create-forgeon 0.3.15 → 0.3.17

package/templates/base/package.json

@@ -1,8 +1,8 @@
-{
-  "name": "forgeon",
-  "version": "0.1.0",
-  "private": true,
-  "packageManager": "pnpm@10.0.0",
+{
+  "name": "forgeon",
+  "version": "0.1.0",
+  "private": true,
+  "packageManager": "pnpm@10.0.0",
   "scripts": {
     "dev": "pnpm --parallel --filter @forgeon/api --filter @forgeon/web dev",
     "build": "pnpm -r build",
@@ -12,13 +12,19 @@
     "docker:down": "docker compose -f infra/docker/compose.yml down -v"
   },
   "pnpm": {
-    "onlyBuiltDependencies": [
-      "@nestjs/core",
-      "@prisma/client",
-      "@prisma/engines",
-      "esbuild",
-      "prisma"
-    ]
-  }
-}
-
+    "onlyBuiltDependencies": [
+      "@nestjs/core",
+      "@prisma/client",
+      "@prisma/engines",
+      "esbuild",
+      "prisma"
+    ]
+  },
+  "forgeon": {
+    "diagnostics": {
+      "probes": {
+        "enabled": true
+      }
+    }
+  }
+}

package/templates/base/scripts/forgeon-sync-integrations.mjs

@@ -2,303 +2,105 @@
 import fs from 'node:fs';
 import path from 'node:path';
 
-const PRISMA_AUTH_STORE_CONTENT = `import {
-  AuthRefreshTokenStore,
-} from '@forgeon/auth-api';
-import { PrismaService } from '@forgeon/db-prisma';
-import { Injectable } from '@nestjs/common';
+const ACCOUNTS_RBAC_MARKERS = {
+  start: '<!-- forgeon:accounts:rbac:start -->',
+  end: '<!-- forgeon:accounts:rbac:end -->',
+};
 
-@Injectable()
-export class PrismaAuthRefreshTokenStore implements AuthRefreshTokenStore {
-  readonly kind = 'prisma';
+const ACCOUNTS_RBAC_ENABLED_BLOCK =
+  '- RBAC compatibility sync: contracts and JWT payload surfaces are prepared for optional RBAC claims, while the base accounts schema remains free of roles and permissions.';
 
-  constructor(private readonly prisma: PrismaService) {}
-
-  async saveRefreshTokenHash(subject: string, hash: string): Promise<void> {
-    await this.prisma.user.upsert({
-      where: { email: subject },
-      create: { email: subject, refreshTokenHash: hash },
-      update: { refreshTokenHash: hash },
-      select: { id: true },
-    });
-  }
-
-  async getRefreshTokenHash(subject: string): Promise<string | null> {
-    const user = await this.prisma.user.findUnique({
-      where: { email: subject },
-      select: { refreshTokenHash: true },
-    });
-    return user?.refreshTokenHash ?? null;
-  }
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 
-  async removeRefreshTokenHash(subject: string): Promise<void> {
-    await this.prisma.user.updateMany({
-      where: { email: subject },
-      data: { refreshTokenHash: null },
-    });
+function replaceReadmeManagedBlock(content, startMarker, endMarker, nextBody) {
+  const pattern = new RegExp(`${escapeRegExp(startMarker)}\\n[\\s\\S]*?\\n${escapeRegExp(endMarker)}`);
+  if (!pattern.test(content)) {
+    return content;
   }
+  return content.replace(pattern, `${startMarker}\n${nextBody}\n${endMarker}`);
 }
-`;
-
-const PRISMA_AUTH_MIGRATION_CONTENT = `-- AlterTable
-ALTER TABLE "User"
-ADD COLUMN "refreshTokenHash" TEXT;
-`;
-
-const AUTH_PERSISTENCE_STRATEGIES = [
-  {
-    id: 'db-prisma',
-    providerLabel: 'db-prisma',
-    isDetected: (detected) => detected.dbPrisma,
-    apply: syncJwtDbPrisma,
-  },
-];
 
 function detectModules(rootDir) {
   const appModulePath = path.join(rootDir, 'apps', 'api', 'src', 'app.module.ts');
   const appModuleText = fs.existsSync(appModulePath) ? fs.readFileSync(appModulePath, 'utf8') : '';
 
   return {
-    jwtAuth:
-      fs.existsSync(path.join(rootDir, 'packages', 'auth-api', 'package.json')) ||
-      appModuleText.includes("from '@forgeon/auth-api'"),
+    accounts:
+      fs.existsSync(path.join(rootDir, 'packages', 'accounts-api', 'package.json')) ||
+      appModuleText.includes("from '@forgeon/accounts-api'"),
     rbac:
       fs.existsSync(path.join(rootDir, 'packages', 'rbac', 'package.json')) ||
       appModuleText.includes("from '@forgeon/rbac'"),
-    dbPrisma:
-      fs.existsSync(path.join(rootDir, 'packages', 'db-prisma', 'package.json')) ||
-      appModuleText.includes("from '@forgeon/db-prisma'"),
   };
 }
 
