feat(db): mesh data model — meshes, members, invites, audit log

- pgSchema "mesh" with 4 tables isolating the peer mesh domain
- Enums: visibility, transport, tier, role
- audit_log is metadata-only (E2E encryption enforced at broker/client)
- Cascade on mesh delete, soft-delete via archivedAt/revokedAt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.github/workflows/ai-review.yml

@@ -0,0 +1,47 @@
+name: CI / AI Review
+
+on:
+  pull_request:
+    types: [opened, reopened, ready_for_review, synchronize]
+  issue_comment:
+jobs:
+  gpt-review:
+    if: ${{ github.event.sender.type != 'Bot' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      issues: write
+      pull-requests: write
+      contents: write
+    steps:
+      - name: 🔍 Review
+        id: ai-review
+        uses: qodo-ai/pr-agent@main
+        env:
+          OPENAI_KEY: ${{ secrets.OPENAI_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          github_action_config.auto_describe: "false"
+
+  claude-review:
+    if: ${{ github.event.sender.type != 'Bot' }}
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read # Required for Claude to read CI results on PRs
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 1
+
+      - name: Run Claude Code
+        id: claude
+        uses: anthropics/claude-code-action@beta
+        with:
+          anthropic_api_key: ${{ secrets.ANTHROPIC_KEY }}
+          additional_permissions: |
+            actions: read

.github/workflows/publish-db.yml

@@ -0,0 +1,30 @@
+name: CI / Publish db
+
+on:
+  workflow_dispatch:
+
+env:
+  NODE_VERSION: 22.x
+
+jobs:
+  db:
+    name: 🚀 Publish database
+    runs-on: ubuntu-latest
+    environment: Production
+    env:
+      DATABASE_URL: ${{ secrets.DATABASE_URL }}
+
+    steps:
+      - name: ✅ Checkout code
+        uses: actions/checkout@v5
+
+      - name: 🔨 Setup
+        uses: ./tooling/github/setup
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: 🔍 Check database
+        run: pnpm --filter @turbostarter/db db:check
+
+      - name: 💨 Migrate!
+        run: pnpm --filter @turbostarter/db db:migrate

.github/workflows/publish-web.yml

@@ -0,0 +1,43 @@
+name: CI / Publish web
+
+on:
+  workflow_dispatch:
+
+env:
+  NODE_VERSION: 22.x
+
+jobs:
+  tests:
+    name: 🧪 Tests
+    secrets: inherit
+    uses: ./.github/workflows/tests.yml
+
+  publish:
+    name: 🚀 Publish web
+    runs-on: ubuntu-latest
+    environment: Production
+    needs: [tests]
+    env:
+      VERCEL_ORG_ID: ${{ secrets.VERCEL_ORG_ID }}
+      VERCEL_PROJECT_ID: ${{ secrets.VERCEL_PROJECT_ID }}
+
+    steps:
+      - name: ✅ Checkout code
+        uses: actions/checkout@v5
+
+      - name: 🔨 Setup
+        uses: ./tooling/github/setup
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: 🔼 Install Vercel CLI
+        run: pnpm install --global vercel@latest
+
+      - name: 💪 Pull environment information
+        run: vercel pull --yes --environment=production --token=${{ secrets.VERCEL_TOKEN }}
+
+      - name: 📦 Build
+        run: vercel build --prod --token=${{ secrets.VERCEL_TOKEN }}
+
+      - name: 💨 Publish!
+        run: vercel deploy --prebuilt --prod --token=${{ secrets.VERCEL_TOKEN }}

.github/workflows/tests.yml

@@ -0,0 +1,47 @@
+name: CI / Tests
+
+on:
+  pull_request:
+    branches: ["*"]
+  push:
+    branches: ["main"]
+  merge_group:
+  workflow_dispatch:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  FORCE_COLOR: "1"
+  NODE_VERSION: 22.x
+  # You can leverage Remote Caching with Turbo to speed up your builds
+  # @link https://turbo.build/repo/docs/guides/ci-vendors/github-actions
+  TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
+  TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+
+jobs:
+  test:
+    name: 🧪 Test
+    runs-on: ubuntu-latest
+    steps:
+      - name: ✅ Checkout code
+        uses: actions/checkout@v5
+
+      - name: 🔨 Setup
+        uses: ./tooling/github/setup
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+
+      - name: 🖌️ Format
+        run: pnpm run format
+
+      - name: 🛻 Lint
+        run: pnpm run lint && pnpm run lint:ws
+
+      - name: 📝 Typecheck
+        run: pnpm run typecheck
+
+      - name: 🧪 Test
+        run: pnpm run test