insforge 1.2.10 → 1.4.8

package/backend/src/api/routes/realtime/permissions.routes.ts

@@ -0,0 +1,19 @@
+import { Router, Response, NextFunction } from 'express';
+import { verifyAdmin, AuthRequest } from '@/api/middlewares/auth.js';
+import { RealtimeChannelService } from '@/services/realtime/realtime-channel.service.js';
+import { successResponse } from '@/utils/response.js';
+
+const router = Router();
+const channelService = RealtimeChannelService.getInstance();
+
+// Get realtime RLS permissions (subscribe on channels, publish on messages)
+router.get('/', verifyAdmin, async (_req: AuthRequest, res: Response, next: NextFunction) => {
+  try {
+    const permissions = await channelService.getPermissions();
+    successResponse(res, permissions);
+  } catch (error) {
+    next(error);
+  }
+});
+
+export { router as permissionsRouter };

package/backend/src/api/routes/storage/index.routes.ts

@@ -79,9 +79,12 @@ router.post(
       });
 
       const socket = SocketManager.getInstance();
-      socket.broadcastToRoom('role:project_admin', ServerEvents.DATA_UPDATE, {
-        resource: DataUpdateResourceType.BUCKETS,
-      });
+      socket.broadcastToRoom(
+        'role:project_admin',
+        ServerEvents.DATA_UPDATE,
+        { resource: DataUpdateResourceType.BUCKETS },
+        'system'
+      );
 
       const accessInfo = isPublic
         ? 'This is a PUBLIC bucket - objects can be accessed without authentication.'
@@ -150,12 +153,12 @@ router.patch(
       });
 
       const socket = SocketManager.getInstance();
-      socket.broadcastToRoom('role:project_admin', ServerEvents.DATA_UPDATE, {
-        resource: DataUpdateResourceType.BUCKETS,
-        data: {
-          bucketName,
-        },
-      });
+      socket.broadcastToRoom(
+        'role:project_admin',
+        ServerEvents.DATA_UPDATE,
+        { resource: DataUpdateResourceType.BUCKETS, data: { bucketName } },
+        'system'
+      );
 
       const accessInfo = isPublic
         ? 'Bucket is now PUBLIC - objects can be accessed without authentication.'
@@ -379,9 +382,12 @@ router.delete(
       });
 
       const socket = SocketManager.getInstance();
-      socket.broadcastToRoom('role:project_admin', ServerEvents.DATA_UPDATE, {
-        resource: DataUpdateResourceType.BUCKETS,
-      });
+      socket.broadcastToRoom(
+        'role:project_admin',
+        ServerEvents.DATA_UPDATE,
+        { resource: DataUpdateResourceType.BUCKETS },
+        'system'
+      );
 
       successResponse(
         res,

package/backend/src/api/routes/usage/index.routes.ts

@@ -33,10 +33,12 @@ usageRouter.post(
       // Broadcast MCP tool usage to frontend via socket
       const socketService = SocketManager.getInstance();
 
-      socketService.broadcastToRoom('role:project_admin', ServerEvents.MCP_CONNECTED, {
-        tool_name,
-        created_at: result.created_at,
-      });
+      socketService.broadcastToRoom(
+        'role:project_admin',
+        ServerEvents.MCP_CONNECTED,
+        { tool_name, created_at: result.created_at },
+        'system'
+      );
 
