import { pgTable, text, boolean, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';

/**
 * Single-use admin-issued invites for CRM users (better-auth realm).
 *
 * `tokenHash` is a SHA-256 hash of the raw token sent in the email. Lookups
 * happen by hash so a DB compromise never leaks active tokens. The invite
 * is consumed at /set-password - the route creates the better-auth `user`
 * row + `account` credential and the matching `user_profiles` extension.
 */
export const crmUserInvites = pgTable(
  'crm_user_invites',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    email: text('email').notNull(),
    name: text('name'),
    tokenHash: text('token_hash').notNull(),
    isSuperAdmin: boolean('is_super_admin').notNull().default(false),
    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
    usedAt: timestamp('used_at', { withTimezone: true }),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (table) => [
    uniqueIndex('idx_crm_invites_token_hash').on(table.tokenHash),
    index('idx_crm_invites_email').on(table.email),
  ],
);

export type CrmUserInvite = typeof crmUserInvites.$inferSelect;
export type NewCrmUserInvite = typeof crmUserInvites.$inferInsert;