npm - insforge - Versions diffs - 1.2.10 → 1.4.8 - Mend

insforge 1.2.10 → 1.4.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (506) hide show

package/.claude-plugin/marketplace.json +20 -20
package/.dockerignore +60 -60
package/.env.example +83 -77
package/.github/ISSUE_TEMPLATE/bug_report.yml +36 -36
package/.github/ISSUE_TEMPLATE/config.yml +11 -11
package/.github/ISSUE_TEMPLATE/feature_request.yml +26 -26
package/.github/PULL_REQUEST_TEMPLATE.md +7 -7
package/.github/copilot-instructions.md +146 -146
package/.github/workflows/build-image.yml +65 -65
package/.github/workflows/ci-premerge-check.yml +23 -23
package/.github/workflows/e2e.yml +63 -63
package/.github/workflows/lint-and-format.yml +32 -32
package/.prettierignore +64 -64
package/CHANGELOG.md +46 -44
package/CLAUDE_PLUGIN.md +104 -104
package/CODE_OF_CONDUCT.md +128 -128
package/CONTRIBUTING.md +125 -125
package/Dockerfile +30 -30
package/GITHUB_OAUTH_SETUP.md +49 -49
package/GOOGLE_OAUTH_SETUP.md +148 -148
package/LICENSE +201 -201
package/README.md +182 -182
package/assets/Dark.svg +23 -23
package/auth/package.json +30 -28
package/auth/src/lib/broadcastService.ts +4 -4
package/auth/src/lib/insforge.ts +8 -0
package/auth/src/main.tsx +2 -4
package/auth/src/pages/SignInPage.tsx +5 -2
package/auth/src/pages/SignUpPage.tsx +5 -2
package/auth/src/pages/VerifyEmailPage.tsx +18 -0
package/auth/tsconfig.json +33 -32
package/auth/tsconfig.node.json +11 -11
package/backend/package.json +82 -75
package/backend/src/api/middlewares/rate-limiters.ts +127 -127
package/backend/src/api/routes/ai/index.routes.ts +475 -468
package/backend/src/api/routes/auth/index.routes.ts +720 -570
package/backend/src/api/routes/auth/oauth.routes.ts +478 -448
package/backend/src/api/routes/database/advance.routes.ts +37 -16
package/backend/src/api/routes/database/index.routes.ts +80 -1
package/backend/src/api/routes/database/records.routes.ts +48 -184
package/backend/src/api/routes/database/rpc.routes.ts +69 -0
package/backend/src/api/routes/database/tables.routes.ts +0 -14
package/backend/src/api/routes/deployments/index.routes.ts +192 -0
package/backend/src/api/routes/docs/index.routes.ts +76 -76
package/backend/src/api/routes/email/index.routes.ts +35 -0
package/backend/src/api/routes/functions/index.routes.ts +21 -15
package/backend/src/api/routes/metadata/index.routes.ts +38 -0
package/backend/src/api/routes/realtime/channels.routes.ts +81 -0
package/backend/src/api/routes/realtime/index.routes.ts +12 -0
package/backend/src/api/routes/realtime/messages.routes.ts +48 -0
package/backend/src/api/routes/realtime/permissions.routes.ts +19 -0
package/backend/src/api/routes/storage/index.routes.ts +18 -12
package/backend/src/api/routes/usage/index.routes.ts +6 -4
package/backend/src/api/routes/webhooks/index.routes.ts +109 -0
package/backend/src/infra/database/database.manager.ts +14 -11
package/backend/src/infra/database/migrations/000_create-base-tables.sql +141 -141
package/backend/src/infra/database/migrations/001_create-helper-functions.sql +40 -40
package/backend/src/infra/database/migrations/002_rename-auth-tables.sql +29 -29
package/backend/src/infra/database/migrations/003_create-users-table.sql +55 -55
package/backend/src/infra/database/migrations/004_add-reload-postgrest-func.sql +23 -23
package/backend/src/infra/database/migrations/005_enable-project-admin-modify-users.sql +29 -29
package/backend/src/infra/database/migrations/006_modify-ai-usage-table.sql +24 -24
package/backend/src/infra/database/migrations/007_drop-metadata-table.sql +1 -1
package/backend/src/infra/database/migrations/008_add-system-tables.sql +76 -76
package/backend/src/infra/database/migrations/009_add-function-secrets.sql +23 -23
package/backend/src/infra/database/migrations/010_modify-ai-config-modalities.sql +93 -93
package/backend/src/infra/database/migrations/011_refactor-secrets-table.sql +15 -15
package/backend/src/infra/database/migrations/012_add-storage-uploaded-by.sql +7 -7
package/backend/src/infra/database/migrations/013_create-auth-schema-functions.sql +44 -44
package/backend/src/infra/database/migrations/014_add-updated-at-trigger-user-table.sql +7 -7
package/backend/src/infra/database/migrations/015_create-auth-config-and-email-otp-tables.sql +59 -59
package/backend/src/infra/database/migrations/016_update-auth-config-and-email-otp.sql +24 -24
package/backend/src/infra/database/migrations/017_create-realtime-schema.sql +233 -0
package/backend/src/infra/database/migrations/018_schema-rework.sql +441 -0
package/backend/src/infra/database/migrations/019_create-deployments-table.sql +36 -0
package/backend/src/infra/database/migrations/020_add-audio-modality.sql +11 -0
package/backend/src/infra/database/migrations/bootstrap/bootstrap-migrations.js +103 -0
package/backend/src/infra/realtime/realtime.manager.ts +246 -0
package/backend/src/infra/realtime/webhook-sender.ts +82 -0
package/backend/src/infra/security/token.manager.ts +216 -125
package/backend/src/infra/socket/socket.manager.ts +198 -64
package/backend/src/providers/ai/openrouter.provider.ts +24 -12
package/backend/src/providers/database/base.provider.ts +39 -0
package/backend/src/providers/database/cloud.provider.ts +159 -0
package/backend/src/providers/deployments/vercel.provider.ts +516 -0
package/backend/src/providers/email/base.provider.ts +4 -7
package/backend/src/providers/email/cloud.provider.ts +84 -0
package/backend/src/providers/oauth/apple.provider.ts +266 -0
package/backend/src/providers/oauth/index.ts +1 -0
package/backend/src/server.ts +329 -284
package/backend/src/services/ai/ai-config.service.ts +6 -6
package/backend/src/services/ai/ai-model.service.ts +60 -60
package/backend/src/services/ai/ai-usage.service.ts +7 -7
package/backend/src/services/ai/chat-completion.service.ts +415 -220
package/backend/src/services/ai/helpers.ts +64 -64
package/backend/src/services/ai/image-generation.service.ts +3 -3
package/backend/src/services/ai/index.ts +13 -13
package/backend/src/services/auth/auth-config.service.ts +4 -4
package/backend/src/services/auth/auth-otp.service.ts +6 -6
package/backend/src/services/auth/auth.service.ts +148 -74
package/backend/src/services/auth/index.ts +4 -4
package/backend/src/services/auth/oauth-config.service.ts +12 -12
package/backend/src/services/database/database-advance.service.ts +19 -55
package/backend/src/services/database/database-table.service.ts +38 -94
package/backend/src/services/database/database.service.ts +127 -0
package/backend/src/services/database/postgrest-proxy.service.ts +165 -0
package/backend/src/services/deployments/deployment.service.ts +693 -0
package/backend/src/services/email/email.service.ts +5 -7
package/backend/src/services/functions/function.service.ts +61 -41
package/backend/src/services/logs/audit.service.ts +10 -10
package/backend/src/services/realtime/index.ts +3 -0
package/backend/src/services/realtime/realtime-auth.service.ts +104 -0
package/backend/src/services/realtime/realtime-channel.service.ts +237 -0
package/backend/src/services/realtime/realtime-message.service.ts +260 -0
package/backend/src/services/secrets/secret.service.ts +101 -27
package/backend/src/services/storage/storage.service.ts +30 -30
package/backend/src/services/usage/usage.service.ts +6 -6
package/backend/src/types/ai.ts +8 -0
package/backend/src/types/auth.ts +16 -1
package/backend/src/types/database.ts +2 -0
package/backend/src/types/deployments.ts +33 -0
package/backend/src/types/realtime.ts +18 -0
package/backend/src/types/socket.ts +7 -31
package/backend/src/types/storage.ts +1 -1
package/backend/src/types/webhooks.ts +45 -0
package/backend/src/utils/cookies.ts +34 -0
package/backend/src/utils/environment.ts +0 -14
package/backend/src/utils/s3-config-loader.ts +64 -0
package/backend/src/utils/seed.ts +79 -43
package/backend/src/utils/sql-parser.ts +216 -0
package/backend/src/utils/utils.ts +114 -114
package/backend/src/utils/validations.ts +10 -10
package/backend/tests/README.md +133 -133
package/backend/tests/cleanup-all-test-data.sh +230 -230
package/backend/tests/cloud/test-s3-multitenant.sh +131 -131
package/backend/tests/local/comprehensive-curl-tests.sh +155 -155
package/backend/tests/local/test-ai-config.sh +129 -129
package/backend/tests/local/test-ai-usage.sh +80 -80
package/backend/tests/local/test-auth-router.sh +143 -143
package/backend/tests/local/test-database-router.sh +222 -222
package/backend/tests/local/test-e2e.sh +240 -240
package/backend/tests/local/test-fk-errors.sh +96 -96
package/backend/tests/local/test-functions.sh +123 -123
package/backend/tests/local/test-id-field.sh +200 -200
package/backend/tests/local/test-logs.sh +132 -132
package/backend/tests/local/test-public-bucket.sh +264 -264
package/backend/tests/local/test-rpc.sh +141 -0
package/backend/tests/local/test-secrets.sh +249 -249
package/backend/tests/local/test-serverless-functions.sh.disabled +325 -325
package/backend/tests/local/test-traditional-rest.sh +208 -208
package/backend/tests/manual/README.md +50 -50
package/backend/tests/manual/create-large-table-simple.sql +10 -10
package/backend/tests/manual/seed-large-table.sql +100 -100
package/backend/tests/manual/setup-large-table-extras.sql +33 -33
package/backend/tests/manual/test-ai-model-plugins.sh +258 -0
package/backend/tests/manual/test-bulk-upsert.sh +409 -409
package/backend/tests/manual/test-database-advance.sh +296 -296
package/backend/tests/manual/test-postgrest-stability.sh +191 -191
package/backend/tests/manual/test-rawsql-export-import.sh +411 -411
package/backend/tests/manual/test-rawsql-modes.sh +244 -244
package/backend/tests/manual/test-universal-storage.sh +263 -263
package/backend/tests/manual/test-users.sql +17 -17
package/backend/tests/run-all-tests.sh +139 -139
package/backend/tests/setup.ts +0 -0
package/backend/tests/test-config.sh +338 -338
package/backend/tests/unit/analyze-query.test.ts +697 -0
package/backend/tests/unit/database-advance.test.ts +326 -0
package/backend/tests/unit/helpers.test.ts +2 -2
package/backend/tsconfig.json +22 -22
package/claude-plugin/.claude-plugin/plugin.json +24 -24
package/claude-plugin/README.md +133 -133
package/claude-plugin/skills/insforge-schema-patterns/SKILL.md +273 -270
package/docker-compose.prod.yml +204 -200
package/docker-compose.yml +232 -228
package/docker-init/db/db-init.sql +97 -97
package/docker-init/db/jwt.sql +5 -5
package/docker-init/db/postgresql.conf +16 -16
package/docker-init/logs/vector.yml +236 -236
package/docs/README.md +44 -44
package/docs/agent-docs/deployment.md +79 -0
