chore: import upstream snapshot with attribution
Lint and Format Check / lint-and-format (push) Failing after 0s
Check Migrations / Check for duplicate migration numbers (push) Failing after 1s
CI Pre-merge Check / CI Pre-merge Check (push) Failing after 2m17s

This commit is contained in:
wehub-resource-sync
2026-07-13 12:23:40 +08:00
commit 3a28426bf4
1399 changed files with 257375 additions and 0 deletions
+97
View File
@@ -0,0 +1,97 @@
-- init.sql
-- Create role for anonymous user
CREATE ROLE anon NOLOGIN;
-- Create role for authenticator
CREATE ROLE authenticated NOLOGIN;
-- Create project admin role for admin users
CREATE ROLE project_admin NOLOGIN;
GRANT USAGE ON SCHEMA public TO anon;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO anon;
GRANT USAGE ON SCHEMA public TO authenticated;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO authenticated;
GRANT USAGE ON SCHEMA public TO project_admin;
GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public TO project_admin;
-- Grant permissions to roles
GRANT SELECT, INSERT, UPDATE, DELETE ON ALL TABLES IN SCHEMA public TO anon, authenticated, project_admin;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE, DELETE ON TABLES TO anon, authenticated, project_admin;
-- Create function to automatically create RLS policies for new tables
CREATE OR REPLACE FUNCTION public.create_default_policies()
RETURNS event_trigger AS $$
DECLARE
obj record;
table_schema text;
table_name text;
has_rls boolean;
BEGIN
FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'CREATE TABLE'
LOOP
-- Extract schema and table name from object_identity
-- Handle quoted identifiers by removing quotes
SELECT INTO table_schema, table_name
split_part(obj.object_identity, '.', 1),
trim(both '"' from split_part(obj.object_identity, '.', 2));
-- Check if RLS is enabled on the table
SELECT INTO has_rls
rowsecurity
FROM pg_tables
WHERE schemaname = table_schema
AND tablename = table_name;
-- Only create policies if RLS is enabled
IF has_rls THEN
-- Create policy for project_admin role only
-- Users must define their own policies for anon and authenticated roles
EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
END IF;
END LOOP;
END;
$$ LANGUAGE plpgsql;
-- Create event trigger to run the function when new tables are created
CREATE EVENT TRIGGER create_policies_on_table_create
ON ddl_command_end
WHEN TAG IN ('CREATE TABLE')
EXECUTE FUNCTION public.create_default_policies();
-- Create function to handle RLS enablement
CREATE OR REPLACE FUNCTION public.create_policies_after_rls()
RETURNS event_trigger AS $$
DECLARE
obj record;
table_schema text;
table_name text;
BEGIN
FOR obj IN SELECT * FROM pg_event_trigger_ddl_commands() WHERE command_tag = 'ALTER TABLE'
LOOP
-- Extract schema and table name
-- Handle quoted identifiers by removing quotes
SELECT INTO table_schema, table_name
split_part(obj.object_identity, '.', 1),
trim(both '"' from split_part(obj.object_identity, '.', 2));
-- Check if table has RLS enabled and no policies yet
IF EXISTS (
SELECT 1 FROM pg_tables
WHERE schemaname = table_schema
AND tablename = table_name
AND rowsecurity = true
) AND NOT EXISTS (
SELECT 1 FROM pg_policies
WHERE schemaname = table_schema
AND tablename = table_name
) THEN
-- Create policy for project_admin role only
-- Users must define their own policies for anon and authenticated roles
EXECUTE format('CREATE POLICY "project_admin_policy" ON %s FOR ALL TO project_admin USING (true) WITH CHECK (true)', obj.object_identity);
END IF;
END LOOP;
END;
$$ LANGUAGE plpgsql;
-- Create event trigger for ALTER TABLE commands
CREATE EVENT TRIGGER create_policies_on_rls_enable
ON ddl_command_end
WHEN TAG IN ('ALTER TABLE')
EXECUTE FUNCTION public.create_policies_after_rls();
+5
View File
@@ -0,0 +1,5 @@
\set jwt_secret `echo "$JWT_SECRET"`
\set jwt_exp `echo "$JWT_EXP"`
ALTER DATABASE postgres SET "app.settings.jwt_secret" TO :'jwt_secret';
ALTER DATABASE postgres SET "app.settings.jwt_exp" TO :'jwt_exp';
+29
View File
@@ -0,0 +1,29 @@
# PostgreSQL configuration for InsForge
# Enable logical replication for Logflare
# Listen on all interfaces to allow container connections
listen_addresses = '*'
# Set WAL level to logical for Logflare replication
wal_level = logical
# Set max replication slots (needed for logical replication)
max_replication_slots = 10
# Set max WAL senders
max_wal_senders = 10
# Shared preload libraries
shared_preload_libraries = 'pg_cron,http,pgcrypto,insforge_pg_utils'
insforge.policy_grant_role = 'project_admin'
insforge.policy_grant_tables = 'storage.objects,realtime.channels,realtime.messages,payments.stripe_checkout_sessions,payments.stripe_customer_portal_sessions,payments.razorpay_orders,payments.razorpay_subscriptions'
