@realtimex/folio 0.1.2

package/supabase/functions/api-v1-settings/index.ts

@@ -0,0 +1,66 @@
+import { corsHeaders } from "../_shared/cors.ts";
+import { authenticate } from "../_shared/auth.ts";
+
+Deno.serve(async (req: Request) => {
+  if (req.method === "OPTIONS") {
+    return new Response("ok", { headers: corsHeaders });
+  }
+
+  try {
+    const { user, client } = await authenticate(req);
+
+    if (req.method === "GET") {
+      const { data, error } = await client
+        .from("user_settings")
+        .select("*")
+        .eq("user_id", user.id)
+        .maybeSingle();
+
+      if (error) {
+        return Response.json({ error: error.message }, { status: 500, headers: corsHeaders });
+      }
+
+      return Response.json({ settings: data }, { headers: corsHeaders });
+    }
+
+    if (req.method === "PATCH") {
+      const body = await req.json();
+      const rawVisionMap = body.vision_model_capabilities;
+      const payload = {
+        llm_provider: body.llm_provider,
+        llm_model: body.llm_model,
+        sync_interval_minutes: body.sync_interval_minutes,
+        tts_auto_play: body.tts_auto_play,
+        tts_provider: body.tts_provider,
+        tts_voice: body.tts_voice,
+        tts_speed: body.tts_speed,
+        tts_quality: body.tts_quality,
+        embedding_provider: body.embedding_provider,
+        embedding_model: body.embedding_model,
+        storage_path: body.storage_path,
+        vision_model_capabilities: rawVisionMap && typeof rawVisionMap === "object" && !Array.isArray(rawVisionMap)
+          ? rawVisionMap
+          : undefined
+      };
+
+      const { data, error } = await client
+        .from("user_settings")
+        .upsert({ user_id: user.id, ...payload }, { onConflict: "user_id" })
+        .select("*")
+        .single();
+
+      if (error) {
+        return Response.json({ error: error.message }, { status: 500, headers: corsHeaders });
+      }
+
+      return Response.json({ settings: data }, { headers: corsHeaders });
+    }
+
+    return Response.json({ error: "Method not allowed" }, { status: 405, headers: corsHeaders });
+  } catch (error) {
+    return Response.json(
+      { error: error instanceof Error ? error.message : "Unexpected error" },
+      { status: 401, headers: corsHeaders }
+    );
+  }
+});

package/supabase/functions/setup/index.ts

@@ -0,0 +1,91 @@
+import "jsr:@supabase/functions-js/edge-runtime.d.ts";
+import { getAdminClient } from "../_shared/supabaseAdmin.ts";
+import { corsHeaders, createErrorResponse } from "../_shared/cors.ts";
+
+async function createFirstUser(req: Request) {
+    try {
+        const { email, password, first_name, last_name } = await req.json();
+        console.log(`[Setup] Starting setup for ${email}`);
+
+        const supabaseAdmin = getAdminClient();
+
+        // Check if any users exist
+        const { count, error: countError } = await supabaseAdmin
+            .from("profiles")
+            .select("*", { count: "exact", head: true });
+
+        if (countError) {
+            console.error("[Setup] Error checking profiles table:", countError);
+            return createErrorResponse(500, `Database error checking profiles: ${countError.message} (code: ${countError.code})`);
+        }
+
+        console.log(`[Setup] Existing profiles count: ${count}`);
+        if (count && count > 0) {
+            return createErrorResponse(403, "First user already exists");
+        }
+
+        // Create user with admin API
+        console.log("[Setup] Creating admin user...");
+        const { data, error: userError } = await supabaseAdmin.auth.admin.createUser({
+            email,
+            password,
+            email_confirm: true,
+            user_metadata: { first_name, last_name },
+        });
+
+        if (userError || !data?.user) {
+            console.error("[Setup] Error creating auth user:", userError);
+            return createErrorResponse(500, `Failed to create auth user: ${userError?.message || 'Unknown error'}`);
+        }
+
+        console.log(`[Setup] User created successfully: ${data.user.id}. Creating profile...`);
+
+        // Explicitly create profile as admin
+        const { error: profileError } = await supabaseAdmin
+            .from("profiles")
+            .upsert({
+                id: data.user.id,
+                email: data.user.email,
+                first_name: first_name || null,
+                last_name: last_name || null,
+                is_admin: true,
+            }, { onConflict: 'id' });
+
+        if (profileError) {
+            console.error("[Setup] Error creating profile row:", profileError);
+            return createErrorResponse(500, `User created but profile record failed: ${profileError.message} (code: ${profileError.code})`);
+        }
+
+        console.log("[Setup] Setup completed successfully");
+
+        return new Response(
+            JSON.stringify({
+                data: {
+                    id: data.user.id,
+                    email: data.user.email,
+                },
+            }),
+            {
+                headers: { "Content-Type": "application/json", ...corsHeaders },
+            },
+        );
+    } catch (error) {
+        console.error("Unexpected error in createFirstUser:", error);
+        return createErrorResponse(500, `Internal Server Error: ${error instanceof Error ? error.message : 'Unknown error'}`);
+    }
+}
+
+Deno.serve(async (req: Request) => {
+    if (req.method === "OPTIONS") {
+        return new Response(null, {
+            status: 204,
+            headers: corsHeaders,
+        });
+    }
+
+    if (req.method === "POST") {
+        return createFirstUser(req);
+    }
+
+    return createErrorResponse(405, "Method Not Allowed");
+});

