diff --git a/README.md b/README.md index b3b0c58..ecbfc20 100644 --- a/README.md +++ b/README.md @@ -4,239 +4,108 @@ A template for building AI-powered coding agents that supports Claude Code, Open ![Coding Agent Template Screenshot](screenshot.png) -## Changelog - -### Version 2.0.0 - Major Update: User Authentication & Security - -This release introduces **user authentication** and **major security improvements**, but contains **breaking changes** that require migration for existing deployments. - -#### New Features - -- **User Authentication System** - - Sign in with Vercel - - Sign in with GitHub - - Session management with encrypted tokens - - User profile management - -- **Multi-User Support** - - Each user has their own tasks and connectors - - Users can manage their own API keys (Anthropic, OpenAI, Cursor, Gemini, AI Gateway) - - GitHub account connection for repository access - -- **Security Enhancements** - - Per-user GitHub authentication - each user uses their own GitHub token instead of shared credentials - - All sensitive data (tokens, API keys, env vars) encrypted at rest - - Session-based authentication with JWT encryption - - User-scoped authorization - users can only access their own resources - -- **Database Enhancements** - - New `users` table for user profiles and OAuth accounts - - New `accounts` table for linked accounts (e.g., Vercel users connecting GitHub) - - New `keys` table for user-provided API keys - - Foreign key relationships ensure data integrity - - Soft delete support for tasks - -#### Breaking Changes - -**These changes require action if upgrading from v1.x:** - -1. **Database Schema Changes** - - `tasks` table now requires `userId` (foreign key to `users.id`) - - `connectors` table now requires `userId` (foreign key to `users.id`) - - `connectors.env` changed from `jsonb` to encrypted `text` - - Added `tasks.deletedAt` for soft deletes - -2. **API Changes** - - All API endpoints now require authentication - - Task creation requires `userId` in request body - - Tasks are now filtered by user ownership - - GitHub API access uses user's own GitHub token (no shared token fallback) - -3. **Environment Variables** - - **New Required Variables:** - - `JWE_SECRET`: Base64-encoded secret for session encryption (generate: `openssl rand -base64 32`) - - `ENCRYPTION_KEY`: 32-byte hex string for encrypting sensitive data (generate: `openssl rand -hex 32`) - - `NEXT_PUBLIC_AUTH_PROVIDERS`: Configure which auth providers to enable (`github`, `vercel`, or both) - - - **New OAuth Configuration (at least one required):** - - GitHub: `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, `NEXT_PUBLIC_GITHUB_CLIENT_ID` - - Vercel: `VERCEL_CLIENT_ID`, `VERCEL_CLIENT_SECRET` - - - **Changed Authentication:** - - `GITHUB_TOKEN` no longer used as fallback in API routes - - Users must connect their own GitHub account for repository access - - Each user's GitHub token is used for their requests - -4. **Authentication Required** - - All routes now require user authentication - - No anonymous access to tasks or API endpoints - - Users must sign in with GitHub or Vercel before creating tasks - -#### Migration Guide for Existing Deployments - -If you're upgrading from v1.x to v2.0.0, follow these steps: - -##### Step 1: Backup Your Database - -```bash -# Create a backup of your existing database -pg_dump $POSTGRES_URL > backup-before-v2-migration.sql -``` - -##### Step 2: Add Required Environment Variables - -Add these new variables to your `.env.local` or Vercel project settings: - -```bash -# Session encryption (REQUIRED) -JWE_SECRET=$(openssl rand -base64 32) -ENCRYPTION_KEY=$(openssl rand -hex 32) - -# Configure auth providers (REQUIRED - choose at least one) -NEXT_PUBLIC_AUTH_PROVIDERS=github # or "vercel" or "github,vercel" - -# GitHub OAuth (if using GitHub authentication) -GITHUB_CLIENT_ID=your_github_client_id -GITHUB_CLIENT_SECRET=your_github_client_secret -NEXT_PUBLIC_GITHUB_CLIENT_ID=your_github_client_id - -# Vercel OAuth (if using Vercel authentication) -VERCEL_CLIENT_ID=your_vercel_client_id -VERCEL_CLIENT_SECRET=your_vercel_client_secret -``` - -##### Step 3: Set Up OAuth Applications - -Create OAuth applications for your chosen authentication provider(s). See the [Setup](#4-set-up-oauth-applications) section for detailed instructions. - -##### Step 4: Prepare Database Migration - -Before running migrations, you need to handle existing data: - -**Option A: Fresh Start (Recommended for Development)** - -If