chadstart 1.0.5 → 1.0.6

package/chadstart.example.yaml

@@ -415,6 +415,28 @@ sentry:
   tracesSampleRate: 1.0       # Fraction of transactions to sample (0.0–1.0)
   debug: false                # Enable Sentry SDK debug logging
 
+# ── Email / SMTP ──────────────────────────────────────────────────────────────
+# Configure SMTP for transactional emails (verification, password reset, etc.).
+# The SMTP password is a secret and must be provided via the SMTP_PASS env var.
+# All fields can be overridden by environment variables:
+#   SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_PASS, SMTP_FROM
+
+email:
+  host: smtp.example.com       # SMTP server hostname. Overridable via SMTP_HOST
+  port: 587                     # SMTP port (587=STARTTLS, 465=SSL, 25=plain). Overridable via SMTP_PORT
+  username: noreply@example.com # SMTP login. Overridable via SMTP_USER
+  from: "My App <noreply@example.com>"  # Default sender. Overridable via SMTP_FROM
+  secure: false                 # Use TLS (auto-detected from port if omitted)
+  templates:
+    verification:
+      subject: "Verify your email for {{appName}}"
+      text: "Hi {{name}},\n\nPlease verify your email by visiting:\n{{link}}\n\nThanks,\n{{appName}}"
+      html: "<h2>Verify your email</h2><p>Hi {{name}},</p><p>Please verify your email by clicking the link below:</p><p><a href=\"{{link}}\">Verify Email</a></p><p>Thanks,<br>{{appName}}</p>"
+    passwordReset:
+      subject: "Reset your password for {{appName}}"
+      text: "Hi {{name}},\n\nYou requested a password reset. Visit:\n{{link}}\n\nIf you didn't request this, ignore this email.\n\nThanks,\n{{appName}}"
+      html: "<h2>Reset your password</h2><p>Hi {{name}},</p><p>You requested a password reset. Click the link below:</p><p><a href=\"{{link}}\">Reset Password</a></p><p>If you didn't request this, ignore this email.</p><p>Thanks,<br>{{appName}}</p>"
+
 # ── OAuth / Social Login ─────────────────────────────────────────────────────
 # Powered by the "grant" library — supports 200+ OAuth providers.
 # Secrets (client keys / secrets) MUST be set via environment variables:

