nobalmako 1.0.0

package/src/lib/auth.ts

@@ -0,0 +1,108 @@
+import jwt from 'jsonwebtoken';
+import { cookies, headers } from 'next/headers';
+import { db } from '@/lib/db';
+import { users, apiKeys } from '@/lib/schema';
+import { eq } from 'drizzle-orm';
+import bcrypt from 'bcryptjs';
+
+const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key';
+
+export interface AuthUser {
+  id: string;
+  name: string;
+  email: string;
+  avatar?: string | null;
+}
+
+export async function getUserFromToken(): Promise<AuthUser | null> {
+  try {
+    const headerList = await headers();
+    const authHeader = headerList.get('Authorization');
+    
+    // Check for API Key first (Bearer nm_...)
+    if (authHeader && authHeader.startsWith('Bearer nm_')) {
+      const apiKeyString = authHeader.replace('Bearer ', '');
+      
+      // In a real production app with many keys, we'd use a faster lookup (like a prefix or hint)
+      // but for this implementation we'll fetch all keys and verify (or use a better strategy if possible)
+      // Since we hash with bcrypt, we can't search by index. 
+      // Optimization: we could store a non-hashed hint/prefix to narrow it down.
+      // But for now, we'll fetch all and check.
+      const allKeys = await db.select().from(apiKeys);
+      
+      for (const keyRecord of allKeys) {
+        const isValid = await bcrypt.compare(apiKeyString, keyRecord.keyHash);
+        if (isValid) {
+          // Verify expiry
+          if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
+            continue;
+          }
+
+          // IP Whitelisting
+          const userIp = headerList.get('x-forwarded-for')?.split(',')[0] || headerList.get('x-real-ip');
+          if (keyRecord.allowedIps && keyRecord.allowedIps.length > 0) {
+            if (!userIp || !keyRecord.allowedIps.includes(userIp)) {
+              console.warn(`Blocked request from ${userIp} for API key ${keyRecord.id}`);
+              continue;
+            }
+          }
+
+          // Fetch the user
+          const [user] = await db
+            .select({
+              id: users.id,
+              name: users.name,
+              email: users.email,
+              avatar: users.avatar,
+            })
+            .from(users)
+            .where(eq(users.id, keyRecord.userId))
+            .limit(1);
+
+          if (user) {
+            // Update last used
+            await db.update(apiKeys)
+              .set({ lastUsed: new Date() })
+              .where(eq(apiKeys.id, keyRecord.id));
+            
+            return user;
+          }
+        }
+      }
+    }
+
+    // Fallback to cookie-based JWT
+    const cookieStore = await cookies();
+    const token = cookieStore.get('auth-token')?.value;
+
+    if (!token) {
+      return null;
+    }
+
+    const decoded = jwt.verify(token, JWT_SECRET) as { userId: string; email: string };
+
+    const [user] = await db
+      .select({
+        id: users.id,
+        name: users.name,
+        email: users.email,
+        avatar: users.avatar,
+      })
+      .from(users)
+      .where(eq(users.id, decoded.userId))
+      .limit(1);
+
+    return user || null;
+  } catch (error) {
+    console.error('Token verification error:', error);
+    return null;
+  }
+}
+
+export function verifyToken(token: string): { userId: number; email: string } | null {
+  try {
+    return jwt.verify(token, JWT_SECRET) as { userId: number; email: string };
+  } catch (_error) {
+    return null;
+  }
+}

package/src/lib/crypto.ts

@@ -0,0 +1,39 @@
+import crypto from 'crypto';
+
+const ALGORITHM = 'aes-256-cbc';
+const IV_LENGTH = 16; // For AES, this is always 16
+
+function getEncryptionKey() {
+  const key = process.env.ENCRYPTION_KEY;
+  if (!key) {
+    throw new Error('ENCRYPTION_KEY is not set in environment variables');
+  }
+  return key;
+}
+
+export function encrypt(text: string): string {
+  const key = getEncryptionKey();
+  const iv = crypto.randomBytes(IV_LENGTH);
+  const cipher = crypto.createCipheriv(ALGORITHM, Buffer.from(key, 'hex'), iv);
+  let encrypted = cipher.update(text);
+  encrypted = Buffer.concat([encrypted, cipher.final()]);
+  return iv.toString('hex') + ':' + encrypted.toString('hex');
+}
+
+export function decrypt(text: string): string {
+  const key = getEncryptionKey();
+  try {
+    const textParts = text.split(':');
+    const iv = Buffer.from(textParts.shift()!, 'hex');
+    const encryptedText = Buffer.from(textParts.join(':'), 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, Buffer.from(key, 'hex'), iv);
+    let decrypted = decipher.update(encryptedText);
+    decrypted = Buffer.concat([decrypted, decipher.final()]);
+    return decrypted.toString();
+  } catch (error) {
+    console.error('Decryption failed:', error);
+    // If decryption fails, return the original text as fallback (for migration)
+    // In a real app, you might want to handle this differently
+    return text;
+  }
+}

