feat(db): Phase 1 — DB-Schema, goose-Migrations, GORM-Models

Initialer Schema-Set (8 Migrationen, 13 Tabellen) für EdgeGuard v1:
users + audit_log + system_settings, ha_nodes, backends/domains/
routing_rules/tls_certs, forward_proxy_acls, wireguard_peers,
firewall_rules, dns_zones/dns_records, licenses. Migrations liegen
in internal/database/migrations/ (analog mail-gateway) und werden
per //go:embed ins Binary gepackt — keine separate SQL-Dateien im
.deb. ValidateMigrations + Test schützen vor Duplicate-Versionen
(mail-gateway 2026-05-08-Vorfall). GORM-Models für alle Tabellen,
sensible Felder (password_hash, private_key_enc) sind json:"-".

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

internal/database/db.go

@@ -0,0 +1,188 @@
+// Package database owns the PostgreSQL connection pool and migration
+// runner for edgeguard-api.
+//
+// All routes read and write through a *pgxpool.Pool (jackc/pgx v5).
+// GORM (in internal/models) is used for struct tags / query convenience
+// against the same DSN; the schema itself is owned by goose
+// (// +goose Up/Down files in migrations/).
+package database
+
+import (
+	"context"
+	"embed"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/jackc/pgx/v5/pgxpool"
+	"github.com/pressly/goose/v3"
+
+	_ "github.com/jackc/pgx/v5/stdlib" // register "pgx" driver for goose
+)
+
+//go:embed migrations/*.sql
+var embeddedMigrations embed.FS
+
+// ConnStringFromEnv returns the DSN for edgeguard-api. Priority:
+//
+//  1. EDGEGUARD_DB_URL as a full libpq/pgx URL or key=value DSN
+//  2. /etc/edgeguard/api.env line "EDGEGUARD_DB_URL=..."
+//  3. default: unix-socket peer auth against db "edgeguard"
+//
+// The default matches the layout edgeguard-ctl initdb sets up
+// (see docs/architecture.md §6).
+func ConnStringFromEnv() string {
+	if v := os.Getenv("EDGEGUARD_DB_URL"); v != "" {
+		return v
+	}
+	if data, err := os.ReadFile("/etc/edgeguard/api.env"); err == nil {
+		for _, line := range strings.Split(string(data), "\n") {
+			line = strings.TrimSpace(line)
+			if strings.HasPrefix(line, "EDGEGUARD_DB_URL=") {
+				return strings.TrimSpace(strings.TrimPrefix(line, "EDGEGUARD_DB_URL="))
+			}
+		}
+	}
+	return "host=/var/run/postgresql dbname=edgeguard sslmode=disable"
+}
+
+// Open constructs a pool and pings the server. Never returns a pool
+// that failed its initial ping.
+func Open(ctx context.Context, dsn string) (*pgxpool.Pool, error) {
+	if dsn == "" {
+		return nil, errors.New("empty DSN")
+	}
+	cfg, err := pgxpool.ParseConfig(dsn)
+	if err != nil {
+		return nil, fmt.Errorf("parse DSN: %w", err)
+	}
+	if cfg.MaxConns == 0 {
+		cfg.MaxConns = 10
+	}
+	cfg.MaxConnLifetime = 30 * time.Minute
+
+	pool, err := pgxpool.NewWithConfig(ctx, cfg)
+	if err != nil {
+		return nil, fmt.Errorf("open pool: %w", err)
+	}
+	pingCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+	if err := pool.Ping(pingCtx); err != nil {
+		pool.Close()
+		return nil, fmt.Errorf("ping: %w", err)
+	}
+	return pool, nil
+}
+
+// Migrate runs goose `up` with the embedded migrations. Pass an empty
+// dsnOverride to use ConnStringFromEnv().
+//
+// Pre-flight ValidateMigrations runs first so a duplicate version
