insforge 0.3.1

package/docker-init/db/db-init.sql

@@ -0,0 +1,125 @@
+-- init.sql
+-- Create role for anonymous user
+CREATE ROLE anon NOLOGIN;
+
+-- Create role for authenticator
+CREATE ROLE authenticated NOLOGIN;
+
+-- Create project admin role for admin users
+CREATE ROLE project_admin NOLOGIN;
+
+GRANT USAGE ON SCHEMA public TO anon;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO anon;
+GRANT USAGE ON SCHEMA public TO authenticated;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO authenticated;
+GRANT USAGE ON SCHEMA public TO project_admin;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO project_admin;
+
+-- Grant permissions to roles
+-- NOTICE: The anon role is intended for unauthenticated users, so it should only have read access.
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO anon;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT SELECT ON TABLES TO anon;
+
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO authenticated;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT SELECT ON TABLES TO authenticated;
+
+GRANT INSERT ON ALL TABLES IN SCHEMA public TO authenticated;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT INSERT ON TABLES TO authenticated;
+
+GRANT UPDATE ON ALL TABLES IN SCHEMA public TO authenticated;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT UPDATE ON TABLES TO authenticated;
+
+GRANT DELETE ON ALL TABLES IN SCHEMA public TO authenticated;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT DELETE ON TABLES TO authenticated;
+
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO project_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public
+  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO project_admin;
+
+-- Create function to automatically create RLS policies for new tables
+CREATE OR REPLACE FUNCTION public.create_default_policies()
+RETURNS event_trigger AS $$
+DECLARE
+  obj record;
+  table_schema text;
+  table_name text;
+  has_rls boolean;
+BEGIN
+  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE TABLE'
+  LOOP
+    -- Extract schema and table name from object_identity
+    -- Handle quoted identifiers by removing quotes
+    SELECT INTO table_schema, table_name
+      split_part(obj.object_identity, '.', 1),
+      trim(both '"' from split_part(obj.object_identity, '.', 2));
+    -- Check if RLS is enabled on the table
+    SELECT INTO has_rls
+      rowsecurity
+    FROM pg_tables
+    WHERE schemaname = table_schema
+      AND tablename = table_name;
+    -- Only create policies if RLS is enabled
+    IF has_rls THEN
+      -- Create policies for each role
+      -- anon: read-only access
+      EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
+      -- authenticated: full access
+      EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
+      -- project_admin: full access
+      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
+    END IF;
+  END LOOP;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create event trigger to run the function when new tables are created
+CREATE EVENT TRIGGER create_policies_on_table_create
+  ON ddl_command_end
+  WHEN TAG IN ('CREATE TABLE')
+  EXECUTE FUNCTION public.create_default_policies();
+
+-- Create function to handle RLS enablement
+CREATE OR REPLACE FUNCTION public.create_policies_after_rls()
+RETURNS event_trigger AS $$
+DECLARE
+  obj record;
+  table_schema text;
+  table_name text;
+BEGIN
+  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'ALTER TABLE'
+  LOOP
+    -- Extract schema and table name
+    -- Handle quoted identifiers by removing quotes
+    SELECT INTO table_schema, table_name
+      split_part(obj.object_identity, '.', 1),
+      trim(both '"' from split_part(obj.object_identity, '.', 2));
+    -- Check if table has RLS enabled and no policies yet
+    IF EXISTS (
+      SELECT 1 FROM pg_tables
+      WHERE schemaname = table_schema
+        AND tablename = table_name
+        AND rowsecurity = true
+    ) AND NOT EXISTS (
+      SELECT 1 FROM pg_policies
+      WHERE schemaname = table_schema
+        AND tablename = table_name
+    ) THEN
+      -- Create default policies
+      EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
+      EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
+      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
+    END IF;
+  END LOOP;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create event trigger for ALTER TABLE commands
+CREATE EVENT TRIGGER create_policies_on_rls_enable
+  ON ddl_command_end
+  WHEN TAG IN ('ALTER TABLE')
+  EXECUTE FUNCTION public.create_policies_after_rls();

package/docker-init/db/jwt.sql

@@ -0,0 +1,5 @@
+\set jwt_secret `echo "$JWT_SECRET"`
+\set jwt_exp `echo "$JWT_EXP"`
+
+ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
+ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';

package/docker-init/db/logs.sql

@@ -0,0 +1,9 @@
+\set pguser `echo "$POSTGRES_USER"`
+
+CREATE DATABASE _insforge WITH OWNER :pguser;
+
+\c _insforge
+create schema if not exists _analytics;
+alter schema _analytics owner to :pguser;
+
+\c insforge

package/docker-init/db/postgresql.conf

@@ -0,0 +1,17 @@
+# PostgreSQL configuration for InsForge
+# Enable logical replication for Logflare
+
+# Listen on all interfaces to allow container connections
+listen_addresses = '*'
+
+# Set WAL level to logical for Logflare replication
+wal_level = logical
+
+# Set max replication slots (needed for logical replication)
+max_replication_slots = 10
+
+# Set max WAL senders
+max_wal_senders = 10
+
+# Shared preload libraries (if needed)
+# shared_preload_libraries = 'pg_stat_statements'

