@sonicjs-cms/core 2.18.1 → 3.0.0-beta.2

package/dist/types-Dea1eNxU.d.ts

@@ -0,0 +1,286 @@
+/**
+ * Typed hook event catalog
+ *
+ * The single source of truth for which lifecycle events a plugin may subscribe
+ * to, and the payload shape each one carries. Subscribing through the typed
+ * facade (`createTypedHooks`) gives a plugin the narrowed payload type with no
+ * casting — TypeScript rejects a wrong field name at the `.on()` call site.
+ *
+ * Scope note: this catalog lists the events that are (or are being) dispatched
+ * in production. The legacy string-keyed `HOOKS` map in `../types` declared many
+ * more events than were ever fired; reconciling that list down to what actually
+ * dispatches is tracked in the plugin-overhaul plan. Add an event here only when
+ * a real dispatch site exists (or is landing in the same change).
+ */
+/**
+ * The acting user on a hook event. ONE canonical shape across every event —
+ * always `id` (never `userId`), so a plugin reading `payload.user.id` works on
+ * content events and auth events alike.
+ */
+interface HookActor {
+    id: string;
+    email: string;
+    role?: string;
+}
+/** Common shape for content lifecycle events. */
+interface ContentEventPayload {
+    /** Collection / content-type slug the event is about. */
+    collection: string;
+    /** Content row id, when known (absent for pre-create events). */
+    id?: string;
+    /** The content data being read/written. Mutable by `before` handlers in the chain. */
+    data: Record<string, unknown>;
+    /** The acting user, when the event originates from an authenticated request. */
+    user?: HookActor;
+}
+/** Emitted after a user completes self-registration. */
+interface AuthRegistrationCompletedPayload {
+    user: HookActor;
+}
+/** Emitted when a password reset is requested (carries the reset token internally). */
+interface AuthPasswordResetRequestedPayload {
+    user: HookActor;
+    /** Single-use reset token. Never expose this in an API response. */
+    resetToken: string;
+}
+/** Emitted after a password reset is confirmed. */
+interface AuthPasswordResetCompletedPayload {
+    user: HookActor;
+}
+/** Emitted after a magic-link sign-in link is successfully consumed. */
+interface AuthMagicLinkConsumedPayload {
+    user: HookActor;
+}
+/** Emitted after an OTP code is successfully verified. */
+interface AuthOtpVerifiedPayload {
+    user: HookActor;
+}
+/**
+ * The catalog: event name → payload type.
+ *
+ * Keep keys in sync with `HookEventName` (derived below) and with the dispatch
+ * sites. This is an interface (not a const) so it participates in type-level
+ * lookups and can be augmented via declaration merging if a downstream package
+ * needs to extend it.
+ */
+interface HookEventPayloads {
+    'content:read': ContentEventPayload;
+    'content:before:create': ContentEventPayload;
+    'content:before:update': ContentEventPayload;
+    'content:before:delete': ContentEventPayload;
+    'content:after:create': ContentEventPayload;
+    'content:after:update': ContentEventPayload;
+    'content:after:delete': ContentEventPayload;
+    'content:after:publish': ContentEventPayload;
+    'auth:registration:completed': AuthRegistrationCompletedPayload;
+    'auth:password-reset:requested': AuthPasswordResetRequestedPayload;
+    'auth:password-reset:completed': AuthPasswordResetCompletedPayload;
+    'auth:magic-link:consumed': AuthMagicLinkConsumedPayload;
+    'auth:otp:verified': AuthOtpVerifiedPayload;
+}
+/** Union of all catalog event names. */
+type HookEventName = keyof HookEventPayloads;
+/** The payload type for a given event name. */
+type HookPayload<E extends HookEventName> = HookEventPayloads[E];
+/**
+ * Runtime list of catalog event names.
+ *
+ * Useful for validation (e.g. "is this a known event?") and for diagnostics.
+ * Kept as a typed tuple so it can't silently drift from the interface: any new
+ * key added to `HookEventPayloads` should be added here too, and the
+ * `satisfies` check below fails the build if the list references an unknown
+ * event.
+ */
+declare const HOOK_EVENT_NAMES: readonly ["content:read", "content:before:create", "content:before:update", "content:before:delete", "content:after:create", "content:after:update", "content:after:delete", "content:after:publish", "auth:registration:completed", "auth:password-reset:requested", "auth:password-reset:completed", "auth:magic-link:consumed", "auth:otp:verified"];
+/** True if `name` is a canonical catalog event. */
+declare function isKnownHookEvent(name: string): name is HookEventName;
+/** Deprecated event names mapped to their canonical payload type. */
