Add admin users, BYOC teams, hosts schema, and Redis for host registration

Introduce three migrations: admin permissions (is_admin + permissions table),
BYOC team tracking, and multi-host support (hosts, host_tokens, host_tags).
Add Redis to dev infra and wire up client in control plane for ephemeral
host registration tokens. Add go-redis dependency.

db/migrations/20260316203135_admin_users.sql

@@ -0,0 +1,21 @@
+-- +goose Up
+
+ALTER TABLE users
+    ADD COLUMN is_admin BOOLEAN NOT NULL DEFAULT FALSE;
+
+CREATE TABLE admin_permissions (
+    id         TEXT PRIMARY KEY,
+    user_id    TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    permission TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    UNIQUE (user_id, permission)
+);
+
+CREATE INDEX idx_admin_permissions_user ON admin_permissions(user_id);
+
+-- +goose Down
+
+DROP TABLE admin_permissions;
+
+ALTER TABLE users
+    DROP COLUMN is_admin;

db/migrations/20260316203138_byoc_teams.sql

@@ -0,0 +1,9 @@
+-- +goose Up
+
+ALTER TABLE teams
+    ADD COLUMN is_byoc BOOLEAN NOT NULL DEFAULT FALSE;
+
+-- +goose Down
+
+ALTER TABLE teams
+    DROP COLUMN is_byoc;

db/migrations/20260316203142_hosts.sql

@@ -0,0 +1,47 @@
+-- +goose Up
+
+CREATE TABLE hosts (
+    id                TEXT PRIMARY KEY,
+    type              TEXT NOT NULL DEFAULT 'regular',  -- 'regular' or 'byoc'
+    team_id           TEXT REFERENCES teams(id) ON DELETE SET NULL,
+    provider          TEXT,
+    availability_zone TEXT,
+    arch              TEXT,
+    cpu_cores         INTEGER,
+    memory_mb         INTEGER,
+    disk_gb           INTEGER,
+    address           TEXT,                             -- ip:port of host agent
+    status            TEXT NOT NULL DEFAULT 'pending',  -- 'pending', 'online', 'offline', 'draining'
+    last_heartbeat_at TIMESTAMPTZ,
+    metadata          JSONB NOT NULL DEFAULT '{}',
+    created_by        TEXT NOT NULL REFERENCES users(id),
+    created_at        TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at        TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE host_tokens (
+    id         TEXT PRIMARY KEY,
+    host_id    TEXT NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
+    created_by TEXT NOT NULL REFERENCES users(id),
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at TIMESTAMPTZ NOT NULL,
+    used_at    TIMESTAMPTZ
+);
+
+CREATE TABLE host_tags (
+    host_id TEXT NOT NULL REFERENCES hosts(id) ON DELETE CASCADE,
+    tag     TEXT NOT NULL,
+    PRIMARY KEY (host_id, tag)
+);
+
+CREATE INDEX idx_hosts_type ON hosts(type);
+CREATE INDEX idx_hosts_team ON hosts(team_id);
+CREATE INDEX idx_hosts_status ON hosts(status);
+CREATE INDEX idx_host_tokens_host ON host_tokens(host_id);
+CREATE INDEX idx_host_tags_tag ON host_tags(tag);
+
+-- +goose Down
+
+DROP TABLE host_tags;
+DROP TABLE host_tokens;
+DROP TABLE hosts;

db/queries/hosts.sql

@@ -0,0 +1,66 @@
+-- name: InsertHost :one
+INSERT INTO hosts (id, type, team_id, provider, availability_zone, created_by)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING *;
+
+-- name: GetHost :one
+SELECT * FROM hosts WHERE id = $1;
+
+-- name: ListHosts :many
+SELECT * FROM hosts ORDER BY created_at DESC;
+
+-- name: ListHostsByType :many
+SELECT * FROM hosts WHERE type = $1 ORDER BY created_at DESC;
+
+-- name: ListHostsByTeam :many
+SELECT * FROM hosts WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: ListHostsByStatus :many
+SELECT * FROM hosts WHERE status = $1 ORDER BY created_at DESC;
+
+-- name: RegisterHost :exec
+UPDATE hosts
+SET arch = $2,
+    cpu_cores = $3,
+    memory_mb = $4,
+    disk_gb = $5,
+    address = $6,
+    status = 'online',
+    last_heartbeat_at = NOW(),
+    updated_at = NOW()
+WHERE id = $1;
+
+-- name: UpdateHostStatus :exec
+UPDATE hosts SET status = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: UpdateHostHeartbeat :exec
+UPDATE hosts SET last_heartbeat_at = NOW(), updated_at = NOW() WHERE id = $1;
+
+-- name: DeleteHost :exec
+DELETE FROM hosts WHERE id = $1;
+
+-- name: AddHostTag :exec
+INSERT INTO host_tags (host_id, tag) VALUES ($1, $2) ON CONFLICT DO NOTHING;
+
+-- name: RemoveHostTag :exec
+DELETE FROM host_tags WHERE host_id = $1 AND tag = $2;
+
+-- name: GetHostTags :many
+SELECT tag FROM host_tags WHERE host_id = $1 ORDER BY tag;
+
+-- name: ListHostsByTag :many
+SELECT h.* FROM hosts h
+JOIN host_tags ht ON ht.host_id = h.id
+WHERE ht.tag = $1
+ORDER BY h.created_at DESC;
+
+-- name: InsertHostToken :one
+INSERT INTO host_tokens (id, host_id, created_by, expires_at)
+VALUES ($1, $2, $3, $4)
+RETURNING *;
+
+-- name: MarkHostTokenUsed :exec
+UPDATE host_tokens SET used_at = NOW() WHERE id = $1;
+
+-- name: GetHostTokensByHost :many
+SELECT * FROM host_tokens WHERE host_id = $1 ORDER BY created_at DESC;

db/queries/teams.sql

@@ -15,3 +15,9 @@ SELECT t.* FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
 WHERE ut.user_id = $1 AND ut.is_default = TRUE
 LIMIT 1;
+
+-- name: SetTeamBYOC :exec
+UPDATE teams SET is_byoc = $2 WHERE id = $1;
+
+-- name: GetBYOCTeams :many
+SELECT * FROM teams WHERE is_byoc = TRUE ORDER BY created_at;

db/queries/users.sql

@@ -13,3 +13,24 @@ SELECT * FROM users WHERE id = $1;
 INSERT INTO users (id, email)
 VALUES ($1, $2)
 RETURNING *;
+
+-- name: SetUserAdmin :exec
+UPDATE users SET is_admin = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: GetAdminUsers :many
+SELECT * FROM users WHERE is_admin = TRUE ORDER BY created_at;
+
+-- name: InsertAdminPermission :exec
+INSERT INTO admin_permissions (id, user_id, permission)
+VALUES ($1, $2, $3);
+
+-- name: DeleteAdminPermission :exec
+DELETE FROM admin_permissions WHERE user_id = $1 AND permission = $2;
+
+-- name: GetAdminPermissions :many
+SELECT * FROM admin_permissions WHERE user_id = $1 ORDER BY permission;
+
+-- name: HasAdminPermission :one
+SELECT EXISTS(
+    SELECT 1 FROM admin_permissions WHERE user_id = $1 AND permission = $2
+) AS has_permission;