"""Add ZeroTier / Portal Network models. Revision ID: 020_zerotier Revises: 019_audit_varchar Create Date: 2026-03-19 Tables created: - portal_networks — manager-created ZeroTier network bindings - devices — user-registered ZeroTier node endpoints - user_network_approvals — durable manager approval records - device_network_memberships — per-device per-network workflow records - activation_sessions — temporary activation windows - zerotier_memberships — observed controller-side member state - kill_switch_events — explicit rapid deactivation records """ from alembic import op import sqlalchemy as sa revision = "020_zerotier" down_revision = "019_audit_varchar" branch_labels = None depends_on = None def _pg_enum(enum_name: str, values: list[str]) -> sa.Enum: return sa.Enum(*values, name=enum_name, create_type=False) def upgrade(): bind = op.get_bind() dialect = bind.dialect.name # ── 1. Enum types ───────────────────────────────────────────────────────── if dialect == "postgresql": op.execute("CREATE TYPE network_environment AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["production", "staging", "development", "lab"] )) op.execute("CREATE TYPE network_request_mode AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["open", "approval_required", "invite_only"] )) op.execute("CREATE TYPE approval_grant_type AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["requested", "assigned"] )) op.execute("CREATE TYPE approval_state AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["pending", "approved", "rejected", "revoked", "suspended"] )) op.execute("CREATE TYPE membership_state AS ENUM (%s)" % ", ".join( f"'{v}'" for v in [ "pending_device_registration", "pending_request", "pending_manager_approval", "approved_inactive", "joined_deauthorized", "active_authorized", "activation_expired", "suspended", "revoked", "rejected", ] )) op.execute("CREATE TYPE activation_end_reason AS ENUM (%s)" % ", ".join( f"'{v}'" for v in [ "expired", "logout", "kill_switch", "manual_revoke", "approval_revoked", "admin_action", ] )) op.execute("CREATE TYPE kill_switch_scope AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["organization", "global", "selected_networks"] )) op.execute("CREATE TYPE device_status AS ENUM (%s)" % ", ".join( f"'{v}'" for v in ["active", "inactive"] )) # ── 2. portal_networks ──────────────────────────────────────────────────── op.create_table( "portal_networks", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("name", sa.String(255), nullable=False), sa.Column("description", sa.Text, nullable=True), sa.Column("owner_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False), sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True), sa.Column( "environment", _pg_enum("network_environment", ["production", "staging", "development", "lab"]) if dialect == "postgresql" else sa.String(20), nullable=False, ), sa.Column( "request_mode", _pg_enum("network_request_mode", ["open", "approval_required", "invite_only"]) if dialect == "postgresql" else sa.String(20), nullable=False, ), sa.Column("default_activation_lifetime_minutes", sa.Integer, nullable=False, default=480), sa.Column("max_activation_lifetime_minutes", sa.Integer, nullable=True), sa.Column("is_active", sa.Boolean, nullable=False, default=True), ) op.create_index( "ix_portal_networks_org_zt", "portal_networks", ["organization_id", "zerotier_network_id"], unique=True, postgresql_where=sa.text("deleted_at IS NULL"), ) # ── 3. devices ─────────────────────────────────────────────────────────── op.create_table( "devices", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("node_id", sa.String(10), nullable=False, index=True), sa.Column("device_nickname", sa.String(255), nullable=True), sa.Column("hostname", sa.String(255), nullable=True), sa.Column("asset_tag", sa.String(255), nullable=True), sa.Column("serial_number", sa.String(255), nullable=True), sa.Column( "status", _pg_enum("device_status", ["active", "inactive"]) if dialect == "postgresql" else sa.String(20), nullable=False, default="active", ), ) if dialect == "postgresql": op.create_index( "ix_devices_node_id_active", "devices", ["node_id"], unique=True, postgresql_where=sa.text("deleted_at IS NULL"), ) else: op.create_index("ix_devices_node_id", "devices", ["node_id"], unique=False) # ── 4. user_network_approvals ───────────────────────────────────────────── op.create_table( "user_network_approvals", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True), sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True), sa.Column("granted_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=True), sa.Column( "grant_type", _pg_enum("approval_grant_type", ["requested", "assigned"]) if dialect == "postgresql" else sa.String(20), nullable=False, default="requested", ), sa.Column( "state", _pg_enum("approval_state", ["pending", "approved", "rejected", "revoked", "suspended"]) if dialect == "postgresql" else