       successResponse(res, { success: true });
     } catch (error) {

package/backend/src/api/routes/webhooks/index.routes.ts

@@ -0,0 +1,109 @@
+import crypto from 'crypto';
+import { Router, Request, Response, NextFunction } from 'express';
+import { DeploymentService } from '@/services/deployments/deployment.service.js';
+import { SecretService } from '@/services/secrets/secret.service.js';
+import { AppError } from '@/api/middlewares/error.js';
+import { ERROR_CODES } from '@/types/error-constants.js';
+import {
+  VERCEL_EVENT_TO_STATUS,
+  type VercelWebhookPayload,
+  type VercelDeploymentEventType,
+} from '@/types/webhooks.js';
+import logger from '@/utils/logger.js';
+
+const router = Router();
+const deploymentService = DeploymentService.getInstance();
+const secretService = SecretService.getInstance();
+
+/**
+ * Vercel webhook endpoint
+ * POST /api/webhooks/vercel
+ *
+ * Receives deployment events from Vercel and updates the database accordingly.
+ * Verifies the request using HMAC-SHA1 signature in x-vercel-signature header.
+ */
+router.post('/vercel', async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const signature = req.headers['x-vercel-signature'] as string | undefined;
+
+    if (!signature) {
+      throw new AppError('Missing x-vercel-signature header', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
+    }
+
+    // Get the webhook secret from secrets service
+    const webhookSecret = await secretService.getSecretByKey('VERCEL_WEBHOOK_SECRET');
+
+    if (!webhookSecret) {
+      logger.error('VERCEL_WEBHOOK_SECRET not found in secrets');
+      throw new AppError('Webhook not configured', 500, ERROR_CODES.INTERNAL_ERROR);
+    }
+
+    // req.body is raw Buffer (express.raw middleware applied in server.ts)
+    const rawBody = req.body as Buffer;
+
+    // Verify the signature using HMAC-SHA1 on original bytes
+    const expectedSignature = crypto
+      .createHmac('sha1', webhookSecret)
+      .update(rawBody)
+      .digest('hex');
+
+    // Use timing-safe comparison to prevent timing attacks
+    const signatureBuffer = Buffer.from(signature);
+    const expectedBuffer = Buffer.from(expectedSignature);
+
+    if (
+      signatureBuffer.length !== expectedBuffer.length ||
+      !crypto.timingSafeEqual(signatureBuffer, expectedBuffer)
+    ) {
+      logger.warn('Invalid Vercel webhook signature');
+      throw new AppError('Invalid signature', 401, ERROR_CODES.AUTH_UNAUTHORIZED);
+    }
+
+    // Parse the webhook payload after signature verification
+    const webhookPayload = JSON.parse(rawBody.toString()) as VercelWebhookPayload;
+    const eventType = webhookPayload.type;
+
+    // Check if this is a deployment event we handle
+    if (!(eventType in VERCEL_EVENT_TO_STATUS)) {
+      logger.info('Ignoring unhandled Vercel webhook event', { eventType });
+      return res.status(200).json({ received: true, handled: false });
+    }
+
+    const status = VERCEL_EVENT_TO_STATUS[eventType as VercelDeploymentEventType];
+    const deploymentId = webhookPayload.payload.deployment.id;
+    const url = webhookPayload.payload.deployment.url
+      ? `https://${webhookPayload.payload.deployment.url}`
+      : null;
+
+    // Update the deployment in our database
+    const deployment = await deploymentService.updateDeploymentFromWebhook(
+      deploymentId,
+      status,
+      url,
+      {
+        webhookEventId: webhookPayload.id,
+        webhookEventType: eventType,
+        target: webhookPayload.payload.target,
+        projectId: webhookPayload.payload.project?.id,
+      }
+    );
+
+    if (!deployment) {
+      // Deployment not found in our database - this is ok, might be from another source
+      logger.info('Deployment not found for webhook, ignoring', { deploymentId });
+      return res.status(200).json({ received: true, handled: false });
+    }
+
+    logger.info('Vercel webhook processed successfully', {
+      eventType,
+      deploymentId,
+      status,
+    });
+
+    res.status(200).json({ received: true, handled: true });
+  } catch (error) {
+    next(error);
+  }
+});
+
+export { router as webhooksRouter };

package/backend/src/infra/database/database.manager.ts

@@ -1,4 +1,4 @@
-import { Pool } from 'pg';
+import { Pool, Client } from 'pg';
 import path from 'path';
 import fs from 'fs/promises';
 import { fileURLToPath } from 'url';
@@ -37,14 +37,6 @@ export class DatabaseManager {
       idleTimeoutMillis: 30000,
       connectionTimeoutMillis: 2000,
     });
-
-    const client = await this.pool.connect();
-    await client.query('BEGIN');
-
-    // Note: Schema migrations are now handled by node-pg-migrate
-    // Run: npm run migrate:up
-
-    await client.query('COMMIT');
   }
 
   static async getColumnTypeMap(tableName: string): Promise<Record<string, string>> {
@@ -74,7 +66,6 @@ export class DatabaseManager {
           FROM information_schema.tables
           WHERE table_schema = 'public'
           AND table_type = 'BASE TABLE'
-          AND (table_name NOT LIKE '\\_%')
           ORDER BY table_name
         `
       );
@@ -100,7 +91,6 @@ export class DatabaseManager {
               FROM information_schema.tables
               WHERE table_schema = 'public'
               AND table_type = 'BASE TABLE'
-              AND (table_name NOT LIKE '\\_%')
               ORDER BY table_name
             `
             );
@@ -163,6 +153,19 @@ export class DatabaseManager {
     return this.pool;
   }
 