package/chadstart.schema.json

@@ -125,6 +125,78 @@
         }
       }
     },
+    "logs": {
+      "type": "object",
+      "description": "Request logging configuration. Logs are stored in a _cs_logs system table and accessible via GET /admin/logs.",
+      "additionalProperties": false,
+      "properties": {
+        "retention": {
+          "type": "integer",
+          "default": 30,
+          "description": "Number of days to keep log entries. 0 = keep forever. Default: 30."
+        },
+        "exclude": {
+          "type": "array",
+          "items": { "type": "string" },
+          "description": "URL path prefixes to exclude from logging (e.g. ['/health', '/admin/vendor'])."
+        }
+      }
+    },
+    "backup": {
+      "type": "object",
+      "description": "Database backup configuration. Backups are created via POST /admin/backup or `npx chadstart backup`.",
+      "additionalProperties": false,
+      "properties": {
+        "dir": {
+          "type": "string",
+          "default": "backups",
+          "description": "Directory to store backup files. Overridable via BACKUP_DIR env var. Default: backups."
+        }
+      }
+    },
+    "email": {
+      "type": "object",
+      "description": "Email / SMTP configuration for sending transactional emails (verification, password reset, notifications). The SMTP password must be supplied via the SMTP_PASS environment variable — never put it here. All fields can be overridden by SMTP_HOST, SMTP_PORT, SMTP_USER, SMTP_FROM env vars.",
+      "additionalProperties": false,
+      "properties": {
+        "host": {
+          "type": "string",
+          "description": "SMTP server hostname (e.g. smtp.gmail.com). Overridable via SMTP_HOST env var."
+        },
+        "port": {
+          "type": "integer",
+          "default": 587,
+          "description": "SMTP server port. Common values: 587 (STARTTLS), 465 (SSL/TLS), 25 (unencrypted). Overridable via SMTP_PORT env var."
+        },
+        "username": {
+          "type": "string",
+          "description": "SMTP login username. Overridable via SMTP_USER env var."
+        },
+        "from": {
+          "type": "string",
+          "description": "Default sender address (e.g. 'My App <noreply@example.com>'). Overridable via SMTP_FROM env var."
+        },
+        "secure": {
+          "type": "boolean",
+          "description": "Use TLS when connecting to the server. Defaults to true for port 465, false otherwise."
+        },
+        "templates": {
+          "type": "object",
+          "description": "Email templates with {{variable}} placeholders. Used by built-in flows (verification, password reset).",
+          "additionalProperties": false,
+          "properties": {
+            "verification": {
+              "$ref": "#/$defs/emailTemplate",
+              "description": "Template for email verification messages."
+            },
+            "passwordReset": {
+              "$ref": "#/$defs/emailTemplate",
+              "description": "Template for password reset messages."
+            }
+          }
+        }
+      }
+    },
     "oauth": {
       "type": "object",
       "description": "OAuth / social login configuration powered by the grant library. Secrets (client keys and secrets) must be supplied via OAUTH_<PROVIDER>_KEY and OAUTH_<PROVIDER>_SECRET environment variables.",
@@ -292,6 +364,7 @@
       "type": "object",
       "properties": {
         "authenticable": { "type": "boolean", "default": false, "description": "Makes this entity authenticable (adds email + password fields, enables login/signup)." },
+        "requireEmailVerification": { "type": "boolean", "default": false, "description": "When true, login is blocked until the user verifies their email address." },
         "single":        { "type": "boolean", "default": false, "description": "Single entity — only one record exists (no create/delete)." },
         "mainProp":      { "type": "string", "description": "Identifier property used in the admin panel." },
         "nameSingular":  { "type": "string" },
@@ -400,6 +473,16 @@
         "ttl":   { "type": "integer", "description": "Time window in milliseconds." }
       }
     },
+    "emailTemplate": {
+      "type": "object",
+      "description": "An email template with subject, text body, and optional HTML body. Supports {{variable}} placeholders.",
+      "additionalProperties": false,
+      "properties": {
+        "subject": { "type": "string", "description": "Email subject line. Supports {{appName}}, {{name}}, {{link}} placeholders." },
+        "text":    { "type": "string", "description": "Plain-text email body. Supports {{appName}}, {{name}}, {{link}} placeholders." },
+        "html":    { "type": "string", "description": "HTML email body. Supports {{appName}}, {{name}}, {{link}} placeholders." }
+      }
+    },
     "oauthProvider": {
       "type": "object",
       "description": "Configuration for a single OAuth provider. The key and secret should be set via OAUTH_<PROVIDER>_KEY and OAUTH_<PROVIDER>_SECRET environment variables.",

package/cli/cli.js

@@ -21,6 +21,8 @@ Usage:
   npx chadstart migrate           Run pending database migrations
   npx chadstart migrate:generate  Generate migration from config diff (git-based)
   npx chadstart migrate:status    Show current migration status
+  npx chadstart backup            Create a database backup
+  npx chadstart restore <file>    Restore database from a backup file
 
 Options:
   --config <file>         Path to config file (default: auto-discover)
@@ -77,6 +79,10 @@ if (command === 'create') {
   runMigrateGenerate();
 } else if (command === 'migrate:status') {
   runMigrateStatus();
+} else if (command === 'backup') {
+  runBackup();
+} else if (command === 'restore') {
+  runRestore();
 } else {
   console.error(`Unknown command: ${command}`);
   printUsage();
@@ -413,6 +419,78 @@ async function runMigrateStatus() {
 
