insforge 0.3.3 → 1.3.0

package/docker-compose.yml

@@ -1,167 +1,232 @@
-version: '3.8'
-
-services:
-  postgres:
-    image: postgres:15.13
-    container_name: insforge-postgres
-    command: postgres -c config_file=/etc/postgresql/postgresql.conf
-    environment:
-      - POSTGRES_USER=${POSTGRES_USER:-postgres}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
-      - POSTGRES_DB=${POSTGRES_DB:-insforge}
-    volumes:
-      - postgres-data:/var/lib/postgresql/data
-      - ./docker-init/db/db-init.sql:/docker-entrypoint-initdb.d/01-init.sql
-      - ./docker-init/db/jwt.sql:/docker-entrypoint-initdb.d/02-jwt.sql
-      - ./docker-init/db/logs.sql:/docker-entrypoint-initdb.d/03-logs.sql
-      - ./docker-init/db/postgresql.conf:/etc/postgresql/postgresql.conf
-    ports:
-      - "5432:5432"
-    networks:
-      - insforge-network
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-
-  postgrest:
-    image: postgrest/postgrest:v12.2.12
-    container_name: insforge-postgrest
-    restart: unless-stopped
-    environment:
-      # POSTGRES_USER: ${POSTGRES_USER:-postgres}
-      # POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
-      # POSTGRES_DB: ${POSTGRES_DB:-insforge}
-      PGRST_DB_URI: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-insforge}
-      PGRST_OPENAPI_SERVER_PROXY_URI: http://localhost:3000
-      PGRST_DB_SCHEMA: public
-      PGRST_DB_ANON_ROLE: anon
-      PGRST_JWT_SECRET: ${JWT_SECRET}
-      # Enable schema reloading via NOTIFY
-      PGRST_DB_CHANNEL_ENABLED: true
-      PGRST_DB_CHANNEL: pgrst
-    ports:
-      - "5430:3000"
-    depends_on:
-      postgres:
-        condition: service_healthy
-    networks:
-      - insforge-network
-
-  insforge:
-    image: node:20-alpine
-    container_name: insforge
-    working_dir: /app
-    depends_on:
-      postgres:
-        condition: service_healthy
-    ports:
-      - "7130:7130"
-      - "7131:7131"
-    environment:
-      - PORT=7130
-      - PROJECT_ROOT=/app
-      - API_BASE_URL=${API_BASE_URL:-}
-      - VITE_API_BASE_URL=${VITE_API_BASE_URL:-}
-      - JWT_SECRET=${JWT_SECRET:-dev-secret-change-in-production}
-      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-}
-      - ADMIN_EMAIL=${ADMIN_EMAIL:-admin@example.com}
-      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-change-this-password}
-      # PostgreSQL connection
-      - POSTGRES_HOST=postgres
-      - POSTGRES_PORT=5432
-      - POSTGRES_DB=${POSTGRES_DB:-insforge}
-      - POSTGRES_USER=${POSTGRES_USER:-postgres}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
-      - DATABASE_URL=postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-insforge}
-      - POSTGREST_BASE_URL=http://postgrest:3000
-      # Deno Runtime URL for serverless functions
-      - DENO_RUNTIME_URL=http://deno:7133
-      # Storage Configuration
-      - AWS_S3_BUCKET=${AWS_S3_BUCKET:-}
-      - AWS_REGION=${AWS_REGION:-}
-      # Multi-tenant Cloud Configuration
-      - DEPLOYMENT_ID=${DEPLOYMENT_ID:-}
-      - PROJECT_ID=${PROJECT_ID:-}
-      - APP_KEY=${APP_KEY:-}
-      - ACCESS_API_KEY=${ACCESS_API_KEY:-}
-      # LLM Model API keys
-      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY:-}
-      # OAuth Configuration
-      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
-      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:-}
-      - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID:-}
-      - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET:-}
-    volumes:
-      - ./package.json:/app/package.json
-      - ./backend:/app/backend
-      - ./frontend:/app/frontend
-      - ./shared-schemas:/app/shared-schemas
