insforge 1.3.0 → 1.4.8

package/backend/tests/unit/database-advance.test.ts

@@ -0,0 +1,326 @@
+import { describe, test, expect } from 'vitest';
+import { DatabaseAdvanceService } from '../../src/services/database/database-advance.service';
+import { AppError } from '../../src/api/middlewares/error';
+import { ERROR_CODES } from '../../src/types/error-constants';
+
+describe('DatabaseAdvanceService - sanitizeQuery', () => {
+  const service = DatabaseAdvanceService.getInstance();
+
+  describe('auth schema blocking', () => {
+    test('blocks DELETE FROM auth.users', () => {
+      const query = "DELETE FROM auth.users WHERE id = '00000000-0000-0000-0000-000000000001'";
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      expect(() => service.sanitizeQuery(query)).toThrow(/auth schema/i);
+    });
+
+    test('blocks DELETE FROM quoted auth schema', () => {
+      const query = 'DELETE FROM "auth"."users" WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks TRUNCATE auth.users', () => {
+      const query = 'TRUNCATE TABLE auth.users';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks TRUNCATE without TABLE keyword', () => {
+      const query = 'TRUNCATE auth.users';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP TABLE auth.users', () => {
+      const query = 'DROP TABLE auth.users';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP TABLE with IF EXISTS', () => {
+      const query = 'DROP TABLE IF EXISTS auth.users';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP INDEX on auth schema', () => {
+      const query = 'DROP INDEX auth.users_email_idx';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP TRIGGER on auth schema tables', () => {
+      const queries = [
+        'DROP TRIGGER user_created_trigger ON auth.users',
+        'DROP TRIGGER IF EXISTS user_created_trigger ON auth.users',
+        'DROP TRIGGER trigger_name ON "auth"."users"',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('blocks DROP FUNCTION on auth schema', () => {
+      const query = 'DROP FUNCTION auth.create_user_profile()';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP VIEW on auth schema', () => {
+      const query = 'DROP VIEW auth.user_summary';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DROP SCHEMA auth (no dot after auth)', () => {
+      const queries = [
+        'DROP SCHEMA auth',
+        'DROP SCHEMA auth CASCADE',
+        'DROP SCHEMA IF EXISTS auth',
+        'DROP SCHEMA "auth" CASCADE',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('allows SELECT FROM auth.users (read-only)', () => {
+      const query = 'SELECT * FROM auth.users LIMIT 1';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('blocks case-insensitive AUTH.users', () => {
+      const query = 'DELETE FROM AUTH.users WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks mixed case Auth.Users', () => {
+      const query = 'DELETE FROM Auth.Users WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks auth schema with quoted table name', () => {
+      const query = 'DELETE FROM auth."users" WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks DELETE with whitespace before dot in auth schema', () => {
+      const queries = [
+        'DELETE FROM auth . users WHERE id = $1',
+        'DELETE FROM auth  .users WHERE id = $1',
+        'DELETE FROM auth\t.users WHERE id = $1',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('allows UPDATE on auth schema (not blocked)', () => {
+      // UPDATE is allowed on auth schema
+      const queries = [
+        'UPDATE auth.users SET email = $1 WHERE id = $2',
+        'UPDATE auth.user_providers SET provider = $1 WHERE id = $2',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('blocks DELETE on other auth schema tables', () => {
+      const queries = [
+        'DELETE FROM auth.user_providers WHERE id = $1',
+        'DELETE FROM auth.configs WHERE id = $1',
+        'DELETE FROM auth.oauth_configs WHERE id = $1',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('blocks TRUNCATE on other auth schema tables', () => {
+      const queries = ['TRUNCATE TABLE auth.user_providers', 'TRUNCATE auth.configs'];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('blocks DROP operations on other auth schema tables', () => {
+      const queries = [
+        'DROP TABLE auth.user_providers',
+        'DROP INDEX auth.configs_key_idx',
+        'DROP FUNCTION auth.some_function()',
+        'DROP VIEW auth.user_view',
+        'DROP SEQUENCE auth.user_id_seq',
+        'DROP POLICY auth_policy ON auth.users',
+        'DROP TYPE auth.user_type',
+        'DROP DOMAIN auth.email_domain',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('allows SELECT on other auth schema tables', () => {
+      const queries = [
+        'SELECT * FROM auth.email_otps',
+        'SELECT * FROM auth.user_providers',
