insforge 1.3.0 → 1.4.8

package/shared-schemas/src/auth.schema.ts

@@ -25,28 +25,34 @@ export const roleSchema = z.enum(['anon', 'authenticated', 'project_admin']);
 
 export const verificationMethodSchema = z.enum(['code', 'link']);
 
+/**
+ * User profile schema with default fields and passthrough for custom fields
+ * Note: Using snake_case for fields as they are stored directly in PostgreSQL JSONB
+ */
+export const profileSchema = z
+  .object({
+    name: z.string().optional(),
+    // eslint-disable-next-line @typescript-eslint/naming-convention
+    avatar_url: z.string().url().optional(),
+  })
+  .passthrough();
+
 // ============================================================================
 // Core entity schemas
 // ============================================================================
 
 /**
- * User entity schema - represents the _user table in PostgreSQL
+ * User entity schema - represents the auth.users table in PostgreSQL
  */
 export const userSchema = z.object({
   id: userIdSchema,
   email: emailSchema,
-  name: nameSchema,
   emailVerified: z.boolean(),
-  identities: z
-    .array(
-      z.object({
-        provider: z.string(),
-      })
-    )
-    .optional(),
-  providerType: z.string().optional(),
+  providers: z.array(z.string()).optional(),
   createdAt: z.string(), // PostgreSQL timestamp
   updatedAt: z.string(), // PostgreSQL timestamp
+  profile: profileSchema.nullable(), // User profile data (name, avatar_url, bio, etc.)
+  metadata: z.record(z.unknown()).nullable(), // System metadata (device ID, login IP, etc.)
 });
 
 /**
@@ -123,6 +129,7 @@ export type EmailSchema = z.infer<typeof emailSchema>;
 export type PasswordSchema = z.infer<typeof passwordSchema>;
 export type RoleSchema = z.infer<typeof roleSchema>;
 export type VerificationMethodSchema = z.infer<typeof verificationMethodSchema>;
+export type ProfileSchema = z.infer<typeof profileSchema>;
 export type UserSchema = z.infer<typeof userSchema>;
 export type TokenPayloadSchema = z.infer<typeof tokenPayloadSchema>;
 export type OAuthConfigSchema = z.infer<typeof oAuthConfigSchema>;

package/shared-schemas/src/cloud-events.schema.ts

@@ -37,6 +37,24 @@ export const navigateToUsageSchema = z.object({
   type: z.literal('NAVIGATE_TO_USAGE'),
 });
 
+export const showContactModalEventSchema = z.object({
+  type: z.literal('SHOW_CONTACT_MODAL'),
+});
+
+export const showConnectOverlayEventSchema = z.object({
+  type: z.literal('SHOW_CONNECT_OVERLAY'),
+});
+
+export const authorizationCodeEventSchema = z.object({
+  type: z.literal('AUTHORIZATION_CODE'),
+  code: z.string(),
+});
+
+export const routeChangeEventSchema = z.object({
+  type: z.literal('ROUTE_CHANGE'),
+  path: z.string(),
+});
+
 export const cloudEventSchema = z.discriminatedUnion('type', [
   appRouteChangeEventSchema,
   authSuccessEventSchema,
@@ -46,6 +64,10 @@ export const cloudEventSchema = z.discriminatedUnion('type', [
   showSettingsOverlayEventSchema,
   onboardingSuccessSchema,
   navigateToUsageSchema,
+  showContactModalEventSchema,
+  showConnectOverlayEventSchema,
+  authorizationCodeEventSchema,
+  routeChangeEventSchema,
 ]);
 
 export type AppRouteChangeEvent = z.infer<typeof appRouteChangeEventSchema>;
@@ -55,3 +77,7 @@ export type McpConnectionStatusEvent = z.infer<typeof mcpConnectionStatusEventSc
 export type CloudEvent = z.infer<typeof cloudEventSchema>;
 export type ShowOnboardingOverlayEvent = z.infer<typeof showOnboardingOverlayEventSchema>;
 export type ShowSettingsOverlayEvent = z.infer<typeof showSettingsOverlayEventSchema>;
+export type ShowContactModalEvent = z.infer<typeof showContactModalEventSchema>;
+export type ShowConnectOverlayEvent = z.infer<typeof showConnectOverlayEventSchema>;
+export type AuthorizationCodeEvent = z.infer<typeof authorizationCodeEventSchema>;
+export type RouteChangeEvent = z.infer<typeof routeChangeEventSchema>;

