v0.2.0 (#50)

Co-authored-by: Tasnim Kabir Sadik <tksadik@omukk.dev>

Reviewed-on: wrenn/wrenn#50

db/migrations/20260518200117_add_sessions.sql

@@ -0,0 +1,21 @@
+-- +goose Up
+-- +goose StatementBegin
+CREATE TABLE sessions (
+    id            TEXT PRIMARY KEY,
+    user_id       UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    team_id       UUID NOT NULL REFERENCES teams(id) ON DELETE CASCADE,
+    csrf_token    TEXT NOT NULL,
+    user_agent    TEXT NOT NULL DEFAULT '',
+    ip_address    TEXT NOT NULL DEFAULT '',
+    created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    last_seen_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at    TIMESTAMPTZ NOT NULL
+);
+CREATE INDEX sessions_user_id_idx ON sessions(user_id);
+CREATE INDEX sessions_expires_at_idx ON sessions(expires_at);
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS sessions;
+-- +goose StatementEnd

db/migrations/20260519231056_hash_session_ids.sql

@@ -0,0 +1,15 @@
+-- +goose Up
+-- +goose StatementBegin
+-- Session IDs are now stored as sha256(raw_sid) hex so a DB/Redis dump
+-- cannot be replayed as session cookies. Existing sessions hold raw SIDs
+-- in id; they are unrecoverable under the new scheme and must be wiped.
+-- Users will need to log in again after this migration.
+TRUNCATE TABLE sessions;
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+-- Down: nothing to do schematically. Hashed rows remain but will never
+-- match a raw cookie under the old code path; safest is to wipe again.
+TRUNCATE TABLE sessions;
+-- +goose StatementEnd

db/migrations/20260522154716_seed_system_base_templates.sql

@@ -0,0 +1,49 @@
+-- +goose Up
+
+-- Replace the old all-zeros "minimal" base template with the four system base
+-- templates (ubuntu/alpine/arch/fedora). All are platform-owned (team_id
+-- all-zeros) with reserved template IDs 0..3, default user wrenn-user.
+--
+-- Template IDs are well-known: the all-zeros UUID + low byte = {0,1,2,3}.
+-- On disk each lives at images/teams/{base36(0)}/{base36(id)}/rootfs.ext4.
+
+-- 0 → minimal-ubuntu (was "minimal").
+UPDATE templates
+SET name = 'minimal-ubuntu',
+    default_user = 'wrenn-user'
+WHERE id = '00000000-0000-0000-0000-000000000000';
+
+-- Seed the row if it did not already exist (fresh DBs).
+INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id, default_user)
+VALUES ('00000000-0000-0000-0000-000000000000', 'minimal-ubuntu', 'base', 1, 512, 0,
+        '00000000-0000-0000-0000-000000000000', 'wrenn-user')
+ON CONFLICT (id) DO NOTHING;
+
+-- 1 → minimal-alpine, 2 → minimal-arch, 3 → minimal-fedora.
+INSERT INTO templates (id, name, type, vcpus, memory_mb, size_bytes, team_id, default_user)
+VALUES
+    ('00000000-0000-0000-0000-000000000001', 'minimal-alpine', 'base', 1, 512, 0,
+     '00000000-0000-0000-0000-000000000000', 'wrenn-user'),
+    ('00000000-0000-0000-0000-000000000002', 'minimal-arch', 'base', 1, 512, 0,
+     '00000000-0000-0000-0000-000000000000', 'wrenn-user'),
+    ('00000000-0000-0000-0000-000000000003', 'minimal-fedora', 'base', 1, 512, 0,
+     '00000000-0000-0000-0000-000000000000', 'wrenn-user')
+ON CONFLICT (id) DO NOTHING;
+
+-- Point the sandboxes.template column default at the new default base template.
+ALTER TABLE sandboxes ALTER COLUMN template SET DEFAULT 'minimal-ubuntu';
+
+-- +goose Down
+
+ALTER TABLE sandboxes ALTER COLUMN template SET DEFAULT 'minimal';
+
+DELETE FROM templates WHERE id IN (
+    '00000000-0000-0000-0000-000000000001',
+    '00000000-0000-0000-0000-000000000002',
+    '00000000-0000-0000-0000-000000000003'
+);
+
+UPDATE templates
+SET name = 'minimal',
+    default_user = 'root'
+WHERE id = '00000000-0000-0000-0000-000000000000';