package/src/lib/db.ts

@@ -0,0 +1,15 @@
+import { drizzle } from 'drizzle-orm/neon-serverless'
+import { Pool } from '@neondatabase/serverless'
+import * as schema from './schema'
+import 'dotenv/config'
+
+const connectionString = process.env.DATABASE_URL
+if (!connectionString) {
+  throw new Error('DATABASE_URL is not set')
+}
+
+// Neon Serverless Pool supports transactions over WebSockets
+const pool = new Pool({ connectionString })
+export const db = drizzle(pool, { schema })
+
+export type DB = typeof db

package/src/lib/dynamic-providers.ts

@@ -0,0 +1,19 @@
+export async function resolveDynamicSecret(v: any) {
+  if (!v.isDynamic || !v.provider) return v.value;
+
+  try {
+    switch (v.provider) {
+      case 'aws':
+        // Mocking AWS SM call
+        return `dynamic-aws-resolved-${v.key}-value`;
+      case 'vault':
+        // Mocking Hashicorp Vault call
+        return `dynamic-vault-resolved-${v.key}-value`;
+      default:
+        return v.value;
+    }
+  } catch (error) {
+    console.error(`Failed to resolve dynamic secret ${v.id}:`, error);
+    return 'REF_ERROR: Failed to resolve dynamic secret';
+  }
+}