package/shared-schemas/src/deployments-api.schema.ts

@@ -0,0 +1,55 @@
+import { z } from 'zod';
+import { deploymentSchema } from './deployments.schema';
+
+export const projectSettingsSchema = z.object({
+  buildCommand: z.string().nullable().optional(),
+  outputDirectory: z.string().nullable().optional(),
+  installCommand: z.string().nullable().optional(),
+  devCommand: z.string().nullable().optional(),
+  rootDirectory: z.string().nullable().optional(),
+});
+
+export const envVarSchema = z.object({
+  key: z.string(),
+  value: z.string(),
+});
+
+/**
+ * Response from creating a deployment - includes presigned upload info
+ */
+export const createDeploymentResponseSchema = z.object({
+  id: z.string().uuid(),
+  uploadUrl: z.string().url(),
+  uploadFields: z.record(z.string()), // Required for S3 presigned POST (policy, signature, key, etc.)
+});
+
+/**
+ * Request to start a deployment (step 2)
+ * Triggers upload to Vercel and creates the actual deployment
+ */
+export const startDeploymentRequestSchema = z.object({
+  projectSettings: projectSettingsSchema.optional(),
+  envVars: z.array(envVarSchema).optional(),
+  meta: z.record(z.string()).optional(),
+});
+
+/**
+ * Response from starting a deployment
+ */
+export const startDeploymentResponseSchema = deploymentSchema;
+
+export const listDeploymentsResponseSchema = z.object({
+  data: z.array(deploymentSchema),
+  pagination: z.object({
+    limit: z.number(),
+    offset: z.number(),
+    total: z.number(),
+  }),
+});
+
+export type ProjectSettings = z.infer<typeof projectSettingsSchema>;
+export type EnvVar = z.infer<typeof envVarSchema>;
+export type CreateDeploymentResponse = z.infer<typeof createDeploymentResponseSchema>;
+export type StartDeploymentRequest = z.infer<typeof startDeploymentRequestSchema>;
+export type StartDeploymentResponse = z.infer<typeof startDeploymentResponseSchema>;
+export type ListDeploymentsResponse = z.infer<typeof listDeploymentsResponseSchema>;

package/shared-schemas/src/deployments.schema.ts

@@ -0,0 +1,30 @@
+import { z } from 'zod';
+
+/**
+ * Deployment status enum schema
+ * WAITING -> UPLOADING -> (Vercel statuses: QUEUED/BUILDING/READY/ERROR/CANCELED)
+ */
+export const deploymentStatusSchema = z.enum([
+  'WAITING', // Record created, waiting for client to upload zip to S3
+  'UPLOADING', // Server is downloading from S3 and uploading to Vercel
+  'QUEUED', // Vercel: deployment queued
+  'BUILDING', // Vercel: deployment building
+  'READY', // Vercel: deployment ready
+  'ERROR', // Vercel: deployment failed
+  'CANCELED', // Vercel: deployment canceled
+]);
+
+export type DeploymentStatusType = z.infer<typeof deploymentStatusSchema>;
+
+export const deploymentSchema = z.object({
+  id: z.string().uuid(),
+  providerDeploymentId: z.string().nullable(), // Provider's deployment ID, null until deployment starts
+  provider: z.string(),
+  status: deploymentStatusSchema,
+  url: z.string().nullable(),
+  metadata: z.record(z.unknown()).nullable(),
+  createdAt: z.string().datetime(),
+  updatedAt: z.string().datetime(),
+});
+
+export type DeploymentSchema = z.infer<typeof deploymentSchema>;

package/shared-schemas/src/docs.schema.ts

@@ -3,23 +3,29 @@ import { z } from 'zod';
 export const docTypeSchema = z
   .enum([
     'instructions',
+    'auth-sdk',
     'db-sdk',
     'storage-sdk',
     'functions-sdk',
     'ai-integration-sdk',
     'auth-components-react',
+    'auth-components-nextjs',
     'real-time',
+    'deployment',
   ])
   .describe(
     `
-    Documentation type: 
+    Documentation type:
       "instructions" (essential backend setup - use FIRST),
       "db-sdk" (database operations),
       "storage-sdk" (file storage),
       "functions-sdk" (edge functions),
+      "auth-sdk" (direct SDK methods for custom auth flows),
       "auth-components-react" (authentication components for React+Vite applications),
+      "auth-components-nextjs" (authentication components for Next.js applications),
       "ai-integration-sdk" (AI features),
-      "real-time" (real-time pub/sub through WebSockets)
+      "real-time" (real-time pub/sub through WebSockets),
+      "deployment" (deploy frontend applications via MCP tool)
     `
   );
 