you don't have production data to preserve: - -```bash -# Drop existing tables and start fresh -pnpm db:push --force - -# This will create all new tables with proper structure -``` - -**Option B: Preserve Existing Data (Production)** +## Deploy Your Own -If you have existing tasks/connectors to preserve: +You can deploy your own version of the coding agent template to Vercel with one click: -1. **Create a system user first:** +[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fvercel-labs%2Fcoding-agent-template&env=VERCEL_TEAM_ID,VERCEL_PROJECT_ID,VERCEL_TOKEN,JWE_SECRET,ENCRYPTION_KEY&envDescription=Required+environment+variables+for+the+coding+agent+template.+You+must+also+configure+at+least+one+OAuth+provider+(GitHub+or+Vercel)+after+deployment.+Optional+API+keys+can+be+added+later.&stores=%5B%7B%22type%22%3A%22postgres%22%7D%5D&project-name=coding-agent-template&repository-name=coding-agent-template) -```sql --- Connect to your database and run: -INSERT INTO users (id, provider, external_id, access_token, username, email, created_at, updated_at, last_login_at) -VALUES ( - 'system-user-migration', - 'github', - 'system-migration', - 'encrypted-placeholder-token', -- You'll need to encrypt a placeholder - 'System Migration User', - NULL, - NOW(), - NOW(), - NOW() -); -``` +**What happens during deployment:** +- **Automatic Database Setup**: A Neon Postgres database is automatically created and connected to your project +- **Environment Configuration**: You'll be prompted to provide required environment variables (Vercel credentials and encryption keys) +- **OAuth Setup**: After deployment, you'll need to configure at least one OAuth provider (GitHub or Vercel) in your project settings for user authentication -2. **Update existing records:** +## Features -```sql --- Add userId to existing tasks -ALTER TABLE tasks ADD COLUMN user_id TEXT; -UPDATE tasks SET user_id = 'system-user-migration' WHERE user_id IS NULL; -ALTER TABLE tasks ALTER COLUMN user_id SET NOT NULL; -ALTER TABLE tasks ADD CONSTRAINT tasks_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; +- **Multi-Agent Support**: Choose from Claude Code, OpenAI Codex CLI, Cursor CLI, Google Gemini CLI, or opencode to execute coding tasks +- **User Authentication**: Secure sign-in with GitHub or Vercel OAuth +- **Multi-User Support**: Each user has their own tasks, API keys, and GitHub connection +- **Vercel Sandbox**: Runs code in isolated, secure sandboxes ([docs](https://vercel.com/docs/vercel-sandbox)) +- **AI Gateway Integration**: Built for seamless integration with [Vercel AI Gateway](https://vercel.com/docs/ai-gateway) for model routing and observability +- **AI-Generated Branch Names**: Automatically generates descriptive Git branch names using AI SDK 5 + AI Gateway +- **Task Management**: Track task progress with real-time updates +- **Persistent Storage**: Tasks stored in Neon Postgres database +- **Git Integration**: Automatically creates branches and commits changes +- **Modern UI**: Clean, responsive interface built with Next.js and Tailwind CSS +- **MCP Server Support**: Connect MCP servers to Claude Code for extended capabilities (Claude only) --- Add userId to existing connectors -ALTER TABLE connectors ADD COLUMN user_id TEXT; -UPDATE connectors SET user_id = 'system-user-migration' WHERE user_id IS NULL; -ALTER TABLE connectors ALTER COLUMN user_id SET NOT NULL; -ALTER TABLE connectors ADD CONSTRAINT connectors_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; +## Quick Start --- Convert connector env from jsonb to encrypted text (requires app-level encryption) --- Note: You'll need to manually encrypt existing env values using your ENCRYPTION_KEY -``` +For detailed setup instructions, see the [Local Development Setup](#local-development-setup) section below. -3. **Run the standard migrations:** +**TL;DR:** +1. Click the "Deploy with Vercel" button above (automatic database setup!) +2. Configure OAuth (GitHub or Vercel) in your project settings +3. Users sign in and start creating tasks +Or run locally: ```bash -pnpm db:generate +git clone https://github.com/vercel-labs/coding-agent-template.git +cd coding-agent-template +pnpm install +# Set up .env.local with required variables pnpm db:push +pnpm dev ``` -##### Step 5: Update Your Code - -Pull the latest changes: - -```bash -git pull origin main -pnpm install -``` +## Usage -##### Step 6: Test Authentication +1. **Sign In**: Authenticate with GitHub or Vercel +2. **Create a Task**: Enter a