package/docs/deprecated/insforge-auth-api.md

@@ -0,0 +1,215 @@
+# Insforge OSS Authentication API Documentation
+
+## Overview
+
+Insforge uses JWT tokens and API keys for authentication. Store tokens in localStorage after login.
+**All requests**: Use `Authorization: Bearer <token>` header (for both JWT tokens and API keys)
+
+## Base URL
+`http://localhost:7130`
+
+## User Authentication
+
+### Register New User
+**POST** `/api/auth/users`
+
+Body: `{"email": "user@example.com", "password": "password", "name": "User Name"}`
+
+Returns: `{"accessToken": "...", "user": {"id": "...", "email": "...", "name": "...", "emailVerified": false, "createdAt": "...", "updatedAt": "..."}}`
+
+**Note:** This creates an entry in the `users` table with the same `id` for profile data
+
+### Login User  
+**POST** `/api/auth/sessions`
+
+Body: `{"email": "user@example.com", "password": "password"}`
+
+Returns: `{"accessToken": "...", "user": {"id": "...", "email": "...", "name": "...", "emailVerified": false, "createdAt": "...", "updatedAt": "..."}}`
+
+### Get Current User
+**GET** `/api/auth/sessions/current` 
+
+Headers: `Authorization: Bearer <accessToken>`
+
+Returns: `{"user": {"id": "...", "email": "...", "role": "authenticated"}}`
+
+**Note**: Returns LIMITED fields (id, email, role). For user profile data (nickname, avatar, bio, etc.), query `/api/database/records/users?id=eq.<user_id>`
+
+**Common errors:**
+- `401` with `"code": "MISSING_AUTHORIZATION_HEADER"` → No token provided
+- `401` with `"code": "INVALID_TOKEN"` → Token expired or invalid
+
+## Admin Authentication
+
+### Admin Login
+**POST** `/api/auth/admin/sessions`
+
+Request:
+```json
+{
+  "email": "admin@example.com",
+  "password": "change-this-password"
+}
+```
+
+Response:
+```json
+{
+  "accessToken": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
+  "user": {
+    "id": "admin-id",
+    "email": "admin@example.com",
+    "name": "Administrator",
+    "role": "project_admin"
+  }
+}
+```
+
+```bash
+# Mac/Linux
+curl -X POST http://localhost:7130/api/auth/admin/sessions \
+  -H 'Content-Type: application/json' \
+  -d '{"email":"admin@example.com","password":"change-this-password"}'
+
+# Windows PowerShell (use curl.exe)
+curl.exe -X POST http://localhost:7130/api/auth/admin/sessions \
+  -H "Content-Type: application/json" \
+  -d '{\"email\":\"admin@example.com\",\"password\":\"change-this-password\"}'
+```
+
+## Error Response Format
+
+All error responses follow this format:
+```json
+{
+  "code": "ERROR_CODE",
+  "message": "Human-readable error message"
+}
+```
+
+Example error:
+```json
+{
+  "code": "INVALID_EMAIL",
+  "message": "Please provide a valid email"
+}
+```
+
+## OAuth Support
+
+Insforge supports Google and GitHub OAuth when configured with environment variables.
+
+OAuth workflow:
+1. End user initiates OAuth login and receives authorization URL from backend
+2. After successful user authorization, Google/GitHub redirects to backend callback
+3. Backend generates JWT token and redirects to the application page
+
+Prerequisites:
+1. Create Google or GitHub OAuth Application and obtain Client ID and Client Secret
+2. Configure each platform's Client ID/Client Secret in InsForge backend (via Environment Variables)
+
+### OAuth Endpoints
+
+#### Get OAuth URL (Google/GitHub)
+**GET** `/api/auth/oauth/:provider`
+
+Parameters:
+- `provider`: "google" or "github" in the URL path
+- Query params: `?redirect_uri=http://localhost:3000/dashboard`
+
+Returns: `{"authUrl": "https://accounts.google.com/..."}` - URL to redirect user to provider's OAuth page.
+
+```bash
+# Mac/Linux
+curl -X GET "http://localhost:7130/api/auth/oauth/google?redirect_uri=http://localhost:3000/dashboard"
+
+# Windows PowerShell (use curl.exe)
+curl.exe -X GET "http://localhost:7130/api/auth/oauth/google?redirect_uri=http://localhost:3000/dashboard"
+```
+
+Example response:
+```json
+{
+  "authUrl": "https://accounts.google.com/o/oauth2/v2/auth?client_id=..."
+}
+```
+
+#### OAuth Callback
+The OAuth provider will redirect to:
+- Google: `http://localhost:7130/api/auth/oauth/google/callback`
+- GitHub: `http://localhost:7130/api/auth/oauth/github/callback`
+
+After processing, backend redirects to your specified `redirect_uri` with JWT token in URL parameters:
+- `access_token` - JWT authentication token
+- `user_id` - User's unique ID  
+- `email` - User's email address
+- `name` - User's display name
+
+## User Profile Table
+
+### Users Table
+The `users` table stores **user profile data**:
+- **✅ READ** via: `GET /api/database/records/users`
+- **✅ WRITE** via: `PATCH /api/database/records/users?id=eq.<user_id>`
+- **✅ Foreign keys allowed** - reference `users.id`
+- **IMPORTANT**: Add columns to this table for profile data instead of creating separate profile tables
+
+**Schema:**
+- `id` - User ID (UUID, primary key)
+- `nickname` - Display name (text, nullable)
+- `avatar_url` - Profile picture URL (text, nullable)
+- `bio` - User biography (text, nullable)
+- `birthday` - Birth date (date, nullable)
+- `created_at` - Account creation timestamp
+- `updated_at` - Last update timestamp
+
+**Note:** Email and name from auth are returned by Auth API, not stored in users table
+
+Example - Create table with user reference:
+```json
+{
+  "table_name": "posts",
+  "columns": [
+    {
+      "name": "title",
+      "type": "string",
+      "nullable": false,
+      "is_unique": false
+    },
+    {
+      "name": "user_id",
+      "type": "string",
+      "nullable": false,
+      "is_unique": false,
+      "foreign_key": {
+        "reference_table": "users",
+        "reference_column": "id",
+        "on_delete": "CASCADE",
+        "on_update": "CASCADE"
+      }
+    }
+  ]
+}
+```
+
+### Available Tables
+- **users** - User profile data (read/write access)
+  - Use this table for foreign key references
+  - Update profiles with PATCH requests
+
+## Headers Summary
+
+| API Type | Header Required |
+|----------|----------------|
+| Auth endpoints | None |
+| Database/Storage | `Authorization: Bearer <accessToken>` |
+| MCP testing only | `x-api-key: <key>` |
+
+## Critical Notes
+
+1. `/api/auth/sessions/current` returns `{"user": {...}}` - nested, not root level
+2. `/api/auth/sessions/current` only has: id, email, role (limited fields)
+3. Full user profile: `GET /api/database/records/users?id=eq.<id>`
+4. POST to database requires `[{...}]` array format always
+5. Auth endpoints (register/login): no headers needed
+6. Protected endpoints: `Authorization: Bearer <accessToken>`