+interface LegacyHookEventPayloads {
+    'content:create': ContentEventPayload;
+    'content:update': ContentEventPayload;
+    'content:delete': ContentEventPayload;
+    'content:publish': ContentEventPayload;
+    /** No after-only successor; folded into update. */
+    'content:save': ContentEventPayload;
+}
+/** Map each deprecated name to the canonical name it resolves to. */
+declare const LEGACY_EVENT_ALIASES: {
+    readonly 'content:create': "content:after:create";
+    readonly 'content:update': "content:after:update";
+    readonly 'content:delete': "content:after:delete";
+    readonly 'content:publish': "content:after:publish";
+    readonly 'content:save': "content:after:update";
+};
+/** A deprecated event name accepted (with a warning) at subscribe time. */
+type LegacyHookEventName = keyof LegacyHookEventPayloads;
+/** True if `name` is a deprecated alias. */
+declare function isLegacyHookEvent(name: string): name is LegacyHookEventName;
+/**
+ * Resolve a subscribe-time event name to its canonical form: returns the name
+ * itself if canonical, the aliased canonical name if deprecated, or `undefined`
+ * if unknown.
+ */
+declare function resolveHookEventName(name: string): HookEventName | undefined;
+
+/**
+ * Typed hook facade
+ *
+ * Wraps the (string-keyed, untyped) hook system in a catalog-aware API:
+ *
+ *   const hooks = createTypedHooks(hookSystem)
+ *   hooks.on('auth:registration:completed', (payload) => {
+ *     payload.user.email   // ✓ narrowed — no cast
+ *     payload.user.nope    // ✗ type error
+ *   })
+ *   await hooks.dispatch('auth:registration:completed', { user: {...} })
+ *
+ * The facade is intentionally structural about the underlying hook system (see
+ * `HookSystemLike`) so both `HookSystemImpl` and `ScopedHookSystem` — and the
+ * `src`/`dist` duplicate type identities — all satisfy it without casts.
+ */
+
+/** A name accepted at subscribe time: a canonical event or a deprecated alias. */
+type SubscribableEvent = HookEventName | LegacyHookEventName;
+/** The payload type for a subscribable name — canonical payload, even for aliases. */
+type PayloadForEvent<E extends SubscribableEvent> = E extends HookEventName ? HookPayload<E> : E extends LegacyHookEventName ? LegacyHookEventPayloads[E] : never;
+/**
+ * Minimal structural contract the typed facade needs from a hook system.
+ * Satisfied by `HookSystemImpl` and `ScopedHookSystem`.
+ */
+interface HookSystemLike {
+    register(hookName: string, handler: (data: any, context: any) => any, priority?: number): void;
+    execute(hookName: string, data: any, context?: any): Promise<any>;
+    unregister?(hookName: string, handler: (data: any, context: any) => any): void;
+}
+/** Context passed to a typed hook handler (kept loose; mirrors the legacy HookContext). */
+interface TypedHookContext {
+    /** Plugin that registered the hook, if known. */
+    plugin?: string;
+    /** Cancel the remaining hook chain. */
+    cancel?: () => void;
+    [key: string]: unknown;
+}
+/**
+ * A typed hook handler. May mutate and return the payload (threaded to the next
+ * handler), or return nothing (the current payload is preserved).
+ */
+type TypedHookHandler<E extends HookEventName> = (payload: HookPayload<E>, context: TypedHookContext) => HookPayload<E> | void | Promise<HookPayload<E> | void>;
+interface TypedHooks {
+    /**
+     * Subscribe to a catalog event. Accepts canonical names and (for one release)
+     * deprecated aliases — an alias resolves to its canonical name and emits a
+     * one-time deprecation warning. Lower priority runs earlier (default 10).
+     */
+    on<E extends SubscribableEvent>(event: E, handler: (payload: PayloadForEvent<E>, context: TypedHookContext) => PayloadForEvent<E> | void | Promise<PayloadForEvent<E> | void>, priority?: number): void;
+    /**
+     * Dispatch a catalog event through the handler chain. Canonical names only —
+     * the host owns dispatch sites. Returns the (possibly mutated) payload.
+     */
+    dispatch<E extends HookEventName>(event: E, payload: HookPayload<E>, context?: TypedHookContext): Promise<HookPayload<E>>;
+}
+/**
+ * Build a typed facade over a hook system.
+ *
+ * `on()` resolves deprecated aliases to canonical names (warning once), then
+ * registers under the canonical name so a legacy subscriber fires when the host
+ * dispatches the canonical event. Returning `void` from a handler preserves the
+ * current payload in the chain (the underlying `execute()` threads whatever each
+ * handler returns, so we coalesce `undefined` back to the incoming data).
+ */
+declare function createTypedHooks(hookSystem: HookSystemLike): TypedHooks;
