initiall commit

2026-06-04 04:23:00 +00:00 · 2026-04-10 12:03:31 +02:00
commit 7ddfb1f52b
276 changed files with 37629 additions and 0 deletions
@@ -0,0 +1,84 @@
+package database
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"log/slog"
+	"os"
+	"path/filepath"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/jackc/pgx/v5/stdlib"
+	"github.com/pressly/goose/v3"
+)
+
+func Connect(ctx context.Context, databaseURL string) (*pgxpool.Pool, error) {
+	var lastErr error
+	for attempt := 1; attempt <= 20; attempt++ {
+		config, err := pgxpool.ParseConfig(databaseURL)
+		if err != nil {
+			return nil, fmt.Errorf("parse database config: %w", err)
+		}
+
+		config.MaxConnLifetime = 30 * time.Minute
+		config.MaxConns = 20
+		config.MinConns = 2
+
+		pool, err := pgxpool.NewWithConfig(ctx, config)
+		if err != nil {
+			lastErr = fmt.Errorf("create pool: %w", err)
+		} else if err := pool.Ping(ctx); err != nil {
+			pool.Close()
+			lastErr = fmt.Errorf("ping database: %w", err)
+		} else {
+			return pool, nil
+		}
+
+		select {
+		case <-ctx.Done():
+			return nil, ctx.Err()
+		case <-time.After(2 * time.Second):
+		}
+	}
+	return nil, lastErr
+}
+
+func RunMigrations(databaseURL, migrationsDir string, logger *slog.Logger) error {
+	if err := goose.SetDialect("postgres"); err != nil {
+		return fmt.Errorf("set goose dialect: %w", err)
+	}
+	sqlDB, err := sql.Open("pgx", databaseURL)
+	if err != nil {
+		return fmt.Errorf("open sql db: %w", err)
+	}
+	defer sqlDB.Close()
+
+	if err := goose.Up(sqlDB, migrationsDir); err != nil {
+		return fmt.Errorf("goose up: %w", err)
+	}
+	logger.Info("database migrations complete", "dir", migrationsDir)
+	return nil
+}
+
+func RunMigrationsFromPool(pool *pgxpool.Pool, migrationsDir string, logger *slog.Logger) error {
+	sqlDB := stdlib.OpenDBFromPool(pool)
+	defer sqlDB.Close()
+
+	if err := goose.SetDialect("postgres"); err != nil {
+		return fmt.Errorf("set goose dialect: %w", err)
+	}
+	if err := goose.Up(sqlDB, migrationsDir); err != nil {
+		return fmt.Errorf("goose up: %w", err)
+	}
+	logger.Info("database migrations complete", "dir", migrationsDir)
+	return nil
+}
+
+func ResolveMigrationsDir() string {
+	if dir := os.Getenv("BACKEND_MIGRATIONS_DIR"); dir != "" {
+		return dir
+	}
+	return filepath.Join("db", "migrations")
+}
@@ -0,0 +1,201 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: api_keys.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const createAPIKey = `-- name: CreateAPIKey :one
+INSERT INTO core.api_keys (
+  project_id,
+  name,
+  prefix,
+  secret_hash,
+  created_by_user_id
+) VALUES ($1, $2, $3, $4, $5)
+RETURNING id, project_id, name, prefix, secret_hash, created_by_user_id, last_used_at, revoked_at, created_at
+`
+
+type CreateAPIKeyParams struct {
+	ProjectID       uuid.UUID   `json:"project_id"`
+	Name            string      `json:"name"`
+	Prefix          string      `json:"prefix"`
+	SecretHash      []byte      `json:"secret_hash"`
+	CreatedByUserID pgtype.UUID `json:"created_by_user_id"`
+}
+
+func (q *Queries) CreateAPIKey(ctx context.Context, arg CreateAPIKeyParams) (CoreApiKey, error) {
+	row := q.db.QueryRow(ctx, createAPIKey,
+		arg.ProjectID,
+		arg.Name,
+		arg.Prefix,
+		arg.SecretHash,
+		arg.CreatedByUserID,
+	)
+	var i CoreApiKey
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Name,
+		&i.Prefix,
+		&i.SecretHash,
+		&i.CreatedByUserID,
+		&i.LastUsedAt,
+		&i.RevokedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getAPIKeyByIDForProject = `-- name: GetAPIKeyByIDForProject :one
+SELECT id, project_id, name, prefix, secret_hash, created_by_user_id, last_used_at, revoked_at, created_at FROM core.api_keys
+WHERE project_id = $1
+  AND id = $2
+`
+
+type GetAPIKeyByIDForProjectParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	ID        uuid.UUID `json:"id"`
+}
+
+func (q *Queries) GetAPIKeyByIDForProject(ctx context.Context, arg GetAPIKeyByIDForProjectParams) (CoreApiKey, error) {
+	row := q.db.QueryRow(ctx, getAPIKeyByIDForProject, arg.ProjectID, arg.ID)
+	var i CoreApiKey
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Name,
+		&i.Prefix,
+		&i.SecretHash,
+		&i.CreatedByUserID,
+		&i.LastUsedAt,
+		&i.RevokedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getAPIKeyByPrefix = `-- name: GetAPIKeyByPrefix :one
+SELECT
+  ak.id, ak.project_id, ak.name, ak.prefix, ak.secret_hash, ak.created_by_user_id, ak.last_used_at, ak.revoked_at, ak.created_at,
+  p.organization_id
+FROM core.api_keys ak
+JOIN core.projects p ON p.id = ak.project_id
+WHERE ak.prefix = $1
+`
+
+type GetAPIKeyByPrefixRow struct {
+	ID              uuid.UUID          `json:"id"`
+	ProjectID       uuid.UUID          `json:"project_id"`
+	Name            string             `json:"name"`
+	Prefix          string             `json:"prefix"`
+	SecretHash      []byte             `json:"secret_hash"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	LastUsedAt      pgtype.Timestamptz `json:"last_used_at"`
+	RevokedAt       pgtype.Timestamptz `json:"revoked_at"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+	OrganizationID  uuid.UUID          `json:"organization_id"`
+}
+
+func (q *Queries) GetAPIKeyByPrefix(ctx context.Context, prefix string) (GetAPIKeyByPrefixRow, error) {
+	row := q.db.QueryRow(ctx, getAPIKeyByPrefix, prefix)
+	var i GetAPIKeyByPrefixRow
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Name,
+		&i.Prefix,
+		&i.SecretHash,
+		&i.CreatedByUserID,
+		&i.LastUsedAt,
+		&i.RevokedAt,
+		&i.CreatedAt,
+		&i.OrganizationID,
+	)
+	return i, err
+}
+
+const listAPIKeysForProject = `-- name: ListAPIKeysForProject :many
+SELECT id, project_id, name, prefix, secret_hash, created_by_user_id, last_used_at, revoked_at, created_at FROM core.api_keys
+WHERE project_id = $1
+ORDER BY created_at DESC
+`
+
+func (q *Queries) ListAPIKeysForProject(ctx context.Context, projectID uuid.UUID) ([]CoreApiKey, error) {
+	rows, err := q.db.Query(ctx, listAPIKeysForProject, projectID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreApiKey
+	for rows.Next() {
+		var i CoreApiKey
+		if err := rows.Scan(
+			&i.ID,
+			&i.ProjectID,
+			&i.Name,
+			&i.Prefix,
+			&i.SecretHash,
+			&i.CreatedByUserID,
+			&i.LastUsedAt,
+			&i.RevokedAt,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const revokeAPIKey = `-- name: RevokeAPIKey :one
+UPDATE core.api_keys
+SET revoked_at = NOW()
+WHERE project_id = $1
+  AND id = $2
+  AND revoked_at IS NULL
+RETURNING id, project_id, name, prefix, secret_hash, created_by_user_id, last_used_at, revoked_at, created_at
+`
+
+type RevokeAPIKeyParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	ID        uuid.UUID `json:"id"`
+}
+
+func (q *Queries) RevokeAPIKey(ctx context.Context, arg RevokeAPIKeyParams) (CoreApiKey, error) {
+	row := q.db.QueryRow(ctx, revokeAPIKey, arg.ProjectID, arg.ID)
+	var i CoreApiKey
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Name,
+		&i.Prefix,
+		&i.SecretHash,
+		&i.CreatedByUserID,
+		&i.LastUsedAt,
+		&i.RevokedAt,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const touchAPIKey = `-- name: TouchAPIKey :exec
+UPDATE core.api_keys
+SET last_used_at = NOW()
+WHERE id = $1
+`
+
+func (q *Queries) TouchAPIKey(ctx context.Context, id uuid.UUID) error {
+	_, err := q.db.Exec(ctx, touchAPIKey, id)
+	return err
+}
@@ -0,0 +1,175 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: audit.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const countAuditLogsForProject = `-- name: CountAuditLogsForProject :one
+SELECT COUNT(*)::BIGINT
+FROM core.audit_logs
+WHERE project_id = $1
+  AND (
+    NULLIF(TRIM($2), '') IS NULL
+    OR action ILIKE '%' || TRIM($2) || '%'
+    OR resource_type ILIKE '%' || TRIM($2) || '%'
+    OR resource_id ILIKE '%' || TRIM($2) || '%'
+    OR request_id ILIKE '%' || TRIM($2) || '%'
+    OR metadata::text ILIKE '%' || TRIM($2) || '%'
+  )
+  AND (
+    NULLIF(TRIM($3), '') IS NULL
+    OR action ILIKE TRIM($3) || '%'
+  )
+`
+
+type CountAuditLogsForProjectParams struct {
+	ProjectID pgtype.UUID `json:"project_id"`
+	Btrim     string      `json:"btrim"`
+	Btrim_2   string      `json:"btrim_2"`
+}
+
+func (q *Queries) CountAuditLogsForProject(ctx context.Context, arg CountAuditLogsForProjectParams) (int64, error) {
+	row := q.db.QueryRow(ctx, countAuditLogsForProject, arg.ProjectID, arg.Btrim, arg.Btrim_2)
+	var column_1 int64
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const createAuditLog = `-- name: CreateAuditLog :one
+INSERT INTO core.audit_logs (
+  organization_id,
+  project_id,
+  actor_user_id,
+  actor_api_key_id,
+  action,
+  resource_type,
+  resource_id,
+  metadata,
+  request_id
+) VALUES (
+  $1,
+  $2,
+  $3,
+  $4,
+  $5,
+  $6,
+  $7,
+  $8,
+  $9
+)
+RETURNING id, organization_id, project_id, actor_user_id, actor_api_key_id, action, resource_type, resource_id, metadata, request_id, created_at
+`
+
+type CreateAuditLogParams struct {
+	OrganizationID pgtype.UUID `json:"organization_id"`
+	ProjectID      pgtype.UUID `json:"project_id"`
+	ActorUserID    pgtype.UUID `json:"actor_user_id"`
+	ActorApiKeyID  pgtype.UUID `json:"actor_api_key_id"`
+	Action         string      `json:"action"`
+	ResourceType   string      `json:"resource_type"`
+	ResourceID     string      `json:"resource_id"`
+	Metadata       []byte      `json:"metadata"`
+	RequestID      string      `json:"request_id"`
+}
+
+func (q *Queries) CreateAuditLog(ctx context.Context, arg CreateAuditLogParams) (CoreAuditLog, error) {
+	row := q.db.QueryRow(ctx, createAuditLog,
+		arg.OrganizationID,
+		arg.ProjectID,