package/src/lib/email.ts

@@ -0,0 +1,110 @@
+import nodemailer from 'nodemailer';
+
+// SMTP Configuration from environment variables
+const SMTP_HOST = process.env.SMTP_HOST || 'smtp.mailtrap.io';
+const SMTP_PORT = parseInt(process.env.SMTP_PORT || '2525');
+const SMTP_USER = process.env.SMTP_USER || '';
+const SMTP_PASS = process.env.SMTP_PASS || '';
+const FROM_EMAIL = process.env.FROM_EMAIL || 'noreply@nobalmako.com';
+
+const transporter = nodemailer.createTransport({
+  host: SMTP_HOST,
+  port: SMTP_PORT,
+  secure: SMTP_PORT === 465, // true for 465, false for other ports
+  auth: {
+    user: SMTP_USER,
+    pass: SMTP_PASS,
+  },
+});
+
+export async function sendEmail({ to, subject, html, text }: { to: string; subject: string; html: string; text?: string }) {
+  try {
+    const info = await transporter.sendMail({
+      from: `"Nobalmako" <${FROM_EMAIL}>`,
+      to,
+      subject,
+      text: text || subject, // Fallback if html not supported
+      html,
+    });
+    console.log('Email sent: %s', info.messageId);
+    return { success: true, messageId: info.messageId };
+  } catch (error) {
+    console.error('Error sending email:', error);
+    return { success: false, error };
+  }
+}
+
+// Pre-defined templates
+export const emailTemplates = {
+  welcome: (name: string) => ({
+    subject: 'Welcome to Nobalmako! 🚀',
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+        <h1 style="color: #2563eb;">Welcome, ${name}!</h1>
+        <p>We're thrilled to have you join Nobalmako. You're now ready to start securing and managing your environment variables with ease.</p>
+        <p>With Nobalmako, you can:</p>
+        <ul>
+          <li>Collaborate with your team on projects</li>
+          <li>Inherit variables between environments</li>
+          <li>Set up dynamic secrets with AWS & Vault</li>
+          <li>Lock down access with IP whitelisting and MFA</li>
+        </ul>
+        <a href="https://nobalmako.com/dashboard" style="display: inline-block; background-color: #2563eb; color: white; padding: 12px 24px; border-radius: 5px; text-decoration: none; margin-top: 20px;">Go to Dashboard</a>
+        <p style="margin-top: 30px; font-size: 0.8em; color: #666;">If you have any questions, just reply to this email.</p>
+      </div>
+    `,
+  }),
+  
+  verification: (name: string, token: string) => ({
+    subject: 'Verify your Nobalmako account',
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+        <h1 style="color: #2563eb;">One last step, ${name}!</h1>
+        <p>Please click the button below to verify your email address and activate your account.</p>
+        <a href="https://nobalmako.com/api/auth/verify?token=${token}" style="display: inline-block; background-color: #2563eb; color: white; padding: 12px 24px; border-radius: 5px; text-decoration: none; margin-top: 20px;">Verify Email</a>
+        <p style="margin-top: 20px;">Or copy and paste this link:</p>
+        <p style="font-size: 0.8em; color: #666; word-break: break-all;">https://nobalmako.com/api/auth/verify?token=${token}</p>
+        <p style="margin-top: 30px; font-size: 0.8em; color: #666;">This link will expire in 24 hours.</p>
+      </div>
+    `,
+  }),
+
+  mfaEnabled: (name: string) => ({
+    subject: 'MFA has been enabled on your account',
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+        <h1 style="color: #10b981;">Security Update</h1>
+        <p>Hello ${name},</p>
+        <p>Multi-Factor Authentication (MFA) has been successfully enabled on your Nobalmako account. Your account is now even more secure.</p>
+        <p>If you did not perform this action, please contact our security team immediately.</p>
+        <a href="https://nobalmako.com/profile" style="display: inline-block; background-color: #10b981; color: white; padding: 12px 24px; border-radius: 5px; text-decoration: none; margin-top: 20px;">Manage Security Settings</a>
+      </div>
+    `,
+  }),
+
+  passwordReset: (name: string, token: string) => ({
+    subject: 'Reset your Nobalmako password',
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+        <h1 style="color: #2563eb;">Password Reset Request</h1>
+        <p>Hello ${name},</p>
+        <p>We received a request to reset your password. Click the button below to choose a new one.</p>
+        <a href="https://nobalmako.com/auth/reset-password?token=${token}" style="display: inline-block; background-color: #2563eb; color: white; padding: 12px 24px; border-radius: 5px; text-decoration: none; margin-top: 20px;">Reset Password</a>
+        <p style="margin-top: 20px; font-size: 0.8em; color: #666;">This link will expire in 1 hour. If you didn't request this, you can safely ignore this email.</p>
+      </div>
+    `,
+  }),
+
+  teamInvitation: (inviterName: string, teamName: string, teamId: string, token: string) => ({
+    subject: `Invitation to join ${teamName} on Nobalmako`,
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+        <h1 style="color: #2563eb;">You've been invited!</h1>
+        <p>${inviterName} has invited you to join the team <strong>${teamName}</strong> on Nobalmako.</p>
+        <p>Nobalmako is a secure environment variable management platform that helps teams collaborate safely.</p>
+        <a href="https://nobalmako.com/auth/register?invite=${token}" style="display: inline-block; background-color: #2563eb; color: white; padding: 12px 24px; border-radius: 5px; text-decoration: none; margin-top: 20px;">Accept Invitation</a>
+        <p style="margin-top: 20px; font-size: 0.8em; color: #666;">If you already have an account, make sure to log in first or use the same email address.</p>
+      </div>
+    `,
+  })
+};