-function ensureLineAfter(content, anchorLine, lineToInsert) {
-  if (content.includes(lineToInsert)) {
-    return content;
-  }
-  const index = content.indexOf(anchorLine);
-  if (index < 0) {
-    return `${content.trimEnd()}\n${lineToInsert}\n`;
-  }
-  const insertAt = index + anchorLine.length;
-  return `${content.slice(0, insertAt)}\n${lineToInsert}${content.slice(insertAt)}`;
-}
-
-function resolveAuthPersistenceStrategy(detected) {
-  const matched = AUTH_PERSISTENCE_STRATEGIES.filter((strategy) => strategy.isDetected(detected));
-  if (matched.length === 0) {
-    return { kind: 'none' };
-  }
-  if (matched.length > 1) {
-    return { kind: 'conflict', strategies: matched };
-  }
-  return { kind: 'single', strategy: matched[0] };
-}
-
-function syncJwtDbPrisma({ rootDir, changedFiles }) {
-  const appModulePath = path.join(rootDir, 'apps', 'api', 'src', 'app.module.ts');
-  const schemaPath = path.join(rootDir, 'apps', 'api', 'prisma', 'schema.prisma');
-  const storePath = path.join(rootDir, 'apps', 'api', 'src', 'auth', 'prisma-auth-refresh-token.store.ts');
-  const migrationPath = path.join(
-    rootDir,
-    'apps',
-    'api',
-    'prisma',
-    'migrations',
-    '0002_auth_refresh_token_hash',
-    'migration.sql',
-  );
+function syncAccountsRbac(rootDir, changedFiles) {
+  const contractsPath = path.join(rootDir, 'packages', 'accounts-contracts', 'src', 'index.ts');
+  const authTypesPath = path.join(rootDir, 'packages', 'accounts-api', 'src', 'auth.types.ts');
   const readmePath = path.join(rootDir, 'README.md');
 
-  if (!fs.existsSync(appModulePath) || !fs.existsSync(schemaPath)) {
-    return { applied: false, reason: 'app module or prisma schema is missing' };
+  if (!fs.existsSync(contractsPath) || !fs.existsSync(authTypesPath) || !fs.existsSync(readmePath)) {
+    return { applied: false, reason: 'accounts package files are missing' };
   }
 
   let touched = false;
 
-  if (!fs.existsSync(storePath)) {
-    fs.mkdirSync(path.dirname(storePath), { recursive: true });
-    fs.writeFileSync(storePath, PRISMA_AUTH_STORE_CONTENT, 'utf8');
-    changedFiles.add(storePath);
-    touched = true;
-  }
-
-  let appModule = fs.readFileSync(appModulePath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAppModule = appModule;
-
-  if (!appModule.includes("AUTH_REFRESH_TOKEN_STORE, authConfig")) {
-    appModule = appModule.replace(
-      /import\s*\{\s*authConfig,\s*authEnvSchema,\s*ForgeonAuthModule\s*\}\s*from '@forgeon\/auth-api';/m,
-      "import { AUTH_REFRESH_TOKEN_STORE, authConfig, authEnvSchema, ForgeonAuthModule } from '@forgeon/auth-api';",
+  let contracts = fs.readFileSync(contractsPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalContracts = contracts;
+  if (!contracts.includes('roles?: string[];')) {
+    contracts = contracts.replace(
+      "  type: 'access';",
+      "  type: 'access';\n  roles?: string[];\n  permissions?: string[];",
     );
   }
-
-  const storeImportLine = "import { PrismaAuthRefreshTokenStore } from './auth/prisma-auth-refresh-token.store';";
-  if (!appModule.includes(storeImportLine)) {
-    appModule = ensureLineAfter(
-      appModule,
-      "import { HealthController } from './health/health.controller';",
-      storeImportLine,
-    );
-  }
-
-  if (!appModule.includes('refreshTokenStoreProvider')) {
-    appModule = appModule.replace(
-      /ForgeonAuthModule\.register\(\),/m,
-      `ForgeonAuthModule.register({
-      imports: [DbPrismaModule],
-      refreshTokenStoreProvider: {
-        provide: AUTH_REFRESH_TOKEN_STORE,
-        useClass: PrismaAuthRefreshTokenStore,
-      },
-    }),`,
+  if (!contracts.includes("jti: string;\n  type: 'refresh';\n  roles?: string[];")) {
+    contracts = contracts.replace(
+      "  jti: string;\n  type: 'refresh';",
+      "  jti: string;\n  type: 'refresh';\n  roles?: string[];\n  permissions?: string[];",
     );
   }
-
-  if (appModule !== originalAppModule) {
-    fs.writeFileSync(appModulePath, `${appModule.trimEnd()}\n`, 'utf8');
-    changedFiles.add(appModulePath);
-    touched = true;
-  }
-
-  let schema = fs.readFileSync(schemaPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalSchema = schema;
-  if (!schema.includes('refreshTokenHash')) {
-    schema = schema.replace(/email\s+String\s+@unique/g, 'email            String   @unique\n  refreshTokenHash String?');
-  }
-  if (schema !== originalSchema) {
-    fs.writeFileSync(schemaPath, `${schema.trimEnd()}\n`, 'utf8');
-    changedFiles.add(schemaPath);
+  if (contracts !== originalContracts) {
+    fs.writeFileSync(contractsPath, `${contracts.trimEnd()}\n`, 'utf8');
+    changedFiles.add(contractsPath);
     touched = true;
   }
 