+		arg.ActorUserID,
+		arg.ActorApiKeyID,
+		arg.Action,
+		arg.ResourceType,
+		arg.ResourceID,
+		arg.Metadata,
+		arg.RequestID,
+	)
+	var i CoreAuditLog
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.ActorUserID,
+		&i.ActorApiKeyID,
+		&i.Action,
+		&i.ResourceType,
+		&i.ResourceID,
+		&i.Metadata,
+		&i.RequestID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const listAuditLogsForProject = `-- name: ListAuditLogsForProject :many
+SELECT id, organization_id, project_id, actor_user_id, actor_api_key_id, action, resource_type, resource_id, metadata, request_id, created_at FROM core.audit_logs
+WHERE project_id = $1
+  AND (
+    NULLIF(TRIM($2), '') IS NULL
+    OR action ILIKE '%' || TRIM($2) || '%'
+    OR resource_type ILIKE '%' || TRIM($2) || '%'
+    OR resource_id ILIKE '%' || TRIM($2) || '%'
+    OR request_id ILIKE '%' || TRIM($2) || '%'
+    OR metadata::text ILIKE '%' || TRIM($2) || '%'
+  )
+  AND (
+    NULLIF(TRIM($3), '') IS NULL
+    OR action ILIKE TRIM($3) || '%'
+  )
+ORDER BY created_at DESC
+LIMIT $4
+OFFSET $5
+`
+
+type ListAuditLogsForProjectParams struct {
+	ProjectID pgtype.UUID `json:"project_id"`
+	Btrim     string      `json:"btrim"`
+	Btrim_2   string      `json:"btrim_2"`
+	Limit     int32       `json:"limit"`
+	Offset    int32       `json:"offset"`
+}
+
+func (q *Queries) ListAuditLogsForProject(ctx context.Context, arg ListAuditLogsForProjectParams) ([]CoreAuditLog, error) {
+	rows, err := q.db.Query(ctx, listAuditLogsForProject,
+		arg.ProjectID,
+		arg.Btrim,
+		arg.Btrim_2,
+		arg.Limit,
+		arg.Offset,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreAuditLog
+	for rows.Next() {
+		var i CoreAuditLog
+		if err := rows.Scan(
+			&i.ID,
+			&i.OrganizationID,
+			&i.ProjectID,
+			&i.ActorUserID,
+			&i.ActorApiKeyID,
+			&i.Action,
+			&i.ResourceType,
+			&i.ResourceID,
+			&i.Metadata,
+			&i.RequestID,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
@@ -0,0 +1,81 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: bootstrap.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const bootstrapOrganization = `-- name: BootstrapOrganization :one
+WITH new_org AS (
+  INSERT INTO core.organizations (slug, name)
+  VALUES ($1, $2)
+  RETURNING id, slug, name, created_at
+),
+new_org_member AS (
+  INSERT INTO core.organization_members (organization_id, user_id, role)
+  SELECT id, $3, 'owner'::core.org_role FROM new_org
+),
+new_project AS (
+  INSERT INTO core.projects (organization_id, slug, name, description)
+  SELECT id, $4, $5, $6 FROM new_org
+  RETURNING id, organization_id, slug, name, description, created_at
+),
+new_project_member AS (
+  INSERT INTO core.project_members (project_id, user_id, role)
+  SELECT id, $3, 'admin'::core.project_role FROM new_project
+)
+SELECT
+  new_org.id AS organization_id,
+  new_org.slug AS organization_slug,
+  new_org.name AS organization_name,
+  new_project.id AS project_id,
+  new_project.slug AS project_slug,
+  new_project.name AS project_name
+FROM new_org
+JOIN new_project ON TRUE
+`
+
+type BootstrapOrganizationParams struct {
+	Slug        string    `json:"slug"`
+	Name        string    `json:"name"`
+	UserID      uuid.UUID `json:"user_id"`
+	Slug_2      string    `json:"slug_2"`
+	Name_2      string    `json:"name_2"`
+	Description *string   `json:"description"`
+}
+
+type BootstrapOrganizationRow struct {
+	OrganizationID   uuid.UUID `json:"organization_id"`
+	OrganizationSlug string    `json:"organization_slug"`
+	OrganizationName string    `json:"organization_name"`
+	ProjectID        uuid.UUID `json:"project_id"`
+	ProjectSlug      string    `json:"project_slug"`
+	ProjectName      string    `json:"project_name"`
+}
+
+func (q *Queries) BootstrapOrganization(ctx context.Context, arg BootstrapOrganizationParams) (BootstrapOrganizationRow, error) {
+	row := q.db.QueryRow(ctx, bootstrapOrganization,
+		arg.Slug,
+		arg.Name,
+		arg.UserID,
+		arg.Slug_2,
+		arg.Name_2,
+		arg.Description,
+	)
+	var i BootstrapOrganizationRow
+	err := row.Scan(
+		&i.OrganizationID,
+		&i.OrganizationSlug,
+		&i.OrganizationName,
+		&i.ProjectID,
+		&i.ProjectSlug,
+		&i.ProjectName,
+	)
+	return i, err
+}
@@ -0,0 +1,190 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: buckets.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const createBucket = `-- name: CreateBucket :one
+INSERT INTO core.buckets (
+  project_id,
+  slug,
+  name,
+  visibility,
+  created_by_user_id
+) VALUES ($1, $2, $3, $4, $5)
+RETURNING id, project_id, slug, name, visibility, created_by_user_id, created_at
+`
+
+type CreateBucketParams struct {
+	ProjectID       uuid.UUID   `json:"project_id"`
+	Slug            string      `json:"slug"`
+	Name            string      `json:"name"`
+	Visibility      string      `json:"visibility"`
+	CreatedByUserID pgtype.UUID `json:"created_by_user_id"`
+}
+
+func (q *Queries) CreateBucket(ctx context.Context, arg CreateBucketParams) (CoreBucket, error) {
+	row := q.db.QueryRow(ctx, createBucket,
+		arg.ProjectID,
+		arg.Slug,
+		arg.Name,
+		arg.Visibility,
+		arg.CreatedByUserID,
+	)
+	var i CoreBucket
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Visibility,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteBucketByID = `-- name: DeleteBucketByID :one
+DELETE FROM core.buckets
+WHERE id = $1
+RETURNING id, project_id, slug, name, visibility, created_by_user_id, created_at
+`
+
+func (q *Queries) DeleteBucketByID(ctx context.Context, id uuid.UUID) (CoreBucket, error) {
+	row := q.db.QueryRow(ctx, deleteBucketByID, id)
+	var i CoreBucket
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Visibility,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getBucketByID = `-- name: GetBucketByID :one
+SELECT
+  b.id, b.project_id, b.slug, b.name, b.visibility, b.created_by_user_id, b.created_at,
+  p.organization_id
+FROM core.buckets b
+JOIN core.projects p ON p.id = b.project_id
+WHERE b.id = $1
+`
+
+type GetBucketByIDRow struct {
+	ID              uuid.UUID          `json:"id"`
+	ProjectID       uuid.UUID          `json:"project_id"`
+	Slug            string             `json:"slug"`
+	Name            string             `json:"name"`
+	Visibility      string             `json:"visibility"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+	OrganizationID  uuid.UUID          `json:"organization_id"`
+}
+
+func (q *Queries) GetBucketByID(ctx context.Context, id uuid.UUID) (GetBucketByIDRow, error) {
+	row := q.db.QueryRow(ctx, getBucketByID, id)
+	var i GetBucketByIDRow
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Visibility,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.OrganizationID,
+	)
+	return i, err
+}
+
+const listBucketsForProject = `-- name: ListBucketsForProject :many
+SELECT id, project_id, slug, name, visibility, created_by_user_id, created_at FROM core.buckets
+WHERE project_id = $1
+  AND (
+    btrim($2) = ''
+    OR slug ILIKE '%' || btrim($2) || '%'
+    OR name ILIKE '%' || btrim($2) || '%'
+  )
+ORDER BY created_at ASC
+`
+
+type ListBucketsForProjectParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	Btrim     string    `json:"btrim"`
+}
+
+func (q *Queries) ListBucketsForProject(ctx context.Context, arg ListBucketsForProjectParams) ([]CoreBucket, error) {
+	rows, err := q.db.Query(ctx, listBucketsForProject, arg.ProjectID, arg.Btrim)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreBucket
+	for rows.Next() {
+		var i CoreBucket
+		if err := rows.Scan(
+			&i.ID,
+			&i.ProjectID,
+			&i.Slug,
+			&i.Name,
+			&i.Visibility,
+			&i.CreatedByUserID,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const updateBucketByID = `-- name: UpdateBucketByID :one
+UPDATE core.buckets
+SET slug = $2,
+    name = $3,
+    visibility = $4
+WHERE id = $1
+RETURNING id, project_id, slug, name, visibility, created_by_user_id, created_at
+`
+
+type UpdateBucketByIDParams struct {
+	ID         uuid.UUID `json:"id"`
+	Slug       string    `json:"slug"`
+	Name       string    `json:"name"`
+	Visibility string    `json:"visibility"`
+}
+
+func (q *Queries) UpdateBucketByID(ctx context.Context, arg UpdateBucketByIDParams) (CoreBucket, error) {
+	row := q.db.QueryRow(ctx, updateBucketByID,
+		arg.ID,
+		arg.Slug,
+		arg.Name,
+		arg.Visibility,
+	)
+	var i CoreBucket
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Visibility,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
@@ -0,0 +1,344 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: collections.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const countDocuments = `-- name: CountDocuments :one
+SELECT COUNT(*) FROM core.documents
+WHERE collection_id = $1
+`
+
+func (q *Queries) CountDocuments(ctx context.Context, collectionID uuid.UUID) (int64, error) {
+	row := q.db.QueryRow(ctx, countDocuments, collectionID)
+	var count int64
+	err := row.Scan(&count)
+	return count, err
+}
+
+const createCollection = `-- name: CreateCollection :one
+INSERT INTO core.collections (
+  project_id, slug, name, description, schema, created_by_user_id
+) VALUES (
+  $1, $2, $3, $4, $5, $6
+) RETURNING id, project_id, slug, name, description, schema, created_by_user_id, created_at, updated_at
+`
+
+type CreateCollectionParams struct {
+	ProjectID       uuid.UUID   `json:"project_id"`
+	Slug            string      `json:"slug"`
+	Name            string      `json:"name"`
+	Description     *string     `json:"description"`
+	Schema          []byte      `json:"schema"`
+	CreatedByUserID pgtype.UUID `json:"created_by_user_id"`
+}
+
+func (q *Queries) CreateCollection(ctx context.Context, arg CreateCollectionParams) (CoreCollection, error) {