-      - ./docs:/app/docs
-      - node_modules:/app/node_modules
-      - backend_node_modules:/app/backend/node_modules
-      - frontend_node_modules:/app/frontend/node_modules
-      - shared_schemas_node_modules:/app/shared-schemas/node_modules
-    command: sh -c "npm install && cd backend && npm run migrate:up && cd .. && npm run dev"
-    restart: unless-stopped
-    networks:
-      - insforge-network
-
-  # Deno serverless runtime for edge functions
-  deno:
-    image: denoland/deno:alpine-2.0.6
-    container_name: insforge-deno
-    working_dir: /app
-    depends_on:
-      - postgres
-      - postgrest
-    ports:
-      - "7133:7133"
-    environment:
-      - PORT=7133
-      - DENO_ENV=${DENO_ENV:-development}
-      - DENO_DIR=/deno-dir
-      # PostgreSQL connection
-      - POSTGRES_HOST=postgres
-      - POSTGRES_PORT=5432
-      - POSTGRES_DB=${POSTGRES_DB:-insforge}
-      - POSTGRES_USER=${POSTGRES_USER:-postgres}
-      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
-      - POSTGREST_BASE_URL=http://postgrest:3000
-      # Worker timeout (30 seconds default)
-      - WORKER_TIMEOUT_MS=${WORKER_TIMEOUT_MS:-30000}
-      # Encryption keys for decrypting function secrets
-      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
-      - JWT_SECRET=${JWT_SECRET}
-    volumes:
-      - ./functions:/app/functions
-      - deno_cache:/deno-dir
-    command: >
-      sh -c "
-        echo 'Downloading Deno dependencies...' &&
-        deno cache functions/server.ts &&
-        echo 'Starting Deno server on port 7133...' &&
-        deno run --allow-net --allow-env --allow-read=./functions/worker-template.js --watch functions/server.ts
-      "
-    restart: unless-stopped
-    networks:
-      - insforge-network
-
-volumes:
-  postgres-data:
-    driver: local
-  node_modules:
-    driver: local
-  backend_node_modules:
-    driver: local
-  frontend_node_modules:
-    driver: local
-  shared_schemas_node_modules:
-    driver: local
-  deno_cache:
-    driver: local
-
-networks:
-  insforge-network:
-    driver: bridge
+version: '3.8'
+
+services:
+  postgres:
+    image: postgres:15.13
+    container_name: insforge-postgres
+    command: postgres -c config_file=/etc/postgresql/postgresql.conf
+    environment:
+      - POSTGRES_USER=${POSTGRES_USER:-postgres}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
+      - POSTGRES_DB=${POSTGRES_DB:-insforge}
+    volumes:
+      - postgres-data:/var/lib/postgresql/data
+      - ./docker-init/db/db-init.sql:/docker-entrypoint-initdb.d/01-init.sql
+      - ./docker-init/db/jwt.sql:/docker-entrypoint-initdb.d/02-jwt.sql
+      - ./docker-init/db/postgresql.conf:/etc/postgresql/postgresql.conf
+    ports:
+      - "5432:5432"
+    networks:
+      - insforge-network
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U postgres"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  postgrest:
+    image: postgrest/postgrest:v12.2.12
+    container_name: insforge-postgrest
+    restart: unless-stopped
+    environment:
+      # POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      # POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-postgres}
+      # POSTGRES_DB: ${POSTGRES_DB:-insforge}
+      PGRST_DB_URI: postgres://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-insforge}
+      PGRST_OPENAPI_SERVER_PROXY_URI: http://localhost:3000
+      PGRST_DB_SCHEMA: public
+      PGRST_DB_ANON_ROLE: anon
+      PGRST_JWT_SECRET: ${JWT_SECRET:-dev-secret-please-change-in-production}
+      # Enable schema reloading via NOTIFY
+      PGRST_DB_CHANNEL_ENABLED: true
+      PGRST_DB_CHANNEL: pgrst
+    ports:
+      - "5430:3000"
+    depends_on:
