feat(identity): add Atlas migrations and schema loader (#1342)

* feat(identity): add Atlas migrations and schema loader for identity service

- Create services/identity/atlas/atlas.hcl with local, ci, and production
  environments pointing to the identity migrations directory
- Create services/identity/migrations/20260302000001_initial.sql with
  identity, role_assignment, and invitation tables, CHECK constraints for
  status enums, and a partial unique index enforcing one active role per
  identity per role type
- Run atlas migrate hash to generate atlas.sum integrity file
- Update utilities/atlas-loader to support --schema=identity, loading
  IdentityEntity, RoleAssignmentEntity, and InvitationEntity

* feat(identity): register identity service database in migration runner

Add identity service entry to ServiceDatabases mapping so that the
migration runner can provision meridian_identity database and apply
the initial schema migration.

* fix(identity): add foreign key constraints to role_assignment and invitation tables

Add FK constraints from role_assignment(identity_id, granted_by, revoked_by) and
invitation(identity_id, invited_by) referencing identity(id) to enforce
referential integrity at the database level. Uses ON DELETE RESTRICT to prevent
orphaned records when an identity is deleted.

---------

Co-authored-by: Ben Coombs <bjcoombs@users.noreply.github.com>

Author: bjcoombs

internal/migrations/runner.go

@@ -69,6 +69,7 @@ var ServiceDatabases = map[string]ServiceDatabase{
 	"tenant":               {Database: "meridian_platform", User: "meridian_platform_user", Password: ""},
 	"current-account":      {Database: "meridian_current_account", User: "meridian_current_account_user", Password: ""},
 	"financial-accounting": {Database: "meridian_financial_accounting", User: "meridian_financial_accounting_user", Password: ""},
+	"identity":             {Database: "meridian_identity", User: "meridian_identity_user", Password: ""},
 	"position-keeping":     {Database: "meridian_position_keeping", User: "meridian_position_keeping_user", Password: ""},
 	"payment-order":        {Database: "meridian_payment_order", User: "meridian_payment_order_user", Password: ""},
 	"party":                {Database: "meridian_party", User: "meridian_party_user", Password: ""},

services/identity/atlas/atlas.hcl

@@ -0,0 +1,77 @@
+// Atlas configuration for Identity Service
+// Manages platform identities (user accounts), role assignments, and invitations
+// Uses database-per-service architecture with unqualified table names
+//
+// Multi-tenant support:
+// - Migrations use unqualified table names (no schema prefix)
+// - For multi-org mode: search_path routes to organization schemas (org_{tenant_id})
+// - For local development: uses default public schema in service-specific database
+
+data "external_schema" "gorm" {
+  program = [
+    "go",
+    "run",
+    "-mod=mod",
+    "./utilities/atlas-loader",
+    "--schema=identity"
+  ]
+}
+
+env "local" {
+  // Service-specific migration directory
+  migration {
+    dir = "file://services/identity/migrations"
+  }
+
+  // Dev database - uses default public schema
+  dev = "docker://postgres/16/dev"
+
+  // Source schema from GORM models via external loader
+  src = data.external_schema.gorm.url
+
+  // Lint configuration to catch dangerous changes
+  lint {
+    destructive {
+      error = true
+    }
+    data_depend {
+      error = true
+    }
+    incompatible {
+      error = true
+    }
+  }
+}
+
+env "ci" {
+  migration {
+    dir = "file://services/identity/migrations"
+  }
+
+  dev = "docker://postgres/16/dev"
+
+  src = data.external_schema.gorm.url
+
+  lint {
+    destructive {
+      error = true
+    }
+    data_depend {
+      error = true
+    }
+    incompatible {
+      error = true
+    }
+  }
+}
+
+env "production" {
+  // Production environment - apply only, never diff
+  // URL points to service-specific database (meridian_identity)
+  // For multi-org: URL includes search_path for org schema
+  url = getenv("DATABASE_URL")
+
+  migration {
+    dir = "file://services/identity/migrations"
+  }
+}

