@tstdl/base 0.93.178 → 0.93.180

package/cryptography/tests/module.test.js

@@ -0,0 +1,100 @@
+import { describe, expect, test } from 'vitest';
+import { runInInjectionContext } from '../../injector/inject.js';
+import { Injector } from '../../injector/injector.js';
+import { importKey } from '../cryptography.js';
+import { configureSecrets, injectDerivedBytes, injectDerivedCryptoKey, masterSecretAlgorithm, masterSecretKeyUsages } from '../module.js';
+describe('Secrets Module', () => {
+    test('configure and derive bytes', async () => {
+        const injector = new Injector('test');
+        const key = 'my-super-secret-key';
+        configureSecrets({ injector, key });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedBytes('test-info', 32);
+            const sameDerived = injectDerivedBytes('test-info', 32);
+            const differentDerived = injectDerivedBytes('other-info', 32);
+            const bytes = await derived.getBytes();
+            expect(bytes.byteLength).toBe(32);
+            const sameBytes = await sameDerived.getBytes();
+            expect(new Uint8Array(bytes)).toEqual(new Uint8Array(sameBytes));
+            const differentBytes = await differentDerived.getBytes();
+            expect(new Uint8Array(bytes)).not.toEqual(new Uint8Array(differentBytes));
+        });
+    });
+    test('derive crypto key', async () => {
+        const injector = new Injector('test');
+        const key = 'my-super-secret-key';
+        configureSecrets({ injector, key });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedCryptoKey('test-info', { name: 'HMAC', hash: 'SHA-256' }, ['sign']);
+            const cryptoKey = await derived.getKey();
+            expect(cryptoKey.type).toBe('secret');
+            expect(cryptoKey.algorithm.name).toBe('HMAC');
+            expect(cryptoKey.usages).toContain('sign');
+        });
+    });
+    test('fail when not configured', async () => {
+        const injector = new Injector('test');
+        await runInInjectionContext(injector, async () => {
+            // getBaseKeyFromInjector should throw if not configured
+            expect(() => injectDerivedBytes('test-info', 32)).toThrow('No secret key configured');
+        });
+    });
+    test('fail when requesting bytes from key-configured derived key', async () => {
+        const injector = new Injector('test');
+        configureSecrets({ injector, key: 'secret' });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedCryptoKey('info', { name: 'HMAC', hash: 'SHA-256' }, ['sign']);
+            await expect(derived.getBytes()).rejects.toThrow('This key was not configured to derive bytes');
+        });
+    });
+    test('fail when requesting key from byte-configured derived key', async () => {
+        const injector = new Injector('test');
+        configureSecrets({ injector, key: 'secret' });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedBytes('info', 32);
+            await expect(derived.getKey()).rejects.toThrow('This key was not configured to derive a CryptoKey');
+        });
+    });
+    test('hierarchical injector configuration', async () => {
+        const parentInjector = new Injector('parent');
+        const childInjector = parentInjector.fork('child');
+        const key = 'parent-key';
+        configureSecrets({ injector: parentInjector, key });
+        await runInInjectionContext(childInjector, async () => {
+            const derived = injectDerivedBytes('info', 32);
+            const bytes = await derived.getBytes();
+            expect(bytes.byteLength).toBe(32);
+        });
+    });
+    test('global injector configuration', async () => {
+        const key = 'global-key';
+        configureSecrets({ key }); // Registers on global Injector
+        const injector = new Injector('test');
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedBytes('info', 32);
+            const bytes = await derived.getBytes();
+            expect(bytes.byteLength).toBe(32);
+        });
+    });
+    test('configureSecrets with BufferSource', async () => {
+        const injector = new Injector('test');
+        const key = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6]);
+        configureSecrets({ injector, key });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedBytes(new Uint8Array([1, 2, 3]), 32, { salt: new Uint8Array([4, 5, 6]) });
+            const bytes = await derived.getBytes();
+            expect(bytes.byteLength).toBe(32);
+        });
+    });
+    test('configureSecrets with CryptoKey', async () => {
+        const injector = new Injector('test');
+        const keyMaterial = new Uint8Array([1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6]);
+        const cryptoKey = await importKey('raw-secret', keyMaterial, masterSecretAlgorithm, false, masterSecretKeyUsages);
+        configureSecrets({ injector, key: cryptoKey });
+        await runInInjectionContext(injector, async () => {
+            const derived = injectDerivedBytes('', 32, { salt: 'my-salt' });
+            const bytes = await derived.getBytes();
+            expect(bytes.byteLength).toBe(32);
+        });
+    });
+});