package/docs/agent-docs/real-time.md +269 -0
package/docs/changelog.mdx +212 -67
package/docs/core-concepts/ai/architecture.mdx +350 -372
package/docs/core-concepts/ai/sdk.mdx +238 -213
package/docs/core-concepts/authentication/architecture.mdx +276 -278
package/docs/core-concepts/authentication/sdk.mdx +710 -414
package/docs/core-concepts/authentication/ui-components/customization.mdx +733 -529
package/docs/core-concepts/authentication/ui-components/nextjs.mdx +247 -221
package/docs/core-concepts/authentication/ui-components/react-router.mdx +183 -184
package/docs/core-concepts/authentication/ui-components/react.mdx +136 -129
package/docs/core-concepts/database/architecture.mdx +292 -255
package/docs/core-concepts/database/pgvector.mdx +138 -0
package/docs/core-concepts/database/sdk.mdx +382 -382
package/docs/core-concepts/deployments/architecture.mdx +152 -0
package/docs/core-concepts/email/architecture.mdx +103 -0
package/docs/core-concepts/email/sdk.mdx +53 -0
package/docs/core-concepts/functions/architecture.mdx +105 -105
package/docs/core-concepts/functions/sdk.mdx +183 -184
package/docs/core-concepts/realtime/architecture.mdx +446 -0
package/docs/core-concepts/realtime/sdk.mdx +409 -0
package/docs/core-concepts/storage/architecture.mdx +243 -243
package/docs/core-concepts/storage/sdk.mdx +253 -253
package/docs/deployment/README.md +94 -94
package/docs/deployment/deploy-to-aws-ec2.md +564 -564
package/docs/deployment/deploy-to-azure-virtual-machines.md +312 -312
package/docs/deployment/deploy-to-google-cloud-compute-engine.md +613 -613
package/docs/deployment/deploy-to-render.md +441 -441
package/docs/deprecated/insforge-auth-api.md +214 -214
package/docs/deprecated/insforge-auth-sdk.md +99 -99
package/docs/deprecated/insforge-db-api.md +358 -358
package/docs/deprecated/insforge-db-sdk.md +139 -139
package/docs/deprecated/insforge-debug-sdk.md +156 -156
package/docs/deprecated/insforge-debug.md +64 -64
package/docs/deprecated/insforge-instructions.md +123 -123
package/docs/deprecated/insforge-project.md +117 -117
package/docs/deprecated/insforge-storage-api.md +278 -278
package/docs/deprecated/insforge-storage-sdk.md +158 -158
package/docs/docs.json +240 -210
package/docs/examples/framework-guides/nextjs.mdx +131 -131
package/docs/examples/framework-guides/nuxt.mdx +165 -165
package/docs/examples/framework-guides/react.mdx +165 -165
package/docs/examples/framework-guides/svelte.mdx +153 -153
package/docs/examples/framework-guides/vue.mdx +159 -159
package/docs/examples/overview.mdx +67 -67
package/docs/favicon.png +0 -0
package/docs/favicon.svg +4 -19
package/docs/images/changelog/dec-2025/ai-integration.png +0 -0
package/docs/images/changelog/dec-2025/ai-models.webp +0 -0
package/docs/images/changelog/dec-2025/alipay-payment.webp +0 -0
package/docs/images/changelog/dec-2025/apple-login.jpg +0 -0
package/docs/images/changelog/dec-2025/apple-oauth.mp4 +0 -0
package/docs/images/changelog/dec-2025/mcp-installer.png +0 -0
package/docs/images/changelog/dec-2025/moreModels.png +0 -0
package/docs/images/changelog/dec-2025/multi-region.webp +0 -0
package/docs/images/changelog/dec-2025/postgres-connection.webp +0 -0
package/docs/images/changelog/dec-2025/realtime-module.jpg +0 -0
package/docs/images/changelog/dec-2025/realtime2.png +0 -0
package/docs/images/icons/ai.svg +4 -4
package/docs/images/logos/nextjs.svg +4 -4
package/docs/images/logos/nuxt.svg +4 -4
package/docs/images/logos/react.svg +5 -5
package/docs/images/logos/svelte.svg +4 -4
package/docs/images/logos/vue.svg +5 -5
package/docs/images/mcp-setup/CC-MCP-1.mp4 +0 -0
package/docs/images/mcp-setup/CC-MCP-2.mp4 +0 -0
package/docs/images/mcp-setup/Cursor-MCP-1.mp4 +0 -0
package/docs/images/mcp-setup/Cursor-MCP-2.mp4 +0 -0
package/docs/images/mcp-setup/Cursor-MCP-3.mp4 +0 -0
package/docs/images/mcp-setup/claude-code-connect.png +0 -0
package/docs/images/mcp-setup/cline-1.png +0 -0
package/docs/images/mcp-setup/cline-2.png +0 -0
package/docs/images/mcp-setup/cline-3.png +0 -0
package/docs/images/mcp-setup/connect-project.png +0 -0
package/docs/images/mcp-setup/copilot-1.png +0 -0
package/docs/images/mcp-setup/copilot-2.png +0 -0
package/docs/images/mcp-setup/copilot-3.png +0 -0
package/docs/images/mcp-setup/mcp-json-1.png +0 -0
package/docs/images/mcp-setup/mcp-json-2.png +0 -0
package/docs/images/mcp-setup/qoder-1.png +0 -0
package/docs/images/mcp-setup/qoder-2.png +0 -0
package/docs/images/mcp-setup/roocode-1.png +0 -0
package/docs/images/mcp-setup/roocode-2.png +0 -0
package/docs/images/mcp-setup/trae-1.png +0 -0
package/docs/images/mcp-setup/trae-2.png +0 -0
package/docs/images/mcp-setup/trae-3.png +0 -0
package/docs/images/mcp-setup/trae-4.png +0 -0
package/docs/images/mcp-setup/trae-5.png +0 -0
package/docs/images/mcp-setup/windsurf-1.png +0 -0
package/docs/images/mcp-setup/windsurf-2.png +0 -0
package/docs/insforge-instructions-sdk.md +93 -88
package/docs/introduction.mdx +46 -45
package/docs/logo/dark.svg +22 -22
package/docs/logo/light.svg +20 -20
package/docs/mcp-setup.mdx +332 -0
package/docs/oauth-server.mdx +563 -0
package/docs/partnership.mdx +720 -646
package/docs/quickstart.mdx +82 -82
package/docs/showcase.mdx +52 -52
package/docs/snippets/sdk-installation.mdx +21 -21
package/docs/snippets/service-icons.mdx +27 -27
package/docs/vscode-extension.mdx +74 -0
package/eslint.config.js +1 -0
package/examples/oauth/frontend-oauth-example.html +250 -250
package/examples/response-examples.md +443 -443
package/frontend/components.json +17 -17
package/frontend/package.json +69 -69
package/frontend/src/App.tsx +8 -3
package/frontend/src/assets/icons/checkbox_checked.svg +6 -6
package/frontend/src/assets/icons/checkbox_undetermined.svg +6 -6
package/frontend/src/assets/icons/checked.svg +3 -3
package/frontend/src/assets/icons/connected.svg +3 -3
package/frontend/src/assets/icons/error.svg +3 -3
package/frontend/src/assets/icons/loader.svg +9 -9
package/frontend/src/assets/icons/pencil.svg +4 -4
package/frontend/src/assets/icons/refresh.svg +4 -4
package/frontend/src/assets/icons/step_active.svg +3 -3
package/frontend/src/assets/icons/step_inactive.svg +11 -11
package/frontend/src/assets/icons/warning.svg +3 -3
package/frontend/src/assets/logos/antigravity.svg +1 -0
package/frontend/src/assets/logos/apple.svg +3 -3
package/frontend/src/assets/logos/claude_code.svg +3 -3
package/frontend/src/assets/logos/cline.svg +6 -6
package/frontend/src/assets/logos/copilot.svg +10 -0
package/frontend/src/assets/logos/cursor.svg +20 -20
package/frontend/src/assets/logos/deepseek.svg +139 -0
package/frontend/src/assets/logos/discord.svg +8 -8
package/frontend/src/assets/logos/facebook.svg +3 -3
package/frontend/src/assets/logos/gemini.svg +19 -19
package/frontend/src/assets/logos/github.svg +5 -5
package/frontend/src/assets/logos/google.svg +13 -13
package/frontend/src/assets/logos/grok.svg +10 -10
package/frontend/src/assets/logos/insforge_dark.svg +15 -15
package/frontend/src/assets/logos/insforge_light.svg +15 -15
package/frontend/src/assets/logos/instagram.svg +1 -1
package/frontend/src/assets/logos/kiro.svg +9 -0
package/frontend/src/assets/logos/linkedin.svg +3 -3
package/frontend/src/assets/logos/openai.svg +10 -10
package/frontend/src/assets/logos/qoder.svg +4 -0
package/frontend/src/assets/logos/qwen.svg +15 -0
package/frontend/src/assets/logos/roo_code.svg +9 -9
package/frontend/src/assets/logos/spotify.svg +16 -16
package/frontend/src/assets/logos/tiktok.svg +5 -5
package/frontend/src/assets/logos/trae.svg +3 -3
package/frontend/src/assets/logos/windsurf.svg +10 -10
package/frontend/src/assets/logos/x.svg +3 -3
package/frontend/src/components/CodeBlock.tsx +2 -2
package/frontend/src/components/ConnectCTA.tsx +3 -2
package/frontend/src/components/datagrid/DataGrid.tsx +90 -62
package/frontend/src/components/datagrid/datagridTypes.tsx +2 -1
package/frontend/src/components/datagrid/index.ts +1 -1
package/frontend/src/components/index.ts +0 -1
package/frontend/src/components/layout/AppHeader.tsx +13 -37
package/frontend/src/components/layout/AppSidebar.tsx +85 -100
package/frontend/src/components/layout/Layout.tsx +34 -32
package/frontend/src/components/layout/PrimaryMenu.tsx +12 -4
package/frontend/src/components/radix/Select.tsx +151 -151
package/frontend/src/features/ai/components/AIConfigCard.tsx +200 -200
package/frontend/src/features/ai/components/AIEmptyState.tsx +23 -23
package/frontend/src/features/ai/components/ModalityFilterSidebar.tsx +102 -101
package/frontend/src/features/ai/components/ModelSelectionDialog.tsx +135 -135
package/frontend/src/features/ai/components/ModelSelectionGrid.tsx +51 -51
package/frontend/src/features/ai/components/SystemPromptDialog.tsx +118 -118
package/frontend/src/features/ai/components/index.ts +6 -6
package/frontend/src/features/ai/helpers.ts +147 -141
package/frontend/src/features/ai/{page → pages}/AIPage.tsx +166 -166
package/frontend/src/features/auth/components/AuthPreview.tsx +96 -96
package/frontend/src/features/auth/components/OAuthConfigDialog.tsx +1 -0
package/frontend/src/features/auth/components/UsersDataGrid.tsx +61 -31
package/frontend/src/features/auth/components/index.ts +5 -5
package/frontend/src/features/auth/helpers.tsx +8 -0
package/frontend/src/features/auth/{page → pages}/AuthMethodsPage.tsx +275 -275
package/frontend/src/features/auth/{page → pages}/UsersPage.tsx +0 -28
package/frontend/src/features/dashboard/{page → pages}/DashboardPage.tsx +1 -1
package/frontend/src/features/database/components/DatabaseDataGrid.tsx +0 -2
package/frontend/src/features/database/components/ForeignKeyCell.tsx +38 -11
package/frontend/src/features/database/components/ForeignKeyPopover.tsx +18 -8
package/frontend/src/features/database/components/LinkRecordModal.tsx +61 -13
package/frontend/src/features/database/components/RecordFormField.tsx +1 -1
package/frontend/src/features/database/components/SQLModal.tsx +75 -0
package/frontend/src/features/database/components/TableForm.tsx +0 -4
package/frontend/src/features/database/components/TableSidebar.tsx +0 -3
package/frontend/src/features/database/components/TablesEmptyState.tsx +1 -1
package/frontend/src/features/database/components/TemplatePreview.tsx +1 -2
package/frontend/src/features/database/constants.ts +16 -28
package/frontend/src/features/database/hooks/useCSVImport.ts +3 -2
package/frontend/src/features/database/hooks/useDatabase.ts +66 -0
package/frontend/src/features/database/hooks/useRawSQL.ts +3 -2
package/frontend/src/features/database/hooks/useTables.ts +30 -28
