Add admin users, BYOC teams, hosts schema, and Redis for host registration

Introduce three migrations: admin permissions (is_admin + permissions table),
BYOC team tracking, and multi-host support (hosts, host_tokens, host_tags).
Add Redis to dev infra and wire up client in control plane for ephemeral
host registration tokens. Add go-redis dependency.

db/queries/hosts.sql

@@ -0,0 +1,66 @@
+-- name: InsertHost :one
+INSERT INTO hosts (id, type, team_id, provider, availability_zone, created_by)
+VALUES ($1, $2, $3, $4, $5, $6)
+RETURNING *;
+
+-- name: GetHost :one
+SELECT * FROM hosts WHERE id = $1;
+
+-- name: ListHosts :many
+SELECT * FROM hosts ORDER BY created_at DESC;
+
+-- name: ListHostsByType :many
+SELECT * FROM hosts WHERE type = $1 ORDER BY created_at DESC;
+
+-- name: ListHostsByTeam :many
+SELECT * FROM hosts WHERE team_id = $1 ORDER BY created_at DESC;
+
+-- name: ListHostsByStatus :many
+SELECT * FROM hosts WHERE status = $1 ORDER BY created_at DESC;
+
+-- name: RegisterHost :exec
+UPDATE hosts
+SET arch = $2,
+    cpu_cores = $3,
+    memory_mb = $4,
+    disk_gb = $5,
+    address = $6,
+    status = 'online',
+    last_heartbeat_at = NOW(),
+    updated_at = NOW()
+WHERE id = $1;
+
+-- name: UpdateHostStatus :exec
+UPDATE hosts SET status = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: UpdateHostHeartbeat :exec
+UPDATE hosts SET last_heartbeat_at = NOW(), updated_at = NOW() WHERE id = $1;
+
+-- name: DeleteHost :exec
+DELETE FROM hosts WHERE id = $1;
+
+-- name: AddHostTag :exec
+INSERT INTO host_tags (host_id, tag) VALUES ($1, $2) ON CONFLICT DO NOTHING;
+
+-- name: RemoveHostTag :exec
+DELETE FROM host_tags WHERE host_id = $1 AND tag = $2;
+
+-- name: GetHostTags :many
+SELECT tag FROM host_tags WHERE host_id = $1 ORDER BY tag;
+
+-- name: ListHostsByTag :many
+SELECT h.* FROM hosts h
+JOIN host_tags ht ON ht.host_id = h.id
+WHERE ht.tag = $1
+ORDER BY h.created_at DESC;
+
+-- name: InsertHostToken :one
+INSERT INTO host_tokens (id, host_id, created_by, expires_at)
+VALUES ($1, $2, $3, $4)
+RETURNING *;
+
+-- name: MarkHostTokenUsed :exec
+UPDATE host_tokens SET used_at = NOW() WHERE id = $1;
+
+-- name: GetHostTokensByHost :many
+SELECT * FROM host_tokens WHERE host_id = $1 ORDER BY created_at DESC;

db/queries/teams.sql

@@ -15,3 +15,9 @@ SELECT t.* FROM teams t
 JOIN users_teams ut ON ut.team_id = t.id
 WHERE ut.user_id = $1 AND ut.is_default = TRUE
 LIMIT 1;
+
+-- name: SetTeamBYOC :exec
+UPDATE teams SET is_byoc = $2 WHERE id = $1;
+
+-- name: GetBYOCTeams :many
+SELECT * FROM teams WHERE is_byoc = TRUE ORDER BY created_at;

db/queries/users.sql

@@ -13,3 +13,24 @@ SELECT * FROM users WHERE id = $1;
 INSERT INTO users (id, email)
 VALUES ($1, $2)
 RETURNING *;
+
+-- name: SetUserAdmin :exec
+UPDATE users SET is_admin = $2, updated_at = NOW() WHERE id = $1;
+
+-- name: GetAdminUsers :many
+SELECT * FROM users WHERE is_admin = TRUE ORDER BY created_at;
+
+-- name: InsertAdminPermission :exec
+INSERT INTO admin_permissions (id, user_id, permission)
+VALUES ($1, $2, $3);
+
+-- name: DeleteAdminPermission :exec
+DELETE FROM admin_permissions WHERE user_id = $1 AND permission = $2;
+
+-- name: GetAdminPermissions :many
+SELECT * FROM admin_permissions WHERE user_id = $1 ORDER BY permission;
+
+-- name: HasAdminPermission :one
+SELECT EXISTS(
+    SELECT 1 FROM admin_permissions WHERE user_id = $1 AND permission = $2
+) AS has_permission;