+
+ );
+};
+```
+
+### 2.4 Chat Message Component
+
+```tsx
+// src/components/chat/ChatMessage.tsx
+import React from 'react';
+import { ChatMessage as ChatMessageType } from '@/types/chat';
+import { ToolCallDisplay } from './ToolCallDisplay';
+import ReactMarkdown from 'react-markdown';
+
+interface Props {
+ message: ChatMessageType;
+}
+
+export const ChatMessage: React.FC
+ {messages.length === 0 ? (
+
+
+
+
+
+ ) : (
+ messages.map((message) => (
+ Ask me anything!
+
+ I can help you create projects, suggest configurations,
+ and deploy your applications to the cloud.
+
+
+ );
+};
+```
+
+### 2.5 Chat Input Component
+
+```tsx
+// src/components/chat/ChatInput.tsx
+import React, { useState } from 'react';
+import { useChatStore } from '@/stores/chatStore';
+import { useAiAssistant } from '@/hooks/useAiAssistant';
+
+export const ChatInput: React.FC = () => {
+ const [input, setInput] = useState('');
+ const isProcessing = useChatStore((state) => state.isProcessing);
+ const { sendMessage } = useAiAssistant();
+
+ const handleSubmit = async (e: React.FormEvent) => {
+ e.preventDefault();
+ if (!input.trim() || isProcessing) return;
+
+ await sendMessage(input);
+ setInput('');
+ };
+
+ return (
+
+ );
+};
+
+const QuickAction: React.FC<{ action: string }> = ({ action }) => {
+ const { sendMessage } = useAiAssistant();
+
+ return (
+
+ );
+};
+```
+
+---
+
+## Phase 3: AI Assistant Hook (Week 3)
+
+### 3.1 AI Assistant Logic
+
+```typescript
+// src/hooks/useAiAssistant.ts
+import { useMcp } from '@/contexts/McpContext';
+import { useChatStore } from '@/stores/chatStore';
+import { OpenAI } from 'openai';
+
+const openai = new OpenAI({
+ apiKey: process.env.REACT_APP_OPENAI_API_KEY,
+ dangerouslyAllowBrowser: true // Only for demo; use backend proxy in production
+});
+
+export const useAiAssistant = () => {
+ const { client } = useMcp();
+ const addMessage = useChatStore((state) => state.addMessage);
+ const updateMessage = useChatStore((state) => state.updateMessage);
+ const setProcessing = useChatStore((state) => state.setProcessing);
+ const context = useChatStore((state) => state.context);
+ const messages = useChatStore((state) => state.messages);
+
+ const sendMessage = async (userMessage: string) => {
+ if (!client?.isConnected()) {
+ addMessage({
+ role: 'system',
+ content: 'MCP connection lost. Please refresh the page.',
+ });
+ return;
+ }
+
+ // Add user message
+ addMessage({
+ role: 'user',
+ content: userMessage,
+ });
+
+ setProcessing(true);
+
+ try {
+ // Get available tools from MCP server
+ const tools = await client.listTools();
+
+ // Convert MCP tools to OpenAI function format
+ const openaiTools = tools.map((tool) => ({
+ type: 'function' as const,
+ function: {
+ name: tool.name,
+ description: tool.description,
+ parameters: tool.inputSchema,
+ },
+ }));
+
+ // Build conversation history for OpenAI
+ const conversationMessages = [
+ {
+ role: 'system' as const,
+ content: buildSystemPrompt(context),
+ },
+ ...messages.slice(-10).map((msg) => ({
+ role: msg.role as 'user' | 'assistant',
+ content: msg.content,
+ })),
+ {
+ role: 'user' as const,
+ content: userMessage,
+ },
+ ];
+
+ // Call OpenAI with tools
+ const response = await openai.chat.completions.create({
+ model: 'gpt-4-turbo-preview',
+ messages: conversationMessages,
+ tools: openaiTools,
+ tool_choice: 'auto',
+ });
+
+ const assistantMessage = response.choices[0].message;
+
+ // Handle tool calls
+ if (assistantMessage.tool_calls) {
+ const messageId = crypto.randomUUID();
+
+ addMessage({
+ role: 'assistant',
+ content: 'Let me help you with that...',
+ toolCalls: assistantMessage.tool_calls.map((tc) => ({
+ id: tc.id,
+ toolName: tc.function.name,
+ arguments: JSON.parse(tc.function.arguments),
+ status: 'pending' as const,
+ })),
+ });
+
+ // Execute tools via MCP
+ for (const toolCall of assistantMessage.tool_calls) {
+ try {
+ const result = await client.callTool(
+ toolCall.function.name,
+ JSON.parse(toolCall.function.arguments)
+ );
+
+ updateMessage(messageId, {
+ toolCalls: assistantMessage.tool_calls.map((tc) =>
+ tc.id === toolCall.id
+ ? {
+ id: tc.id,
+ toolName: tc.function.name,
+ arguments: JSON.parse(tc.function.arguments),
+ result: {
+ success: !result.isError,
+ data: result.content[0].text,
+ },
+ status: 'completed' as const,
+ }
+ : tc
+ ),
+ });
+
+ // Parse result and update context
+ if (toolCall.function.name === 'create_project' && result.content[0].text) {
+ const project = JSON.parse(result.content[0].text);
+ useChatStore.getState().setContext({
+ currentProject: {
+ id: project.id,
+ name: project.name,
+ apps: project.apps,
+ },
+ });
+ }
+ } catch (error) {
+ updateMessage(messageId, {
+ toolCalls: assistantMessage.tool_calls.map((tc) =>
+ tc.id === toolCall.id
+ ? {
+ id: tc.id,
+ toolName: tc.function.name,
+ arguments: JSON.parse(tc.function.arguments),
+ result: {
+ success: false,
+ error: error instanceof Error ? error.message : 'Unknown error',
+ },
+ status: 'failed' as const,
+ }
+ : tc
+ ),
+ });
+ }
+ }
+
+ // Get final response after tool execution
+ const finalResponse = await openai.chat.completions.create({
+ model: 'gpt-4-turbo-preview',
+ messages: [
+ ...conversationMessages,
+ assistantMessage,
+ ...assistantMessage.tool_calls.map((tc) => ({
+ role: 'tool' as const,
+ tool_call_id: tc.id,
+ content: 'Tool executed successfully',
+ })),
+ ],
+ });
+
+ addMessage({
+ role: 'assistant',
+ content: finalResponse.choices[0].message.content || 'Done!',
+ });
+ } else {
+ // No tool calls, just add assistant response
+ addMessage({
+ role: 'assistant',
+ content: assistantMessage.content || 'I understand. How can I help further?',
+ });
+ }
+ } catch (error) {
+ addMessage({
+ role: 'system',
+ content: `Error: ${error instanceof Error ? error.message : 'Unknown error'}`,
+ });
+ } finally {
+ setProcessing(false);
+ }
+ };
+
+ return { sendMessage };
+};
+
+function buildSystemPrompt(context: any): string {
+ return `You are an AI assistant for the Stacker platform, helping users build and deploy Docker-based application stacks.
+
+Current context:
+${context.currentProject ? `- Working on project: "${context.currentProject.name}" (ID: ${context.currentProject.id})` : '- No active project'}
+${context.lastAction ? `- Last action: ${context.lastAction}` : ''}
+
+You can help users with:
+1. Creating new projects with multiple services
+2. Suggesting appropriate resource limits (CPU, RAM, storage)
+3. Listing available templates (WordPress, Node.js, Django, etc.)
+4. Deploying projects to cloud providers
+5. Managing cloud credentials
+6. Validating domains and ports
+
+Always be helpful, concise, and guide users through multi-step processes one step at a time.
+When creating projects, ask for all necessary details before calling the create_project tool.`;
+}
+```
+
+---
+
+## Phase 4: Form Integration (Week 4)
+
+### 4.1 Enhanced Project Form with AI
+
+```tsx
+// src/components/project/ProjectFormWithAI.tsx
+import React, { useState } from 'react';
+import { useChatStore } from '@/stores/chatStore';
+import { ChatSidebar } from '@/components/chat/ChatSidebar';
+import { ProjectForm } from '@/components/project/ProjectForm';
+
+export const ProjectFormWithAI: React.FC = () => {
+ const [showChat, setShowChat] = useState(true);
+ const context = useChatStore((state) => state.context);
+
+ // Auto-fill form from AI context
+ const formData = context.currentProject || {
+ name: '',
+ apps: [],
+ };
+
+ return (
+
+ {!isUser && (
+
+
+
+ AI Assistant
+
+ )}
+
+
+ {message.content}
+
+
+ {message.toolCalls && message.toolCalls.length > 0 && (
+
+ {message.toolCalls.map((toolCall) => (
+
+ )}
+
+
+ {message.timestamp.toLocaleTimeString()}
+
+
+ {/* Main Form Area */}
+
+ );
+};
+```
+
+### 4.2 Progressive Form Steps
+
+```tsx
+// src/components/project/ProgressiveProjectForm.tsx
+import React, { useState } from 'react';
+import { useAiAssistant } from '@/hooks/useAiAssistant';
+import { useChatStore } from '@/stores/chatStore';
+
+const STEPS = [
+ { id: 1, name: 'Basic Info', description: 'Project name and description' },
+ { id: 2, name: 'Services', description: 'Add applications and Docker images' },
+ { id: 3, name: 'Resources', description: 'Configure CPU, RAM, and storage' },
+ { id: 4, name: 'Networking', description: 'Set up domains and ports' },
+ { id: 5, name: 'Review', description: 'Review and deploy' },
+];
+
+export const ProgressiveProjectForm: React.FC = () => {
+ const [currentStep, setCurrentStep] = useState(1);
+ const context = useChatStore((state) => state.context);
+ const { sendMessage } = useAiAssistant();
+
+ const project = context.currentProject || {
+ name: '',
+ description: '',
+ apps: [],
+ };
+
+ const handleAiSuggestion = (prompt: string) => {
+ sendMessage(prompt);
+ };
+
+ return (
+
+
+
+ {/* Chat Sidebar */}
+ {showChat && (
+
+
+
+
+
+ Create New Project
+ +
+
+ )}
+
+ {/* Progress Stepper */}
+
+ );
+};
+```
+
+---
+
+## Phase 5: Testing & Optimization (Week 5)
+
+### 5.1 Unit Tests
+
+```typescript
+// src/lib/mcp/__tests__/client.test.ts
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { StackerMcpClient } from '../client';
+
+describe('StackerMcpClient', () => {
+ let client: StackerMcpClient;
+
+ beforeEach(() => {
+ client = new StackerMcpClient({
+ url: 'ws://localhost:8000/mcp',
+ authToken: 'test-token',
+ });
+ });
+
+ afterEach(async () => {
+ if (client.isConnected()) {
+ await client.disconnect();
+ }
+ });
+
+ it('should connect successfully', async () => {
+ await client.connect();
+ expect(client.isConnected()).toBe(true);
+ });
+
+ it('should list available tools', async () => {
+ await client.connect();
+ const tools = await client.listTools();
+
+ expect(tools).toBeInstanceOf(Array);
+ expect(tools.length).toBeGreaterThan(0);
+ expect(tools[0]).toHaveProperty('name');
+ expect(tools[0]).toHaveProperty('description');
+ });
+
+ it('should call create_project tool', async () => {
+ await client.connect();
+
+ const result = await client.callTool('create_project', {
+ name: 'Test Project',
+ apps: [
+ {
+ name: 'web',
+ dockerImage: { repository: 'nginx' },
+ },
+ ],
+ });
+
+ expect(result.content).toBeInstanceOf(Array);
+ expect(result.isError).toBeFalsy();
