Initial project snapshot

backend/migrations/000020_installation_authority.up.sql

@@ -0,0 +1,39 @@
+CREATE TABLE IF NOT EXISTS installation_authority (
+    id SMALLINT PRIMARY KEY DEFAULT 1,
+    install_id TEXT NOT NULL,
+    authority_state TEXT NOT NULL DEFAULT 'active',
+    product_root_key_fingerprint TEXT NOT NULL DEFAULT '',
+    activation_payload JSONB NOT NULL,
+    activation_signature TEXT NOT NULL,
+    bootstrapped_owner_email TEXT NOT NULL,
+    bootstrapped_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT installation_authority_singleton_check CHECK (id = 1),
+    CONSTRAINT installation_authority_state_check CHECK (authority_state IN ('active', 'recovery_required', 'locked'))
+);
+
+CREATE TABLE IF NOT EXISTS platform_role_grants (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    role TEXT NOT NULL,
+    install_id TEXT NOT NULL,
+    grant_payload JSONB NOT NULL,
+    grant_signature TEXT NOT NULL,
+    grant_source TEXT NOT NULL DEFAULT 'installation_activation',
+    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at TIMESTAMPTZ,
+    revoked_at TIMESTAMPTZ,
+    metadata JSONB NOT NULL DEFAULT '{}'::JSONB,
+    CONSTRAINT platform_role_grants_role_check
+        CHECK (role IN ('platform_admin', 'platform_recovery_admin')),
+    CONSTRAINT platform_role_grants_source_check
+        CHECK (grant_source IN ('installation_activation', 'recovery_manifest', 'dev_insecure'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_platform_role_grants_user_active
+    ON platform_role_grants(user_id, role, revoked_at, expires_at);
+
+CREATE UNIQUE INDEX IF NOT EXISTS idx_platform_role_grants_unique_install_role
+    ON platform_role_grants(user_id, role, install_id)
+    WHERE revoked_at IS NULL;