 // ─── Other helpers ───────────────────────────────────────────────────────────
 
+async function runBackup() {
+  if (!fs.existsSync(configPath)) {
+    console.error(`Config not found: ${configPath}`);
+    process.exit(1);
+  }
+
+  try {
+    const { loadConfig } = require('../core/config-loader');
+    const { validateSchema } = require('../core/schema-validator');
+    const { buildCore } = require('../core/entity-engine');
+    const { initDb, closeDb } = require('../core/db');
+    const { createBackup } = require('../core/backup');
+
+    const config = loadConfig(configPath);
+    validateSchema(config);
+    const core = buildCore(config);
+    await initDb(core);
+
+    console.log('\n💾 Creating backup...\n');
+    const result = await createBackup(core.backup);
+    console.log(`  ✅ Backup created: ${result.file}`);
+    console.log(`     Path:   ${result.path}`);
+    console.log(`     Size:   ${(result.size / 1024).toFixed(1)} KB`);
+    console.log(`     Engine: ${result.engine}\n`);
+
+    await closeDb();
+  } catch (err) {
+    console.error(`\n❌ ${err.message}\n`);
+    process.exit(1);
+  }
+}
+
+async function runRestore() {
+  const backupFile = args[1];
+  if (!backupFile) {
+    console.error('Error: backup file name is required. Usage: npx chadstart restore <file>');
+    process.exit(1);
+  }
+
+  if (!fs.existsSync(configPath)) {
+    console.error(`Config not found: ${configPath}`);
+    process.exit(1);
+  }
+
+  try {
+    const { loadConfig } = require('../core/config-loader');
+    const { validateSchema } = require('../core/schema-validator');
+    const { buildCore } = require('../core/entity-engine');
+    const { initDb } = require('../core/db');
+    const { restoreBackup } = require('../core/backup');
+
+    const config = loadConfig(configPath);
+    validateSchema(config);
+    const core = buildCore(config);
+    await initDb(core);
+
+    console.log(`\n🔄 Restoring from ${backupFile}...\n`);
+    const result = await restoreBackup(backupFile, core.backup);
+    if (result.success) {
+      console.log(`  ✅ ${result.message}\n`);
+    } else {
+      console.error(`  ❌ ${result.message}\n`);
+      process.exit(1);
+    }
+  } catch (err) {
+    console.error(`\n❌ ${err.message}\n`);
+    process.exit(1);
+  }
+}
+
+// ─── Other helpers ───────────────────────────────────────────────────────────
+
 function applyPortOverride() {
   if (portOverride) {
     process.env.CHADSTART_PORT = portOverride;

package/core/auth.js

@@ -7,6 +7,10 @@
  *   POST /api/auth/:slug/signup
  *   POST /api/auth/:slug/login
  *   GET  /api/auth/:slug/me
+ *   POST /api/auth/:slug/request-verification
+ *   POST /api/auth/:slug/confirm-verification
+ *   POST /api/auth/:slug/request-password-reset
+ *   POST /api/auth/:slug/confirm-password-reset
  *   GET  /api/auth/:slug/api-keys
  *   POST /api/auth/:slug/api-keys
  *   DELETE /api/auth/:slug/api-keys/:id
@@ -42,6 +46,25 @@ function signToken(payload, expiresIn) {
 }
 function verifyToken(token) { return jwt.verify(token, JWT_SECRET); }
 
+/** Generate a cryptographically secure random hex token. */
+function generateSecureToken() {
+  return crypto.randomBytes(32).toString('hex');
+}
+
+// ─── Default email templates ─────────────────────────────────────────────────
+
+const DEFAULT_VERIFICATION_TEMPLATE = {
+  subject: 'Verify your email for {{appName}}',
+  text: 'Hi {{name}},\n\nPlease verify your email address by using the following token:\n\n{{token}}\n\nOr click this link: {{link}}\n\nThanks,\n{{appName}}',
+  html: '<h2>Verify your email</h2><p>Hi {{name}},</p><p>Please verify your email address by clicking the link below:</p><p><a href="{{link}}">Verify Email</a></p><p>Or use this token: <code>{{token}}</code></p><p>Thanks,<br>{{appName}}</p>',
+};
+
+const DEFAULT_PASSWORD_RESET_TEMPLATE = {
+  subject: 'Reset your password for {{appName}}',
+  text: 'Hi {{name}},\n\nYou requested a password reset. Use the following token:\n\n{{token}}\n\nOr click this link: {{link}}\n\nThis link expires in 1 hour.\n\nIf you did not request this, please ignore this email.\n\nThanks,\n{{appName}}',
+  html: '<h2>Reset your password</h2><p>Hi {{name}},</p><p>You requested a password reset. Click the link below:</p><p><a href="{{link}}">Reset Password</a></p><p>Or use this token: <code>{{token}}</code></p><p>This link expires in 1 hour.</p><p>If you did not request this, please ignore this email.</p><p>Thanks,<br>{{appName}}</p>',
+};
+
 // ─── API Keys ─────────────────────────────────────────────────────────────────
 
