migrations/versions/020_add_zerotier_models.py

"""Add ZeroTier / Portal Network models.

Revision ID: 020_zerotier
Revises: 019_audit_varchar
Create Date: 2026-03-19

Tables created:
  - portal_networks          — manager-created ZeroTier network bindings
  - devices                  — user-registered ZeroTier node endpoints
  - user_network_approvals    — durable manager approval records
  - device_network_memberships — per-device per-network workflow records
  - activation_sessions       — temporary activation windows
  - zerotier_memberships     — observed controller-side member state
  - kill_switch_events        — explicit rapid deactivation records
"""

from alembic import op
import sqlalchemy as sa

revision = "020_zerotier"
down_revision = "019_audit_varchar"
branch_labels = None
depends_on = None


def _pg_enum(enum_name: str, values: list[str]) -> sa.Enum:
    return sa.Enum(*values, name=enum_name, create_type=False)


def upgrade():
    bind = op.get_bind()
    dialect = bind.dialect.name

    # ── 1. Enum types ─────────────────────────────────────────────────────────

    if dialect == "postgresql":
        op.execute("CREATE TYPE network_environment AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["production", "staging", "development", "lab"]
        ))
        op.execute("CREATE TYPE network_request_mode AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["open", "approval_required", "invite_only"]
        ))
        op.execute("CREATE TYPE approval_grant_type AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["requested", "assigned"]
        ))
        op.execute("CREATE TYPE approval_state AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["pending", "approved", "rejected", "revoked", "suspended"]
        ))
        op.execute("CREATE TYPE membership_state AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in [
                "pending_device_registration",
                "pending_request",
                "pending_manager_approval",
                "approved_inactive",
                "joined_deauthorized",
                "active_authorized",
                "activation_expired",
                "suspended",
                "revoked",
                "rejected",
            ]
        ))
        op.execute("CREATE TYPE activation_end_reason AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in [
                "expired", "logout", "kill_switch",
                "manual_revoke", "approval_revoked", "admin_action",
            ]
        ))
        op.execute("CREATE TYPE kill_switch_scope AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["organization", "global", "selected_networks"]
        ))
        op.execute("CREATE TYPE device_status AS ENUM (%s)" % ", ".join(
            f"'{v}'" for v in ["active", "inactive"]
        ))

    # ── 2. portal_networks ────────────────────────────────────────────────────

    op.create_table(
        "portal_networks",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("name", sa.String(255), nullable=False),
        sa.Column("description", sa.Text, nullable=True),
        sa.Column("owner_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
        sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),
        sa.Column(
            "environment",
            _pg_enum("network_environment", ["production", "staging", "development", "lab"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
        ),
        sa.Column(
            "request_mode",
            _pg_enum("network_request_mode", ["open", "approval_required", "invite_only"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
        ),
        sa.Column("default_activation_lifetime_minutes", sa.Integer, nullable=False, default=480),
        sa.Column("max_activation_lifetime_minutes", sa.Integer, nullable=True),
        sa.Column("is_active", sa.Boolean, nullable=False, default=True),
    )
    op.create_index(
        "ix_portal_networks_org_zt",
        "portal_networks",
        ["organization_id", "zerotier_network_id"],
        unique=True,
        postgresql_where=sa.text("deleted_at IS NULL"),
    )

    # ── 3. devices ───────────────────────────────────────────────────────────

    op.create_table(
        "devices",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("node_id", sa.String(10), nullable=False, index=True),
        sa.Column("device_nickname", sa.String(255), nullable=True),
        sa.Column("hostname", sa.String(255), nullable=True),
        sa.Column("asset_tag", sa.String(255), nullable=True),
        sa.Column("serial_number", sa.String(255), nullable=True),
        sa.Column(
            "status",
            _pg_enum("device_status", ["active", "inactive"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
            default="active",
        ),
    )
    if dialect == "postgresql":
        op.create_index(
            "ix_devices_node_id_active",
            "devices",
            ["node_id"],
            unique=True,
            postgresql_where=sa.text("deleted_at IS NULL"),
        )
    else:
        op.create_index("ix_devices_node_id", "devices", ["node_id"], unique=False)

    # ── 4. user_network_approvals ─────────────────────────────────────────────

    op.create_table(
        "user_network_approvals",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
        sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),
        sa.Column("granted_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=True),
        sa.Column(
            "grant_type",
            _pg_enum("approval_grant_type", ["requested", "assigned"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
            default="requested",
        ),
        sa.Column(
            "state",
            _pg_enum("approval_state", ["pending", "approved", "rejected", "revoked", "suspended"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
            default="pending",
            index=True,
        ),
        sa.Column("justification", sa.Text, nullable=True),
    )
    op.create_index(
        "ix_user_network_approvals_user_network",
        "user_network_approvals",
        ["user_id", "portal_network_id"],
        unique=True,
        postgresql_where=sa.text("deleted_at IS NULL"),
    )

