refactor: restructure repository with separate backend and frontend directories

- Move Java backend to backend/ directory
- Create frontend/ directory for TypeScript TUI and future WebUI
- Update .gitignore for Node.js and worktrees
- Update README.md with new repository structure
- Copy documentation to backend/

backend/src/main/resources/db/changelog/changes/001-create-user-management-schema.xml

@@ -0,0 +1,112 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+
+    <changeSet id="001-create-roles-table" author="effigenix">
+        <createTable tableName="roles">
+            <column name="id" type="VARCHAR(36)">
+                <constraints primaryKey="true" nullable="false"/>
+            </column>
+            <column name="name" type="VARCHAR(50)">
+                <constraints nullable="false" unique="true"/>
+            </column>
+            <column name="description" type="VARCHAR(500)"/>
+        </createTable>
+        <createIndex tableName="roles" indexName="idx_roles_name">
+            <column name="name"/>
+        </createIndex>
+        <sql>
+            ALTER TABLE roles ADD CONSTRAINT chk_role_name CHECK (name IN (
+                'ADMIN', 'PRODUCTION_MANAGER', 'PRODUCTION_WORKER',
+                'QUALITY_MANAGER', 'QUALITY_INSPECTOR', 'PROCUREMENT_MANAGER',
+                'WAREHOUSE_WORKER', 'SALES_MANAGER', 'SALES_STAFF'
+            ));
+        </sql>
+    </changeSet>
+
+    <changeSet id="001-create-role-permissions-table" author="effigenix">
+        <createTable tableName="role_permissions">
+            <column name="role_id" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="permission" type="VARCHAR(100)">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+        <addPrimaryKey tableName="role_permissions" columnNames="role_id, permission"/>
+        <addForeignKeyConstraint baseTableName="role_permissions" baseColumnNames="role_id"
+                                 referencedTableName="roles" referencedColumnNames="id"
+                                 constraintName="fk_role_permissions_role" onDelete="CASCADE"/>
+        <createIndex tableName="role_permissions" indexName="idx_role_permissions_role_id">
+            <column name="role_id"/>
+        </createIndex>
+    </changeSet>
+
+    <changeSet id="001-create-users-table" author="effigenix">
+        <createTable tableName="users">
+            <column name="id" type="VARCHAR(36)">
+                <constraints primaryKey="true" nullable="false"/>
+            </column>
+            <column name="username" type="VARCHAR(100)">
+                <constraints nullable="false" unique="true"/>
+            </column>
+            <column name="email" type="VARCHAR(255)">
+                <constraints nullable="false" unique="true"/>
+            </column>
+            <column name="password_hash" type="VARCHAR(60)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="branch_id" type="VARCHAR(36)"/>
+            <column name="status" type="VARCHAR(20)" defaultValue="ACTIVE">
+                <constraints nullable="false"/>
+            </column>
+            <column name="created_at" type="TIMESTAMP" defaultValueComputed="CURRENT_TIMESTAMP">
+                <constraints nullable="false"/>
+            </column>
+            <column name="last_login" type="TIMESTAMP"/>
+        </createTable>
+        <sql>
+            ALTER TABLE users ADD CONSTRAINT chk_user_status CHECK (status IN ('ACTIVE', 'INACTIVE', 'LOCKED'));
+        </sql>
+        <createIndex tableName="users" indexName="idx_users_username">
+            <column name="username"/>
+        </createIndex>
+        <createIndex tableName="users" indexName="idx_users_email">
+            <column name="email"/>
+        </createIndex>
+        <createIndex tableName="users" indexName="idx_users_branch_id">
+            <column name="branch_id"/>
+        </createIndex>
+        <createIndex tableName="users" indexName="idx_users_status">
+            <column name="status"/>
+        </createIndex>
+    </changeSet>
+
+    <changeSet id="001-create-user-roles-table" author="effigenix">
+        <createTable tableName="user_roles">
+            <column name="user_id" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="role_id" type="VARCHAR(36)">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+        <addPrimaryKey tableName="user_roles" columnNames="user_id, role_id"/>
+        <addForeignKeyConstraint baseTableName="user_roles" baseColumnNames="user_id"
+                                 referencedTableName="users" referencedColumnNames="id"
+                                 constraintName="fk_user_roles_user" onDelete="CASCADE"/>
+        <addForeignKeyConstraint baseTableName="user_roles" baseColumnNames="role_id"
+                                 referencedTableName="roles" referencedColumnNames="id"
+                                 constraintName="fk_user_roles_role" onDelete="CASCADE"/>
+        <createIndex tableName="user_roles" indexName="idx_user_roles_user_id">
+            <column name="user_id"/>
+        </createIndex>
+        <createIndex tableName="user_roles" indexName="idx_user_roles_role_id">
+            <column name="role_id"/>
+        </createIndex>
+    </changeSet>
+
+</databaseChangeLog>