package/frontend/src/features/database/index.ts +1 -0
package/frontend/src/features/database/{page → pages}/FunctionsPage.tsx +29 -42
package/frontend/src/features/database/{page → pages}/IndexesPage.tsx +34 -51
package/frontend/src/features/database/{page → pages}/PoliciesPage.tsx +42 -58
package/frontend/src/features/database/{page → pages}/SQLEditorPage.tsx +2 -2
package/frontend/src/features/database/{page → pages}/TablesPage.tsx +0 -42
package/frontend/src/features/database/{page → pages}/TriggersPage.tsx +34 -51
package/frontend/src/features/database/services/advance.service.ts +1 -41
package/frontend/src/features/database/services/database.service.ts +55 -0
package/frontend/src/features/database/services/record.service.ts +4 -20
package/frontend/src/features/database/services/table.service.ts +1 -10
package/frontend/src/features/database/templates/ai-chatbot.ts +6 -6
package/frontend/src/features/database/templates/ecommerce-platform.ts +2 -2
package/frontend/src/features/database/templates/instagram-clone.ts +10 -10
package/frontend/src/features/database/templates/notion-clone.ts +8 -8
package/frontend/src/features/database/templates/reddit-clone.ts +10 -10
package/frontend/src/features/deployments/components/DeploymentRow.tsx +93 -0
package/frontend/src/features/deployments/components/DeploymentsEmptyState.tsx +15 -0
package/frontend/src/features/deployments/hooks/useDeployments.ts +157 -0
package/frontend/src/features/deployments/pages/DeploymentsPage.tsx +318 -0
package/frontend/src/features/deployments/services/deployments.service.ts +63 -0
package/frontend/src/features/functions/components/FunctionRow.tsx +72 -72
package/frontend/src/features/functions/components/FunctionsSidebar.tsx +56 -56
package/frontend/src/features/functions/components/SecretRow.tsx +3 -3
package/frontend/src/features/functions/components/index.ts +5 -5
package/frontend/src/features/functions/hooks/useFunctions.ts +5 -4
package/frontend/src/features/functions/hooks/useSecrets.ts +6 -9
package/frontend/src/features/functions/{page → pages}/FunctionsPage.tsx +21 -44
package/frontend/src/features/functions/{page → pages}/SecretsPage.tsx +118 -116
package/frontend/src/features/functions/services/function.service.ts +8 -25
package/frontend/src/features/functions/services/secret.service.ts +23 -41
package/frontend/src/features/login/{page → pages}/CloudLoginPage.tsx +125 -118
package/frontend/src/features/logs/components/LogDetailPanel.tsx +41 -0
package/frontend/src/features/logs/components/LogsDataGrid.tsx +32 -1
package/frontend/src/features/logs/components/index.ts +1 -0
package/frontend/src/features/logs/hooks/useMcpUsage.ts +13 -66
package/frontend/src/features/logs/{page → pages}/LogsPage.tsx +36 -6
package/frontend/src/features/onboard/components/ApiCredentialsSection.tsx +59 -0
package/frontend/src/features/onboard/components/ConnectionStringSection.tsx +180 -0
package/frontend/src/features/onboard/components/McpConnectionSection.tsx +159 -0
package/frontend/src/features/onboard/components/OnboardingController.tsx +68 -0
package/frontend/src/features/onboard/components/OnboardingModal.tsx +121 -267
package/frontend/src/features/onboard/components/ShowPasswordButton.tsx +21 -0
package/frontend/src/features/onboard/components/index.ts +9 -4
package/frontend/src/features/onboard/components/mcp/CursorDeeplinkGenerator.tsx +1 -1
package/frontend/src/features/onboard/components/mcp/QoderDeeplinkGenerator.tsx +36 -0
package/frontend/src/features/onboard/components/mcp/helpers.tsx +123 -98
package/frontend/src/features/onboard/components/mcp/index.ts +4 -3
package/frontend/src/features/onboard/index.ts +17 -13
package/frontend/src/features/realtime/components/ChannelRow.tsx +83 -0
package/frontend/src/features/realtime/components/EditChannelModal.tsx +246 -0
package/frontend/src/features/realtime/components/MessageRow.tsx +85 -0
package/frontend/src/features/realtime/components/RealtimeEmptyState.tsx +30 -0
package/frontend/src/features/realtime/hooks/useRealtime.ts +218 -0
package/frontend/src/features/realtime/index.ts +11 -0
package/frontend/src/features/realtime/pages/RealtimeChannelsPage.tsx +172 -0
package/frontend/src/features/realtime/pages/RealtimeMessagesPage.tsx +211 -0
package/frontend/src/features/realtime/pages/RealtimePermissionsPage.tsx +191 -0
package/frontend/src/features/realtime/services/realtime.service.ts +107 -0
package/frontend/src/features/settings/pages/SettingsPage.tsx +349 -0
package/frontend/src/features/storage/{page → pages}/StoragePage.tsx +1 -29
package/frontend/src/features/visualizer/components/AuthNode.tsx +4 -4
package/frontend/src/features/visualizer/components/SchemaVisualizer.tsx +24 -11
package/frontend/src/features/visualizer/{page → pages}/VisualizerPage.tsx +11 -36
package/frontend/src/index.css +249 -249
package/frontend/src/lib/contexts/ModalContext.tsx +35 -0
package/frontend/src/lib/contexts/SocketContext.tsx +119 -75
package/frontend/src/lib/hooks/useMetadata.ts +45 -1
package/frontend/src/lib/hooks/useModal.tsx +2 -0
package/frontend/src/lib/routing/AppRoutes.tsx +103 -84
package/frontend/src/lib/services/metadata.service.ts +20 -3
package/frontend/src/lib/utils/cloudMessaging.ts +1 -1
package/frontend/src/lib/utils/menuItems.ts +223 -183
package/frontend/src/lib/utils/utils.ts +196 -183
package/frontend/tsconfig.json +25 -25
package/frontend/tsconfig.node.json +9 -9
package/functions/deno.json +24 -24
package/functions/server.ts +6 -6
package/functions/worker-template.js +1 -1
package/i18n/README.ar.md +130 -130
package/i18n/README.de.md +130 -130
package/i18n/README.es.md +154 -154
package/i18n/README.fr.md +134 -134
package/i18n/README.hi.md +129 -129
package/i18n/README.ja.md +174 -174
package/i18n/README.ko.md +136 -136
package/i18n/README.pt-BR.md +131 -131
package/i18n/README.ru.md +129 -129
package/i18n/README.zh-CN.md +133 -133
package/openapi/ai.yaml +825 -715
package/openapi/auth.yaml +1324 -1244
package/openapi/email.yaml +158 -0
package/openapi/functions.yaml +475 -475
package/openapi/health.yaml +29 -29
package/openapi/logs.yaml +221 -223
package/openapi/metadata.yaml +175 -177
package/openapi/realtime.yaml +699 -0
package/openapi/records.yaml +381 -381
package/openapi/secrets.yaml +370 -370
package/openapi/storage.yaml +875 -875
package/openapi/tables.yaml +462 -463
package/package.json +97 -97
package/shared-schemas/package.json +31 -31
package/shared-schemas/src/ai-api.schema.ts +251 -143
package/shared-schemas/src/ai.schema.ts +8 -4
package/shared-schemas/src/auth-api.schema.ts +380 -339
package/shared-schemas/src/auth.schema.ts +18 -11
package/shared-schemas/src/cloud-events.schema.ts +26 -0
package/shared-schemas/src/database-api.schema.ts +32 -1
package/shared-schemas/src/database.schema.ts +39 -0
package/shared-schemas/src/deployments-api.schema.ts +55 -0
package/shared-schemas/src/deployments.schema.ts +30 -0
package/shared-schemas/src/docs.schema.ts +32 -0
package/shared-schemas/src/email-api.schema.ts +30 -0
package/shared-schemas/src/functions-api.schema.ts +13 -4
package/shared-schemas/src/functions.schema.ts +1 -1
package/shared-schemas/src/index.ts +22 -14
package/shared-schemas/src/metadata.schema.ts +39 -4
package/shared-schemas/src/realtime-api.schema.ts +111 -0
package/shared-schemas/src/realtime.schema.ts +143 -0
package/shared-schemas/src/secrets-api.schema.ts +44 -0
package/shared-schemas/src/secrets.schema.ts +15 -0
package/shared-schemas/tsconfig.json +21 -21
package/tsconfig.json +7 -7
package/zeabur/README.md +26 -13
package/zeabur/template.yml +1001 -1032
package/.cursor/rules/cursor-rules.mdc +0 -94
package/backend/src/types/profile.ts +0 -55
package/frontend/src/components/ProjectInfoModal.tsx +0 -128
package/frontend/src/features/database/hooks/useFullMetadata.ts +0 -18
package/test-gemini.sh +0 -35
package/test-usage-admin.sh +0 -57
package/test-usage.sh +0 -50
/package/frontend/src/features/auth/{page → pages}/ConfigurationPage.tsx +0 -0
/package/frontend/src/features/database/{page → pages}/TemplatesPage.tsx +0 -0
/package/frontend/src/features/login/{page → pages}/LoginPage.tsx +0 -0
/package/frontend/src/features/logs/{page → pages}/AuditsPage.tsx +0 -0
/package/frontend/src/features/logs/{page → pages}/MCPLogsPage.tsx +0 -0

package/openapi/auth.yaml CHANGED Viewed

@@ -1,1244 +1,1324 @@
-openapi: 3.0.3
-info:
-  title: Insforge Authentication API
-  version: 2.0.0
-  description: Authentication endpoints with separated auth and profile tables
-paths:
-  /api/auth/public-config:
-    get:
-      summary: Get public authentication configuration
-      description: Get all public authentication configuration including OAuth providers and email auth settings (public endpoint)
-      tags:
-        - Client
-      responses:
-        '200':
-          description: Public authentication configuration
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  oAuthProviders:
-                    type: array
-                    items:
-                      type: object
-                      properties:
-                        provider:
-                          type: string
-                          enum: [google, github, discord, linkedin, facebook, microsoft]
-                        useSharedKey:
-                          type: boolean
-                  requireEmailVerification:
-                    type: boolean
-                  passwordMinLength:
-                    type: integer
-                    minimum: 4
-                    maximum: 128
-                  requireNumber:
-                    type: boolean
-                  requireLowercase:
-                    type: boolean
-                  requireUppercase:
-                    type: boolean
-                  requireSpecialChar:
-                    type: boolean
-                  verifyEmailRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful email verification (if not set, shows default success page)
-                  resetPasswordRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful password reset (if not set, shows default success page)
-                  verifyEmailMethod:
-                    type: string
-                    enum: [code, link]
-                    description: Method for email verification (code = 6-digit OTP, link = magic link)
-                  resetPasswordMethod:
-                    type: string
-                    enum: [code, link]
-                    description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
