npm - nobalmako - Versions diffs - 1.0.0 - Mend

nobalmako 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (123) hide show

package/README.md +112 -0
package/components.json +22 -0
package/dist/nobalmako.js +272 -0
package/drizzle/0000_pink_spiral.sql +126 -0
package/drizzle/meta/0000_snapshot.json +1027 -0
package/drizzle/meta/_journal.json +13 -0
package/drizzle.config.ts +10 -0
package/eslint.config.mjs +18 -0
package/next.config.ts +7 -0
package/package.json +80 -0
package/postcss.config.mjs +7 -0
package/public/file.svg +1 -0
package/public/globe.svg +1 -0
package/public/next.svg +1 -0
package/public/vercel.svg +1 -0
package/public/window.svg +1 -0
package/server/index.ts +118 -0
package/src/app/api/api-keys/[id]/route.ts +147 -0
package/src/app/api/api-keys/route.ts +151 -0
package/src/app/api/audit-logs/route.ts +84 -0
package/src/app/api/auth/forgot-password/route.ts +47 -0
package/src/app/api/auth/login/route.ts +99 -0
package/src/app/api/auth/logout/route.ts +15 -0
package/src/app/api/auth/me/route.ts +23 -0
package/src/app/api/auth/mfa/setup/route.ts +33 -0
package/src/app/api/auth/mfa/verify/route.ts +45 -0
package/src/app/api/auth/register/route.ts +140 -0
package/src/app/api/auth/reset-password/route.ts +52 -0
package/src/app/api/auth/update/route.ts +71 -0
package/src/app/api/auth/verify/route.ts +39 -0
package/src/app/api/environments/route.ts +227 -0
package/src/app/api/team-members/route.ts +385 -0
package/src/app/api/teams/route.ts +217 -0
package/src/app/api/variable-history/route.ts +218 -0
package/src/app/api/variables/route.ts +476 -0
package/src/app/api/webhooks/route.ts +77 -0
package/src/app/api-keys/APIKeysClient.tsx +316 -0
package/src/app/api-keys/page.tsx +10 -0
package/src/app/api-reference/page.tsx +324 -0
package/src/app/audit-log/AuditLogClient.tsx +229 -0
package/src/app/audit-log/page.tsx +10 -0
package/src/app/auth/forgot-password/page.tsx +121 -0
package/src/app/auth/login/LoginForm.tsx +145 -0
package/src/app/auth/login/page.tsx +11 -0
package/src/app/auth/register/RegisterForm.tsx +156 -0
package/src/app/auth/register/page.tsx +16 -0
package/src/app/auth/reset-password/page.tsx +160 -0
package/src/app/dashboard/DashboardClient.tsx +219 -0
package/src/app/dashboard/page.tsx +11 -0
package/src/app/docs/page.tsx +251 -0
package/src/app/favicon.ico +0 -0
package/src/app/globals.css +123 -0
package/src/app/layout.tsx +35 -0
package/src/app/page.tsx +231 -0
package/src/app/profile/ProfileClient.tsx +230 -0
package/src/app/profile/page.tsx +10 -0
package/src/app/project/[id]/ProjectDetailsClient.tsx +512 -0
package/src/app/project/[id]/page.tsx +17 -0
package/src/bin/nobalmako.ts +341 -0
package/src/components/ApiKeysManager.tsx +529 -0
package/src/components/AppLayout.tsx +193 -0
package/src/components/BulkActions.tsx +138 -0
package/src/components/CreateEnvironmentDialog.tsx +207 -0
package/src/components/CreateTeamDialog.tsx +174 -0
package/src/components/CreateVariableDialog.tsx +311 -0
package/src/components/DeleteEnvironmentDialog.tsx +104 -0
package/src/components/DeleteTeamDialog.tsx +112 -0
package/src/components/DeleteVariableDialog.tsx +103 -0
package/src/components/EditEnvironmentDialog.tsx +202 -0
package/src/components/EditMemberDialog.tsx +143 -0
package/src/components/EditTeamDialog.tsx +178 -0
package/src/components/EditVariableDialog.tsx +231 -0
package/src/components/ImportVariablesDialog.tsx +347 -0