+ });
+});
+```
+
+### 5.2 Integration Tests
+
+```typescript
+// src/components/chat/__tests__/ChatSidebar.integration.test.tsx
+import { render, screen, waitFor } from '@testing-library/react';
+import userEvent from '@testing-library/user-event';
+import { ChatSidebar } from '../ChatSidebar';
+import { McpProvider } from '@/contexts/McpContext';
+
+describe('ChatSidebar Integration', () => {
+ it('should send message and receive response', async () => {
+ render(
+
+
+
+ {/* AI Suggestions */}
+
+ {STEPS.map((step, index) => (
+
+
+
+ ))}
+
+
+
+ {step.id < currentStep ? '✓' : step.id}
+
+ {step.name}
+ {step.description}
+
+
+
+ {/* Step Content */}
+
+
+
+
+
+ + AI Suggestion for Step {currentStep}: +
+ {currentStep === 1 && ( + + )} + {currentStep === 2 && ( + + )} + {currentStep === 3 && ( + + )} +
+ {currentStep === 1 &&
+
+ {/* Navigation */}
+
+
+
+
+ 
+
+# Technical Requirements: TryDirect Marketplace Implementation
+
+**Document Date:** 2025-12-29
+**Target:** Backend \& Frontend Development Teams
+**Dependencies:** Marketplace schema (`marketplace_schema.sql`) deployed
+
+***
+
+## 1. Core Workflows
+
+### **Workflow 1: Template Creation \& Submission (Stack Builder)**
+
+1. User builds stack in Stack Builder and clicks **"Publish to Marketplace"**
+2. System extracts current project configuration as `stack_definition` (JSONB)
+3. Frontend presents submission form → calls `POST /api/templates`
+4. Backend creates `stack_template` record with `status = 'draft'`
+5. User fills metadata → clicks **"Submit for Review"** → `status = 'submitted'`
+
+### **Workflow 2: Admin Moderation**
+
+1. Admin views `/admin/templates?status=submitted`
+2. For each template: review `stack_definition`, run security checks
+3. Admin approves (`POST /api/admin/templates/{id}/approve`) or rejects with reason
+4. On approval: `status = 'approved'`, create `stack_template_review` record
+
+### **Workflow 3: Marketplace Browsing \& Deployment**
+
+1. User visits `/applications` → lists `approved` templates
+2. User clicks **"Deploy this stack"** → `GET /api/templates/{slug}`
+3. Frontend loads latest `stack_template_version.stack_definition` into Stack Builder
+4. New `project` created with `source_template_id` populated
+5. User customizes and deploys normally
+
+### **Workflow 4: Paid Template Purchase**
+
+1. User selects paid template → redirected to Stripe checkout
+2. On success: create `template_purchase` record
+3. Unlock access → allow deployment
+
+***
+
+## 2. Backend API Specifications
+
+### **Public Endpoints (no auth)**
+
+```
+GET /api/templates # List approved templates (paginated)
+ ?category=AI+Agents&tag=n8n&sort=popular
+GET /api/templates/{slug} # Single template details + latest version
+```
+
+**Response Structure:**
+
+```
+{
+ "id": "uuid",
+ "slug": "ai-agent-starter",
+ "name": "AI Agent Starter Stack",
+ "short_description": "...",
+ "long_description": "...",
+ "status": "approved",
+ "creator": {"id": "user-123", "name": "Alice Dev"},
+ "category": {"id": 1, "name": "AI Agents"},
+ "tags": ["ai", "n8n", "qdrant"],
+ "tech_stack": {"services": ["n8n", "Qdrant"]},
+ "stats": {
+ "deploy_count": 142,
+ "average_rating": 4.7,
+ "view_count": 2500
+ },
+ "pricing": {
+ "plan_type": "free",
+ "price": null
+ },
+ "latest_version": {
+ "version": "1.0.2",
+ "stack_definition": {...} // Full YAML/JSON
+ }
+}
+```
+
+
+### **Authenticated Creator Endpoints**
+
+```
+POST /api/templates # Create draft from current project
+PUT /api/templates/{id} # Edit metadata (only draft/rejected)
+POST /api/templates/{id}/submit # Submit for review
+GET /api/templates/mine # User's templates + status
+```
+
+
+### **Admin Endpoints**
+
+```
+GET /api/admin/templates?status=submitted # Pending review
+POST /api/admin/templates/{id}/approve # Approve template
+POST /api/admin/templates/{id}/reject # Reject with reason
+```
+
+
+***
+
+## 3. Frontend Integration Points
+
+### **Stack Builder (Project Detail Page)**
+
+**New Panel: "Publish to Marketplace"**
+
+```
+[ ] I confirm this stack contains no secrets/API keys
+
+📝 Name: [AI Agent Starter Stack]
+🏷️ Category: [AI Agents ▼]
+🔖 Tags: [n8n] [qdrant] [ollama] [+ Add tag]
+📄 Short Description: [Deploy production-ready...]
+💰 Pricing: [Free ○] [One-time $29 ●] [Subscription $9/mo ○]
+
+Status: [Not submitted] [In review] [Approved! View listing]
+[Submit for Review] [Edit Draft]
+```
+
+
+### **Applications Page (`/applications`)**
+
+**Template Card Structure:**
+
+```
+[Icon] AI Agent Starter Stack
+"Deploy n8n + Qdrant + Ollama in 5 minutes"
+⭐ 4.7 (28) 🚀 142 deploys 👀 2.5k views
+By Alice Dev • AI Agents • n8n qdrant ollama
+[Free] [Deploy this stack] [View details]
+```
+
+
+### **Admin Dashboard**
+
+**Template Review Interface:**
+
+```
+Template: AI Agent Starter Stack v1.0.0
+Status: Submitted 2h ago
+Creator: Alice Dev
+
+[View Stack Definition] [Security Scan] [Test Deploy]
+
+Security Checklist:
+☐ No secrets detected
+☐ Valid Docker syntax
+☐ No malicious code
+[Notes] [Approve] [Reject] [Request Changes]
+```
+
+
+***
+
+## 4. Data Structures \& Field Constraints
+
+### **`stack_template` Table**
+
+| Field | Type | Constraints | Description |
+| :-- | :-- | :-- | :-- |
+| `id` | UUID | PK | Auto-generated |
+| `creator_user_id` | VARCHAR(50) | FK `users(id)` | Template owner |
+| `name` | VARCHAR(255) | NOT NULL | Display name |
+| `slug` | VARCHAR(255) | UNIQUE | URL: `/applications/{slug}` |
+| `status` | VARCHAR(50) | CHECK: draft\|submitted\|... | Lifecycle state |
+| `plan_type` | VARCHAR(50) | CHECK: free\|one_time\|subscription | Pricing model |
+| `tags` | JSONB | DEFAULT `[]` | `["n8n", "qdrant"]` |
+
+### **`stack_template_version` Table**
+
+| Field | Type | Constraints | Description |
+| :-- | :-- | :-- | :-- |
+| `template_id` | UUID | FK | Links to template |
+| `version` | VARCHAR(20) | UNIQUE w/ template_id | Semver: "1.0.2" |
+| `stack_definition` | JSONB | NOT NULL | Docker Compose YAML as JSON |
+| `is_latest` | BOOLEAN | DEFAULT false | Only one true per template |
+
+### **Status Value Constraints**
+
+```
+stack_template.status: ['draft', 'submitted', 'under_review', 'approved', 'rejected', 'deprecated']
+stack_template_review.decision: ['pending', 'approved', 'rejected', 'needs_changes']
+stack_template.plan_type: ['free', 'one_time', 'subscription']
+```
+
+
+***
+
+## 5. Security \& Validation Requirements
+
+### **Template Submission Validation**
+
+1. **Secret Scanning**: Regex check for API keys, passwords in `stack_definition`
+2. **Docker Syntax**: Parse YAML, validate service names/ports/volumes
+3. **Resource Limits**: Reject templates requiring >64GB RAM
+4. **Malware Scan**: Check docker images against vulnerability DB
+
+### **Review Checklist Fields** (`security_checklist` JSONB)
+
+```
+{
+ "no_secrets": true,
+ "no_hardcoded_creds": true,
+ "valid_docker_syntax": true,
+ "no_malicious_code": true,
+ "reasonable_resources": true
+}
+```
+
+
+### **Casbin Permissions** (extend existing rules)
+
+```
+# Creators manage their templates
+p, creator_user_id, stack_template, edit, template_id
+p, creator_user_id, stack_template, delete, template_id
+
+# Admins review/approve
+p, admin, stack_template, approve, *
+p, admin, stack_template_review, create, *
+
+# Public read approved templates
+p, *, stack_template, read, status=approved
+```
+
+
+***
+
+## 6. Analytics \& Metrics
+
+### **Template Stats (updated via triggers)**
+
+- `deploy_count`: Count `project` records with `source_template_id`
+- `average_rating`: AVG from `stack_template_rating`
+- `view_count`: Increment on `GET /api/templates/{slug}`
+
+
+### **Creator Dashboard Metrics**
+
+```
+Your Templates (3)
+• AI Agent Stack: 142 deploys, $1,240 earned
+• RAG Pipeline: 28 deploys, $420 earned
+• Data ETL: 5 deploys, $0 earned (free)
+
+Total Revenue: $1,660 (80% share)
+```
+
+
+***
+
+## 7. Integration Testing Checklist
+
+- [ ] User can submit template from Stack Builder → appears in admin queue
+- [ ] Admin approves template → visible on `/applications`
+- [ ] User deploys template → `project.source_template_id` populated
+- [ ] Stats update correctly (views, deploys, ratings)
+- [ ] Paid template purchase → deployment unlocked
+- [ ] Rejected template → creator receives reason, can resubmit
+
+***
+
+## 8. Deployment Phases
+
+**Week 1:** Backend tables + core APIs (`stack_template`, review workflow)
+**Week 2:** Frontend integration (Stack Builder panel, `/applications` cards)
+**Week 3:** Monetization (Stripe, `template_purchase`)
+**Week 4:** Admin dashboard + analytics
+
+This spec provides complete end-to-end implementation guidance without code examples.
+
+
+⁂
+
+[^1]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/images/156249360/1badb17d-ae6d-4002-b9c0-9371e2a0cdb9/Screenshot-2025-12-28-at-21.25.20.jpg
+
+[^2]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/156249360/821876d8-35e0-46f9-af9c-b318f416d680/dump-stacker-202512291130.sql
+
+[^3]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/156249360/9cbd962c-d7b5-40f6-a86d-8a05280502ed/TryDirect-DB-diagram.graphml
+
diff --git a/docs/Updated_ Cross-Microservice Integration for `_appl.md b/docs/Updated_ Cross-Microservice Integration for `_appl.md
new file mode 100644
index 00000000..5ae46ef7
--- /dev/null
+++ b/docs/Updated_ Cross-Microservice Integration for `_appl.md
@@ -0,0 +1,253 @@
+
+
+## Updated: Cross-Microservice Integration for `/applications`
+
+**Key Challenge:** `/applications` endpoint lives in a **separate microservice** (TryDirect User Service) (not Stacker). Marketplace templates must be **federated** into this external catalog.
+
+***
+
+## **1. New Microservice Communication Pattern**
+
+### **Option A: API Federation (Recommended)**
+
+Stacker Marketplace → **publishes approved templates** to TryDirect User microservice via **webhook/API**.
+
+```
+Approved Template in Stacker
+ ↓
+POST /api/stack/templates ← Stacker webhook
+ ↓
+TryDirect User microservice stores in OWN `marketplace_templates` table
+ ↓
+Unified /applications endpoint serves both official + marketplace
+```
+
+
+### **Option B: Query Federation**
+
+User service microservice **queries Stacker** for approved templates on each request.
