', strftime('%s', 'now') * 1000),
+  ('perm_content_publish', 'content.publish', 'Publish/unpublish content', 'content', strftime('%s', 'now') * 1000),
+  
+  ('perm_collections_create', 'collections.create', 'Create new collections', 'collections', strftime('%s', 'now') * 1000),
+  ('perm_collections_read', 'collections.read', 'View collections', 'collections', strftime('%s', 'now') * 1000),
+  ('perm_collections_update', 'collections.update', 'Edit collections', 'collections', strftime('%s', 'now') * 1000),
+  ('perm_collections_delete', 'collections.delete', 'Delete collections', 'collections', strftime('%s', 'now') * 1000),
+  ('perm_collections_fields', 'collections.fields', 'Manage collection fields', 'collections', strftime('%s', 'now') * 1000),
+  
+  ('perm_media_upload', 'media.upload', 'Upload media files', 'media', strftime('%s', 'now') * 1000),
+  ('perm_media_read', 'media.read', 'View media files', 'media', strftime('%s', 'now') * 1000),
+  ('perm_media_update', 'media.update', 'Edit media metadata', 'media', strftime('%s', 'now') * 1000),
+  ('perm_media_delete', 'media.delete', 'Delete media files', 'media', strftime('%s', 'now') * 1000),
+  
+  ('perm_users_create', 'users.create', 'Invite new users', 'users', strftime('%s', 'now') * 1000),
+  ('perm_users_read', 'users.read', 'View user profiles', 'users', strftime('%s', 'now') * 1000),
+  ('perm_users_update', 'users.update', 'Edit user profiles', 'users', strftime('%s', 'now') * 1000),
+  ('perm_users_delete', 'users.delete', 'Deactivate users', 'users', strftime('%s', 'now') * 1000),
+  ('perm_users_roles', 'users.roles', 'Manage user roles', 'users', strftime('%s', 'now') * 1000),
+  
+  ('perm_settings_read', 'settings.read', 'View system settings', 'settings', strftime('%s', 'now') * 1000),
+  ('perm_settings_update', 'settings.update', 'Modify system settings', 'settings', strftime('%s', 'now') * 1000),
+  ('perm_activity_read', 'activity.read', 'View activity logs', 'settings', strftime('%s', 'now') * 1000);
+
+-- Assign permissions to default roles
+INSERT OR IGNORE INTO role_permissions (id, role, permission_id, created_at) VALUES
+  -- Admin has all permissions
+  ('rp_admin_content_create', 'admin', 'perm_content_create', strftime('%s', 'now') * 1000),
+  ('rp_admin_content_read', 'admin', 'perm_content_read', strftime('%s', 'now') * 1000),
+  ('rp_admin_content_update', 'admin', 'perm_content_update', strftime('%s', 'now') * 1000),
+  ('rp_admin_content_delete', 'admin', 'perm_content_delete', strftime('%s', 'now') * 1000),
+  ('rp_admin_content_publish', 'admin', 'perm_content_publish', strftime('%s', 'now') * 1000),
+  ('rp_admin_collections_create', 'admin', 'perm_collections_create', strftime('%s', 'now') * 1000),
+  ('rp_admin_collections_read', 'admin', 'perm_collections_read', strftime('%s', 'now') * 1000),
+  ('rp_admin_collections_update', 'admin', 'perm_collections_update', strftime('%s', 'now') * 1000),
+  ('rp_admin_collections_delete', 'admin', 'perm_collections_delete', strftime('%s', 'now') * 1000),
+  ('rp_admin_collections_fields', 'admin', 'perm_collections_fields', strftime('%s', 'now') * 1000),
+  ('rp_admin_media_upload', 'admin', 'perm_media_upload', strftime('%s', 'now') * 1000),