+// number fails with a clear message instead of goose's panic deep in
+// migrate.go (mail-gateway 2026-05-08 incident).
+func Migrate(ctx context.Context, dsnOverride string) error {
+	if err := ValidateMigrations(); err != nil {
+		return err
+	}
+	dsn := dsnOverride
+	if dsn == "" {
+		dsn = ConnStringFromEnv()
+	}
+	db, err := goose.OpenDBWithDriver("pgx", dsn)
+	if err != nil {
+		return fmt.Errorf("open db for migrate: %w", err)
+	}
+	defer db.Close()
+
+	goose.SetBaseFS(embeddedMigrations)
+	if err := goose.SetDialect("postgres"); err != nil {
+		return err
+	}
+	return goose.RunContext(ctx, "up", db, "migrations")
+}
+
+// MigrateDown rolls back the most recent migration. Used in tests and
+// development; production is forward-only.
+func MigrateDown(ctx context.Context, dsnOverride string) error {
+	dsn := dsnOverride
+	if dsn == "" {
+		dsn = ConnStringFromEnv()
+	}
+	db, err := goose.OpenDBWithDriver("pgx", dsn)
+	if err != nil {
+		return err
+	}
+	defer db.Close()
+	goose.SetBaseFS(embeddedMigrations)
+	if err := goose.SetDialect("postgres"); err != nil {
+		return err
+	}
+	return goose.RunContext(ctx, "down", db, "migrations")
+}
+
+// ValidateMigrations checks the embedded migration files for duplicate
+// version prefixes. Called from Migrate() (runtime), from
+// `edgeguard-ctl migrate check` (postinst pre-flight), and from
+// TestEmbeddedMigrationsUnique (CI gate).
+func ValidateMigrations() error {
+	entries, err := embeddedMigrations.ReadDir("migrations")
+	if err != nil {
+		return fmt.Errorf("read embedded migrations: %w", err)
+	}
+	versionToFile := map[int64]string{}
+	versionRe := regexp.MustCompile(`^(\d+)_[^/]+\.sql$`)
+	var problems []string
+	for _, e := range entries {
+		if e.IsDir() || !strings.HasSuffix(e.Name(), ".sql") {
+			continue
+		}
+		m := versionRe.FindStringSubmatch(e.Name())
+		if m == nil {
+			problems = append(problems, fmt.Sprintf("%s: filename does not match <version>_<name>.sql", e.Name()))
+			continue
+		}
+		v, err := strconv.ParseInt(m[1], 10, 64)
+		if err != nil {
+			problems = append(problems, fmt.Sprintf("%s: version is not an integer", e.Name()))
+			continue
+		}
+		if existing, dup := versionToFile[v]; dup {
+			problems = append(problems, fmt.Sprintf(
+				"duplicate migration version %d: %s and %s",
+				v, existing, e.Name()))
+			continue
+		}
+		versionToFile[v] = e.Name()
+	}
+	if len(problems) > 0 {
+		return fmt.Errorf("migration validation failed:\n  %s", strings.Join(problems, "\n  "))
+	}
+	return nil
+}
+
+// CopyEmbeddedMigrationsTo writes the embedded SQL files to dst. Used
+// by edgeguard-ctl to dump the embedded set for manual inspection.
+func CopyEmbeddedMigrationsTo(dst string) error {
+	if err := os.MkdirAll(dst, 0o755); err != nil {
+		return err
+	}
+	entries, err := embeddedMigrations.ReadDir("migrations")
+	if err != nil {
+		return err
+	}
+	for _, e := range entries {
+		data, err := embeddedMigrations.ReadFile(filepath.ToSlash(filepath.Join("migrations", e.Name())))
+		if err != nil {
+			return err
+		}
+		if err := os.WriteFile(filepath.Join(dst, e.Name()), data, 0o644); err != nil {
+			return err
+		}
+	}
+	return nil
+}