    # ── 5. device_network_memberships ────────────────────────────────────────

    op.create_table(
        "device_network_memberships",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
        sa.Column("device_id", sa.String(36), sa.ForeignKey("devices.id"), nullable=False, index=True),
        sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),
        sa.Column("user_network_approval_id", sa.String(36), sa.ForeignKey("user_network_approvals.id"), nullable=True, index=True),
        sa.Column(
            "state",
            _pg_enum(
                "membership_state",
                [
                    "pending_device_registration", "pending_request",
                    "pending_manager_approval", "approved_inactive",
                    "joined_deauthorized", "active_authorized",
                    "activation_expired", "suspended", "revoked", "rejected",
                ],
            ) if dialect == "postgresql" else sa.String(30),
            nullable=False,
            default="pending_device_registration",
            index=True,
        ),
        sa.Column("join_seen", sa.Boolean, nullable=False, default=False),
        sa.Column("currently_authorized", sa.Boolean, nullable=False, default=False),
        sa.Column("approved_for_activation", sa.Boolean, nullable=False, default=True),
    )
    op.create_index(
        "ix_device_network_memberships_device_network",
        "device_network_memberships",
        ["device_id", "portal_network_id"],
        unique=True,
        postgresql_where=sa.text("deleted_at IS NULL"),
    )

    # ── 6. activation_sessions ────────────────────────────────────────────────

    op.create_table(
        "activation_sessions",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
        sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=False, index=True),
        sa.Column("authenticated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("ended_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column(
            "end_reason",
            _pg_enum(
                "activation_end_reason",
                ["expired", "logout", "kill_switch", "manual_revoke", "approval_revoked", "admin_action"],
            ) if dialect == "postgresql" else sa.String(20),
            nullable=True,
        ),
        sa.Column("created_by", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
    )

    # ── 7. zerotier_memberships ───────────────────────────────────────────────

    op.create_table(
        "zerotier_memberships",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=True, index=True),
        sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),
        sa.Column("node_id", sa.String(10), nullable=False, index=True),
        sa.Column("member_seen", sa.Boolean, nullable=False, default=False),
        sa.Column("authorized", sa.Boolean, nullable=False, default=False),
        sa.Column("join_seen_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("last_synced_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("raw_controller_payload", sa.JSON, nullable=True),
    )
    op.create_index(
        "ix_zerotier_memberships_network_node",
        "zerotier_memberships",
        ["zerotier_network_id", "node_id"],
        unique=True,
    )

    # ── 8. kill_switch_events ────────────────────────────────────────────────

    op.create_table(
        "kill_switch_events",
        sa.Column("id", sa.String(36), primary_key=True),
        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),
        sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),
        sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),
        sa.Column("target_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),
        sa.Column(
            "scope",
            _pg_enum("kill_switch_scope", ["organization", "global", "selected_networks"]) if dialect == "postgresql"
            else sa.String(20),
            nullable=False,
            default="organization",
        ),
        sa.Column("triggered_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),
        sa.Column("reason", sa.Text, nullable=True),
        sa.Column("network_ids", sa.JSON, nullable=True),
    )


def downgrade():
    bind = op.get_bind()
    dialect = bind.dialect.name

    op.drop_table("kill_switch_events")
    op.drop_table("zerotier_memberships")
    op.drop_table("activation_sessions")
    op.drop_table("device_network_memberships")
    op.drop_table("user_network_approvals")
    op.drop_table("devices")
    op.drop_table("portal_networks")

    if dialect == "postgresql":
        op.execute("DROP TYPE IF EXISTS kill_switch_scope")
        op.execute("DROP TYPE IF EXISTS device_status")
        op.execute("DROP TYPE IF EXISTS activation_end_reason")
        op.execute("DROP TYPE IF EXISTS membership_state")
        op.execute("DROP TYPE IF EXISTS approval_state")
        op.execute("DROP TYPE IF EXISTS approval_grant_type")
        op.execute("DROP TYPE IF EXISTS network_request_mode")
        op.execute("DROP TYPE IF EXISTS network_environment")
feat(zerotier): add ZeroTier network governance module 2026-03-20 21:50:20 +10:30			`"""Add ZeroTier / Portal Network models.`

			`Revision ID: 020_zerotier`
			`Revises: 019_audit_varchar`
			`Create Date: 2026-03-19`

			`Tables created:`
			`- portal_networks — manager-created ZeroTier network bindings`
			`- devices — user-registered ZeroTier node endpoints`
			`- user_network_approvals — durable manager approval records`
			`- device_network_memberships — per-device per-network workflow records`
			`- activation_sessions — temporary activation windows`
			`- zerotier_memberships — observed controller-side member state`
			`- kill_switch_events — explicit rapid deactivation records`
			`"""`

