@varshylinc/team-management 0.1.0 → 0.2.0

package/src/index.ts

@@ -1,24 +0,0 @@
-// ─── Server exports (Node.js + tsc, DO NOT import in browser bundles) ─────────
-export { createServerModule } from './server/index.js';
-export type {
-  ServerModuleAdapter,
-  TeamManagementConfig,
-  TeamManagementServerModule,
-  OrgRole,
-  AuditActorType,
-  TransferStatus,
-  TmOrganization,
-  TmMembership,
-  TmInvitation,
-  TmAuditEvent,
-  TmOwnershipTransfer,
-  TmPasswordResetRequest,
-  TeamManagementFeatureFlags,
-} from './server/types.js';
-
-// ─── Shared types (safe everywhere) ───────────────────────────────────────────
-export type { TeamMember, TeamInvite } from './shared/types.js';
-
-// NOTE: Client exports live in packages/team-management/src/client/index.ts
-// Import them in your bundler (Vite/webpack) via the "client" export condition:
-//   import { PlaceholderPage } from '@varshylinc/team-management/client'

package/src/server/crypto.ts

@@ -1,47 +0,0 @@
-import { createCipheriv, createDecipheriv, randomBytes, createHash } from 'crypto';
-
-const ALGORITHM = 'aes-256-gcm';
-const IV_LENGTH = 12;
-
-function getKey(): Buffer {
-  const secret = process.env.TM_ENCRYPTION_KEY;
-  if (!secret) throw new Error('TM_ENCRYPTION_KEY environment variable is required');
-  return createHash('sha256').update(secret).digest();
-}
-
-export function encrypt(plaintext: string): string {
-  const key = getKey();
-  const iv = randomBytes(IV_LENGTH);
-  const cipher = createCipheriv(ALGORITHM, key, iv);
-  const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`;
-}
-
-export function decrypt(ciphertext: string): string {
-  const key = getKey();
-  const parts = ciphertext.split(':');
-  if (parts.length !== 3) throw new Error('Invalid ciphertext format');
-  const [ivHex, tagHex, encHex] = parts;
-  const iv = Buffer.from(ivHex, 'hex');
-  const tag = Buffer.from(tagHex, 'hex');
-  const encrypted = Buffer.from(encHex, 'hex');
-  const decipher = createDecipheriv(ALGORITHM, key, iv);
-  decipher.setAuthTag(tag);
-  return decipher.update(encrypted).toString('utf8') + decipher.final('utf8');
-}
-
-export function sha256(input: string): string {
-  return createHash('sha256').update(input).digest('hex');
-}
-
-export function generateToken(byteLength = 32): string {
-  return randomBytes(byteLength).toString('hex');
-}
-
-export function generateSixDigitCode(): string {
-  // Cryptographically random 6-digit code (100000-999999)
-  const rand = randomBytes(4).readUInt32BE(0);
-  return String(100000 + (rand % 900000));
-}
-