internal/database/migrations/0001_init.sql

@@ -0,0 +1,56 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Admin users (analog enconf admin_users). Auth is JWT-based; password
+-- is bcrypt'd via golang.org/x/crypto/bcrypt. role is a free-form
+-- text column today (only "admin" exists in v1) so future RBAC roles
+-- can be added without a CHECK-constraint migration.
+CREATE TABLE IF NOT EXISTS users (
+    id            BIGSERIAL PRIMARY KEY,
+    email         TEXT NOT NULL,
+    password_hash TEXT NOT NULL,
+    role          TEXT NOT NULL DEFAULT 'admin',
+    active        BOOLEAN NOT NULL DEFAULT TRUE,
+    last_login_at TIMESTAMPTZ,
+    created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT users_email_unique UNIQUE (email)
+);
+
+CREATE INDEX IF NOT EXISTS idx_users_active ON users (active) WHERE active;
+
+-- Append-only audit trail. Every config change, login, license event,
+-- upgrade trigger gets an entry. detail is freeform JSONB so each
+-- handler can attach whatever context is meaningful (e.g. diff of the
+-- domain row, apt versions before/after, cluster-join token hash).
+CREATE TABLE IF NOT EXISTS audit_log (
+    id         BIGSERIAL PRIMARY KEY,
+    actor      TEXT NOT NULL,
+    action     TEXT NOT NULL,
+    subject    TEXT,
+    detail     JSONB,
+    node_id    TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_audit_log_created_at ON audit_log (created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_audit_log_subject    ON audit_log (subject);
+CREATE INDEX IF NOT EXISTS idx_audit_log_action     ON audit_log (action);
+
+-- Global key/value config. Avoids one-row tables for things like
+-- cluster FQDN, ACME contact e-mail, default WireGuard listen port.
+-- value is TEXT — JSON encoding is on the caller if needed.
+CREATE TABLE IF NOT EXISTS system_settings (
+    key        TEXT PRIMARY KEY,
+    value      TEXT NOT NULL,
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS system_settings;
+DROP TABLE IF EXISTS audit_log;
+DROP TABLE IF EXISTS users;
+-- +goose StatementEnd

internal/database/migrations/0002_cluster.sql

@@ -0,0 +1,35 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Cluster peers. Populated by edgeguard-ctl cluster-join. Used by:
+--   * internal/proxy → resolve current PG primary URL (also via KeyDB)
+--   * internal/aggregator → fan-out reads to peer APIs
+--   * internal/unbound → generate eg.cluster local-zone records
+--   * internal/firewall → open peer-internal ports per IP
+--
+-- id is a stable UUID (not BIGSERIAL) so a node keeps its identity
+-- across re-joins / re-images. fqdn is the externally addressable
+-- name; api_url is its 9443 endpoint via mTLS.
+CREATE TABLE IF NOT EXISTS ha_nodes (
+    id          TEXT PRIMARY KEY,
+    name        TEXT NOT NULL,
+    fqdn        TEXT NOT NULL,
+    api_url     TEXT NOT NULL,
+    public_ip   INET,
+    internal_ip INET,
+    role        TEXT NOT NULL DEFAULT 'peer',
+    last_seen   TIMESTAMPTZ,
+    joined_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    created_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at  TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT ha_nodes_fqdn_unique UNIQUE (fqdn)
+);
+
+CREATE INDEX IF NOT EXISTS idx_ha_nodes_last_seen ON ha_nodes (last_seen DESC);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS ha_nodes;
+-- +goose StatementEnd