			`from alembic import op`
			`import sqlalchemy as sa`

			`revision = "020_zerotier"`
			`down_revision = "019_audit_varchar"`
			`branch_labels = None`
			`depends_on = None`


			`def _pg_enum(enum_name: str, values: list[str]) -> sa.Enum:`
			`return sa.Enum(*values, name=enum_name, create_type=False)`


			`def upgrade():`
			`bind = op.get_bind()`
			`dialect = bind.dialect.name`

			`# ── 1. Enum types ─────────────────────────────────────────────────────────`

			`if dialect == "postgresql":`
			`op.execute("CREATE TYPE network_environment AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["production", "staging", "development", "lab"]`
			`))`
			`op.execute("CREATE TYPE network_request_mode AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["open", "approval_required", "invite_only"]`
			`))`
			`op.execute("CREATE TYPE approval_grant_type AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["requested", "assigned"]`
			`))`
			`op.execute("CREATE TYPE approval_state AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["pending", "approved", "rejected", "revoked", "suspended"]`
			`))`
			`op.execute("CREATE TYPE membership_state AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in [`
			`"pending_device_registration",`
			`"pending_request",`
			`"pending_manager_approval",`
			`"approved_inactive",`
			`"joined_deauthorized",`
			`"active_authorized",`
			`"activation_expired",`
			`"suspended",`
			`"revoked",`
			`"rejected",`
			`]`
			`))`
			`op.execute("CREATE TYPE activation_end_reason AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in [`
			`"expired", "logout", "kill_switch",`
			`"manual_revoke", "approval_revoked", "admin_action",`
			`]`
			`))`
			`op.execute("CREATE TYPE kill_switch_scope AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["organization", "global", "selected_networks"]`
			`))`
			`op.execute("CREATE TYPE device_status AS ENUM (%s)" % ", ".join(`
			`f"'{v}'" for v in ["active", "inactive"]`
			`))`

			`# ── 2. portal_networks ────────────────────────────────────────────────────`

			`op.create_table(`
			`"portal_networks",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("name", sa.String(255), nullable=False),`
			`sa.Column("description", sa.Text, nullable=True),`
			`sa.Column("owner_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),`
			`sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),`
			`sa.Column(`
			`"environment",`
			`_pg_enum("network_environment", ["production", "staging", "development", "lab"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`),`
			`sa.Column(`
			`"request_mode",`
			`_pg_enum("network_request_mode", ["open", "approval_required", "invite_only"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`),`
			`sa.Column("default_activation_lifetime_minutes", sa.Integer, nullable=False, default=480),`
			`sa.Column("max_activation_lifetime_minutes", sa.Integer, nullable=True),`
			`sa.Column("is_active", sa.Boolean, nullable=False, default=True),`
			`)`
			`op.create_index(`
			`"ix_portal_networks_org_zt",`
			`"portal_networks",`
			`["organization_id", "zerotier_network_id"],`
			`unique=True,`
			`postgresql_where=sa.text("deleted_at IS NULL"),`
			`)`

			`# ── 3. devices ───────────────────────────────────────────────────────────`

			`op.create_table(`
			`"devices",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("node_id", sa.String(10), nullable=False, index=True),`
			`sa.Column("device_nickname", sa.String(255), nullable=True),`
			`sa.Column("hostname", sa.String(255), nullable=True),`
			`sa.Column("asset_tag", sa.String(255), nullable=True),`
			`sa.Column("serial_number", sa.String(255), nullable=True),`
			`sa.Column(`
			`"status",`
			`_pg_enum("device_status", ["active", "inactive"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`default="active",`
			`),`
			`)`
			`if dialect == "postgresql":`
			`op.create_index(`
			`"ix_devices_node_id_active",`
			`"devices",`
			`["node_id"],`
			`unique=True,`
			`postgresql_where=sa.text("deleted_at IS NULL"),`
			`)`
			`else:`
			`op.create_index("ix_devices_node_id", "devices", ["node_id"], unique=False)`

			`# ── 4. user_network_approvals ─────────────────────────────────────────────`

			`op.create_table(`
			`"user_network_approvals",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),`
			`sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),`
			`sa.Column("granted_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=True),`
			`sa.Column(`
			`"grant_type",`
			`_pg_enum("approval_grant_type", ["requested", "assigned"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`default="requested",`
			`),`
			`sa.Column(`
			`"state",`
			`_pg_enum("approval_state", ["pending", "approved", "rejected", "revoked", "suspended"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`default="pending",`
			`index=True,`
			`),`
			`sa.Column("justification", sa.Text, nullable=True),`
			`)`
			`op.create_index(`
			`"ix_user_network_approvals_user_network",`
			`"user_network_approvals",`
			`["user_id", "portal_network_id"],`
			`unique=True,`
			`postgresql_where=sa.text("deleted_at IS NULL"),`
			`)`