package/src/server/index.ts

@@ -1,167 +0,0 @@
-import { Router } from 'express';
-import type { Pool } from 'pg';
-import { readFileSync } from 'fs';
-import { join } from 'path';
-import { createHealthRouter } from './routes/health.routes.js';
-import { createOrgsRouter } from './routes/orgs.routes.js';
-import { createInvitationsRouter } from './routes/invitations.routes.js';
-import { createMeRouter } from './routes/me.routes.js';
-import { createTransferRouter } from './routes/transfer.routes.js';
-import { createAuditRouter } from './routes/audit.routes.js';
-import { createAdminRouter } from './routes/admin.routes.js';
-import { seedSuperAdmin } from './services/super-admin.service.js';
-import type {
-  ServerModuleAdapter,
-  TeamManagementConfig,
-  TeamManagementServerModule,
-  TeamManagementFeatureFlags,
-} from './types.js';
-
-const migrationsDir = join(new URL('.', import.meta.url).pathname, 'migrations');
-
-// All migrations in order. Append new migrations here — never reorder or remove.
-const MIGRATIONS: Array<{ name: string; file: string }> = [
-  { name: '0001_create_tm_schema_migrations', file: join(migrationsDir, '0001_create_tm_schema_migrations.sql') },
-  { name: '0002_create_tm_organizations',    file: join(migrationsDir, '0002_create_tm_organizations.sql') },
-  { name: '0003_create_tm_memberships',      file: join(migrationsDir, '0003_create_tm_memberships.sql') },
-  { name: '0004_create_tm_invitations',      file: join(migrationsDir, '0004_create_tm_invitations.sql') },
-  { name: '0005_create_tm_audit_events',     file: join(migrationsDir, '0005_create_tm_audit_events.sql') },
-  { name: '0006_create_tm_email_change_requests',  file: join(migrationsDir, '0006_create_tm_email_change_requests.sql') },
-  { name: '0007_create_tm_ownership_transfers',    file: join(migrationsDir, '0007_create_tm_ownership_transfers.sql') },
-  { name: '0008_create_tm_super_admins',           file: join(migrationsDir, '0008_create_tm_super_admins.sql') },
-  { name: '0009_create_tm_password_reset_requests',file: join(migrationsDir, '0009_create_tm_password_reset_requests.sql') },
-  { name: '0010_create_tm_shared_access',          file: join(migrationsDir, '0010_create_tm_shared_access.sql') },
-  { name: '0011_seed_super_admin',                 file: join(migrationsDir, '0011_seed_super_admin.sql') },
-  { name: '0012_create_tm_user_locks',             file: join(migrationsDir, '0012_create_tm_user_locks.sql') },
-];
-
-// Default feature flags for v0.1.0
-const DEFAULT_FLAGS: Required<TeamManagementFeatureFlags> = {
-  enableInvites: true,
-  enableAuditLog: true,
-  enableOwnershipTransfer: true,
-  enableEmailChange: true,
-  enablePasswordReset: true,
-  enableSuperAdmin: false,
-  enableSharedAccess: false,
-  enableHardDelete: false,
-};
-
-// ── Standalone migration runner ─────────────────────────────────────────────
-// Exported so tests and globalSetup can call it directly without a full module.
-export async function runMigrations(
-  db: Pool,
-  logger: { info(msg: string): void } = { info: () => {} }
-): Promise<{ applied: string[]; skipped: string[] }> {
-  const applied: string[] = [];
-  const skipped: string[] = [];
-
-  // Boot step: ensure ledger table exists (idempotent — CREATE TABLE IF NOT EXISTS)
-  const ledgerSql = readFileSync(
-    join(migrationsDir, '0001_create_tm_schema_migrations.sql'),
-    'utf-8'
-  );
-  await db.query(ledgerSql);
-
-  for (const migration of MIGRATIONS) {
-    const result = await db.query(
-      'SELECT id FROM tm_schema_migrations WHERE migration = $1',
-      [migration.name]
-    );
-
-    if (result.rows.length > 0) {
-      skipped.push(migration.name);
-      logger.info(`[team-management] skipped: ${migration.name}`);
-      continue;
-    }
-
-    const sql = readFileSync(migration.file, 'utf-8');
-    await db.query(sql);
-    await db.query(
-      'INSERT INTO tm_schema_migrations (migration) VALUES ($1)',
-      [migration.name]
-    );
-
-    applied.push(migration.name);
-    logger.info(`[team-management] applied: ${migration.name}`);
-  }
-
-  return { applied, skipped };
-}
-
-/**
- * createServerModule — entry point for host products.
- *
- * Usage (production):
- *   const tm = createServerModule({ adapter, db, config });
- *   await tm.runMigrations();
- *   app.use('/api/team', tm.router);
- *
- * Usage (test shorthand — pool and features accepted as aliases):
- *   const tm = createServerModule({ adapter, pool, features });
- */
-export function createServerModule(opts: {
-  adapter: ServerModuleAdapter;
-  /** pg Pool — use `db` or `pool` interchangeably */
-  db?: Pool;
-  /** Alias for db */
-  pool?: Pool;
-  /** Full config object (takes precedence over individual fields below) */
-  config?: TeamManagementConfig;
-  /** Shorthand for config.featureFlags */
-  features?: Partial<TeamManagementFeatureFlags>;
-  /** Shorthand for config.baseUrl */
-  baseUrl?: string;
-}): TeamManagementServerModule {
-  const db = (opts.db ?? opts.pool)!;
-  const featureFlags: Partial<TeamManagementFeatureFlags> =
-    opts.config?.featureFlags ?? opts.features ?? {};
-  const baseUrl = opts.config?.baseUrl ?? opts.baseUrl ?? '';
-  const config: TeamManagementConfig = { featureFlags, baseUrl };
-  const { adapter } = opts;
-
-  const flags: Required<TeamManagementFeatureFlags> = {
-    ...DEFAULT_FLAGS,
-    ...featureFlags,
-  };
-
-  // ── Super-admin seed on boot ────────────────────────────────────────────────
-
-  if (flags.enableSuperAdmin) {
-    const superAdminEmail = process.env.TM_SUPER_ADMIN_EMAIL;
-    if (superAdminEmail) {
-      seedSuperAdmin(db, adapter, superAdminEmail).catch(e => {
-        adapter.logger.warn('[team-management] seedSuperAdmin failed', {
-          error: (e as Error).message,
-        });
-      });
-    }
-  }
-
-  // ── Routers ─────────────────────────────────────────────────────────────────
-
-  const { router: healthRouter } = createHealthRouter(db, config);
-  const orgsRouter        = createOrgsRouter(db, adapter, flags);
-  const invitationsRouter = createInvitationsRouter(db, adapter, flags, baseUrl);
-  const meRouter          = createMeRouter(db, adapter, flags, baseUrl);
-  const transferRouter    = createTransferRouter(db, adapter, flags, baseUrl);
-  const auditRouter       = createAuditRouter(db, adapter, flags);
-  const adminRouter       = createAdminRouter(db, adapter, flags, baseUrl);
-
-  const router = Router();
-
-  router.use(healthRouter);
-  router.use('/me', meRouter);
-  router.use('/orgs', orgsRouter);
-  router.use('/orgs', invitationsRouter);
-  router.use('/orgs', transferRouter);
-  router.use('/orgs', auditRouter);
-  router.use('/invitations', invitationsRouter);
-  router.use('/admin', adminRouter);
-
-  const migrate = () => runMigrations(db, adapter.logger);
-
-  return { router, runMigrations: migrate, migrate };
-}
-
-export type { ServerModuleAdapter, TeamManagementConfig, TeamManagementServerModule };