package/shared-schemas/src/email-api.schema.ts

@@ -1,30 +1,30 @@
-import { z } from 'zod';
-import { emailSchema } from './auth.schema';
-
-const emailOrEmails = z.union([
-  emailSchema,
-  z
-    .array(emailSchema)
-    .min(1, 'At least one email is required')
-    .max(50, 'Maximum 50 recipients allowed'),
-]);
-
-export const sendRawEmailRequestSchema = z.object({
-  to: emailOrEmails,
-  subject: z.string().trim().min(1, 'Subject is required').max(500, 'Subject too long'),
-  html: z.string().trim().min(1, 'HTML content is required'),
-  cc: emailOrEmails.optional(),
-  bcc: emailOrEmails.optional(),
-  from: z.string().trim().max(100, 'From name too long').optional(),
-  replyTo: z.string().email('Reply-To must be a valid email').optional(),
-});
-
-export type SendRawEmailRequest = z.infer<typeof sendRawEmailRequestSchema>;
-
-/**
- * Response for POST /api/email/send-raw
- * Empty on success - extend with optional fields later if needed
- */
-export const sendEmailResponseSchema = z.object({});
-
-export type SendEmailResponse = z.infer<typeof sendEmailResponseSchema>;
+import { z } from 'zod';
+import { emailSchema } from './auth.schema';
+
+const emailOrEmails = z.union([
+  emailSchema,
+  z
+    .array(emailSchema)
+    .min(1, 'At least one email is required')
+    .max(50, 'Maximum 50 recipients allowed'),
+]);
+
+export const sendRawEmailRequestSchema = z.object({
+  to: emailOrEmails,
+  subject: z.string().trim().min(1, 'Subject is required').max(500, 'Subject too long'),
+  html: z.string().trim().min(1, 'HTML content is required'),
+  cc: emailOrEmails.optional(),
+  bcc: emailOrEmails.optional(),
+  from: z.string().trim().max(100, 'From name too long').optional(),
+  replyTo: z.string().email('Reply-To must be a valid email').optional(),
+});
+
+export type SendRawEmailRequest = z.infer<typeof sendRawEmailRequestSchema>;
+
+/**
+ * Response for POST /api/email/send-raw
+ * Empty on success - extend with optional fields later if needed
+ */
+export const sendEmailResponseSchema = z.object({});
+
+export type SendEmailResponse = z.infer<typeof sendEmailResponseSchema>;

package/shared-schemas/src/functions-api.schema.ts

@@ -1,6 +1,7 @@
 import { z } from 'zod';
+import { functionSchema } from './functions.schema';
 
-export const functionUploadRequestSchema = z.object({
+export const uploadFunctionRequestSchema = z.object({
   name: z.string().min(1, 'Name is required'),
   slug: z
     .string()
@@ -14,12 +15,20 @@ export const functionUploadRequestSchema = z.object({
   status: z.enum(['draft', 'active']).optional().default('active'),
 });
 
-export const functionUpdateRequestSchema = z.object({
+export const updateFunctionRequestSchema = z.object({
   name: z.string().optional(),
   code: z.string().optional(),
   description: z.string().optional(),
   status: z.enum(['draft', 'active']).optional(),
 });
 
-export type FunctionUploadRequest = z.infer<typeof functionUploadRequestSchema>;
-export type FunctionUpdateRequest = z.infer<typeof functionUpdateRequestSchema>;
+export const listFunctionsResponseSchema = z.object({
+  functions: z.array(functionSchema),
+  runtime: z.object({
+    status: z.enum(['running', 'unavailable']),
+  }),
+});
+
+export type UploadFunctionRequest = z.infer<typeof uploadFunctionRequestSchema>;
+export type UpdateFunctionRequest = z.infer<typeof updateFunctionRequestSchema>;
+export type ListFunctionsResponse = z.infer<typeof listFunctionsResponseSchema>;

package/shared-schemas/src/functions.schema.ts

@@ -7,7 +7,7 @@ export const functionSchema = z.object({
   name: z.string(),
   description: z.string().nullable(),
   code: z.string(),
-  status: z.enum(['draft', 'active']),
+  status: z.enum(['draft', 'active', 'error']),
   createdAt: z.string(),
   updatedAt: z.string(),
   deployedAt: z.string().nullable(),