repository URL and describe what you want the AI to do +3. **Monitor Progress**: Watch real-time logs as the agent works +4. **Review Results**: See the changes made and the branch created +5. **Manage Tasks**: View all your tasks in the sidebar with status updates -1. Start the development server: `pnpm dev` -2. Navigate to `http://localhost:3000` -3. Sign in with your configured OAuth provider -4. Verify you can create and view tasks +## How It Works -##### Step 7: Verify Security Fix +1. **Task Creation**: When you submit a task, it's stored in the database +2. **AI Branch Name Generation**: AI SDK 5 + AI Gateway automatically generates a descriptive branch name based on your task (non-blocking using Next.js 15's `after()`) +3. **Sandbox Setup**: A Vercel sandbox is created with your repository +4. **Agent Execution**: Your chosen coding agent (Claude Code, Codex CLI, Cursor CLI, Gemini CLI, or opencode) analyzes your prompt and makes changes +5. **Git Operations**: Changes are committed and pushed to the AI-generated branch +6. **Cleanup**: The sandbox is shut down to free resources -Confirm that: -- Users can only see their own tasks -- File diff/files endpoints require GitHub connection -- Users without GitHub connection see "GitHub authentication required" errors -- No `GITHUB_TOKEN` fallback is being used in API routes +## AI Branch Name Generation -#### Important Notes +The system automatically generates descriptive Git branch names using AI SDK 5 and Vercel AI Gateway. This feature: -- **All users will need to sign in** after this upgrade - no anonymous access -- **Existing tasks** will be owned by the system user if using Option B migration -- **Users must connect GitHub** (if they signed in with Vercel) to access repositories -- **API keys** can now be per-user - users can override global API keys in their profile -- **Breaking API changes**: If you have external integrations calling your API, they'll need to be updated to include authentication +- **Non-blocking**: Uses Next.js 15's `after()` function to generate names without delaying task creation +- **Descriptive**: Creates meaningful branch names like `feature/user-authentication-A1b2C3` or `fix/memory-leak-parser-X9y8Z7` +- **Conflict-free**: Adds a 6-character alphanumeric hash to prevent naming conflicts +- **Fallback**: Gracefully falls back to timestamp-based names if AI generation fails +- **Context-aware**: Uses task description, repository name, and agent context for better names -#### Security Improvements +### Branch Name Examples -With the introduction of multi-user authentication, the system now properly isolates user access: +- `feature/add-user-auth-K3mP9n` (for "Add user authentication with JWT") +- `fix/resolve-memory-leak-B7xQ2w` (for "Fix memory leak in image processing") +- `chore/update-deps-M4nR8s` (for "Update all project dependencies") +- `docs/api-endpoints-F9tL5v` (for "Document REST API endpoints") -- Each user uses their own GitHub token (not a shared credential) -- Users can only access repositories they have permission for -- Proper user-scoped authorization enforced throughout the application -- All sensitive data encrypted at rest with per-user encryption +## Tech Stack -## Deploy Your Own +- **Frontend**: Next.js 15, React 19, Tailwind CSS +- **UI Components**: shadcn/ui +- **Database**: PostgreSQL with Drizzle ORM +- **AI SDK**: AI SDK 5 with Vercel AI Gateway integration +- **AI Agents**: Claude Code, OpenAI Codex CLI, Cursor CLI, Google Gemini CLI, opencode +- **Sandbox**: [Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) +- **Authentication**: Next Auth (OAuth with GitHub/Vercel) +- **Git**: Automated branching and commits with AI-generated branch names -You can deploy your own version of the coding agent template to Vercel with one click: +## MCP Server Support -[![Deploy with Vercel](https://vercel.com/button)](https://vercel.com/new/clone?repository-url=https%3A%2F%2Fgithub.com%2Fvercel-labs%2Fcoding-agent-template&env=VERCEL_TEAM_ID,VERCEL_PROJECT_ID,VERCEL_TOKEN,JWE_SECRET,ENCRYPTION_KEY&envDescription=Required+environment+variables+for+the+coding+agent+template.+You+must+also+configure+at+least+one+OAuth+provider+(GitHub+or+Vercel)+after+deployment.+Optional+API+keys+can+be+added+later.&stores=%5B%7B%22type%22%3A%22postgres%22%7D%5D&project-name=coding-agent-template&repository-name=coding-agent-template) +Connect MCP Servers to extend Claude Code with additional tools and integrations. **Currently only works with Claude Code agent.