package/src/server/middleware/require-membership.ts

@@ -1,48 +0,0 @@
-import type { Request, Response, NextFunction } from 'express';
-import type { Pool } from 'pg';
-import type { ServerModuleAdapter, OrgRole } from '../types.js';
-
-export interface AuthenticatedRequest extends Request {
-  userId: number;
-  orgId: number;
-  userRole: OrgRole;
-}
-
-export function requireMembership(pool: Pool, adapter: ServerModuleAdapter) {
-  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
-    try {
-      const userId = await adapter.getCurrentUserId(req);
-      if (!userId) {
-        res.status(401).json({ error: 'Authentication required' });
-        return;
-      }
-
-      const orgIdParam = parseInt(req.params.orgId || req.params.id || '', 10);
-      if (isNaN(orgIdParam)) {
-        res.status(400).json({ error: 'Invalid org ID' });
-        return;
-      }
-
-      const result = await pool.query(
-        `SELECT m.role FROM tm_memberships m
-         JOIN tm_organizations o ON o.id = m.org_id
-         WHERE m.org_id = $1 AND m.user_id = $2 AND m.removed_at IS NULL
-           AND o.deleted_at IS NULL`,
-        [orgIdParam, userId]
-      );
-
-      if (result.rows.length === 0) {
-        res.status(403).json({ error: 'You are not a member of this organization' });
-        return;
-      }
-
-      (req as AuthenticatedRequest).userId = userId;
-      (req as AuthenticatedRequest).orgId = orgIdParam;
-      (req as AuthenticatedRequest).userRole = result.rows[0].role as OrgRole;
-      next();
-    } catch (e) {
-      adapter.logger.error('[requireMembership]', { error: (e as Error).message });
-      res.status(500).json({ error: 'Authentication check failed' });
-    }
-  };
-}