package/shared-schemas/src/index.ts

@@ -1,18 +1,22 @@
-export * from './database.schema';
-export * from './database-api.schema';
-export * from './storage.schema';
-export * from './storage-api.schema';
-export * from './auth.schema';
-export * from './auth-api.schema';
-export * from './metadata.schema';
-export * from './ai.schema';
-export * from './ai-api.schema';
-export * from './logs.schema';
-export * from './logs-api.schema';
-export * from './functions.schema';
-export * from './functions-api.schema';
-export * from './cloud-events.schema';
-export * from './realtime.schema';
-export * from './realtime-api.schema';
-export * from './docs.schema';
-export * from './email-api.schema';
+export * from './database.schema';
+export * from './database-api.schema';
+export * from './secrets.schema';
+export * from './secrets-api.schema';
+export * from './storage.schema';
+export * from './storage-api.schema';
+export * from './auth.schema';
+export * from './auth-api.schema';
+export * from './metadata.schema';
+export * from './ai.schema';
+export * from './ai-api.schema';
+export * from './logs.schema';
+export * from './logs-api.schema';
+export * from './functions.schema';
+export * from './functions-api.schema';
+export * from './cloud-events.schema';
+export * from './realtime.schema';
+export * from './realtime-api.schema';
+export * from './docs.schema';
+export * from './email-api.schema';
+export * from './deployments.schema';
+export * from './deployments-api.schema';

package/shared-schemas/src/metadata.schema.ts

@@ -1,12 +1,10 @@
 import { z } from 'zod';
 import { storageBucketSchema } from './storage.schema';
-import { oAuthConfigSchema } from './auth.schema';
 import { realtimeChannelSchema } from './realtime.schema';
 import { realtimePermissionsResponseSchema } from './realtime-api.schema';
+import { getPublicAuthConfigResponseSchema } from './auth-api.schema';
 
-export const authMetadataSchema = z.object({
-  oauths: z.array(oAuthConfigSchema),
-});
+export const authMetadataSchema = getPublicAuthConfigResponseSchema;
 
 export const databaseMetadataSchema = z.object({
   tables: z.array(
@@ -68,3 +66,31 @@ export type EdgeFunctionMetadataSchema = z.infer<typeof edgeFunctionMetadataSche
 export type AIMetadataSchema = z.infer<typeof aiMetadataSchema>;
 export type RealtimeMetadataSchema = z.infer<typeof realtimeMetadataSchema>;
 export type AppMetadataSchema = z.infer<typeof appMetaDataSchema>;
+
+// Database connection schemas
+export const databaseConnectionParametersSchema = z.object({
+  host: z.string(),
+  port: z.number(),
+  database: z.string(),
+  user: z.string(),
+  password: z.string(),
+  sslmode: z.string(),
+});
+
+export const databaseConnectionInfoSchema = z.object({
+  connectionURL: z.string(),
+  parameters: databaseConnectionParametersSchema,
+});
+
+export const databasePasswordInfoSchema = z.object({
+  databasePassword: z.string(),
+});
+
+export const apiKeyResponseSchema = z.object({
+  apiKey: z.string(),
+});
+
+export type DatabaseConnectionParameters = z.infer<typeof databaseConnectionParametersSchema>;
+export type DatabaseConnectionInfo = z.infer<typeof databaseConnectionInfoSchema>;
+export type DatabasePasswordInfo = z.infer<typeof databasePasswordInfoSchema>;
+export type ApiKeyResponse = z.infer<typeof apiKeyResponseSchema>;