internal/database/migrations/0003_http_frontend.sql

@@ -0,0 +1,88 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Upstream backends (target servers behind the reverse-proxy).
+CREATE TABLE IF NOT EXISTS backends (
+    id                 BIGSERIAL PRIMARY KEY,
+    name               TEXT NOT NULL,
+    scheme             TEXT NOT NULL DEFAULT 'http',
+    address            TEXT NOT NULL,
+    port               INTEGER NOT NULL,
+    health_check_path  TEXT,
+    active             BOOLEAN NOT NULL DEFAULT TRUE,
+    created_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at         TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT backends_name_unique UNIQUE (name),
+    CONSTRAINT backends_scheme_check CHECK (scheme IN ('http', 'https')),
+    CONSTRAINT backends_port_check   CHECK (port > 0 AND port < 65536)
+);
+
+CREATE INDEX IF NOT EXISTS idx_backends_active ON backends (active) WHERE active;
+
+-- Public-facing domains. primary_backend_id is the default upstream
+-- when no path-rule matches.
+CREATE TABLE IF NOT EXISTS domains (
+    id                  BIGSERIAL PRIMARY KEY,
+    name                TEXT NOT NULL,
+    active              BOOLEAN NOT NULL DEFAULT TRUE,
+    primary_backend_id  BIGINT REFERENCES backends(id) ON DELETE SET NULL,
+    http_to_https       BOOLEAN NOT NULL DEFAULT TRUE,
+    hsts_enabled        BOOLEAN NOT NULL DEFAULT FALSE,
+    notes               TEXT,
+    created_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at          TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT domains_name_unique UNIQUE (name)
+);
+
+CREATE INDEX IF NOT EXISTS idx_domains_active ON domains (active) WHERE active;
+
+-- Path-based routing rules. Higher priority wins; ties broken by id.
+CREATE TABLE IF NOT EXISTS routing_rules (
+    id           BIGSERIAL PRIMARY KEY,
+    domain_id    BIGINT NOT NULL REFERENCES domains(id) ON DELETE CASCADE,
+    path_prefix  TEXT NOT NULL DEFAULT '/',
+    backend_id   BIGINT NOT NULL REFERENCES backends(id) ON DELETE RESTRICT,
+    priority     INTEGER NOT NULL DEFAULT 100,
+    active       BOOLEAN NOT NULL DEFAULT TRUE,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_routing_rules_domain   ON routing_rules (domain_id);
+CREATE INDEX IF NOT EXISTS idx_routing_rules_priority ON routing_rules (domain_id, priority DESC);
+
+-- ACME-managed TLS certificates. status mirrors certbot's view:
+--   pending  — issue requested, not yet completed
+--   active   — issued, currently deployed
+--   renewing — renewal in progress
+--   expired  — past not_after, awaiting cleanup
+--   error    — last attempt failed (see audit_log for detail)
+CREATE TABLE IF NOT EXISTS tls_certs (
+    id               BIGSERIAL PRIMARY KEY,
+    domain           TEXT NOT NULL,
+    issuer           TEXT NOT NULL DEFAULT 'letsencrypt',
+    status           TEXT NOT NULL DEFAULT 'pending',
+    cert_path        TEXT,
+    key_path         TEXT,
+    not_before       TIMESTAMPTZ,
+    not_after        TIMESTAMPTZ,
+    last_renewed_at  TIMESTAMPTZ,
+    last_error       TEXT,
+    created_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at       TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT tls_certs_domain_unique UNIQUE (domain),
+    CONSTRAINT tls_certs_status_check  CHECK (status IN ('pending', 'active', 'renewing', 'expired', 'error'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_tls_certs_not_after ON tls_certs (not_after);
+CREATE INDEX IF NOT EXISTS idx_tls_certs_status   ON tls_certs (status);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS tls_certs;
+DROP TABLE IF EXISTS routing_rules;
+DROP TABLE IF EXISTS domains;
+DROP TABLE IF EXISTS backends;
+-- +goose StatementEnd

internal/database/migrations/0004_forward_proxy.sql

@@ -0,0 +1,32 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Squid forward-proxy ACL entries. Generator merges all active rows
+-- into /etc/edgeguard/squid/squid.conf via internal/squid templates.
+--
+-- acl_type matches squid's vocabulary: src, dst, dstdomain, port,
+-- proto, time, url_regex, urlpath_regex, ...
+-- action is allow|deny.
+CREATE TABLE IF NOT EXISTS forward_proxy_acls (
+    id         BIGSERIAL PRIMARY KEY,
+    name       TEXT NOT NULL,
+    acl_type   TEXT NOT NULL,
+    value      TEXT NOT NULL,
+    action     TEXT NOT NULL,
+    priority   INTEGER NOT NULL DEFAULT 100,
+    active     BOOLEAN NOT NULL DEFAULT TRUE,
+    comment    TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT forward_proxy_acls_action_check CHECK (action IN ('allow', 'deny'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_priority ON forward_proxy_acls (priority DESC);
+CREATE INDEX IF NOT EXISTS idx_forward_proxy_acls_active   ON forward_proxy_acls (active) WHERE active;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS forward_proxy_acls;
+-- +goose StatementEnd