package/src/lib/mail.ts

@@ -0,0 +1,51 @@
+import nodemailer from 'nodemailer';
+
+const transporter = nodemailer.createTransport({
+  host: process.env.SMTP_HOST,
+  port: parseInt(process.env.SMTP_PORT || '587'),
+  secure: process.env.SMTP_SECURE === 'true',
+  auth: {
+    user: process.env.SMTP_USER,
+    pass: process.env.SMTP_PASS,
+  },
+});
+
+export async function sendInviteEmail({ 
+  to, 
+  teamName, 
+  inviterName, 
+  inviteLink 
+}: { 
+  to: string, 
+  teamName: string, 
+  inviterName: string, 
+  inviteLink: string 
+}) {
+  const mailOptions = {
+    from: `"Nobalmako" <${process.env.SMTP_FROM || process.env.SMTP_USER}>`,
+    to,
+    subject: `You've been invited to join ${teamName} on Nobalmako`,
+    html: `
+      <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 20px; border: 1px solid #e2e8f0; rounded: 8px;">
+        <h2 style="color: #0f172a; margin-bottom: 24px;">Join your team on Nobalmako</h2>
+        <p style="color: #475569; font-size: 16px; line-height: 24px;">
+          <strong>${inviterName}</strong> has invited you to join the project <strong>${teamName}</strong> on Nobalmako.
+        </p>
+        <div style="margin: 32px 0;">
+          <a href="${inviteLink}" style="background-color: #3b82f6; color: white; padding: 12px 24px; border-radius: 6px; text-decoration: none; font-weight: 600; display: inline-block;">
+            Accept Invitation
+          </a>
+        </div>
+        <p style="color: #64748b; font-size: 14px; margin-top: 32px;">
+          If you don't have an account yet, you'll be asked to create one after clicking the button.
+        </p>
+        <hr style="border: 0; border-top: 1px solid #e2e8f0; margin: 32px 0;" />
+        <p style="color: #94a3b8; font-size: 12px;">
+          Nobalmako - Secure Environment Variable Manager
+        </p>
+      </div>
+    `,
+  };
+
+  return transporter.sendMail(mailOptions);
+}

package/src/lib/permissions.ts

@@ -0,0 +1,51 @@
+import { db } from './db';
+import { teamMembers, teams } from './schema';
+import { and, eq } from 'drizzle-orm';
+
+export type Role = 'owner' | 'admin' | 'developer' | 'viewer';
+
+export const RoleHierarchy: Record<Role, number> = {
+  owner: 4,
+  admin: 3,
+  developer: 2,
+  viewer: 1,
+};
+
+export async function getUserRoleInTeam(userId: string, teamId: string): Promise<Role | null> {
+  // Check if user is the owner of the team
+  const team = await db
+    .select()
+    .from(teams)
+    .where(and(eq(teams.id, teamId), eq(teams.ownerId, userId)))
+    .limit(1);
+
+  if (team.length > 0) return 'owner';
+
+  // Check team_members table
+  const membership = await db
+    .select()
+    .from(teamMembers)
+    .where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, userId)))
+    .limit(1);
+
+  if (membership.length > 0) return membership[0].role as Role;
+
+  return null;
+}
+
+export async function hasPermission(
+  userId: string,
+  teamId: string,
+  requiredRole: Role
+): Promise<boolean> {
+  const userRole = await getUserRoleInTeam(userId, teamId);
+  if (!userRole) return false;
+
+  return RoleHierarchy[userRole] >= RoleHierarchy[requiredRole];
+}
+
+export const Permissions = {
+  MANAGE_TEAM: 'admin' as Role,
+  MANAGE_SECRETS: 'developer' as Role,
+  VIEW_SECRETS: 'viewer' as Role,
+};