package/shared-schemas/src/secrets-api.schema.ts

@@ -0,0 +1,44 @@
+import { z } from 'zod';
+import { secretSchema } from './secrets.schema';
+
+// GET /secrets - List all secrets
+export const listSecretsResponseSchema = z.object({
+  secrets: z.array(secretSchema),
+});
+
+// GET /secrets/:key - Get secret value
+export const getSecretValueResponseSchema = z.object({
+  key: z.string(),
+  value: z.string(),
+});
+
+// POST /secrets - Create secret (user-facing API)
+export const createSecretRequestSchema = z.object({
+  key: z.string().regex(/^[A-Z0-9_]+$/, 'Use uppercase letters, numbers, and underscores only'),
+  value: z.string().min(1, 'Value is required'),
+});
+
+export const createSecretResponseSchema = z.object({
+  success: z.literal(true),
+  message: z.string(),
+  id: z.string(),
+});
+
+export const updateSecretResponseSchema = z.object({
+  success: z.literal(true),
+  message: z.string(),
+});
+
+// DELETE /secrets/:key - Delete secret
+export const deleteSecretResponseSchema = z.object({
+  success: z.literal(true),
+  message: z.string(),
+});
+
+// Export types
+export type ListSecretsResponse = z.infer<typeof listSecretsResponseSchema>;
+export type GetSecretValueResponse = z.infer<typeof getSecretValueResponseSchema>;
+export type CreateSecretRequest = z.infer<typeof createSecretRequestSchema>;
+export type CreateSecretResponse = z.infer<typeof createSecretResponseSchema>;
+export type UpdateSecretResponse = z.infer<typeof updateSecretResponseSchema>;
+export type DeleteSecretResponse = z.infer<typeof deleteSecretResponseSchema>;

package/shared-schemas/src/secrets.schema.ts

@@ -0,0 +1,15 @@
+import { z } from 'zod';
+
+// Secret metadata (without value - for listing)
+export const secretSchema = z.object({
+  id: z.string(),
+  key: z.string(),
+  isActive: z.boolean(),
+  isReserved: z.boolean(),
+  lastUsedAt: z.string().nullable(),
+  expiresAt: z.string().nullable(),
+  createdAt: z.string(),
+  updatedAt: z.string(),
+});
+
+export type SecretSchema = z.infer<typeof secretSchema>;

package/zeabur/README.md

@@ -2,12 +2,25 @@
 
 Internal template for one-click InsForge deployment on Zeabur.
 
+## CLI Authentication
+
+```bash
+npx zeabur@latest auth login
+npx zeabur@latest auth logout
+```
+
 ## Deploy
 
 ```bash
 npx zeabur@latest template deploy -f template.yml
 ```
 
+## Update
+
+```bash
+npx zeabur@latest template update -c Q82M3Y -f template.yml
+```
+
 ## Documentation
 
 - Zeabur docs: https://zeabur.com/docs/en-US/template/template-in-code

package/zeabur/template.yml

@@ -175,30 +175,8 @@ spec:
                     GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO project_admin;
 
                     -- Grant permissions to roles
-                    -- NOTICE: The anon role is intended for unauthenticated users, so it should only have read access.
-                    GRANT SELECT ON ALL TABLES IN SCHEMA public TO anon;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT SELECT ON TABLES TO anon;
-
-                    GRANT SELECT ON ALL TABLES IN SCHEMA public TO authenticated;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT SELECT ON TABLES TO authenticated;
-
-                    GRANT INSERT ON ALL TABLES IN SCHEMA public TO authenticated;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT INSERT ON TABLES TO authenticated;
-
-                    GRANT UPDATE ON ALL TABLES IN SCHEMA public TO authenticated;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT UPDATE ON TABLES TO authenticated;
-
-                    GRANT DELETE ON ALL TABLES IN SCHEMA public TO authenticated;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT DELETE ON TABLES TO authenticated;
-
-                    GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO project_admin;
-                    ALTER DEFAULT PRIVILEGES IN SCHEMA public
-                      GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO project_admin;
+                    GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO anon, authenticated, project_admin;
+                    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO anon, authenticated, project_admin;
 
                     -- Create function to automatically create RLS policies for new tables
                     CREATE OR REPLACE FUNCTION public.create_default_policies()
@@ -224,12 +202,8 @@ spec:
                           AND tablename = table_name;
                         -- Only create policies if RLS is enabled
                         IF has_rls THEN
-                          -- Create policies for each role
-                          -- anon: read-only access
-                          EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
-                          -- authenticated: full access
-                          EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
-                          -- project_admin: full access
+                          -- Create policy for project_admin role only
+                          -- Users must define their own policies for anon and authenticated roles
                           EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
                         END IF;
                       END LOOP;
@@ -268,9 +242,8 @@ spec:
                           WHERE schemaname = table_schema
                             AND tablename = table_name
                         ) THEN
-                          -- Create default policies
-                          EXECUTE format('CREATE POLICY "anon_policy" ON %s FOR SELECT TO anon USING (true)', obj.object_identity);
-                          EXECUTE format('CREATE POLICY "authenticated_policy" ON %s FOR ALL TO authenticated USING (true) WITH CHECK (true)', obj.object_identity);
+                          -- Create policy for project_admin role only
+                          -- Users must define their own policies for anon and authenticated roles
                           EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
                         END IF;
                       END LOOP;
@@ -382,7 +355,7 @@ spec:
                 POSTGREST_BASE_URL:
                     default: http://postgrest:3000
                 WORKER_TIMEOUT_MS:
-                    default: "30000"
+                    default: "60000"
                 ENCRYPTION_KEY:
                     default: ${PASSWORD}
                 JWT_SECRET:
@@ -399,7 +372,7 @@ spec:
                     console.log(`Deno serverless runtime running on port ${port}`);
 