-  /api/auth/config:
-    get:
-      summary: Get authentication configuration
-      description: Get current authentication settings including all configuration options (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      responses:
-        '200':
-          description: Authentication configuration
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  id:
-                    type: string
-                    format: uuid
-                  requireEmailVerification:
-                    type: boolean
-                  passwordMinLength:
-                    type: integer
-                    minimum: 4
-                    maximum: 128
-                  requireNumber:
-                    type: boolean
-                  requireLowercase:
-                    type: boolean
-                  requireUppercase:
-                    type: boolean
-                  requireSpecialChar:
-                    type: boolean
-                  verifyEmailRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful email verification (if not set, shows default success page)
-                  resetPasswordRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful password reset (if not set, shows default success page)
-                  verifyEmailMethod:
-                    type: string
-                    enum: [code, link]
-                    description: Method for email verification (code = 6-digit OTP, link = magic link)
-                  resetPasswordMethod:
-                    type: string
-                    enum: [code, link]
-                    description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
-                  signInRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful sign in
-                  createdAt:
-                    type: string
-                    format: date-time
-                  updatedAt:
-                    type: string
-                    format: date-time
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-    put:
-      summary: Update authentication configuration
-      description: Update authentication settings (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                requireEmailVerification:
-                  type: boolean
-                passwordMinLength:
-                  type: integer
-                  minimum: 4
-                  maximum: 128
-                requireNumber:
-                  type: boolean
-                requireLowercase:
-                  type: boolean
-                requireUppercase:
-                  type: boolean
-                requireSpecialChar:
-                  type: boolean
-                verifyEmailRedirectTo:
-                  type: string
-                  nullable: true
-                  description: URL to redirect users after successful email verification (if not set, shows default success page)
-                resetPasswordRedirectTo:
-                  type: string
-                  nullable: true
-                  description: URL to redirect users after successful password reset (if not set, shows default success page)
-                verifyEmailMethod:
-                  type: string
-                  enum: [code, link]
-                  description: Method for email verification (code = 6-digit OTP, link = magic link)
-                resetPasswordMethod:
-                  type: string
-                  enum: [code, link]
-                  description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
-                signInRedirectTo:
-                  type: string
-                  nullable: true
-                  description: URL to redirect users after successful sign in
-      responses:
-        '200':
-          description: Configuration updated successfully
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  id:
-                    type: string
-                    format: uuid
-                  requireEmailVerification:
-                    type: boolean
-                  passwordMinLength:
-                    type: integer
-                    minimum: 4
-                    maximum: 128
-                  requireNumber:
-                    type: boolean
-                  requireLowercase:
-                    type: boolean
-                  requireUppercase:
-                    type: boolean
-                  requireSpecialChar:
-                    type: boolean
-                  verifyEmailRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful email verification (if not set, shows default success page)
-                  resetPasswordRedirectTo:
-                    type: string
-                    nullable: true
-                    description: URL to redirect users after successful password reset (if not set, shows default success page)
-                  verifyEmailMethod:
-                    type: string
-                    enum: [code, link]
-                  resetPasswordMethod:
-                    type: string
-                    enum: [code, link]
-                  signInRedirectTo:
-                    type: string
-                    nullable: true
-                  createdAt:
-                    type: string
-                    format: date-time
-                  updatedAt:
-                    type: string
-                    format: date-time
-        '400':
-          description: Invalid request
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-  /api/auth/users:
-    post:
-      summary: Register new user
-      description: Creates a new user account
-      tags:
-          - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-                - password
-              properties:
-                email:
-                  type: string
-                  format: email
-                  example: user@example.com
-                password:
-                  type: string
-                  description: Password meeting configured requirements (check /api/auth/email/config for current requirements)
-                  example: securepassword123
-                name:
-                  type: string
-                  example: John Doe
-      responses:
-        '200':
-          description: User created successfully
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    $ref: '#/components/schemas/UserResponse'
-                  accessToken:
-                    type: string
-                    nullable: true
-                    description: JWT authentication token (null if email verification required)
-                  requireEmailVerification:
-                    type: boolean
-                    description: Whether email verification is required before login
-                  redirectTo:
-                    type: string
-                    format: uri
-                    description: Optional URL to redirect user after registration (only present if email verification not required)
-        '400':
-          description: Invalid request
-        '409':
-          description: User already exists
-    get:
-      summary: List all users (admin only)
-      description: Returns paginated list of users
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: offset
-          in: query
-          schema:
-            type: string
-            default: '0'
-          description: Number of records to skip
-        - name: limit
-          in: query
-          schema:
-            type: string
-            default: '10'
-          description: Maximum number of records to return
-        - name: search
-          in: query
-          schema:
-            type: string
-          description: Search by email or name
-      responses:
-        '200':
-          description: List of users
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  data:
-                    type: array
-                    items:
-                      $ref: '#/components/schemas/UserResponse'
-                  pagination:
-                    type: object
-                    properties:
-                      offset:
-                        type: integer
-                      limit:
-                        type: integer
-                      total:
-                        type: integer
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-    delete:
-      summary: Delete users (admin only)
-      description: Delete multiple users by their IDs
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                userIds:
-                  type: array
-                  items:
-                    type: string
-              required:
-                - userIds
-      responses:
-        '200':
-          description: Users deleted successfully
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  message:
-                    type: string
-                  deletedCount:
-                    type: integer
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-  /api/auth/users/{userId}:
-    get:
-      summary: Get specific user
-      description: Get user details by ID (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: userId
-          in: path
-          required: true
-          schema:
-            type: string
-            format: uuid
-          description: User ID
-      responses:
-        '200':
-          description: User details
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/UserResponse'
-        '400':
-          description: Invalid user ID format
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-        '404':
-          description: User not found
-  /api/auth/sessions:
-    post:
-      summary: User login
-      description: Authenticates user and returns access token
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-                - password
-              properties:
-                email:
-                  type: string
-                  format: email
-                password:
-                  type: string
-      responses:
-        '200':
-          description: Login successful
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    $ref: '#/components/schemas/UserResponse'
-                  accessToken:
-                    type: string
-                  redirectTo:
-                    type: string
-                    format: uri
-                    description: Optional URL to redirect user after login (if configured)
-        '401':
-          description: Invalid credentials
-        '403':
-          description: Email verification required