package/cryptography/tests/totp.test.d.ts

@@ -0,0 +1 @@
+export {};

package/cryptography/tests/totp.test.js

@@ -0,0 +1,108 @@
+import { describe, expect, test } from 'vitest';
+import { importKey } from '../cryptography.js';
+import { encodeTotpSecret, generateTotpRecoveryCodes, generateTotpSecret, generateTotpToken, generateTotpUri, hashTotpRecoveryCode, verifyTotpRecoveryCode, verifyTotpToken } from '../totp.js';
+const totpOptions = {
+    codeHashAlgorithm: 'SHA-1',
+    recoveryCodeHashOptions: {
+        algorithm: { name: 'PBKDF2', hash: 'SHA-256', salt: new Uint8Array(16), iterations: 10 },
+        length: 64,
+    },
+};
+describe('TOTP Utilities', () => {
+    test('should generate a secret of appropriate length', () => {
+        expect(generateTotpSecret('SHA-1').byteLength).toBe(20);
+        expect(generateTotpSecret('SHA-256').byteLength).toBe(32);
+        expect(generateTotpSecret('SHA-512').byteLength).toBe(64);
+    });
+    test('should generate a valid TOTP token', async () => {
+        const secretData = new Uint8Array(new ArrayBuffer(20));
+        secretData.fill(1);
+        const secret = await importKey('raw-secret', secretData, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
+        const token = await generateTotpToken(secret, { ...totpOptions, timestamp: 1000000000 });
+        expect(token).toMatch(/^\d{6}$/);
+    });
+    test('should verify a valid TOTP token', async () => {
+        const secretData = new Uint8Array(new ArrayBuffer(20));
+        secretData.fill(1);
+        const secret = await importKey('raw-secret', secretData, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
+        const timestamp = 1000000000;
+        const token = await generateTotpToken(secret, { ...totpOptions, timestamp });
+        const isValid = await verifyTotpToken(secret, token, { ...totpOptions, timestamp });
+        expect(isValid).toBe(true);
+    });
+    test('should fail to verify an invalid TOTP token', async () => {
+        const secretData = new Uint8Array(new ArrayBuffer(20));
+        secretData.fill(1);
+        const secret = await importKey('raw-secret', secretData, { name: 'HMAC', hash: 'SHA-1' }, false, ['sign']);
+        const isValid = await verifyTotpToken(secret, '000000', { ...totpOptions, timestamp: 1000000000 });
+        expect(isValid).toBe(false);
+    });
+    test('should generate a valid otpauth URI', () => {
+        const secret = new Uint8Array(new ArrayBuffer(20));
+        secret.fill(1);
+        const encodedSecret = encodeTotpSecret(secret);
+        const uri = generateTotpUri(encodedSecret, 'user@example.com', 'MyApp', totpOptions);
+        expect(uri).toBe('otpauth://totp/MyApp:user%40example.com?secret=AEAQCAIBAEAQCAIBAEAQCAIBAEAQCAIB&issuer=MyApp&algorithm=SHA1&digits=6&period=30');
+    });
+    test('should generate a valid otpauth URI with SHA-256', () => {
+        const secret = new Uint8Array(new ArrayBuffer(32));
+        secret.fill(1);
+        const encodedSecret = encodeTotpSecret(secret);
+        const uri = generateTotpUri(encodedSecret, 'user@example.com', 'MyApp', { ...totpOptions, codeHashAlgorithm: 'SHA-256' });