package/src/lib/schema.ts

@@ -0,0 +1,240 @@
+import { pgTable, text, timestamp, boolean, jsonb, index, uuid } from 'drizzle-orm/pg-core'
+import { relations } from 'drizzle-orm'
+
+// Users table
+export const users = pgTable('users', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  email: text('email').unique().notNull(),
+  name: text('full_name').notNull(),
+  password: text('password').notNull(),
+  avatar: text('avatar'),
+  role: text('role').default('user').notNull(), // 'user', 'admin'
+  emailVerified: timestamp('email_verified'),
+  verificationToken: text('verification_token'),
+  resetToken: text('reset_token'),
+  resetTokenExpiry: timestamp('reset_token_expiry'),
+  mfaEnabled: boolean('mfa_enabled').default(false).notNull(),
+  mfaSecret: text('mfa_secret'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+})
+
+// Teams/Projects table
+export const teams = pgTable('teams', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  name: text('name').notNull(),
+  description: text('description'),
+  color: text('color').default('#3b82f6'),
+  ownerId: uuid('owner_id').references(() => users.id, { onDelete: 'cascade' }).notNull(),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  ownerIdx: index('teams_owner_idx').on(table.ownerId),
+}))
+
+// Team members
+export const teamMembers = pgTable('team_members', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  userId: uuid('user_id').references(() => users.id, { onDelete: 'cascade' }).notNull(),
+  role: text('role').default('developer').notNull(), // 'owner', 'admin', 'developer', 'viewer'
+  joinedAt: timestamp('joined_at').defaultNow().notNull(),
+}, (table) => ({
+  teamUserIdx: index('team_members_team_user_idx').on(table.teamId, table.userId),
+}))
+
+// Environments (dev, staging, prod, etc.)
+export const environments = pgTable('environments', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  parentId: uuid('parent_id').references((): any => environments.id), // For inheritance
+  name: text('name').notNull(),
+  description: text('description'),
+  color: text('color').default('#3b82f6'), // hex color
+  isDefault: boolean('is_default').default(false),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  teamIdx: index('environments_team_idx').on(table.teamId),
+}))
+
+// Environment Variables
+export const environmentVariables = pgTable('environment_variables', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  environmentId: uuid('environment_id').references(() => environments.id, { onDelete: 'cascade' }).notNull(),
+  key: text('key').notNull(),
+  value: text('value').notNull(),
+  description: text('description'),
+  isSecret: boolean('is_secret').default(false),
+  expiresAt: timestamp('expires_at'),
+  lastRotatedAt: timestamp('last_rotated_at'),
+  isDynamic: boolean('is_dynamic').default(false),
+  provider: text('provider'), // 'aws', 'vault', 'gcp'
+  providerConfig: jsonb('provider_config'),
+  tags: jsonb('tags').$type<string[]>(),
+  createdBy: uuid('created_by').references(() => users.id).notNull(),
+  updatedBy: uuid('updated_by').references(() => users.id),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  teamEnvIdx: index('env_vars_team_env_idx').on(table.teamId, table.environmentId),
+  keyIdx: index('env_vars_key_idx').on(table.key),
+  createdByIdx: index('env_vars_created_by_idx').on(table.createdBy),
+}))
+
+// API keys for external access
+export const apiKeys = pgTable('api_keys', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  userId: uuid('user_id').references(() => users.id, { onDelete: 'cascade' }).notNull(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }),
+  name: text('name').notNull(),
+  keyHash: text('key_hash').notNull(), // Hashed API key
+  permissions: jsonb('permissions').$type<string[]>().default(['read']), // ['read', 'write', 'admin']
+  allowedIps: jsonb('allowed_ips').$type<string[]>().default([]), // CIDR or IPs
+  lastUsed: timestamp('last_used'),
+  expiresAt: timestamp('expires_at'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  userIdx: index('api_keys_user_idx').on(table.userId),
+  teamIdx: index('api_keys_team_idx').on(table.teamId),
+}))
+export const variableHistory = pgTable('variable_history', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  variableId: uuid('variable_id').notNull(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  environmentId: uuid('environment_id').references(() => environments.id, { onDelete: 'cascade' }).notNull(),
+  key: text('key').notNull(),
+  value: text('value').notNull(),
+  description: text('description'),
+  isSecret: boolean('is_secret').default(false),
+  changedBy: uuid('changed_by').references(() => users.id).notNull(),
+  changeType: text('change_type').notNull(), // 'create', 'update', 'delete'
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+}, (table) => ({
+  variableIdx: index('variable_history_variable_idx').on(table.variableId),
+  teamIdx: index('variable_history_team_idx').on(table.teamId),
+}))
+export const auditLogs = pgTable('audit_logs', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  userId: uuid('user_id').references(() => users.id, { onDelete: 'set null' }),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }),
+  action: text('action').notNull(), // 'create', 'update', 'delete', 'view'