+
+/**
+ * Provider-agnostic email types
+ *
+ * The whole point of this layer: a SonicJS app sends mail through one
+ * `EmailService` chokepoint, and the *transport* is a swappable `EmailProvider`.
+ * Built-ins ship for Resend and SendGrid, but a developer can drop in any
+ * implementation of `EmailProvider` (Postmark, SES, an internal relay, a mock in
+ * tests) without touching call sites. Every send is recorded in `email_log`.
+ */
+/** A message as authored by a caller. `from` is optional (the service fills a default). */
+interface EmailMessage {
+    to: string | string[];
+    subject: string;
+    html?: string;
+    text?: string;
+    /** Overrides the service's default from-address. */
+    from?: string;
+    replyTo?: string;
+    cc?: string | string[];
+    bcc?: string | string[];
+    /** Extra transport headers. */
+    headers?: Record<string, string>;
+    /**
+     * Logical flow this send belongs to (e.g. `'password-reset'`, `'otp'`,
+     * `'magic-link'`, `'welcome'`, `'test'`). Recorded in `email_log.flow` for
+     * observability; does not affect delivery.
+     */
+    flow?: string;
+    /** Free-form metadata recorded (as JSON) in `email_log.metadata`. */
+    metadata?: Record<string, unknown>;
+}
+/** A message after the service has resolved defaults — what a provider receives. */
+interface NormalizedEmailMessage extends Omit<EmailMessage, 'to' | 'cc' | 'bcc'> {
+    to: string[];
+    from: string;
+    cc?: string[];
+    bcc?: string[];
+}
+/** Outcome of a single send attempt. */
+interface SendResult {
+    ok: boolean;
+    /** Provider that handled (or attempted) the send. */
+    provider: string;
+    /** Provider-side message id, when the transport returns one. */
+    providerId?: string;
+    /** Error message when `ok` is false. */
+    error?: string;
+    /** id of the `email_log` row written for this attempt, when logging is enabled. */
+    logId?: string;
+}
+/**
+ * A swappable email transport.
+ *
+ * Implement this to support any provider. `isConfigured()` lets the service (and
+ * `resolveEmailProvider`) decide whether a provider is usable before attempting a
+ * send — e.g. a Resend provider with no API key reports `false`.
+ */
+/**
+ * An email_log entry as seen by the reconciliation method.
+ * Derived from the documents row data JSON for type_id='email_log'.
+ * `id` is the document root_id used to identify the row.
+ */
+interface EmailLogRow {
+    id: string;
+    provider_id?: string | null;
+    provider: string;
+    status: 'sent' | 'failed' | string;
+    delivery_state?: string | null;
+}
+interface EmailProvider {
+    /** Stable identifier recorded in `email_log.provider` (e.g. `'resend'`). */
+    readonly name: string;
+    /** True if the provider has everything it needs to send (credentials, etc.). */
+    isConfigured(): boolean;
+    /** Attempt delivery. Must not throw for ordinary failures — return `ok: false`. */
+    send(message: NormalizedEmailMessage): Promise<SendResult>;
+    /**
+     * Optional: reconcile delivery state for a batch of recently-sent messages.
+     *
+     * Called by the core `email-reconciliation` cron. Providers that expose a
+     * delivery/event API (e.g. Cloudflare Email with delivery webhooks) implement
+     * this to backfill `delivery_state`. Providers without delivery status APIs
+     * (e.g. Resend, SendGrid at the current integration level) leave this undefined
+     * — those rows stay with `delivery_state = null`.
+     *
+     * Returning an array of `{ id, delivery_state }` updates the matching rows in
+     * `email_log`. Errors do not propagate (cron is fire-and-log).
+     */
+    reconcile?(rows: EmailLogRow[]): Promise<Array<{
+        id: string;
+        delivery_state: string;
+    }>>;
+}
+
+export { type AuthMagicLinkConsumedPayload as A, type ContentEventPayload as C, type EmailProvider as E, HOOK_EVENT_NAMES as H, LEGACY_EVENT_ALIASES as L, type NormalizedEmailMessage as N, type PayloadForEvent as P, type SubscribableEvent as S, type TypedHookContext as T, type AuthOtpVerifiedPayload as a, type AuthPasswordResetCompletedPayload as b, type AuthPasswordResetRequestedPayload as c, type AuthRegistrationCompletedPayload as d, type HookActor as e, type HookEventName as f, type HookEventPayloads as g, type HookPayload as h, type HookSystemLike as i, type LegacyHookEventName as j, type LegacyHookEventPayloads as k, type TypedHookHandler as l, type TypedHooks as m, createTypedHooks as n, isKnownHookEvent as o, isLegacyHookEvent as p, type SendResult as q, resolveHookEventName as r, type EmailLogRow as s, type EmailMessage as t };