package/src/components/InviteMemberDialog.tsx +191 -0
package/src/components/LeaveProjectDialog.tsx +111 -0
package/src/components/MFASettings.tsx +136 -0
package/src/components/ProjectDiff.tsx +123 -0
package/src/components/Providers.tsx +24 -0
package/src/components/RemoveMemberDialog.tsx +112 -0
package/src/components/SearchDialog.tsx +276 -0
package/src/components/SecurityOverview.tsx +92 -0
package/src/components/TeamMembersManager.tsx +103 -0
package/src/components/VariableHistoryDialog.tsx +265 -0
package/src/components/WebhooksManager.tsx +169 -0
package/src/components/ui/alert-dialog.tsx +160 -0
package/src/components/ui/alert.tsx +59 -0
package/src/components/ui/avatar.tsx +53 -0
package/src/components/ui/badge.tsx +46 -0
package/src/components/ui/button.tsx +62 -0
package/src/components/ui/card.tsx +92 -0
package/src/components/ui/checkbox.tsx +32 -0
package/src/components/ui/dialog.tsx +143 -0
package/src/components/ui/dropdown-menu.tsx +257 -0
package/src/components/ui/input.tsx +21 -0
package/src/components/ui/label.tsx +24 -0
package/src/components/ui/select.tsx +190 -0
package/src/components/ui/separator.tsx +28 -0
package/src/components/ui/sonner.tsx +37 -0
package/src/components/ui/switch.tsx +31 -0
package/src/components/ui/table.tsx +117 -0
package/src/components/ui/tabs.tsx +66 -0
package/src/components/ui/textarea.tsx +18 -0
package/src/hooks/use-api-keys.ts +95 -0
package/src/hooks/use-audit-logs.ts +58 -0
package/src/hooks/use-auth.tsx +121 -0
package/src/hooks/use-environments.ts +33 -0
package/src/hooks/use-project-permissions.ts +49 -0
package/src/hooks/use-team-members.ts +30 -0
package/src/hooks/use-teams.ts +33 -0
package/src/hooks/use-variables.ts +38 -0
package/src/lib/audit.ts +36 -0
package/src/lib/auth.ts +108 -0
package/src/lib/crypto.ts +39 -0
package/src/lib/db.ts +15 -0
package/src/lib/dynamic-providers.ts +19 -0
package/src/lib/email.ts +110 -0
package/src/lib/mail.ts +51 -0
package/src/lib/permissions.ts +51 -0
package/src/lib/schema.ts +240 -0
package/src/lib/seed.ts +107 -0
package/src/lib/utils.ts +6 -0
package/src/lib/webhooks.ts +42 -0
package/tsconfig.json +34 -0

package/README.md ADDED Viewed

@@ -0,0 +1,112 @@
+# Nobalmako - Secure Environment Variable Manager
+Nobalmako is a full-stack MVP designed to help developers and teams securely store, manage, and share secrets. It features end-to-end encryption for sensitive values and robust role-based access control.
+## Features
+- **End-to-End Security:** All environment variable values are encrypted using AES-256-CBC before storage.
+- **Projects & Environments:** Organize secrets by project and categorize them into `development`, `staging`, or `production`.
+- **Role-Based Access Control (RBAC):**
+  - `Owner`: Full control over the project and members.
+  - `Admin`: Manage members and secrets.
+  - `Developer`: View and manage secrets.
+  - `Viewer`: Read-only access to secrets.
+- **Audit Logs:** Track every action performed on your secrets for compliance and security.
+- **API Keys:** Secure programmatic access for CI/CD and CLI integrations.
+- **Variable History:** View and compare previous versions of any secret.
+## Nobalmako CLI
+Manage your secrets directly from your terminal or CI/CD pipeline.
+### Installation
+For global system-wide access:
+\`bash
+# Build the CLI
+npm run build:cli
+# Install globally
+npm install -g .