+	row := q.db.QueryRow(ctx, createCollection,
+		arg.ProjectID,
+		arg.Slug,
+		arg.Name,
+		arg.Description,
+		arg.Schema,
+		arg.CreatedByUserID,
+	)
+	var i CoreCollection
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.Schema,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const createDocument = `-- name: CreateDocument :one
+INSERT INTO core.documents (
+  collection_id, data, created_by_user_id
+) VALUES (
+  $1, $2, $3
+) RETURNING id, collection_id, data, created_by_user_id, created_at, updated_at
+`
+
+type CreateDocumentParams struct {
+	CollectionID    uuid.UUID   `json:"collection_id"`
+	Data            []byte      `json:"data"`
+	CreatedByUserID pgtype.UUID `json:"created_by_user_id"`
+}
+
+func (q *Queries) CreateDocument(ctx context.Context, arg CreateDocumentParams) (CoreDocument, error) {
+	row := q.db.QueryRow(ctx, createDocument, arg.CollectionID, arg.Data, arg.CreatedByUserID)
+	var i CoreDocument
+	err := row.Scan(
+		&i.ID,
+		&i.CollectionID,
+		&i.Data,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const deleteCollection = `-- name: DeleteCollection :exec
+DELETE FROM core.collections
+WHERE id = $1 AND project_id = $2
+`
+
+type DeleteCollectionParams struct {
+	ID        uuid.UUID `json:"id"`
+	ProjectID uuid.UUID `json:"project_id"`
+}
+
+func (q *Queries) DeleteCollection(ctx context.Context, arg DeleteCollectionParams) error {
+	_, err := q.db.Exec(ctx, deleteCollection, arg.ID, arg.ProjectID)
+	return err
+}
+
+const deleteDocument = `-- name: DeleteDocument :exec
+DELETE FROM core.documents
+WHERE id = $1 AND collection_id = $2
+`
+
+type DeleteDocumentParams struct {
+	ID           uuid.UUID `json:"id"`
+	CollectionID uuid.UUID `json:"collection_id"`
+}
+
+func (q *Queries) DeleteDocument(ctx context.Context, arg DeleteDocumentParams) error {
+	_, err := q.db.Exec(ctx, deleteDocument, arg.ID, arg.CollectionID)
+	return err
+}
+
+const getCollectionByID = `-- name: GetCollectionByID :one
+SELECT id, project_id, slug, name, description, schema, created_by_user_id, created_at, updated_at FROM core.collections
+WHERE id = $1
+`
+
+func (q *Queries) GetCollectionByID(ctx context.Context, id uuid.UUID) (CoreCollection, error) {
+	row := q.db.QueryRow(ctx, getCollectionByID, id)
+	var i CoreCollection
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.Schema,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getCollectionBySlug = `-- name: GetCollectionBySlug :one
+SELECT id, project_id, slug, name, description, schema, created_by_user_id, created_at, updated_at FROM core.collections
+WHERE project_id = $1 AND slug = $2
+`
+
+type GetCollectionBySlugParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	Slug      string    `json:"slug"`
+}
+
+func (q *Queries) GetCollectionBySlug(ctx context.Context, arg GetCollectionBySlugParams) (CoreCollection, error) {
+	row := q.db.QueryRow(ctx, getCollectionBySlug, arg.ProjectID, arg.Slug)
+	var i CoreCollection
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.Schema,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const getDocumentByID = `-- name: GetDocumentByID :one
+SELECT id, collection_id, data, created_by_user_id, created_at, updated_at FROM core.documents
+WHERE id = $1 AND collection_id = $2
+`
+
+type GetDocumentByIDParams struct {
+	ID           uuid.UUID `json:"id"`
+	CollectionID uuid.UUID `json:"collection_id"`
+}
+
+func (q *Queries) GetDocumentByID(ctx context.Context, arg GetDocumentByIDParams) (CoreDocument, error) {
+	row := q.db.QueryRow(ctx, getDocumentByID, arg.ID, arg.CollectionID)
+	var i CoreDocument
+	err := row.Scan(
+		&i.ID,
+		&i.CollectionID,
+		&i.Data,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const listCollections = `-- name: ListCollections :many
+SELECT id, project_id, slug, name, description, schema, created_by_user_id, created_at, updated_at FROM core.collections
+WHERE project_id = $1
+ORDER BY created_at DESC
+`
+
+func (q *Queries) ListCollections(ctx context.Context, projectID uuid.UUID) ([]CoreCollection, error) {
+	rows, err := q.db.Query(ctx, listCollections, projectID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreCollection
+	for rows.Next() {
+		var i CoreCollection
+		if err := rows.Scan(
+			&i.ID,
+			&i.ProjectID,
+			&i.Slug,
+			&i.Name,
+			&i.Description,
+			&i.Schema,
+			&i.CreatedByUserID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listDocuments = `-- name: ListDocuments :many
+SELECT id, collection_id, data, created_by_user_id, created_at, updated_at FROM core.documents
+WHERE collection_id = $1
+ORDER BY created_at DESC
+LIMIT $2 OFFSET $3
+`
+
+type ListDocumentsParams struct {
+	CollectionID uuid.UUID `json:"collection_id"`
+	Limit        int32     `json:"limit"`
+	Offset       int32     `json:"offset"`
+}
+
+func (q *Queries) ListDocuments(ctx context.Context, arg ListDocumentsParams) ([]CoreDocument, error) {
+	rows, err := q.db.Query(ctx, listDocuments, arg.CollectionID, arg.Limit, arg.Offset)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreDocument
+	for rows.Next() {
+		var i CoreDocument
+		if err := rows.Scan(
+			&i.ID,
+			&i.CollectionID,
+			&i.Data,
+			&i.CreatedByUserID,
+			&i.CreatedAt,
+			&i.UpdatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const updateCollection = `-- name: UpdateCollection :one
+UPDATE core.collections
+SET 
+  name = $3,
+  description = $4,
+  schema = $5,
+  updated_at = NOW()
+WHERE id = $1 AND project_id = $2
+RETURNING id, project_id, slug, name, description, schema, created_by_user_id, created_at, updated_at
+`
+
+type UpdateCollectionParams struct {
+	ID          uuid.UUID `json:"id"`
+	ProjectID   uuid.UUID `json:"project_id"`
+	Name        string    `json:"name"`
+	Description *string   `json:"description"`
+	Schema      []byte    `json:"schema"`
+}
+
+func (q *Queries) UpdateCollection(ctx context.Context, arg UpdateCollectionParams) (CoreCollection, error) {
+	row := q.db.QueryRow(ctx, updateCollection,
+		arg.ID,
+		arg.ProjectID,
+		arg.Name,
+		arg.Description,
+		arg.Schema,
+	)
+	var i CoreCollection
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.Schema,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
+
+const updateDocument = `-- name: UpdateDocument :one
+UPDATE core.documents
+SET 
+  data = $3,
+  updated_at = NOW()
+WHERE id = $1 AND collection_id = $2
+RETURNING id, collection_id, data, created_by_user_id, created_at, updated_at
+`
+
+type UpdateDocumentParams struct {
+	ID           uuid.UUID `json:"id"`
+	CollectionID uuid.UUID `json:"collection_id"`
+	Data         []byte    `json:"data"`
+}
+
+func (q *Queries) UpdateDocument(ctx context.Context, arg UpdateDocumentParams) (CoreDocument, error) {
+	row := q.db.QueryRow(ctx, updateDocument, arg.ID, arg.CollectionID, arg.Data)
+	var i CoreDocument
+	err := row.Scan(
+		&i.ID,
+		&i.CollectionID,
+		&i.Data,
+		&i.CreatedByUserID,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+	)
+	return i, err
+}
@@ -0,0 +1,32 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+
+package db
+
+import (
+	"context"
+
+	"github.com/jackc/pgx/v5"
+	"github.com/jackc/pgx/v5/pgconn"
+)
+
+type DBTX interface {
+	Exec(context.Context, string, ...interface{}) (pgconn.CommandTag, error)
+	Query(context.Context, string, ...interface{}) (pgx.Rows, error)
+	QueryRow(context.Context, string, ...interface{}) pgx.Row
+}
+
+func New(db DBTX) *Queries {
+	return &Queries{db: db}
+}
+
+type Queries struct {
+	db DBTX
+}
+
+func (q *Queries) WithTx(tx pgx.Tx) *Queries {
+	return &Queries{
+		db: tx,
+	}
+}
@@ -0,0 +1,267 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+
+package db
+
+import (
+	"database/sql/driver"
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+type CoreBucketVisibility string
+
+const (
+	CoreBucketVisibilityPrivate CoreBucketVisibility = "private"
+	CoreBucketVisibilityPublic  CoreBucketVisibility = "public"
+)
+
+func (e *CoreBucketVisibility) Scan(src interface{}) error {
+	switch s := src.(type) {
+	case []byte:
+		*e = CoreBucketVisibility(s)
+	case string:
+		*e = CoreBucketVisibility(s)
+	default:
+		return fmt.Errorf("unsupported scan type for CoreBucketVisibility: %T", src)
+	}
+	return nil
+}
+
+type NullCoreBucketVisibility struct {
+	CoreBucketVisibility CoreBucketVisibility `json:"core_bucket_visibility"`
+	Valid                bool                 `json:"valid"` // Valid is true if CoreBucketVisibility is not NULL
+}
+
+// Scan implements the Scanner interface.
+func (ns *NullCoreBucketVisibility) Scan(value interface{}) error {
+	if value == nil {
+		ns.CoreBucketVisibility, ns.Valid = "", false
+		return nil
+	}
+	ns.Valid = true
+	return ns.CoreBucketVisibility.Scan(value)
+}
+
+// Value implements the driver Valuer interface.
+func (ns NullCoreBucketVisibility) Value() (driver.Value, error) {
+	if !ns.Valid {
+		return nil, nil
+	}
+	return string(ns.CoreBucketVisibility), nil
+}
+
+type CoreOrgRole string
+
+const (
+	CoreOrgRoleOwner  CoreOrgRole = "owner"
+	CoreOrgRoleAdmin  CoreOrgRole = "admin"
+	CoreOrgRoleMember CoreOrgRole = "member"
+)
+
+func (e *CoreOrgRole) Scan(src interface{}) error {
+	switch s := src.(type) {
+	case []byte:
+		*e = CoreOrgRole(s)
+	case string:
+		*e = CoreOrgRole(s)
+	default:
+		return fmt.Errorf("unsupported scan type for CoreOrgRole: %T", src)
+	}
+	return nil
+}
+
+type NullCoreOrgRole struct {
+	CoreOrgRole CoreOrgRole `json:"core_org_role"`
+	Valid       bool        `json:"valid"` // Valid is true if CoreOrgRole is not NULL
+}
+
+// Scan implements the Scanner interface.
