feat: onboarding pre-work

backend/src/features/admin/migrations/001_create_admin_users.sql

@@ -18,10 +18,8 @@ CREATE INDEX IF NOT EXISTS idx_admin_users_created_at ON admin_users(created_at)
 -- Create index on revoked_at for active admin queries
 CREATE INDEX IF NOT EXISTS idx_admin_users_revoked_at ON admin_users(revoked_at);
 
--- Seed initial admin user (idempotent)
-INSERT INTO admin_users (auth0_sub, email, role, created_by)
-VALUES ('system|bootstrap', 'admin@motovaultpro.com', 'admin', 'system')
-ON CONFLICT (auth0_sub) DO NOTHING;
+-- Note: Initial admin user is created via `make create-admin` command
+-- This allows for dynamic email/password configuration on fresh deployments
 
 -- Create update trigger function (if not exists)
 DO $$

backend/src/features/user-profile/api/user-profile.controller.ts

@@ -157,12 +157,11 @@ export class UserProfileController {
         });
       }
 
-      const { password, confirmationText } = validation.data;
+      const { confirmationText } = validation.data;
 
-      // Request deletion
+      // Request deletion (user is already authenticated via JWT)
       const profile = await this.userProfileService.requestDeletion(
         auth0Sub,
-        password,
         confirmationText
       );
 
@@ -178,13 +177,6 @@ export class UserProfileController {
         userId: request.userContext?.userId,
       });
 
-      if (error.message.includes('Invalid password')) {
-        return reply.code(401).send({
-          error: 'Unauthorized',
-          message: 'Invalid password',
-        });
-      }
-
       if (error.message.includes('Invalid confirmation')) {
         return reply.code(400).send({
           error: 'Bad Request',

backend/src/features/user-profile/api/user-profile.validation.ts

@@ -18,7 +18,6 @@ export const updateProfileSchema = z.object({
 export type UpdateProfileInput = z.infer<typeof updateProfileSchema>;
 
 export const requestDeletionSchema = z.object({
-  password: z.string().min(1, 'Password is required'),
   confirmationText: z.string().refine((val) => val === 'DELETE', {
     message: 'Confirmation text must be exactly "DELETE"',
   }),

backend/src/features/user-profile/domain/user-profile.service.ts

@@ -328,12 +328,12 @@ export class UserProfileService {
   // ============================================
 
   /**
-   * Request account deletion with password verification
+   * Request account deletion
    * Sets 30-day grace period before permanent deletion
+   * Note: User is already authenticated via JWT, confirmation text is sufficient
    */
   async requestDeletion(
     auth0Sub: string,
-    password: string,
     confirmationText: string
   ): Promise<UserProfile> {
     try {
@@ -353,12 +353,6 @@ export class UserProfileService {
         throw new Error('Deletion already requested');
       }
 
-      // Verify password with Auth0
-      const passwordValid = await auth0ManagementClient.verifyPassword(profile.email, password);
-      if (!passwordValid) {
-        throw new Error('Invalid password');
-      }
-
       // Request deletion
       const updatedProfile = await this.repository.requestDeletion(auth0Sub);