backend/src/main/resources/db/changelog/changes/002-seed-roles-and-permissions.sql

@@ -0,0 +1,348 @@
+-- ==================== Seed Data: Roles and Permissions ====================
+-- Loads the 8 predefined roles with their permissions for the Effigenix ERP system.
+--
+-- Roles:
+-- 1. ADMIN - System Administrator (full access)
+-- 2. PRODUCTION_MANAGER - Manages production recipes, batches, and orders
+-- 3. PRODUCTION_WORKER - Executes production tasks
+-- 4. QUALITY_MANAGER - HACCP compliance and quality assurance
+-- 5. QUALITY_INSPECTOR - Quality inspections and measurements
+-- 6. PROCUREMENT_MANAGER - Manages purchasing and suppliers
+-- 7. WAREHOUSE_WORKER - Manages inventory and stock
+-- 8. SALES_MANAGER - Manages sales orders and customers
+-- 9. SALES_STAFF - Creates sales orders
+--
+-- Database: PostgreSQL
+-- Liquibase Changeset: 002
+-- ==================== ==================== ====================
+
+-- ==================== 1. ADMIN Role ====================
+-- System Administrator - full access to all features across all bounded contexts
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000001',
+    'ADMIN',
+    'System Administrator with full access to all features and all bounded contexts'
+);
+
+-- ADMIN Permissions: ALL permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Production BC
+    ('c0a80121-0000-0000-0000-000000000001', 'RECIPE_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'RECIPE_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'RECIPE_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BATCH_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BATCH_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BATCH_COMPLETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BATCH_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'PRODUCTION_ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'PRODUCTION_ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'PRODUCTION_ORDER_DELETE'),
+    -- Quality BC
+    ('c0a80121-0000-0000-0000-000000000001', 'HACCP_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'HACCP_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'TEMPERATURE_LOG_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'TEMPERATURE_LOG_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'CLEANING_RECORD_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'CLEANING_RECORD_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'GOODS_INSPECTION_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'GOODS_INSPECTION_WRITE'),
+    -- Inventory BC
+    ('c0a80121-0000-0000-0000-000000000001', 'STOCK_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'STOCK_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'STOCK_MOVEMENT_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'STOCK_MOVEMENT_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'INVENTORY_COUNT_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'INVENTORY_COUNT_WRITE'),
+    -- Procurement BC
+    ('c0a80121-0000-0000-0000-000000000001', 'PURCHASE_ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'PURCHASE_ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'PURCHASE_ORDER_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'GOODS_RECEIPT_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'GOODS_RECEIPT_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'SUPPLIER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'SUPPLIER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'SUPPLIER_DELETE'),
+    -- Sales BC
+    ('c0a80121-0000-0000-0000-000000000001', 'ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ORDER_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'INVOICE_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'INVOICE_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'INVOICE_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'CUSTOMER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'CUSTOMER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'CUSTOMER_DELETE'),
+    -- Labeling BC
+    ('c0a80121-0000-0000-0000-000000000001', 'LABEL_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'LABEL_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'LABEL_PRINT'),
+    -- Filiales BC
+    ('c0a80121-0000-0000-0000-000000000001', 'BRANCH_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BRANCH_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'BRANCH_DELETE'),
+    -- User Management BC
+    ('c0a80121-0000-0000-0000-000000000001', 'USER_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'USER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'USER_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'USER_LOCK'),
+    ('c0a80121-0000-0000-0000-000000000001', 'USER_UNLOCK'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ROLE_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ROLE_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ROLE_ASSIGN'),
+    ('c0a80121-0000-0000-0000-000000000001', 'ROLE_REMOVE'),
+    -- Reporting BC
+    ('c0a80121-0000-0000-0000-000000000001', 'REPORT_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'REPORT_GENERATE'),
+    -- Notifications BC
+    ('c0a80121-0000-0000-0000-000000000001', 'NOTIFICATION_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'NOTIFICATION_SEND'),
+    -- System