+
+```
+GET /applications
+ ↓
+User service microservice:
+ - Official stacks (local DB)
+ + Marketplace templates (GET Stacker /api/templates?status=approved)
+ ↓
+Unified response
+```
+
+**Recommendation: Option A** (webhook) – better performance, caching, unified data model.
+
+***
+
+## **2. Stacker → TryDirect User Microservice Webhook Flow**
+
+### **When template approved in Stacker:**
+
+```
+1. Admin approves → stack_template.status = 'approved'
+2. Stacker fires webhook:
+ POST https://user:4100/marketplace/sync
+
+ Body:
+ {
+ "action": "template_approved",
+ "template_id": "uuid-123",
+ "slug": "ai-agent-starter",
+ "stack_definition": {...},
+ "creator": "Alice Dev",
+ "stats": {"deploy_count": 0}
+ }
+3. TryDirect User service creates/updates ITS local copy
+```
+
+
+### **When template updated/rejected/deprecated:**
+
+```
+Same webhook with action: "template_updated", "template_rejected", "template_deprecated"
+```
+
+
+***
+
+## **3. TryDirect User Microservice Requirements**
+
+**Add to TryDirect User service (not Stacker):**
+
+### **New Table: `marketplace_templates`**
+
+```
+id UUID PK
+stacker_template_id UUID ← Links back to Stacker
+slug VARCHAR(255) UNIQUE
+name VARCHAR(255)
+short_description TEXT
+creator_name VARCHAR(255)
+category VARCHAR(100)
+tags JSONB
+pricing JSONB
+stats JSONB ← {deploy_count, rating, views}
+stack_definition JSONB ← Cached for fast loading
+is_active BOOLEAN DEFAULT true
+synced_at TIMESTAMP
+```
+
+
+### **New Endpoint: `/api/marketplace/sync` (TryDirect User service)**
+
+```
+POST /api/marketplace/sync
+Headers: Authorization: Bearer stacker-service-token
+
+Actions:
+- "template_approved" → INSERT/UPDATE marketplace_templates
+- "template_updated" → UPDATE marketplace_templates
+- "template_rejected" → SET is_active = false
+- "template_deprecated" → DELETE
+```
+
+
+### **Updated `/applications` Query (TryDirect User service):**
+
+```sql
+-- Official stacks (existing)
+SELECT * FROM stacks WHERE is_active = true
+
+UNION ALL
+
+-- Marketplace templates (new table)
+SELECT
+ id, name, slug,
+ short_description as description,
+ creator_name,
+ '👥 Community' as badge,
+ stats->>'deploy_count' as deploy_count
+FROM marketplace_templates
+WHERE is_active = true
+ORDER BY popularity DESC
+```
+
+
+***
+
+## **4. Stack Builder Integration Changes (Minimal)**
+
+Stacker only needs to:
+
+1. **Add marketplace tables** (as per schema)
+2. **Implement webhook client** on template status changes
+3. **Expose public API** for TryDirect User service:
+
+```
+GET /api/templates?status=approved ← For fallback/sync
+GET /api/templates/{slug} ← Stack definition + stats
+```
+
+
+**Stack Builder UI unchanged** – "Publish to Marketplace" still works the same.
+
+***
+
+## **5. Service-to-Service Authentication**
+
+### **Webhook Security:**
+
+```
+Stack → TryDirect User:
+- API Token: `stacker_service_token` (stored in TryDirect User env)
+- Verify `stacker_service_token` header matches expected value
+- Rate limit: 100 req/min
+```
+
+
+### **Fallback Query Security (if webhook fails):**
+
+```
+TryDirect User → Stacker:
+- API Key: `applications_service_key` (stored in Stacker env)
+- Stacker verifies key on `/api/templates` endpoints
+```
+
+
+***
+
+## **6. Deployment Coordination**
+
+### **Phase 1: Stacker Changes**
+
+```
+✅ Deploy marketplace_schema.sql
+✅ Implement template APIs + webhook client
+✅ Test "template approved → webhook fires"
+```
+
+
+### **Phase 2: TryDirect User Service Changes**
+
+```
+✅ Add marketplace_templates table
+✅ Implement /api/marketplace/sync webhook receiver
+✅ Update /applications endpoint (UNION query)
+✅ Test webhook → unified listing
+```
+
+
+### **Phase 3: Stack Builder UI**
+
+```
+✅ "Publish to Marketplace" panel
+✅ Template cards show on /applications
+✅ "Deploy this stack" → loads from TryDirect User cache
+```
+
+
+***
+
+## **7. Fallback \& Resilience**
+
+**If webhook fails:**
+
+```
+1. TryDirect User service queries Stacker directly (every 15min cron)
+2. Mark templates as "stale" if >1h out of sync
+3. Show warning badge: "🔄 Syncing..."
+```
+
+**Data Consistency:**
+
+```
+Stacker = Source of Truth (approved templates)
+TryDirect User = Cache (fast listing + stack_definitions)
+```
+
+
+***
+
+## **Summary: Clean Microservice Boundaries**
+
+```
+Stacker responsibilities:
+├── Marketplace tables + workflows
+├── Template submission/review
+└── Webhook: "template approved → notify TryDirect User"
+
+TryDirect User responsibilities:
+├── Unified /applications listing
+├── marketplace_templates cache table
+├── Webhook receiver /api/marketplace/sync
+└── "Deploy this stack" → return cached stack_definition
+```
+
+**Result:** Zero changes to existing `/applications` consumer code. Marketplace templates appear **naturally** alongside official stacks. 🚀
+
+
+⁂
+
+[^1]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/images/156249360/1badb17d-ae6d-4002-b9c0-9371e2a0cdb9/Screenshot-2025-12-28-at-21.25.20.jpg
+
+[^2]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/156249360/821876d8-35e0-46f9-af9c-b318f416d680/dump-stacker-202512291130.sql
+
+[^3]: https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/attachments/156249360/9cbd962c-d7b5-40f6-a86d-8a05280502ed/TryDirect-DB-diagram.graphml
+
diff --git a/migrations/20240128174529_casbin_rule.up.sql b/migrations/20240128174529_casbin_rule.up.sql
index 15b99142..ef9ddec2 100644
--- a/migrations/20240128174529_casbin_rule.up.sql
+++ b/migrations/20240128174529_casbin_rule.up.sql
@@ -1,5 +1,5 @@
-- Add up migration script here
-CREATE TABLE casbin_rule (
+CREATE TABLE IF NOT EXISTS casbin_rule (
id SERIAL PRIMARY KEY,
ptype VARCHAR NOT NULL,
v0 VARCHAR NOT NULL,
diff --git a/migrations/20251227000000_casbin_root_admin_group.down.sql b/migrations/20251227000000_casbin_root_admin_group.down.sql
new file mode 100644
index 00000000..6eaf28b0
--- /dev/null
+++ b/migrations/20251227000000_casbin_root_admin_group.down.sql
@@ -0,0 +1,3 @@
+-- Rollback: Remove root group from group_admin
+DELETE FROM public.casbin_rule
+WHERE ptype = 'g' AND v0 = 'root' AND v1 = 'group_admin';
diff --git a/migrations/20251227000000_casbin_root_admin_group.up.sql b/migrations/20251227000000_casbin_root_admin_group.up.sql
new file mode 100644
index 00000000..8e2fd9be
--- /dev/null
+++ b/migrations/20251227000000_casbin_root_admin_group.up.sql
@@ -0,0 +1,5 @@
+-- Add root group assigned to group_admin for external application access
+-- Idempotent insert; ignore if the mapping already exists
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('g', 'root', 'group_admin', '', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20251227132000_add_group_admin_project_get_rule.down.sql b/migrations/20251227132000_add_group_admin_project_get_rule.down.sql
new file mode 100644
index 00000000..d737da4f
--- /dev/null
+++ b/migrations/20251227132000_add_group_admin_project_get_rule.down.sql
@@ -0,0 +1,3 @@
+-- Rollback: remove the group_admin GET /project rule
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/project' AND v2 = 'GET' AND v3 = '' AND v4 = '' AND v5 = '';
diff --git a/migrations/20251227132000_add_group_admin_project_get_rule.up.sql b/migrations/20251227132000_add_group_admin_project_get_rule.up.sql
new file mode 100644
index 00000000..8a9e2d3d
--- /dev/null
+++ b/migrations/20251227132000_add_group_admin_project_get_rule.up.sql
@@ -0,0 +1,4 @@
+-- Ensure group_admin can GET /project
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/project', 'GET', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
diff --git a/migrations/20251227140000_casbin_mcp_endpoint.down.sql b/migrations/20251227140000_casbin_mcp_endpoint.down.sql
new file mode 100644
index 00000000..6f26ad99
--- /dev/null
+++ b/migrations/20251227140000_casbin_mcp_endpoint.down.sql
@@ -0,0 +1,7 @@
+-- Remove Casbin rules for MCP WebSocket endpoint
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p'
+ AND v0 IN ('group_admin', 'group_user')
+ AND v1 = '/mcp'
+ AND v2 = 'GET';
diff --git a/migrations/20251227140000_casbin_mcp_endpoint.up.sql b/migrations/20251227140000_casbin_mcp_endpoint.up.sql
new file mode 100644
index 00000000..9eb3a28d
--- /dev/null
+++ b/migrations/20251227140000_casbin_mcp_endpoint.up.sql
@@ -0,0 +1,8 @@
+-- Add Casbin rules for MCP WebSocket endpoint
+-- Allow authenticated users and admins to access MCP
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ ('p', 'group_admin', '/mcp', 'GET', '', '', ''),
+ ('p', 'group_user', '/mcp', 'GET', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
diff --git a/migrations/20251229120000_marketplace.down.sql b/migrations/20251229120000_marketplace.down.sql
new file mode 100644
index 00000000..0af56cdd
--- /dev/null
+++ b/migrations/20251229120000_marketplace.down.sql
@@ -0,0 +1,31 @@
+-- Rollback TryDirect Marketplace Schema
+
+DROP TRIGGER IF EXISTS auto_create_product_on_approval ON stack_template;
+DROP FUNCTION IF EXISTS create_product_for_approved_template();
+
+DROP TRIGGER IF EXISTS update_stack_template_updated_at ON stack_template;
+
+-- Drop indexes
+DROP INDEX IF EXISTS idx_project_source_template;
+DROP INDEX IF EXISTS idx_review_decision;
+DROP INDEX IF EXISTS idx_review_template;
+DROP INDEX IF EXISTS idx_template_version_latest;
+DROP INDEX IF EXISTS idx_template_version_template;
+DROP INDEX IF EXISTS idx_stack_template_product;
+DROP INDEX IF EXISTS idx_stack_template_category;
+DROP INDEX IF EXISTS idx_stack_template_slug;
+DROP INDEX IF EXISTS idx_stack_template_status;
+DROP INDEX IF EXISTS idx_stack_template_creator;
+
+-- Remove columns from existing tables
+ALTER TABLE IF EXISTS project DROP COLUMN IF EXISTS template_version;
+ALTER TABLE IF EXISTS project DROP COLUMN IF EXISTS source_template_id;
+
+-- Drop marketplace tables (CASCADE to handle dependencies)
+DROP TABLE IF EXISTS stack_template_review CASCADE;
+DROP TABLE IF EXISTS stack_template_version CASCADE;
+DROP TABLE IF EXISTS stack_template CASCADE;
+DROP TABLE IF EXISTS stack_category CASCADE;
+
+-- Drop functions last
+DROP FUNCTION IF EXISTS update_updated_at_column() CASCADE;
diff --git a/migrations/20251229120000_marketplace.up.sql b/migrations/20251229120000_marketplace.up.sql
new file mode 100644
index 00000000..9bc0504c
--- /dev/null
+++ b/migrations/20251229120000_marketplace.up.sql
@@ -0,0 +1,155 @@
+-- TryDirect Marketplace Schema Migration
+-- Integrates with existing Product/Rating system
+
+-- Ensure UUID generation
+CREATE EXTENSION IF NOT EXISTS pgcrypto;
+
+-- 1. Categories (needed by templates)
+CREATE TABLE IF NOT EXISTS stack_category (
+ id SERIAL PRIMARY KEY,
+ name VARCHAR(255) UNIQUE NOT NULL
+);
+
+-- 2. Core marketplace table - templates become products when approved
+CREATE TABLE IF NOT EXISTS stack_template (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ creator_user_id VARCHAR(50) NOT NULL,