internal/database/migrations/0005_wireguard.sql

@@ -0,0 +1,41 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- WireGuard peers. v1 uses Option A (shared server identity, see
+-- docs/architecture.md §8.1) — the local server peer is row 1, type
+-- 'server'; remote site-to-site peers and road-warrior clients are
+-- separate rows.
+--
+-- private_key_enc holds the encrypted server private key (NULL for
+-- non-server rows); decryption key lives in /var/lib/edgeguard/.wg_key
+-- (mode 0600). Never logged.
+CREATE TABLE IF NOT EXISTS wireguard_peers (
+    id                    BIGSERIAL PRIMARY KEY,
+    name                  TEXT NOT NULL,
+    peer_type             TEXT NOT NULL,
+    public_key            TEXT NOT NULL,
+    private_key_enc       TEXT,
+    preshared_key_enc     TEXT,
+    allowed_ips           TEXT NOT NULL,
+    endpoint              TEXT,
+    listen_port           INTEGER,
+    persistent_keepalive  INTEGER,
+    last_handshake_at     TIMESTAMPTZ,
+    active                BOOLEAN NOT NULL DEFAULT TRUE,
+    notes                 TEXT,
+    created_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at            TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT wireguard_peers_name_unique     UNIQUE (name),
+    CONSTRAINT wireguard_peers_pubkey_unique   UNIQUE (public_key),
+    CONSTRAINT wireguard_peers_type_check      CHECK (peer_type IN ('server', 's2s', 'roadwarrior'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_wireguard_peers_active ON wireguard_peers (active) WHERE active;
+CREATE INDEX IF NOT EXISTS idx_wireguard_peers_type   ON wireguard_peers (peer_type);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS wireguard_peers;
+-- +goose StatementEnd

internal/database/migrations/0006_firewall.sql

@@ -0,0 +1,35 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- nftables custom rules. Generator merges these into the ruleset
+-- emitted by internal/firewall on top of the base inet edgeguard
+-- table. v1 has no CrowdSec/threat_intel sets (see architecture.md
+-- §8 — those entries entfallen ohne IDS/IPS).
+--
+-- chain examples: input, forward, output, prerouting, postrouting.
+-- match is the literal nft expression body, e.g.
+--   "tcp dport 22 ip saddr 10.0.0.0/8"
+-- action: accept | drop | reject | masquerade | dnat | snat
+CREATE TABLE IF NOT EXISTS firewall_rules (
+    id         BIGSERIAL PRIMARY KEY,
+    chain      TEXT NOT NULL,
+    priority   INTEGER NOT NULL DEFAULT 100,
+    match_expr TEXT NOT NULL,
+    action     TEXT NOT NULL,
+    comment    TEXT,
+    active     BOOLEAN NOT NULL DEFAULT TRUE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT firewall_rules_chain_check  CHECK (chain IN ('input', 'forward', 'output', 'prerouting', 'postrouting')),
+    CONSTRAINT firewall_rules_action_check CHECK (action IN ('accept', 'drop', 'reject', 'masquerade', 'dnat', 'snat'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_firewall_rules_chain    ON firewall_rules (chain, priority);
+CREATE INDEX IF NOT EXISTS idx_firewall_rules_active   ON firewall_rules (active) WHERE active;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS firewall_rules;
+-- +goose StatementEnd