+    ('c0a80121-0000-0000-0000-000000000001', 'AUDIT_LOG_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'SYSTEM_SETTINGS_READ'),
+    ('c0a80121-0000-0000-0000-000000000001', 'SYSTEM_SETTINGS_WRITE');
+
+
+-- ==================== 2. PRODUCTION_MANAGER Role ====================
+-- Manages recipes, batches, and production orders
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000002',
+    'PRODUCTION_MANAGER',
+    'Manages production recipes, batches, and production orders. Can read stock levels.'
+);
+
+-- PRODUCTION_MANAGER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Production BC - Full access
+    ('c0a80121-0000-0000-0000-000000000002', 'RECIPE_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'RECIPE_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'RECIPE_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'BATCH_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'BATCH_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'BATCH_COMPLETE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'BATCH_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'PRODUCTION_ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'PRODUCTION_ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000002', 'PRODUCTION_ORDER_DELETE'),
+    -- Inventory BC - Read-only access to stock
+    ('c0a80121-0000-0000-0000-000000000002', 'STOCK_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'STOCK_MOVEMENT_READ'),
+    -- Quality BC - Read access to quality records
+    ('c0a80121-0000-0000-0000-000000000002', 'HACCP_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'TEMPERATURE_LOG_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'CLEANING_RECORD_READ'),
+    -- Reporting
+    ('c0a80121-0000-0000-0000-000000000002', 'REPORT_READ'),
+    ('c0a80121-0000-0000-0000-000000000002', 'REPORT_GENERATE');
+
+
+-- ==================== 3. PRODUCTION_WORKER Role ====================
+-- Executes recipes and creates batches
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000003',
+    'PRODUCTION_WORKER',
+    'Executes production recipes and creates batches. Can complete batches and view production orders.'
+);
+
+-- PRODUCTION_WORKER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Production BC - Execution permissions
+    ('c0a80121-0000-0000-0000-000000000003', 'RECIPE_READ'),
+    ('c0a80121-0000-0000-0000-000000000003', 'BATCH_READ'),
+    ('c0a80121-0000-0000-0000-000000000003', 'BATCH_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000003', 'BATCH_COMPLETE'),
+    ('c0a80121-0000-0000-0000-000000000003', 'PRODUCTION_ORDER_READ'),
+    -- Inventory BC - Read-only access to stock
+    ('c0a80121-0000-0000-0000-000000000003', 'STOCK_READ'),
+    -- Labeling BC - Print labels
+    ('c0a80121-0000-0000-0000-000000000003', 'LABEL_READ'),
+    ('c0a80121-0000-0000-0000-000000000003', 'LABEL_PRINT');
+
+
+-- ==================== 4. QUALITY_MANAGER Role ====================
+-- HACCP compliance and quality assurance
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000004',
+    'QUALITY_MANAGER',
+    'Manages HACCP compliance, quality assurance, and quality inspections.'
+);
+
+-- QUALITY_MANAGER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Quality BC - Full access
+    ('c0a80121-0000-0000-0000-000000000004', 'HACCP_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'HACCP_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000004', 'TEMPERATURE_LOG_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'TEMPERATURE_LOG_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000004', 'CLEANING_RECORD_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'CLEANING_RECORD_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000004', 'GOODS_INSPECTION_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'GOODS_INSPECTION_WRITE'),
+    -- Production BC - Read access to batches and recipes
+    ('c0a80121-0000-0000-0000-000000000004', 'RECIPE_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'BATCH_READ'),
+    -- Inventory BC - Read access to stock
+    ('c0a80121-0000-0000-0000-000000000004', 'STOCK_READ'),
+    -- Procurement BC - Read access to goods receipts
+    ('c0a80121-0000-0000-0000-000000000004', 'GOODS_RECEIPT_READ'),
+    -- Reporting
+    ('c0a80121-0000-0000-0000-000000000004', 'REPORT_READ'),
+    ('c0a80121-0000-0000-0000-000000000004', 'REPORT_GENERATE');
+
+
+-- ==================== 5. QUALITY_INSPECTOR Role ====================
+-- Quality inspections and measurements
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000005',
+    'QUALITY_INSPECTOR',
+    'Performs quality inspections, records temperature logs and cleaning records.'
+);
+
+-- QUALITY_INSPECTOR Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Quality BC - Inspection and logging permissions
+    ('c0a80121-0000-0000-0000-000000000005', 'TEMPERATURE_LOG_READ'),
+    ('c0a80121-0000-0000-0000-000000000005', 'TEMPERATURE_LOG_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000005', 'CLEANING_RECORD_READ'),
+    ('c0a80121-0000-0000-0000-000000000005', 'GOODS_INSPECTION_READ'),
+    ('c0a80121-0000-0000-0000-000000000005', 'GOODS_INSPECTION_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000005', 'HACCP_READ'),
+    -- Production BC - Read access to batches
+    ('c0a80121-0000-0000-0000-000000000005', 'BATCH_READ'),
+    -- Inventory BC - Read access to stock
