# Database & Architecture Todos

## Server-Side & Schema Tasks

### Schema Changes (Postgres/Supabase)

- [ ] **Split `profiles` Table**:
    - [ ] Create `user_secrets` table (Columns: `user_id` (PK, FK), `openai_api_key`, `bria_api_key`, `replicate_api_key`, `settings`, `google_api_key`).
    - [ ] Migrate data from `profiles` to `user_secrets` (Ref: [`src/integrations/supabase/types.ts`](../src/integrations/supabase/types.ts)).
    - [ ] Drop secret columns from `profiles`.
    - [ ] Rename `profiles` to `profiles_public` (optional, or just restrict access).
- [ ] **Create `page_collaborators` Table**:
    - [ ] Columns: `page_id` (FK), `user_id` (FK), `role` (enum: 'viewer', 'editor', 'owner'), `created_at`.
    - [ ] Add unique constraint on `(page_id, user_id)`.
- [ ] **RLS Policies Update**:
    - [ ] `user_secrets`: Enable RLS. Policy: `auth.uid() = user_id`.
    - [ ] `profiles`: Policy: Public read. Update strictly limited to owner.
    - [ ] `pages`: Policy:
        - Read: `is_public` OR `auth.uid() = owner` OR `auth.uid() IN (select user_id from page_collaborators)`.
        - Update: `auth.uid() = owner` OR `auth.uid() IN (select user_id from page_collaborators where role IN ('editor', 'owner'))`.

### Server Logic (Node/Hono)

- [ ] **Implement `ServingProduct` Endpoints** (Ref: [`server/src/products/serving/index.ts`](../server/src/products/serving/index.ts)):
    - [ ] `GET /api/feed`: Returns hydrated feed (Posts + Authors + Cover Images).
    - [ ] `GET /api/profile/:id`: Returns public profile + recent posts.
    - [ ] `GET /api/me/secrets`: (Secure) Returns user secrets for settings page.
- [ ] **Server-Side Injection**:
    - [ ] Update `handleServeApp` in [`ServingProduct`](../server/src/products/serving/index.ts) to pre-fetch User & Feed.
    - [ ] Inject into `index.html` as `window.__INITIAL_STATE__`.

---

## Client-Side Tasks

### `src/lib/db.ts` Refactor

- [ ] **Deprecate Direct Selects**: Identify all `supabase.from('posts').select(...)` calls in [`src/lib/db.ts`](../src/lib/db.ts).
- [ ] **Implement Proxy Clients**:
    - [ ] Create `fetchFeedFromProxy()` calling `/api/feed` in [`src/lib/db.ts`](../src/lib/db.ts).
    - [ ] Create `fetchProfileFromProxy(id)` calling `/api/profile/:id` in [`src/lib/db.ts`](../src/lib/db.ts).
- [ ] **Hydration Logic**:
    - [ ] Check `window.__INITIAL_STATE__` on app boot to populate React Query cache before fetching.

### Component Updates

- [ ] **Post Page**:
    - [ ] Use `fetchPostFromProxy` (or standard `db.fetchPostById` redirected to proxy) in [`src/pages/Post.tsx`](../src/pages/Post.tsx).
    - [ ] Handle 404s gracefully (See Security.md for details).
- [ ] **PageManager**:
    - [ ] Update [`src/components/PageManager.tsx`](../src/components/PageManager.tsx) to fetch "My Pages" AND "Shared Pages".
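
One way to write the `page_collaborators` table and the RLS policies from the Schema Changes tasks, with the collaborator check scoped to the page row being evaluated. This is an added sketch, not the project's own migration; it assumes `pages.id` is a uuid primary key and `user_secrets` already exists, and the enum name `page_role` and all policy names are hypothetical.

```sql
-- Added example. Assumed (not on the page): pages.id is a uuid primary key,
-- the enum name page_role, and every policy name.
create type page_role as enum ('viewer', 'editor', 'owner');

create table page_collaborators (
  page_id    uuid not null references pages (id) on delete cascade,
  user_id    uuid not null references auth.users (id) on delete cascade,
  role       page_role not null default 'viewer',
  created_at timestamptz not null default now(),
  unique (page_id, user_id)
);

-- Collaborator rows are themselves protected: a user sees only their own grants.
alter table page_collaborators enable row level security;
create policy collaborators_read_own on page_collaborators
  for select using (user_id = auth.uid());

-- Secrets: readable and writable only by the owning user.
alter table user_secrets enable row level security;
create policy user_secrets_owner_only on user_secrets
  for all using (auth.uid() = user_id) with check (auth.uid() = user_id);

alter table pages enable row level security;

-- Read: public pages, the owner, or a collaborator on THIS page.
-- The subquery is tied to the row being checked (pc.page_id = pages.id);
-- without that predicate a grant on one page would match every page.
create policy pages_read on pages
  for select using (
    is_public
    or auth.uid() = owner
    or exists (
      select 1 from page_collaborators pc
      where pc.page_id = pages.id and pc.user_id = auth.uid()
    )
  );

-- Update: the owner, or an editor/owner collaborator on this page.
create policy pages_update on pages
  for update using (
    auth.uid() = owner
    or exists (
      select 1 from page_collaborators pc
      where pc.page_id = pages.id
        and pc.user_id = auth.uid()
        and pc.role in ('editor', 'owner')
    )
  );
```

The update policy alone does not stop an editor from changing the `owner` column; restricting that needs a column-level privilege or a trigger.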