diff --git a/internal/store/types.go b/internal/store/types.go
index 762bee7..88758e4 100644
--- a/internal/store/types.go
+++ b/internal/store/types.go
@@ -9,12 +9,15 @@ import (
 
 // User mirrors the users table.
 type User struct {
-	ID           string
-	Username     string
-	PasswordHash string
-	Role         Role
-	CreatedAt    time.Time
-	LastLoginAt  *time.Time
+	ID                 string
+	Username           string
+	PasswordHash       string
+	Role               Role
+	Email              *string    // optional; nil = not set
+	DisabledAt         *time.Time // nil = enabled
+	MustChangePassword bool
+	CreatedAt          time.Time
+	LastLoginAt        *time.Time
 }
 
 // Role enumerates the access tiers from spec.md §7.2.
@@ -219,3 +222,14 @@ type AuditEntry struct {
 	TS         time.Time
 	Payload    json.RawMessage
 }
+
+// SetupToken mirrors the user_setup_tokens table. The raw token
+// itself is never stored; the field shown here is the sha256 hex
+// digest of the raw token, which is what callers compare against.
+type SetupToken struct {
+	UserID    string
+	TokenHash string
+	ExpiresAt time.Time
+	CreatedAt time.Time
+	CreatedBy *string // admin user id; nil only after CASCADE SET NULL
+}