Feat(Chore): Verify Flow, Invites, Suspend, Depart Cert Policy

feat: add password reset and email verification flow
feat: add org invite listing, cancellation, and invite link fallback
feat: add user suspend/unsuspend with audit logging
feat: add department certificate policy (expiry, extensions)
feat: enforce dept cert policy on SSH certificate signing
feat: wire up OIDC consent and token flow (replace mocks)
feat: rework CLI auth bridge to use frontend login flow
feat: add admin OAuth provider management (CRUD)
chore: refactor model import paths after module reorganisation
chore: clean up config, decorators, and dev tooling

migrations/versions/010_password_reset_email_verify.py

@@ -0,0 +1,50 @@
+"""add password reset and email verification token tables
+
+Revision ID: 010_password_reset_email_verify
+Revises: 009_sync_auditaction_enum
+Create Date: 2025-01-01 00:00:00.000000
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = '010_password_reset_email_verify'
+down_revision = '009'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        'password_reset_tokens',
+        sa.Column('id', sa.String(36), primary_key=True, nullable=False),
+        sa.Column('user_id', sa.String(36), sa.ForeignKey('users.id', ondelete='CASCADE'), nullable=False),
+        sa.Column('token', sa.String(128), nullable=False, unique=True),
+        sa.Column('expires_at', sa.DateTime, nullable=False),
+        sa.Column('used_at', sa.DateTime, nullable=True),
+        sa.Column('created_at', sa.DateTime, nullable=False),
+        sa.Column('updated_at', sa.DateTime, nullable=False),
+        sa.Column('deleted_at', sa.DateTime, nullable=True),
+    )
+    op.create_index('ix_password_reset_tokens_user_id', 'password_reset_tokens', ['user_id'])
+    op.create_index('ix_password_reset_tokens_token', 'password_reset_tokens', ['token'])
+
+    op.create_table(
+        'email_verification_tokens',
+        sa.Column('id', sa.String(36), primary_key=True, nullable=False),
+        sa.Column('user_id', sa.String(36), sa.ForeignKey('users.id', ondelete='CASCADE'), nullable=False),
+        sa.Column('token', sa.String(128), nullable=False, unique=True),
+        sa.Column('expires_at', sa.DateTime, nullable=False),
+        sa.Column('used_at', sa.DateTime, nullable=True),
+        sa.Column('created_at', sa.DateTime, nullable=False),
+        sa.Column('updated_at', sa.DateTime, nullable=False),
+        sa.Column('deleted_at', sa.DateTime, nullable=True),
+    )
+    op.create_index('ix_email_verification_tokens_user_id', 'email_verification_tokens', ['user_id'])
+    op.create_index('ix_email_verification_tokens_token', 'email_verification_tokens', ['token'])
+
+
+def downgrade():
+    op.drop_table('email_verification_tokens')
+    op.drop_table('password_reset_tokens')

migrations/versions/011_org_invite_tokens.py

@@ -0,0 +1,38 @@
+"""add org_invite_tokens table
+
+Revision ID: 011_org_invite_tokens
+Revises: 010_password_reset_email_verify
+Create Date: 2025-01-01 00:00:00.000000
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+revision = '011_org_invite_tokens'
+down_revision = '010_password_reset_email_verify'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        'org_invite_tokens',
+        sa.Column('id', sa.String(36), primary_key=True, nullable=False),
+        sa.Column('organization_id', sa.String(36), sa.ForeignKey('organizations.id', ondelete='CASCADE'), nullable=False),
+        sa.Column('invited_by_id', sa.String(36), sa.ForeignKey('users.id', ondelete='SET NULL'), nullable=True),
+        sa.Column('email', sa.String(255), nullable=False),
+        sa.Column('role', sa.String(64), nullable=False, server_default='member'),
+        sa.Column('token', sa.String(128), nullable=False, unique=True),
+        sa.Column('expires_at', sa.DateTime, nullable=False),
+        sa.Column('accepted_at', sa.DateTime, nullable=True),
+        sa.Column('created_at', sa.DateTime, nullable=False),
+        sa.Column('updated_at', sa.DateTime, nullable=False),
+        sa.Column('deleted_at', sa.DateTime, nullable=True),
+    )
+    op.create_index('ix_org_invite_tokens_organization_id', 'org_invite_tokens', ['organization_id'])
+    op.create_index('ix_org_invite_tokens_email', 'org_invite_tokens', ['email'])
+    op.create_index('ix_org_invite_tokens_token', 'org_invite_tokens', ['token'])
+
+
+def downgrade():
+    op.drop_table('org_invite_tokens')

migrations/versions/014_add_dept_cert_policy.py

@@ -0,0 +1,44 @@
+"""add_department_cert_policies
+
+Adds the department_cert_policies table which stores per-department
+SSH certificate issuance rules:
+  - whether users may choose their own expiry
+  - default and maximum expiry durations
+  - allowed SSH certificate extensions
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+revision = "014_add_dept_cert_policy"
+down_revision = "013"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "department_cert_policies",
+        sa.Column("id", sa.String(36), primary_key=True),
+        sa.Column("department_id", sa.String(36), sa.ForeignKey("departments.id"), nullable=False, unique=True),
+        # Whether users are allowed to specify their own expiry (up to max)
+        sa.Column("allow_user_expiry", sa.Boolean(), nullable=False, server_default="0"),
+        # Default validity in hours (used when user doesn't specify, or not allowed to)
+        sa.Column("default_expiry_hours", sa.Integer(), nullable=False, server_default="1"),
+        # Hard cap on validity; admin cannot be exceeded
+        sa.Column("max_expiry_hours", sa.Integer(), nullable=False, server_default="24"),
+        # JSON list of extension names that are enabled for this department
+        # e.g. ["permit-pty", "permit-agent-forwarding"]
+        sa.Column("allowed_extensions", sa.JSON(), nullable=False, server_default='["permit-pty","permit-agent-forwarding","permit-X11-forwarding","permit-port-forwarding","permit-user-rc"]'),
+        # Admin-defined custom extension names beyond the standard five
+        sa.Column("custom_extensions", sa.JSON(), nullable=False, server_default="[]"),
+        sa.Column("created_at", sa.DateTime(), nullable=True),
+        sa.Column("updated_at", sa.DateTime(), nullable=True),
+        sa.Column("deleted_at", sa.DateTime(), nullable=True),
+    )
+    op.create_index("idx_dept_cert_policy_dept", "department_cert_policies", ["department_id"])
+
+
+def downgrade():
+    op.drop_index("idx_dept_cert_policy_dept", "department_cert_policies")
+    op.drop_table("department_cert_policies")