+  /**
+   * Create a dedicated client for operations that can't use pooled connections (e.g., LISTEN/NOTIFY)
+   */
+  createClient(): Client {
+    return new Client({
+      host: process.env.POSTGRES_HOST || 'localhost',
+      port: parseInt(process.env.POSTGRES_PORT || '5432'),
+      database: process.env.POSTGRES_DB || 'insforge',
+      user: process.env.POSTGRES_USER || 'postgres',
+      password: process.env.POSTGRES_PASSWORD || 'postgres',
+    });
+  }
+
   async close(): Promise<void> {
     await this.pool.end();
   }

package/backend/src/infra/database/migrations/000_create-base-tables.sql

@@ -1,142 +1,142 @@
--- Migration: 000 - Create base system tables
--- This migration creates all the initial tables that the application needs
-
--- System configuration
-CREATE TABLE IF NOT EXISTS _config (
-  key TEXT PRIMARY KEY,
-  value TEXT NOT NULL,
-  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
-  updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
-);
-
--- App metadata
-CREATE TABLE IF NOT EXISTS _metadata (
-  key TEXT PRIMARY KEY,
-  value TEXT,
-  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
-  updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
-);
-
--- Storage buckets table to track bucket-level settings
-CREATE TABLE IF NOT EXISTS _storage_buckets (
-  name TEXT PRIMARY KEY,
-  public BOOLEAN DEFAULT TRUE,
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW()
-);
-
--- Storage files table
-CREATE TABLE IF NOT EXISTS _storage (
-  bucket TEXT NOT NULL,
-  key TEXT NOT NULL,
-  size INTEGER NOT NULL,
-  mime_type TEXT,
-  uploaded_at TIMESTAMPTZ DEFAULT NOW(),
-  PRIMARY KEY (bucket, key),
-  FOREIGN KEY (bucket) REFERENCES _storage_buckets(name) ON DELETE CASCADE
-);
-
--- MCP usage tracking table
-CREATE TABLE IF NOT EXISTS _mcp_usage (
-  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  tool_name VARCHAR(255) NOT NULL,
-  success BOOLEAN DEFAULT true,
-  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
-);
-
--- AI configurations table
-CREATE TABLE IF NOT EXISTS _ai_configs (
-  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
-  modality VARCHAR(255) NOT NULL,
-  provider VARCHAR(255) NOT NULL,
-  model_id VARCHAR(255) UNIQUE NOT NULL,
-  system_prompt TEXT,
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW()
-);
-
-CREATE TABLE IF NOT EXISTS _ai_usage (
-  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
-  config_id UUID NOT NULL,
-  input_tokens INT,
-  output_tokens INT,
-  image_count INT,
-  image_resolution TEXT,
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  FOREIGN KEY (config_id) REFERENCES _ai_configs(id) ON DELETE NO ACTION
-);
-
--- Indexes for AI tables
-CREATE INDEX IF NOT EXISTS idx_ai_usage_config_id ON _ai_usage(config_id);
-CREATE INDEX IF NOT EXISTS idx_ai_usage_created_at ON _ai_usage(created_at DESC);
-
--- Index for efficient date range queries
-CREATE INDEX IF NOT EXISTS idx_mcp_usage_created_at ON _mcp_usage(created_at DESC);
-
--- Edge functions
-CREATE TABLE IF NOT EXISTS _edge_functions (
-  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
-  slug VARCHAR(255) UNIQUE NOT NULL,
-  name VARCHAR(255) NOT NULL,
-  description TEXT,
-  code TEXT NOT NULL,
-  status VARCHAR(50) DEFAULT 'draft',
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW(),
-  deployed_at TIMESTAMPTZ
-);
-
--- Auth Tables (2-table structure)
--- User table
-CREATE TABLE IF NOT EXISTS _user (
-  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  email TEXT UNIQUE NOT NULL,
-  password TEXT, -- NULL for OAuth-only users
-  name TEXT,
-  email_verified BOOLEAN DEFAULT false,
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW()
-);
-
--- Account table (for OAuth connections)
-CREATE TABLE IF NOT EXISTS _account (
-  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  user_id UUID NOT NULL REFERENCES _user(id) ON DELETE CASCADE,
-  provider TEXT NOT NULL, -- OAuth provider name: 'google', 'github', etc.
-  provider_account_id TEXT NOT NULL, -- User's unique ID on the provider's system
-  access_token TEXT, -- OAuth access token for making API calls to provider
-  refresh_token TEXT, -- OAuth refresh token for renewing access
-  provider_data JSONB, -- OAuth provider's user profile
-  created_at TIMESTAMPTZ DEFAULT NOW(),
-  updated_at TIMESTAMPTZ DEFAULT NOW(),
-  UNIQUE(provider, provider_account_id)
-);
-
--- Create update timestamp function
-CREATE OR REPLACE FUNCTION update_updated_at_column()
-RETURNS TRIGGER AS $$
-BEGIN
-  NEW.updated_at = NOW();
-  RETURN NEW;
-END;
-$$ language 'plpgsql';
-
--- Create triggers for updated_at
-DROP TRIGGER IF EXISTS update__config_updated_at ON _config;
-CREATE TRIGGER update__config_updated_at BEFORE UPDATE ON _config
-FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
-
-DROP TRIGGER IF EXISTS update__metadata_updated_at ON _metadata;
-CREATE TRIGGER update__metadata_updated_at BEFORE UPDATE ON _metadata
-FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
-
-DROP TRIGGER IF EXISTS update__edge_functions_updated_at ON _edge_functions;