-  /api/auth/sessions/current:
-    get:
-      summary: Get current user
-      description: Returns the currently authenticated user's basic info from JWT token
-      tags:
-        - Client
-      security:
-        - bearerAuth: []
-      responses:
-        '200':
-          description: Current user info
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    type: object
-                    properties:
-                      id:
-                        type: string
-                        format: uuid
-                      email:
-                        type: string
-                        format: email
-                      role:
-                        type: string
-                        enum: [authenticated, project_admin]
-        '401':
-          description: Unauthorized
-  /api/auth/admin/sessions:
-    post:
-      summary: Admin login
-      description: Authenticates admin user for dashboard access
-      tags:
-        - Admin
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-                - password
-              properties:
-                email:
-                  type: string
-                  format: email
-                password:
-                  type: string
-      responses:
-        '200':
-          description: Admin login successful
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    $ref: '#/components/schemas/UserResponse'
-                  accessToken:
-                    type: string
-        '401':
-          description: Invalid credentials
-        '403':
-          description: User is not an admin
-  /api/auth/admin/sessions/exchange:
-    post:
-      summary: Exchange cloud provider authorization code for admin session
-      description: Verifies an authorization code/JWT from from Insforge Cloud platform and issues an internal admin session token with project_admin role
-      tags:
-        - Admin
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - code
-              properties:
-                code:
-                  type: string
-                  description: Authorization code or JWT from the Insforge
-                  example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-      responses:
-        '200':
-          description: Cloud authorization verified, admin session created
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    $ref: '#/components/schemas/UserResponse'
-                  accessToken:
-                    type: string
-                    description: Internal JWT for admin authentication
-        '400':
-          description: Invalid authorization code or JWT verification failed
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/ErrorResponse'
-  /api/auth/tokens/anon:
-    post:
-      summary: Generate anonymous token
-      description: Generate a non-expiring anonymous JWT token for public API access (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      responses:
-        '200':
-          description: Anonymous token generated successfully
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  accessToken:
-                    type: string
-                    description: Non-expiring anonymous JWT token
-                    example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
-                  message:
-                    type: string
-                    description: Success message
-                    example: "Anonymous token generated successfully (never expires)"
-        '401':
-          description: Unauthorized - requires authentication
-        '403':
-          description: Forbidden - admin access required
-  /api/auth/email/send-verification:
-    post:
-      summary: Send email verification (code or link based on config)
-      description: Send email verification using the method configured in auth settings (verifyEmailMethod). When method is 'code', sends a 6-digit numeric code. When method is 'link', sends a magic link. Prevents user enumeration by returning success even if email doesn't exist.
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-              properties:
-                email:
-                  type: string
-                  format: email
-                  example: user@example.com
-      responses:
-        '202':
-          description: Verification email sent (if email exists). Message varies based on configured method.
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  success:
-                    type: boolean
-                  message:
-                    type: string
-                    example: "If your email is registered, we have sent you a verification code/link. Please check your inbox."
-        '400':
-          description: Invalid request
-  /api/auth/email/verify:
-    post:
-      summary: Verify email with code or link
-      description: |
-        Verify email address using the method configured in auth settings (verifyEmailMethod):
-        - Code verification: Provide both `email` and `otp` (6-digit numeric code)
-        - Link verification: Provide only `otp` (64-character hex token from magic link)
-        Successfully verified users will receive a session token.
-        The email verification link sent to users always points to the backend API endpoint.
-        If `verifyEmailRedirectTo` is configured, the backend will redirect to that URL after successful verification.
-        Otherwise, a default success page is displayed.
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - otp
-              properties:
-                email:
-                  type: string
-                  format: email
-                  description: Required for numeric code verification, omit for magic link verification
-                  example: user@example.com
-                otp:
-                  type: string
-                  description: Either a 6-digit numeric code or a 64-character hex token from magic link
-                  example: "123456"
-      responses:
-        '200':
-          description: Email verified successfully, session created
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  user:
-                    $ref: '#/components/schemas/UserResponse'
-                  accessToken:
-                    type: string
-                    description: JWT authentication token
-                  redirectTo:
-                    type: string
-                    format: uri
-                    description: Optional URL to redirect user after verification (only present if configured)
-        '400':
-          description: Invalid verification code or token
-        '401':
-          description: Verification code/token expired or invalid
-  /api/auth/email/send-reset-password:
-    post:
-      summary: Send password reset (code or link based on config)
-      description: Send password reset email using the method configured in auth settings (resetPasswordMethod). When method is 'code', sends a 6-digit numeric code for two-step flow. When method is 'link', sends a magic link. Prevents user enumeration by returning success even if email doesn't exist.
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-              properties:
-                email:
-                  type: string
-                  format: email
-                  example: user@example.com
-      responses:
-        '202':
-          description: Password reset email sent (if email exists). Message varies based on configured method.
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  success:
-                    type: boolean
-                  message:
-                    type: string
-                    example: "If your email is registered, we have sent you a password reset code/link. Please check your inbox."
-        '400':
-          description: Invalid request
-  /api/auth/email/exchange-reset-password-token:
-    post:
-      summary: Exchange reset password code for reset token
-      description: |
-        Step 1 of two-step password reset flow (only used when resetPasswordMethod is 'code'):
-        1. Verify the 6-digit code sent to user's email
-        2. Return a reset token that can be used to actually reset the password
-        This endpoint is not used when resetPasswordMethod is 'link' (magic link flow is direct).
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - email
-                - code
-              properties:
-                email:
-                  type: string
-                  format: email
-                  example: user@example.com
-                code:
-                  type: string
-                  description: 6-digit numeric code from email
-                  example: "123456"
-      responses:
-        '200':
-          description: Code verified successfully, reset token returned
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  token:
-                    type: string
-                    description: Reset token to be used in reset-password endpoint
-                  expiresAt:
-                    type: string
-                    format: date-time
-                    description: Token expiration timestamp
-        '400':
-          description: Invalid request
-        '401':
-          description: Invalid or expired code
-  /api/auth/email/reset-password:
-    post:
-      summary: Reset password with token
-      description: |
-        Reset user password with a token. The token can be:
-        - Magic link token (64-character hex token from send-reset-password when method is 'link')
-        - Reset token (from exchange-reset-password-token after code verification when method is 'code')
-        Both token types use RESET_PASSWORD purpose and are verified the same way.
-        Flow summary:
-        - Code method: send-reset-password → exchange-reset-password-token → reset-password (with resetToken)
-        - Link method: send-reset-password → reset-password (with link token directly)
-      tags:
-        - Client
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - newPassword
-                - otp
-              properties:
-                newPassword:
-                  type: string
-                  description: New password meeting configured requirements
-                  example: newSecurePassword123
-                otp:
-                  type: string
-                  description: Reset token (either from magic link or from exchange-reset-password-token endpoint)
-                  example: "a1b2c3d4..."