 /**
@@ -231,6 +254,34 @@ function registerApiKeyRoutes(app, core) {
 
 function registerAuthRoutes(app, core, emit) {
   const _emit = typeof emit === 'function' ? emit : () => {};
+
+  // Lazily load email module to avoid circular dependency at module load time
+  let _emailMod;
+  function _getEmail() {
+    if (!_emailMod) _emailMod = require('./email');
+    return _emailMod;
+  }
+
+  /** Try to send an email — logs and swallows errors so auth flow still succeeds when SMTP is down. */
+  async function _trySend(opts) {
+    try {
+      await _getEmail().sendEmail(opts);
+    } catch (e) {
+      logger.warn(`Email send failed (${opts.to}): ${e.message}`);
+    }
+  }
+
+  /** Merge user-defined template with built-in default. */
+  function _tpl(kind) {
+    const defaults = kind === 'verification' ? DEFAULT_VERIFICATION_TEMPLATE : DEFAULT_PASSWORD_RESET_TEMPLATE;
+    const custom = ((core.email || {}).templates || {})[kind] || {};
+    return {
+      subject: custom.subject || defaults.subject,
+      text: custom.text || defaults.text,
+      html: custom.html || defaults.html,
+    };
+  }
+
   for (const entity of Object.values(core.authenticableEntities || {})) {
     const slug = entity.slug;
     const table = entity.tableName;
@@ -240,34 +291,135 @@ function registerAuthRoutes(app, core, emit) {
     const signupPolicies = (entity.policies || {}).signup;
     const signupForbidden = signupPolicies && signupPolicies.length > 0 && signupPolicies[0].access === 'forbidden';
 
+    // ── Signup ────────────────────────────────────────────────────────────
     app.post(`/api/auth/${slug}/signup`, async (req, res) => {
       try {
         if (signupForbidden) return res.status(403).json({ error: 'Signup is forbidden for this entity' });
         const { email, password, ...rest } = req.body || {};
         if (!email || !password) return res.status(400).json({ error: 'email and password are required' });
         if ((await db.findAllSimple(table, { email })).length) return res.status(409).json({ error: 'Email already registered' });
-        const user = await db.create(table, { email, password: await bcrypt.hash(password, BCRYPT_ROUNDS), ...sanitize(rest) });
+
+        // Generate email verification token
+        const verificationToken = generateSecureToken();
+        const user = await db.create(table, {
+          email,
+          password: await bcrypt.hash(password, BCRYPT_ROUNDS),
+          emailVerified: 0,
+          emailVerificationToken: verificationToken,
+          ...sanitize(rest),
+        });
         _emit(`${entity.name}.created`, omitPassword(user));
+
+        // Send verification email (best-effort — does not block signup)
+        const tpl = _tpl('verification');
+        const vars = { appName: core.name, name: email, token: verificationToken, link: `${_appUrl()}/verify?token=${verificationToken}` };
+        _trySend({ to: email, subject: tpl.subject, text: tpl.text, html: tpl.html, vars });
+
         res.status(201).json({ token: signToken({ id: user.id, entity: entity.name }), user: omitPassword(user) });
       } catch (e) { logger.error('signup error', e.message); res.status(500).json({ error: e.message }); }
     });
 
+    // ── Login ─────────────────────────────────────────────────────────────
     app.post(`/api/auth/${slug}/login`, async (req, res) => {
       try {
         const { email, password } = req.body || {};
         if (!email || !password) return res.status(400).json({ error: 'email and password are required' });
         const user = (await db.findAllSimple(table, { email }))[0];
         if (!user || !(await bcrypt.compare(password, user.password))) return res.status(401).json({ error: 'Invalid credentials' });
+
+        // Block login if email verification is required but not done
+        if (entity.requireEmailVerification && !user.emailVerified) {
+          return res.status(403).json({ error: 'Email not verified. Please verify your email before logging in.' });
+        }
+
         res.json({ token: signToken({ id: user.id, entity: entity.name }), user: omitPassword(user) });
       } catch (e) { logger.error('login error', e.message); res.status(500).json({ error: e.message }); }
     });
 
+    // ── Me ─────────────────────────────────────────────────────────────────
     app.get(`/api/auth/${slug}/me`, requireAuth(entity.name), async (req, res) => {
       const user = await db.findById(table, req.user.id);
       if (!user) return res.status(404).json({ error: 'User not found' });
       res.json(omitPassword(user));
     });
 