                     // Configuration
-                    const WORKER_TIMEOUT_MS = parseInt(Deno.env.get('WORKER_TIMEOUT_MS') ?? '30000');
+                    const WORKER_TIMEOUT_MS = parseInt(Deno.env.get('WORKER_TIMEOUT_MS') ?? '60000');
 
                     // Worker template code - loaded on first use
                     let workerTemplateCode: string | null = null;
@@ -423,18 +396,14 @@ spec:
                         // Get the encryption key by hashing the JWT secret
                         const keyData = new TextEncoder().encode(key);
                         const hashBuffer = await crypto.subtle.digest('SHA-256', keyData);
-                        const cryptoKey = await crypto.subtle.importKey(
-                          'raw',
-                          hashBuffer,
-                          { name: 'AES-GCM' },
-                          false,
-                          ['decrypt']
-                        );
+                        const cryptoKey = await crypto.subtle.importKey('raw', hashBuffer, { name: 'AES-GCM' }, false, [
+                          'decrypt',
+                        ]);
 
                         // Extract IV, auth tag, and encrypted data
-                        const iv = Uint8Array.from(parts[0].match(/.{2}/g)!.map(byte => parseInt(byte, 16)));
-                        const authTag = Uint8Array.from(parts[1].match(/.{2}/g)!.map(byte => parseInt(byte, 16)));
-                        const encrypted = Uint8Array.from(parts[2].match(/.{2}/g)!.map(byte => parseInt(byte, 16)));
+                        const iv = Uint8Array.from(parts[0].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+                        const authTag = Uint8Array.from(parts[1].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
+                        const encrypted = Uint8Array.from(parts[2].match(/.{2}/g)!.map((byte) => parseInt(byte, 16)));
 
                         // Combine encrypted data and auth tag (GCM expects them together)
                         const cipherData = new Uint8Array(encrypted.length + authTag.length);
@@ -472,7 +441,7 @@ spec:
                         await client.connect();
 
                         const result = await client.queryObject<{ code: string }>`
-                          SELECT code FROM _functions
+                          SELECT code FROM functions.definitions
                           WHERE slug = ${slug} AND status = 'active'
                         `;
 
@@ -503,13 +472,13 @@ spec:
                           return {};
                         }
 
-                        // Fetch all active secrets from _secrets table
+                        // Fetch all active secrets from system.secrets table
                         const result = await client.queryObject<{
                           key: string;
                           value_ciphertext: string;
                         }>`
                           SELECT key, value_ciphertext
-                          FROM _secrets
+                          FROM system.secrets
                           WHERE is_active = true
                             AND (expires_at IS NULL OR expires_at > NOW())
                         `;
@@ -766,7 +735,7 @@ spec:
                          * - We need to provide Deno.env functionality so functions can access secrets
                          *
                          * How it works:
-                         * 1. The main server (server.ts) fetches all active secrets from the _secrets table
+                         * 1. The main server (server.ts) fetches all active secrets from the system.secrets table
                          * 2. Only active (is_active=true) and non-expired secrets are included
                          * 3. Secrets are decrypted and passed to this worker via the 'secrets' object
                          * 4. We create a mock Deno object that provides Deno.env.get()
@@ -890,7 +859,7 @@ spec:
           template: PREBUILT
           spec:
             source:
-                image: ghcr.io/insforge/insforge-oss:v1.2.6
+                image: ghcr.io/insforge/insforge-oss:v1.4.3
             ports:
                 - id: web
                   port: 7130
@@ -959,7 +928,7 @@ spec:
                 type: HTTP
                 port: web
                 http:
-                    path: /
+                    path: /api/health
           domainKey: PUBLIC_DOMAIN
 
 localization: