src/lib/db/migrations/0054_user_profiles_username.sql

-- 0054_user_profiles_username.sql
-- ----------------------------------------------------------------------------
-- Optional username as a sign-in alternative to email. Stored alongside the
-- canonical first/last name on user_profiles so the rest of the auth/profile
-- code keeps a single place to look. The Better-Auth `user` table stays the
-- source of truth for email + password; the username is a thin alias the
-- login form looks up to resolve to the matching email before delegating
-- to better-auth's email/password flow.
--
-- Constraints (enforced application-side AND in SQL):
--   - 2..30 characters
--   - lowercase letters, digits, dot, underscore, hyphen
--   - case-insensitive uniqueness per install (no per-port scoping —
--     reps move between ports and a global username keeps URLs stable)
--
-- The column is nullable; existing users keep email-only sign-in until they
-- pick one.

ALTER TABLE user_profiles
  ADD COLUMN IF NOT EXISTS username TEXT;

-- Shape check at the DB level catches anything that slipped past the API
-- (raw SQL inserts in tests, scripts, etc.).
ALTER TABLE user_profiles
  ADD CONSTRAINT chk_user_profiles_username_shape
    CHECK (username IS NULL OR username ~ '^[a-z0-9._-]{2,30}$');

-- Case-insensitive uniqueness. Partial so multiple NULLs are allowed.
CREATE UNIQUE INDEX IF NOT EXISTS idx_user_profiles_username_unique
  ON user_profiles (LOWER(username))
  WHERE username IS NOT NULL;
audit: 33-agent comprehensive audit + critical fixes Full team audit run, all reports verbatim in docs/AUDIT-2026-05-12.md (5900+ lines, 30+ critical findings). Already-fixed this commit: - permission-overrides PUT: self-target block + RolePermissions allow-list + cross-tenant guard - /api/auth/resolve-identifier: rate-limit + synthetic miss-email kill enumeration - admin email-change: rotates account.accountId + revokes sessions - middleware: token-gated email confirm/cancel routes whitelisted - NAV_CATALOG: 10 dead-link sweeps to existing /admin/<x> targets Feature work landing same commit: optional username sign-in (migration 0054), per-user permission overrides (0055) with three-state matrix tabbed inside UserForm, user disable button, role + outcome + stage label normalisation across the platform, admin email-change with auto-notification template. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-12 16:52:35 +02:00			`-- 0054_user_profiles_username.sql`
			`-- ----------------------------------------------------------------------------`
			`-- Optional username as a sign-in alternative to email. Stored alongside the`
			`-- canonical first/last name on user_profiles so the rest of the auth/profile`
			-- code keeps a single place to look. The Better-Auth `user` table stays the
			`-- source of truth for email + password; the username is a thin alias the`
			`-- login form looks up to resolve to the matching email before delegating`
			`-- to better-auth's email/password flow.`
			`--`
			`-- Constraints (enforced application-side AND in SQL):`
			`-- - 2..30 characters`
			`-- - lowercase letters, digits, dot, underscore, hyphen`
			`-- - case-insensitive uniqueness per install (no per-port scoping —`
			`-- reps move between ports and a global username keeps URLs stable)`
			`--`
			`-- The column is nullable; existing users keep email-only sign-in until they`
			`-- pick one.`

			`ALTER TABLE user_profiles`
			`ADD COLUMN IF NOT EXISTS username TEXT;`

			`-- Shape check at the DB level catches anything that slipped past the API`
			`-- (raw SQL inserts in tests, scripts, etc.).`
			`ALTER TABLE user_profiles`
			`ADD CONSTRAINT chk_user_profiles_username_shape`
			`CHECK (username IS NULL OR username ~ '^[a-z0-9._-]{2,30}$');`

			`-- Case-insensitive uniqueness. Partial so multiple NULLs are allowed.`
			`CREATE UNIQUE INDEX IF NOT EXISTS idx_user_profiles_username_unique`
			`ON user_profiles (LOWER(username))`
			`WHERE username IS NOT NULL;`