package/supabase/migrations/20260223000000_initial_foundation.sql

@@ -0,0 +1,136 @@
+-- Folio foundation schema
+
+create table if not exists public.profiles (
+  id uuid primary key references auth.users(id) on delete cascade,
+  first_name text,
+  last_name text,
+  email text,
+  avatar_url text,
+  is_admin boolean default false,
+  created_at timestamptz default now(),
+  updated_at timestamptz default now()
+);
+
+create table if not exists public.user_settings (
+  id uuid primary key default gen_random_uuid(),
+  user_id uuid not null references auth.users(id) on delete cascade unique,
+  llm_provider text,
+  llm_model text,
+  sync_interval_minutes integer not null default 5 check (sync_interval_minutes >= 1 and sync_interval_minutes <= 60),
+  created_at timestamptz default now(),
+  updated_at timestamptz default now()
+);
+
+create table if not exists public.integrations (
+  id uuid primary key default gen_random_uuid(),
+  user_id uuid not null references auth.users(id) on delete cascade,
+  provider text not null,
+  credentials jsonb not null default '{}'::jsonb,
+  is_enabled boolean not null default true,
+  created_at timestamptz default now(),
+  updated_at timestamptz default now(),
+  unique (user_id, provider)
+);
+
+create table if not exists public.processing_jobs (
+  id uuid primary key default gen_random_uuid(),
+  user_id uuid not null references auth.users(id) on delete cascade,
+  status text not null check (status in ('queued', 'running', 'completed', 'failed')),
+  source_type text not null,
+  payload jsonb not null default '{}'::jsonb,
+  runtime_key text,
+  error_message text,
+  created_at timestamptz default now(),
+  updated_at timestamptz default now()
+);
+
+create table if not exists public.system_logs (
+  id uuid primary key default gen_random_uuid(),
+  user_id uuid references auth.users(id) on delete cascade,
+  level text not null,
+  scope text not null,
+  message text not null,
+  metadata jsonb not null default '{}'::jsonb,
+  created_at timestamptz default now()
+);
+
+alter table public.profiles enable row level security;
+alter table public.user_settings enable row level security;
+alter table public.integrations enable row level security;
+alter table public.processing_jobs enable row level security;
+alter table public.system_logs enable row level security;
+
+create policy "profiles own rows" on public.profiles
+  for all using (auth.uid() = id);
+
+create policy "user_settings own rows" on public.user_settings
+  for all using (auth.uid() = user_id);
+
+create policy "integrations own rows" on public.integrations
+  for all using (auth.uid() = user_id);
+
+create policy "processing_jobs own rows" on public.processing_jobs
+  for all using (auth.uid() = user_id);
+
+create policy "system_logs own rows" on public.system_logs
+  for all using (auth.uid() = user_id);
+
+create index if not exists idx_user_settings_user_id on public.user_settings(user_id);
+create index if not exists idx_integrations_user_id on public.integrations(user_id);
+create index if not exists idx_processing_jobs_user_id on public.processing_jobs(user_id);
+create index if not exists idx_processing_jobs_status on public.processing_jobs(status);
+create index if not exists idx_system_logs_user_id_created_at on public.system_logs(user_id, created_at desc);
+
+create or replace function public.update_updated_at_column()
+returns trigger
+language plpgsql
+as $$
+begin
+  new.updated_at = now();
+  return new;
+end;
+$$;
+
+drop trigger if exists update_profiles_updated_at on public.profiles;
+create trigger update_profiles_updated_at
+before update on public.profiles
+for each row execute function public.update_updated_at_column();
+
+drop trigger if exists update_user_settings_updated_at on public.user_settings;
+create trigger update_user_settings_updated_at
+before update on public.user_settings
+for each row execute function public.update_updated_at_column();
+
+drop trigger if exists update_integrations_updated_at on public.integrations;
+create trigger update_integrations_updated_at
+before update on public.integrations
+for each row execute function public.update_updated_at_column();
+
+drop trigger if exists update_processing_jobs_updated_at on public.processing_jobs;
+create trigger update_processing_jobs_updated_at
+before update on public.processing_jobs
+for each row execute function public.update_updated_at_column();
+
+create or replace function public.handle_new_user()
+returns trigger
+language plpgsql
+security definer
+set search_path = public
+as $$
+begin
+  insert into public.profiles (id, email)
+  values (new.id, new.email)
+  on conflict (id) do nothing;
+
+  insert into public.user_settings (user_id)
+  values (new.id)
+  on conflict (user_id) do nothing;
+
+  return new;
+end;
+$$;
+
+drop trigger if exists on_auth_user_created on auth.users;
+create trigger on_auth_user_created
+after insert on auth.users
+for each row execute procedure public.handle_new_user();

