feat: implement enterprise RBAC, profile identity, system management, and audit stabilization

backend/prisma/migrations/20260417231000_enterprise_security_system/migration.sql

@@ -0,0 +1,110 @@
+-- AlterTable
+ALTER TABLE "User"
+ADD COLUMN "avatar_url" TEXT,
+ADD COLUMN "profile_metadata" JSONB NOT NULL DEFAULT '{}',
+ADD COLUMN "must_change_password" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN "mfa_enabled" BOOLEAN NOT NULL DEFAULT false,
+ADD COLUMN "mfa_secret" TEXT,
+ADD COLUMN "mfa_recovery_codes" JSONB NOT NULL DEFAULT '[]',
+ADD COLUMN "password_changed_at" TIMESTAMP(3);
+
+-- AlterTable
+ALTER TABLE "Tenant"
+ADD COLUMN "trial_starts_at" TIMESTAMP(3),
+ADD COLUMN "trial_ends_at" TIMESTAMP(3),
+ADD COLUMN "trial_grace_ends_at" TIMESTAMP(3),
+ADD COLUMN "trial_days" INTEGER,
+ADD COLUMN "trial_locked" BOOLEAN NOT NULL DEFAULT false;
+
+-- CreateTable
+CREATE TABLE "AuthSession" (
+    "id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "refresh_token_hash" TEXT NOT NULL,
+    "ip_address" TEXT,
+    "user_agent" TEXT,
+    "issued_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expires_at" TIMESTAMP(3) NOT NULL,
+    "last_used_at" TIMESTAMP(3),
+    "revoked_at" TIMESTAMP(3),
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "AuthSession_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "PasswordResetToken" (
+    "id" TEXT NOT NULL,
+    "user_id" TEXT NOT NULL,
+    "token_hash" TEXT NOT NULL,
+    "expires_at" TIMESTAMP(3) NOT NULL,
+    "used_at" TIMESTAMP(3),
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+
+    CONSTRAINT "PasswordResetToken_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "CmsPage" (
+    "id" TEXT NOT NULL,
+    "slug" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "section" TEXT NOT NULL DEFAULT 'general',
+    "content" JSONB NOT NULL DEFAULT '{}',
+    "is_published" BOOLEAN NOT NULL DEFAULT false,
+    "created_by" TEXT,
+    "updated_by" TEXT,
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "CmsPage_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "SiteNavigationItem" (
+    "id" TEXT NOT NULL,
+    "label" TEXT NOT NULL,
+    "href" TEXT NOT NULL,
+    "position" TEXT NOT NULL DEFAULT 'header',
+    "sort_order" INTEGER NOT NULL DEFAULT 100,
+    "is_enabled" BOOLEAN NOT NULL DEFAULT true,
+    "metadata" JSONB NOT NULL DEFAULT '{}',
+    "created_at" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updated_at" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "SiteNavigationItem_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "AuthSession_refresh_token_hash_key" ON "AuthSession"("refresh_token_hash");
+
+-- CreateIndex
+CREATE INDEX "AuthSession_user_id_revoked_at_idx" ON "AuthSession"("user_id", "revoked_at");
+
+-- CreateIndex
+CREATE INDEX "AuthSession_expires_at_idx" ON "AuthSession"("expires_at");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "PasswordResetToken_token_hash_key" ON "PasswordResetToken"("token_hash");
+
+-- CreateIndex
+CREATE INDEX "PasswordResetToken_user_id_expires_at_idx" ON "PasswordResetToken"("user_id", "expires_at");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "CmsPage_slug_key" ON "CmsPage"("slug");
+
+-- CreateIndex
+CREATE INDEX "CmsPage_section_is_published_idx" ON "CmsPage"("section", "is_published");
+
+-- CreateIndex
+CREATE INDEX "SiteNavigationItem_position_sort_order_idx" ON "SiteNavigationItem"("position", "sort_order");
+
+-- CreateIndex
+CREATE INDEX "Tenant_trial_ends_at_idx" ON "Tenant"("trial_ends_at");
+
+-- AddForeignKey
+ALTER TABLE "AuthSession" ADD CONSTRAINT "AuthSession_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "PasswordResetToken" ADD CONSTRAINT "PasswordResetToken_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;