package/docs/deprecated/insforge-auth-sdk.md

@@ -0,0 +1,100 @@
+# InsForge Auth SDK
+
+## Setup
+```javascript
+import { createClient } from '@insforge/sdk';
+const client = createClient({ baseUrl: 'http://localhost:7130' });
+```
+
+## Methods
+
+### signUp
+```javascript
+await client.auth.signUp({ email, password, name? })
+// Returns: { data: { accessToken, user }, error }
+// user: { id, email, name, emailVerified, createdAt, updatedAt }
+// Token auto-stored
+```
+
+### signInWithPassword
+```javascript
+await client.auth.signInWithPassword({ email, password })
+// Returns: { data: { accessToken, user }, error }
+// Token auto-stored
+```
+
+### signInWithOAuth
+```javascript
+const { data, error } = await client.auth.signInWithOAuth({ 
+  provider: 'google'|'github', 
+  redirectTo: window.location.origin,
+  skipBrowserRedirect: true
+})
+// Returns: { data: { url, provider }, error }
+
+// Manual redirect required
+if (data?.url) {
+  window.location.href = data.url
+}
+
+// ⚠️ IMPORTANT: No callback handling needed!
+// After OAuth, user returns to redirectTo URL already authenticated
+// The SDK automatically:
+// - Handles the OAuth callback
+// - Stores the JWT token
+// - Makes user available via getCurrentUser()
+
+// ❌ DON'T DO THIS (not needed):
+// const accessToken = urlParams.get('access_token')
+// const userId = urlParams.get('user_id')
+
+// ✅ DO THIS INSTEAD (after redirect back):
+const { data: userData } = await client.auth.getCurrentUser()
+```
+
+### getCurrentUser
+```javascript
+await client.auth.getCurrentUser()
+// Returns: { data: { user: { id, email, role }, profile: {...} }, error }
+// Makes API call to validate token and fetch profile
+```
+
+### getCurrentSession
+```javascript
+await client.auth.getCurrentSession()
+// Returns: { data: { session: { accessToken, user } }, error }
+// From localStorage, no API call
+```
+
+### getProfile
+```javascript
+await client.auth.getProfile(userId)
+// Returns: { data: { id, nickname, bio, ... }, error }
+// Returns single object, not array!
+```
+
+### setProfile
+```javascript
+await client.auth.setProfile({ nickname, bio, avatar_url })
+// Returns: { data: { id, nickname, bio, ... }, error }
+// Returns single object, not array!
+```
+
+### signOut
+```javascript
+await client.auth.signOut()
+// Returns: { error }
+// Clears token from storage
+```
+
+## Error Codes
+- `INVALID_EMAIL`
+- `WEAK_PASSWORD` 
+- `USER_ALREADY_EXISTS`
+- `INVALID_CREDENTIALS`
+- `INVALID_TOKEN`
+
+## Notes
+- Tokens stored in localStorage (browser) or memory (Node.js)
+- All requests after login automatically include token
+- User profile data in `users` table, not auth