Switch database IDs from TEXT to native UUID

Consolidate 16 migrations into one with UUID columns for all entity IDs. TEXT is kept only for polymorphic fields (audit_logs.actor_id, resource_id) and template names. The id package now generates UUIDs via google/uuid, with Format*/Parse* helpers for the prefixed wire format (sb-{uuid}, usr-{uuid}, etc.). Auth context, services, and handlers pass pgtype.UUID internally; conversion to/from prefixed strings happens at API and RPC boundaries. Adds PlatformTeamID (all-zeros UUID) for shared resources.
2026-03-26 16:16:21 +06:00
parent cdd89a7cee
commit 4ddd494160
66 changed files with 1350 additions and 1127 deletions
--- a/internal/api/middleware_jwt.go
+++ b/internal/api/middleware_jwt.go
@ -5,6 +5,7 @@ import (
 	"strings"

 	"git.omukk.dev/wrenn/sandbox/internal/auth"
+	"git.omukk.dev/wrenn/sandbox/internal/id"
 )

 // requireJWT validates the Authorization: Bearer <token> header, verifies the JWT
@ -25,9 +26,20 @@ func requireJWT(secret []byte) func(http.Handler) http.Handler {
 				return
 			}

+			teamID, err := id.ParseTeamID(claims.TeamID)
+			if err != nil {
+				writeError(w, http.StatusUnauthorized, "unauthorized", "invalid team ID in token")
+				return
+			}
+			userID, err := id.ParseUserID(claims.Subject)
+			if err != nil {
+				writeError(w, http.StatusUnauthorized, "unauthorized", "invalid user ID in token")
+				return
+			}
+
 			ctx := auth.WithAuthContext(r.Context(), auth.AuthContext{
-				TeamID:  claims.TeamID,
-				UserID:  claims.Subject,
+				TeamID:  teamID,
+				UserID:  userID,
 				Email:   claims.Email,
 				Name:    claims.Name,
 				Role:    claims.Role,