feat: auth & admin

alembic/env.py

@@ -8,16 +8,15 @@ registers every model so autogenerate sees the full schema.
 import asyncio
 from logging.config import fileConfig
 
+# Import side-effect: registers all ORM models on Base.metadata so autogenerate
+# sees the full schema.
+import app.infrastructure.db.models  # noqa: F401
 from alembic import context
 from app.core.config import get_settings
 from app.infrastructure.db import Base
 from sqlalchemy.engine import Connection
 from sqlalchemy.ext.asyncio import async_engine_from_config
 
-# Import side-effect: registers all ORM models on Base.metadata.
-# Uncomment once models exist (plan §11 step 2):
-# import app.infrastructure.db.models
-
 config = context.config
 if config.config_file_name is not None:
     fileConfig(config.config_file_name)

alembic/versions/20260602_0001-0001_auth_users.py

@@ -0,0 +1,77 @@
+"""auth: users and refresh_tokens
+
+Revision ID: 0001_auth_users
+Revises:
+Create Date: 2026-06-02
+
+First schema migration: authentication & user management (plan §11 step 3).
+Constraint/index names follow the metadata naming convention in
+``app.infrastructure.db.base`` so a later ``--autogenerate`` stays a no-op.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Sequence
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "0001_auth_users"
+down_revision: str | None = None
+branch_labels: str | Sequence[str] | None = None
+depends_on: str | Sequence[str] | None = None
+
+
+def upgrade() -> None:
+    op.create_table(
+        "users",
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column("username", sa.String(length=64), nullable=False),
+        sa.Column("password_hash", sa.String(length=255), nullable=False),
+        sa.Column("is_superuser", sa.Boolean(), nullable=False),
+        sa.Column("is_active", sa.Boolean(), nullable=False),
+        sa.Column(
+            "created_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.func.now(),
+            nullable=False,
+        ),
+        sa.Column(
+            "updated_at",
+            sa.DateTime(timezone=True),
+            server_default=sa.func.now(),
+            nullable=False,
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_users")),
+    )
+    # username is unique=True + index=True -> a single unique index.
+    op.create_index(op.f("ix_users_username"), "users", ["username"], unique=True)
+
+    op.create_table(
+        "refresh_tokens",
+        sa.Column("id", sa.Uuid(), nullable=False),
+        sa.Column("user_id", sa.Uuid(), nullable=False),
+        sa.Column("jti", sa.Uuid(), nullable=False),
+        sa.Column("token_hash", sa.String(length=64), nullable=False),
+        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
+        sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+            name=op.f("fk_refresh_tokens_user_id_users"),
+            ondelete="CASCADE",
+        ),
+        sa.PrimaryKeyConstraint("id", name=op.f("pk_refresh_tokens")),
+    )
+    op.create_index(op.f("ix_refresh_tokens_user_id"), "refresh_tokens", ["user_id"], unique=False)
+    op.create_index(op.f("ix_refresh_tokens_jti"), "refresh_tokens", ["jti"], unique=True)
+
+
+def downgrade() -> None:
+    op.drop_index(op.f("ix_refresh_tokens_jti"), table_name="refresh_tokens")
+    op.drop_index(op.f("ix_refresh_tokens_user_id"), table_name="refresh_tokens")
+    op.drop_table("refresh_tokens")
+    op.drop_index(op.f("ix_users_username"), table_name="users")
+    op.drop_table("users")