+        expect(uri).toBe('otpauth://totp/MyApp:user%40example.com?secret=AEAQCAIBAEAQCAIBAEAQCAIBAEAQCAIBAEAQCAIBAEAQCAIBAEAQ&issuer=MyApp&algorithm=SHA256&digits=6&period=30');
+    });
+    test('should verify a valid TOTP token with SHA-256', async () => {
+        const secretData = new Uint8Array(new ArrayBuffer(32));
+        secretData.fill(1);
+        const secret = await importKey('raw-secret', secretData, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']);
+        const timestamp = 1000000000;
+        const options = { ...totpOptions, timestamp, codeHashAlgorithm: 'SHA-256' };
+        const token = await generateTotpToken(secret, options);
+        const isValid = await verifyTotpToken(secret, token, options);
+        expect(isValid).toBe(true);
+    });
+    test('should verify a valid TOTP token with SHA-512', async () => {
+        const secretData = new Uint8Array(new ArrayBuffer(64));
+        secretData.fill(1);
+        const secret = await importKey('raw-secret', secretData, { name: 'HMAC', hash: 'SHA-512' }, false, ['sign']);
+        const timestamp = 1000000000;
+        const options = { ...totpOptions, timestamp, codeHashAlgorithm: 'SHA-512' };
+        const token = await generateTotpToken(secret, options);
+        const isValid = await verifyTotpToken(secret, token, options);
+        expect(isValid).toBe(true);
+    });
+    test('should generate recovery codes', () => {
+        const codes = generateTotpRecoveryCodes(10, 8);
+        expect(codes.length).toBe(10);
+        for (const code of codes) {
+            expect(code).toMatch(/^[A-Z2-7]{8}$/);
+        }
+    });
+    test('should hash and verify a recovery code', async () => {
+        const code = 'ABCDEFGH';
+        const salt = new Uint8Array(new ArrayBuffer(16));
+        salt.fill(1);
+        const options = { algorithm: { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 10 }, length: 64 };
+        const hash = await hashTotpRecoveryCode(code, options);
+        const isValid = await verifyTotpRecoveryCode(code, hash, options);
+        expect(isValid).toBe(true);
+    });
+    test('should fail to verify an invalid recovery code', async () => {
+        const code = 'ABCDEFGH';
+        const salt = new Uint8Array(new ArrayBuffer(16));
+        salt.fill(1);
+        const options = { algorithm: { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 10 }, length: 64 };
+        const hash = await hashTotpRecoveryCode(code, options);
+        const isValid = await verifyTotpRecoveryCode('WRONGONE', hash, options);
+        expect(isValid).toBe(false);
+    });
+    test('should hash and verify a recovery code with Argon2id', async () => {
+        const code = 'ABCDEFGH';
+        const salt = new Uint8Array(new ArrayBuffer(16));
+        salt.fill(1);
+        const options = { algorithm: { name: 'Argon2id', parallelism: 1, memory: 1024, passes: 1, nonce: salt }, length: 64 };
+        const hash = await hashTotpRecoveryCode(code, options);
+        const isValid = await verifyTotpRecoveryCode(code, hash, options);
+        expect(isValid).toBe(true);
+    });
+});