+    // ── Request Verification ──────────────────────────────────────────────
+    app.post(`/api/auth/${slug}/request-verification`, requireAuth(entity.name), async (req, res) => {
+      try {
+        const user = await db.findById(table, req.user.id);
+        if (!user) return res.status(404).json({ error: 'User not found' });
+        if (user.emailVerified) return res.json({ message: 'Email already verified' });
+
+        const token = generateSecureToken();
+        await db.update(table, user.id, { emailVerificationToken: token });
+
+        const tpl = _tpl('verification');
+        const vars = { appName: core.name, name: user.email, token, link: `${_appUrl()}/verify?token=${token}` };
+        await _trySend({ to: user.email, subject: tpl.subject, text: tpl.text, html: tpl.html, vars });
+
+        res.json({ message: 'Verification email sent' });
+      } catch (e) { logger.error('request-verification error', e.message); res.status(500).json({ error: e.message }); }
+    });
+
+    // ── Confirm Verification ──────────────────────────────────────────────
+    app.post(`/api/auth/${slug}/confirm-verification`, async (req, res) => {
+      try {
+        const { token } = req.body || {};
+        if (!token) return res.status(400).json({ error: 'token is required' });
+
+        const user = (await db.findAllSimple(table, { emailVerificationToken: token }))[0];
+        if (!user) return res.status(400).json({ error: 'Invalid or expired verification token' });
+
+        await db.update(table, user.id, { emailVerified: 1, emailVerificationToken: null });
+        res.json({ message: 'Email verified successfully' });
+      } catch (e) { logger.error('confirm-verification error', e.message); res.status(500).json({ error: e.message }); }
+    });
+
+    // ── Request Password Reset ────────────────────────────────────────────
+    app.post(`/api/auth/${slug}/request-password-reset`, async (req, res) => {
+      try {
+        const { email } = req.body || {};
+        if (!email) return res.status(400).json({ error: 'email is required' });
+
+        // Always return 200 to avoid leaking whether email exists
+        const user = (await db.findAllSimple(table, { email }))[0];
+        if (user) {
+          const token = generateSecureToken();
+          const expiry = new Date(Date.now() + 60 * 60 * 1000).toISOString(); // 1 hour
+          await db.update(table, user.id, { passwordResetToken: token, passwordResetExpiry: expiry });
+
+          const tpl = _tpl('passwordReset');
+          const vars = { appName: core.name, name: user.email, token, link: `${_appUrl()}/reset-password?token=${token}` };
+          _trySend({ to: user.email, subject: tpl.subject, text: tpl.text, html: tpl.html, vars });
+        }
+
+        res.json({ message: 'If an account with that email exists, a password reset email has been sent.' });
+      } catch (e) { logger.error('request-password-reset error', e.message); res.status(500).json({ error: e.message }); }
+    });
+
+    // ── Confirm Password Reset ────────────────────────────────────────────
+    app.post(`/api/auth/${slug}/confirm-password-reset`, async (req, res) => {
+      try {
+        const { token, password } = req.body || {};
+        if (!token || !password) return res.status(400).json({ error: 'token and password are required' });
+
+        const user = (await db.findAllSimple(table, { passwordResetToken: token }))[0];
+        if (!user) return res.status(400).json({ error: 'Invalid or expired reset token' });
+
+        // Check expiry
+        if (!user.passwordResetExpiry || new Date(user.passwordResetExpiry) < new Date()) {
+          return res.status(400).json({ error: 'Reset token has expired' });
+        }
+
+        await db.update(table, user.id, {
+          password: await bcrypt.hash(password, BCRYPT_ROUNDS),
+          passwordResetToken: null,
+          passwordResetExpiry: null,
+        });
+        res.json({ message: 'Password reset successfully' });
+      } catch (e) { logger.error('confirm-password-reset error', e.message); res.status(500).json({ error: e.message }); }
+    });
+
     logger.info(`  Registered auth routes at /api/auth/${slug}/`);
   }
 }
@@ -294,13 +446,18 @@ async function optionalAuth(req, _res, next) {
 }
 
 function omitPassword(user) {
-  const { password: _, ...rest } = user;
+  const { password: _, emailVerificationToken: _2, passwordResetToken: _3, passwordResetExpiry: _4, ...rest } = user;
   return rest;
 }
 