			`# ── 5. device_network_memberships ────────────────────────────────────────`

			`op.create_table(`
			`"device_network_memberships",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),`
			`sa.Column("device_id", sa.String(36), sa.ForeignKey("devices.id"), nullable=False, index=True),`
			`sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True),`
			`sa.Column("user_network_approval_id", sa.String(36), sa.ForeignKey("user_network_approvals.id"), nullable=True, index=True),`
			`sa.Column(`
			`"state",`
			`_pg_enum(`
			`"membership_state",`
			`[`
			`"pending_device_registration", "pending_request",`
			`"pending_manager_approval", "approved_inactive",`
			`"joined_deauthorized", "active_authorized",`
			`"activation_expired", "suspended", "revoked", "rejected",`
			`],`
			`) if dialect == "postgresql" else sa.String(30),`
			`nullable=False,`
			`default="pending_device_registration",`
			`index=True,`
			`),`
			`sa.Column("join_seen", sa.Boolean, nullable=False, default=False),`
			`sa.Column("currently_authorized", sa.Boolean, nullable=False, default=False),`
			`sa.Column("approved_for_activation", sa.Boolean, nullable=False, default=True),`
			`)`
			`op.create_index(`
			`"ix_device_network_memberships_device_network",`
			`"device_network_memberships",`
			`["device_id", "portal_network_id"],`
			`unique=True,`
			`postgresql_where=sa.text("deleted_at IS NULL"),`
			`)`

			`# ── 6. activation_sessions ────────────────────────────────────────────────`

			`op.create_table(`
			`"activation_sessions",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),`
			`sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=False, index=True),`
			`sa.Column("authenticated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("ended_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column(`
			`"end_reason",`
			`_pg_enum(`
			`"activation_end_reason",`
			`["expired", "logout", "kill_switch", "manual_revoke", "approval_revoked", "admin_action"],`
			`) if dialect == "postgresql" else sa.String(20),`
			`nullable=True,`
			`),`
			`sa.Column("created_by", sa.String(36), sa.ForeignKey("users.id"), nullable=False),`
			`)`

			`# ── 7. zerotier_memberships ───────────────────────────────────────────────`

			`op.create_table(`
			`"zerotier_memberships",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=True, index=True),`
			`sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True),`
			`sa.Column("node_id", sa.String(10), nullable=False, index=True),`
			`sa.Column("member_seen", sa.Boolean, nullable=False, default=False),`
			`sa.Column("authorized", sa.Boolean, nullable=False, default=False),`
			`sa.Column("join_seen_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("last_synced_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("raw_controller_payload", sa.JSON, nullable=True),`
			`)`
			`op.create_index(`
			`"ix_zerotier_memberships_network_node",`
			`"zerotier_memberships",`
			`["zerotier_network_id", "node_id"],`
			`unique=True,`
			`)`

			`# ── 8. kill_switch_events ────────────────────────────────────────────────`

			`op.create_table(`
			`"kill_switch_events",`
			`sa.Column("id", sa.String(36), primary_key=True),`
			`sa.Column("created_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False),`
			`sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True),`
			`sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True),`
			`sa.Column("target_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True),`
			`sa.Column(`
			`"scope",`
			`_pg_enum("kill_switch_scope", ["organization", "global", "selected_networks"]) if dialect == "postgresql"`
			`else sa.String(20),`
			`nullable=False,`
			`default="organization",`
			`),`
			`sa.Column("triggered_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False),`
			`sa.Column("reason", sa.Text, nullable=True),`
			`sa.Column("network_ids", sa.JSON, nullable=True),`
			`)`


			`def downgrade():`
			`bind = op.get_bind()`
			`dialect = bind.dialect.name`

			`op.drop_table("kill_switch_events")`
			`op.drop_table("zerotier_memberships")`
			`op.drop_table("activation_sessions")`
			`op.drop_table("device_network_memberships")`
			`op.drop_table("user_network_approvals")`
			`op.drop_table("devices")`
			`op.drop_table("portal_networks")`

			`if dialect == "postgresql":`
			`op.execute("DROP TYPE IF EXISTS kill_switch_scope")`
			`op.execute("DROP TYPE IF EXISTS device_status")`
			`op.execute("DROP TYPE IF EXISTS activation_end_reason")`
			`op.execute("DROP TYPE IF EXISTS membership_state")`
			`op.execute("DROP TYPE IF EXISTS approval_state")`
			`op.execute("DROP TYPE IF EXISTS approval_grant_type")`
			`op.execute("DROP TYPE IF EXISTS network_request_mode")`
			`op.execute("DROP TYPE IF EXISTS network_environment")`