+  ('rp_admin_media_read', 'admin', 'perm_media_read', strftime('%s', 'now') * 1000),
+  ('rp_admin_media_update', 'admin', 'perm_media_update', strftime('%s', 'now') * 1000),
+  ('rp_admin_media_delete', 'admin', 'perm_media_delete', strftime('%s', 'now') * 1000),
+  ('rp_admin_users_create', 'admin', 'perm_users_create', strftime('%s', 'now') * 1000),
+  ('rp_admin_users_read', 'admin', 'perm_users_read', strftime('%s', 'now') * 1000),
+  ('rp_admin_users_update', 'admin', 'perm_users_update', strftime('%s', 'now') * 1000),
+  ('rp_admin_users_delete', 'admin', 'perm_users_delete', strftime('%s', 'now') * 1000),
+  ('rp_admin_users_roles', 'admin', 'perm_users_roles', strftime('%s', 'now') * 1000),
+  ('rp_admin_settings_read', 'admin', 'perm_settings_read', strftime('%s', 'now') * 1000),
+  ('rp_admin_settings_update', 'admin', 'perm_settings_update', strftime('%s', 'now') * 1000),
+  ('rp_admin_activity_read', 'admin', 'perm_activity_read', strftime('%s', 'now') * 1000),
+  
+  -- Editor permissions
+  ('rp_editor_content_create', 'editor', 'perm_content_create', strftime('%s', 'now') * 1000),
+  ('rp_editor_content_read', 'editor', 'perm_content_read', strftime('%s', 'now') * 1000),
+  ('rp_editor_content_update', 'editor', 'perm_content_update', strftime('%s', 'now') * 1000),
+  ('rp_editor_content_publish', 'editor', 'perm_content_publish', strftime('%s', 'now') * 1000),
+  ('rp_editor_collections_read', 'editor', 'perm_collections_read', strftime('%s', 'now') * 1000),
+  ('rp_editor_media_upload', 'editor', 'perm_media_upload', strftime('%s', 'now') * 1000),
+  ('rp_editor_media_read', 'editor', 'perm_media_read', strftime('%s', 'now') * 1000),
+  ('rp_editor_media_update', 'editor', 'perm_media_update', strftime('%s', 'now') * 1000),
+  ('rp_editor_users_read', 'editor', 'perm_users_read', strftime('%s', 'now') * 1000),
+  
+  -- Viewer permissions
+  ('rp_viewer_content_read', 'viewer', 'perm_content_read', strftime('%s', 'now') * 1000),
+  ('rp_viewer_collections_read', 'viewer', 'perm_collections_read', strftime('%s', 'now') * 1000),
+  ('rp_viewer_media_read', 'viewer', 'perm_media_read', strftime('%s', 'now') * 1000),
+  ('rp_viewer_users_read', 'viewer', 'perm_users_read', strftime('%s', 'now') * 1000);
+
+-- Create indexes for performance
+CREATE INDEX IF NOT EXISTS idx_team_memberships_team_id ON team_memberships(team_id);
+CREATE INDEX IF NOT EXISTS idx_team_memberships_user_id ON team_memberships(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_sessions_user_id ON user_sessions(user_id);
+CREATE INDEX IF NOT EXISTS idx_user_sessions_token_hash ON user_sessions(token_hash);
+CREATE INDEX IF NOT EXISTS idx_activity_logs_user_id ON activity_logs(user_id);
+CREATE INDEX IF NOT EXISTS idx_activity_logs_created_at ON activity_logs(created_at);
+CREATE INDEX IF NOT EXISTS idx_activity_logs_resource ON activity_logs(resource_type, resource_id);
+CREATE INDEX IF NOT EXISTS idx_password_history_user_id ON password_history(user_id);
+CREATE INDEX IF NOT EXISTS idx_users_email_verification_token ON users(email_verification_token);
+CREATE INDEX IF NOT EXISTS idx_users_password_reset_token ON users(password_reset_token);
+CREATE INDEX IF NOT EXISTS idx_users_invitation_token ON users(invitation_token);