+func (ns *NullCoreOrgRole) Scan(value interface{}) error {
+	if value == nil {
+		ns.CoreOrgRole, ns.Valid = "", false
+		return nil
+	}
+	ns.Valid = true
+	return ns.CoreOrgRole.Scan(value)
+}
+
+// Value implements the driver Valuer interface.
+func (ns NullCoreOrgRole) Value() (driver.Value, error) {
+	if !ns.Valid {
+		return nil, nil
+	}
+	return string(ns.CoreOrgRole), nil
+}
+
+type CoreProjectRole string
+
+const (
+	CoreProjectRoleAdmin     CoreProjectRole = "admin"
+	CoreProjectRoleDeveloper CoreProjectRole = "developer"
+	CoreProjectRoleViewer    CoreProjectRole = "viewer"
+)
+
+func (e *CoreProjectRole) Scan(src interface{}) error {
+	switch s := src.(type) {
+	case []byte:
+		*e = CoreProjectRole(s)
+	case string:
+		*e = CoreProjectRole(s)
+	default:
+		return fmt.Errorf("unsupported scan type for CoreProjectRole: %T", src)
+	}
+	return nil
+}
+
+type NullCoreProjectRole struct {
+	CoreProjectRole CoreProjectRole `json:"core_project_role"`
+	Valid           bool            `json:"valid"` // Valid is true if CoreProjectRole is not NULL
+}
+
+// Scan implements the Scanner interface.
+func (ns *NullCoreProjectRole) Scan(value interface{}) error {
+	if value == nil {
+		ns.CoreProjectRole, ns.Valid = "", false
+		return nil
+	}
+	ns.Valid = true
+	return ns.CoreProjectRole.Scan(value)
+}
+
+// Value implements the driver Valuer interface.
+func (ns NullCoreProjectRole) Value() (driver.Value, error) {
+	if !ns.Valid {
+		return nil, nil
+	}
+	return string(ns.CoreProjectRole), nil
+}
+
+type CoreApiKey struct {
+	ID              uuid.UUID          `json:"id"`
+	ProjectID       uuid.UUID          `json:"project_id"`
+	Name            string             `json:"name"`
+	Prefix          string             `json:"prefix"`
+	SecretHash      []byte             `json:"secret_hash"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	LastUsedAt      pgtype.Timestamptz `json:"last_used_at"`
+	RevokedAt       pgtype.Timestamptz `json:"revoked_at"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreAuditLog struct {
+	ID             uuid.UUID          `json:"id"`
+	OrganizationID pgtype.UUID        `json:"organization_id"`
+	ProjectID      pgtype.UUID        `json:"project_id"`
+	ActorUserID    pgtype.UUID        `json:"actor_user_id"`
+	ActorApiKeyID  pgtype.UUID        `json:"actor_api_key_id"`
+	Action         string             `json:"action"`
+	ResourceType   string             `json:"resource_type"`
+	ResourceID     string             `json:"resource_id"`
+	Metadata       []byte             `json:"metadata"`
+	RequestID      string             `json:"request_id"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreBucket struct {
+	ID              uuid.UUID          `json:"id"`
+	ProjectID       uuid.UUID          `json:"project_id"`
+	Slug            string             `json:"slug"`
+	Name            string             `json:"name"`
+	Visibility      string             `json:"visibility"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreBucketObject struct {
+	ID               uuid.UUID          `json:"id"`
+	BucketID         uuid.UUID          `json:"bucket_id"`
+	ObjectKey        string             `json:"object_key"`
+	ContentType      string             `json:"content_type"`
+	SizeBytes        int64              `json:"size_bytes"`
+	ChecksumSha256   string             `json:"checksum_sha256"`
+	StoragePath      string             `json:"storage_path"`
+	UploadedByUserID pgtype.UUID        `json:"uploaded_by_user_id"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreCollection struct {
+	ID              uuid.UUID          `json:"id"`
+	ProjectID       uuid.UUID          `json:"project_id"`
+	Slug            string             `json:"slug"`
+	Name            string             `json:"name"`
+	Description     *string            `json:"description"`
+	Schema          []byte             `json:"schema"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt       pgtype.Timestamptz `json:"updated_at"`
+}
+
+type CoreDocument struct {
+	ID              uuid.UUID          `json:"id"`
+	CollectionID    uuid.UUID          `json:"collection_id"`
+	Data            []byte             `json:"data"`
+	CreatedByUserID pgtype.UUID        `json:"created_by_user_id"`
+	CreatedAt       pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt       pgtype.Timestamptz `json:"updated_at"`
+}
+
+type CoreOrganization struct {
+	ID        uuid.UUID          `json:"id"`
+	Slug      string             `json:"slug"`
+	Name      string             `json:"name"`
+	CreatedAt pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreOrganizationMember struct {
+	ID             uuid.UUID          `json:"id"`
+	OrganizationID uuid.UUID          `json:"organization_id"`
+	UserID         uuid.UUID          `json:"user_id"`
+	Role           string             `json:"role"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreProject struct {
+	ID             uuid.UUID          `json:"id"`
+	OrganizationID uuid.UUID          `json:"organization_id"`
+	Slug           string             `json:"slug"`
+	Name           string             `json:"name"`
+	Description    *string            `json:"description"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreProjectInvitation struct {
+	ID              uuid.UUID           `json:"id"`
+	OrganizationID  uuid.UUID           `json:"organization_id"`
+	ProjectID       pgtype.UUID         `json:"project_id"`
+	Email           string              `json:"email"`
+	OrgRole         string              `json:"org_role"`
+	ProjectRole     NullCoreProjectRole `json:"project_role"`
+	TokenHash       string              `json:"token_hash"`
+	ExpiresAt       pgtype.Timestamptz  `json:"expires_at"`
+	AcceptedAt      pgtype.Timestamptz  `json:"accepted_at"`
+	InvitedByUserID pgtype.UUID         `json:"invited_by_user_id"`
+	CreatedAt       pgtype.Timestamptz  `json:"created_at"`
+}
+
+type CoreProjectMember struct {
+	ID        uuid.UUID          `json:"id"`
+	ProjectID uuid.UUID          `json:"project_id"`
+	UserID    uuid.UUID          `json:"user_id"`
+	Role      string             `json:"role"`
+	CreatedAt pgtype.Timestamptz `json:"created_at"`
+}
+
+type CoreUser struct {
+	ID            uuid.UUID          `json:"id"`
+	AuthSubject   string             `json:"auth_subject"`
+	Email         string             `json:"email"`
+	Name          string             `json:"name"`
+	EmailVerified bool               `json:"email_verified"`
+	CreatedAt     pgtype.Timestamptz `json:"created_at"`
+	UpdatedAt     pgtype.Timestamptz `json:"updated_at"`
+	LastSeenAt    pgtype.Timestamptz `json:"last_seen_at"`
+}
@@ -0,0 +1,229 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: objects.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const countBucketObjects = `-- name: CountBucketObjects :one
+SELECT COUNT(*)::BIGINT
+FROM core.bucket_objects
+WHERE bucket_id = $1
+  AND (btrim($2) = '' OR object_key ILIKE '%' || btrim($2) || '%')
+`
+
+type CountBucketObjectsParams struct {
+	BucketID uuid.UUID `json:"bucket_id"`
+	Btrim    string    `json:"btrim"`
+}
+
+func (q *Queries) CountBucketObjects(ctx context.Context, arg CountBucketObjectsParams) (int64, error) {
+	row := q.db.QueryRow(ctx, countBucketObjects, arg.BucketID, arg.Btrim)
+	var column_1 int64
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const createBucketObject = `-- name: CreateBucketObject :one
+INSERT INTO core.bucket_objects (
+  bucket_id,
+  object_key,
+  content_type,
+  size_bytes,
+  checksum_sha256,
+  storage_path,
+  uploaded_by_user_id
+) VALUES ($1, $2, $3, $4, $5, $6, $7)
+RETURNING id, bucket_id, object_key, content_type, size_bytes, checksum_sha256, storage_path, uploaded_by_user_id, created_at
+`
+
+type CreateBucketObjectParams struct {
+	BucketID         uuid.UUID   `json:"bucket_id"`
+	ObjectKey        string      `json:"object_key"`
+	ContentType      string      `json:"content_type"`
+	SizeBytes        int64       `json:"size_bytes"`
+	ChecksumSha256   string      `json:"checksum_sha256"`
+	StoragePath      string      `json:"storage_path"`
+	UploadedByUserID pgtype.UUID `json:"uploaded_by_user_id"`
+}
+
+func (q *Queries) CreateBucketObject(ctx context.Context, arg CreateBucketObjectParams) (CoreBucketObject, error) {
+	row := q.db.QueryRow(ctx, createBucketObject,
+		arg.BucketID,
+		arg.ObjectKey,
+		arg.ContentType,
+		arg.SizeBytes,
+		arg.ChecksumSha256,
+		arg.StoragePath,
+		arg.UploadedByUserID,
+	)
+	var i CoreBucketObject
+	err := row.Scan(
+		&i.ID,
+		&i.BucketID,
+		&i.ObjectKey,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.ChecksumSha256,
+		&i.StoragePath,
+		&i.UploadedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteBucketObjectByKey = `-- name: DeleteBucketObjectByKey :one
+DELETE FROM core.bucket_objects
+WHERE bucket_id = $1
+  AND object_key = $2
+RETURNING id, bucket_id, object_key, content_type, size_bytes, checksum_sha256, storage_path, uploaded_by_user_id, created_at
+`
+
+type DeleteBucketObjectByKeyParams struct {
+	BucketID  uuid.UUID `json:"bucket_id"`
+	ObjectKey string    `json:"object_key"`
+}
+
+func (q *Queries) DeleteBucketObjectByKey(ctx context.Context, arg DeleteBucketObjectByKeyParams) (CoreBucketObject, error) {
+	row := q.db.QueryRow(ctx, deleteBucketObjectByKey, arg.BucketID, arg.ObjectKey)
+	var i CoreBucketObject
+	err := row.Scan(
+		&i.ID,
+		&i.BucketID,
+		&i.ObjectKey,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.ChecksumSha256,
+		&i.StoragePath,
+		&i.UploadedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getBucketObjectByKey = `-- name: GetBucketObjectByKey :one
+SELECT id, bucket_id, object_key, content_type, size_bytes, checksum_sha256, storage_path, uploaded_by_user_id, created_at FROM core.bucket_objects
+WHERE bucket_id = $1
+  AND object_key = $2
+`
+
+type GetBucketObjectByKeyParams struct {
+	BucketID  uuid.UUID `json:"bucket_id"`
