lbedner
diff --git a/‎CLAUDE.md‎
Lines changed: 1 addition & 1 deletion b/‎CLAUDE.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aegis/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎aegis/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎aegis/core/migration_generator.py‎
Lines changed: 78 additions & 1 deletion b/‎aegis/core/migration_generator.py‎
Lines changed: 78 additions & 1 deletion
diff --git a/‎aegis/core/post_gen_tasks.py‎
Lines changed: 1 addition & 0 deletions b/‎aegis/core/post_gen_tasks.py‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/migrate_fix.py.jinja‎
Lines changed: 2 additions & 2 deletions b/‎aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/migrate_fix.py.jinja‎
Lines changed: 2 additions & 2 deletions
@@ -32,7 +32,7 @@ Each generated project includes:
 
 ## Installation
 
-**Current Version**: 0.6.7
+**Current Version**: 0.6.8rc1
 
 ```bash
 pip install aegis-stack
 
@@ -2,4 +2,4 @@
 Aegis Stack CLI - Component generation and project management tools.
 """
 
-__version__ = "0.6.7"
+__version__ = "0.6.8rc1"
@@ -101,6 +101,10 @@ class ServiceMigrationSpec:
                 ),
                 ColumnSpec("hashed_password", "sa.String()", nullable=False),
                 ColumnSpec("last_login", "sa.DateTime()", nullable=True),
+                ColumnSpec(
+                    "failed_login_attempts", "sa.Integer()", nullable=False, default="0"
+                ),
+                ColumnSpec("locked_until", "sa.DateTime()", nullable=True),
                 ColumnSpec("created_at", "sa.DateTime()", nullable=False),
                 ColumnSpec("updated_at", "sa.DateTime()", nullable=True),
             ],
@@ -138,7 +142,10 @@ class ServiceMigrationSpec:
                 ColumnSpec("created_at", "sa.DateTime()", nullable=False),
                 ColumnSpec("updated_at", "sa.DateTime()", nullable=True),
             ],
-            indexes=[IndexSpec("ix_organization_slug", ["slug"], unique=True)],
+            indexes=[
+                IndexSpec("ix_organization_name", ["name"]),
+                IndexSpec("ix_organization_slug", ["slug"], unique=True),
+            ],
         ),
         TableSpec(
             name="organization_member",
@@ -169,6 +176,30 @@ class ServiceMigrationSpec:
                 ForeignKeySpec(["user_id"], "user", ["id"]),
             ],
         ),
+        TableSpec(
+            name="org_invite",
+            columns=[
+                ColumnSpec("id", "sa.Integer()", nullable=False, primary_key=True),
+                ColumnSpec("organization_id", "sa.Integer()", nullable=False),
+                ColumnSpec("email", "sa.String()", nullable=False),
+                ColumnSpec("role", "sa.String()", nullable=False, default="'member'"),
+                ColumnSpec("invited_by", "sa.Integer()", nullable=False),
+                ColumnSpec(
+                    "status", "sa.String()", nullable=False, default="'pending'"
+                ),
+                ColumnSpec("token", "sa.String()", nullable=False),
+                ColumnSpec("created_at", "sa.DateTime()", nullable=False),
+            ],
+            indexes=[
+                IndexSpec("ix_org_invite_email", ["email"]),
+                IndexSpec("ix_org_invite_org_id", ["organization_id"]),
+                IndexSpec("ix_org_invite_token", ["token"], unique=True),
+            ],
+            foreign_keys=[
+                ForeignKeySpec(["organization_id"], "organization", ["id"]),
+                ForeignKeySpec(["invited_by"], "user", ["id"]),
+            ],
+        ),
     ],
 )
 
@@ -378,6 +409,47 @@ class ServiceMigrationSpec:
     ],
 )
 
+AUTH_TOKENS_MIGRATION = ServiceMigrationSpec(
+    service_name="auth_tokens",
+    description="Auth token tables (password reset, email verification)",
+    tables=[
+        TableSpec(
+            name="password_reset_token",
+            columns=[
+                ColumnSpec("id", "sa.Integer()", nullable=False, primary_key=True),
+                ColumnSpec("user_id", "sa.Integer()", nullable=False),
+                ColumnSpec("token", "sa.String()", nullable=False),
+                ColumnSpec("created_at", "sa.DateTime()", nullable=False),
+                ColumnSpec("used", "sa.Boolean()", nullable=False, default="'false'"),
+            ],
+            indexes=[
+                IndexSpec("ix_password_reset_token_user_id", ["user_id"]),
+                IndexSpec("ix_password_reset_token_token", ["token"], unique=True),
+            ],
+            foreign_keys=[
+                ForeignKeySpec(["user_id"], "user", ["id"]),
+            ],
+        ),
+        TableSpec(
+            name="email_verification_token",
+            columns=[
+                ColumnSpec("id", "sa.Integer()", nullable=False, primary_key=True),
+                ColumnSpec("user_id", "sa.Integer()", nullable=False),
+                ColumnSpec("token", "sa.String()", nullable=False),
+                ColumnSpec("created_at", "sa.DateTime()", nullable=False),
+                ColumnSpec("used", "sa.Boolean()", nullable=False, default="'false'"),
+            ],
+            indexes=[
+                IndexSpec("ix_email_verification_token_user_id", ["user_id"]),
+                IndexSpec("ix_email_verification_token_token", ["token"], unique=True),
+            ],
+            foreign_keys=[
+                ForeignKeySpec(["user_id"], "user", ["id"]),
+            ],
+        ),
+    ],
+)
+
 VOICE_MIGRATION = ServiceMigrationSpec(
     service_name="ai_voice",
     description="AI voice service table (TTS and STT usage tracking)",
@@ -442,6 +514,7 @@ class ServiceMigrationSpec:
     "auth": AUTH_MIGRATION,
     "auth_rbac": AUTH_RBAC_MIGRATION,
     "auth_org": ORG_MIGRATION,
+    "auth_tokens": AUTH_TOKENS_MIGRATION,
     "ai": AI_MIGRATION,
     "ai_voice": VOICE_MIGRATION,
 }
@@ -767,6 +840,10 @@ def get_services_needing_migrations(context: dict[str, Any]) -> list[str]:
     if include_auth == "yes" or include_auth is True:
         services.append("auth")
 
+    # Auth token tables (password reset, email verification) - always with auth
+    if include_auth == "yes" or include_auth is True:
+        services.append("auth_tokens")
+
     # Auth RBAC columns (rbac or org level)
     include_auth_rbac = context.get("include_auth_rbac")
     auth_level = context.get("auth_level")
 
@@ -444,6 +444,7 @@ def _rename_backend_files(suffix: str) -> set[str]:
         remove_file(project_path, "app/models/org.py")
         remove_file(project_path, "app/services/auth/org_service.py")
         remove_file(project_path, "app/services/auth/membership_service.py")
+        remove_file(project_path, "app/services/auth/invite_service.py")
         remove_dir(project_path, "app/components/backend/api/orgs")
         remove_file(
             project_path,
 
@@ -23,10 +23,10 @@ from app.i18n import t
 
 {% if include_auth %}
 # Import models to register with SQLModel metadata
-from app.models.user import User  # noqa: F401
+from app.models.user import User, PasswordResetToken, EmailVerificationToken  # noqa: F401
 {% endif %}
 {% if include_auth_org %}
-from app.models.org import Organization, OrganizationMember  # noqa: F401
+from app.models.org import Organization, OrganizationMember, OrgInvite  # noqa: F401
 {% endif %}