+\`
+Alternatively, run without installing using \`npx\`:
+\`bash
+# Build first
+npm run build:cli
+# Run via npx (from project root)
+npx nobalmako --help
+\`
+### Usage
+1. **Local Authentication:**
+   Authenticate your CLI once and it will remember your session:
+   \`bash
+   nobalmako login --email dev@nobalmako.com --password "your_password"
+   \`
+   Alternatively, use an API Token for CI/CD:
+   \`bash
+   export NOBALMAKO_TOKEN="nm_your_api_key_here"
+   \`
+2. **Pull Secrets:**
+   \`bash
+   nobalmako pull -p "Project Name" -e "production" -f ".env"
+   \`
+3. **Push Secrets:**
+   \`bash
+   nobalmako push -p "Project Name" -e "staging" -f ".env"
+   \`
+## Tech Stack
+- **Frontend:** Next.js 15, React, Tailwind CSS, Lucide Icons, Radix UI.
+- **Backend:** Node.js, Express (custom server), Next.js API Routes.
+- **Database:** PostgreSQL (using Drizzle ORM).
+- **Authentication:** JWT (JSON Web Tokens).
+## Setup Instructions
+### 1. Prerequisites
+- Node.js 18+
+- PostgreSQL database (or a Neon/Supabase project)
+### 2. Environment Variables
+Copy `.env.example` to `.env` and fill in the values:
+\`bash
+cp .env.example .env
+\`
+### 3. Installation
+\`bash
+npm install
+\`
+### 4. Database Setup
+\`bash
+# Push schema to database
+npx drizzle-kit push
+\`
+### 5. Running the Application
+\`bash
+# Development mode
+npm run dev
+# Build and Start
+npm run build
+npm start
+\`
+## Security Model
+1. **At-Rest:** Secrets are encrypted using AES-256-CBC. Even if the database is compromised, the values remain unreadable without the `ENCRYPTION_KEY`.
+2. **In-Transit:** All requests are handled via HTTPS (recommended for production).
+3. **Application Level:** RBAC is enforced on every API request. A `Viewer` cannot perform `POST/PUT/DELETE` operations on secrets.
+## License
+MIT

package/components.json ADDED Viewed

@@ -0,0 +1,22 @@
+{
+  "$schema": "https://ui.shadcn.com/schema.json",
+  "style": "new-york",
+  "rsc": true,
+  "tsx": true,
+  "tailwind": {
+    "config": "",
+    "css": "src/app/globals.css",
+    "baseColor": "neutral",
+    "cssVariables": true,
+    "prefix": ""
+  },
+  "iconLibrary": "lucide",
+  "aliases": {
+    "components": "@/components",
+    "utils": "@/lib/utils",
+    "ui": "@/components/ui",
+    "lib": "@/lib",
+    "hooks": "@/hooks"
+  },
+  "registries": {}
+}

package/dist/nobalmako.js ADDED Viewed

@@ -0,0 +1,272 @@
+#!/usr/bin/env node
+"use strict";
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+// src/bin/nobalmako.ts
+var import_commander = require("commander");
+var import_fs = __toESM(require("fs"));
+var import_path = __toESM(require("path"));
+var import_dotenv = __toESM(require("dotenv"));
+var import_os = __toESM(require("os"));
+var import_child_process = require("child_process");
+var import_enquirer = require("enquirer");
+var program = new import_commander.Command();
+var CONFIG_FILE = import_path.default.join(import_os.default.homedir(), ".nobalmako.json");
+var PROJECT_CONFIG = import_path.default.join(process.cwd(), "nobalmako.json");
+function saveConfig(config) {
+  const current = loadConfig();
+  import_fs.default.writeFileSync(CONFIG_FILE, JSON.stringify({ ...current, ...config }, null, 2));
+}
+function loadConfig() {
+  if (import_fs.default.existsSync(CONFIG_FILE)) {
+    return JSON.parse(import_fs.default.readFileSync(CONFIG_FILE, "utf-8"));
+  }
+  return {};
+}
+function loadProjectConfig() {
+  if (import_fs.default.existsSync(PROJECT_CONFIG)) {
+    return JSON.parse(import_fs.default.readFileSync(PROJECT_CONFIG, "utf-8"));
+  }
+  return {};
+}
+function getToken(optionsToken) {
+  const config = loadConfig();
+  return optionsToken || process.env.NOBALMAKO_TOKEN || config.token;
+}
+program.name("nobalmako").description("Securing your environment variables").version("1.0.0");