package/supabase/migrations/20260223000001_add_migration_rpc.sql

@@ -0,0 +1,10 @@
+create or replace function public.get_latest_migration_timestamp()
+returns text
+language sql
+security definer
+set search_path = ''
+as $$
+  select max(version) from supabase_migrations.schema_migrations;
+$$;
+
+grant execute on function public.get_latest_migration_timestamp() to anon, authenticated;

package/supabase/migrations/20260224000002_add_init_state_view.sql

@@ -0,0 +1,20 @@
+-- Init-state parity with email-automator, adapted for Folio.
+-- In Folio, user presence is represented by public.profiles.
+
+create or replace view public.init_state
+  with (security_invoker=off)
+  as
+select
+  count(id) as is_initialized
+from
+  (
+    select
+      profiles.id
+    from
+      public.profiles
+    limit
+      1
+  ) sub;
+
+grant usage on schema public to anon, authenticated;
+grant select on public.init_state to anon, authenticated;

package/supabase/migrations/20260224000003_port_user_creation_parity.sql

@@ -0,0 +1,139 @@
+-- Port user creation parity from email-automator (foundation only).
+-- This keeps Folio profile bootstrap synced with auth.users lifecycle.
+
+create or replace function public.handle_new_auth_user()
+returns trigger
+language plpgsql
+security definer
+set search_path = 'pg_catalog', 'public'
+as $$
+declare
+  should_be_admin boolean;
+begin
+  -- Serialize first-user admin assignment to avoid races.
+  perform pg_advisory_xact_lock(602240003);
+
+  select not exists (
+    select 1
+    from public.profiles p
+    where p.is_admin = true
+  )
+  into should_be_admin;
+
+  insert into public.profiles (id, first_name, last_name, email, is_admin)
+  values (
+    new.id,
+    new.raw_user_meta_data ->> 'first_name',
+    new.raw_user_meta_data ->> 'last_name',
+    new.email,
+    should_be_admin
+  )
+  on conflict (id) do update
+  set
+    first_name = coalesce(excluded.first_name, public.profiles.first_name),
+    last_name = coalesce(excluded.last_name, public.profiles.last_name),
+    email = excluded.email,
+    updated_at = now();
+
+  insert into public.user_settings (user_id)
+  values (new.id)
+  on conflict (user_id) do nothing;
+
+  return new;
+end;
+$$;
+
+create or replace function public.handle_update_auth_user()
+returns trigger
+language plpgsql
+security definer
+set search_path = 'pg_catalog', 'public'
+as $$
+begin
+  update public.profiles
+  set
+    first_name = coalesce(new.raw_user_meta_data ->> 'first_name', first_name),
+    last_name = coalesce(new.raw_user_meta_data ->> 'last_name', last_name),
+    email = new.email,
+    updated_at = now()
+  where id = new.id;
+
+  return new;
+end;
+$$;
+
+drop trigger if exists on_auth_user_created on auth.users;
+create trigger on_auth_user_created
+after insert on auth.users
+for each row execute function public.handle_new_auth_user();
+
+drop trigger if exists on_auth_user_updated on auth.users;
+create trigger on_auth_user_updated
+after update on auth.users
+for each row
+when (
+  old.email is distinct from new.email
+  or old.raw_user_meta_data is distinct from new.raw_user_meta_data
+)
+execute function public.handle_update_auth_user();
+
+-- Backfill profiles for existing auth.users rows where trigger might not have run.
+insert into public.profiles (id, first_name, last_name, email, is_admin, created_at, updated_at)
+select
+  u.id,
+  u.raw_user_meta_data ->> 'first_name',
+  u.raw_user_meta_data ->> 'last_name',
+  u.email,
+  false,
+  coalesce(u.created_at, now()),
+  now()
+from auth.users u
+where not exists (
+  select 1
+  from public.profiles p
+  where p.id = u.id
+);
+
+-- Ensure exactly one bootstrap admin exists for legacy projects.
+with admin_candidate as (
+  select p.id
+  from public.profiles p
+  left join auth.users u on u.id = p.id
+  order by coalesce(u.created_at, p.created_at), p.id
+  limit 1
+)
+update public.profiles p
+set
+  is_admin = true,
+  updated_at = now()
+where p.id in (select id from admin_candidate)
+  and not exists (
+    select 1
+    from public.profiles existing_admin
+    where existing_admin.is_admin = true
+  );
+
+-- Keep profile identity fields synchronized for existing users.
+update public.profiles p
+set
+  first_name = coalesce(u.raw_user_meta_data ->> 'first_name', p.first_name),
+  last_name = coalesce(u.raw_user_meta_data ->> 'last_name', p.last_name),
+  email = u.email,
+  updated_at = now()
+from auth.users u
+where u.id = p.id
+  and (
+    p.email is distinct from u.email
+    or p.first_name is distinct from (u.raw_user_meta_data ->> 'first_name')
+    or p.last_name is distinct from (u.raw_user_meta_data ->> 'last_name')
+  );
+
+-- Backfill user_settings for existing users if missing.
+insert into public.user_settings (user_id)
+select u.id
+from auth.users u
+where not exists (
+  select 1
+  from public.user_settings s
+  where s.user_id = u.id
+);