package/cryptography/totp.d.ts

@@ -0,0 +1,96 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: ok */
+import type { TypedOmit } from '../types/types.js';
+import { type DeriveAlgorithm } from './cryptography.js';
+export type TotpHashAlgorithm = 'SHA-1' | 'SHA-256' | 'SHA-512';
+export type TotpOptions = {
+    codeHashAlgorithm: TotpHashAlgorithm;
+    recoveryCodeHashOptions: TotpRecoveryCodeHashingOptions;
+    /**
+   * The timestamp to use for token generation/verification in seconds.
+   * Defaults to the current time.
+   */
+    timestamp?: number;
+    /**
+     * The time step in seconds.
+     * Defaults to 30.
+     */
+    period?: number;
+    /**
+     * The number of digits in the token.
+     * Defaults to 6.
+     */
+    digits?: number;
+    /**
+     * The number of previous/next steps to check during verification.
+     * Defaults to 1 (checks current, -1, and +1 step).
+     */
+    window?: number;
+};
+export type TotpRecoveryCodeHashingOptions = {
+    /**
+     * The hashing algorithm to use.
+     */
+    algorithm: Exclude<DeriveAlgorithm, string>;
+    /**
+     * Length of the resulting hash in bytes.
+     */
+    length: number;
+};
+/**
+ * Generates a random TOTP secret.
+ * @param algorithm The TOTP algorithm to use for determining the secret length.
+ * @returns The generated secret.
+ */
+export declare function generateTotpSecret(algorithm: TotpHashAlgorithm): Uint8Array<ArrayBuffer>;
+/**
+ * Generates a TOTP token for a given secret.
+ * @param secret The TOTP secret.
+ * @param options TOTP configuration options.
+ * @returns The generated token as a string.
+ */
+export declare function generateTotpToken(secret: CryptoKey, options: TypedOmit<TotpOptions, 'recoveryCodeHashOptions'>): Promise<string>;
+/**
+ * Verifies a TOTP token against a secret.
+ * @param secret The TOTP secret.
+ * @param token The token to verify.
+ * @param options TOTP configuration options.
+ * @returns True if the token is valid, false otherwise.
+ */
+export declare function verifyTotpToken(secret: CryptoKey, token: string, options: TypedOmit<TotpOptions, 'recoveryCodeHashOptions'>): Promise<boolean>;
+/**
+ * Encodes a TOTP secret to Base32.
+ * @param secret The TOTP secret.
+ * @returns The Base32 encoded secret.
+ */
+export declare function encodeTotpSecret(secret: Uint8Array<ArrayBuffer>): string;
+/**
+ * Generates an otpauth URI for enrollment.
+ * @param encodedSecret The Base32 encoded TOTP secret.
+ * @param accountName The name of the account (e.g., user email).
+ * @param issuer The name of the application or service.
+ * @param options TOTP configuration options.
+ * @returns The formatted otpauth URI.
+ */
+export declare function generateTotpUri(encodedSecret: string, accountName: string, issuer: string, options: TypedOmit<TotpOptions, 'recoveryCodeHashOptions'>): string;
+/**
+ * Generates a set of random recovery codes.
+ * @param count The number of codes to generate. Defaults to 10.
+ * @param length The length of each code. Defaults to 8.
+ * @returns An array of generated recovery codes.
+ */
+export declare function generateTotpRecoveryCodes(count?: number, length?: number): string[];
+/**
+ * Hashes a recovery code.
+ * @param code The recovery code to hash.
+ * @param options Configuration for hashing.
+ * @returns The hashed recovery code.
+ */
+export declare function hashTotpRecoveryCode(code: string, options: TotpRecoveryCodeHashingOptions): Promise<Uint8Array<ArrayBuffer>>;
+/**
+ * Verifies a recovery code against its hash.
+ * @param codeOrHash The recovery code (string) or a pre-computed hash to verify.
+ * @param hash The expected hash.
+ * @param options Configuration for hashing.
+ * @returns True if the code matches the hash, false otherwise.
+ */
+export declare function verifyTotpRecoveryCode(codeOrHash: string | Uint8Array<ArrayBuffer>, hash: Uint8Array<ArrayBuffer>, options: TotpRecoveryCodeHashingOptions): Promise<boolean>;