+	ObjectKey string    `json:"object_key"`
+}
+
+func (q *Queries) GetBucketObjectByKey(ctx context.Context, arg GetBucketObjectByKeyParams) (CoreBucketObject, error) {
+	row := q.db.QueryRow(ctx, getBucketObjectByKey, arg.BucketID, arg.ObjectKey)
+	var i CoreBucketObject
+	err := row.Scan(
+		&i.ID,
+		&i.BucketID,
+		&i.ObjectKey,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.ChecksumSha256,
+		&i.StoragePath,
+		&i.UploadedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const listBucketObjects = `-- name: ListBucketObjects :many
+SELECT id, bucket_id, object_key, content_type, size_bytes, checksum_sha256, storage_path, uploaded_by_user_id, created_at FROM core.bucket_objects
+WHERE bucket_id = $1
+  AND (btrim($2) = '' OR object_key ILIKE '%' || btrim($2) || '%')
+ORDER BY created_at DESC
+LIMIT $3
+OFFSET $4
+`
+
+type ListBucketObjectsParams struct {
+	BucketID uuid.UUID `json:"bucket_id"`
+	Btrim    string    `json:"btrim"`
+	Limit    int32     `json:"limit"`
+	Offset   int32     `json:"offset"`
+}
+
+func (q *Queries) ListBucketObjects(ctx context.Context, arg ListBucketObjectsParams) ([]CoreBucketObject, error) {
+	rows, err := q.db.Query(ctx, listBucketObjects,
+		arg.BucketID,
+		arg.Btrim,
+		arg.Limit,
+		arg.Offset,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []CoreBucketObject
+	for rows.Next() {
+		var i CoreBucketObject
+		if err := rows.Scan(
+			&i.ID,
+			&i.BucketID,
+			&i.ObjectKey,
+			&i.ContentType,
+			&i.SizeBytes,
+			&i.ChecksumSha256,
+			&i.StoragePath,
+			&i.UploadedByUserID,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const moveBucketObject = `-- name: MoveBucketObject :one
+UPDATE core.bucket_objects
+SET bucket_id = $3,
+    object_key = $4,
+    storage_path = $5
+WHERE bucket_id = $1
+  AND object_key = $2
+RETURNING id, bucket_id, object_key, content_type, size_bytes, checksum_sha256, storage_path, uploaded_by_user_id, created_at
+`
+
+type MoveBucketObjectParams struct {
+	BucketID    uuid.UUID `json:"bucket_id"`
+	ObjectKey   string    `json:"object_key"`
+	BucketID_2  uuid.UUID `json:"bucket_id_2"`
+	ObjectKey_2 string    `json:"object_key_2"`
+	StoragePath string    `json:"storage_path"`
+}
+
+func (q *Queries) MoveBucketObject(ctx context.Context, arg MoveBucketObjectParams) (CoreBucketObject, error) {
+	row := q.db.QueryRow(ctx, moveBucketObject,
+		arg.BucketID,
+		arg.ObjectKey,
+		arg.BucketID_2,
+		arg.ObjectKey_2,
+		arg.StoragePath,
+	)
+	var i CoreBucketObject
+	err := row.Scan(
+		&i.ID,
+		&i.BucketID,
+		&i.ObjectKey,
+		&i.ContentType,
+		&i.SizeBytes,
+		&i.ChecksumSha256,
+		&i.StoragePath,
+		&i.UploadedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
@@ -0,0 +1,594 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: organizations.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const addOrganizationMember = `-- name: AddOrganizationMember :one
+INSERT INTO core.organization_members (organization_id, user_id, role)
+VALUES ($1, $2, $3)
+ON CONFLICT (organization_id, user_id) DO UPDATE
+SET role = EXCLUDED.role
+RETURNING id, organization_id, user_id, role, created_at
+`
+
+type AddOrganizationMemberParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+	Role           string    `json:"role"`
+}
+
+func (q *Queries) AddOrganizationMember(ctx context.Context, arg AddOrganizationMemberParams) (CoreOrganizationMember, error) {
+	row := q.db.QueryRow(ctx, addOrganizationMember, arg.OrganizationID, arg.UserID, arg.Role)
+	var i CoreOrganizationMember
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const countOrganizationOwners = `-- name: CountOrganizationOwners :one
+SELECT COUNT(*)::BIGINT FROM core.organization_members
+WHERE organization_id = $1
+  AND role = 'owner'
+`
+
+func (q *Queries) CountOrganizationOwners(ctx context.Context, organizationID uuid.UUID) (int64, error) {
+	row := q.db.QueryRow(ctx, countOrganizationOwners, organizationID)
+	var column_1 int64
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const createInvitation = `-- name: CreateInvitation :one
+INSERT INTO core.project_invitations (
+  organization_id,
+  project_id,
+  email,
+  org_role,
+  project_role,
+  token_hash,
+  expires_at,
+  invited_by_user_id
+) VALUES (
+  $1,
+  $2,
+  LOWER($3),
+  $4,
+  $5,
+  $6,
+  $7,
+  $8
+)
+RETURNING id, organization_id, project_id, email, org_role, project_role, token_hash, expires_at, accepted_at, invited_by_user_id, created_at
+`
+
+type CreateInvitationParams struct {
+	OrganizationID  uuid.UUID           `json:"organization_id"`
+	ProjectID       pgtype.UUID         `json:"project_id"`
+	Lower           string              `json:"lower"`
+	OrgRole         string              `json:"org_role"`
+	ProjectRole     NullCoreProjectRole `json:"project_role"`
+	TokenHash       string              `json:"token_hash"`
+	ExpiresAt       pgtype.Timestamptz  `json:"expires_at"`
+	InvitedByUserID pgtype.UUID         `json:"invited_by_user_id"`
+}
+
+func (q *Queries) CreateInvitation(ctx context.Context, arg CreateInvitationParams) (CoreProjectInvitation, error) {
+	row := q.db.QueryRow(ctx, createInvitation,
+		arg.OrganizationID,
+		arg.ProjectID,
+		arg.Lower,
+		arg.OrgRole,
+		arg.ProjectRole,
+		arg.TokenHash,
+		arg.ExpiresAt,
+		arg.InvitedByUserID,
+	)
+	var i CoreProjectInvitation
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.Email,
+		&i.OrgRole,
+		&i.ProjectRole,
+		&i.TokenHash,
+		&i.ExpiresAt,
+		&i.AcceptedAt,
+		&i.InvitedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const createOrganization = `-- name: CreateOrganization :one
+INSERT INTO core.organizations (slug, name)
+VALUES ($1, $2)
+RETURNING id, slug, name, created_at
+`
+
+type CreateOrganizationParams struct {
+	Slug string `json:"slug"`
+	Name string `json:"name"`
+}
+
+func (q *Queries) CreateOrganization(ctx context.Context, arg CreateOrganizationParams) (CoreOrganization, error) {
+	row := q.db.QueryRow(ctx, createOrganization, arg.Slug, arg.Name)
+	var i CoreOrganization
+	err := row.Scan(
+		&i.ID,
+		&i.Slug,
+		&i.Name,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteOrganizationByID = `-- name: DeleteOrganizationByID :one
+DELETE FROM core.organizations
+WHERE id = $1
+RETURNING id, slug, name, created_at
+`
+
+func (q *Queries) DeleteOrganizationByID(ctx context.Context, id uuid.UUID) (CoreOrganization, error) {
+	row := q.db.QueryRow(ctx, deleteOrganizationByID, id)
+	var i CoreOrganization
+	err := row.Scan(
+		&i.ID,
+		&i.Slug,
+		&i.Name,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deletePendingInvitationByIDForOrganization = `-- name: DeletePendingInvitationByIDForOrganization :one
+DELETE FROM core.project_invitations
+WHERE organization_id = $1
+  AND id = $2
+  AND accepted_at IS NULL
+RETURNING id, organization_id, project_id, email, org_role, project_role, token_hash, expires_at, accepted_at, invited_by_user_id, created_at
+`
+
+type DeletePendingInvitationByIDForOrganizationParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	ID             uuid.UUID `json:"id"`
+}
+
+func (q *Queries) DeletePendingInvitationByIDForOrganization(ctx context.Context, arg DeletePendingInvitationByIDForOrganizationParams) (CoreProjectInvitation, error) {
+	row := q.db.QueryRow(ctx, deletePendingInvitationByIDForOrganization, arg.OrganizationID, arg.ID)
+	var i CoreProjectInvitation
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.Email,
+		&i.OrgRole,
+		&i.ProjectRole,
+		&i.TokenHash,
+		&i.ExpiresAt,
+		&i.AcceptedAt,
+		&i.InvitedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getInvitationByIDForOrganization = `-- name: GetInvitationByIDForOrganization :one
+SELECT id, organization_id, project_id, email, org_role, project_role, token_hash, expires_at, accepted_at, invited_by_user_id, created_at FROM core.project_invitations
+WHERE organization_id = $1
+  AND id = $2
+`
+
+type GetInvitationByIDForOrganizationParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	ID             uuid.UUID `json:"id"`
+}
+
+func (q *Queries) GetInvitationByIDForOrganization(ctx context.Context, arg GetInvitationByIDForOrganizationParams) (CoreProjectInvitation, error) {
+	row := q.db.QueryRow(ctx, getInvitationByIDForOrganization, arg.OrganizationID, arg.ID)
+	var i CoreProjectInvitation
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.Email,
+		&i.OrgRole,
+		&i.ProjectRole,
+		&i.TokenHash,
+		&i.ExpiresAt,
+		&i.AcceptedAt,
+		&i.InvitedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getInvitationByTokenHash = `-- name: GetInvitationByTokenHash :one
+SELECT id, organization_id, project_id, email, org_role, project_role, token_hash, expires_at, accepted_at, invited_by_user_id, created_at FROM core.project_invitations
+WHERE token_hash = $1
+`
+
+func (q *Queries) GetInvitationByTokenHash(ctx context.Context, tokenHash string) (CoreProjectInvitation, error) {
+	row := q.db.QueryRow(ctx, getInvitationByTokenHash, tokenHash)
+	var i CoreProjectInvitation
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.Email,
+		&i.OrgRole,
+		&i.ProjectRole,
+		&i.TokenHash,
+		&i.ExpiresAt,
+		&i.AcceptedAt,
+		&i.InvitedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getOrganizationMembership = `-- name: GetOrganizationMembership :one
+SELECT
+  om.id, om.organization_id, om.user_id, om.role, om.created_at,
+  o.name AS organization_name,
+  o.slug AS organization_slug
+FROM core.organization_members om
+JOIN core.organizations o ON o.id = om.organization_id
+WHERE om.organization_id = $1
+  AND om.user_id = $2
+`
+
+type GetOrganizationMembershipParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+}
+
+type GetOrganizationMembershipRow struct {
+	ID               uuid.UUID          `json:"id"`
+	OrganizationID   uuid.UUID          `json:"organization_id"`
+	UserID           uuid.UUID          `json:"user_id"`
+	Role             string             `json:"role"`