+ creator_name VARCHAR(255),
+ name VARCHAR(255) NOT NULL,
+ slug VARCHAR(255) UNIQUE NOT NULL,
+ short_description TEXT,
+ long_description TEXT,
+ category_id INTEGER REFERENCES stack_category(id),
+ tags JSONB DEFAULT '[]'::jsonb,
+ tech_stack JSONB DEFAULT '{}'::jsonb,
+ status VARCHAR(50) NOT NULL DEFAULT 'draft' CHECK (
+ status IN ('draft', 'submitted', 'under_review', 'approved', 'rejected', 'deprecated')
+ ),
+ is_configurable BOOLEAN DEFAULT true,
+ view_count INTEGER DEFAULT 0,
+ deploy_count INTEGER DEFAULT 0,
+ product_id INTEGER, -- Links to product table when approved for ratings
+ created_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+ updated_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+ approved_at TIMESTAMP WITH TIME ZONE,
+ CONSTRAINT fk_product FOREIGN KEY(product_id) REFERENCES product(id) ON DELETE SET NULL
+);
+
+CREATE TABLE IF NOT EXISTS stack_template_version (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ template_id UUID NOT NULL REFERENCES stack_template(id) ON DELETE CASCADE,
+ version VARCHAR(20) NOT NULL,
+ stack_definition JSONB NOT NULL,
+ definition_format VARCHAR(20) DEFAULT 'yaml',
+ changelog TEXT,
+ is_latest BOOLEAN DEFAULT false,
+ created_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+ UNIQUE(template_id, version)
+);
+
+CREATE TABLE IF NOT EXISTS stack_template_review (
+ id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+ template_id UUID NOT NULL REFERENCES stack_template(id) ON DELETE CASCADE,
+ reviewer_user_id VARCHAR(50),
+ decision VARCHAR(50) NOT NULL DEFAULT 'pending' CHECK (
+ decision IN ('pending', 'approved', 'rejected', 'needs_changes')
+ ),
+ review_reason TEXT,
+ security_checklist JSONB DEFAULT '{
+ "no_secrets": null,
+ "no_hardcoded_creds": null,
+ "valid_docker_syntax": null,
+ "no_malicious_code": null
+ }'::jsonb,
+ submitted_at TIMESTAMP WITH TIME ZONE DEFAULT now(),
+ reviewed_at TIMESTAMP WITH TIME ZONE
+);
+
+-- Extend existing tables
+DO $$ BEGIN
+ IF NOT EXISTS (
+ SELECT 1 FROM information_schema.columns
+ WHERE table_name = 'project' AND column_name = 'source_template_id'
+ ) THEN
+ ALTER TABLE project ADD COLUMN source_template_id UUID REFERENCES stack_template(id);
+ END IF;
+END $$;
+
+DO $$ BEGIN
+ IF NOT EXISTS (
+ SELECT 1 FROM information_schema.columns
+ WHERE table_name = 'project' AND column_name = 'template_version'
+ ) THEN
+ ALTER TABLE project ADD COLUMN template_version VARCHAR(20);
+ END IF;
+END $$;
+
+-- Indexes
+CREATE INDEX IF NOT EXISTS idx_stack_template_creator ON stack_template(creator_user_id);
+CREATE INDEX IF NOT EXISTS idx_stack_template_status ON stack_template(status);
+CREATE INDEX IF NOT EXISTS idx_stack_template_slug ON stack_template(slug);
+CREATE INDEX IF NOT EXISTS idx_stack_template_category ON stack_template(category_id);
+CREATE INDEX IF NOT EXISTS idx_stack_template_product ON stack_template(product_id);
+
+CREATE INDEX IF NOT EXISTS idx_template_version_template ON stack_template_version(template_id);
+CREATE INDEX IF NOT EXISTS idx_template_version_latest ON stack_template_version(template_id, is_latest) WHERE is_latest = true;
+
+CREATE INDEX IF NOT EXISTS idx_review_template ON stack_template_review(template_id);
+CREATE INDEX IF NOT EXISTS idx_review_decision ON stack_template_review(decision);
+
+CREATE INDEX IF NOT EXISTS idx_project_source_template ON project(source_template_id);
+
+-- Triggers
+CREATE OR REPLACE FUNCTION update_updated_at_column()
+RETURNS TRIGGER AS $$
+BEGIN
+ NEW.updated_at = now();
+ RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+DROP TRIGGER IF EXISTS update_stack_template_updated_at ON stack_template;
+CREATE TRIGGER update_stack_template_updated_at
+ BEFORE UPDATE ON stack_template
+ FOR EACH ROW EXECUTE FUNCTION update_updated_at_column();
+
+-- Function to create product entry when template is approved
+CREATE OR REPLACE FUNCTION create_product_for_approved_template()
+RETURNS TRIGGER AS $$
+DECLARE
+ new_product_id INTEGER;
+BEGIN
+ -- When status changes to 'approved' and no product exists yet
+ IF NEW.status = 'approved' AND OLD.status != 'approved' AND NEW.product_id IS NULL THEN
+ -- Generate product_id from template UUID (use hashtext for deterministic integer)
+ new_product_id := hashtext(NEW.id::text);
+
+ -- Insert into product table
+ INSERT INTO product (id, obj_id, obj_type, created_at, updated_at)
+ VALUES (new_product_id, new_product_id, 'marketplace_template', now(), now())
+ ON CONFLICT (id) DO NOTHING;
+
+ -- Link template to product
+ NEW.product_id := new_product_id;
+ END IF;
+ RETURN NEW;
+END;
+$$ language 'plpgsql';
+
+DROP TRIGGER IF EXISTS auto_create_product_on_approval ON stack_template;
+CREATE TRIGGER auto_create_product_on_approval
+ BEFORE UPDATE ON stack_template
+ FOR EACH ROW
+ WHEN (NEW.status = 'approved' AND OLD.status != 'approved')
+ EXECUTE FUNCTION create_product_for_approved_template();
+
+-- Seed sample categories
+INSERT INTO stack_category (name)
+VALUES
+ ('AI Agents'),
+ ('Data Pipelines'),
+ ('SaaS Starter'),
+ ('Dev Tools'),
+ ('Automation')
+ON CONFLICT DO NOTHING;
+
diff --git a/migrations/20251229121000_casbin_marketplace_rules.down.sql b/migrations/20251229121000_casbin_marketplace_rules.down.sql
new file mode 100644
index 00000000..29018e0f
--- /dev/null
+++ b/migrations/20251229121000_casbin_marketplace_rules.down.sql
@@ -0,0 +1,12 @@
+-- Rollback Casbin rules for Marketplace endpoints
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_anonymous' AND v1 = '/api/templates' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_anonymous' AND v1 = '/api/templates/:slug' AND v2 = 'GET';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/templates' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/templates/:id' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/templates/:id/submit' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/templates/mine' AND v2 = 'GET';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/admin/templates' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/admin/templates/:id/approve' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/admin/templates/:id/reject' AND v2 = 'POST';
diff --git a/migrations/20251229121000_casbin_marketplace_rules.up.sql b/migrations/20251229121000_casbin_marketplace_rules.up.sql
new file mode 100644
index 00000000..03f29173
--- /dev/null
+++ b/migrations/20251229121000_casbin_marketplace_rules.up.sql
@@ -0,0 +1,16 @@
+-- Casbin rules for Marketplace endpoints
+
+-- Public read rules
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_anonymous', '/api/templates', 'GET', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_anonymous', '/api/templates/:slug', 'GET', '', '', '');
+
+-- Creator rules
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_user', '/api/templates', 'POST', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_user', '/api/templates/:id', 'PUT', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_user', '/api/templates/:id/submit', 'POST', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_user', '/api/templates/mine', 'GET', '', '', '');
+
+-- Admin moderation rules
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/admin/templates', 'GET', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/admin/templates/:id/approve', 'POST', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/admin/templates/:id/reject', 'POST', '', '', '');
diff --git a/migrations/20251230094608_add_required_plan_name.down.sql b/migrations/20251230094608_add_required_plan_name.down.sql
new file mode 100644
index 00000000..c6b04bc4
--- /dev/null
+++ b/migrations/20251230094608_add_required_plan_name.down.sql
@@ -0,0 +1,2 @@
+-- Add down migration script here
+ALTER TABLE stack_template DROP COLUMN IF EXISTS required_plan_name;
\ No newline at end of file
diff --git a/migrations/20251230094608_add_required_plan_name.up.sql b/migrations/20251230094608_add_required_plan_name.up.sql
new file mode 100644
index 00000000..fcd896dd
--- /dev/null
+++ b/migrations/20251230094608_add_required_plan_name.up.sql
@@ -0,0 +1,2 @@
+-- Add up migration script here
+ALTER TABLE stack_template ADD COLUMN IF NOT EXISTS required_plan_name VARCHAR(50);
\ No newline at end of file
diff --git a/migrations/20251230100000_add_marketplace_plans_rule.down.sql b/migrations/20251230100000_add_marketplace_plans_rule.down.sql
new file mode 100644
index 00000000..8658c296
--- /dev/null
+++ b/migrations/20251230100000_add_marketplace_plans_rule.down.sql
@@ -0,0 +1,2 @@
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/admin/marketplace/plans' AND v2 = 'GET' AND v3 = '' AND v4 = '' AND v5 = '';
diff --git a/migrations/20251230100000_add_marketplace_plans_rule.up.sql b/migrations/20251230100000_add_marketplace_plans_rule.up.sql
new file mode 100644
index 00000000..eeeb4073
--- /dev/null
+++ b/migrations/20251230100000_add_marketplace_plans_rule.up.sql
@@ -0,0 +1,3 @@
+-- Casbin rule for admin marketplace plans endpoint
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/admin/marketplace/plans', 'GET', '', '', '');
diff --git a/migrations/20260101090000_casbin_admin_inherits_user.down.sql b/migrations/20260101090000_casbin_admin_inherits_user.down.sql
new file mode 100644
index 00000000..3e608677
--- /dev/null
+++ b/migrations/20260101090000_casbin_admin_inherits_user.down.sql
@@ -0,0 +1,9 @@
+-- Remove the inheritance edge if rolled back
+DELETE FROM public.casbin_rule
+WHERE ptype = 'g'
+ AND v0 = 'group_admin'
+ AND v1 = 'group_user'
+ AND (v2 = '' OR v2 IS NULL)
+ AND (v3 = '' OR v3 IS NULL)
+ AND (v4 = '' OR v4 IS NULL)
+ AND (v5 = '' OR v5 IS NULL);
diff --git a/migrations/20260101090000_casbin_admin_inherits_user.up.sql b/migrations/20260101090000_casbin_admin_inherits_user.up.sql
new file mode 100644
index 00000000..7d34d4e8
--- /dev/null
+++ b/migrations/20260101090000_casbin_admin_inherits_user.up.sql
@@ -0,0 +1,4 @@
+-- Ensure group_admin inherits group_user so admin (and root) receive user permissions
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('g', 'group_admin', 'group_user', '', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260102120000_add_category_fields.down.sql b/migrations/20260102120000_add_category_fields.down.sql
new file mode 100644
index 00000000..7b8aa8f3
--- /dev/null
+++ b/migrations/20260102120000_add_category_fields.down.sql
@@ -0,0 +1,7 @@
+-- Remove title and metadata fields from stack_category
+ALTER TABLE stack_category
+DROP COLUMN IF EXISTS metadata,
+DROP COLUMN IF EXISTS title;
+
+-- Drop the index
+DROP INDEX IF EXISTS idx_stack_category_title;
diff --git a/migrations/20260102120000_add_category_fields.up.sql b/migrations/20260102120000_add_category_fields.up.sql
new file mode 100644
index 00000000..7a2646dc
--- /dev/null
+++ b/migrations/20260102120000_add_category_fields.up.sql
@@ -0,0 +1,7 @@