+      postgres:
+        condition: service_healthy
+    networks:
+      - insforge-network
+
+  insforge:
+    image: node:20-alpine
+    container_name: insforge
+    working_dir: /app
+    depends_on:
+      postgres:
+        condition: service_healthy
+    ports:
+      - "7130:7130"
+      - "7131:7131"
+      - "7132:7132"
+    environment:
+      - PORT=7130
+      - PROJECT_ROOT=/app
+      - API_BASE_URL=${API_BASE_URL:-}
+      - VITE_API_BASE_URL=${VITE_API_BASE_URL:-}
+      - JWT_SECRET=${JWT_SECRET:-dev-secret-please-change-in-production}
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY:-}
+      - ADMIN_EMAIL=${ADMIN_EMAIL:-admin@example.com}
+      - ADMIN_PASSWORD=${ADMIN_PASSWORD:-change-this-password}
+      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
+      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
+      # PostgreSQL connection
+      - POSTGRES_HOST=postgres
+      - POSTGRES_PORT=5432
+      - POSTGRES_DB=${POSTGRES_DB:-insforge}
+      - POSTGRES_USER=${POSTGRES_USER:-postgres}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
+      - DATABASE_URL=postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD:-postgres}@postgres:5432/${POSTGRES_DB:-insforge}
+      - POSTGREST_BASE_URL=http://postgrest:3000
+      # Deno Runtime URL for serverless functions
+      - DENO_RUNTIME_URL=http://deno:7133
+      # Storage Configuration
+      - AWS_S3_BUCKET=${AWS_S3_BUCKET:-}
+      - AWS_REGION=${AWS_REGION:-}
+      - AWS_CLOUDFRONT_URL=${AWS_CLOUDFRONT_URL:-}
+      - AWS_CLOUDFRONT_KEY_PAIR_ID=${AWS_CLOUDFRONT_KEY_PAIR_ID:-}
+      - AWS_CLOUDFRONT_PRIVATE_KEY=${AWS_CLOUDFRONT_PRIVATE_KEY:-}
+      # Multi-tenant Cloud Configuration
+      - DEPLOYMENT_ID=${DEPLOYMENT_ID:-}
+      - PROJECT_ID=${PROJECT_ID:-}
+      - APP_KEY=${APP_KEY:-}
+      - ACCESS_API_KEY=${ACCESS_API_KEY:-}
+      - CLOUD_API_HOST=${CLOUD_API_HOST:-}
+      # LLM Model API keys
+      - OPENROUTER_API_KEY=${OPENROUTER_API_KEY:-}
+      # OAuth Configuration
+      - GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
+      - GOOGLE_CLIENT_SECRET=${GOOGLE_CLIENT_SECRET:-}
+      - GITHUB_CLIENT_ID=${GITHUB_CLIENT_ID:-}
+      - GITHUB_CLIENT_SECRET=${GITHUB_CLIENT_SECRET:-}
+      - DISCORD_CLIENT_ID=${DISCORD_CLIENT_ID:-}
+      - DISCORD_CLIENT_SECRET=${DISCORD_CLIENT_SECRET:-}
+      - MICROSOFT_CLIENT_ID=${MICROSOFT_CLIENT_ID:-}
+      - MICROSOFT_CLIENT_SECRET=${MICROSOFT_CLIENT_SECRET:-}
+      - LINKEDIN_CLIENT_ID=${LINKEDIN_CLIENT_ID:-}
+      - LINKEDIN_CLIENT_SECRET=${LINKEDIN_CLIENT_SECRET:-}
+      - X_CLIENT_ID=${X_CLIENT_ID:-}
+      - X_CLIENT_SECRET=${X_CLIENT_SECRET:-}
+      - APPLE_CLIENT_ID=${APPLE_CLIENT_ID:-}
+      - APPLE_CLIENT_SECRET=${APPLE_CLIENT_SECRET:-}
+      # Logs directory
+      - LOGS_DIR=/insforge-logs
+      # Storage directory (for local file storage when S3 is not configured)
+      - STORAGE_DIR=/insforge-storage
+      # Auth app URL for development proxy
+      - AUTH_APP_URL=${AUTH_APP_URL:-http://localhost:7132}
+    volumes:
+      - ./package.json:/app/package.json
+      - ./backend:/app/backend
+      - ./frontend:/app/frontend
+      - ./auth:/app/auth
+      - ./shared-schemas:/app/shared-schemas
+      - ./docs:/app/docs
+      - node_modules:/app/node_modules
+      - backend_node_modules:/app/backend/node_modules
+      - frontend_node_modules:/app/frontend/node_modules
+      - auth_node_modules:/app/auth/node_modules
+      - shared_schemas_node_modules:/app/shared-schemas/node_modules
+      - shared-logs:/insforge-logs
+      - storage-data:/insforge-storage
+    command: sh -c "npm install && cd backend && npm run migrate:up && cd .. && npm run dev"