+	CreatedAt        pgtype.Timestamptz `json:"created_at"`
+	OrganizationName string             `json:"organization_name"`
+	OrganizationSlug string             `json:"organization_slug"`
+}
+
+func (q *Queries) GetOrganizationMembership(ctx context.Context, arg GetOrganizationMembershipParams) (GetOrganizationMembershipRow, error) {
+	row := q.db.QueryRow(ctx, getOrganizationMembership, arg.OrganizationID, arg.UserID)
+	var i GetOrganizationMembershipRow
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+		&i.OrganizationName,
+		&i.OrganizationSlug,
+	)
+	return i, err
+}
+
+const listBucketsForOrganization = `-- name: ListBucketsForOrganization :many
+SELECT b.id
+FROM core.buckets b
+JOIN core.projects p ON p.id = b.project_id
+WHERE p.organization_id = $1
+`
+
+func (q *Queries) ListBucketsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]uuid.UUID, error) {
+	rows, err := q.db.Query(ctx, listBucketsForOrganization, organizationID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []uuid.UUID
+	for rows.Next() {
+		var id uuid.UUID
+		if err := rows.Scan(&id); err != nil {
+			return nil, err
+		}
+		items = append(items, id)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listInvitationsForOrganization = `-- name: ListInvitationsForOrganization :many
+SELECT
+  i.id,
+  i.organization_id,
+  i.project_id,
+  p.name AS project_name,
+  i.email,
+  i.org_role,
+  i.project_role,
+  i.expires_at,
+  i.accepted_at,
+  i.invited_by_user_id,
+  i.created_at
+FROM core.project_invitations i
+LEFT JOIN core.projects p ON p.id = i.project_id
+WHERE i.organization_id = $1
+ORDER BY i.created_at DESC
+`
+
+type ListInvitationsForOrganizationRow struct {
+	ID              uuid.UUID           `json:"id"`
+	OrganizationID  uuid.UUID           `json:"organization_id"`
+	ProjectID       pgtype.UUID         `json:"project_id"`
+	ProjectName     *string             `json:"project_name"`
+	Email           string              `json:"email"`
+	OrgRole         string              `json:"org_role"`
+	ProjectRole     NullCoreProjectRole `json:"project_role"`
+	ExpiresAt       pgtype.Timestamptz  `json:"expires_at"`
+	AcceptedAt      pgtype.Timestamptz  `json:"accepted_at"`
+	InvitedByUserID pgtype.UUID         `json:"invited_by_user_id"`
+	CreatedAt       pgtype.Timestamptz  `json:"created_at"`
+}
+
+func (q *Queries) ListInvitationsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]ListInvitationsForOrganizationRow, error) {
+	rows, err := q.db.Query(ctx, listInvitationsForOrganization, organizationID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListInvitationsForOrganizationRow
+	for rows.Next() {
+		var i ListInvitationsForOrganizationRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.OrganizationID,
+			&i.ProjectID,
+			&i.ProjectName,
+			&i.Email,
+			&i.OrgRole,
+			&i.ProjectRole,
+			&i.ExpiresAt,
+			&i.AcceptedAt,
+			&i.InvitedByUserID,
+			&i.CreatedAt,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listOrganizationMembers = `-- name: ListOrganizationMembers :many
+SELECT
+  om.organization_id,
+  om.user_id,
+  om.role,
+  om.created_at,
+  u.email,
+  u.name,
+  u.email_verified
+FROM core.organization_members om
+JOIN core.users u ON u.id = om.user_id
+WHERE om.organization_id = $1
+ORDER BY om.created_at ASC
+`
+
+type ListOrganizationMembersRow struct {
+	OrganizationID uuid.UUID          `json:"organization_id"`
+	UserID         uuid.UUID          `json:"user_id"`
+	Role           string             `json:"role"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+	Email          string             `json:"email"`
+	Name           string             `json:"name"`
+	EmailVerified  bool               `json:"email_verified"`
+}
+
+func (q *Queries) ListOrganizationMembers(ctx context.Context, organizationID uuid.UUID) ([]ListOrganizationMembersRow, error) {
+	rows, err := q.db.Query(ctx, listOrganizationMembers, organizationID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListOrganizationMembersRow
+	for rows.Next() {
+		var i ListOrganizationMembersRow
+		if err := rows.Scan(
+			&i.OrganizationID,
+			&i.UserID,
+			&i.Role,
+			&i.CreatedAt,
+			&i.Email,
+			&i.Name,
+			&i.EmailVerified,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listOrganizationsForUser = `-- name: ListOrganizationsForUser :many
+SELECT
+  o.id, o.slug, o.name, o.created_at,
+  om.role AS membership_role
+FROM core.organizations o
+JOIN core.organization_members om ON om.organization_id = o.id
+WHERE om.user_id = $1
+ORDER BY o.created_at ASC
+`
+
+type ListOrganizationsForUserRow struct {
+	ID             uuid.UUID          `json:"id"`
+	Slug           string             `json:"slug"`
+	Name           string             `json:"name"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+	MembershipRole string             `json:"membership_role"`
+}
+
+func (q *Queries) ListOrganizationsForUser(ctx context.Context, userID uuid.UUID) ([]ListOrganizationsForUserRow, error) {
+	rows, err := q.db.Query(ctx, listOrganizationsForUser, userID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListOrganizationsForUserRow
+	for rows.Next() {
+		var i ListOrganizationsForUserRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Slug,
+			&i.Name,
+			&i.CreatedAt,
+			&i.MembershipRole,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const markInvitationAccepted = `-- name: MarkInvitationAccepted :one
+UPDATE core.project_invitations
+SET accepted_at = NOW()
+WHERE id = $1
+RETURNING id, organization_id, project_id, email, org_role, project_role, token_hash, expires_at, accepted_at, invited_by_user_id, created_at
+`
+
+func (q *Queries) MarkInvitationAccepted(ctx context.Context, id uuid.UUID) (CoreProjectInvitation, error) {
+	row := q.db.QueryRow(ctx, markInvitationAccepted, id)
+	var i CoreProjectInvitation
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.ProjectID,
+		&i.Email,
+		&i.OrgRole,
+		&i.ProjectRole,
+		&i.TokenHash,
+		&i.ExpiresAt,
+		&i.AcceptedAt,
+		&i.InvitedByUserID,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const removeOrganizationMember = `-- name: RemoveOrganizationMember :one
+DELETE FROM core.organization_members
+WHERE organization_id = $1
+  AND user_id = $2
+RETURNING id, organization_id, user_id, role, created_at
+`
+
+type RemoveOrganizationMemberParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+}
+
+func (q *Queries) RemoveOrganizationMember(ctx context.Context, arg RemoveOrganizationMemberParams) (CoreOrganizationMember, error) {
+	row := q.db.QueryRow(ctx, removeOrganizationMember, arg.OrganizationID, arg.UserID)
+	var i CoreOrganizationMember
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const removeProjectMembershipsForOrganizationUser = `-- name: RemoveProjectMembershipsForOrganizationUser :exec
+DELETE FROM core.project_members pm
+USING core.projects p
+WHERE pm.project_id = p.id
+  AND p.organization_id = $1
+  AND pm.user_id = $2
+`
+
+type RemoveProjectMembershipsForOrganizationUserParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+}
+
+func (q *Queries) RemoveProjectMembershipsForOrganizationUser(ctx context.Context, arg RemoveProjectMembershipsForOrganizationUserParams) error {
+	_, err := q.db.Exec(ctx, removeProjectMembershipsForOrganizationUser, arg.OrganizationID, arg.UserID)
+	return err
+}
+
+const updateOrganizationByID = `-- name: UpdateOrganizationByID :one
+UPDATE core.organizations
+SET slug = $2,
+    name = $3
+WHERE id = $1
+RETURNING id, slug, name, created_at
+`
+
+type UpdateOrganizationByIDParams struct {
+	ID   uuid.UUID `json:"id"`
+	Slug string    `json:"slug"`
+	Name string    `json:"name"`
+}
+
+func (q *Queries) UpdateOrganizationByID(ctx context.Context, arg UpdateOrganizationByIDParams) (CoreOrganization, error) {
+	row := q.db.QueryRow(ctx, updateOrganizationByID, arg.ID, arg.Slug, arg.Name)
+	var i CoreOrganization
+	err := row.Scan(
+		&i.ID,
+		&i.Slug,
+		&i.Name,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const updateOrganizationMemberRole = `-- name: UpdateOrganizationMemberRole :one
+UPDATE core.organization_members
+SET role = $3
+WHERE organization_id = $1
+  AND user_id = $2
+RETURNING id, organization_id, user_id, role, created_at
+`
+
+type UpdateOrganizationMemberRoleParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+	Role           string    `json:"role"`
+}
+
+func (q *Queries) UpdateOrganizationMemberRole(ctx context.Context, arg UpdateOrganizationMemberRoleParams) (CoreOrganizationMember, error) {
+	row := q.db.QueryRow(ctx, updateOrganizationMemberRole, arg.OrganizationID, arg.UserID, arg.Role)
+	var i CoreOrganizationMember
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
@@ -0,0 +1,460 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: projects.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/jackc/pgx/v5/pgtype"
+)
+
+const addProjectMember = `-- name: AddProjectMember :one
+INSERT INTO core.project_members (project_id, user_id, role)
+VALUES ($1, $2, $3)
+ON CONFLICT (project_id, user_id) DO UPDATE
+SET role = EXCLUDED.role
+RETURNING id, project_id, user_id, role, created_at
+`
+
+type AddProjectMemberParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	UserID    uuid.UUID `json:"user_id"`
+	Role      string    `json:"role"`
+}
+
+func (q *Queries) AddProjectMember(ctx context.Context, arg AddProjectMemberParams) (CoreProjectMember, error) {
+	row := q.db.QueryRow(ctx, addProjectMember, arg.ProjectID, arg.UserID, arg.Role)
+	var i CoreProjectMember
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const countProjectAdmins = `-- name: CountProjectAdmins :one
+SELECT COUNT(*)::BIGINT FROM core.project_members
+WHERE project_id = $1
+  AND role = 'admin'
+`
+
+func (q *Queries) CountProjectAdmins(ctx context.Context, projectID uuid.UUID) (int64, error) {
+	row := q.db.QueryRow(ctx, countProjectAdmins, projectID)
+	var column_1 int64
