madbase/.trae/documents/plan_20260311_205838.md

I will implement Phase 2: Realtime & Storage Enhancements, specifically focusing on Signed URLs for Storage and Resume Support for Realtime.

1. Storage: Signed URLs

I will implement a mechanism to generate and verify time-limited access tokens for private objects.

• storage/src/handlers.rs:
  • Add sign_object handler (POST /object/sign/:bucket/:wildcard):
    • Checks user permissions via RLS.
    • Generates a JWT containing bucket, key, and expiration.
    • Returns a signed URL.
  • Add get_signed_object handler (GET /object/sign/:bucket/:wildcard):
    • Validates the token from the query string.
    • Bypasses RLS (since token proves prior auth) and streams the file from S3.
• storage/src/lib.rs: Register the new endpoints.
• Tests: Add integration tests to verify signed URL generation and access.

2. Realtime: Resume Support

I will leverage the existing madbase_realtime.messages table to allow clients to catch up on missed events.

• realtime/src/ws.rs:
  • Update the phx_join handler to accept a last_event_id in the payload.
  • If provided, query madbase_realtime.messages for events occurring after that ID matching the topic.
  • Send these missed events to the client immediately upon joining.
• Tests: Add integration tests to verify that a client reconnecting with a last_event_id receives missed messages.

Note: Full replacement of LISTEN/NOTIFY with pgoutput is deferred to a later step within Phase 2 due to its complexity, but Resume Support is a critical prerequisite for reliability.