App v0.1

Minimal private upload slice

Target workflow: account signup/signin, private account-scoped upload, file bytes in private object storage, metadata in a relational database, deterministic validation, and a private validation summary page for the owner.

Architecture

Static public site stays public; authenticated app pages live under /app/.
Vercel-style serverless API routes under /api/ enforce auth, ownership, upload, and download.
Supabase Postgres stores users, sessions, upload metadata, and validation summaries.
Supabase private Storage bucket stores raw upload bytes keyed by user_id/upload_id/filename.
A server-side deterministic validator checks CGES JSON structure plus the repo's core semantic rules before the summary page is shown.

Assumptions and Risks

Area	Assumption	Risk / Mitigation
Upload format	v0.1 accepts JSON CGES uploads only.	This narrows the validator and keeps the slice shippable; native CAD file ingestion can be added later as a separate import step.
Scale	Up to about 500k upload rows and mostly 25kB to 1MB files.	Postgres metadata plus object storage is well within range if uploads are indexed by `user_id` and file bytes never live in the repo or function filesystem.
Auth model	Single-user private accounts only.	No team/org logic is included in v0.1; every authorization check uses a direct `user_id` ownership boundary.
Validation	The validator is deterministic and CGES-focused, not a generic JSON Schema engine.	This is sufficient for the first product proof and aligns with the repo's conformance rules; full schema-engine coverage can be added later if needed.
Upload transport	Browser sends base64 JSON payloads to the API for files up to 2MB.	There is some overhead, but it keeps the first slice dependency-light and acceptable for the stated file sizes.

Minimal File and Folder Structure

Path	Purpose
`api/_lib/`	Shared server helpers for env loading, cookies, sessions, Supabase REST/storage calls, and validation.
`api/app-*.js`	Auth, session, upload list/create, upload detail, and private download routes.
`app/`	Minimal static HTML pages for signup, signin, dashboard, upload, and validation summary.
`assets/app-*.js`	Plain browser scripts for forms, session checks, upload flow, and detail rendering.
`scripts/supabase-app-v0.1.sql`	Schema and indexes for the relational metadata layer.
`examples/cges-file/example.cges.json`	Known-good local upload sample for the new flow.

Minimal Data Model

Table	Fields	Why it exists
`app_users`	`id`, `email`, `password_hash`, `created_at`	Single-account identity with normalized unique email.
`app_sessions`	`id`, `user_id`, `token_hash`, `expires_at`, `created_at`, `last_seen_at`	Opaque server-side sessions stored independently from the browser cookie.
`uploads`	`id`, `user_id`, `original_filename`, `storage_bucket`, `storage_key`, `mime_type`, `size_bytes`, `sha256_hex`, `validation_status`, `validation_summary`, timestamps	Ownership boundary, upload metadata, and validation result cache.
`upload_events`	`id`, `upload_id`, `event_type`, `metadata_json`, `created_at`	Minimal audit trail for upload, validate, download, and delete actions.

Implementation Order

Provision Supabase env vars, database schema, and a private storage bucket.
Add shared server utilities for auth, cookie/session handling, storage, and validation.
Implement API routes for signup, signin, session lookup, signout, upload list/create, upload detail, and private download.
Add minimal app pages under /app/ and plain browser scripts for the end-to-end workflow.
Use the bundled example JSON to prove: account -> upload -> private storage -> validation summary.

Local test note: the runtime assumes Node-based serverless execution plus Supabase credentials. For local testing, set the new environment variables, create the schema and private bucket, run the site with your local Vercel dev server, then use /examples/cges-file/example.cges.json as the first upload.