+    restart: unless-stopped
+    networks:
+      - insforge-network
+
+  # Deno serverless runtime for edge functions
+  deno:
+    image: denoland/deno:alpine-2.0.6
+    container_name: insforge-deno
+    working_dir: /app
+    depends_on:
+      - postgres
+      - postgrest
+    ports:
+      - "7133:7133"
+    environment:
+      - PORT=7133
+      - DENO_ENV=${DENO_ENV:-development}
+      - DENO_DIR=/deno-dir
+      # PostgreSQL connection
+      - POSTGRES_HOST=postgres
+      - POSTGRES_PORT=5432
+      - POSTGRES_DB=${POSTGRES_DB:-insforge}
+      - POSTGRES_USER=${POSTGRES_USER:-postgres}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:-postgres}
+      - POSTGREST_BASE_URL=http://postgrest:3000
+      # Worker timeout (60 seconds default)
+      - WORKER_TIMEOUT_MS=${WORKER_TIMEOUT_MS:-60000}
+      # Encryption keys for decrypting function secrets
+      - ENCRYPTION_KEY=${ENCRYPTION_KEY}
+      - JWT_SECRET=${JWT_SECRET:-dev-secret-please-change-in-production}
+    volumes:
+      - ./functions:/app/functions
+      - deno_cache:/deno-dir
+    command: >
+      sh -c "
+        echo 'Downloading Deno dependencies...' &&
+        deno cache functions/server.ts &&
+        echo 'Starting Deno server on port 7133...' &&
+        deno run --allow-net --allow-env --allow-read=./functions/worker-template.js --watch functions/server.ts
+      "
+    restart: unless-stopped
+    networks:
+      - insforge-network
+
+  # Vector.dev for log collection and shipping
+  vector:
+    container_name: insforge-vector
+    image: timberio/vector:0.28.1-alpine
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+      postgrest:
+        condition: service_started
+      insforge:
+        condition: service_started
+      deno:
+        condition: service_started
+    volumes:
+      - ./docker-init/logs/vector.yml:/etc/vector/vector.yml:ro
+      - /var/run/docker.sock:/var/run/docker.sock:ro
+      - shared-logs:/insforge-logs
+    healthcheck:
+      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:7135/health"]
+      timeout: 5s
+      interval: 5s
+      retries: 3
+    environment:
+      - AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-}
+      - AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY:-}
+      - AWS_REGION=${AWS_REGION:-skip}
+      - PROJECT_ID=${PROJECT_ID:-}
+      - HOSTNAME_OVERRIDE=${HOSTNAME_OVERRIDE:-}
+    command: ["--config", "/etc/vector/vector.yml"]
+    networks:
+      - insforge-network
+
+volumes:
+  postgres-data:
+    driver: local
+  node_modules:
+    driver: local
+  backend_node_modules:
+    driver: local
+  frontend_node_modules:
+    driver: local
+  auth_node_modules:
+    driver: local
+  shared_schemas_node_modules:
+    driver: local
+  deno_cache:
+    driver: local
+  shared-logs:
+    driver: local
+  storage-data:
+    driver: local
+
+networks:
+  insforge-network:
+    driver: bridge

package/docker-init/db/db-init.sql

@@ -1,125 +1,97 @@
--- init.sql
--- Create role for anonymous user
-CREATE ROLE anon NOLOGIN;
-
--- Create role for authenticator
-CREATE ROLE authenticated NOLOGIN;
-
--- Create project admin role for admin users
-CREATE ROLE project_admin NOLOGIN;
-
-GRANT USAGE ON SCHEMA public TO anon;
-GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO anon;
-GRANT USAGE ON SCHEMA public TO authenticated;
-GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO authenticated;
-GRANT USAGE ON SCHEMA public TO project_admin;
-GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO project_admin;
-
--- Grant permissions to roles
--- NOTICE: The anon role is intended for unauthenticated users, so it should only have read access.