services/identity/migrations/20260302000001_initial.sql

@@ -0,0 +1,66 @@
+-- Identity Service Schema
+-- Uses UNQUALIFIED table names to support multi-organization routing via search_path.
+-- For local dev: search_path routes to default schema
+-- For multi-org: org schemas created by provisioning, search_path routes to org schema
+
+-- Create "identity" table (singular, unqualified - uses search_path for schema routing)
+CREATE TABLE "identity" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "email" character varying(255) NOT NULL,
+  "status" character varying(30) NOT NULL DEFAULT 'PENDING_INVITE',
+  "password_hash" character varying(255) NOT NULL DEFAULT '',
+  "external_idp" character varying(100) NOT NULL DEFAULT '',
+  "external_sub" character varying(255) NOT NULL DEFAULT '',
+  "failed_attempts" bigint NOT NULL DEFAULT 0,
+  "version" bigint NOT NULL DEFAULT 1,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  "deleted_at" timestamptz NULL,
+  PRIMARY KEY ("id"),
+  CONSTRAINT "chk_identity_status" CHECK (status IN ('PENDING_INVITE', 'ACTIVE', 'SUSPENDED', 'LOCKED'))
+);
+-- Indexes for identity
+CREATE UNIQUE INDEX "idx_identity_email" ON "identity" ("email") WHERE (deleted_at IS NULL);
+CREATE INDEX "idx_identity_deleted_at" ON "identity" ("deleted_at");
+
+-- Create "role_assignment" table
+CREATE TABLE "role_assignment" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "identity_id" uuid NOT NULL,
+  "granted_by" uuid NOT NULL,
+  "role" character varying(50) NOT NULL,
+  "expires_at" timestamptz NULL,
+  "revoked_at" timestamptz NULL,
+  "revoked_by" uuid NULL,
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "chk_role_assignment_role" CHECK (role IN ('VIEWER', 'OPERATOR', 'ADMIN', 'TENANT_OWNER', 'PLATFORM')),
+  CONSTRAINT "fk_role_assignment_identity" FOREIGN KEY ("identity_id") REFERENCES "identity" ("id") ON UPDATE NO ACTION ON DELETE RESTRICT,
+  CONSTRAINT "fk_role_assignment_granted_by" FOREIGN KEY ("granted_by") REFERENCES "identity" ("id") ON UPDATE NO ACTION ON DELETE RESTRICT,
+  CONSTRAINT "fk_role_assignment_revoked_by" FOREIGN KEY ("revoked_by") REFERENCES "identity" ("id") ON UPDATE NO ACTION ON DELETE RESTRICT
+);
+-- Indexes for role_assignment
+CREATE INDEX "idx_role_assignment_identity" ON "role_assignment" ("identity_id");
+-- Partial unique index enforces one active role per (identity, role) pair.
+-- CockroachDB: partial index on existing columns in a separate statement is safe.
+CREATE UNIQUE INDEX "idx_role_assignment_active" ON "role_assignment" ("identity_id", "role") WHERE (revoked_at IS NULL);
+
+-- Create "invitation" table
+CREATE TABLE "invitation" (
+  "id" uuid NOT NULL DEFAULT gen_random_uuid(),
+  "identity_id" uuid NOT NULL,
+  "invited_by" uuid NOT NULL,
+  "token_hash" character varying(64) NOT NULL,
+  "expires_at" timestamptz NOT NULL,
+  "status" character varying(20) NOT NULL DEFAULT 'PENDING',
+  "created_at" timestamptz NOT NULL DEFAULT now(),
+  "updated_at" timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("id"),
+  CONSTRAINT "chk_invitation_status" CHECK (status IN ('PENDING', 'ACCEPTED')),
+  CONSTRAINT "fk_invitation_identity" FOREIGN KEY ("identity_id") REFERENCES "identity" ("id") ON UPDATE NO ACTION ON DELETE RESTRICT,
+  CONSTRAINT "fk_invitation_invited_by" FOREIGN KEY ("invited_by") REFERENCES "identity" ("id") ON UPDATE NO ACTION ON DELETE RESTRICT
+);
+-- Indexes for invitation
+CREATE INDEX "idx_invitation_identity" ON "invitation" ("identity_id");
+CREATE UNIQUE INDEX "idx_invitation_token_hash" ON "invitation" ("token_hash");

services/identity/migrations/atlas.sum

@@ -0,0 +1,2 @@
+h1:Tn/5cytIH9dlz3yIx//SIVmDVeh83jHJ9Z5V1R7Jz+w=
+20260302000001_initial.sql h1:SsQN4cGTrm/6qs12GD9YXoSO6QyKTIpNZrM+4rRBWJA=

utilities/atlas-loader/main.go

@@ -10,6 +10,7 @@ import (
 	"ariga.io/atlas-provider-gorm/gormschema"
 	capersistence "github.com/meridianhub/meridian/services/current-account/adapters/persistence"
 	fapersistence "github.com/meridianhub/meridian/services/financial-accounting/adapters/persistence"
+	identitypersistence "github.com/meridianhub/meridian/services/identity/adapters/persistence"
 	partypersistence "github.com/meridianhub/meridian/services/party/adapters/persistence"
 	popersistence "github.com/meridianhub/meridian/services/payment-order/adapters/persistence"
 	tenantpersistence "github.com/meridianhub/meridian/services/tenant/adapters/persistence"
@@ -23,14 +24,15 @@ const (
 	schemaCurrentAccount      = "current_account"
 	schemaPositionKeeping     = "position_keeping"
 	schemaFinancialAccounting = "financial_accounting"
+	schemaIdentity            = "identity"
 	schemaParty               = "party"
 	schemaPaymentOrder        = "payment_order"
 	schemaPlatform            = "platform"
 )
 
 func main() {
 	// Parse schema filter flag
-	schemaFilter := flag.String("schema", "", "Filter models by schema (current_account, position_keeping, financial_accounting, party, payment_order, platform)")
+	schemaFilter := flag.String("schema", "", "Filter models by schema (current_account, position_keeping, financial_accounting, identity, party, payment_order, platform)")
 	flag.Parse()
 
 	// Determine which models to load based on schema filter
@@ -63,6 +65,13 @@ func main() {
 			&fapersistence.FinancialBookingLogEntity{},
 			&fapersistence.LedgerPostingEntity{},
 		}
+	case schemaIdentity:
+		// Identity service for platform user accounts, roles, and invitations
+		modelList = []interface{}{
+			&identitypersistence.IdentityEntity{},
+			&identitypersistence.RoleAssignmentEntity{},
+			&identitypersistence.InvitationEntity{},
+		}
 	case schemaParty:
 		// Party service for customer/organization identity management
 		modelList = []interface{}{