# InsForge-internal schemas that must never be exposed to the REST data API.
# Read by system.is_exposed_schema (migration 056) to decide PostgREST's
# db_schemas allowlist. Comma-separated, no spaces. Postgres internals (pg_*,
# information_schema) and extension-owned schemas are handled separately and
# need not be listed here. Edit + `SELECT pg_reload_conf()` to apply at runtime.
insforge.internal_schemas = 'ai,auth,compute,deployments,email,functions,memory,payments,realtime,schedules,storage,system'
cron.database_name = 'insforge' # Add this line to specify the database for pg_cron
+236
View File
@@ -0,0 +1,236 @@
api:
enabled: true
address: 0.0.0.0:7135
sources:
docker_host:
type: docker_logs
exclude_containers:
- insforge-vector
include_containers:
- insforge
- insforge-deno
- insforge-postgrest
- insforge-postgres
transforms:
project_logs:
type: remap
inputs:
- docker_host
source: |-
.project = "default"
.event_message = del(.message)
# Remove leading slash from container name if present
container = to_string!(del(.container_name))
if starts_with(container, "/") {
.appname = slice!(container, 1)
} else {
.appname = container
}
del(.container_created_at)
del(.container_id)
del(.source_type)
del(.stream)
del(.label)
del(.image)
del(.host)
del(.stream)
router:
type: route
inputs:
- project_logs
route:
insforge: '.appname == "insforge"'
deno: '.appname == "insforge-deno"'
rest: '.appname == "insforge-postgrest"'
db: '.appname == "insforge-postgres"'
realtime: '.appname == "insforge-realtime"'
# PostgREST logs with proper parsing
rest_logs:
type: remap
inputs:
- router.rest
source: |-
# .metadata.host = .project
# Parse PostgREST log format: DD/Mon/YYYY:HH:MM:SS +ZZZZ: message
parsed, err = parse_regex(.event_message, r'^(?P<time>\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}): (?P<msg>.*)$')
if err == null && parsed != null {
.event_message = parsed.msg
.metadata.level = "info"
} else {
# If parsing fails, keep original message
.metadata.level = "info"
}
# InsForge logs are structured JSON, parse and handle both request logs and application logs
insforge_logs:
type: remap
inputs:
- router.insforge
source: |-
# Remove the [backend] prefix if present
.event_message = replace!(.event_message, r'^\[backend\] ', "")
req, err = parse_json(.event_message)
if err == null {
# Set timestamp from log
if req.timestamp != null {
.timestamp = to_timestamp!(req.timestamp)
}
# Set log level
.metadata.level = req.level
# Check if this is a request log (has duration field)
if req.duration != null {
# Flatten request log fields to top level
.user_agent = req.userAgent
.ip = req.ip
.method = req.method
.path = req.path
.protocol = "HTTP/1.1"
.status_code = req.status
.size = req.size
.duration = req.duration
# Format as nginx-style log line
.event_message = join!([req.method, req.path, to_string!(req.status), to_string!(req.size), req.duration, "-", req.ip, "-", req.userAgent], " ")
.log_type = "request"
} else {