+        'SELECT * FROM auth.configs',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('allows INSERT into auth schema (for test users)', () => {
+      const queries = [
+        "INSERT INTO auth.users (email, password) VALUES ('test@example.com', 'hashed')",
+        'INSERT INTO auth.user_providers (user_id, provider) VALUES ($1, $2)',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('allows CREATE TRIGGER on auth schema', () => {
+      const query =
+        'CREATE TRIGGER user_profile_trigger AFTER INSERT ON auth.users FOR EACH ROW EXECUTE FUNCTION create_user_profile()';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('allows ALTER TABLE on auth schema (for indexes, constraints)', () => {
+      const queries = [
+        'ALTER TABLE auth.users ADD CONSTRAINT email_unique UNIQUE (email)',
+        'CREATE INDEX idx_auth_users_email ON auth.users(email)',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('throws AppError with FORBIDDEN error code', () => {
+      const query = 'DELETE FROM auth.users WHERE id = $1';
+      try {
+        service.sanitizeQuery(query);
+        expect.fail('Should have thrown an error');
+      } catch (error) {
+        expect(error).toBeInstanceOf(AppError);
+        if (error instanceof AppError) {
+          expect(error.statusCode).toBe(403);
+          expect(error.code).toBe(ERROR_CODES.FORBIDDEN);
+          expect(error.message).toContain('auth schema');
+        }
+      }
+    });
+  });
+
+  describe('allowed queries', () => {
+    test('allows DELETE from other tables even when auth is referenced in subquery', () => {
+      const queries = [
+        'DELETE FROM orders WHERE user_id NOT IN (SELECT id FROM auth.users)',
+        'DELETE FROM user_profiles WHERE id IN (SELECT user_id FROM auth.sessions WHERE expired = true)',
+        'DELETE FROM public.users WHERE email IN (SELECT email FROM auth.users WHERE verified = false)',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('allows queries with auth schema in string literals or comments', () => {
+      const queries = [
+        "SELECT 'DELETE FROM auth.users' AS example_query",
+        '/* DELETE FROM auth.users */ SELECT * FROM public.users',
+        "SELECT 'DROP TABLE auth.users' AS test",
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('blocks DELETE FROM auth even when previous line has a comment', () => {
+      const queries = [
+        'SELECT 1; -- some comment\nDELETE FROM auth.users WHERE id = 1',
+        '-- previous comment\nDELETE FROM auth.users',
+        '/* block comment */\nDELETE FROM auth.users WHERE id = 1',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+      });
+    });
+
+    test('allows SELECT from public schema', () => {
+      const query = 'SELECT 1 as test';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('allows auth.uid() function calls', () => {
+      const queries = [
+        'SELECT auth.uid()',
+        'SELECT * FROM users WHERE id = auth.uid()',
+        'CREATE POLICY test ON users FOR SELECT USING (id = auth.uid())',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('allows auth.role() and auth.email() function calls', () => {
+      const queries = [
+        'SELECT auth.role()',
+        'SELECT auth.email()',
+        'SELECT * FROM users WHERE email = auth.email()',
+      ];
+
+      queries.forEach((query) => {
+        expect(() => service.sanitizeQuery(query)).not.toThrow();
+      });
+    });
+
+    test('allows DELETE from public schema tables', () => {
+      const query = 'DELETE FROM users WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('allows INSERT into public schema tables', () => {
+      const query = "INSERT INTO products (name) VALUES ('test')";
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('allows UPDATE public schema tables', () => {
+      const query = 'UPDATE products SET price = 100 WHERE id = $1';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+
+    test('allows CREATE TABLE in public schema', () => {
+      const query = 'CREATE TABLE test_table (id UUID PRIMARY KEY)';
+      expect(() => service.sanitizeQuery(query)).not.toThrow();
+    });
+  });
+
+  describe('other blocked operations', () => {
+    test('blocks DROP DATABASE', () => {
+      const query = 'DROP DATABASE testdb';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks CREATE DATABASE', () => {
+      const query = 'CREATE DATABASE testdb';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks ALTER DATABASE', () => {
+      const query = 'ALTER DATABASE testdb SET connection_limit = 100';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+
+    test('blocks pg_catalog access', () => {
+      const query = 'SELECT * FROM pg_catalog.pg_tables';
+      expect(() => service.sanitizeQuery(query)).toThrow(AppError);
+    });
+  });
+});