-  if (!fs.existsSync(migrationPath)) {
-    fs.mkdirSync(path.dirname(migrationPath), { recursive: true });
-    fs.writeFileSync(migrationPath, PRISMA_AUTH_MIGRATION_CONTENT, 'utf8');
-    changedFiles.add(migrationPath);
-    touched = true;
-  }
-
-  if (fs.existsSync(readmePath)) {
-    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
-    const originalReadme = readme;
-    readme = readme.replace(
-      '- refresh token persistence: disabled by default (stateless mode; enable it later through a `db-adapter` provider + integration sync)',
-      '- refresh token persistence: enabled through the `db-adapter` capability (current provider: `db-prisma`)',
-    );
-    readme = readme.replace(
-      /- to enable persistence later:[\s\S]*?2\. run `pnpm forgeon:sync-integrations` to wire auth persistence to the active DB adapter implementation\./m,
-      '- migration: `apps/api/prisma/migrations/0002_auth_refresh_token_hash`',
+  let authTypes = fs.readFileSync(authTypesPath, 'utf8').replace(/\r\n/g, '\n');
+  const originalAuthTypes = authTypes;
+  if (!authTypes.includes('roles?: string[];')) {
+    authTypes = authTypes.replace(
+      "  exp?: number;",
+      "  exp?: number;\n  roles?: string[];\n  permissions?: string[];",
     );
-    if (readme !== originalReadme) {
-      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
-      changedFiles.add(readmePath);
-      touched = true;
-    }
-  }
-
-  if (!touched) {
-    return { applied: false, reason: 'already synced' };
-  }
-  return { applied: true };
-}
-
-function syncJwtRbacClaims({ rootDir, changedFiles }) {
-  const authContractsPath = path.join(rootDir, 'packages', 'auth-contracts', 'src', 'index.ts');
-  const authServicePath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.service.ts');
-  const authControllerPath = path.join(rootDir, 'packages', 'auth-api', 'src', 'auth.controller.ts');
-  const readmePath = path.join(rootDir, 'README.md');
-
-  if (!fs.existsSync(authContractsPath) || !fs.existsSync(authServicePath) || !fs.existsSync(authControllerPath)) {
-    return { applied: false, reason: 'auth package files are missing' };
   }
-
-  let touched = false;
-
-  let authContracts = fs.readFileSync(authContractsPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthContracts = authContracts;
-  if (!authContracts.includes('permissions?: string[];')) {
-    authContracts = authContracts.replace(
-      '  roles: string[];',
-      `  roles: string[];
-  permissions?: string[];`,
+  if (authTypes.includes('export interface AuthRefreshTokenPayload extends AuthRefreshClaims {') && !authTypes.includes("AuthRefreshTokenPayload extends AuthRefreshClaims {\n  iat?: number;\n  exp?: number;\n  roles?: string[];")) {
+    authTypes = authTypes.replace(
+      "export interface AuthRefreshTokenPayload extends AuthRefreshClaims {\n  iat?: number;\n  exp?: number;\n}",
+      "export interface AuthRefreshTokenPayload extends AuthRefreshClaims {\n  iat?: number;\n  exp?: number;\n  roles?: string[];\n  permissions?: string[];\n}",
     );
   }
-  if (authContracts !== originalAuthContracts) {
-    fs.writeFileSync(authContractsPath, `${authContracts.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authContractsPath);
+  if (authTypes !== originalAuthTypes) {
+    fs.writeFileSync(authTypesPath, `${authTypes.trimEnd()}\n`, 'utf8');
+    changedFiles.add(authTypesPath);
     touched = true;
   }
 
-  let authService = fs.readFileSync(authServicePath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthService = authService;
-  authService = authService.replace(
-    /roles: \['user'\],/g,
-    `roles: ['admin'],
-      permissions: ['health.rbac'],`,
+  let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
+  const originalReadme = readme;
+  readme = replaceReadmeManagedBlock(
+    readme,
+    ACCOUNTS_RBAC_MARKERS.start,
+    ACCOUNTS_RBAC_MARKERS.end,
+    ACCOUNTS_RBAC_ENABLED_BLOCK,
   );
-  if (!authService.includes('permissions: user.permissions,')) {
-    authService = authService.replace(
-      '      roles: user.roles,',
-      `      roles: user.roles,
-      permissions: user.permissions,`,
-    );
-  }
-  if (!authService.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
-    authService = authService.replace(
-      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
-      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
-      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
-    );
-  }
-  if (!authService.includes('demoPermissions: [')) {
-    authService = authService.replace(
-      "      demoEmail: this.configService.demoEmail,",
-      `      demoEmail: this.configService.demoEmail,
-      demoPermissions: ['health.rbac'],`,
-    );
-  }
-  if (authService !== originalAuthService) {
-    fs.writeFileSync(authServicePath, `${authService.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authServicePath);
+  if (readme !== originalReadme) {
+    fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
+    changedFiles.add(readmePath);
     touched = true;
   }
 
-  let authController = fs.readFileSync(authControllerPath, 'utf8').replace(/\r\n/g, '\n');
-  const originalAuthController = authController;
-  if (!authController.includes('permissions: Array.isArray(payload.permissions) ? payload.permissions : [],')) {
-    authController = authController.replace(
-      "      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],",
-      `      roles: Array.isArray(payload.roles) ? payload.roles : ['user'],
-      permissions: Array.isArray(payload.permissions) ? payload.permissions : [],`,
-    );
-  }
-  if (authController !== originalAuthController) {
-    fs.writeFileSync(authControllerPath, `${authController.trimEnd()}\n`, 'utf8');
-    changedFiles.add(authControllerPath);
-    touched = true;
-  }
-
-  if (fs.existsSync(readmePath)) {
-    let readme = fs.readFileSync(readmePath, 'utf8').replace(/\r\n/g, '\n');
-    const originalReadme = readme;
-    if (!readme.includes('- RBAC integration: demo auth tokens include `health.rbac` permission')) {
-      const marker = 'Default demo credentials:';
-      if (readme.includes(marker)) {
-        readme = readme.replace(
-          marker,
-          `- RBAC integration: demo auth tokens include \`health.rbac\` permission
-
-Default demo credentials:`,
-        );
-      }
-    }
-    if (readme !== originalReadme) {
-      fs.writeFileSync(readmePath, `${readme.trimEnd()}\n`, 'utf8');
-      changedFiles.add(readmePath);
-      touched = true;
-    }
-  }
-
   if (!touched) {
     return { applied: false, reason: 'already synced' };
   }
@@ -307,35 +109,18 @@ Default demo credentials:`,
 
 function run() {
   const rootDir = process.cwd();
-  const changedFiles = new Set();
   const detected = detectModules(rootDir);
+  const changedFiles = new Set();
   const summary = [];
-  const authPersistence = resolveAuthPersistenceStrategy(detected);
-
-  if (detected.jwtAuth && authPersistence.kind === 'single') {
-    summary.push({
-      feature: `jwt-auth + db-adapter (current provider: ${authPersistence.strategy.providerLabel})`,
-      result: authPersistence.strategy.apply({ rootDir, changedFiles }),
-    });
-  } else {
-    const reason =
-      authPersistence.kind === 'conflict'
-        ? 'multiple db-adapter providers detected'
-        : 'required components are not both available';
-    summary.push({
-      feature: 'jwt-auth + db-adapter (current provider: db-prisma)',
-      result: { applied: false, reason },
-    });
-  }
 