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO anon;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT SELECT ON TABLES TO anon;
-
-GRANT SELECT ON ALL TABLES IN SCHEMA public TO authenticated;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT SELECT ON TABLES TO authenticated;
-
-GRANT INSERT ON ALL TABLES IN SCHEMA public TO authenticated;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT INSERT ON TABLES TO authenticated;
-
-GRANT UPDATE ON ALL TABLES IN SCHEMA public TO authenticated;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT UPDATE ON TABLES TO authenticated;
-
-GRANT DELETE ON ALL TABLES IN SCHEMA public TO authenticated;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT DELETE ON TABLES TO authenticated;
-
-GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO project_admin;
-ALTER DEFAULT PRIVILEGES IN SCHEMA public
-  GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO project_admin;
-
--- Create function to automatically create RLS policies for new tables
-CREATE OR REPLACE FUNCTION public.create_default_policies()
-RETURNS event_trigger AS $$
-DECLARE
-  obj record;
-  table_schema text;
-  table_name text;
-  has_rls boolean;
-BEGIN
-  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE TABLE'
-  LOOP
-    -- Extract schema and table name from object_identity
-    -- Handle quoted identifiers by removing quotes
-    SELECT INTO table_schema, table_name
-      split_part(obj.object_identity, '.', 1),
-      trim(both '"' from split_part(obj.object_identity, '.', 2));
-    -- Check if RLS is enabled on the table
-    SELECT INTO has_rls
-      rowsecurity
-    FROM pg_tables
-    WHERE schemaname = table_schema
-      AND tablename = table_name;
-    -- Only create policies if RLS is enabled
-    IF has_rls THEN
-      -- Create policies for each role
-      -- anon: read-only access
-      EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
-      -- authenticated: full access
-      EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
-      -- project_admin: full access
-      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
-    END IF;
-  END LOOP;
-END;
-$$ LANGUAGE plpgsql;
-
--- Create event trigger to run the function when new tables are created
-CREATE EVENT TRIGGER create_policies_on_table_create
-  ON ddl_command_end
-  WHEN TAG IN ('CREATE TABLE')
-  EXECUTE FUNCTION public.create_default_policies();
-
--- Create function to handle RLS enablement
-CREATE OR REPLACE FUNCTION public.create_policies_after_rls()
-RETURNS event_trigger AS $$
-DECLARE
-  obj record;
-  table_schema text;
-  table_name text;
-BEGIN
-  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'ALTER TABLE'
-  LOOP
-    -- Extract schema and table name
-    -- Handle quoted identifiers by removing quotes
-    SELECT INTO table_schema, table_name
-      split_part(obj.object_identity, '.', 1),
-      trim(both '"' from split_part(obj.object_identity, '.', 2));
-    -- Check if table has RLS enabled and no policies yet
-    IF EXISTS (
-      SELECT 1 FROM pg_tables
-      WHERE schemaname = table_schema
-        AND tablename = table_name
-        AND rowsecurity = true
-    ) AND NOT EXISTS (
-      SELECT 1 FROM pg_policies
-      WHERE schemaname = table_schema
-        AND tablename = table_name
-    ) THEN
-      -- Create default policies
-      EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
-      EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
-      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
-    END IF;
-  END LOOP;
-END;
-$$ LANGUAGE plpgsql;
-
--- Create event trigger for ALTER TABLE commands
-CREATE EVENT TRIGGER create_policies_on_rls_enable
-  ON ddl_command_end
-  WHEN TAG IN ('ALTER TABLE')
-  EXECUTE FUNCTION public.create_policies_after_rls();
+-- init.sql
+-- Create role for anonymous user