+    ('c0a80121-0000-0000-0000-000000000005', 'STOCK_READ');
+
+
+-- ==================== 6. PROCUREMENT_MANAGER Role ====================
+-- Manages purchasing and suppliers
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000006',
+    'PROCUREMENT_MANAGER',
+    'Manages purchase orders, goods receipts, and supplier relationships.'
+);
+
+-- PROCUREMENT_MANAGER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Procurement BC - Full access
+    ('c0a80121-0000-0000-0000-000000000006', 'PURCHASE_ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000006', 'PURCHASE_ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000006', 'PURCHASE_ORDER_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000006', 'GOODS_RECEIPT_READ'),
+    ('c0a80121-0000-0000-0000-000000000006', 'GOODS_RECEIPT_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000006', 'SUPPLIER_READ'),
+    ('c0a80121-0000-0000-0000-000000000006', 'SUPPLIER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000006', 'SUPPLIER_DELETE'),
+    -- Inventory BC - Read access to stock
+    ('c0a80121-0000-0000-0000-000000000006', 'STOCK_READ'),
+    ('c0a80121-0000-0000-0000-000000000006', 'STOCK_MOVEMENT_READ'),
+    -- Quality BC - Access to goods inspections
+    ('c0a80121-0000-0000-0000-000000000006', 'GOODS_INSPECTION_READ'),
+    -- Reporting
+    ('c0a80121-0000-0000-0000-000000000006', 'REPORT_READ'),
+    ('c0a80121-0000-0000-0000-000000000006', 'REPORT_GENERATE');
+
+
+-- ==================== 7. WAREHOUSE_WORKER Role ====================
+-- Manages inventory and stock
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000007',
+    'WAREHOUSE_WORKER',
+    'Manages inventory, stock movements, and inventory counts.'
+);
+
+-- WAREHOUSE_WORKER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Inventory BC - Full access
+    ('c0a80121-0000-0000-0000-000000000007', 'STOCK_READ'),
+    ('c0a80121-0000-0000-0000-000000000007', 'STOCK_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000007', 'STOCK_MOVEMENT_READ'),
+    ('c0a80121-0000-0000-0000-000000000007', 'STOCK_MOVEMENT_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000007', 'INVENTORY_COUNT_READ'),
+    ('c0a80121-0000-0000-0000-000000000007', 'INVENTORY_COUNT_WRITE'),
+    -- Procurement BC - Goods receipt access
+    ('c0a80121-0000-0000-0000-000000000007', 'GOODS_RECEIPT_READ'),
+    ('c0a80121-0000-0000-0000-000000000007', 'GOODS_RECEIPT_WRITE'),
+    -- Sales BC - Read access to orders
+    ('c0a80121-0000-0000-0000-000000000007', 'ORDER_READ'),
+    -- Labeling BC - Print labels
+    ('c0a80121-0000-0000-0000-000000000007', 'LABEL_READ'),
+    ('c0a80121-0000-0000-0000-000000000007', 'LABEL_PRINT');
+
+
+-- ==================== 8. SALES_MANAGER Role ====================
+-- Manages sales orders and customers
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000008',
+    'SALES_MANAGER',
+    'Manages sales orders, invoices, and customer relationships.'
+);
+
+-- SALES_MANAGER Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Sales BC - Full access
+    ('c0a80121-0000-0000-0000-000000000008', 'ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000008', 'ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000008', 'ORDER_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000008', 'INVOICE_READ'),
+    ('c0a80121-0000-0000-0000-000000000008', 'INVOICE_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000008', 'INVOICE_DELETE'),
+    ('c0a80121-0000-0000-0000-000000000008', 'CUSTOMER_READ'),
+    ('c0a80121-0000-0000-0000-000000000008', 'CUSTOMER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000008', 'CUSTOMER_DELETE'),
+    -- Inventory BC - Read access to stock
+    ('c0a80121-0000-0000-0000-000000000008', 'STOCK_READ'),
+    ('c0a80121-0000-0000-0000-000000000008', 'STOCK_MOVEMENT_READ'),
+    -- Production BC - Read access to batches
+    ('c0a80121-0000-0000-0000-000000000008', 'BATCH_READ'),
+    -- Reporting
+    ('c0a80121-0000-0000-0000-000000000008', 'REPORT_READ'),
+    ('c0a80121-0000-0000-0000-000000000008', 'REPORT_GENERATE');
+
+
+-- ==================== 9. SALES_STAFF Role ====================
+-- Creates sales orders and views customers
+
+INSERT INTO roles (id, name, description)
+VALUES (
+    'c0a80121-0000-0000-0000-000000000009',
+    'SALES_STAFF',
+    'Creates and manages sales orders, views customer information and stock levels.'
+);
+
+-- SALES_STAFF Permissions
+INSERT INTO role_permissions (role_id, permission) VALUES
+    -- Sales BC - Order management
+    ('c0a80121-0000-0000-0000-000000000009', 'ORDER_READ'),
+    ('c0a80121-0000-0000-0000-000000000009', 'ORDER_WRITE'),
+    ('c0a80121-0000-0000-0000-000000000009', 'CUSTOMER_READ'),
+    -- Inventory BC - Read access to stock
+    ('c0a80121-0000-0000-0000-000000000009', 'STOCK_READ'),
+    -- Production BC - Read access to batches
+    ('c0a80121-0000-0000-0000-000000000009', 'BATCH_READ');
+
+
+-- ==================== Verification Queries ====================
+-- Run these queries to verify the seed data was loaded correctly:
+--
+-- SELECT COUNT(*) FROM roles;                    -- Should be 9
+-- SELECT COUNT(*) FROM role_permissions;         -- Should be ~200+
+-- SELECT name, COUNT(*) as permission_count
+-- FROM roles r
+-- JOIN role_permissions rp ON r.id = rp.role_id
+-- GROUP BY name
+-- ORDER BY name;