internal/database/migrations/0007_dns.sql

@@ -0,0 +1,47 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- Unbound zones. zone_type 'local' = local-data records served
+-- authoritatively (e.g. eg.cluster). 'forward' = stub-zone forwarded
+-- to a specific upstream. The eg.cluster zone is auto-managed by
+-- internal/cluster; user-defined zones land here too.
+CREATE TABLE IF NOT EXISTS dns_zones (
+    id           BIGSERIAL PRIMARY KEY,
+    name         TEXT NOT NULL,
+    zone_type    TEXT NOT NULL DEFAULT 'local',
+    description  TEXT,
+    managed_by   TEXT NOT NULL DEFAULT 'user',
+    active       BOOLEAN NOT NULL DEFAULT TRUE,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT dns_zones_name_unique  UNIQUE (name),
+    CONSTRAINT dns_zones_type_check   CHECK (zone_type IN ('local', 'forward'))
+);
+
+-- DNS records. record_type matches RFC 1035 / RFC 3596 mnemonics
+-- (A, AAAA, CNAME, TXT, MX, SRV, ...). value is the record's RDATA in
+-- text form (priority + value for MX/SRV are concatenated, e.g.
+-- "10 mail.example.com").
+CREATE TABLE IF NOT EXISTS dns_records (
+    id           BIGSERIAL PRIMARY KEY,
+    zone_id      BIGINT NOT NULL REFERENCES dns_zones(id) ON DELETE CASCADE,
+    name         TEXT NOT NULL,
+    record_type  TEXT NOT NULL,
+    value        TEXT NOT NULL,
+    ttl          INTEGER NOT NULL DEFAULT 300,
+    active       BOOLEAN NOT NULL DEFAULT TRUE,
+    created_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at   TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT dns_records_type_check CHECK (record_type IN ('A', 'AAAA', 'CNAME', 'TXT', 'MX', 'SRV', 'NS', 'PTR', 'CAA'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_dns_records_zone   ON dns_records (zone_id);
+CREATE INDEX IF NOT EXISTS idx_dns_records_active ON dns_records (active) WHERE active;
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS dns_records;
+DROP TABLE IF EXISTS dns_zones;
+-- +goose StatementEnd

internal/database/migrations/0008_licenses.sql

@@ -0,0 +1,38 @@
+-- +goose Up
+-- +goose StatementBegin
+
+-- License state cache. The license-leader (KeyDB-locked, see
+-- architecture.md §12.1) calls https://license.netcell-it.com and
+-- mirrors the result here. Every node reads from this table for its
+-- "is the license valid?" check; the KeyDB key cluster:license-status
+-- is just the in-flight TTL cache layered on top.
+--
+-- payload holds the verbatim verify-response (limits, feature flags,
+-- expiry). active_domains_at_verify is the value that was sent to the
+-- license server — kept for audit / re-issue (so we can prove what
+-- we reported on a given day).
+CREATE TABLE IF NOT EXISTS licenses (
+    id                       BIGSERIAL PRIMARY KEY,
+    license_key              TEXT NOT NULL,
+    status                   TEXT NOT NULL,
+    valid_until              TIMESTAMPTZ,
+    last_verified_at         TIMESTAMPTZ,
+    last_verified_node       TEXT,
+    active_domains_at_verify INTEGER,
+    payload                  JSONB,
+    last_error               TEXT,
+    created_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at               TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    CONSTRAINT licenses_key_unique    UNIQUE (license_key),
+    CONSTRAINT licenses_status_check  CHECK (status IN ('trial', 'active', 'expired', 'invalid', 'unknown'))
+);
+
+CREATE INDEX IF NOT EXISTS idx_licenses_valid_until ON licenses (valid_until);
+CREATE INDEX IF NOT EXISTS idx_licenses_status      ON licenses (status);
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+DROP TABLE IF EXISTS licenses;
+-- +goose StatementEnd

internal/database/migrations_unique_test.go

@@ -0,0 +1,19 @@
+package database
+
+import "testing"
+
+// TestEmbeddedMigrationsUnique guards against duplicate migration
+// version prefixes. mail-gateway hit this on 2026-05-08 when two
+// parallel agents both committed a 0092_*.sql; goose panicked at
+// startup, the API restart-looped, the cluster rolling-upgrade hung.
+//
+// Cheap assertion that runs as part of `go test ./...` — fails the
+// build before `make deb` ever produces an artefact, so the bad
+// version never reaches the APT registry. Same logic also runs at
+// service start via Migrate() and via `edgeguard-ctl migrate check`
+// in postinst (defense in depth).
+func TestEmbeddedMigrationsUnique(t *testing.T) {
+	if err := ValidateMigrations(); err != nil {
+		t.Fatalf("embedded migrations failed validation: %v", err)
+	}
+}