** -**What happens during deployment:** -- **Automatic Database Setup**: A Neon Postgres database is automatically created and connected to your project -- **Environment Configuration**: You'll be prompted to provide required environment variables (Vercel credentials and encryption keys) -- **OAuth Setup**: After deployment, you'll need to configure at least one OAuth provider (GitHub or Vercel) in your project settings for user authentication +### How to Add MCP Servers -## Features +1. Go to the "Connectors" tab and click "Add MCP Server" +2. Enter server details (name, base URL, optional OAuth credentials) +3. If using OAuth, ensure `ENCRYPTION_KEY` is set in your environment variables -- **Multi-Agent Support**: Choose from Claude Code, OpenAI Codex CLI, Cursor CLI, Google Gemini CLI, or opencode to execute coding tasks -- **Vercel Sandbox**: Runs code in isolated, secure sandboxes ([docs](https://vercel.com/docs/vercel-sandbox)) -- **AI Gateway Integration**: Built for seamless integration with [Vercel AI Gateway](https://vercel.com/docs/ai-gateway) for model routing and observability -- **AI-Generated Branch Names**: Automatically generates descriptive Git branch names using AI SDK 5 + AI Gateway -- **Task Management**: Track task progress with real-time updates -- **Persistent Storage**: Tasks stored in Neon Postgres database -- **Git Integration**: Automatically creates branches and commits changes -- **Modern UI**: Clean, responsive interface built with Next.js and Tailwind CSS -- **MCP Server Support**: Connect MCP servers to Claude Code for extended capabilities (Claude only) +**Note**: `ENCRYPTION_KEY` is required when using MCP servers with OAuth authentication. -## Setup +## Local Development Setup ### 1. Clone the repository @@ -331,7 +200,6 @@ These API keys can be set globally (fallback for all users) or left unset to req #### Optional Environment Variables - `NPM_TOKEN`: For private npm packages -- `GITHUB_TOKEN`: Only needed if you want to provide fallback repository access for Vercel users who haven't connected GitHub ### 4. Set up OAuth Applications @@ -379,72 +247,6 @@ pnpm dev Open [http://localhost:3000](http://localhost:3000) in your browser. -## Usage - -1. **Create a Task**: Enter a repository URL and describe what you want the AI to do -2. **Monitor Progress**: Watch real-time logs as the agent works -3. **Review Results**: See the changes made and the branch created -4. **Manage Tasks**: View all your tasks in the sidebar with status updates - -## How It Works - -1. **Task Creation**: When you submit a task, it's stored in the database -2. **AI Branch Name Generation**: AI SDK 5 + AI Gateway automatically generates a descriptive branch name based on your task (non-blocking using Next.js 15's `after()`) -3. **Sandbox Setup**: A Vercel sandbox is created with your repository -4. **Agent Execution**: Your chosen coding agent (Claude Code, Codex CLI, Cursor CLI, Gemini CLI, or opencode) analyzes your prompt and makes changes -5. **Git Operations**: Changes are committed and pushed to the AI-generated branch -6. **Cleanup**: The sandbox is shut down to free resources - -## Environment Variables - -See the [Set up environment variables](#3-set-up-environment-variables) section above for a complete guide. - -**Key Points:** -- **Infrastructure**: Set `VERCEL_TOKEN`, `VERCEL_TEAM_ID`, `VERCEL_PROJECT_ID`, `JWE_SECRET`, and `ENCRYPTION_KEY` as the app developer (database is auto-provisioned on Vercel) -- **Authentication**: Configure at least one OAuth method (Vercel or GitHub) for user sign-in -- **API Keys**: Can be set globally or left for users to provide their own (per-user keys take precedence) -- **GitHub Access**: Users authenticate with their own GitHub accounts - no shared `GITHUB_TOKEN` needed! - -## AI Branch Name Generation - -The system automatically generates descriptive Git branch names using AI SDK 5 and Vercel AI Gateway. This feature: - -- **Non-blocking**: Uses Next.js 15's `after()` function to generate names without delaying task creation -- **Descriptive**: Creates meaningful branch names like `feature/user-authentication-A1b2C3` or `fix/memory-leak-parser-X9y8Z7` -- **Conflict-free**: Adds a 6-character alphanumeric hash to prevent naming conflicts -- **Fallback**: Gracefully falls back to timestamp-based names if AI generation fails -- **Context-aware**: Uses task description, repository name, and agent context for better names - -### Branch Name Examples - -- `feature/add-user-auth-K3mP9n` (for "Add user authentication with JWT") -- `fix/resolve-memory-leak-B7xQ2w` (for "Fix memory leak in image processing") -- `chore/update-deps-M4nR8s` (for "Update all project dependencies") -- `docs/api-endpoints-F9tL5v` (for "Document REST API endpoints") - -## Tech Stack - -- **Frontend**: Next.js 15, React 19, Tailwind CSS -- **UI Components**: shadcn/ui -- **Database**: PostgreSQL with Drizzle ORM -- **AI SDK**: AI SDK 5 with Vercel AI Gateway integration -- **AI Agents**: Claude Code, OpenAI Codex CLI, Cursor CLI, Google Gemini CLI, opencode -- **Sandbox**: [Vercel Sandbox](https://vercel.com/docs/vercel-sandbox) -- **Git**: Automated branching and commits with AI-generated branch names - -## MCP Server Support - -Connect MCP Servers to extend Claude Code with additional tools and integrations. **Currently only works with Claude Code agent.** - -### How to Add MCP Servers - -1. Go to the "Connectors" tab and click "Add MCP Server" -2. Enter server details (name, base URL, optional OAuth credentials) -3. If using OAuth, generate encryption key: `openssl rand -hex 32` -4. Add to `.env.local`: `ENCRYPTION_KEY=your-32-byte-hex-key` - -**Note**: `ENCRYPTION_KEY` is only required when using MCP servers with OAuth authentication. - ## Development ### Database Operations @@ -487,4 +289,206 @@ pnpm start - **API Keys**: Rotate your API keys regularly and use the principle of least privilege. - **Database Access**: Ensure your PostgreSQL database is properly secured with strong credentials. - **Vercel Sandbox**: Sandboxes are isolated but ensure you're not exposing sensitive data in logs or outputs. -- **GitHub Token**: Use a personal access token with minimal required permissions for repository access. +- **User Authentication**: Each user uses their own GitHub token for repository access - no shared credentials +- **Encryption**: All sensitive data (tokens, API keys) is encrypted at rest using per-user encryption + +## Changelog + +### Version 2.0.0 - Major Update: User Authentication & Security + +This release introduces **user authentication** and **major security improvements**, but contains **breaking changes** that require migration for existing deployments. + +#### New Features + +- **User Authentication System** + - Sign in with Vercel + - Sign in with GitHub + - Session management with encrypted tokens + - User profile management + +- **Multi-User Support** + - Each user has their own tasks and connectors + - Users can manage their own API keys (Anthropic, OpenAI, Cursor, Gemini, AI Gateway) + - GitHub account connection for repository access + +- **Security Enhancements** + - Per-user GitHub authentication - each user uses their own GitHub token instead of shared credentials + - All sensitive data (tokens, API keys, env vars) encrypted at rest + - Session-based authentication with JWT encryption + - User-scoped authorization - users can only access their own resources + +- **Database Enhancements** + - New `users` table for user profiles and OAuth accounts + - New `accounts` table for linked accounts (e.g., Vercel users connecting GitHub) + - New `keys` table for user-provided API keys + - Foreign key relationships ensure data integrity + - Soft delete support for tasks + +#### Breaking Changes + +**These changes require action if upgrading from v1.x:** + +1. **Database Schema Changes** + - `tasks` table now requires `userId` (foreign key to `users.id`) + - `connectors` table now requires `userId` (foreign key to `users.id`) + - `connectors.env` changed from `jsonb` to encrypted `text` + - Added `tasks.deletedAt` for soft deletes + +2. **API Changes** + - All API endpoints now require authentication + - Task creation requires `userId` in request body + - Tasks are now filtered by user ownership + - GitHub API access uses user's own GitHub token (no shared token fallback) + +3. **Environment Variables** + - **New Required Variables:** + - `JWE_SECRET`: Base64-encoded secret for session encryption (generate: `openssl rand -base64 32`) + - `ENCRYPTION_KEY`: 32-byte hex string for encrypting sensitive data (generate: `openssl rand -hex 32`) + - `NEXT_PUBLIC_AUTH_PROVIDERS`: Configure which auth providers to enable (`github`, `vercel`, or both) + + - **New OAuth Configuration (at least one required):** + - GitHub: `GITHUB_CLIENT_ID`, `GITHUB_CLIENT_SECRET`, `NEXT_PUBLIC_GITHUB_CLIENT_ID` + - Vercel: `VERCEL_CLIENT_ID`, `VERCEL_CLIENT_SECRET` + + - **Changed Authentication:** + - `GITHUB_TOKEN` no