backend/src/main/resources/db/changelog/changes/002-seed-roles-and-permissions.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+
+    <changeSet id="002-seed-roles-and-permissions" author="effigenix">
+        <sqlFile path="db/changelog/changes/002-seed-roles-and-permissions.sql"
+                 splitStatements="true"
+                 stripComments="true"/>
+    </changeSet>
+
+</databaseChangeLog>

backend/src/main/resources/db/changelog/changes/003-create-audit-logs-table.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+
+    <changeSet id="003-create-audit-logs-table" author="effigenix">
+        <createTable tableName="audit_logs">
+            <column name="id" type="VARCHAR(36)">
+                <constraints primaryKey="true" nullable="false"/>
+            </column>
+            <column name="event" type="VARCHAR(100)">
+                <constraints nullable="false"/>
+            </column>
+            <column name="entity_id" type="VARCHAR(36)"/>
+            <column name="performed_by" type="VARCHAR(36)"/>
+            <column name="details" type="VARCHAR(2000)"/>
+            <column name="timestamp" type="TIMESTAMP">
+                <constraints nullable="false"/>
+            </column>
+            <column name="ip_address" type="VARCHAR(45)"/>
+            <column name="user_agent" type="VARCHAR(500)"/>
+            <column name="created_at" type="TIMESTAMP" defaultValueComputed="CURRENT_TIMESTAMP">
+                <constraints nullable="false"/>
+            </column>
+        </createTable>
+        <createIndex tableName="audit_logs" indexName="idx_audit_event">
+            <column name="event"/>
+        </createIndex>
+        <createIndex tableName="audit_logs" indexName="idx_audit_actor">
+            <column name="performed_by"/>
+        </createIndex>
+        <createIndex tableName="audit_logs" indexName="idx_audit_timestamp">
+            <column name="timestamp"/>
+        </createIndex>
+        <createIndex tableName="audit_logs" indexName="idx_audit_entity">
+            <column name="entity_id"/>
+        </createIndex>
+        <createIndex tableName="audit_logs" indexName="idx_audit_created_at">
+            <column name="created_at"/>
+        </createIndex>
+    </changeSet>
+
+</databaseChangeLog>