+/** Derive the app's base URL for email links. */
+function _appUrl() {
+  return process.env.APP_URL || process.env.BASE_URL || `http://localhost:${process.env.PORT || 3000}`;
+}
+
 module.exports = {
   registerAuthRoutes, registerApiKeyRoutes, initApiKeys,
   requireAuth, optionalAuth, resolveAuthHeader,
-  signToken, verifyToken, omitPassword, JWT_SECRET,
+  signToken, verifyToken, omitPassword, JWT_SECRET, generateSecureToken,
   createApiKey, listApiKeys, listAllApiKeys, deleteApiKey, verifyApiKeyStr,
 };

package/core/backup.js

@@ -0,0 +1,191 @@
+'use strict';
+
+/**
+ * Backup & Restore module for ChadStart.
+ *
+ * Supports SQLite (file copy), PostgreSQL (pg_dump), and MySQL (mysqldump).
+ *
+ * Configuration via YAML `backup` section:
+ *   backup:
+ *     dir: backups           # Directory for backup files (default: backups)
+ */
+
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+const { execFileSync } = require('child_process');
+const db = require('./db');
+const logger = require('../utils/logger');
+
+const DB_ENGINE = db.DB_ENGINE;
+
+/**
+ * Get the backup directory. Creates it if it doesn't exist.
+ *
+ * @param {object|null} backupCfg  Value of `core.backup` (may be null).
+ * @returns {string}               Absolute path to backup directory.
+ */
+function getBackupDir(backupCfg) {
+  const dir = (backupCfg && backupCfg.dir) || process.env.BACKUP_DIR || 'backups';
+  const resolved = path.resolve(dir);
+  fs.mkdirSync(resolved, { recursive: true });
+  return resolved;
+}
+
+/**
+ * Generate a backup filename with timestamp.
+ *
+ * @param {string} ext  File extension (e.g. 'db', 'sql').
+ * @returns {string}
+ */
+function generateBackupName(ext) {
+  const ts = new Date().toISOString().replace(/[:.]/g, '-');
+  const id = crypto.randomBytes(4).toString('hex');
+  return `backup-${ts}-${id}.${ext}`;
+}
+
+/**
+ * Create a backup of the database.
+ *
+ * @param {object|null} backupCfg  Value of `core.backup` (may be null).
+ * @returns {{ file: string, path: string, size: number, engine: string }}
+ */
+async function createBackup(backupCfg) {
+  const dir = getBackupDir(backupCfg);
+
+  if (DB_ENGINE === 'sqlite') {
+    const sqliteDb = db.getDb();
+    const name = generateBackupName('db');
+    const dest = path.join(dir, name);
+    await sqliteDb.backup(dest);
+    const stats = fs.statSync(dest);
+    logger.info(`Backup created: ${dest} (${stats.size} bytes)`);
+    return { file: name, path: dest, size: stats.size, engine: 'sqlite' };
+  }
+
+  if (DB_ENGINE === 'postgres') {
+    const name = generateBackupName('sql');
+    const dest = path.join(dir, name);
+    const args = [
+      '-h', process.env.DB_HOST || 'localhost',
+      '-p', process.env.DB_PORT || '5432',
+      '-U', process.env.DB_USERNAME || 'postgres',
+      '-d', process.env.DB_DATABASE || 'manifest',
+      '-f', dest,
+    ];
+    execFileSync('pg_dump', args, {
+      env: { ...process.env, PGPASSWORD: process.env.DB_PASSWORD || 'postgres' },
+      timeout: 120000,
+    });
+    const stats = fs.statSync(dest);
+    logger.info(`Backup created: ${dest} (${stats.size} bytes)`);
+    return { file: name, path: dest, size: stats.size, engine: 'postgres' };
+  }
+
+  if (DB_ENGINE === 'mysql') {
+    const name = generateBackupName('sql');
+    const dest = path.join(dir, name);
+    const args = [
+      '-h', process.env.DB_HOST || 'localhost',
+      '-P', process.env.DB_PORT || '3306',
+      '-u', process.env.DB_USERNAME || 'root',
+      `--result-file=${dest}`,
+      process.env.DB_DATABASE || 'manifest',
+    ];
+    const env = { ...process.env };
+    if (process.env.DB_PASSWORD) env.MYSQL_PWD = process.env.DB_PASSWORD;
+    execFileSync('mysqldump', args, { env, timeout: 120000 });
+    const stats = fs.statSync(dest);
+    logger.info(`Backup created: ${dest} (${stats.size} bytes)`);
+    return { file: name, path: dest, size: stats.size, engine: 'mysql' };