+-- Add title and metadata fields to stack_category for User Service sync
+ALTER TABLE stack_category
+ADD COLUMN IF NOT EXISTS title VARCHAR(255),
+ADD COLUMN IF NOT EXISTS metadata JSONB DEFAULT '{}'::jsonb;
+
+-- Create index on title for display queries
+CREATE INDEX IF NOT EXISTS idx_stack_category_title ON stack_category(title);
diff --git a/migrations/20260102140000_casbin_categories_rules.down.sql b/migrations/20260102140000_casbin_categories_rules.down.sql
new file mode 100644
index 00000000..4db07afa
--- /dev/null
+++ b/migrations/20260102140000_casbin_categories_rules.down.sql
@@ -0,0 +1,4 @@
+-- Rollback: Remove Casbin rules for Categories endpoint
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p' AND v1 = '/api/categories' AND v2 = 'GET';
diff --git a/migrations/20260102140000_casbin_categories_rules.up.sql b/migrations/20260102140000_casbin_categories_rules.up.sql
new file mode 100644
index 00000000..b24dbc12
--- /dev/null
+++ b/migrations/20260102140000_casbin_categories_rules.up.sql
@@ -0,0 +1,6 @@
+-- Casbin rules for Categories endpoint
+-- Categories are publicly readable for marketplace UI population
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_anonymous', '/api/categories', 'GET', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_user', '/api/categories', 'GET', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/categories', 'GET', '', '', '');
diff --git a/migrations/20260103103000_casbin_marketplace_admin_creator_rules.down.sql b/migrations/20260103103000_casbin_marketplace_admin_creator_rules.down.sql
new file mode 100644
index 00000000..c717ab0f
--- /dev/null
+++ b/migrations/20260103103000_casbin_marketplace_admin_creator_rules.down.sql
@@ -0,0 +1,4 @@
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/templates' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/templates/:id' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/templates/:id/submit' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/templates/mine' AND v2 = 'GET';
diff --git a/migrations/20260103103000_casbin_marketplace_admin_creator_rules.up.sql b/migrations/20260103103000_casbin_marketplace_admin_creator_rules.up.sql
new file mode 100644
index 00000000..3553a9a0
--- /dev/null
+++ b/migrations/20260103103000_casbin_marketplace_admin_creator_rules.up.sql
@@ -0,0 +1,6 @@
+-- Allow admin service accounts (e.g., root) to call marketplace creator endpoints
+-- Admins previously lacked creator privileges which caused 403 responses
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/templates', 'POST', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/templates/:id', 'PUT', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/templates/:id/submit', 'POST', '', '', '');
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5) VALUES ('p', 'group_admin', '/api/templates/mine', 'GET', '', '', '');
diff --git a/migrations/20260103120000_casbin_health_metrics_rules.down.sql b/migrations/20260103120000_casbin_health_metrics_rules.down.sql
new file mode 100644
index 00000000..19ea2ac6
--- /dev/null
+++ b/migrations/20260103120000_casbin_health_metrics_rules.down.sql
@@ -0,0 +1,7 @@
+-- Remove Casbin rules for health check metrics endpoint
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p'
+ AND v0 IN ('group_anonymous', 'group_user', 'group_admin')
+ AND v1 = '/health_check/metrics'
+ AND v2 = 'GET';
diff --git a/migrations/20260103120000_casbin_health_metrics_rules.up.sql b/migrations/20260103120000_casbin_health_metrics_rules.up.sql
new file mode 100644
index 00000000..15194803
--- /dev/null
+++ b/migrations/20260103120000_casbin_health_metrics_rules.up.sql
@@ -0,0 +1,17 @@
+-- Add Casbin rules for health check metrics endpoint
+-- Allow all groups to access health check metrics for monitoring
+
+-- Anonymous users can check health metrics
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_anonymous', '/health_check/metrics', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+-- Regular users can check health metrics
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/health_check/metrics', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+-- Admins can check health metrics
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/health_check/metrics', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260104120000_casbin_admin_service_rules.down.sql b/migrations/20260104120000_casbin_admin_service_rules.down.sql
new file mode 100644
index 00000000..3a1649c9
--- /dev/null
+++ b/migrations/20260104120000_casbin_admin_service_rules.down.sql
@@ -0,0 +1,7 @@
+-- Remove Casbin rules for admin_service role
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/stacker/admin/templates' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/stacker/admin/templates/:id/approve' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/stacker/admin/templates/:id/reject' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/api/admin/templates' AND v2 = 'GET';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/api/admin/templates/:id/approve' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'admin_service' AND v1 = '/api/admin/templates/:id/reject' AND v2 = 'POST';
diff --git a/migrations/20260104120000_casbin_admin_service_rules.up.sql b/migrations/20260104120000_casbin_admin_service_rules.up.sql
new file mode 100644
index 00000000..55318516
--- /dev/null
+++ b/migrations/20260104120000_casbin_admin_service_rules.up.sql
@@ -0,0 +1,24 @@
+-- Add Casbin rules for admin_service role (internal service authentication)
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/stacker/admin/templates', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/stacker/admin/templates/:id/approve', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/stacker/admin/templates/:id/reject', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/api/admin/templates', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/api/admin/templates/:id/approve', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'admin_service', '/api/admin/templates/:id/reject', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260105214000_casbin_dockerhub_rules.down.sql b/migrations/20260105214000_casbin_dockerhub_rules.down.sql
new file mode 100644
index 00000000..f03eb156
--- /dev/null
+++ b/migrations/20260105214000_casbin_dockerhub_rules.down.sql
@@ -0,0 +1,8 @@
+DELETE FROM public.casbin_rule
+WHERE v1 = '/dockerhub/namespaces' AND v2 = 'GET';
+
+DELETE FROM public.casbin_rule
+WHERE v1 = '/dockerhub/:namespace/repositories' AND v2 = 'GET';
+
+DELETE FROM public.casbin_rule
+WHERE v1 = '/dockerhub/:namespace/repositories/:repository/tags' AND v2 = 'GET';
diff --git a/migrations/20260105214000_casbin_dockerhub_rules.up.sql b/migrations/20260105214000_casbin_dockerhub_rules.up.sql
new file mode 100644
index 00000000..282211a0
--- /dev/null
+++ b/migrations/20260105214000_casbin_dockerhub_rules.up.sql
@@ -0,0 +1,17 @@
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/dockerhub/namespaces', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/dockerhub/namespaces', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/dockerhub/:namespace/repositories', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/dockerhub/:namespace/repositories', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/dockerhub/:namespace/repositories/:repository/tags', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/dockerhub/:namespace/repositories/:repository/tags', 'GET', '', '', '');
diff --git a/migrations/20260106142135_remove_agents_deployment_fk.down.sql b/migrations/20260106142135_remove_agents_deployment_fk.down.sql
new file mode 100644
index 00000000..8ffd69e4
--- /dev/null
+++ b/migrations/20260106142135_remove_agents_deployment_fk.down.sql
@@ -0,0 +1,7 @@
+-- Restore foreign key constraint (only if deployment table has matching records)
+-- Note: This will fail if orphaned agents exist. Clean up orphans before rollback.
+ALTER TABLE agents
+ADD CONSTRAINT agents_deployment_hash_fkey
+FOREIGN KEY (deployment_hash)
+REFERENCES deployment(deployment_hash)
+ON DELETE CASCADE;
diff --git a/migrations/20260106142135_remove_agents_deployment_fk.up.sql b/migrations/20260106142135_remove_agents_deployment_fk.up.sql
new file mode 100644
index 00000000..fddc63d0
--- /dev/null
+++ b/migrations/20260106142135_remove_agents_deployment_fk.up.sql
@@ -0,0 +1,6 @@
+-- Remove foreign key constraint from agents table to allow agents without deployments in Stacker
+-- Deployments may exist in User Service "installations" table instead
+ALTER TABLE agents DROP CONSTRAINT IF EXISTS agents_deployment_hash_fkey;
+
+-- Keep the deployment_hash column indexed for queries
+-- Index already exists: idx_agents_deployment_hash
diff --git a/migrations/20260106143528_20260106_casbin_user_rating_idempotent.down.sql b/migrations/20260106143528_20260106_casbin_user_rating_idempotent.down.sql
new file mode 100644
index 00000000..dc7c3ea7
--- /dev/null
+++ b/migrations/20260106143528_20260106_casbin_user_rating_idempotent.down.sql
@@ -0,0 +1 @@
+-- No-op: this migration only ensured idempotency and did not create new rows
diff --git a/migrations/20260106143528_20260106_casbin_user_rating_idempotent.up.sql b/migrations/20260106143528_20260106_casbin_user_rating_idempotent.up.sql
new file mode 100644
index 00000000..8cb32822
--- /dev/null
+++ b/migrations/20260106143528_20260106_casbin_user_rating_idempotent.up.sql
@@ -0,0 +1,24 @@
+-- Ensure rating Casbin rules are idempotent for future migration reruns
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/rating/:id', 'PUT', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/admin/rating/:id', 'PUT', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/rating/:id', 'DELETE', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/admin/rating/:id', 'DELETE', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/admin/rating/:id', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/admin/rating', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260107123000_admin_service_role_inheritance.down.sql b/migrations/20260107123000_admin_service_role_inheritance.down.sql
new file mode 100644
index 00000000..e78adbe3
--- /dev/null
+++ b/migrations/20260107123000_admin_service_role_inheritance.down.sql
@@ -0,0 +1,9 @@
+-- Revoke admin_service inheritance from admin permissions
+DELETE FROM public.casbin_rule
+WHERE ptype = 'g'
+ AND v0 = 'admin_service'
+ AND v1 = 'group_admin'
+ AND v2 = ''
+ AND v3 = ''
+ AND v4 = ''
+ AND v5 = '';
diff --git a/migrations/20260107123000_admin_service_role_inheritance.up.sql b/migrations/20260107123000_admin_service_role_inheritance.up.sql
new file mode 100644
index 00000000..6c6a6630
--- /dev/null
+++ b/migrations/20260107123000_admin_service_role_inheritance.up.sql
@@ -0,0 +1,4 @@
+-- Allow admin_service JWT role to inherit all admin permissions