-  if (detected.jwtAuth && detected.rbac) {
+  if (detected.accounts && detected.rbac) {
     summary.push({
-      feature: 'jwt-auth + rbac',
-      result: syncJwtRbacClaims({ rootDir, changedFiles }),
+      feature: 'accounts + rbac',
+      result: syncAccountsRbac(rootDir, changedFiles),
     });
   } else {
     summary.push({
-      feature: 'jwt-auth + rbac',
+      feature: 'accounts + rbac',
       result: { applied: false, reason: 'required components are not both available' },
     });
   }
@@ -352,10 +137,9 @@ function run() {
   if (changedFiles.size > 0) {
     console.log('- changed files:');
     for (const filePath of [...changedFiles].sort()) {
-      const relative = path.relative(rootDir, filePath);
-      console.log(`  - ${relative}`);
+      console.log(`  - ${path.relative(rootDir, filePath)}`);
     }
   }
 }
 
-run();
+run();

package/templates/module-fragments/{jwt-auth → accounts}/00_title.md

@@ -1 +1,2 @@
-# MODULE: {{MODULE_LABEL}}
+# MODULE: {{MODULE_LABEL}}
+

package/templates/module-fragments/{jwt-auth → accounts}/10_overview.md

@@ -1,6 +1,6 @@
-## Overview
-
-- Id: `{{MODULE_ID}}`
-- Category: `{{MODULE_CATEGORY}}`
-- Status: {{MODULE_STATUS}}
+## Overview
+
+- Id: `{{MODULE_ID}}`
+- Category: `{{MODULE_CATEGORY}}`
+- Status: {{MODULE_STATUS}}
 - Description: {{MODULE_DESCRIPTION}}

package/templates/module-fragments/accounts/20_scope.md

@@ -0,0 +1,29 @@
+## Scope
+
+Implemented scope:
+
+1. Public installer surface:
+   - single umbrella add-module: `accounts`
+   - requires `db-adapter`
+2. Internal runtime split:
+   - `@forgeon/accounts-contracts`
+   - `@forgeon/accounts-api`
+   - users core, auth core, auth-jwt, auth-password, email stub port/adapter
+3. API runtime:
+   - `POST /api/auth/register`
+   - `POST /api/auth/login`
+   - `POST /api/auth/refresh`
+   - `POST /api/auth/logout`
+   - `GET /api/auth/me`
+   - `POST /api/auth/change-password`
+   - stub endpoints for verify-email and password reset
+4. Users surface:
+   - owner-scoped routes under `/api/users/:id`, `/api/users/:id/profile`, `/api/users/:id/settings`
+   - `/users/me` is resolved through the same owner-scoped route surface
+5. Persistence and security:
+   - DB-backed `User`, `UserProfile`, `UserSettings`, `AuthIdentity`, `AuthCredential`, `AuthRefreshToken`
+   - argon2 for password and refresh-token hashing
+   - refresh token rotation + revoke with per-token storage rows
+6. Module checks:
+   - API probe endpoint: `GET /api/health/auth`
+   - default web probe button + result block

package/templates/module-fragments/accounts/90_status_implemented.md

@@ -0,0 +1,8 @@
+## Current State
+
+Status: implemented.
+
+Notes:
+- `accounts` is a hard consumer of the `db-adapter` capability.
+- The base accounts schema does not store RBAC roles or permissions.
+- Email verification and password reset are routed through an internal email stub boundary until the public `emails` module is implemented.

package/templates/module-fragments/accounts/90_status_planned.md

@@ -0,0 +1,7 @@
+## Current State
+
+Status: planned.
+
+Notes:
+- public provider add-modules and DB-backed RBAC authz storage are intentionally deferred
+- the future `emails` module is expected to plug into the existing `AccountsEmailPort`

package/templates/module-fragments/rbac/30_what_it_adds.md

@@ -12,5 +12,6 @@ This module is backend-first. It does not include frontend route guards. If fron
 
 Optional integration:
 
-- `jwt-auth` can extend demo JWT claims with RBAC permissions through `pnpm forgeon:sync-integrations`
-- this module does not require `jwt-auth` to install or work for header-based/manual probe checks
+- `accounts` can extend demo JWT claims with RBAC permissions through `pnpm forgeon:sync-integrations`
+- this module does not require `accounts` to install or work for header-based/manual probe checks
+

package/templates/module-fragments/rbac/40_how_it_works.md

@@ -21,5 +21,6 @@ Failure path:
 