+program.command("login").description("Login to Nobalmako").option("--email <email>", "User email").option("--password <password>", "User password").option("--api-url <url>", "Base API URL", "http://localhost:3000/api").action(async (options) => {
+  let { email, password } = options;
+  if (!email) {
+    const response = await (0, import_enquirer.prompt)({
+      type: "input",
+      name: "email",
+      message: "Enter your email:"
+    });
+    email = response.email;
+  }
+  if (!password) {
+    const response = await (0, import_enquirer.prompt)({
+      type: "password",
+      name: "password",
+      message: "Enter your password:"
+    });
+    password = response.password;
+  }
+  try {
+    const response = await fetch(`${options.apiUrl}/auth/login`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ email, password })
+    });
+    if (!response.ok) {
+      throw new Error("Login failed. Please check your credentials.");
+    }
+    const data = await response.json();
+    saveConfig({ token: data.token, email: data.user.email });
+    console.log(`\x1B[32mSuccessfully logged in as ${data.user.email}!\x1B[0m`);
+  } catch (error) {
+    console.error(`\x1B[31mError:\x1B[0m ${error.message}`);
+    process.exit(1);
+  }
+});
+program.command("logout").description("Clear local credentials").action(() => {
+  if (import_fs.default.existsSync(CONFIG_FILE)) {
+    import_fs.default.unlinkSync(CONFIG_FILE);
+    console.log("\x1B[32mSuccessfully logged out.\x1B[0m");
+  } else {
+    console.log("You are not logged in.");
+  }
+});
+program.command("init").description("Initialize a local project configuration").option("-p, --project <project>", "Project name").option("-e, --env <environment>", "Default environment name").action(async (options) => {
+  let { project, env } = options;
+  if (!project) {
+    const response = await (0, import_enquirer.prompt)({
+      type: "input",
+      name: "project",
+      message: "Project name (slug):"
+    });
+    project = response.project;
+  }
+  if (!env) {
+    const response = await (0, import_enquirer.prompt)({
+      type: "input",
+      name: "env",
+      message: "Default environment (e.g. production):"
+    });
+    env = response.env;
+  }
+  import_fs.default.writeFileSync(PROJECT_CONFIG, JSON.stringify({ project, environment: env }, null, 2));
+  console.log(`\x1B[32mCreated nobalmako.json with defaults.\x1B[0m`);
+});
+program.command("pull").description("Pull environment variables from Nobalmako and save to .env").option("-p, --project <project>", "Project name").option("-e, --env <environment>", "Environment name (e.g. production, staging)").option("-f, --file <filename>", "Output filename").option("--api-url <url>", "Base API URL", "http://localhost:3000/api").option("-t, --token <token>", "API Token (overrides login)").action(async (options) => {
+  const token = getToken(options.token);
+  const pConfig = loadProjectConfig();
+  const project = options.project || pConfig.project;
+  const env = options.env || pConfig.environment;
+  const file = options.file || pConfig.file || ".env";
+  if (!token) {
+    console.error("\x1B[31mError: Not logged in.\x1B[0m Run \x1B[33mnobalmako login\x1B[0m or set \x1B[33mNOBALMAKO_TOKEN\x1B[0m.");
+    process.exit(1);
+  }
+  if (!project || !env) {
+    console.error("\x1B[31mError: Project and Environment are required.\x1B[0m Use \x1B[33mnobalmako init\x1B[0m or provide flags.");
+    process.exit(1);
+  }
+  console.log(`\x1B[34m[Nobalmako]\x1B[0m Fetching secrets for project \x1B[36m${project}\x1B[0m (\x1B[35m${env}\x1B[0m)...`);
+  try {
+    const response = await fetch(`${options.apiUrl}/variables?team=${encodeURIComponent(project)}&environment=${encodeURIComponent(env)}`, {
+      headers: {
+        "Authorization": `Bearer ${token}`
+      }
+    });
+    if (!response.ok) {
+      const errorData = await response.json();
+      throw new Error(errorData.error || `HTTP error! status: ${response.status}`);