+  resourceType: text('resource_type').notNull(), // 'variable', 'environment', 'team'
+  resourceId: uuid('resource_id').notNull(),
+  oldValue: jsonb('old_value'),
+  newValue: jsonb('new_value'),
+  ipAddress: text('ip_address'),
+  userAgent: text('user_agent'),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+}, (table) => ({
+  userIdx: index('audit_logs_user_idx').on(table.userId),
+  teamIdx: index('audit_logs_team_idx').on(table.teamId),
+  resourceIdx: index('audit_logs_resource_idx').on(table.resourceType, table.resourceId),
+}))
+
+// Invitations table
+export const invitations = pgTable('invitations', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  email: text('email').notNull(),
+  role: text('role').default('developer').notNull(), // 'admin', 'developer', 'viewer'
+  invitedBy: uuid('invited_by').references(() => users.id, { onDelete: 'cascade' }).notNull(),
+  token: text('token').unique().notNull(),
+  status: text('status').default('pending').notNull(), // 'pending', 'accepted', 'expired'
+  expiresAt: timestamp('expires_at').notNull(),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  teamIdx: index('invitations_team_idx').on(table.teamId),
+  emailIdx: index('invitations_email_idx').on(table.email),
+  tokenIdx: index('invitations_token_idx').on(table.token),
+}))
+
+// Webhooks for notifications
+export const webhooks = pgTable('webhooks', {
+  id: uuid('id').primaryKey().defaultRandom(),
+  teamId: uuid('team_id').references(() => teams.id, { onDelete: 'cascade' }).notNull(),
+  url: text('url').notNull(),
+  name: text('name').notNull(),
+  events: jsonb('events').$type<string[]>().default(['variable.update', 'variable.delete']), // ['variable.create', 'variable.update', 'variable.delete']
+  secret: text('secret'),
+  isActive: boolean('is_active').default(true).notNull(),
+  createdAt: timestamp('created_at').defaultNow().notNull(),
+  updatedAt: timestamp('updated_at').defaultNow().notNull(),
+}, (table) => ({
+  teamIdx: index('webhooks_team_idx').on(table.teamId),
+}))
+
+// Relations
+export const usersRelations = relations(users, ({ many }) => ({
+  ownedTeams: many(teams, { relationName: 'teamOwner' }),
+  teamMemberships: many(teamMembers),
+  createdVariables: many(environmentVariables, { relationName: 'variableCreator' }),
+  updatedVariables: many(environmentVariables, { relationName: 'variableUpdater' }),
+  auditLogs: many(auditLogs),
+  sentInvitations: many(invitations),
+}))
+
+export const teamsRelations = relations(teams, ({ one, many }) => ({
+  owner: one(users, { fields: [teams.ownerId], references: [users.id], relationName: 'teamOwner' }),
+  members: many(teamMembers),
+  environments: many(environments),
+  variables: many(environmentVariables),
+  auditLogs: many(auditLogs),
+  invitations: many(invitations),
+  webhooks: many(webhooks),
+}))
+
+export const invitationsRelations = relations(invitations, ({ one }) => ({
+  team: one(teams, { fields: [invitations.teamId], references: [teams.id] }),
+  inviter: one(users, { fields: [invitations.invitedBy], references: [users.id] }),
+}))
+
+export const teamMembersRelations = relations(teamMembers, ({ one }) => ({
+  team: one(teams, { fields: [teamMembers.teamId], references: [teams.id] }),
+  user: one(users, { fields: [teamMembers.userId], references: [users.id] }),
+}))
+
+export const environmentsRelations = relations(environments, ({ one, many }) => ({
+  team: one(teams, { fields: [environments.teamId], references: [teams.id] }),
+  variables: many(environmentVariables),
+}))
+
+export const environmentVariablesRelations = relations(environmentVariables, ({ one }) => ({
+  team: one(teams, { fields: [environmentVariables.teamId], references: [teams.id] }),
+  environment: one(environments, { fields: [environmentVariables.environmentId], references: [environments.id] }),
+  creator: one(users, { fields: [environmentVariables.createdBy], references: [users.id], relationName: 'variableCreator' }),
+  updater: one(users, { fields: [environmentVariables.updatedBy], references: [users.id], relationName: 'variableUpdater' }),
+}))
+
+export const apiKeysRelations = relations(apiKeys, ({ one }) => ({
+  user: one(users, { fields: [apiKeys.userId], references: [users.id] }),
+  team: one(teams, { fields: [apiKeys.teamId], references: [teams.id] }),
+}))
+
+// Types
+export type User = typeof users.$inferSelect
+export type NewUser = typeof users.$inferInsert
+
+export type Team = typeof teams.$inferSelect
+export type NewTeam = typeof teams.$inferInsert
+
+export type TeamMember = typeof teamMembers.$inferSelect
+export type NewTeamMember = typeof teamMembers.$inferInsert
+
+export type Environment = typeof environments.$inferSelect
+export type NewEnvironment = typeof environments.$inferInsert
+
+export type EnvironmentVariable = typeof environmentVariables.$inferSelect
+export type NewEnvironmentVariable = typeof environmentVariables.$inferInsert
+
+export type VariableHistory = typeof variableHistory.$inferSelect
+export type NewVariableHistory = typeof variableHistory.$inferInsert
+
+export type ApiKey = typeof apiKeys.$inferSelect
+export type NewApiKey = typeof apiKeys.$inferInsert
+
+export type AuditLog = typeof auditLogs.$inferSelect
+export type NewAuditLog = typeof auditLogs.$inferInsert