# This is an application log
.event_message = join!([req.level, req.message], " - ")
.log_type = "application"
if req.error != null {
.error = req.error
}
if req.stack != null {
.stack = req.stack
}
}
}
realtime_logs:
type: remap
inputs:
- router.realtime
source: |-
parsed, err = parse_regex(.event_message, r'^(?P<time>\d+:\d+:\d+\.\d+) \[(?P<level>\w+)\] (?P<msg>.*)$')
if err == null {
.event_message = parsed.msg
.metadata.level = parsed.level
}
deno_logs:
type: remap
inputs:
- router.deno
source: |-
parsed, err = parse_regex(.event_message, r'^(?P<time>\d+:\d+:\d+\.\d+) \[(?P<level>\w+)\] (?P<msg>.*)$')
if err == null {
.event_message = parsed.msg
.timestamp = to_timestamp!(parsed.time)
.metadata.level = upcase!(parsed.level)
# .metadata.host = .project
}
# Postgres logs with proper parsing
db_logs:
type: remap
inputs:
- router.db
source: |-
# .metadata.host = "db-default"
# Parse PostgreSQL log format: YYYY-MM-DD HH:MM:SS.SSS TZ [PID] LEVEL: message
parsed, err = parse_regex(.event_message, r'^(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>\w+) \[(?P<pid>\d+)\] (?P<level>LOG|ERROR|WARNING|INFO|NOTICE|FATAL|PANIC|STATEMENT|DETAIL): (?P<msg>.*)$')
if err == null && parsed != null {
.metadata.parsed.pid = parsed.pid
.metadata.level = upcase!(parsed.level)
.event_message = parsed.msg
# Normalize STATEMENT and DETAIL to appropriate log levels
if .metadata.level == "STATEMENT" {
.metadata.level = "INFO"
}
if .metadata.level == "DETAIL" {
.metadata.level = "INFO"
}
} else {
# If parsing fails, keep original message and set default severity
.metadata.level = "LOG"
}
sinks:
# File sinks - JSONL format for FileProvider (always enabled)
file_insforge:
type: 'file'
inputs:
- insforge_logs
path: '/insforge-logs/insforge.logs.jsonl'
encoding:
codec: 'json'
file_deno:
type: 'file'
inputs:
- deno_logs
path: '/insforge-logs/function.logs.jsonl'
encoding:
codec: 'json'
file_rest:
type: 'file'
inputs:
- rest_logs
path: '/insforge-logs/postgrest.logs.jsonl'
encoding:
codec: 'json'
file_db:
type: 'file'
inputs:
- db_logs
path: '/insforge-logs/postgres.logs.jsonl'
encoding:
codec: 'json'
# CloudWatch sinks (ignored if AWS_REGION not set)
cw_insforge:
type: aws_cloudwatch_logs
inputs:
- insforge_logs
region: ${AWS_REGION:-skip}
group_name: /insforge/local
stream_name: ${HOSTNAME_OVERRIDE:-local}-insforge-vector
encoding:
codec: json
healthcheck:
enabled: false
cw_rest:
type: aws_cloudwatch_logs
inputs:
- rest_logs
region: ${AWS_REGION:-skip}
group_name: /insforge/local
stream_name: ${HOSTNAME_OVERRIDE:-local}-postgrest-vector
encoding:
codec: json
healthcheck:
enabled: false
cw_deno:
type: aws_cloudwatch_logs
inputs:
- deno_logs
region: ${AWS_REGION:-skip}
group_name: /insforge/local
stream_name: ${HOSTNAME_OVERRIDE:-local}-function-vector
encoding:
codec: json
healthcheck:
enabled: false
cw_db:
type: aws_cloudwatch_logs
inputs:
- db_logs
region: ${AWS_REGION:-skip}
group_name: /insforge/local
stream_name: ${HOSTNAME_OVERRIDE:-local}-postgres-vector
encoding:
codec: json
healthcheck:
enabled: false