 Integration note:
 
-- if `jwt-auth` is also installed, the optional `auth-rbac-claims` integration can expose demo permissions inside JWT payloads
+- if `accounts` is also installed, the optional `accounts-rbac` integration can expose demo permissions inside JWT payloads
 - that integration is explicit and is applied through `pnpm forgeon:sync-integrations`
+

package/templates/module-fragments/rbac/50_how_to_use.md

@@ -20,5 +20,6 @@ Manual forbidden-path check:
 
 Optional follow-up:
 
-1. install `jwt-auth` if you want RBAC claims in demo JWT payloads
+1. install `accounts` if you want RBAC claims in demo JWT payloads
 2. run `pnpm forgeon:sync-integrations`
+

package/templates/module-fragments/swagger/20_scope.md

@@ -14,4 +14,5 @@
 Not included:
 
 - no auto-patching of Swagger decorators into feature modules
-- no implicit integration with `jwt-auth` or other add-modules
+- no implicit integration with `accounts` or other add-modules
+

package/templates/module-presets/accounts/apps/api/prisma/migrations/0002_accounts_core/migration.sql

@@ -0,0 +1,97 @@
+-- CreateEnum
+-- no enum is required in v1
+
+-- AlterTable
+ALTER TABLE "User"
+DROP COLUMN IF EXISTS "email",
+ADD COLUMN IF NOT EXISTS "status" TEXT NOT NULL DEFAULT 'active',
+ADD COLUMN IF NOT EXISTS "data" JSONB,
+ADD COLUMN IF NOT EXISTS "deletedAt" TIMESTAMP(3),
+ADD COLUMN IF NOT EXISTS "updatedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP;
+
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "UserProfile" (
+  "userId" TEXT NOT NULL,
+  "name" TEXT,
+  "avatar" TEXT,
+  "data" JSONB,
+  CONSTRAINT "UserProfile_pkey" PRIMARY KEY ("userId")
+);
+
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "UserSettings" (
+  "userId" TEXT NOT NULL,
+  "theme" TEXT,
+  "locale" TEXT,
+  "data" JSONB,
+  CONSTRAINT "UserSettings_pkey" PRIMARY KEY ("userId")
+);
+
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "AuthIdentity" (
+  "id" TEXT NOT NULL,
+  "userId" TEXT NOT NULL,
+  "provider" TEXT NOT NULL,
+  "providerId" TEXT NOT NULL,
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "AuthIdentity_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "AuthCredential" (
+  "id" TEXT NOT NULL,
+  "userId" TEXT NOT NULL,
+  "passwordHash" TEXT NOT NULL,
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "AuthCredential_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE IF NOT EXISTS "AuthRefreshToken" (
+  "id" TEXT NOT NULL,
+  "userId" TEXT NOT NULL,
+  "tokenHash" TEXT NOT NULL,
+  "expiresAt" TIMESTAMP(3) NOT NULL,
+  "revokedAt" TIMESTAMP(3),
+  "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  CONSTRAINT "AuthRefreshToken_pkey" PRIMARY KEY ("id")
+);
+
+-- Indexes
+CREATE UNIQUE INDEX IF NOT EXISTS "AuthIdentity_provider_providerId_key" ON "AuthIdentity"("provider", "providerId");
+CREATE UNIQUE INDEX IF NOT EXISTS "AuthCredential_userId_key" ON "AuthCredential"("userId");
+CREATE INDEX IF NOT EXISTS "AuthRefreshToken_userId_createdAt_idx" ON "AuthRefreshToken"("userId", "createdAt");
+
+-- Foreign keys
+DO $$
+BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'UserProfile_userId_fkey') THEN
+    ALTER TABLE "UserProfile"
+    ADD CONSTRAINT "UserProfile_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'UserSettings_userId_fkey') THEN
+    ALTER TABLE "UserSettings"
+    ADD CONSTRAINT "UserSettings_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'AuthIdentity_userId_fkey') THEN
+    ALTER TABLE "AuthIdentity"
+    ADD CONSTRAINT "AuthIdentity_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'AuthCredential_userId_fkey') THEN
+    ALTER TABLE "AuthCredential"
+    ADD CONSTRAINT "AuthCredential_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'AuthRefreshToken_userId_fkey') THEN
+    ALTER TABLE "AuthRefreshToken"
+    ADD CONSTRAINT "AuthRefreshToken_userId_fkey"
+    FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+  END IF;
+END $$;