-CREATE TRIGGER update__edge_functions_updated_at BEFORE UPDATE ON _edge_functions
-FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
-
--- Insert initial metadata
-INSERT INTO _metadata (key, value) VALUES ('version', '1.0.0')
-ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value;
-
-INSERT INTO _metadata (key, value) VALUES ('created_at', NOW()::TEXT)
+-- Migration: 000 - Create base system tables
+-- This migration creates all the initial tables that the application needs
+
+-- System configuration
+CREATE TABLE IF NOT EXISTS _config (
+  key TEXT PRIMARY KEY,
+  value TEXT NOT NULL,
+  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
+);
+
+-- App metadata
+CREATE TABLE IF NOT EXISTS _metadata (
+  key TEXT PRIMARY KEY,
+  value TEXT,
+  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP,
+  updated_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
+);
+
+-- Storage buckets table to track bucket-level settings
+CREATE TABLE IF NOT EXISTS _storage_buckets (
+  name TEXT PRIMARY KEY,
+  public BOOLEAN DEFAULT TRUE,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Storage files table
+CREATE TABLE IF NOT EXISTS _storage (
+  bucket TEXT NOT NULL,
+  key TEXT NOT NULL,
+  size INTEGER NOT NULL,
+  mime_type TEXT,
+  uploaded_at TIMESTAMPTZ DEFAULT NOW(),
+  PRIMARY KEY (bucket, key),
+  FOREIGN KEY (bucket) REFERENCES _storage_buckets(name) ON DELETE CASCADE
+);
+
+-- MCP usage tracking table
+CREATE TABLE IF NOT EXISTS _mcp_usage (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  tool_name VARCHAR(255) NOT NULL,
+  success BOOLEAN DEFAULT true,
+  created_at TIMESTAMPTZ DEFAULT CURRENT_TIMESTAMP
+);
+
+-- AI configurations table
+CREATE TABLE IF NOT EXISTS _ai_configs (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  modality VARCHAR(255) NOT NULL,
+  provider VARCHAR(255) NOT NULL,
+  model_id VARCHAR(255) UNIQUE NOT NULL,
+  system_prompt TEXT,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+CREATE TABLE IF NOT EXISTS _ai_usage (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  config_id UUID NOT NULL,
+  input_tokens INT,
+  output_tokens INT,
+  image_count INT,
+  image_resolution TEXT,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  FOREIGN KEY (config_id) REFERENCES _ai_configs(id) ON DELETE NO ACTION
+);
+
+-- Indexes for AI tables
+CREATE INDEX IF NOT EXISTS idx_ai_usage_config_id ON _ai_usage(config_id);
+CREATE INDEX IF NOT EXISTS idx_ai_usage_created_at ON _ai_usage(created_at DESC);
+
+-- Index for efficient date range queries
+CREATE INDEX IF NOT EXISTS idx_mcp_usage_created_at ON _mcp_usage(created_at DESC);
+
+-- Edge functions
+CREATE TABLE IF NOT EXISTS _edge_functions (
+  id UUID DEFAULT gen_random_uuid() PRIMARY KEY,
+  slug VARCHAR(255) UNIQUE NOT NULL,
+  name VARCHAR(255) NOT NULL,
+  description TEXT,
+  code TEXT NOT NULL,
+  status VARCHAR(50) DEFAULT 'draft',
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW(),
+  deployed_at TIMESTAMPTZ
+);
+
+-- Auth Tables (2-table structure)
+-- User table
+CREATE TABLE IF NOT EXISTS _user (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  email TEXT UNIQUE NOT NULL,
+  password TEXT, -- NULL for OAuth-only users
+  name TEXT,
+  email_verified BOOLEAN DEFAULT false,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW()
+);
+
+-- Account table (for OAuth connections)
+CREATE TABLE IF NOT EXISTS _account (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  user_id UUID NOT NULL REFERENCES _user(id) ON DELETE CASCADE,
+  provider TEXT NOT NULL, -- OAuth provider name: 'google', 'github', etc.
+  provider_account_id TEXT NOT NULL, -- User's unique ID on the provider's system
+  access_token TEXT, -- OAuth access token for making API calls to provider
+  refresh_token TEXT, -- OAuth refresh token for renewing access
+  provider_data JSONB, -- OAuth provider's user profile
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  updated_at TIMESTAMPTZ DEFAULT NOW(),
+  UNIQUE(provider, provider_account_id)
+);
+
+-- Create update timestamp function
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.updated_at = NOW();
+  RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+-- Create triggers for updated_at
+DROP TRIGGER IF EXISTS update__config_updated_at ON _config;
+CREATE TRIGGER update__config_updated_at BEFORE UPDATE ON _config
+FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+DROP TRIGGER IF EXISTS update__metadata_updated_at ON _metadata;
+CREATE TRIGGER update__metadata_updated_at BEFORE UPDATE ON _metadata
+FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+DROP TRIGGER IF EXISTS update__edge_functions_updated_at ON _edge_functions;
+CREATE TRIGGER update__edge_functions_updated_at BEFORE UPDATE ON _edge_functions
+FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+-- Insert initial metadata
+INSERT INTO _metadata (key, value) VALUES ('version', '1.0.0')
+ON CONFLICT (key) DO UPDATE SET value = EXCLUDED.value;
+
+INSERT INTO _metadata (key, value) VALUES ('created_at', NOW()::TEXT)
 ON CONFLICT (key) DO NOTHING;