+    }
+    const data = await response.json();
+    const variables = data.variables || [];
+    if (variables.length === 0) {
+      console.log("\x1B[33mNo variables found for this project and environment.\x1B[0m");
+      return;
+    }
+    let envContent = `# Generated by Nobalmako on ${(/* @__PURE__ */ new Date()).toISOString()}
+`;
+    variables.forEach((v) => {
+      if (v.description) {
+        envContent += `# ${v.description}
+`;
+      }
+      envContent += `${v.key}=${v.value}
+`;
+    });
+    const outputPath = import_path.default.resolve(process.cwd(), file);
+    import_fs.default.writeFileSync(outputPath, envContent);
+    console.log(`\x1B[32mSuccess!\x1B[0m Pulled ${variables.length} variables into \x1B[33m${file}\x1B[0m`);
+  } catch (error) {
+    console.error(`\x1B[31mPull failed:\x1B[0m ${error.message}`);
+    process.exit(1);
+  }
+});
+program.command("push").description("Push environment variables from a .env file to Nobalmako").option("-p, --project <project>", "Project name").option("-e, --env <environment>", "Environment name (e.g. production, staging)").option("-f, --file <filename>", "Input filename").option("-s, --secret", "Mark all variables as secret", false).option("--api-url <url>", "Base API URL", "http://localhost:3000/api").option("-t, --token <token>", "API Token (overrides login)").action(async (options) => {
+  const token = getToken(options.token);
+  const pConfig = loadProjectConfig();
+  const project = options.project || pConfig.project;
+  const env = options.env || pConfig.environment;
+  const file = options.file || pConfig.file || ".env";
+  if (!token) {
+    console.error("\x1B[31mError: Not logged in.\x1B[0m Run \x1B[33mnobalmako login\x1B[0m or set \x1B[33mNOBALMAKO_TOKEN\x1B[0m.");
+    process.exit(1);
+  }
+  if (!project || !env) {
+    console.error("\x1B[31mError: Project and Environment are required.\x1B[0m Use \x1B[33mnobalmako init\x1B[0m or provide flags.");
+    process.exit(1);
+  }
+  const inputPath = import_path.default.resolve(process.cwd(), file);
+  if (!import_fs.default.existsSync(inputPath)) {
+    console.error(`\x1B[31mError: File not found: ${file}\x1B[0m`);
+    process.exit(1);
+  }
+  const envContent = import_fs.default.readFileSync(inputPath, "utf-8");
+  const envVars = import_dotenv.default.parse(envContent);
+  const keys = Object.keys(envVars);
+  console.log(`\x1B[34m[Nobalmako]\x1B[0m Pushing ${keys.length} variables to \x1B[36m${project}\x1B[0m (\x1B[35m${env}\x1B[0m)...`);
+  try {
+    const envsResponse = await fetch(`${options.apiUrl}/environments`, {
+      headers: { "Authorization": `Bearer ${token}` }
+    });
+    if (!envsResponse.ok) throw new Error("Failed to fetch environments");
+    const envsData = await envsResponse.json();
+    const targetEnv = envsData.environments.find(
+      (e) => e.teamName === project && e.name === env
+    );
+    if (!targetEnv) {
+      throw new Error(`Could not find environment "${env}" for project "${project}".`);
+    }
+    let successCount = 0;
+    for (const [key, value] of Object.entries(envVars)) {
+      const response = await fetch(`${options.apiUrl}/variables`, {
+        method: "POST",
+        headers: {
+          "Authorization": `Bearer ${token}`,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          key,
+          value,
+          teamId: targetEnv.teamId,
+          environmentId: targetEnv.id,
+          isSecret: options.secret
+        })
+      });
+      if (response.ok) {
+        successCount++;
+        process.stdout.write(`\rProgress: ${successCount}/${keys.length}`);
+      }
+    }
+    console.log(`
+\x1B[32mSuccess!\x1B[0m Pushed ${successCount} variables to \x1B[33m${project}\x1B[0m`);
+  } catch (error) {
+    console.error(`\x1B[31mPush failed:\x1B[0m ${error.message}`);
+    process.exit(1);
+  }
+});