package/dist/types.d.cts

@@ -1,4 +1,4 @@
-export { B as BlockDefinition, a as BlockDefinitions, C as CollectionConfig, b as CollectionConfigModule, c as CollectionSchema, d as CollectionSyncResult, F as FieldConfig, e as FieldType } from './collection-config-B4PG-AaF.cjs';
+export { B as BlockDefinition, a as BlockDefinitions, C as CollectionConfig, b as CollectionConfigModule, c as CollectionSchema, d as CollectionSyncResult, F as FieldConfig, e as FieldType } from './collection-config-JgHOpFCG.cjs';
 export { A as AuthService, C as ContentService, H as HOOKS, a as HookContext, b as HookHandler, c as HookName, d as HookSystem, M as MediaService, e as ModelRelationship, P as Plugin, f as PluginAdminPage, g as PluginBuilderOptions, h as PluginComponent, i as PluginConfig, j as PluginContext, k as PluginHook, l as PluginLogger, m as PluginManager, n as PluginMenuItem, o as PluginMiddleware, p as PluginModel, q as PluginRegistry, r as PluginRoutes, s as PluginService, t as PluginStatus, u as PluginValidationResult, v as PluginValidator, S as ScopedHookSystem } from './plugin-DDYetMF-.cjs';
 export { P as PluginManifest } from './plugin-manifest-Dpy8wxIB.cjs';
 export { T as TelemetryConfig, a as TelemetryEvent, b as TelemetryIdentity, c as TelemetryProperties } from './telemetry-B9vIV4wh.cjs';