package/backend/src/infra/database/migrations/001_create-helper-functions.sql

@@ -1,41 +1,41 @@
--- Migration: 001 - Create helper functions for RLS
--- These functions extract user information from JWT claims
-
--- Function to get current user ID from JWT
-CREATE OR REPLACE FUNCTION public.uid()
-RETURNS uuid
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  nullif(
-    coalesce(
-      current_setting('request.jwt.claim.sub', true),
-      (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')
-    ),
-    ''
-  )::uuid
-$$;
-
--- Function to get current user role from JWT
-CREATE OR REPLACE FUNCTION public.role()
-RETURNS text
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  coalesce(
-    current_setting('request.jwt.claim.role', true),
-    (current_setting('request.jwt.claims', true)::jsonb ->> 'role')
-  )::text
-$$;
-
--- Function to get current user email from JWT
-CREATE OR REPLACE FUNCTION public.email()
-RETURNS text
-LANGUAGE sql STABLE
-AS $$
-  SELECT
-  coalesce(
-    current_setting('request.jwt.claim.email', true),
-    (current_setting('request.jwt.claims', true)::jsonb ->> 'email')
-  )::text
+-- Migration: 001 - Create helper functions for RLS
+-- These functions extract user information from JWT claims
+
+-- Function to get current user ID from JWT
+CREATE OR REPLACE FUNCTION public.uid()
+RETURNS uuid
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  nullif(
+    coalesce(
+      current_setting('request.jwt.claim.sub', true),
+      (current_setting('request.jwt.claims', true)::jsonb ->> 'sub')
+    ),
+    ''
+  )::uuid
+$$;
+
+-- Function to get current user role from JWT
+CREATE OR REPLACE FUNCTION public.role()
+RETURNS text
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  coalesce(
+    current_setting('request.jwt.claim.role', true),
+    (current_setting('request.jwt.claims', true)::jsonb ->> 'role')
+  )::text
+$$;
+
+-- Function to get current user email from JWT
+CREATE OR REPLACE FUNCTION public.email()
+RETURNS text
+LANGUAGE sql STABLE
+AS $$
+  SELECT
+  coalesce(
+    current_setting('request.jwt.claim.email', true),
+    (current_setting('request.jwt.claims', true)::jsonb ->> 'email')
+  )::text
 $$;