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('g', 'admin_service', 'group_admin', '', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260109133000_extend_deployment_hash_length.down.sql b/migrations/20260109133000_extend_deployment_hash_length.down.sql
new file mode 100644
index 00000000..77b626b9
--- /dev/null
+++ b/migrations/20260109133000_extend_deployment_hash_length.down.sql
@@ -0,0 +1,21 @@
+-- Revert deployment_hash column length to the previous limit
+ALTER TABLE commands DROP CONSTRAINT IF EXISTS commands_deployment_hash_fkey;
+
+ALTER TABLE deployment
+ ALTER COLUMN deployment_hash TYPE VARCHAR(64);
+
+ALTER TABLE agents
+ ALTER COLUMN deployment_hash TYPE VARCHAR(64);
+
+ALTER TABLE audit_log
+ ALTER COLUMN deployment_hash TYPE VARCHAR(64);
+
+ALTER TABLE commands
+ ALTER COLUMN deployment_hash TYPE VARCHAR(64);
+
+ALTER TABLE command_queue
+ ALTER COLUMN deployment_hash TYPE VARCHAR(64);
+
+ALTER TABLE commands
+ ADD CONSTRAINT commands_deployment_hash_fkey
+ FOREIGN KEY (deployment_hash) REFERENCES deployment(deployment_hash) ON DELETE CASCADE;
diff --git a/migrations/20260109133000_extend_deployment_hash_length.up.sql b/migrations/20260109133000_extend_deployment_hash_length.up.sql
new file mode 100644
index 00000000..9606d66f
--- /dev/null
+++ b/migrations/20260109133000_extend_deployment_hash_length.up.sql
@@ -0,0 +1,21 @@
+-- Increase deployment_hash column length to accommodate longer identifiers
+ALTER TABLE commands DROP CONSTRAINT IF EXISTS commands_deployment_hash_fkey;
+
+ALTER TABLE deployment
+ ALTER COLUMN deployment_hash TYPE VARCHAR(128);
+
+ALTER TABLE agents
+ ALTER COLUMN deployment_hash TYPE VARCHAR(128);
+
+ALTER TABLE audit_log
+ ALTER COLUMN deployment_hash TYPE VARCHAR(128);
+
+ALTER TABLE commands
+ ALTER COLUMN deployment_hash TYPE VARCHAR(128);
+
+ALTER TABLE command_queue
+ ALTER COLUMN deployment_hash TYPE VARCHAR(128);
+
+ALTER TABLE commands
+ ADD CONSTRAINT commands_deployment_hash_fkey
+ FOREIGN KEY (deployment_hash) REFERENCES deployment(deployment_hash) ON DELETE CASCADE;
diff --git a/migrations/20260112120000_remove_commands_deployment_fk.down.sql b/migrations/20260112120000_remove_commands_deployment_fk.down.sql
new file mode 100644
index 00000000..f3006902
--- /dev/null
+++ b/migrations/20260112120000_remove_commands_deployment_fk.down.sql
@@ -0,0 +1,3 @@
+-- Restore FK constraint on commands.deployment_hash back to deployment(deployment_hash)
+ALTER TABLE commands ADD CONSTRAINT commands_deployment_hash_fkey
+ FOREIGN KEY (deployment_hash) REFERENCES deployment(deployment_hash) ON DELETE CASCADE;
diff --git a/migrations/20260112120000_remove_commands_deployment_fk.up.sql b/migrations/20260112120000_remove_commands_deployment_fk.up.sql
new file mode 100644
index 00000000..84b6ad65
--- /dev/null
+++ b/migrations/20260112120000_remove_commands_deployment_fk.up.sql
@@ -0,0 +1,2 @@
+-- Remove FK constraint from commands.deployment_hash to allow hashes from external installations
+ALTER TABLE commands DROP CONSTRAINT IF EXISTS commands_deployment_hash_fkey;
diff --git a/migrations/20260113000001_fix_command_queue_fk.down.sql b/migrations/20260113000001_fix_command_queue_fk.down.sql
new file mode 100644
index 00000000..c2f9b638
--- /dev/null
+++ b/migrations/20260113000001_fix_command_queue_fk.down.sql
@@ -0,0 +1,12 @@
+-- Revert: Fix foreign key in command_queue to reference commands.command_id (VARCHAR) instead of commands.id (UUID)
+
+-- Drop the new foreign key constraint
+ALTER TABLE command_queue DROP CONSTRAINT command_queue_command_id_fkey;
+
+-- Change command_id column back to UUID
+ALTER TABLE command_queue ALTER COLUMN command_id TYPE UUID USING command_id::UUID;
+
+-- Restore old foreign key constraint
+ALTER TABLE command_queue
+ADD CONSTRAINT command_queue_command_id_fkey
+FOREIGN KEY (command_id) REFERENCES commands(id) ON DELETE CASCADE;
diff --git a/migrations/20260113000001_fix_command_queue_fk.up.sql b/migrations/20260113000001_fix_command_queue_fk.up.sql
new file mode 100644
index 00000000..9dd21969
--- /dev/null
+++ b/migrations/20260113000001_fix_command_queue_fk.up.sql
@@ -0,0 +1,12 @@
+-- Fix foreign key in command_queue to reference commands.command_id (VARCHAR) instead of commands.id (UUID)
+
+-- Drop the old foreign key constraint
+ALTER TABLE command_queue DROP CONSTRAINT command_queue_command_id_fkey;
+
+-- Change command_id column from UUID to VARCHAR(64)
+ALTER TABLE command_queue ALTER COLUMN command_id TYPE VARCHAR(64);
+
+-- Add new foreign key constraint referencing commands.command_id instead
+ALTER TABLE command_queue
+ADD CONSTRAINT command_queue_command_id_fkey
+FOREIGN KEY (command_id) REFERENCES commands(command_id) ON DELETE CASCADE;
diff --git a/migrations/20260113000002_fix_audit_log_timestamp.down.sql b/migrations/20260113000002_fix_audit_log_timestamp.down.sql
new file mode 100644
index 00000000..4fb6213f
--- /dev/null
+++ b/migrations/20260113000002_fix_audit_log_timestamp.down.sql
@@ -0,0 +1,3 @@
+-- Revert: Fix audit_log.created_at type from TIMESTAMP to TIMESTAMPTZ
+
+ALTER TABLE audit_log ALTER COLUMN created_at TYPE TIMESTAMP;
diff --git a/migrations/20260113000002_fix_audit_log_timestamp.up.sql b/migrations/20260113000002_fix_audit_log_timestamp.up.sql
new file mode 100644
index 00000000..2372a297
--- /dev/null
+++ b/migrations/20260113000002_fix_audit_log_timestamp.up.sql
@@ -0,0 +1,3 @@
+-- Fix audit_log.created_at type from TIMESTAMP to TIMESTAMPTZ
+
+ALTER TABLE audit_log ALTER COLUMN created_at TYPE TIMESTAMPTZ;
diff --git a/migrations/20260113120000_add_deployment_capabilities_acl.up.sql b/migrations/20260113120000_add_deployment_capabilities_acl.up.sql
new file mode 100644
index 00000000..ee70b8c4
--- /dev/null
+++ b/migrations/20260113120000_add_deployment_capabilities_acl.up.sql
@@ -0,0 +1,5 @@
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/api/v1/deployments/:deployment_hash/capabilities', 'GET', '', '', '');
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/api/v1/deployments/:deployment_hash/capabilities', 'GET', '', '', '');
diff --git a/migrations/20260114120000_casbin_agent_enqueue_rules.down.sql b/migrations/20260114120000_casbin_agent_enqueue_rules.down.sql
new file mode 100644
index 00000000..69b620a6
--- /dev/null
+++ b/migrations/20260114120000_casbin_agent_enqueue_rules.down.sql
@@ -0,0 +1,4 @@
+-- Remove Casbin ACL rules for /api/v1/agent/commands/enqueue endpoint
+
+DELETE FROM public.casbin_rule
+WHERE ptype='p' AND v1='/api/v1/agent/commands/enqueue' AND v2='POST';
diff --git a/migrations/20260114120000_casbin_agent_enqueue_rules.up.sql b/migrations/20260114120000_casbin_agent_enqueue_rules.up.sql
new file mode 100644
index 00000000..0ba4d953
--- /dev/null
+++ b/migrations/20260114120000_casbin_agent_enqueue_rules.up.sql
@@ -0,0 +1,14 @@
+-- Add Casbin ACL rules for /api/v1/agent/commands/enqueue endpoint
+-- This endpoint allows authenticated users to enqueue commands for their deployments
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_user', '/api/v1/agent/commands/enqueue', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'group_admin', '/api/v1/agent/commands/enqueue', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'client', '/api/v1/agent/commands/enqueue', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
diff --git a/migrations/20260114160000_casbin_agent_role_fix.down.sql b/migrations/20260114160000_casbin_agent_role_fix.down.sql
new file mode 100644
index 00000000..d014e708
--- /dev/null
+++ b/migrations/20260114160000_casbin_agent_role_fix.down.sql
@@ -0,0 +1,10 @@
+-- Rollback agent role permissions fix
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/agent/commands/report' AND v2 = 'POST';
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/agent/commands/wait/:deployment_hash' AND v2 = 'GET';
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'g' AND v0 = 'agent' AND v1 = 'group_anonymous';
diff --git a/migrations/20260114160000_casbin_agent_role_fix.up.sql b/migrations/20260114160000_casbin_agent_role_fix.up.sql
new file mode 100644
index 00000000..24aba0cd
--- /dev/null
+++ b/migrations/20260114160000_casbin_agent_role_fix.up.sql
@@ -0,0 +1,18 @@
+-- Ensure agent role has access to agent endpoints (idempotent fix)
+-- This migration ensures agent role permissions are in place regardless of previous migration state
+-- Addresses 403 error when Status Panel agent tries to report command results
+
+-- Agent role should be able to report command results
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'agent', '/api/v1/agent/commands/report', 'POST', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Agent role should be able to poll for commands
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('p', 'agent', '/api/v1/agent/commands/wait/:deployment_hash', 'GET', '', '', '')
+ON CONFLICT ON CONSTRAINT unique_key_sqlx_adapter DO NOTHING;
+
+-- Ensure agent role group exists (inherits from group_anonymous for health checks)
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES ('g', 'agent', 'group_anonymous', '', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260115120000_casbin_command_client_rules.down.sql b/migrations/20260115120000_casbin_command_client_rules.down.sql
new file mode 100644
index 00000000..f29cfc18
--- /dev/null
+++ b/migrations/20260115120000_casbin_command_client_rules.down.sql
@@ -0,0 +1,12 @@
+-- Remove Casbin rules for command endpoints for client role
+
+DELETE FROM public.casbin_rule
+WHERE ptype = 'p'
+ AND v0 = 'client'
+ AND v1 IN (
+ '/api/v1/commands',
+ '/api/v1/commands/:deployment_hash',
+ '/api/v1/commands/:deployment_hash/:command_id',
+ '/api/v1/commands/:deployment_hash/:command_id/cancel'
+ )
+ AND v2 IN ('GET', 'POST');
diff --git a/migrations/20260115120000_casbin_command_client_rules.up.sql b/migrations/20260115120000_casbin_command_client_rules.up.sql
new file mode 100644
index 00000000..b9a988c7
--- /dev/null
+++ b/migrations/20260115120000_casbin_command_client_rules.up.sql
@@ -0,0 +1,14 @@
+-- Add Casbin rules for command endpoints for client role
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ ('p', 'client', '/api/v1/commands', 'GET', '', '', ''),
+ ('p', 'client', '/api/v1/commands/:deployment_hash', 'GET', '', '', ''),
+ ('p', 'client', '/api/v1/commands/:deployment_hash/:command_id', 'GET', '', '', ''),
+ ('p', 'client', '/api/v1/commands/:deployment_hash/:command_id/cancel', 'POST', '', '', ''),
+ ('p', 'group_user', '/api/v1/commands', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/commands', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/commands/:deployment_hash', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/commands/:deployment_hash/:command_id', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/commands/:deployment_hash/:command_id/cancel', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260122120000_create_project_app_table.down.sql b/migrations/20260122120000_create_project_app_table.down.sql