package/dist/types.d.ts

@@ -1,4 +1,4 @@
-export { B as BlockDefinition, a as BlockDefinitions, C as CollectionConfig, b as CollectionConfigModule, c as CollectionSchema, d as CollectionSyncResult, F as FieldConfig, e as FieldType } from './collection-config-B4PG-AaF.js';
+export { B as BlockDefinition, a as BlockDefinitions, C as CollectionConfig, b as CollectionConfigModule, c as CollectionSchema, d as CollectionSyncResult, F as FieldConfig, e as FieldType } from './collection-config-JgHOpFCG.js';
 export { A as AuthService, C as ContentService, H as HOOKS, a as HookContext, b as HookHandler, c as HookName, d as HookSystem, M as MediaService, e as ModelRelationship, P as Plugin, f as PluginAdminPage, g as PluginBuilderOptions, h as PluginComponent, i as PluginConfig, j as PluginContext, k as PluginHook, l as PluginLogger, m as PluginManager, n as PluginMenuItem, o as PluginMiddleware, p as PluginModel, q as PluginRegistry, r as PluginRoutes, s as PluginService, t as PluginStatus, u as PluginValidationResult, v as PluginValidator, S as ScopedHookSystem } from './plugin-DDYetMF-.js';
 export { P as PluginManifest } from './plugin-manifest-Dpy8wxIB.js';
 export { T as TelemetryConfig, a as TelemetryEvent, b as TelemetryIdentity, c as TelemetryProperties } from './telemetry-B9vIV4wh.js';

package/dist/utils.cjs

@@ -1,8 +1,9 @@
 'use strict';
 
-var chunkSQ6FNXU2_cjs = require('./chunk-SQ6FNXU2.cjs');
+var chunkIXUHXTHW_cjs = require('./chunk-IXUHXTHW.cjs');
 var chunkP3XDZL6Q_cjs = require('./chunk-P3XDZL6Q.cjs');
 var chunkRCQ2HIQD_cjs = require('./chunk-RCQ2HIQD.cjs');
+var chunkLRZIAW7U_cjs = require('./chunk-LRZIAW7U.cjs');
 var chunkMNWKYY5E_cjs = require('./chunk-MNWKYY5E.cjs');
 require('./chunk-IGJUBJBW.cjs');
 
@@ -10,43 +11,35 @@ require('./chunk-IGJUBJBW.cjs');
 
 Object.defineProperty(exports, "QueryFilterBuilder", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.QueryFilterBuilder; }
-});
-Object.defineProperty(exports, "SONICJS_VERSION", {
-  enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.SONICJS_VERSION; }
+  get: function () { return chunkIXUHXTHW_cjs.QueryFilterBuilder; }
 });
 Object.defineProperty(exports, "TemplateRenderer", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.TemplateRenderer; }
+  get: function () { return chunkIXUHXTHW_cjs.TemplateRenderer; }
 });
 Object.defineProperty(exports, "buildQuery", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.buildQuery; }
+  get: function () { return chunkIXUHXTHW_cjs.buildQuery; }
 });
 Object.defineProperty(exports, "generateSlug", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.generateSlug; }
+  get: function () { return chunkIXUHXTHW_cjs.generateSlug; }
 });
 Object.defineProperty(exports, "getBlocksFieldConfig", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.getBlocksFieldConfig; }
-});
-Object.defineProperty(exports, "getCoreVersion", {
-  enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.getCoreVersion; }
+  get: function () { return chunkIXUHXTHW_cjs.getBlocksFieldConfig; }
 });
 Object.defineProperty(exports, "parseBlocksValue", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.parseBlocksValue; }
+  get: function () { return chunkIXUHXTHW_cjs.parseBlocksValue; }
 });
 Object.defineProperty(exports, "renderTemplate", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.renderTemplate; }
+  get: function () { return chunkIXUHXTHW_cjs.renderTemplate; }
 });
 Object.defineProperty(exports, "templateRenderer", {
   enumerable: true,
-  get: function () { return chunkSQ6FNXU2_cjs.templateRenderer; }
+  get: function () { return chunkIXUHXTHW_cjs.templateRenderer; }
 });
 Object.defineProperty(exports, "generateInstallationId", {
   enumerable: true,
@@ -84,6 +77,14 @@ Object.defineProperty(exports, "metricsTracker", {
   enumerable: true,
   get: function () { return chunkRCQ2HIQD_cjs.metricsTracker; }
 });
+Object.defineProperty(exports, "SONICJS_VERSION", {
+  enumerable: true,
+  get: function () { return chunkLRZIAW7U_cjs.SONICJS_VERSION; }
+});
+Object.defineProperty(exports, "getCoreVersion", {
+  enumerable: true,
+  get: function () { return chunkLRZIAW7U_cjs.getCoreVersion; }
+});
 Object.defineProperty(exports, "escapeHtml", {
   enumerable: true,
   get: function () { return chunkMNWKYY5E_cjs.escapeHtml; }