backend/src/main/resources/db/changelog/changes/004-seed-admin-user.sql

@@ -0,0 +1,26 @@
+-- Seed Admin User for initial system access
+-- Username: admin
+-- Password: admin123
+-- BCrypt hash with strength 12
+
+-- Insert Admin User
+INSERT INTO users (id, username, email, password_hash, branch_id, status, created_at, last_login)
+VALUES (
+    '00000000-0000-0000-0000-000000000001',  -- Fixed UUID for admin
+    'admin',
+    'admin@effigenix.com',
+    '$2a$12$LQv3c1yqBWVHxkd0LHAkCOYz6TtxMQJqhN8/LewY5GyYKKHFw3zqm',  -- BCrypt hash for "admin123"
+    NULL,  -- No branch = global access
+    'ACTIVE',
+    CURRENT_TIMESTAMP,
+    NULL
+);
+
+-- Assign ADMIN role to admin user
+INSERT INTO user_roles (user_id, role_id)
+SELECT '00000000-0000-0000-0000-000000000001', id
+FROM roles
+WHERE name = 'ADMIN';
+
+-- Add comment
+COMMENT ON TABLE users IS 'Default admin user: username=admin, password=admin123 (CHANGE IN PRODUCTION!)';

backend/src/main/resources/db/changelog/changes/004-seed-admin-user.xml

@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+
+    <changeSet id="004-seed-admin-user" author="effigenix">
+        <sqlFile path="db/changelog/changes/004-seed-admin-user.sql"
+                 splitStatements="true"
+                 stripComments="true"/>
+    </changeSet>
+
+</databaseChangeLog>

backend/src/main/resources/db/changelog/db.changelog-master.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<databaseChangeLog
+        xmlns="http://www.liquibase.org/xml/ns/dbchangelog"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="http://www.liquibase.org/xml/ns/dbchangelog
+        http://www.liquibase.org/xml/ns/dbchangelog/dbchangelog-latest.xsd">
+
+    <include file="db/changelog/changes/001-create-user-management-schema.xml"/>
+    <include file="db/changelog/changes/002-seed-roles-and-permissions.xml"/>
+    <include file="db/changelog/changes/003-create-audit-logs-table.xml"/>
+    <include file="db/changelog/changes/004-seed-admin-user.xml"/>
+
+</databaseChangeLog>