package/supabase/migrations/20260224000004_add_avatars_storage.sql

@@ -0,0 +1,26 @@
+-- Storage bucket for user avatars
+insert into storage.buckets (id, name, public)
+values ('avatars', 'avatars', true)
+on conflict (id) do nothing;
+
+-- RLS policies for avatars bucket
+create policy "Avatar upload" on storage.objects
+  for insert with check (
+    bucket_id = 'avatars' 
+    and (storage.foldername(name))[1] = auth.uid()::text
+  );
+
+create policy "Avatar update" on storage.objects
+  for update with check (
+    bucket_id = 'avatars' 
+    and (storage.foldername(name))[1] = auth.uid()::text
+  );
+
+create policy "Avatar delete" on storage.objects
+  for delete using (
+    bucket_id = 'avatars' 
+    and (storage.foldername(name))[1] = auth.uid()::text
+  );
+
+create policy "Avatar public access" on storage.objects
+  for select using (bucket_id = 'avatars');

package/supabase/migrations/20260224000005_add_tts_and_embed_settings.sql

@@ -0,0 +1,24 @@
+-- Migration: Add TTS and Embedding settings to user_settings
+-- Created: 2026-02-24
+
+-- Add TTS settings
+ALTER TABLE public.user_settings 
+ADD COLUMN IF NOT EXISTS tts_auto_play BOOLEAN DEFAULT false,
+ADD COLUMN IF NOT EXISTS tts_provider TEXT DEFAULT 'piper_local',
+ADD COLUMN IF NOT EXISTS tts_voice TEXT DEFAULT NULL,
+ADD COLUMN IF NOT EXISTS tts_speed NUMERIC DEFAULT 1.0,
+ADD COLUMN IF NOT EXISTS tts_quality INTEGER DEFAULT 10;
+
+-- Add Embedding settings
+ALTER TABLE public.user_settings
+ADD COLUMN IF NOT EXISTS embedding_provider TEXT DEFAULT 'realtimexai',
+ADD COLUMN IF NOT EXISTS embedding_model TEXT DEFAULT 'text-embedding-3-small';
+
+-- Add comments for documentation
+COMMENT ON COLUMN public.user_settings.tts_auto_play IS 'Automatically read AI responses aloud using text-to-speech';
+COMMENT ON COLUMN public.user_settings.tts_provider IS 'TTS provider (piper_local, supertonic_local, etc.)';
+COMMENT ON COLUMN public.user_settings.tts_voice IS 'Voice ID specific to the selected provider';
+COMMENT ON COLUMN public.user_settings.tts_speed IS 'Speech speed (0.5x to 2.0x)';
+COMMENT ON COLUMN public.user_settings.tts_quality IS 'Audio quality/bitrate (1-20, higher = better quality)';
+COMMENT ON COLUMN public.user_settings.embedding_provider IS 'Default embedding provider for RAG and search';
+COMMENT ON COLUMN public.user_settings.embedding_model IS 'Default embedding model name';