package/dist/utils.d.cts

@@ -1,6 +1,6 @@
 export { F as FilterCondition, a as FilterGroup, b as FilterOperator, Q as QueryFilter, c as QueryFilterBuilder, d as QueryResult, S as SONICJS_VERSION, T as TemplateRenderer, e as buildQuery, f as escapeHtml, g as getCoreVersion, m as metricsTracker, r as renderTemplate, s as sanitizeInput, h as sanitizeObject, t as templateRenderer } from './version-DFTyGfIH.cjs';
 import { T as TelemetryConfig } from './telemetry-B9vIV4wh.cjs';
-import { a as BlockDefinitions } from './collection-config-B4PG-AaF.cjs';
+import { a as BlockDefinitions } from './collection-config-JgHOpFCG.cjs';
 
 /**
  * Slug generation utilities for creating URL-friendly slugs

package/dist/utils.d.ts

@@ -1,6 +1,6 @@
 export { F as FilterCondition, a as FilterGroup, b as FilterOperator, Q as QueryFilter, c as QueryFilterBuilder, d as QueryResult, S as SONICJS_VERSION, T as TemplateRenderer, e as buildQuery, f as escapeHtml, g as getCoreVersion, m as metricsTracker, r as renderTemplate, s as sanitizeInput, h as sanitizeObject, t as templateRenderer } from './version-DFTyGfIH.js';
 import { T as TelemetryConfig } from './telemetry-B9vIV4wh.js';
-import { a as BlockDefinitions } from './collection-config-B4PG-AaF.js';
+import { a as BlockDefinitions } from './collection-config-JgHOpFCG.js';
 
 /**
  * Slug generation utilities for creating URL-friendly slugs

package/dist/utils.js

@@ -1,6 +1,7 @@
-export { QueryFilterBuilder, SONICJS_VERSION, TemplateRenderer, buildQuery, generateSlug, getBlocksFieldConfig, getCoreVersion, parseBlocksValue, renderTemplate, templateRenderer } from './chunk-MGFRZO24.js';
+export { QueryFilterBuilder, TemplateRenderer, buildQuery, generateSlug, getBlocksFieldConfig, parseBlocksValue, renderTemplate, templateRenderer } from './chunk-QZGABF2M.js';
 export { generateInstallationId, generateProjectId, getDefaultTelemetryConfig, getTelemetryConfig, isTelemetryEnabled, sanitizeErrorMessage, sanitizeRoute, shouldSkipEvent } from './chunk-X7ZAEI5S.js';
 export { metricsTracker } from './chunk-FICTAGD4.js';
+export { SONICJS_VERSION, getCoreVersion } from './chunk-NMPEMSU4.js';
 export { escapeHtml, sanitizeInput, sanitizeObject } from './chunk-TQABQWOP.js';
 import './chunk-V4OQ3NZ2.js';
 //# sourceMappingURL=utils.js.map