-      responses:
-        '200':
-          description: Password reset successfully
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  message:
-                    type: string
-                    example: "Password reset successfully"
-        '400':
-          description: Invalid request or password requirements not met
-        '401':
-          description: Verification code/token expired or invalid
-  /api/auth/oauth/configs:
-    get:
-      summary: List all OAuth configurations
-      description: Get all configured OAuth providers (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      responses:
-        '200':
-          description: List of OAuth configurations
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  data:
-                    type: array
-                    items:
-                      $ref: '#/components/schemas/OAuthConfig'
-                  count:
-                    type: integer
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-    post:
-      summary: Create OAuth configuration
-      description: Create a new OAuth provider configuration (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              required:
-                - provider
-              properties:
-                provider:
-                  type: string
-                  enum: [google, github, discord, linkedin, facebook, microsoft]
-                clientId:
-                  type: string
-                clientSecret:
-                  type: string
-                redirectUri:
-                  type: string
-                scopes:
-                  type: array
-                  items:
-                    type: string
-                useSharedKey:
-                  type: boolean
-      responses:
-        '200':
-          description: OAuth configuration created
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/OAuthConfig'
-        '400':
-          description: Invalid request
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-  /api/auth/oauth/{provider}/config:
-    get:
-      summary: Get OAuth configuration for specific provider
-      description: Get OAuth configuration including client secret (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: provider
-          in: path
-          required: true
-          schema:
-            type: string
-            enum: [google, github, discord, linkedin, facebook, microsoft]
-      responses:
-        '200':
-          description: OAuth configuration
-          content:
-            application/json:
-              schema:
-                allOf:
-                  - $ref: '#/components/schemas/OAuthConfig'
-                  - type: object
-                    properties:
-                      clientSecret:
-                        type: string
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-        '404':
-          description: Configuration not found
-    put:
-      summary: Update OAuth configuration
-      description: Update OAuth provider configuration (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: provider
-          in: path
-          required: true
-          schema:
-            type: string
-            enum: [google, github, discord, linkedin, facebook, microsoft]
-      requestBody:
-        required: true
-        content:
-          application/json:
-            schema:
-              type: object
-              properties:
-                clientId:
-                  type: string
-                clientSecret:
-                  type: string
-                redirectUri:
-                  type: string
-                scopes:
-                  type: array
-                  items:
-                    type: string
-                useSharedKey:
-                  type: boolean
-      responses:
-        '200':
-          description: Configuration updated
-          content:
-            application/json:
-              schema:
-                $ref: '#/components/schemas/OAuthConfig'
-        '400':
-          description: Invalid request
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-        '404':
-          description: Configuration not found
-    delete:
-      summary: Delete OAuth configuration
-      description: Delete OAuth provider configuration (admin only)
-      tags:
-        - Admin
-      security:
-        - bearerAuth: []
-      parameters:
-        - name: provider
-          in: path
-          required: true
-          schema:
-            type: string
-            enum: [google, github, discord, linkedin, facebook, microsoft]
-      responses:
-        '200':
-          description: Configuration deleted
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  success:
-                    type: boolean
-                  message:
-                    type: string
-        '401':
-          description: Unauthorized
-        '403':
-          description: Forbidden - Admin only
-        '404':
-          description: Configuration not found
-  /api/auth/oauth/{provider}:
-    get:
-      summary: Initiate OAuth flow
-      description: Generate OAuth authorization URL for any supported provider
-      tags:
-        - Client
-      parameters:
-        - name: provider
-          in: path
-          required: true
-          schema:
-            type: string
-            enum: [google, github, discord, linkedin, facebook, microsoft]
-        - name: redirect_uri
-          in: query
-          required: true
-          schema:
-            type: string
-            format: uri
-          description: URL to redirect after authentication
-      responses:
-        '200':
-          description: OAuth authorization URL
-          content:
-            application/json:
-              schema:
-                type: object
-                properties:
-                  authUrl:
-                    type: string
-                    format: uri
-        '400':
-          description: Invalid request or provider not supported
-        '500':
-          description: OAuth not configured
-  /api/auth/oauth/shared/callback/{state}:
-    get:
-      summary: Shared OAuth callback handler
-      description: Handles OAuth callbacks from InsForge Cloud shared OAuth
-      tags:
-        - Client
-      parameters:
-        - name: state
-          in: path
-          required: true
-          schema:
-            type: string
-          description: JWT state parameter
-        - name: success
-          in: query
-          schema:
-            type: string
-          description: Success flag
-        - name: error
-          in: query
-          schema:
-            type: string
-          description: Error message
-        - name: payload
-          in: query
-          schema:
-            type: string
-          description: Base64 encoded user payload
-      responses:
-        '302':
-          description: Redirect to application with access token or error
-          headers:
-            Location:
-              schema:
-                type: string
-                format: uri
-  /api/auth/oauth/{provider}/callback:
-    get:
-      summary: Provider-specific OAuth callback
-      description: OAuth callback endpoint for provider-specific flows
-      tags:
-        - Client
-      parameters:
-        - name: provider
-          in: path
-          required: true
-          schema:
-            type: string
-            enum: [google, github, discord, linkedin, facebook, microsoft]
-        - name: code
-          in: query
-          schema:
-            type: string
-          description: Authorization code from OAuth provider
-        - name: state
-          in: query
-          required: true
-          schema:
-            type: string
-          description: JWT state with redirect URI
-        - name: token
-          in: query
-          schema:
-            type: string
-          description: Direct ID token (for some providers)
-      responses:
-        '302':
-          description: Redirect to application with access token
-          headers:
-            Location:
-              schema:
-                type: string
-                format: uri
-                description: Redirect URL with access_token, user_id, email, and name query params
-components:
-  securitySchemes:
-    bearerAuth:
-      type: http
-      scheme: bearer
-      bearerFormat: JWT
-    apiKey:
-      type: apiKey
-      in: header
-      name: x-api-key
-  schemas:
-    UserResponse:
-      type: object
-      properties:
-        id:
-          type: string
-          format: uuid
-        email:
-          type: string
-          format: email
-        name:
-          type: string
-        emailVerified:
-          type: boolean
-        identities:
-          type: array
-          items:
-            type: object
-            properties:
-              provider:
-                type: string
-        providerType:
-          type: string
-        createdAt:
-          type: string
-          format: date-time
-        updatedAt:
-          type: string
-          format: date-time
-    OAuthConfig:
-      type: object
-      properties:
-        id:
-          type: string
-          format: uuid
-        provider:
-          type: string
-          enum: [google, github, discord, linkedin, facebook, microsoft]
-        clientId:
-          type: string
-          nullable: true
-        redirectUri:
-          type: string
-          nullable: true
-        scopes:
-          type: array
-          items:
-            type: string
-          nullable: true
-        useSharedKey:
-          type: boolean
-        createdAt:
-          type: string
-          format: date-time
-        updatedAt:
-          type: string
-          format: date-time
-    AuthRecord:
-      type: object
-      properties:
-        id:
-          type: string
-          format: uuid
-        email:
-          type: string
-          format: email
-        passwordHash:
-          type: string
-          description: SHA256 hash of password
-        createdAt:
-          type: string
-          format: date-time
-        updatedAt:
-          type: string
-          format: date-time
-    ProfileRecord:
-      type: object
-      properties:
-        id:
-          type: string
-          format: uuid
-        authId:
-          type: string
-          format: uuid
-          description: Foreign key to auth table
-        name:
-          type: string
-        avatar_url:
-          type: string
-          nullable: true
-        bio:
-          type: string
-          nullable: true
-        metadata:
-          type: object
-          description: JSONB field for flexible data
-        createdAt:
-          type: string
-          format: date-time
-        updatedAt:
-          type: string
-          format: date-time
-    ErrorResponse:
-      type: object
-      required:
-        - error
-        - message
-        - statusCode
-      properties:
-        error:
-          type: string
-          description: Error code for programmatic handling
-          example: "VALIDATION_ERROR"
-        message:
-          type: string
-          description: Human-readable error message
-          example: "Email is already in use"
-        statusCode:
-          type: integer
-          description: HTTP status code
-          example: 400
-        nextActions:
-          type: string
-          description: Suggested action to resolve the error
-          example: "Please use a different email address"
+openapi: 3.0.3
+info:
+  title: Insforge Authentication API
+  version: 2.0.0
+  description: Authentication endpoints with separated auth and profile tables
+paths:
+  /api/auth/public-config:
+    get:
+      summary: Get public authentication configuration
+      description: Get all public authentication configuration including OAuth providers and email auth settings (public endpoint)
+      tags:
+        - Client
+      responses:
+        '200':
+          description: Public authentication configuration
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  oAuthProviders:
+                    type: array
+                    items:
+                      type: object
+                      properties:
+                        provider:
+                          type: string
+                          enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+                        useSharedKey:
+                          type: boolean
+                  requireEmailVerification:
+                    type: boolean
+                  passwordMinLength:
+                    type: integer
+                    minimum: 4
+                    maximum: 128
+                  requireNumber:
+                    type: boolean
+                  requireLowercase:
+                    type: boolean
+                  requireUppercase:
+                    type: boolean
+                  requireSpecialChar:
+                    type: boolean
+                  verifyEmailRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful email verification (if not set, shows default success page)
+                  resetPasswordRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful password reset (if not set, shows default success page)
+                  verifyEmailMethod:
+                    type: string
+                    enum: [code, link]
+                    description: Method for email verification (code = 6-digit OTP, link = magic link)
+                  resetPasswordMethod:
+                    type: string
+                    enum: [code, link]
+                    description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
+  /api/auth/profiles/current:
+    patch:
+      summary: Update current user's profile
+      description: Update the profile of the currently authenticated user
+      tags:
+        - Client
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - profile
+              properties:
+                profile:
+                  type: object
+                  additionalProperties: true
+                  description: Profile data (name, avatar_url, and any custom fields)
+                  properties:
+                    name:
+                      type: string
+                    avatar_url:
+                      type: string
+                      format: uri
+      responses:
+        '200':
+          description: Profile updated successfully
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ProfileResponse'
+        '400':
+          description: Invalid request
+        '401':
+          description: Unauthorized - authentication required
+  /api/auth/profiles/{userId}:
+    get:
+      summary: Get user profile by ID
+      description: Get public profile information for a user by their ID (public endpoint)
+      tags:
+        - Client
+      parameters:
+        - name: userId
+          in: path
+          required: true
+          schema:
+            type: string
+            format: uuid
+          description: User ID
+      responses:
+        '200':
+          description: User profile
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ProfileResponse'
+        '400':
+          description: Invalid user ID format
+        '404':
+          description: User not found
+  /api/auth/config:
+    get:
+      summary: Get authentication configuration
+      description: Get current authentication settings including all configuration options (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Authentication configuration
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  id:
+                    type: string
+                    format: uuid
+                  requireEmailVerification:
+                    type: boolean
+                  passwordMinLength:
+                    type: integer
+                    minimum: 4
+                    maximum: 128
+                  requireNumber:
+                    type: boolean
+                  requireLowercase:
+                    type: boolean
+                  requireUppercase:
+                    type: boolean
+                  requireSpecialChar:
+                    type: boolean
+                  verifyEmailRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful email verification (if not set, shows default success page)