package/src/server/middleware/require-role.ts

@@ -1,19 +0,0 @@
-import type { Request, Response, NextFunction } from 'express';
-import type { OrgRole } from '../types.js';
-import { roleAtLeast } from '../types.js';
-import type { AuthenticatedRequest } from './require-membership.js';
-
-export function requireRole(minimumRole: OrgRole) {
-  return (req: Request, res: Response, next: NextFunction): void => {
-    const authReq = req as AuthenticatedRequest;
-    if (!authReq.userRole) {
-      res.status(401).json({ error: 'Authentication required' });
-      return;
-    }
-    if (!roleAtLeast(authReq.userRole, minimumRole)) {
-      res.status(403).json({ error: `Requires ${minimumRole} role or higher` });
-      return;
-    }
-    next();
-  };
-}

package/src/server/middleware/require-super-admin.ts

@@ -1,32 +0,0 @@
-import type { Request, Response, NextFunction } from 'express';
-import type { Pool } from 'pg';
-import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
-
-export function requireSuperAdmin(pool: Pool, adapter: ServerModuleAdapter, flags: TeamManagementFeatureFlags) {
-  return async (req: Request, res: Response, next: NextFunction): Promise<void> => {
-    if (!flags.enableSuperAdmin) {
-      res.status(404).json({ error: 'Not found' });
-      return;
-    }
-    try {
-      const userId = await adapter.getCurrentUserId(req);
-      if (!userId) {
-        res.status(401).json({ error: 'Authentication required' });
-        return;
-      }
-      const result = await pool.query(
-        `SELECT user_id FROM tm_super_admins WHERE user_id = $1 AND revoked_at IS NULL`,
-        [userId]
-      );
-      if (result.rows.length === 0) {
-        res.status(403).json({ error: 'Super-admin access required' });
-        return;
-      }
-      (req as Request & { superAdminUserId: number }).superAdminUserId = userId;
-      next();
-    } catch (e) {
-      adapter.logger.error('[requireSuperAdmin]', { error: (e as Error).message });
-      res.status(500).json({ error: 'Authorization check failed' });
-    }
-  };
-}

package/src/server/migrations/0001_create_tm_schema_migrations.sql

@@ -1,13 +0,0 @@
--- Migration: 0001_create_tm_schema_migrations
--- Creates the ledger table that tracks which team-management
--- migrations have been applied. All tm_* tables are owned by
--- the team-management module — host products never query them directly.
-
-CREATE TABLE IF NOT EXISTS tm_schema_migrations (
-  id          SERIAL       PRIMARY KEY,
-  migration   VARCHAR(255) NOT NULL UNIQUE,
-  applied_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
-);
-
-CREATE INDEX IF NOT EXISTS idx_tm_schema_migrations_migration
-  ON tm_schema_migrations (migration);

package/src/server/migrations/0002_create_tm_organizations.sql

@@ -1,14 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_organizations (
-  id SERIAL PRIMARY KEY,
-  name TEXT NOT NULL,
-  slug TEXT NOT NULL UNIQUE,
-  owner_user_id INTEGER NOT NULL,  -- denormalized for quick lookup
-  settings JSONB NOT NULL DEFAULT '{}',
-  deleted_at TIMESTAMPTZ,
-  delete_scheduled_for TIMESTAMPTZ,
-  deleted_by_user_id INTEGER,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_orgs_slug ON tm_organizations(slug) WHERE deleted_at IS NULL;
-CREATE INDEX IF NOT EXISTS idx_tm_orgs_owner ON tm_organizations(owner_user_id);