new file mode 100644
index 00000000..025e0cb9
--- /dev/null
+++ b/migrations/20260122120000_create_project_app_table.down.sql
@@ -0,0 +1,8 @@
+-- Drop project_app table and related objects
+
+DROP TRIGGER IF EXISTS project_app_updated_at_trigger ON project_app;
+DROP FUNCTION IF EXISTS update_project_app_updated_at();
+DROP INDEX IF EXISTS idx_project_app_deploy_order;
+DROP INDEX IF EXISTS idx_project_app_code;
+DROP INDEX IF EXISTS idx_project_app_project_id;
+DROP TABLE IF EXISTS project_app;
diff --git a/migrations/20260122120000_create_project_app_table.up.sql b/migrations/20260122120000_create_project_app_table.up.sql
new file mode 100644
index 00000000..31998542
--- /dev/null
+++ b/migrations/20260122120000_create_project_app_table.up.sql
@@ -0,0 +1,59 @@
+-- Create project_app table for storing app configurations
+-- Each project can have multiple apps with their own configuration
+
+CREATE TABLE IF NOT EXISTS project_app (
+ id SERIAL PRIMARY KEY,
+ project_id INTEGER NOT NULL REFERENCES project(id) ON DELETE CASCADE,
+ code VARCHAR(100) NOT NULL,
+ name VARCHAR(255) NOT NULL,
+ image VARCHAR(500) NOT NULL,
+ environment JSONB DEFAULT '{}'::jsonb,
+ ports JSONB DEFAULT '[]'::jsonb,
+ volumes JSONB DEFAULT '[]'::jsonb,
+ domain VARCHAR(255),
+ ssl_enabled BOOLEAN DEFAULT FALSE,
+ resources JSONB DEFAULT '{}'::jsonb,
+ restart_policy VARCHAR(50) DEFAULT 'unless-stopped',
+ command TEXT,
+ entrypoint TEXT,
+ networks JSONB DEFAULT '[]'::jsonb,
+ depends_on JSONB DEFAULT '[]'::jsonb,
+ healthcheck JSONB,
+ labels JSONB DEFAULT '{}'::jsonb,
+ enabled BOOLEAN DEFAULT TRUE,
+ deploy_order INTEGER,
+ created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+ updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+ CONSTRAINT unique_project_app_code UNIQUE (project_id, code)
+);
+
+-- Index for fast lookup by project
+CREATE INDEX IF NOT EXISTS idx_project_app_project_id ON project_app(project_id);
+
+-- Index for code lookup
+CREATE INDEX IF NOT EXISTS idx_project_app_code ON project_app(code);
+
+-- Index for deploy order
+CREATE INDEX IF NOT EXISTS idx_project_app_deploy_order ON project_app(project_id, deploy_order);
+
+-- Trigger to update updated_at on changes
+CREATE OR REPLACE FUNCTION update_project_app_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+ NEW.updated_at = NOW();
+ RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS project_app_updated_at_trigger ON project_app;
+CREATE TRIGGER project_app_updated_at_trigger
+ BEFORE UPDATE ON project_app
+ FOR EACH ROW
+ EXECUTE FUNCTION update_project_app_updated_at();
+
+-- Add comment for documentation
+COMMENT ON TABLE project_app IS 'App configurations within projects. Each app is a container with its own env vars, ports, volumes, etc.';
+COMMENT ON COLUMN project_app.code IS 'Unique identifier within project (e.g., nginx, postgres, redis)';
+COMMENT ON COLUMN project_app.environment IS 'Environment variables as JSON object {"VAR": "value"}';
+COMMENT ON COLUMN project_app.ports IS 'Port mappings as JSON array [{"host": 80, "container": 80, "protocol": "tcp"}]';
+COMMENT ON COLUMN project_app.deploy_order IS 'Order in which apps are deployed (lower = first)';
diff --git a/migrations/20260123120000_server_selection_columns.down.sql b/migrations/20260123120000_server_selection_columns.down.sql
new file mode 100644
index 00000000..433fb178
--- /dev/null
+++ b/migrations/20260123120000_server_selection_columns.down.sql
@@ -0,0 +1,6 @@
+-- Remove server selection columns
+
+ALTER TABLE server DROP COLUMN IF EXISTS name;
+ALTER TABLE server DROP COLUMN IF EXISTS key_status;
+ALTER TABLE server DROP COLUMN IF EXISTS connection_mode;
+ALTER TABLE server DROP COLUMN IF EXISTS vault_key_path;
diff --git a/migrations/20260123120000_server_selection_columns.up.sql b/migrations/20260123120000_server_selection_columns.up.sql
new file mode 100644
index 00000000..8e8b9c1a
--- /dev/null
+++ b/migrations/20260123120000_server_selection_columns.up.sql
@@ -0,0 +1,13 @@
+-- Add server selection columns for SSH key management via Vault
+
+-- Path to SSH key stored in Vault (e.g., secret/data/users/{user_id}/ssh_keys/{server_id})
+ALTER TABLE server ADD COLUMN vault_key_path VARCHAR(255) DEFAULT NULL;
+
+-- Connection mode: 'ssh' (maintain SSH access) or 'status_panel' (disconnect SSH after install)
+ALTER TABLE server ADD COLUMN connection_mode VARCHAR(20) NOT NULL DEFAULT 'ssh';
+
+-- Key status: 'none' (no key), 'stored' (key in Vault), 'disconnected' (key removed)
+ALTER TABLE server ADD COLUMN key_status VARCHAR(20) NOT NULL DEFAULT 'none';
+
+-- Friendly display name for the server
+ALTER TABLE server ADD COLUMN name VARCHAR(100) DEFAULT NULL;
diff --git a/migrations/20260123140000_casbin_server_rules.down.sql b/migrations/20260123140000_casbin_server_rules.down.sql
new file mode 100644
index 00000000..f4a79c8d
--- /dev/null
+++ b/migrations/20260123140000_casbin_server_rules.down.sql
@@ -0,0 +1,5 @@
+-- Remove Casbin rules for server endpoints
+
+DELETE FROM public.casbin_rule
+WHERE v1 LIKE '/server%'
+ AND v0 IN ('group_user', 'root');
diff --git a/migrations/20260123140000_casbin_server_rules.up.sql b/migrations/20260123140000_casbin_server_rules.up.sql
new file mode 100644
index 00000000..c3783d11
--- /dev/null
+++ b/migrations/20260123140000_casbin_server_rules.up.sql
@@ -0,0 +1,27 @@
+-- Add Casbin rules for server endpoints
+
+-- Server list and get endpoints (group_user role - authenticated users)
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/server', 'GET', '', '', ''),
+ ('p', 'group_user', '/server/:id', 'GET', '', '', ''),
+ ('p', 'group_user', '/server/project/:project_id', 'GET', '', '', ''),
+ ('p', 'group_user', '/server/:id', 'PUT', '', '', ''),
+ ('p', 'group_user', '/server/:id', 'DELETE', '', '', ''),
+ -- SSH key management
+ ('p', 'group_user', '/server/:id/ssh-key/generate', 'POST', '', '', ''),
+ ('p', 'group_user', '/server/:id/ssh-key/upload', 'POST', '', '', ''),
+ ('p', 'group_user', '/server/:id/ssh-key/public', 'GET', '', '', ''),
+ ('p', 'group_user', '/server/:id/ssh-key', 'DELETE', '', '', ''),
+ -- Root role (admin access)
+ ('p', 'root', '/server', 'GET', '', '', ''),
+ ('p', 'root', '/server/:id', 'GET', '', '', ''),
+ ('p', 'root', '/server/project/:project_id', 'GET', '', '', ''),
+ ('p', 'root', '/server/:id', 'PUT', '', '', ''),
+ ('p', 'root', '/server/:id', 'DELETE', '', '', ''),
+ ('p', 'root', '/server/:id/ssh-key/generate', 'POST', '', '', ''),
+ ('p', 'root', '/server/:id/ssh-key/upload', 'POST', '', '', ''),
+ ('p', 'root', '/server/:id/ssh-key/public', 'GET', '', '', ''),
+ ('p', 'root', '/server/:id/ssh-key', 'DELETE', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260128120000_insert_casbin_rule_agent_deployments_get.up.sql b/migrations/20260128120000_insert_casbin_rule_agent_deployments_get.up.sql
new file mode 100644
index 00000000..a884ab98
--- /dev/null
+++ b/migrations/20260128120000_insert_casbin_rule_agent_deployments_get.up.sql
@@ -0,0 +1,19 @@
+-- Migration: Insert casbin_rule permissions for agent deployments GET
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/agent/deployments/*', 'GET', '', '', ''),
+ ('p', 'agent', '/api/v1/agent/deployments/*', 'GET', '', '', ''),
+ ('p', 'group_admin', '/api/v1/agent/deployments/*', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/agent/deployments/*', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/commands/*', 'GET', '', '', ''),
+ ('p', 'agent', '/api/v1/commands/*', 'GET', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands/*', 'GET', '', '', ''),
+ ('p', 'root', '/api/v1/commands/*', 'GET', '', '', '')
+ON CONFLICT DO NOTHING;
\ No newline at end of file
diff --git a/migrations/20260129120000_add_config_versioning.down.sql b/migrations/20260129120000_add_config_versioning.down.sql
new file mode 100644
index 00000000..b30a7962
--- /dev/null
+++ b/migrations/20260129120000_add_config_versioning.down.sql
@@ -0,0 +1,8 @@
+-- Remove config versioning columns from project_app table
+
+DROP INDEX IF EXISTS idx_project_app_config_version;
+
+ALTER TABLE project_app DROP COLUMN IF EXISTS config_hash;
+ALTER TABLE project_app DROP COLUMN IF EXISTS vault_sync_version;
+ALTER TABLE project_app DROP COLUMN IF EXISTS vault_synced_at;
+ALTER TABLE project_app DROP COLUMN IF EXISTS config_version;
diff --git a/migrations/20260129120000_add_config_versioning.up.sql b/migrations/20260129120000_add_config_versioning.up.sql
new file mode 100644
index 00000000..27ed79c7
--- /dev/null
+++ b/migrations/20260129120000_add_config_versioning.up.sql
@@ -0,0 +1,16 @@
+-- Add config versioning columns to project_app table
+-- This enables tracking of configuration changes and Vault sync status
+
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS config_version INTEGER NOT NULL DEFAULT 1;
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS vault_synced_at TIMESTAMPTZ;
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS vault_sync_version INTEGER;
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS config_hash VARCHAR(64);
+
+-- Add index for quick config version lookups
+CREATE INDEX IF NOT EXISTS idx_project_app_config_version ON project_app(project_id, config_version);
+
+-- Comment on new columns
+COMMENT ON COLUMN project_app.config_version IS 'Incrementing version number for config changes';
+COMMENT ON COLUMN project_app.vault_synced_at IS 'Last time config was synced to Vault';
+COMMENT ON COLUMN project_app.vault_sync_version IS 'Config version that was last synced to Vault';
+COMMENT ON COLUMN project_app.config_hash IS 'SHA256 hash of rendered config for drift detection';
diff --git a/migrations/20260129150000_add_config_files_to_project_app.down.sql b/migrations/20260129150000_add_config_files_to_project_app.down.sql
new file mode 100644
index 00000000..3b0b291e
--- /dev/null
+++ b/migrations/20260129150000_add_config_files_to_project_app.down.sql
@@ -0,0 +1,4 @@
+-- Rollback config_files additions
+
+ALTER TABLE project_app DROP COLUMN IF EXISTS config_files;
+ALTER TABLE project_app DROP COLUMN IF EXISTS template_source;
diff --git a/migrations/20260129150000_add_config_files_to_project_app.up.sql b/migrations/20260129150000_add_config_files_to_project_app.up.sql
new file mode 100644
index 00000000..38c33182
--- /dev/null
+++ b/migrations/20260129150000_add_config_files_to_project_app.up.sql
@@ -0,0 +1,26 @@
+-- Add config_files column to project_app for template configuration files
+-- This stores config file templates (like telegraf.conf, nginx.conf) that need rendering
+
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS config_files JSONB DEFAULT '[]'::jsonb;
+
+-- Example structure:
+-- [
+-- {
+-- "name": "telegraf.conf",
+-- "path": "/etc/telegraf/telegraf.conf",