+                  resetPasswordRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful password reset (if not set, shows default success page)
+                  verifyEmailMethod:
+                    type: string
+                    enum: [code, link]
+                    description: Method for email verification (code = 6-digit OTP, link = magic link)
+                  resetPasswordMethod:
+                    type: string
+                    enum: [code, link]
+                    description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
+                  signInRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful sign in
+                  createdAt:
+                    type: string
+                    format: date-time
+                  updatedAt:
+                    type: string
+                    format: date-time
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+    put:
+      summary: Update authentication configuration
+      description: Update authentication settings (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                requireEmailVerification:
+                  type: boolean
+                passwordMinLength:
+                  type: integer
+                  minimum: 4
+                  maximum: 128
+                requireNumber:
+                  type: boolean
+                requireLowercase:
+                  type: boolean
+                requireUppercase:
+                  type: boolean
+                requireSpecialChar:
+                  type: boolean
+                verifyEmailRedirectTo:
+                  type: string
+                  nullable: true
+                  description: URL to redirect users after successful email verification (if not set, shows default success page)
+                resetPasswordRedirectTo:
+                  type: string
+                  nullable: true
+                  description: URL to redirect users after successful password reset (if not set, shows default success page)
+                verifyEmailMethod:
+                  type: string
+                  enum: [code, link]
+                  description: Method for email verification (code = 6-digit OTP, link = magic link)
+                resetPasswordMethod:
+                  type: string
+                  enum: [code, link]
+                  description: Method for password reset (code = 6-digit OTP + exchange flow, link = magic link)
+                signInRedirectTo:
+                  type: string
+                  nullable: true
+                  description: URL to redirect users after successful sign in
+      responses:
+        '200':
+          description: Configuration updated successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  id:
+                    type: string
+                    format: uuid
+                  requireEmailVerification:
+                    type: boolean
+                  passwordMinLength:
+                    type: integer
+                    minimum: 4
+                    maximum: 128
+                  requireNumber:
+                    type: boolean
+                  requireLowercase:
+                    type: boolean
+                  requireUppercase:
+                    type: boolean
+                  requireSpecialChar:
+                    type: boolean
+                  verifyEmailRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful email verification (if not set, shows default success page)
+                  resetPasswordRedirectTo:
+                    type: string
+                    nullable: true
+                    description: URL to redirect users after successful password reset (if not set, shows default success page)
+                  verifyEmailMethod:
+                    type: string
+                    enum: [code, link]
+                  resetPasswordMethod:
+                    type: string
+                    enum: [code, link]
+                  signInRedirectTo:
+                    type: string
+                    nullable: true
+                  createdAt:
+                    type: string
+                    format: date-time
+                  updatedAt:
+                    type: string
+                    format: date-time
+        '400':
+          description: Invalid request
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+  /api/auth/users:
+    post:
+      summary: Register new user
+      description: Creates a new user account
+      tags:
+          - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+                - password
+              properties:
+                email:
+                  type: string
+                  format: email
+                  example: user@example.com
+                password:
+                  type: string
+                  description: Password meeting configured requirements (check /api/auth/email/config for current requirements)
+                  example: securepassword123
+                name:
+                  type: string
+                  example: John Doe
+      responses:
+        '200':
+          description: User created successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    $ref: '#/components/schemas/UserResponse'
+                  accessToken:
+                    type: string
+                    nullable: true
+                    description: JWT authentication token (null if email verification required)
+                  requireEmailVerification:
+                    type: boolean
+                    description: Whether email verification is required before login
+                  redirectTo:
+                    type: string
+                    format: uri
+                    description: Optional URL to redirect user after registration (only present if email verification not required)
+        '400':
+          description: Invalid request
+        '409':
+          description: User already exists
+    get:
+      summary: List all users (admin only)
+      description: Returns paginated list of users
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: offset
+          in: query
+          schema:
+            type: string
+            default: '0'
+          description: Number of records to skip
+        - name: limit
+          in: query
+          schema:
+            type: string
+            default: '10'
+          description: Maximum number of records to return
+        - name: search
+          in: query
+          schema:
+            type: string
+          description: Search by email or name
+      responses:
+        '200':
+          description: List of users
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  data:
+                    type: array
+                    items:
+                      $ref: '#/components/schemas/UserResponse'
+                  pagination:
+                    type: object
+                    properties:
+                      offset:
+                        type: integer
+                      limit:
+                        type: integer
+                      total:
+                        type: integer
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+    delete:
+      summary: Delete users (admin only)
+      description: Delete multiple users by their IDs
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                userIds:
+                  type: array
+                  items:
+                    type: string
+              required:
+                - userIds
+      responses:
+        '200':
+          description: Users deleted successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  message:
+                    type: string
+                  deletedCount:
+                    type: integer
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+  /api/auth/users/{userId}:
+    get:
+      summary: Get specific user
+      description: Get user details by ID (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: userId
+          in: path
+          required: true
+          schema:
+            type: string
+            format: uuid
+          description: User ID
+      responses:
+        '200':
+          description: User details
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/UserResponse'
+        '400':
+          description: Invalid user ID format
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+        '404':
+          description: User not found
+  /api/auth/sessions:
+    post:
+      summary: User login
+      description: Authenticates user and returns access token
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+                - password
+              properties:
+                email:
+                  type: string
+                  format: email
+                password:
+                  type: string
+      responses:
+        '200':
+          description: Login successful
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    $ref: '#/components/schemas/UserResponse'
+                  accessToken:
+                    type: string
+                  redirectTo:
+                    type: string
+                    format: uri
+                    description: Optional URL to redirect user after login (if configured)
+        '401':
+          description: Invalid credentials
+        '403':
+          description: Email verification required
+  /api/auth/sessions/current:
+    get:
+      summary: Get current user
+      description: Returns the currently authenticated user's basic info from JWT token
+      tags:
+        - Client
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Current user info
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    type: object
+                    properties:
+                      id:
+                        type: string
+                        format: uuid
+                      email:
+                        type: string
+                        format: email
+                      role:
+                        type: string
+                        enum: [authenticated, project_admin]
+        '401':
+          description: Unauthorized
+  /api/auth/admin/sessions:
+    post:
+      summary: Admin login
+      description: Authenticates admin user for dashboard access
+      tags:
+        - Admin
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+                - password
+              properties:
+                email:
+                  type: string
+                  format: email
+                password:
+                  type: string
+      responses:
+        '200':
+          description: Admin login successful
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    $ref: '#/components/schemas/UserResponse'
+                  accessToken:
+                    type: string
+        '401':
+          description: Invalid credentials
+        '403':
+          description: User is not an admin
+  /api/auth/admin/sessions/exchange:
+    post:
+      summary: Exchange cloud provider authorization code for admin session
+      description: Verifies an authorization code/JWT from from Insforge Cloud platform and issues an internal admin session token with project_admin role
+      tags:
+        - Admin
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - code
+              properties:
+                code:
+                  type: string
+                  description: Authorization code or JWT from the Insforge
+                  example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+      responses:
+        '200':
+          description: Cloud authorization verified, admin session created
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    $ref: '#/components/schemas/UserResponse'
+                  accessToken:
+                    type: string
+                    description: Internal JWT for admin authentication
+        '400':
+          description: Invalid authorization code or JWT verification failed
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ErrorResponse'
+  /api/auth/tokens/anon:
+    post:
+      summary: Generate anonymous token
+      description: Generate a non-expiring anonymous JWT token for public API access (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: Anonymous token generated successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  accessToken:
+                    type: string
+                    description: Non-expiring anonymous JWT token
+                    example: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
+                  message:
+                    type: string
+                    description: Success message
+                    example: "Anonymous token generated successfully (never expires)"
+        '401':
+          description: Unauthorized - requires authentication
+        '403':
+          description: Forbidden - admin access required
+  /api/auth/email/send-verification:
+    post:
+      summary: Send email verification (code or link based on config)
+      description: Send email verification using the method configured in auth settings (verifyEmailMethod). When method is 'code', sends a 6-digit numeric code. When method is 'link', sends a magic link. Prevents user enumeration by returning success even if email doesn't exist.
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+              properties:
+                email:
+                  type: string
+                  format: email
+                  example: user@example.com
+      responses:
+        '202':
+          description: Verification email sent (if email exists). Message varies based on configured method.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                  message:
+                    type: string
+                    example: "If your email is registered, we have sent you a verification code/link. Please check your inbox."
+        '400':
+          description: Invalid request
+  /api/auth/email/verify:
+    post:
+      summary: Verify email with code or link
+      description: |
+        Verify email address using the method configured in auth settings (verifyEmailMethod):
+        - Code verification: Provide both `email` and `otp` (6-digit numeric code)
+        - Link verification: Provide only `otp` (64-character hex token from magic link)
+        Successfully verified users will receive a session token.
+        The email verification link sent to users always points to the backend API endpoint.
+        If `verifyEmailRedirectTo` is configured, the backend will redirect to that URL after successful verification.
+        Otherwise, a default success page is displayed.
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - otp
+              properties:
+                email:
+                  type: string
+                  format: email
+                  description: Required for numeric code verification, omit for magic link verification
+                  example: user@example.com
+                otp:
+                  type: string
+                  description: Either a 6-digit numeric code or a 64-character hex token from magic link
+                  example: "123456"
+      responses:
+        '200':
+          description: Email verified successfully, session created
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  user:
+                    $ref: '#/components/schemas/UserResponse'
+                  accessToken:
+                    type: string
+                    description: JWT authentication token
+                  redirectTo:
+                    type: string
+                    format: uri
+                    description: Optional URL to redirect user after verification (only present if configured)
+        '400':
+          description: Invalid verification code or token
+        '401':
+          description: Verification code/token expired or invalid
+  /api/auth/email/send-reset-password:
+    post:
+      summary: Send password reset (code or link based on config)
+      description: Send password reset email using the method configured in auth settings (resetPasswordMethod). When method is 'code', sends a 6-digit numeric code for two-step flow. When method is 'link', sends a magic link. Prevents user enumeration by returning success even if email doesn't exist.
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+              properties:
+                email:
+                  type: string
+                  format: email
+                  example: user@example.com
+      responses:
+        '202':
+          description: Password reset email sent (if email exists). Message varies based on configured method.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                  message:
+                    type: string
+                    example: "If your email is registered, we have sent you a password reset code/link. Please check your inbox."
+        '400':
+          description: Invalid request
+  /api/auth/email/exchange-reset-password-token:
+    post:
+      summary: Exchange reset password code for reset token
+      description: |
+        Step 1 of two-step password reset flow (only used when resetPasswordMethod is 'code'):
+        1. Verify the 6-digit code sent to user's email
+        2. Return a reset token that can be used to actually reset the password
+        This endpoint is not used when resetPasswordMethod is 'link' (magic link flow is direct).
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - email
+                - code
+              properties:
+                email:
+                  type: string
+                  format: email
+                  example: user@example.com
+                code:
+                  type: string
+                  description: 6-digit numeric code from email
+                  example: "123456"
+      responses:
+        '200':
+          description: Code verified successfully, reset token returned
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  token:
+                    type: string
+                    description: Reset token to be used in reset-password endpoint
+                  expiresAt:
+                    type: string
+                    format: date-time
+                    description: Token expiration timestamp
+        '400':
+          description: Invalid request
+        '401':
+          description: Invalid or expired code
+  /api/auth/email/reset-password:
+    post:
+      summary: Reset password with token
+      description: |
+        Reset user password with a token. The token can be:
+        - Magic link token (64-character hex token from send-reset-password when method is 'link')
+        - Reset token (from exchange-reset-password-token after code verification when method is 'code')
+        Both token types use RESET_PASSWORD purpose and are verified the same way.
+        Flow summary:
+        - Code method: send-reset-password → exchange-reset-password-token → reset-password (with resetToken)
+        - Link method: send-reset-password → reset-password (with link token directly)
+      tags:
+        - Client
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - newPassword
+                - otp
+              properties:
+                newPassword:
+                  type: string
+                  description: New password meeting configured requirements
+                  example: newSecurePassword123
+                otp:
+                  type: string
+                  description: Reset token (either from magic link or from exchange-reset-password-token endpoint)
+                  example: "a1b2c3d4..."
+      responses:
+        '200':
+          description: Password reset successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  message:
+                    type: string
+                    example: "Password reset successfully"
+        '400':
+          description: Invalid request or password requirements not met
+        '401':
+          description: Verification code/token expired or invalid
+  /api/auth/oauth/configs:
+    get:
+      summary: List all OAuth configurations
+      description: Get all configured OAuth providers (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      responses:
+        '200':
+          description: List of OAuth configurations
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  data:
+                    type: array
+                    items:
+                      $ref: '#/components/schemas/OAuthConfig'
+                  count:
+                    type: integer
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+    post:
+      summary: Create OAuth configuration
+      description: Create a new OAuth provider configuration (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              required:
+                - provider
+              properties:
+                provider:
+                  type: string
+                  enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+                clientId:
+                  type: string
+                clientSecret:
+                  type: string
+                redirectUri:
+                  type: string
+                scopes:
+                  type: array
+                  items:
+                    type: string
+                useSharedKey:
+                  type: boolean
+      responses:
+        '200':
+          description: OAuth configuration created
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/OAuthConfig'
+        '400':
+          description: Invalid request
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+  /api/auth/oauth/{provider}/config:
+    get:
+      summary: Get OAuth configuration for specific provider
+      description: Get OAuth configuration including client secret (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: provider
+          in: path
+          required: true
+          schema:
+            type: string
+            enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+      responses:
+        '200':
+          description: OAuth configuration
+          content:
+            application/json:
+              schema:
+                allOf:
+                  - $ref: '#/components/schemas/OAuthConfig'
+                  - type: object
+                    properties:
+                      clientSecret:
+                        type: string
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+        '404':
+          description: Configuration not found
+    put:
+      summary: Update OAuth configuration
+      description: Update OAuth provider configuration (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: provider
+          in: path
+          required: true
+          schema:
+            type: string
+            enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                clientId:
+                  type: string
+                clientSecret:
+                  type: string
+                redirectUri:
+                  type: string
+                scopes:
+                  type: array
+                  items:
+                    type: string
+                useSharedKey:
+                  type: boolean
+      responses:
+        '200':
+          description: Configuration updated
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/OAuthConfig'
+        '400':
+          description: Invalid request
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+        '404':
+          description: Configuration not found
+    delete:
+      summary: Delete OAuth configuration
+      description: Delete OAuth provider configuration (admin only)
+      tags:
+        - Admin
+      security:
+        - bearerAuth: []
+      parameters:
+        - name: provider
+          in: path
+          required: true
+          schema:
+            type: string
+            enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+      responses:
+        '200':
+          description: Configuration deleted
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                  message:
+                    type: string
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden - Admin only
+        '404':
+          description: Configuration not found
+  /api/auth/oauth/{provider}:
+    get:
+      summary: Initiate OAuth flow
+      description: Generate OAuth authorization URL for any supported provider
+      tags:
+        - Client
+      parameters:
+        - name: provider
+          in: path
+          required: true
+          schema:
+            type: string
+            enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+        - name: redirect_uri
+          in: query
+          required: true
+          schema:
+            type: string
+            format: uri
+          description: URL to redirect after authentication
+      responses:
+        '200':
+          description: OAuth authorization URL
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  authUrl:
+                    type: string
+                    format: uri
+        '400':
+          description: Invalid request or provider not supported
+        '500':
+          description: OAuth not configured
+  /api/auth/oauth/shared/callback/{state}:
+    get:
+      summary: Shared OAuth callback handler
+      description: Handles OAuth callbacks from InsForge Cloud shared OAuth
+      tags:
+        - Client
+      parameters:
+        - name: state
+          in: path
+          required: true
+          schema:
+            type: string
+          description: JWT state parameter
+        - name: success
+          in: query
+          schema:
+            type: string
+          description: Success flag
+        - name: error
+          in: query
+          schema:
+            type: string
+          description: Error message
+        - name: payload
+          in: query
+          schema:
+            type: string
+          description: Base64 encoded user payload
+      responses:
+        '302':
+          description: Redirect to application with access token or error
+          headers:
+            Location:
+              schema:
+                type: string
+                format: uri
+  /api/auth/oauth/{provider}/callback:
+    get:
+      summary: Provider-specific OAuth callback
+      description: OAuth callback endpoint for provider-specific flows
+      tags:
+        - Client
+      parameters:
+        - name: provider
+          in: path
+          required: true
+          schema:
+            type: string
+            enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+        - name: code
+          in: query
+          schema:
+            type: string
+          description: Authorization code from OAuth provider
+        - name: state
+          in: query
+          required: true
+          schema:
+            type: string
+          description: JWT state with redirect URI
+        - name: token
+          in: query
+          schema:
+            type: string
+          description: Direct ID token (for some providers)
+      responses:
+        '302':
+          description: Redirect to application with access token
+          headers:
+            Location:
+              schema:
+                type: string
+                format: uri
+                description: Redirect URL with access_token, user_id, email, and name query params
+components:
+  securitySchemes:
+    bearerAuth:
+      type: http
+      scheme: bearer
+      bearerFormat: JWT
+    apiKey:
+      type: apiKey
+      in: header
+      name: x-api-key
+  schemas:
+    UserResponse:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        email:
+          type: string
+          format: email
+        metadata:
+          type: object
+          additionalProperties: true
+        emailVerified:
+          type: boolean
+        providers:
+          type: array
+          items:
+            type: string
+        createdAt:
+          type: string
+          format: date-time
+        updatedAt:
+          type: string
+          format: date-time
+    ProfileResponse:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+          description: User ID
+        profile:
+          type: object
+          nullable: true
+          additionalProperties: true
+          description: User profile data (can contain custom fields)
+          properties:
+            name:
+              type: string
+            avatar_url:
+              type: string
+              format: uri
+    OAuthConfig:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        provider:
+          type: string
+          enum: [google, github, discord, linkedin, facebook, instagram, tiktok, apple, x, spotify, microsoft]
+        clientId:
+          type: string
+          nullable: true
+        redirectUri:
+          type: string
+          nullable: true
+        scopes:
+          type: array
+          items:
+            type: string
+          nullable: true
+        useSharedKey:
+          type: boolean
+        createdAt:
+          type: string
+          format: date-time
+        updatedAt:
+          type: string
+          format: date-time
+    AuthRecord:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        email:
+          type: string
+          format: email
+        passwordHash:
+          type: string
+          description: SHA256 hash of password
+        createdAt:
+          type: string
+          format: date-time
+        updatedAt:
+          type: string
+          format: date-time
+    ProfileRecord:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        authId:
+          type: string
+          format: uuid
+          description: Foreign key to auth table
+        name:
+          type: string
+        avatar_url:
+          type: string
+          nullable: true
+        bio:
+          type: string
+          nullable: true
+        metadata:
+          type: object
+          description: JSONB field for flexible data
+        createdAt:
+          type: string
+          format: date-time
+        updatedAt:
+          type: string
+          format: date-time
+    ErrorResponse:
+      type: object
+      required:
+        - error
+        - message
+        - statusCode
+      properties:
+        error:
+          type: string
+          description: Error code for programmatic handling
+          example: "VALIDATION_ERROR"
+        message:
+          type: string
+          description: Human-readable error message
+          example: "Email is already in use"
+        statusCode:
+          type: integer
+          description: HTTP status code
+          example: 400
+        nextActions:
+          type: string
+          description: Suggested action to resolve the error
+          example: "Please use a different email address"