+program.command("run").description("Run a command with environment variables injected").argument("<command...>", "The command to execute").option("-p, --project <project>", "Project name").option("-e, --env <environment>", "Environment name").option("--api-url <url>", "Base API URL", "http://localhost:3000/api").option("-t, --token <token>", "API Token").action(async (commandArgs, options) => {
+  const token = getToken(options.token);
+  const pConfig = loadProjectConfig();
+  const project = options.project || pConfig.project;
+  const env = options.env || pConfig.environment;
+  if (!token) {
+    console.error("\x1B[31mError: Not logged in.\x1B[0m");
+    process.exit(1);
+  }
+  if (!project || !env) {
+    console.error("\x1B[31mError: Project and Environment are required.\x1B[0m");
+    process.exit(1);
+  }
+  try {
+    const response = await fetch(`${options.apiUrl}/variables?team=${encodeURIComponent(project)}&environment=${encodeURIComponent(env)}`, {
+      headers: { "Authorization": `Bearer ${token}` }
+    });
+    if (!response.ok) throw new Error("Failed to fetch variables");
+    const data = await response.json();
+    const variables = data.variables || [];
+    const newEnv = { ...process.env };
+    variables.forEach((v) => {
+      newEnv[v.key] = v.value;
+    });
+    const [cmd, ...args] = commandArgs;
+    const child = (0, import_child_process.spawn)(cmd, args, {
+      stdio: "inherit",
+      env: newEnv,
+      shell: true
+    });
+    child.on("exit", (code) => {
+      process.exit(code || 0);
+    });
+  } catch (error) {
+    console.error(`\x1B[31mRun failed:\x1B[0m ${error.message}`);
+    process.exit(1);
+  }
+});
+program.parse(process.argv);

package/drizzle/0000_pink_spiral.sql ADDED Viewed

@@ -0,0 +1,126 @@
+CREATE TABLE "api_keys" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid NOT NULL,
+	"team_id" uuid,
+	"name" text NOT NULL,
+	"key_hash" text NOT NULL,
+	"permissions" jsonb DEFAULT '["read"]'::jsonb,
+	"last_used" timestamp,
+	"expires_at" timestamp,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "audit_logs" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"user_id" uuid,
+	"team_id" uuid,
+	"action" text NOT NULL,
+	"resource_type" text NOT NULL,
+	"resource_id" uuid NOT NULL,
+	"old_value" jsonb,
+	"new_value" jsonb,
+	"ip_address" text,
+	"user_agent" text,
+	"created_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "environment_variables" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"team_id" uuid NOT NULL,
+	"environment_id" uuid NOT NULL,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"description" text,
+	"is_secret" boolean DEFAULT false,
+	"tags" jsonb,
+	"created_by" uuid NOT NULL,
+	"updated_by" uuid,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "environments" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"team_id" uuid NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"color" text DEFAULT '#3b82f6',
+	"is_default" boolean DEFAULT false,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "team_members" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"team_id" uuid NOT NULL,
+	"user_id" uuid NOT NULL,
+	"role" text DEFAULT 'developer' NOT NULL,
+	"joined_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "teams" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"name" text NOT NULL,
+	"description" text,
+	"color" text DEFAULT '#3b82f6',
+	"owner_id" uuid NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+CREATE TABLE "users" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"email" text NOT NULL,
+	"full_name" text NOT NULL,
+	"password" text NOT NULL,
+	"avatar" text,
+	"role" text DEFAULT 'user' NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL,
+	"updated_at" timestamp DEFAULT now() NOT NULL,
+	CONSTRAINT "users_email_unique" UNIQUE("email")
+);
+--> statement-breakpoint
+CREATE TABLE "variable_history" (
+	"id" uuid PRIMARY KEY DEFAULT gen_random_uuid() NOT NULL,