package/supabase/migrations/20260224000006_add_policies_table.sql

@@ -0,0 +1,48 @@
+-- Create policies table for user-managed FPE policies
+CREATE TABLE IF NOT EXISTS policies (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id UUID NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+    policy_id TEXT NOT NULL,  -- the metadata.id from the YAML (e.g. "tesla-invoice-handler")
+    metadata JSONB NOT NULL,
+    spec JSONB NOT NULL,
+    enabled BOOLEAN NOT NULL DEFAULT true,
+    priority INTEGER NOT NULL DEFAULT 100,
+    api_version TEXT NOT NULL DEFAULT 'folio/v1',
+    kind TEXT NOT NULL DEFAULT 'Policy',
+    created_at TIMESTAMPTZ DEFAULT NOW(),
+    updated_at TIMESTAMPTZ DEFAULT NOW(),
+    UNIQUE(user_id, policy_id)
+);
+
+-- Enable RLS
+ALTER TABLE policies ENABLE ROW LEVEL SECURITY;
+
+-- Users can only manage their own policies
+CREATE POLICY "Users can read own policies"
+    ON policies FOR SELECT
+    USING (auth.uid() = user_id);
+
+CREATE POLICY "Users can insert own policies"
+    ON policies FOR INSERT
+    WITH CHECK (auth.uid() = user_id);
+
+CREATE POLICY "Users can update own policies"
+    ON policies FOR UPDATE
+    USING (auth.uid() = user_id);
+
+CREATE POLICY "Users can delete own policies"
+    ON policies FOR DELETE
+    USING (auth.uid() = user_id);
+
+-- Auto-update updated_at
+CREATE OR REPLACE FUNCTION update_policies_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = NOW();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER policies_updated_at
+    BEFORE UPDATE ON policies
+    FOR EACH ROW EXECUTE FUNCTION update_policies_updated_at();

package/supabase/migrations/20260224000007_fix_migration_rpc.sql

@@ -0,0 +1,9 @@
+-- Fix get_latest_migration_timestamp() to exclude sentinel/test migrations
+-- Migrations with timestamps >= 29990000000000 are development-only sentinels
+-- and should not influence the migration version comparison logic.
+CREATE OR REPLACE FUNCTION get_latest_migration_timestamp()
+RETURNS text AS $$
+    SELECT max(version)::text
+    FROM supabase_migrations.schema_migrations
+    WHERE version < '29990000000000';
+$$ LANGUAGE sql SECURITY DEFINER;

package/supabase/migrations/20260224000008_add_ingestions_table.sql

@@ -0,0 +1,42 @@
+-- Ingestion log table: tracks every document processed through Folio's Policy Engine
+CREATE TABLE IF NOT EXISTS ingestions (
+    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
+    user_id         uuid NOT NULL REFERENCES auth.users(id) ON DELETE CASCADE,
+    source          text NOT NULL DEFAULT 'upload',   -- 'upload' | 'dropzone' | 'email' | 'url'
+    filename        text NOT NULL,
+    mime_type       text,
+    file_size       bigint,
+    status          text NOT NULL DEFAULT 'pending',  -- 'pending' | 'processing' | 'matched' | 'no_match' | 'error'
+    policy_id       text,                             -- matched policy id (nullable)
+    policy_name     text,                             -- denormalised for display
+    extracted       jsonb DEFAULT '{}'::jsonb,        -- key/value pairs extracted by FPE
+    actions_taken   jsonb DEFAULT '[]'::jsonb,        -- list of actions executed
+    error_message   text,
+    storage_path    text,                             -- supabase storage path (if file stored)
+    created_at      timestamptz NOT NULL DEFAULT now(),
+    updated_at      timestamptz NOT NULL DEFAULT now()
+);
+
+-- Index for per-user list queries
+CREATE INDEX IF NOT EXISTS ingestions_user_id_idx ON ingestions(user_id, created_at DESC);
+
+-- RLS
+ALTER TABLE ingestions ENABLE ROW LEVEL SECURITY;
+
+CREATE POLICY "Users can manage their own ingestions"
+    ON ingestions FOR ALL
+    USING (auth.uid() = user_id)
+    WITH CHECK (auth.uid() = user_id);
+
+-- updated_at trigger
+CREATE OR REPLACE FUNCTION update_ingestions_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+    NEW.updated_at = now();
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+CREATE TRIGGER ingestions_updated_at
+    BEFORE UPDATE ON ingestions
+    FOR EACH ROW EXECUTE FUNCTION update_ingestions_updated_at();