+CREATE ROLE anon NOLOGIN;
+
+-- Create role for authenticator
+CREATE ROLE authenticated NOLOGIN;
+
+-- Create project admin role for admin users
+CREATE ROLE project_admin NOLOGIN;
+
+GRANT USAGE ON SCHEMA public TO anon;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO anon;
+GRANT USAGE ON SCHEMA public TO authenticated;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO authenticated;
+GRANT USAGE ON SCHEMA public TO project_admin;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO project_admin;
+
+-- Grant permissions to roles
+GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO anon, authenticated, project_admin;
+ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO anon, authenticated, project_admin;
+-- Create function to automatically create RLS policies for new tables
+CREATE OR REPLACE FUNCTION public.create_default_policies()
+RETURNS event_trigger AS $$
+DECLARE
+  obj record;
+  table_schema text;
+  table_name text;
+  has_rls boolean;
+BEGIN
+  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE TABLE'
+  LOOP
+    -- Extract schema and table name from object_identity
+    -- Handle quoted identifiers by removing quotes
+    SELECT INTO table_schema, table_name
+      split_part(obj.object_identity, '.', 1),
+      trim(both '"' from split_part(obj.object_identity, '.', 2));
+    -- Check if RLS is enabled on the table
+    SELECT INTO has_rls
+      rowsecurity
+    FROM pg_tables
+    WHERE schemaname = table_schema
+      AND tablename = table_name;
+    -- Only create policies if RLS is enabled
+    IF has_rls THEN
+      -- Create policy for project_admin role only
+      -- Users must define their own policies for anon and authenticated roles
+      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
+    END IF;
+  END LOOP;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create event trigger to run the function when new tables are created
+CREATE EVENT TRIGGER create_policies_on_table_create
+  ON ddl_command_end
+  WHEN TAG IN ('CREATE TABLE')
+  EXECUTE FUNCTION public.create_default_policies();
+
+-- Create function to handle RLS enablement
+CREATE OR REPLACE FUNCTION public.create_policies_after_rls()
+RETURNS event_trigger AS $$
+DECLARE
+  obj record;
+  table_schema text;
+  table_name text;
+BEGIN
+  FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'ALTER TABLE'
+  LOOP
+    -- Extract schema and table name
+    -- Handle quoted identifiers by removing quotes
+    SELECT INTO table_schema, table_name
+      split_part(obj.object_identity, '.', 1),
+      trim(both '"' from split_part(obj.object_identity, '.', 2));
+    -- Check if table has RLS enabled and no policies yet
+    IF EXISTS (
+      SELECT 1 FROM pg_tables
+      WHERE schemaname = table_schema
+        AND tablename = table_name
+        AND rowsecurity = true
+    ) AND NOT EXISTS (
+      SELECT 1 FROM pg_policies
+      WHERE schemaname = table_schema
+        AND tablename = table_name
+    ) THEN
+      -- Create policy for project_admin role only
+      -- Users must define their own policies for anon and authenticated roles
+      EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
+    END IF;
+  END LOOP;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Create event trigger for ALTER TABLE commands
+CREATE EVENT TRIGGER create_policies_on_rls_enable
+  ON ddl_command_end
+  WHEN TAG IN ('ALTER TABLE')
+  EXECUTE FUNCTION public.create_policies_after_rls();

package/docker-init/db/jwt.sql

@@ -1,5 +1,5 @@
-\set jwt_secret `echo "$JWT_SECRET"`
-\set jwt_exp `echo "$JWT_EXP"`
-
-ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
-ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';
+\set jwt_secret `echo "$JWT_SECRET"`
+\set jwt_exp `echo "$JWT_EXP"`
+
+ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
+ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';