package/src/server/migrations/0003_create_tm_memberships.sql

@@ -1,24 +0,0 @@
--- If the type already exists, ignore
-DO $$ BEGIN
-  CREATE TYPE tm_role AS ENUM ('owner', 'admin', 'member', 'viewer');
-EXCEPTION WHEN duplicate_object THEN NULL;
-END $$;
-
-CREATE TABLE IF NOT EXISTS tm_memberships (
-  id SERIAL PRIMARY KEY,
-  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
-  user_id INTEGER NOT NULL,
-  role tm_role NOT NULL DEFAULT 'member',
-  joined_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  removed_at TIMESTAMPTZ,
-  removed_by_user_id INTEGER,
-  removal_reason TEXT,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
--- Only one active membership per user per org
-CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_memberships_active ON tm_memberships(org_id, user_id) WHERE removed_at IS NULL;
--- Only one owner per org (active)
-CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_memberships_owner ON tm_memberships(org_id) WHERE role = 'owner' AND removed_at IS NULL;
-CREATE INDEX IF NOT EXISTS idx_tm_memberships_user ON tm_memberships(user_id);
-CREATE INDEX IF NOT EXISTS idx_tm_memberships_org ON tm_memberships(org_id);

package/src/server/migrations/0004_create_tm_invitations.sql

@@ -1,22 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_invitations (
-  id SERIAL PRIMARY KEY,
-  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
-  invited_by_user_id INTEGER NOT NULL,
-  email TEXT NOT NULL,
-  role tm_role NOT NULL DEFAULT 'member',
-  token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of the magic-link token
-  code_encrypted TEXT NOT NULL,      -- AES-256-GCM encrypted 6-digit code
-  expires_at TIMESTAMPTZ NOT NULL,   -- NOW() + 7 days
-  accepted_at TIMESTAMPTZ,
-  revoked_at TIMESTAMPTZ,
-  revoked_by_user_id INTEGER,
-  resent_count INTEGER NOT NULL DEFAULT 0,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
--- Only one pending (non-accepted, non-revoked) invite per email per org
--- Note: expires_at check omitted from predicate (NOW() is not IMMUTABLE); enforced at query time
-CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_invitations_pending ON tm_invitations(org_id, email) WHERE accepted_at IS NULL AND revoked_at IS NULL;
-CREATE INDEX IF NOT EXISTS idx_tm_invitations_org ON tm_invitations(org_id);
-CREATE INDEX IF NOT EXISTS idx_tm_invitations_email ON tm_invitations(email);
-

package/src/server/migrations/0005_create_tm_audit_events.sql

@@ -1,17 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_audit_events (
-  id BIGSERIAL PRIMARY KEY,
-  org_id INTEGER REFERENCES tm_organizations(id) ON DELETE SET NULL,
-  actor_user_id INTEGER,
-  actor_type TEXT NOT NULL DEFAULT 'user' CHECK (actor_type IN ('user', 'super_admin')),
-  action TEXT NOT NULL,
-  target_type TEXT,
-  target_id TEXT,
-  before_state JSONB,
-  after_state JSONB,
-  ip TEXT,
-  user_agent TEXT,
-  reason TEXT,  -- required for super_admin actions
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-CREATE INDEX IF NOT EXISTS idx_tm_audit_org ON tm_audit_events(org_id, created_at DESC);
-CREATE INDEX IF NOT EXISTS idx_tm_audit_actor ON tm_audit_events(actor_user_id);

package/src/server/migrations/0006_create_tm_email_change_requests.sql

@@ -1,13 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_email_change_requests (
-  id SERIAL PRIMARY KEY,
-  user_id INTEGER NOT NULL,
-  old_email TEXT,
-  new_email TEXT NOT NULL,
-  verify_token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of verification token
-  cancel_token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of cancellation token
-  expires_at TIMESTAMPTZ NOT NULL,          -- NOW() + 24 hours
-  verified_at TIMESTAMPTZ,
-  cancelled_at TIMESTAMPTZ,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-CREATE INDEX IF NOT EXISTS idx_tm_email_change_user ON tm_email_change_requests(user_id, created_at DESC);