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const createProject = `-- name: CreateProject :one
+INSERT INTO core.projects (
+  organization_id,
+  slug,
+  name,
+  description
+) VALUES ($1, $2, $3, $4)
+RETURNING id, organization_id, slug, name, description, created_at
+`
+
+type CreateProjectParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	Slug           string    `json:"slug"`
+	Name           string    `json:"name"`
+	Description    *string   `json:"description"`
+}
+
+func (q *Queries) CreateProject(ctx context.Context, arg CreateProjectParams) (CoreProject, error) {
+	row := q.db.QueryRow(ctx, createProject,
+		arg.OrganizationID,
+		arg.Slug,
+		arg.Name,
+		arg.Description,
+	)
+	var i CoreProject
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const deleteProjectByID = `-- name: DeleteProjectByID :one
+DELETE FROM core.projects
+WHERE id = $1
+RETURNING id, organization_id, slug, name, description, created_at
+`
+
+func (q *Queries) DeleteProjectByID(ctx context.Context, id uuid.UUID) (CoreProject, error) {
+	row := q.db.QueryRow(ctx, deleteProjectByID, id)
+	var i CoreProject
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getProjectByID = `-- name: GetProjectByID :one
+SELECT id, organization_id, slug, name, description, created_at FROM core.projects
+WHERE id = $1
+`
+
+func (q *Queries) GetProjectByID(ctx context.Context, id uuid.UUID) (CoreProject, error) {
+	row := q.db.QueryRow(ctx, getProjectByID, id)
+	var i CoreProject
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const getProjectMembership = `-- name: GetProjectMembership :one
+SELECT
+  pm.id, pm.project_id, pm.user_id, pm.role, pm.created_at,
+  p.organization_id
+FROM core.project_members pm
+JOIN core.projects p ON p.id = pm.project_id
+WHERE pm.project_id = $1
+  AND pm.user_id = $2
+`
+
+type GetProjectMembershipParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	UserID    uuid.UUID `json:"user_id"`
+}
+
+type GetProjectMembershipRow struct {
+	ID             uuid.UUID          `json:"id"`
+	ProjectID      uuid.UUID          `json:"project_id"`
+	UserID         uuid.UUID          `json:"user_id"`
+	Role           string             `json:"role"`
+	CreatedAt      pgtype.Timestamptz `json:"created_at"`
+	OrganizationID uuid.UUID          `json:"organization_id"`
+}
+
+func (q *Queries) GetProjectMembership(ctx context.Context, arg GetProjectMembershipParams) (GetProjectMembershipRow, error) {
+	row := q.db.QueryRow(ctx, getProjectMembership, arg.ProjectID, arg.UserID)
+	var i GetProjectMembershipRow
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+		&i.OrganizationID,
+	)
+	return i, err
+}
+
+const getProjectOverview = `-- name: GetProjectOverview :one
+SELECT
+  p.id AS project_id,
+  p.organization_id,
+  p.slug AS project_slug,
+  p.name AS project_name,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.project_members pm
+    WHERE pm.project_id = p.id
+  ) AS member_count,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.api_keys ak
+    WHERE ak.project_id = p.id
+      AND ak.revoked_at IS NULL
+  ) AS active_api_key_count,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.buckets b
+    WHERE b.project_id = p.id
+  ) AS bucket_count,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.bucket_objects bo
+    JOIN core.buckets b ON b.id = bo.bucket_id
+    WHERE b.project_id = p.id
+  ) AS object_count,
+  (
+    SELECT COALESCE(SUM(bo.size_bytes), 0)::BIGINT
+    FROM core.bucket_objects bo
+    JOIN core.buckets b ON b.id = bo.bucket_id
+    WHERE b.project_id = p.id
+  ) AS object_bytes_total,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.project_invitations pi
+    WHERE pi.organization_id = p.organization_id
+      AND (pi.project_id IS NULL OR pi.project_id = p.id)
+      AND pi.accepted_at IS NULL
+      AND pi.expires_at > NOW()
+  ) AS pending_invitation_count,
+  (
+    SELECT COUNT(*)::BIGINT
+    FROM core.audit_logs al
+    WHERE al.project_id = p.id
+      AND al.created_at >= NOW() - INTERVAL '24 hours'
+  ) AS audit_events_24h,
+  (
+    SELECT MAX(al.created_at)::TIMESTAMPTZ
+    FROM core.audit_logs al
+    WHERE al.project_id = p.id
+  ) AS last_audit_at
+FROM core.projects p
+WHERE p.id = $1
+`
+
+type GetProjectOverviewRow struct {
+	ProjectID              uuid.UUID          `json:"project_id"`
+	OrganizationID         uuid.UUID          `json:"organization_id"`
+	ProjectSlug            string             `json:"project_slug"`
+	ProjectName            string             `json:"project_name"`
+	MemberCount            int64              `json:"member_count"`
+	ActiveApiKeyCount      int64              `json:"active_api_key_count"`
+	BucketCount            int64              `json:"bucket_count"`
+	ObjectCount            int64              `json:"object_count"`
+	ObjectBytesTotal       int64              `json:"object_bytes_total"`
+	PendingInvitationCount int64              `json:"pending_invitation_count"`
+	AuditEvents24h         int64              `json:"audit_events_24h"`
+	LastAuditAt            pgtype.Timestamptz `json:"last_audit_at"`
+}
+
+func (q *Queries) GetProjectOverview(ctx context.Context, id uuid.UUID) (GetProjectOverviewRow, error) {
+	row := q.db.QueryRow(ctx, getProjectOverview, id)
+	var i GetProjectOverviewRow
+	err := row.Scan(
+		&i.ProjectID,
+		&i.OrganizationID,
+		&i.ProjectSlug,
+		&i.ProjectName,
+		&i.MemberCount,
+		&i.ActiveApiKeyCount,
+		&i.BucketCount,
+		&i.ObjectCount,
+		&i.ObjectBytesTotal,
+		&i.PendingInvitationCount,
+		&i.AuditEvents24h,
+		&i.LastAuditAt,
+	)
+	return i, err
+}
+
+const listProjectMembers = `-- name: ListProjectMembers :many
+SELECT
+  pm.project_id,
+  pm.user_id,
+  pm.role,
+  pm.created_at,
+  u.email,
+  u.name,
+  u.email_verified
+FROM core.project_members pm
+JOIN core.users u ON u.id = pm.user_id
+WHERE pm.project_id = $1
+ORDER BY pm.created_at ASC
+`
+
+type ListProjectMembersRow struct {
+	ProjectID     uuid.UUID          `json:"project_id"`
+	UserID        uuid.UUID          `json:"user_id"`
+	Role          string             `json:"role"`
+	CreatedAt     pgtype.Timestamptz `json:"created_at"`
+	Email         string             `json:"email"`
+	Name          string             `json:"name"`
+	EmailVerified bool               `json:"email_verified"`
+}
+
+func (q *Queries) ListProjectMembers(ctx context.Context, projectID uuid.UUID) ([]ListProjectMembersRow, error) {
+	rows, err := q.db.Query(ctx, listProjectMembers, projectID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListProjectMembersRow
+	for rows.Next() {
+		var i ListProjectMembersRow
+		if err := rows.Scan(
+			&i.ProjectID,
+			&i.UserID,
+			&i.Role,
+			&i.CreatedAt,
+			&i.Email,
+			&i.Name,
+			&i.EmailVerified,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const listProjectsForOrganization = `-- name: ListProjectsForOrganization :many
+SELECT
+  p.id, p.organization_id, p.slug, p.name, p.description, p.created_at,
+  pm.role AS membership_role
+FROM core.projects p
+LEFT JOIN core.project_members pm
+  ON pm.project_id = p.id
+  AND pm.user_id = $2
+WHERE p.organization_id = $1
+  AND (
+    btrim($3) = ''
+    OR p.slug ILIKE '%' || btrim($3) || '%'
+    OR p.name ILIKE '%' || btrim($3) || '%'
+    OR COALESCE(p.description, '') ILIKE '%' || btrim($3) || '%'
+  )
+ORDER BY p.created_at ASC
+`
+
+type ListProjectsForOrganizationParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	UserID         uuid.UUID `json:"user_id"`
+	Btrim          string    `json:"btrim"`
+}
+
+type ListProjectsForOrganizationRow struct {
+	ID             uuid.UUID           `json:"id"`
+	OrganizationID uuid.UUID           `json:"organization_id"`
+	Slug           string              `json:"slug"`
+	Name           string              `json:"name"`
+	Description    *string             `json:"description"`
+	CreatedAt      pgtype.Timestamptz  `json:"created_at"`
+	MembershipRole NullCoreProjectRole `json:"membership_role"`
+}
+
+func (q *Queries) ListProjectsForOrganization(ctx context.Context, arg ListProjectsForOrganizationParams) ([]ListProjectsForOrganizationRow, error) {
+	rows, err := q.db.Query(ctx, listProjectsForOrganization, arg.OrganizationID, arg.UserID, arg.Btrim)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []ListProjectsForOrganizationRow
+	for rows.Next() {
+		var i ListProjectsForOrganizationRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.OrganizationID,
+			&i.Slug,
+			&i.Name,
+			&i.Description,
+			&i.CreatedAt,
+			&i.MembershipRole,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const removeProjectMember = `-- name: RemoveProjectMember :one
+DELETE FROM core.project_members
+WHERE project_id = $1
+  AND user_id = $2
+RETURNING id, project_id, user_id, role, created_at
+`
+
+type RemoveProjectMemberParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	UserID    uuid.UUID `json:"user_id"`
+}
+
+func (q *Queries) RemoveProjectMember(ctx context.Context, arg RemoveProjectMemberParams) (CoreProjectMember, error) {
+	row := q.db.QueryRow(ctx, removeProjectMember, arg.ProjectID, arg.UserID)
+	var i CoreProjectMember
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const updateProjectByID = `-- name: UpdateProjectByID :one
+UPDATE core.projects
+SET slug = $2,
+    name = $3,
+    description = $4
+WHERE id = $1
+RETURNING id, organization_id, slug, name, description, created_at
+`
+
+type UpdateProjectByIDParams struct {
+	ID          uuid.UUID `json:"id"`
+	Slug        string    `json:"slug"`
+	Name        string    `json:"name"`
+	Description *string   `json:"description"`
+}
+
+func (q *Queries) UpdateProjectByID(ctx context.Context, arg UpdateProjectByIDParams) (CoreProject, error) {
+	row := q.db.QueryRow(ctx, updateProjectByID,
+		arg.ID,
+		arg.Slug,
+		arg.Name,
+		arg.Description,
+	)
+	var i CoreProject
+	err := row.Scan(
+		&i.ID,
+		&i.OrganizationID,
+		&i.Slug,
+		&i.Name,