package/cryptography/totp.js

@@ -0,0 +1,123 @@
+/** biome-ignore-all lint/suspicious/noBitwiseOperators: ok */
+import { Alphabet } from '../utils/alphabet.js';
+import { encodeBase32 } from '../utils/base32.js';
+import { currentTimestampSeconds } from '../utils/date-time.js';
+import { encodeUtf8 } from '../utils/encoding.js';
+import { timingSafeBinaryEquals, timingSafeStringEquals } from '../utils/equals.js';
+import { getRandomBytes, getRandomString } from '../utils/random.js';
+import { isString } from '../utils/type-guards.js';
+import { deriveBytes, importKey, sign } from './cryptography.js';
+const totpSecretLengthMap = {
+    'SHA-1': 20,
+    'SHA-256': 32,
+    'SHA-512': 64,
+};
+/**
+ * Generates a random TOTP secret.
+ * @param algorithm The TOTP algorithm to use for determining the secret length.
+ * @returns The generated secret.
+ */
+export function generateTotpSecret(algorithm) {
+    const length = totpSecretLengthMap[algorithm];
+    return getRandomBytes(length);
+}
+/**
+ * Generates a TOTP token for a given secret.
+ * @param secret The TOTP secret.
+ * @param options TOTP configuration options.
+ * @returns The generated token as a string.
+ */
+export async function generateTotpToken(secret, options) {
+    const { codeHashAlgorithm, timestamp = currentTimestampSeconds(), period = 30, digits = 6 } = options;
+    const counter = Math.floor(timestamp / period);
+    const counterBuffer = new Uint8Array(8);
+    const counterView = new DataView(counterBuffer.buffer);
+    // Set 64-bit big-endian counter
+    counterView.setUint32(0, Math.floor(counter / 0x100000000), false);
+    counterView.setUint32(4, counter % 0x100000000, false);
+    const hmacResult = await sign({ name: 'HMAC', hash: codeHashAlgorithm }, secret, counterBuffer).toBuffer();
+    const hash = new Uint8Array(hmacResult);
+    const offset = hash[hash.length - 1] & 0xf;
+    const binary = ((hash[offset] & 0x7f) << 24)
+        | ((hash[offset + 1] & 0xff) << 16)
+        | ((hash[offset + 2] & 0xff) << 8)
+        | (hash[offset + 3] & 0xff);
+    const otp = binary % (10 ** digits);
+    return otp.toString().padStart(digits, '0');
+}
+/**
+ * Verifies a TOTP token against a secret.
+ * @param secret The TOTP secret.
+ * @param token The token to verify.
+ * @param options TOTP configuration options.
+ * @returns True if the token is valid, false otherwise.
+ */
+export async function verifyTotpToken(secret, token, options) {
+    const { timestamp = currentTimestampSeconds(), period = 30, window = 1 } = options;
+    for (let i = -window; i <= window; i++) {
+        const stepTimestamp = timestamp + (i * period);
+        const expectedToken = await generateTotpToken(secret, { ...options, timestamp: stepTimestamp });
+        if (timingSafeStringEquals(token, expectedToken)) {
+            return true;
+        }
+    }
+    return false;
+}
+/**
+ * Encodes a TOTP secret to Base32.
+ * @param secret The TOTP secret.
+ * @returns The Base32 encoded secret.
+ */
+export function encodeTotpSecret(secret) {
+    return encodeBase32(secret, false);
+}
+/**
+ * Generates an otpauth URI for enrollment.
+ * @param encodedSecret The Base32 encoded TOTP secret.
+ * @param accountName The name of the account (e.g., user email).
+ * @param issuer The name of the application or service.
+ * @param options TOTP configuration options.
+ * @returns The formatted otpauth URI.
+ */
+export function generateTotpUri(encodedSecret, accountName, issuer, options) {
+    const { digits = 6, period = 30, codeHashAlgorithm } = options;
+    const label = `${encodeURIComponent(issuer)}:${encodeURIComponent(accountName)}`;
+    const normalizedAlgorithm = codeHashAlgorithm.replace('-', '');
+    return `otpauth://totp/${label}?secret=${encodedSecret}&issuer=${encodeURIComponent(issuer)}&algorithm=${normalizedAlgorithm}&digits=${digits}&period=${period}`;
+}
+/**
+ * Generates a set of random recovery codes.
+ * @param count The number of codes to generate. Defaults to 10.
+ * @param length The length of each code. Defaults to 8.
+ * @returns An array of generated recovery codes.
+ */
+export function generateTotpRecoveryCodes(count = 10, length = 8) {
+    const codes = [];
+    for (let i = 0; i < count; i++) {
+        codes.push(getRandomString(length, Alphabet.Base32));
+    }
+    return codes;
+}
+/**
+ * Hashes a recovery code.
+ * @param code The recovery code to hash.
+ * @param options Configuration for hashing.
+ * @returns The hashed recovery code.
+ */
+export async function hashTotpRecoveryCode(code, options) {
+    const { length, algorithm } = options;
+    const keyMaterial = encodeUtf8(code);
+    const key = await importKey('raw-secret', keyMaterial, algorithm, false, ['deriveBits']);
+    return await deriveBytes(algorithm, key, length);
+}
+/**
+ * Verifies a recovery code against its hash.
+ * @param codeOrHash The recovery code (string) or a pre-computed hash to verify.
+ * @param hash The expected hash.
+ * @param options Configuration for hashing.
+ * @returns True if the code matches the hash, false otherwise.
+ */
+export async function verifyTotpRecoveryCode(codeOrHash, hash, options) {
+    const computedHash = isString(codeOrHash) ? await hashTotpRecoveryCode(codeOrHash, options) : codeOrHash;
+    return timingSafeBinaryEquals(computedHash, hash);
+}

package/document-management/server/drizzle/{0000_curious_nighthawk.sql → 0000_sharp_scream.sql}