package/src/server/migrations/0007_create_tm_ownership_transfers.sql

@@ -1,22 +0,0 @@
-DO $$ BEGIN
-  CREATE TYPE tm_transfer_status AS ENUM ('pending', 'accepted', 'cancelled', 'expired');
-EXCEPTION WHEN duplicate_object THEN NULL;
-END $$;
-
-CREATE TABLE IF NOT EXISTS tm_ownership_transfers (
-  id SERIAL PRIMARY KEY,
-  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
-  from_user_id INTEGER NOT NULL,
-  to_user_id INTEGER NOT NULL,
-  status tm_transfer_status NOT NULL DEFAULT 'pending',
-  initiated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  accepted_at TIMESTAMPTZ,
-  cancelled_at TIMESTAMPTZ,
-  cancelled_by_user_id INTEGER,
-  expires_at TIMESTAMPTZ NOT NULL,  -- NOW() + 7 days
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
--- Only one pending transfer per org
-CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_transfers_pending ON tm_ownership_transfers(org_id) WHERE status = 'pending';
-CREATE INDEX IF NOT EXISTS idx_tm_transfers_org ON tm_ownership_transfers(org_id);

package/src/server/migrations/0008_create_tm_super_admins.sql

@@ -1,8 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_super_admins (
-  user_id INTEGER PRIMARY KEY,
-  granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  granted_by_user_id INTEGER,
-  notes TEXT,
-  revoked_at TIMESTAMPTZ
-);
-CREATE INDEX IF NOT EXISTS idx_tm_super_admins_active ON tm_super_admins(user_id) WHERE revoked_at IS NULL;

package/src/server/migrations/0009_create_tm_password_reset_requests.sql

@@ -1,9 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_password_reset_requests (
-  id SERIAL PRIMARY KEY,
-  user_id INTEGER NOT NULL,
-  token_hash TEXT NOT NULL UNIQUE,  -- SHA-256 of reset token
-  expires_at TIMESTAMPTZ NOT NULL,  -- NOW() + 1 hour
-  used_at TIMESTAMPTZ,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
-CREATE INDEX IF NOT EXISTS idx_tm_pwd_reset_user ON tm_password_reset_requests(user_id, created_at DESC);

package/src/server/migrations/0010_create_tm_shared_access.sql

@@ -1,8 +0,0 @@
--- tm_shared_access: reserved for v0.2.0 (cross-org vendor access).
--- Empty scaffold -- no columns beyond id. Do not add anything here in v0.1.0.
-CREATE TABLE IF NOT EXISTS tm_shared_access (
-  id SERIAL PRIMARY KEY,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
-);
--- NOTE: This table is intentionally empty in v0.1.0.
--- Schema will be defined in the v0.2.0 migration.

package/src/server/migrations/0011_seed_super_admin.sql

@@ -1,15 +0,0 @@
--- Seed super-admin for vaakapila@gmail.com.
--- This migration is ALWAYS run but only inserts if:
---   1. A user with that email exists in the host app's user table.
---   2. The row does not already exist in tm_super_admins.
--- The host adapter is responsible for user existence; this migration
--- does nothing if the user does not exist (host-managed users table
--- is outside module scope). The demo-host seeds this user before
--- running migrations.
---
--- Since tm_super_admins uses host user_id (INTEGER), and we cannot
--- JOIN across host tables from inside the module, this seed is
--- handled by the createServerModule boot sequence when
--- enableSuperAdmin=true (see index.ts seedSuperAdmin()).
--- This file is a no-op placeholder to reserve the migration slot.
-SELECT 1; -- placeholder: actual seed runs in application boot

package/src/server/migrations/0012_create_tm_user_locks.sql

@@ -1,7 +0,0 @@
-CREATE TABLE IF NOT EXISTS tm_user_locks (
-  user_id INTEGER PRIMARY KEY,
-  locked_by INTEGER NOT NULL,
-  reason TEXT NOT NULL,
-  locked_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  unlocked_at TIMESTAMPTZ
-);