+		&i.Description,
+		&i.CreatedAt,
+	)
+	return i, err
+}
+
+const updateProjectMemberRole = `-- name: UpdateProjectMemberRole :one
+UPDATE core.project_members
+SET role = $3
+WHERE project_id = $1
+  AND user_id = $2
+RETURNING id, project_id, user_id, role, created_at
+`
+
+type UpdateProjectMemberRoleParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	UserID    uuid.UUID `json:"user_id"`
+	Role      string    `json:"role"`
+}
+
+func (q *Queries) UpdateProjectMemberRole(ctx context.Context, arg UpdateProjectMemberRoleParams) (CoreProjectMember, error) {
+	row := q.db.QueryRow(ctx, updateProjectMemberRole, arg.ProjectID, arg.UserID, arg.Role)
+	var i CoreProjectMember
+	err := row.Scan(
+		&i.ID,
+		&i.ProjectID,
+		&i.UserID,
+		&i.Role,
+		&i.CreatedAt,
+	)
+	return i, err
+}
@@ -0,0 +1,83 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+type Querier interface {
+	AddOrganizationMember(ctx context.Context, arg AddOrganizationMemberParams) (CoreOrganizationMember, error)
+	AddProjectMember(ctx context.Context, arg AddProjectMemberParams) (CoreProjectMember, error)
+	BootstrapOrganization(ctx context.Context, arg BootstrapOrganizationParams) (BootstrapOrganizationRow, error)
+	CountAuditLogsForProject(ctx context.Context, arg CountAuditLogsForProjectParams) (int64, error)
+	CountBucketObjects(ctx context.Context, arg CountBucketObjectsParams) (int64, error)
+	CountDocuments(ctx context.Context, collectionID uuid.UUID) (int64, error)
+	CountOrganizationOwners(ctx context.Context, organizationID uuid.UUID) (int64, error)
+	CountOrganizations(ctx context.Context) (int64, error)
+	CountProjectAdmins(ctx context.Context, projectID uuid.UUID) (int64, error)
+	CreateAPIKey(ctx context.Context, arg CreateAPIKeyParams) (CoreApiKey, error)
+	CreateAuditLog(ctx context.Context, arg CreateAuditLogParams) (CoreAuditLog, error)
+	CreateBucket(ctx context.Context, arg CreateBucketParams) (CoreBucket, error)
+	CreateBucketObject(ctx context.Context, arg CreateBucketObjectParams) (CoreBucketObject, error)
+	CreateCollection(ctx context.Context, arg CreateCollectionParams) (CoreCollection, error)
+	CreateDocument(ctx context.Context, arg CreateDocumentParams) (CoreDocument, error)
+	CreateInvitation(ctx context.Context, arg CreateInvitationParams) (CoreProjectInvitation, error)
+	CreateOrganization(ctx context.Context, arg CreateOrganizationParams) (CoreOrganization, error)
+	CreateProject(ctx context.Context, arg CreateProjectParams) (CoreProject, error)
+	DeleteBucketByID(ctx context.Context, id uuid.UUID) (CoreBucket, error)
+	DeleteBucketObjectByKey(ctx context.Context, arg DeleteBucketObjectByKeyParams) (CoreBucketObject, error)
+	DeleteCollection(ctx context.Context, arg DeleteCollectionParams) error
+	DeleteDocument(ctx context.Context, arg DeleteDocumentParams) error
+	DeleteOrganizationByID(ctx context.Context, id uuid.UUID) (CoreOrganization, error)
+	DeletePendingInvitationByIDForOrganization(ctx context.Context, arg DeletePendingInvitationByIDForOrganizationParams) (CoreProjectInvitation, error)
+	DeleteProjectByID(ctx context.Context, id uuid.UUID) (CoreProject, error)
+	GetAPIKeyByIDForProject(ctx context.Context, arg GetAPIKeyByIDForProjectParams) (CoreApiKey, error)
+	GetAPIKeyByPrefix(ctx context.Context, prefix string) (GetAPIKeyByPrefixRow, error)
+	GetBucketByID(ctx context.Context, id uuid.UUID) (GetBucketByIDRow, error)
+	GetBucketObjectByKey(ctx context.Context, arg GetBucketObjectByKeyParams) (CoreBucketObject, error)
+	GetCollectionByID(ctx context.Context, id uuid.UUID) (CoreCollection, error)
+	GetCollectionBySlug(ctx context.Context, arg GetCollectionBySlugParams) (CoreCollection, error)
+	GetDocumentByID(ctx context.Context, arg GetDocumentByIDParams) (CoreDocument, error)
+	GetInvitationByIDForOrganization(ctx context.Context, arg GetInvitationByIDForOrganizationParams) (CoreProjectInvitation, error)
+	GetInvitationByTokenHash(ctx context.Context, tokenHash string) (CoreProjectInvitation, error)
+	GetOrganizationMembership(ctx context.Context, arg GetOrganizationMembershipParams) (GetOrganizationMembershipRow, error)
+	GetProjectByID(ctx context.Context, id uuid.UUID) (CoreProject, error)
+	GetProjectMembership(ctx context.Context, arg GetProjectMembershipParams) (GetProjectMembershipRow, error)
+	GetProjectOverview(ctx context.Context, id uuid.UUID) (GetProjectOverviewRow, error)
+	GetUserByAuthSubject(ctx context.Context, authSubject string) (CoreUser, error)
+	GetUserByID(ctx context.Context, id uuid.UUID) (CoreUser, error)
+	ListAPIKeysForProject(ctx context.Context, projectID uuid.UUID) ([]CoreApiKey, error)
+	ListAuditLogsForProject(ctx context.Context, arg ListAuditLogsForProjectParams) ([]CoreAuditLog, error)
+	ListBucketObjects(ctx context.Context, arg ListBucketObjectsParams) ([]CoreBucketObject, error)
+	ListBucketsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]uuid.UUID, error)
+	ListBucketsForProject(ctx context.Context, arg ListBucketsForProjectParams) ([]CoreBucket, error)
+	ListCollections(ctx context.Context, projectID uuid.UUID) ([]CoreCollection, error)
+	ListDocuments(ctx context.Context, arg ListDocumentsParams) ([]CoreDocument, error)
+	ListInvitationsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]ListInvitationsForOrganizationRow, error)
+	ListOrganizationMembers(ctx context.Context, organizationID uuid.UUID) ([]ListOrganizationMembersRow, error)
+	ListOrganizationsForUser(ctx context.Context, userID uuid.UUID) ([]ListOrganizationsForUserRow, error)
+	ListProjectMembers(ctx context.Context, projectID uuid.UUID) ([]ListProjectMembersRow, error)
+	ListProjectsForOrganization(ctx context.Context, arg ListProjectsForOrganizationParams) ([]ListProjectsForOrganizationRow, error)
+	MarkInvitationAccepted(ctx context.Context, id uuid.UUID) (CoreProjectInvitation, error)
+	MoveBucketObject(ctx context.Context, arg MoveBucketObjectParams) (CoreBucketObject, error)
+	RemoveOrganizationMember(ctx context.Context, arg RemoveOrganizationMemberParams) (CoreOrganizationMember, error)
+	RemoveProjectMember(ctx context.Context, arg RemoveProjectMemberParams) (CoreProjectMember, error)
+	RemoveProjectMembershipsForOrganizationUser(ctx context.Context, arg RemoveProjectMembershipsForOrganizationUserParams) error
+	RevokeAPIKey(ctx context.Context, arg RevokeAPIKeyParams) (CoreApiKey, error)
+	TouchAPIKey(ctx context.Context, id uuid.UUID) error
+	UpdateBucketByID(ctx context.Context, arg UpdateBucketByIDParams) (CoreBucket, error)
+	UpdateCollection(ctx context.Context, arg UpdateCollectionParams) (CoreCollection, error)
+	UpdateDocument(ctx context.Context, arg UpdateDocumentParams) (CoreDocument, error)
+	UpdateOrganizationByID(ctx context.Context, arg UpdateOrganizationByIDParams) (CoreOrganization, error)
+	UpdateOrganizationMemberRole(ctx context.Context, arg UpdateOrganizationMemberRoleParams) (CoreOrganizationMember, error)
+	UpdateProjectByID(ctx context.Context, arg UpdateProjectByIDParams) (CoreProject, error)
+	UpdateProjectMemberRole(ctx context.Context, arg UpdateProjectMemberRoleParams) (CoreProjectMember, error)
+	UpsertUser(ctx context.Context, arg UpsertUserParams) (CoreUser, error)
+}
+
+var _ Querier = (*Queries)(nil)
@@ -0,0 +1,119 @@
+// Code generated by sqlc. DO NOT EDIT.
+// versions:
+//   sqlc v1.29.0
+// source: users.sql
+
+package db
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+const countOrganizations = `-- name: CountOrganizations :one
+SELECT COUNT(*)::BIGINT FROM core.organizations
+`
+
+func (q *Queries) CountOrganizations(ctx context.Context) (int64, error) {
+	row := q.db.QueryRow(ctx, countOrganizations)
+	var column_1 int64
+	err := row.Scan(&column_1)
+	return column_1, err
+}
+
+const getUserByAuthSubject = `-- name: GetUserByAuthSubject :one
+SELECT id, auth_subject, email, name, email_verified, created_at, updated_at, last_seen_at FROM core.users
+WHERE auth_subject = $1
+`
+
+func (q *Queries) GetUserByAuthSubject(ctx context.Context, authSubject string) (CoreUser, error) {
+	row := q.db.QueryRow(ctx, getUserByAuthSubject, authSubject)
+	var i CoreUser
+	err := row.Scan(
+		&i.ID,
+		&i.AuthSubject,
+		&i.Email,
+		&i.Name,
+		&i.EmailVerified,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.LastSeenAt,
+	)
+	return i, err
+}
+
+const getUserByID = `-- name: GetUserByID :one
+SELECT id, auth_subject, email, name, email_verified, created_at, updated_at, last_seen_at FROM core.users
+WHERE id = $1
+`
+
+func (q *Queries) GetUserByID(ctx context.Context, id uuid.UUID) (CoreUser, error) {
+	row := q.db.QueryRow(ctx, getUserByID, id)
+	var i CoreUser
+	err := row.Scan(
+		&i.ID,
+		&i.AuthSubject,
+		&i.Email,
+		&i.Name,
+		&i.EmailVerified,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.LastSeenAt,
+	)
+	return i, err
+}
+
+const upsertUser = `-- name: UpsertUser :one
+INSERT INTO core.users (
+  auth_subject,
+  email,
+  name,
+  email_verified,
+  updated_at,
+  last_seen_at
+) VALUES (
+  $1,
+  $2,
+  $3,
+  $4,
+  NOW(),
+  NOW()
+)
+ON CONFLICT (auth_subject) DO UPDATE
+SET
+  email = EXCLUDED.email,
+  name = EXCLUDED.name,
+  email_verified = EXCLUDED.email_verified,
+  updated_at = NOW(),
+  last_seen_at = NOW()
+RETURNING id, auth_subject, email, name, email_verified, created_at, updated_at, last_seen_at
+`
+
+type UpsertUserParams struct {
+	AuthSubject   string `json:"auth_subject"`
+	Email         string `json:"email"`
+	Name          string `json:"name"`
+	EmailVerified bool   `json:"email_verified"`
+}
+
+func (q *Queries) UpsertUser(ctx context.Context, arg UpsertUserParams) (CoreUser, error) {
+	row := q.db.QueryRow(ctx, upsertUser,
+		arg.AuthSubject,
+		arg.Email,
+		arg.Name,
+		arg.EmailVerified,
+	)
+	var i CoreUser
+	err := row.Scan(
+		&i.ID,
+		&i.AuthSubject,
+		&i.Email,
+		&i.Name,
+		&i.EmailVerified,
+		&i.CreatedAt,
+		&i.UpdatedAt,
+		&i.LastSeenAt,
+	)
+	return i, err
+}