package/backend/tests/unit/helpers.test.ts

@@ -57,7 +57,7 @@ describe('convertSqlTypeToColumnType', () => {
     });
   });
 
-  it('returns first 5 chars for unknown types', () => {
-    expect(convertSqlTypeToColumnType('customtype')).toBe('custo');
+  it('returns first 8 chars for unknown types', () => {
+    expect(convertSqlTypeToColumnType('customtype')).toBe('customty');
   });
 });

package/claude-plugin/skills/insforge-schema-patterns/SKILL.md

@@ -15,8 +15,8 @@ Expert patterns for designing PostgreSQL schemas optimized for InsForge's PostgR
 ```sql
 CREATE TABLE follows (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  follower_id UUID REFERENCES users(id) ON DELETE CASCADE,
-  following_id UUID REFERENCES users(id) ON DELETE CASCADE,
+  follower_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
+  following_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
   created_at TIMESTAMPTZ DEFAULT NOW(),
   UNIQUE(follower_id, following_id)
 );
@@ -44,16 +44,16 @@ CREATE POLICY "Users can unfollow" ON follows
 
 **Query with InsForge SDK:**
 ```javascript
-// Get users I follow with their profiles
+// Get users I follow
 const { data: following } = await client.database
   .from('follows')
-  .select('*, following:following_id(id, nickname, avatar_url, bio)')
+  .select()
   .eq('follower_id', currentUserId);
 
 // Get my followers
 const { data: followers } = await client.database
   .from('follows')
-  .select('*, follower:follower_id(id, nickname, avatar_url, bio)')
+  .select()
   .eq('following_id', currentUserId);
 
 // Check if user1 follows user2
@@ -80,7 +80,7 @@ await client.database
 ```sql
 CREATE TABLE likes (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
   post_id UUID REFERENCES posts(id) ON DELETE CASCADE,
   created_at TIMESTAMPTZ DEFAULT NOW(),
   UNIQUE(user_id, post_id)  -- Prevent duplicate likes
@@ -143,7 +143,7 @@ await client.database
 CREATE TABLE comments (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
   post_id UUID REFERENCES posts(id) ON DELETE CASCADE,
-  user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
   parent_comment_id UUID REFERENCES comments(id) ON DELETE CASCADE,
   content TEXT NOT NULL,
   created_at TIMESTAMPTZ DEFAULT NOW(),
@@ -178,17 +178,20 @@ CREATE POLICY "Users can delete their comments" ON comments
 **Query with InsForge SDK:**
 ```javascript
 // Get top-level comments with author info
+// Note: profile is a JSONB column containing { name, avatar_url, bio, birthday }
 const { data: comments } = await client.database
   .from('comments')
-  .select('*, author:user_id(nickname, avatar_url)')
+  .select('*, author:user_id(id, profile)')
   .eq('post_id', postId)
   .is('parent_comment_id', null)
   .order('created_at', { ascending: false });
 