+	"variable_id" uuid NOT NULL,
+	"team_id" uuid NOT NULL,
+	"environment_id" uuid NOT NULL,
+	"key" text NOT NULL,
+	"value" text NOT NULL,
+	"description" text,
+	"is_secret" boolean DEFAULT false,
+	"changed_by" uuid NOT NULL,
+	"change_type" text NOT NULL,
+	"created_at" timestamp DEFAULT now() NOT NULL
+);
+--> statement-breakpoint
+ALTER TABLE "api_keys" ADD CONSTRAINT "api_keys_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "api_keys" ADD CONSTRAINT "api_keys_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE set null ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "audit_logs" ADD CONSTRAINT "audit_logs_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_variables" ADD CONSTRAINT "environment_variables_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_variables" ADD CONSTRAINT "environment_variables_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_variables" ADD CONSTRAINT "environment_variables_created_by_users_id_fk" FOREIGN KEY ("created_by") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environment_variables" ADD CONSTRAINT "environment_variables_updated_by_users_id_fk" FOREIGN KEY ("updated_by") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "environments" ADD CONSTRAINT "environments_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "team_members" ADD CONSTRAINT "team_members_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "team_members" ADD CONSTRAINT "team_members_user_id_users_id_fk" FOREIGN KEY ("user_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "teams" ADD CONSTRAINT "teams_owner_id_users_id_fk" FOREIGN KEY ("owner_id") REFERENCES "public"."users"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "variable_history" ADD CONSTRAINT "variable_history_variable_id_environment_variables_id_fk" FOREIGN KEY ("variable_id") REFERENCES "public"."environment_variables"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "variable_history" ADD CONSTRAINT "variable_history_team_id_teams_id_fk" FOREIGN KEY ("team_id") REFERENCES "public"."teams"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "variable_history" ADD CONSTRAINT "variable_history_environment_id_environments_id_fk" FOREIGN KEY ("environment_id") REFERENCES "public"."environments"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "variable_history" ADD CONSTRAINT "variable_history_changed_by_users_id_fk" FOREIGN KEY ("changed_by") REFERENCES "public"."users"("id") ON DELETE no action ON UPDATE no action;--> statement-breakpoint
+CREATE INDEX "api_keys_user_idx" ON "api_keys" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "api_keys_team_idx" ON "api_keys" USING btree ("team_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_user_idx" ON "audit_logs" USING btree ("user_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_team_idx" ON "audit_logs" USING btree ("team_id");--> statement-breakpoint
+CREATE INDEX "audit_logs_resource_idx" ON "audit_logs" USING btree ("resource_type","resource_id");--> statement-breakpoint
+CREATE INDEX "env_vars_team_env_idx" ON "environment_variables" USING btree ("team_id","environment_id");--> statement-breakpoint
+CREATE INDEX "env_vars_key_idx" ON "environment_variables" USING btree ("key");--> statement-breakpoint
+CREATE INDEX "env_vars_created_by_idx" ON "environment_variables" USING btree ("created_by");--> statement-breakpoint
+CREATE INDEX "environments_team_idx" ON "environments" USING btree ("team_id");--> statement-breakpoint
+CREATE INDEX "team_members_team_user_idx" ON "team_members" USING btree ("team_id","user_id");--> statement-breakpoint
+CREATE INDEX "teams_owner_idx" ON "teams" USING btree ("owner_id");--> statement-breakpoint
+CREATE INDEX "variable_history_variable_idx" ON "variable_history" USING btree ("variable_id");--> statement-breakpoint
+CREATE INDEX "variable_history_team_idx" ON "variable_history" USING btree ("team_id");