longer used as fallback in API routes + - Users must connect their own GitHub account for repository access + - Each user's GitHub token is used for their requests + +4. **Authentication Required** + - All routes now require user authentication + - No anonymous access to tasks or API endpoints + - Users must sign in with GitHub or Vercel before creating tasks + +#### Migration Guide for Existing Deployments + +If you're upgrading from v1.x to v2.0.0, follow these steps: + +##### Step 1: Backup Your Database + +```bash +# Create a backup of your existing database +pg_dump $POSTGRES_URL > backup-before-v2-migration.sql +``` + +##### Step 2: Add Required Environment Variables + +Add these new variables to your `.env.local` or Vercel project settings: + +```bash +# Session encryption (REQUIRED) +JWE_SECRET=$(openssl rand -base64 32) +ENCRYPTION_KEY=$(openssl rand -hex 32) + +# Configure auth providers (REQUIRED - choose at least one) +NEXT_PUBLIC_AUTH_PROVIDERS=github # or "vercel" or "github,vercel" + +# GitHub OAuth (if using GitHub authentication) +GITHUB_CLIENT_ID=your_github_client_id +GITHUB_CLIENT_SECRET=your_github_client_secret +NEXT_PUBLIC_GITHUB_CLIENT_ID=your_github_client_id + +# Vercel OAuth (if using Vercel authentication) +VERCEL_CLIENT_ID=your_vercel_client_id +VERCEL_CLIENT_SECRET=your_vercel_client_secret +``` + +##### Step 3: Set Up OAuth Applications + +Create OAuth applications for your chosen authentication provider(s). See the [Local Development Setup](#local-development-setup) section for detailed instructions. + +##### Step 4: Prepare Database Migration + +Before running migrations, you need to handle existing data: + +**Option A: Fresh Start (Recommended for Development)** + +If you don't have production data to preserve: + +```bash +# Drop existing tables and start fresh +pnpm db:push --force + +# This will create all new tables with proper structure +``` + +**Option B: Preserve Existing Data (Production)** + +If you have existing tasks/connectors to preserve: + +1. **Create a system user first:** + +```sql +-- Connect to your database and run: +INSERT INTO users (id, provider, external_id, access_token, username, email, created_at, updated_at, last_login_at) +VALUES ( + 'system-user-migration', + 'github', + 'system-migration', + 'encrypted-placeholder-token', -- You'll need to encrypt a placeholder + 'System Migration User', + NULL, + NOW(), + NOW(), + NOW() +); +``` + +2. **Update existing records:** + +```sql +-- Add userId to existing tasks +ALTER TABLE tasks ADD COLUMN user_id TEXT; +UPDATE tasks SET user_id = 'system-user-migration' WHERE user_id IS NULL; +ALTER TABLE tasks ALTER COLUMN user_id SET NOT NULL; +ALTER TABLE tasks ADD CONSTRAINT tasks_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; + +-- Add userId to existing connectors +ALTER TABLE connectors ADD COLUMN user_id TEXT; +UPDATE connectors SET user_id = 'system-user-migration' WHERE user_id IS NULL; +ALTER TABLE connectors ALTER COLUMN user_id SET NOT NULL; +ALTER TABLE connectors ADD CONSTRAINT connectors_user_id_fkey FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE; + +-- Convert connector env from jsonb to encrypted text (requires app-level encryption) +-- Note: You'll need to manually encrypt existing env values using your ENCRYPTION_KEY +``` + +3. **Run the standard migrations:** + +```bash +pnpm db:generate +pnpm db:push +``` + +##### Step 5: Update Your Code + +Pull the latest changes: + +```bash +git pull origin main +pnpm install +``` + +##### Step 6: Test Authentication + +1. Start the development server: `pnpm dev` +2. Navigate to `http://localhost:3000` +3. Sign in with your configured OAuth provider +4. Verify you can create and view tasks + +##### Step 7: Verify Security Fix + +Confirm that: +- Users can only see their own tasks +- File diff/files endpoints require GitHub connection +- Users without GitHub connection see "GitHub authentication required" errors +- No `GITHUB_TOKEN` fallback is being used in API routes + +#### Important Notes + +- **All users will need to sign in** after this upgrade - no anonymous access +- **Existing tasks** will be owned by the system user if using Option B migration +- **Users must connect GitHub** (if they signed in with Vercel) to access repositories +- **API keys** can now be per-user - users can override global API keys in their profile +- **Breaking API changes**: If you have external integrations calling your API, they'll need to be updated to include authentication +