+// Access author info: comment.author.profile.name, comment.author.profile.avatar_url
+
 // Get replies to a comment
 const { data: replies } = await client.database
   .from('comments')
-  .select('*, author:user_id(nickname, avatar_url)')
+  .select('*, author:user_id(id, profile)')
   .eq('parent_comment_id', commentId)
   .order('created_at', { ascending: true });
 ```
@@ -209,7 +212,7 @@ CREATE TABLE organizations (
 
 CREATE TABLE organization_members (
   organization_id UUID REFERENCES organizations(id) ON DELETE CASCADE,
-  user_id UUID REFERENCES users(id) ON DELETE CASCADE,
+  user_id UUID REFERENCES auth.users(id) ON DELETE CASCADE,
   role TEXT NOT NULL CHECK (role IN ('owner', 'admin', 'member')),
   joined_at TIMESTAMPTZ DEFAULT NOW(),
   PRIMARY KEY (organization_id, user_id)

package/docker-compose.prod.yml

@@ -1,6 +1,6 @@
 services:
   postgres:
-    image: postgres:15.13
+    image: ghcr.io/insforge/postgres:v15.13.1
     container_name: insforge-postgres
     command: postgres -c config_file=/etc/postgresql/postgresql.conf
     environment:

package/docker-compose.yml

@@ -2,7 +2,7 @@ version: '3.8'
 
 services:
   postgres:
-    image: postgres:15.13
+    image: ghcr.io/insforge/postgres:v15.13.1
     container_name: insforge-postgres
     command: postgres -c config_file=/etc/postgresql/postgresql.conf
     environment:

package/docs/agent-docs/deployment.md

@@ -0,0 +1,79 @@
+# InsForge Deployment - Agent Documentation
+
+## Overview
+
+Deploy frontend applications to InsForge using the `create-deployment` MCP tool. The tool handles uploading source files, building, and deploying automatically.
+
+## Deploy with MCP Tool
+
+Use the `create-deployment` tool with these parameters:
+
+| Parameter | Required | Description |
+|-----------|----------|-------------|
+| `sourceDirectory` | Yes | **Absolute path** to source directory (e.g., `/Users/me/project/frontend`). Relative paths do not work. |
+| `projectSettings.buildCommand` | No | Build command (default: auto-detected) |
+| `projectSettings.outputDirectory` | No | Build output directory (default: auto-detected) |
+| `projectSettings.installCommand` | No | Install command (default: `npm install`) |
+| `projectSettings.rootDirectory` | No | Root directory within source |
+| `envVars` | No | Array of `{key, value}` objects |
+| `meta` | No | Custom metadata key-value pairs |
+
+### Example
+
+```json
+{
+  "sourceDirectory": "/Users/me/project/frontend",
+  "projectSettings": {
+    "buildCommand": "npm run build",
+    "outputDirectory": "dist"
+  },
+  "envVars": [
+    { "key": "VITE_INSFORGE_BASE_URL", "value": "https://your-project.insforge.app" },
+    { "key": "VITE_INSFORGE_ANON_KEY", "value": "your-anon-key" }
+  ]
+}
+```
+
+**Important**:
+- `sourceDirectory` must be an **absolute path** (relative paths don't work on Windows)
+- Pass the source directory, NOT pre-built static files
+- Include all required environment variables (e.g., `VITE_*` for Vite apps)
+
+## Check Deployment Status
+
+After creating a deployment, query the status using `run-raw-sql`:
+
+```sql
+SELECT id, status, url, created_at
+FROM system.deployments
+ORDER BY created_at DESC
+LIMIT 1;
+```
+
+### Status Values
+
+| Status | Description |
+|--------|-------------|
+| `WAITING` | Waiting for source upload |
+| `UPLOADING` | Uploading to build server |
+| `QUEUED` | Queued for build |
+| `BUILDING` | Building (typically ~1 min) |
+| `READY` | Deployment complete, URL available |
+| `ERROR` | Build or deployment failed |
+| `CANCELED` | Deployment was cancelled |
+
+### Get Deployment URL
+
+Once status is `READY`, the `url` column contains the live deployment URL.
+
+```sql
+SELECT url FROM system.deployments WHERE id = '<deployment-id>';
+```
+
+## Quick Reference
+
+| Task | Tool | Command |
+|------|------|---------|
+| Deploy app | `create-deployment` | Provide `sourceDirectory` and `envVars` |
+| Check status | `run-raw-sql` | `SELECT status FROM system.deployments WHERE id = '...'` |
+| List deployments | `run-raw-sql` | `SELECT * FROM system.deployments ORDER BY created_at DESC` |