sa.String(20), nullable=False, default="pending", index=True, ), sa.Column("justification", sa.Text, nullable=True), ) op.create_index( "ix_user_network_approvals_user_network", "user_network_approvals", ["user_id", "portal_network_id"], unique=True, postgresql_where=sa.text("deleted_at IS NULL"), ) # ── 5. device_network_memberships ──────────────────────────────────────── op.create_table( "device_network_memberships", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True), sa.Column("device_id", sa.String(36), sa.ForeignKey("devices.id"), nullable=False, index=True), sa.Column("portal_network_id", sa.String(36), sa.ForeignKey("portal_networks.id"), nullable=False, index=True), sa.Column("user_network_approval_id", sa.String(36), sa.ForeignKey("user_network_approvals.id"), nullable=True, index=True), sa.Column( "state", _pg_enum( "membership_state", [ "pending_device_registration", "pending_request", "pending_manager_approval", "approved_inactive", "joined_deauthorized", "active_authorized", "activation_expired", "suspended", "revoked", "rejected", ], ) if dialect == "postgresql" else sa.String(30), nullable=False, default="pending_device_registration", index=True, ), sa.Column("join_seen", sa.Boolean, nullable=False, default=False), sa.Column("currently_authorized", sa.Boolean, nullable=False, default=False), sa.Column("approved_for_activation", sa.Boolean, nullable=False, default=True), ) op.create_index( "ix_device_network_memberships_device_network", "device_network_memberships", ["device_id", "portal_network_id"], unique=True, postgresql_where=sa.text("deleted_at IS NULL"), ) # ── 6. activation_sessions ──────────────────────────────────────────────── op.create_table( "activation_sessions", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True), sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=False, index=True), sa.Column("authenticated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("expires_at", sa.DateTime(timezone=True), nullable=False), sa.Column("ended_at", sa.DateTime(timezone=True), nullable=True), sa.Column( "end_reason", _pg_enum( "activation_end_reason", ["expired", "logout", "kill_switch", "manual_revoke", "approval_revoked", "admin_action"], ) if dialect == "postgresql" else sa.String(20), nullable=True, ), sa.Column("created_by", sa.String(36), sa.ForeignKey("users.id"), nullable=False), ) # ── 7. zerotier_memberships ─────────────────────────────────────────────── op.create_table( "zerotier_memberships", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("device_network_membership_id", sa.String(36), sa.ForeignKey("device_network_memberships.id"), nullable=True, index=True), sa.Column("zerotier_network_id", sa.String(16), nullable=False, index=True), sa.Column("node_id", sa.String(10), nullable=False, index=True), sa.Column("member_seen", sa.Boolean, nullable=False, default=False), sa.Column("authorized", sa.Boolean, nullable=False, default=False), sa.Column("join_seen_at", sa.DateTime(timezone=True), nullable=True), sa.Column("last_synced_at", sa.DateTime(timezone=True), nullable=True), sa.Column("raw_controller_payload", sa.JSON, nullable=True), ) op.create_index( "ix_zerotier_memberships_network_node", "zerotier_memberships", ["zerotier_network_id", "node_id"], unique=True, ) # ── 8. kill_switch_events ──────────────────────────────────────────────── op.create_table( "kill_switch_events", sa.Column("id", sa.String(36), primary_key=True), sa.Column("created_at", sa.DateTime(timezone=True), nullable=False), sa.Column("updated_at", sa.DateTime(timezone=True), nullable=False), sa.Column("deleted_at", sa.DateTime(timezone=True), nullable=True), sa.Column("organization_id", sa.String(36), sa.ForeignKey("organizations.id"), nullable=False, index=True), sa.Column("target_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False, index=True), sa.Column( "scope", _pg_enum("kill_switch_scope", ["organization", "global", "selected_networks"]) if dialect == "postgresql" else sa.String(20), nullable=False, default="organization", ), sa.Column("triggered_by_user_id", sa.String(36), sa.ForeignKey("users.id"), nullable=False), sa.Column("reason", sa.Text, nullable=True), sa.Column("network_ids", sa.JSON, nullable=True), ) def downgrade(): bind = op.get_bind() dialect = bind.dialect.name op.drop_table("kill_switch_events") op.drop_table("zerotier_memberships") op.drop_table("activation_sessions") op.drop_table("device_network_memberships") op.drop_table("user_network_approvals") op.drop_table("devices") op.drop_table("portal_networks") if dialect == "postgresql": op.execute("DROP TYPE IF EXISTS kill_switch_scope") op.execute("DROP TYPE IF EXISTS device_status") op.execute("DROP TYPE IF EXISTS activation_end_reason") op.execute("DROP TYPE IF EXISTS membership_state") op.execute("DROP TYPE IF EXISTS approval_state") op.execute("DROP TYPE IF EXISTS approval_grant_type") op.execute("DROP TYPE IF EXISTS network_request_mode") op.execute("DROP TYPE IF EXISTS network_environment")