@@ -8,7 +8,7 @@ CREATE TYPE "document_management"."workflow_fail_reason" AS ENUM('no-suitable-co
 CREATE TYPE "document_management"."workflow_state" AS ENUM('pending', 'running', 'review', 'completed', 'error', 'failed');--> statement-breakpoint
 CREATE TYPE "document_management"."workflow_step" AS ENUM('content-extraction', 'classification', 'data-extraction', 'assignment', 'validation');--> statement-breakpoint
 CREATE TABLE "document_management"."document" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"type_id" uuid,
 	"title" text,
@@ -31,7 +31,7 @@ CREATE TABLE "document_management"."document" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."assignment_scope" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"task_id" uuid NOT NULL,
 	"collection_id" uuid NOT NULL,
@@ -45,7 +45,7 @@ CREATE TABLE "document_management"."assignment_scope" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."assignment_task" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
 	"target" "document_management"."assignment_target" NOT NULL,
@@ -59,7 +59,7 @@ CREATE TABLE "document_management"."assignment_task" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."category" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"parent_id" uuid,
 	"label" text NOT NULL,
@@ -75,7 +75,7 @@ CREATE TABLE "document_management"."category" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."collection" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"parent_id" uuid,
 	"revision" integer NOT NULL,
@@ -87,7 +87,7 @@ CREATE TABLE "document_management"."collection" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."collection_assignment" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"collection_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
@@ -102,7 +102,7 @@ CREATE TABLE "document_management"."collection_assignment" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."property" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"label" text NOT NULL,
 	"key" text,
@@ -118,7 +118,7 @@ CREATE TABLE "document_management"."property" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."property_value" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
 	"property_id" uuid NOT NULL,
@@ -138,7 +138,7 @@ CREATE TABLE "document_management"."property_value" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."request" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"type_id" uuid,
 	"document_id" uuid,
@@ -154,7 +154,7 @@ CREATE TABLE "document_management"."request" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."request_collection_assignment" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"request_id" uuid NOT NULL,
 	"collection_id" uuid NOT NULL,
@@ -168,7 +168,7 @@ CREATE TABLE "document_management"."request_collection_assignment" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."request_template" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"requests_template_id" uuid NOT NULL,
 	"type_id" uuid NOT NULL,
@@ -182,7 +182,7 @@ CREATE TABLE "document_management"."request_template" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."requests_template" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"label" text NOT NULL,
 	"description" text,
@@ -195,7 +195,7 @@ CREATE TABLE "document_management"."requests_template" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."tag" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"label" text NOT NULL,
 	"revision" integer NOT NULL,
@@ -208,7 +208,7 @@ CREATE TABLE "document_management"."tag" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."tag_assignment" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
 	"tag_id" uuid NOT NULL,
@@ -222,7 +222,7 @@ CREATE TABLE "document_management"."tag_assignment" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."type" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"category_id" uuid NOT NULL,
 	"label" text NOT NULL,
@@ -238,7 +238,7 @@ CREATE TABLE "document_management"."type" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."type_property" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"type_id" uuid NOT NULL,
 	"property_id" uuid NOT NULL,
@@ -252,7 +252,7 @@ CREATE TABLE "document_management"."type_property" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."document_type_validation" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"type_id" uuid NOT NULL,
 	"validation_id" uuid NOT NULL,
@@ -266,7 +266,7 @@ CREATE TABLE "document_management"."document_type_validation" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."validation_definition" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"identifier" text NOT NULL,
 	"label" text NOT NULL,
@@ -281,7 +281,7 @@ CREATE TABLE "document_management"."validation_definition" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."validation_execution" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"workflow_id" uuid NOT NULL,
 	"definition_id" uuid NOT NULL,
@@ -300,7 +300,7 @@ CREATE TABLE "document_management"."validation_execution" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."validation_execution_related_document" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"execution_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
@@ -314,7 +314,7 @@ CREATE TABLE "document_management"."validation_execution_related_document" (
 );
 --> statement-breakpoint
 CREATE TABLE "document_management"."workflow" (
-	"id" uuid DEFAULT gen_random_uuid() NOT NULL,
+	"id" uuid DEFAULT uuidv7() NOT NULL,
 	"tenant_id" uuid NOT NULL,
 	"document_id" uuid NOT NULL,
 	"step" "document_management"."workflow_step" NOT NULL,