package/migrations/0001_core.sql

@@ -0,0 +1,184 @@
+-- Migration 0001: Auth tables
+-- auth_user, auth_session, auth_account, auth_verification + BA plugin tables + RBAC + auth support.
+-- Only auth_* prefixed tables live here. All content lives in document_* tables (0002_documents.sql).
+
+-- ── auth_user ────────────────────────────────────────────────────────────────
+-- BA user model + SonicJS domain columns as BA additionalFields.
+CREATE TABLE IF NOT EXISTS auth_user (
+  id TEXT PRIMARY KEY,
+  name TEXT,
+  email TEXT NOT NULL UNIQUE,
+  email_verified INTEGER NOT NULL DEFAULT 0,
+  image TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  -- SonicJS additionalFields
+  first_name TEXT NOT NULL,
+  last_name TEXT NOT NULL,
+  role TEXT NOT NULL DEFAULT 'viewer',
+  -- Platform super-admin: bypasses the multi-tenant membership gate, uses global roles in every
+  -- tenant. Opt-in (default 0); intentionally NOT derived from the 'admin' role.
+  is_super_admin INTEGER NOT NULL DEFAULT 0,
+  avatar TEXT,
+  password_hash TEXT,
+  is_active INTEGER NOT NULL DEFAULT 1,
+  last_login_at INTEGER,
+  phone TEXT,
+  bio TEXT,
+  timezone TEXT DEFAULT 'UTC',
+  language TEXT DEFAULT 'en',
+  email_notifications INTEGER DEFAULT 1,
+  theme TEXT DEFAULT 'dark',
+  invitation_token TEXT,
+  invited_by TEXT,
+  invited_at INTEGER,
+  accepted_invitation_at INTEGER,
+  failed_login_count INTEGER NOT NULL DEFAULT 0,
+  locked_until INTEGER
+);
+
+CREATE INDEX IF NOT EXISTS idx_auth_user_email ON auth_user(email);
+CREATE INDEX IF NOT EXISTS idx_auth_user_role ON auth_user(role);
+CREATE INDEX IF NOT EXISTS idx_auth_user_invitation_token ON auth_user(invitation_token);
+CREATE INDEX IF NOT EXISTS idx_auth_user_locked_until ON auth_user(locked_until) WHERE locked_until IS NOT NULL;
+
+-- ── auth_session ─────────────────────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS auth_session (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,
+  token TEXT NOT NULL UNIQUE,
+  expires_at INTEGER NOT NULL,
+  ip_address TEXT,
+  user_agent TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_session_user_id ON auth_session(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_session_token ON auth_session(token);
+CREATE INDEX IF NOT EXISTS idx_auth_session_expires_at ON auth_session(expires_at);
+
+-- ── auth_account ─────────────────────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS auth_account (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,
+  account_id TEXT NOT NULL,
+  provider_id TEXT NOT NULL,
+  access_token TEXT,
+  refresh_token TEXT,
+  access_token_expires_at INTEGER,
+  refresh_token_expires_at INTEGER,
+  scope TEXT,
+  id_token TEXT,
+  password TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_account_user_id ON auth_account(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_account_provider ON auth_account(provider_id, account_id);
+
+-- ── auth_verification ────────────────────────────────────────────────────────
+-- Covers email verification, password reset, magic-link tokens, OTP codes.
+CREATE TABLE IF NOT EXISTS auth_verification (
+  id TEXT PRIMARY KEY,
+  identifier TEXT NOT NULL,
+  value TEXT NOT NULL,
+  expires_at INTEGER NOT NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_verification_identifier ON auth_verification(identifier);
+
+-- ── BA plugin tables ──────────────────────────────────────────────────────────
+
+CREATE TABLE IF NOT EXISTS auth_two_factor (
+  id           TEXT PRIMARY KEY,
+  secret       TEXT NOT NULL,
+  backup_codes TEXT NOT NULL,