+  }
+
+  throw new Error(`Unsupported database engine for backup: ${DB_ENGINE}`);
+}
+
+/**
+ * Restore a database from a backup file.
+ *
+ * @param {string} backupFile  Filename of the backup (relative to backup dir).
+ * @param {object|null} backupCfg  Value of `core.backup` (may be null).
+ * @returns {{ success: boolean, message: string }}
+ */
+async function restoreBackup(backupFile, backupCfg) {
+  const dir = getBackupDir(backupCfg);
+  const src = path.join(dir, path.basename(backupFile)); // basename to prevent path traversal
+
+  if (!fs.existsSync(src)) {
+    return { success: false, message: `Backup file not found: ${backupFile}` };
+  }
+
+  if (DB_ENGINE === 'sqlite') {
+    const sqliteDb = db.getDb();
+    // better-sqlite3 exposes .name as the file path of the opened database
+    const dbPath = sqliteDb.name;
+    // Close, copy, re-open would require server restart — use SQLite's deserialization
+    // For simplicity, copy the backup over the current DB file
+    sqliteDb.close();
+    fs.copyFileSync(src, dbPath);
+    logger.info(`Restored backup: ${src} → ${dbPath}`);
+    return { success: true, message: `Database restored from ${backupFile}. Server restart may be required.` };
+  }
+
+  if (DB_ENGINE === 'postgres') {
+    const args = [
+      '-h', process.env.DB_HOST || 'localhost',
+      '-p', process.env.DB_PORT || '5432',
+      '-U', process.env.DB_USERNAME || 'postgres',
+      '-d', process.env.DB_DATABASE || 'manifest',
+      '-f', src,
+    ];
+    execFileSync('psql', args, {
+      env: { ...process.env, PGPASSWORD: process.env.DB_PASSWORD || 'postgres' },
+      timeout: 120000,
+    });
+    logger.info(`Restored backup: ${src}`);
+    return { success: true, message: `Database restored from ${backupFile}` };
+  }
+
+  if (DB_ENGINE === 'mysql') {
+    const content = fs.readFileSync(src, 'utf-8');
+    const args = [
+      '-h', process.env.DB_HOST || 'localhost',
+      '-P', process.env.DB_PORT || '3306',
+      '-u', process.env.DB_USERNAME || 'root',
+      process.env.DB_DATABASE || 'manifest',
+    ];
+    const env = { ...process.env };
+    if (process.env.DB_PASSWORD) env.MYSQL_PWD = process.env.DB_PASSWORD;
+    execFileSync('mysql', args, { env, input: content, timeout: 120000 });
+    logger.info(`Restored backup: ${src}`);
+    return { success: true, message: `Database restored from ${backupFile}` };
+  }
+
+  return { success: false, message: `Unsupported database engine: ${DB_ENGINE}` };
+}
+
+/**
+ * List available backups.
+ *
+ * @param {object|null} backupCfg  Value of `core.backup` (may be null).
+ * @returns {Array<{ file: string, size: number, createdAt: string }>}
+ */
+function listBackups(backupCfg) {
+  const dir = getBackupDir(backupCfg);
+  if (!fs.existsSync(dir)) return [];
+
+  return fs.readdirSync(dir)
+    .filter((f) => f.startsWith('backup-'))
+    .map((f) => {
+      const stats = fs.statSync(path.join(dir, f));
+      return { file: f, size: stats.size, createdAt: stats.mtime.toISOString() };
+    })
+    .sort((a, b) => b.createdAt.localeCompare(a.createdAt)); // newest first
+}
+
+module.exports = {
+  getBackupDir,
+  createBackup,
+  restoreBackup,
+  listBackups,
+};

package/core/db.js

@@ -235,6 +235,10 @@ function buildColumnDefs(entity, allEntities) {
   if (entity.authenticable) {
     cols.push({ name: 'email',    def: `${q('email')} ${authStrType()} NOT NULL UNIQUE` });
     cols.push({ name: 'password', def: `${q('password')} ${authStrType()} NOT NULL` });
+    cols.push({ name: 'emailVerified',          def: `${q('emailVerified')} INTEGER DEFAULT 0` });
+    cols.push({ name: 'emailVerificationToken', def: `${q('emailVerificationToken')} TEXT` });
+    cols.push({ name: 'passwordResetToken',     def: `${q('passwordResetToken')} TEXT` });
+    cols.push({ name: 'passwordResetExpiry',    def: `${q('passwordResetExpiry')} TEXT` });
   }
 
   for (const p of entity.properties) {