+-- "content": "# Telegraf config\n[agent]\ninterval = \"{{ interval }}\"\n...",
+-- "template_type": "jinja2",
+-- "variables": {
+-- "interval": "10s",
+-- "flush_interval": "10s",
+-- "influx_url": "http://influxdb:8086"
+-- }
+-- }
+-- ]
+
+COMMENT ON COLUMN project_app.config_files IS 'Configuration file templates as JSON array. Each entry has name, path, content (template), template_type (jinja2/tera), and variables object';
+
+-- Also add a template_source field to reference external templates from stacks repo
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS template_source VARCHAR(500);
+
+COMMENT ON COLUMN project_app.template_source IS 'Reference to external template source (e.g., tfa/roles/telegraf/templates/telegraf.conf.j2)';
diff --git a/migrations/20260130120000_add_config_files_to_project_app.down.sql b/migrations/20260130120000_add_config_files_to_project_app.down.sql
new file mode 100644
index 00000000..daa6c3ce
--- /dev/null
+++ b/migrations/20260130120000_add_config_files_to_project_app.down.sql
@@ -0,0 +1,4 @@
+-- Rollback: remove config_files column from project_app
+
+ALTER TABLE project_app
+DROP COLUMN IF EXISTS config_files;
diff --git a/migrations/20260130120000_add_config_files_to_project_app.up.sql b/migrations/20260130120000_add_config_files_to_project_app.up.sql
new file mode 100644
index 00000000..2f7f1a86
--- /dev/null
+++ b/migrations/20260130120000_add_config_files_to_project_app.up.sql
@@ -0,0 +1,26 @@
+-- Add config_files column to project_app for storing configuration file templates
+-- This supports apps like Telegraf that require config files beyond env vars
+
+-- Add config_files column
+ALTER TABLE project_app
+ADD COLUMN IF NOT EXISTS config_files JSONB DEFAULT '[]'::jsonb;
+
+-- Add comment for documentation
+COMMENT ON COLUMN project_app.config_files IS 'Configuration file templates as JSON array [{"filename": "telegraf.conf", "path": "/etc/telegraf/telegraf.conf", "content": "template content...", "is_template": true}]';
+
+-- Example structure:
+-- [
+-- {
+-- "filename": "telegraf.conf",
+-- "path": "/etc/telegraf/telegraf.conf",
+-- "content": "[agent]\n interval = \"{{ interval | default(\"10s\") }}\"\n...",
+-- "is_template": true,
+-- "description": "Telegraf agent configuration"
+-- },
+-- {
+-- "filename": "custom.conf",
+-- "path": "/etc/myapp/custom.conf",
+-- "content": "static content...",
+-- "is_template": false
+-- }
+-- ]
diff --git a/migrations/20260131120000_casbin_commands_post_rules.down.sql b/migrations/20260131120000_casbin_commands_post_rules.down.sql
new file mode 100644
index 00000000..55f4fcbc
--- /dev/null
+++ b/migrations/20260131120000_casbin_commands_post_rules.down.sql
@@ -0,0 +1,26 @@
+-- Remove Casbin POST rules for commands API
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/v1/commands/*' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/commands/*' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/commands/*' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/commands/*' AND v2 = 'POST';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/v1/commands/*' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/commands/*' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/commands/*' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/commands/*' AND v2 = 'PUT';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/v1/commands/*' AND v2 = 'DELETE';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/commands/*' AND v2 = 'DELETE';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/commands/*' AND v2 = 'DELETE';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/commands/*' AND v2 = 'DELETE';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/v1/commands' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/commands' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/commands' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/commands' AND v2 = 'POST';
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_user' AND v1 = '/api/v1/commands' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/commands' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/commands' AND v2 = 'PUT';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/commands' AND v2 = 'PUT';
diff --git a/migrations/20260131120000_casbin_commands_post_rules.up.sql b/migrations/20260131120000_casbin_commands_post_rules.up.sql
new file mode 100644
index 00000000..26a9eb44
--- /dev/null
+++ b/migrations/20260131120000_casbin_commands_post_rules.up.sql
@@ -0,0 +1,47 @@
+-- Add Casbin POST rules for commands API
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Commands POST access
+ ('p', 'group_user', '/api/v1/commands/*', 'POST', '', '', ''),
+ ('p', 'agent', '/api/v1/commands/*', 'POST', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands/*', 'POST', '', '', ''),
+ ('p', 'root', '/api/v1/commands/*', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/commands/*', 'PUT', '', '', ''),
+ ('p', 'agent', '/api/v1/commands/*', 'PUT', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands/*', 'PUT', '', '', ''),
+ ('p', 'root', '/api/v1/commands/*', 'PUT', '', '', '')
+ON CONFLICT DO NOTHING;
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/commands/*', 'DELETE', '', '', ''),
+ ('p', 'agent', '/api/v1/commands/*', 'DELETE', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands/*', 'DELETE', '', '', ''),
+ ('p', 'root', '/api/v1/commands/*', 'DELETE', '', '', '')
+ON CONFLICT DO NOTHING;
+
+
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/commands', 'POST', '', '', ''),
+ ('p', 'agent', '/api/v1/commands', 'POST', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands', 'POST', '', '', ''),
+ ('p', 'root', '/api/v1/commands', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ -- Server list and get
+ ('p', 'group_user', '/api/v1/commands', 'PUT', '', '', ''),
+ ('p', 'agent', '/api/v1/commands', 'PUT', '', '', ''),
+ ('p', 'group_admin', '/api/v1/commands', 'PUT', '', '', ''),
+ ('p', 'root', '/api/v1/commands', 'PUT', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260131121000_casbin_apps_status_rules.down.sql b/migrations/20260131121000_casbin_apps_status_rules.down.sql
new file mode 100644
index 00000000..c1a54f54
--- /dev/null
+++ b/migrations/20260131121000_casbin_apps_status_rules.down.sql
@@ -0,0 +1,5 @@
+-- Remove Casbin POST rule for app status updates reported by agents
+
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'agent' AND v1 = '/api/v1/apps/status' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'group_admin' AND v1 = '/api/v1/apps/status' AND v2 = 'POST';
+DELETE FROM public.casbin_rule WHERE ptype = 'p' AND v0 = 'root' AND v1 = '/api/v1/apps/status' AND v2 = 'POST';
diff --git a/migrations/20260131121000_casbin_apps_status_rules.up.sql b/migrations/20260131121000_casbin_apps_status_rules.up.sql
new file mode 100644
index 00000000..fcd1934a
--- /dev/null
+++ b/migrations/20260131121000_casbin_apps_status_rules.up.sql
@@ -0,0 +1,8 @@
+-- Add Casbin POST rule for app status updates reported by agents
+
+INSERT INTO public.casbin_rule (ptype, v0, v1, v2, v3, v4, v5)
+VALUES
+ ('p', 'agent', '/api/v1/apps/status', 'POST', '', '', ''),
+ ('p', 'group_admin', '/api/v1/apps/status', 'POST', '', '', ''),
+ ('p', 'root', '/api/v1/apps/status', 'POST', '', '', '')
+ON CONFLICT DO NOTHING;
diff --git a/migrations/20260202120000_add_parent_app_code.down.sql b/migrations/20260202120000_add_parent_app_code.down.sql
new file mode 100644
index 00000000..967f1e59
--- /dev/null
+++ b/migrations/20260202120000_add_parent_app_code.down.sql
@@ -0,0 +1,4 @@
+-- Rollback: Remove parent_app_code column from project_app
+
+DROP INDEX IF EXISTS idx_project_app_parent;
+ALTER TABLE project_app DROP COLUMN IF EXISTS parent_app_code;
diff --git a/migrations/20260202120000_add_parent_app_code.up.sql b/migrations/20260202120000_add_parent_app_code.up.sql
new file mode 100644
index 00000000..67b3a974
--- /dev/null
+++ b/migrations/20260202120000_add_parent_app_code.up.sql
@@ -0,0 +1,11 @@
+-- Add parent_app_code column to project_app for hierarchical service linking
+-- This allows multi-service compose stacks (e.g., Komodo with core, ferretdb, periphery)
+-- to link child services back to the parent stack
+
+ALTER TABLE project_app ADD COLUMN IF NOT EXISTS parent_app_code VARCHAR(255) DEFAULT NULL;
+
+-- Create index for efficient queries on parent apps
+CREATE INDEX IF NOT EXISTS idx_project_app_parent ON project_app(project_id, parent_app_code) WHERE parent_app_code IS NOT NULL;
+
+-- Add comment for documentation
+COMMENT ON COLUMN project_app.parent_app_code IS 'Parent app code for child services in multi-service stacks (e.g., "komodo" for komodo-core, komodo-ferretdb)';
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 00000000..4c049143
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,33 @@
+{
+ "name": "stacker",
+ "lockfileVersion": 3,
+ "requires": true,
+ "packages": {
+ "": {
+ "dependencies": {
+ "ws": "^8.18.3"
+ }
+ },
+ "node_modules/ws": {
+ "version": "8.18.3",
+ "resolved": "https://registry.npmjs.org/ws/-/ws-8.18.3.tgz",
+ "integrity": "sha512-PEIGCY5tSlUt50cqyMXfCzX+oOPqN0vuGqWzbcJ2xvnkzkq46oOpz7dQaTDBdfICb4N14+GARUDw2XV2N4tvzg==",
+ "license": "MIT",
+ "engines": {
+ "node": ">=10.0.0"
+ },
+ "peerDependencies": {
+ "bufferutil": "^4.0.1",
+ "utf-8-validate": ">=5.0.2"
+ },
+ "peerDependenciesMeta": {
+ "bufferutil": {
+ "optional": true
+ },
+ "utf-8-validate": {
+ "optional": true
+ }
+ }
+ }
+ }
+}
diff --git a/package.json b/package.json
new file mode 100644
index 00000000..31fef034
--- /dev/null
+++ b/package.json
@@ -0,0 +1,5 @@
+{
+ "dependencies": {
+ "ws": "^8.18.3"
+ }
+}
diff --git a/src/banner.rs b/src/banner.rs
new file mode 100644
index 00000000..bbd5c301
--- /dev/null
+++ b/src/banner.rs
@@ -0,0 +1,64 @@
+/// Display a banner with version and useful information
+pub fn print_banner() {
+ let version = env!("CARGO_PKG_VERSION");
+ let name = env!("CARGO_PKG_NAME");
+
+ let banner = format!(
+ r#"
+ _ | |
+ ___ _| |_ _____ ____| | _ _____ ____
+ /___|_ _|____ |/ ___) |_/ ) ___ |/ ___)
+|___ | | |_/ ___ ( (___| _ (| ____| |
+(___/ \__)_____|\____)_| \_)_____)_|
+
+──────────────────────────────────────────
+ {}
+ Version: {}
+ Build: {}
+ Edition: {}
+─────────────────────────────────────────
+
+"#,
+ capitalize(name),
+ version,
+ env!("CARGO_PKG_VERSION"),
+ "2021"
+ );
+
+ println!("{}", banner);
+}
+
+/// Display startup information
+pub fn print_startup_info(host: &str, port: u16) {
+ let info = format!(
+ r#"
+📋 Configuration Loaded
+ 🌐 Server Address: http://{}:{}
+ 📦 Ready to accept connections
+
+"#,
+ host, port
+ );
+
+ println!("{}", info);
+}
+
+fn capitalize(s: &str) -> String {
+ let mut chars = s.chars();
+ match chars.next() {
+ None => String::new(),
+ Some(first) => first.to_uppercase().collect::