+  user_id      TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,
+  verified     INTEGER NOT NULL DEFAULT 1,
+  created_at   INTEGER NOT NULL,
+  updated_at   INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_two_factor_user_id ON auth_two_factor(user_id);
+
+CREATE TABLE IF NOT EXISTS auth_tenant (
+  id         TEXT PRIMARY KEY,
+  name       TEXT NOT NULL,
+  slug       TEXT NOT NULL UNIQUE,
+  logo       TEXT,
+  metadata   TEXT,
+  -- SonicJS tenant-resolution fields (BA organization additionalFields):
+  status     TEXT NOT NULL DEFAULT 'active',
+  domain     TEXT,
+  notes      TEXT NOT NULL DEFAULT '',
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_tenant_domain ON auth_tenant(domain);
+
+CREATE TABLE IF NOT EXISTS auth_tenant_member (
+  id        TEXT PRIMARY KEY,
+  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,
+  user_id   TEXT NOT NULL REFERENCES auth_user(id)   ON DELETE CASCADE,
+  role      TEXT NOT NULL DEFAULT 'member',
+  email     TEXT,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  UNIQUE(tenant_id, user_id)
+);
+CREATE INDEX IF NOT EXISTS idx_auth_tenant_member_tenant ON auth_tenant_member(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_auth_tenant_member_user   ON auth_tenant_member(user_id);
+
+CREATE TABLE IF NOT EXISTS auth_tenant_invitation (
+  id         TEXT PRIMARY KEY,
+  tenant_id  TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,
+  email      TEXT NOT NULL,
+  role       TEXT NOT NULL DEFAULT 'member',
+  status     TEXT NOT NULL DEFAULT 'pending',
+  expires_at INTEGER NOT NULL,
+  inviter_id TEXT REFERENCES auth_user(id) ON DELETE SET NULL,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_tenant ON auth_tenant_invitation(tenant_id);
+CREATE INDEX IF NOT EXISTS idx_auth_tenant_invitation_email  ON auth_tenant_invitation(email);
+
+CREATE TABLE IF NOT EXISTS auth_tenant_team (
+  id        TEXT PRIMARY KEY,
+  name      TEXT NOT NULL,
+  tenant_id TEXT NOT NULL REFERENCES auth_tenant(id) ON DELETE CASCADE,
+  created_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL
+);
+
+-- ── RBAC ─────────────────────────────────────────────────────────────────────
+-- RBAC roles, verbs, and user-role assignments are document-backed (is_auth doc
+-- types rbac_role / rbac_verb / rbac_user_roles — see services/rbac.ts). The
+-- system roles/verbs/grants are seeded at bootstrap by RbacService.ensureSystemRbacSeed().
+-- No auth_rbac_* tables.
+
+-- ── Auth support tables ───────────────────────────────────────────────────────
+CREATE TABLE IF NOT EXISTS auth_password_history (
+  id TEXT PRIMARY KEY,
+  user_id TEXT NOT NULL REFERENCES auth_user(id) ON DELETE CASCADE,
+  password_hash TEXT NOT NULL,
+  created_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_password_history_user_id ON auth_password_history(user_id);
+
+CREATE TABLE IF NOT EXISTS auth_api_tokens (
+  id TEXT PRIMARY KEY,
+  name TEXT NOT NULL,
+  token TEXT NOT NULL UNIQUE,
+  user_id TEXT NOT NULL REFERENCES auth_user(id),
+  permissions TEXT NOT NULL,
+  expires_at INTEGER,
+  last_used_at INTEGER,
+  created_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_auth_api_tokens_user ON auth_api_tokens(user_id);
+CREATE INDEX IF NOT EXISTS idx_auth_api_tokens_token ON auth_api_tokens(token);
+
+-- User profiles moved to the document model: a `user_profile` document (is_auth type),
+-- one per user, addressed by slug = userId. See services/document-types-seed.ts and
+-- plugins/core-plugins/user-profiles/user-profile-document.ts. No auth_user_profiles table.