feat(new-deepnotes): Postgres ACL for realtime page and group Redis hashes

Wire Hyperdrive in UserRealtimeRoom so executeRealtimeWsBatch can authorize page: and group: HGET/HSET/SUBSCRIBE via resolveRealtimeHashFieldAccess (viewGroupPages / editGroupPages). Keep user-only sync gate when Hyperdrive is absent. Add Vitest for ACL-injected page HGET; update TRPC_REST_MAP and PLAN_PROGRESS.

Author: gustavotoyota

new-deepnotes/PLAN_PROGRESS.md

@@ -12,8 +12,8 @@
 
 | Area | State |
 |------|--------|
-| **API / REST** | TRPC_REST_MAP HTTP rows largely done; **collab WS** MVP (**Durable Object** relay + Postgres append, legacy lib0 framing via `@deepnotes/collab-wire`); **realtime** **`GET /api/realtime-ws`** + **`UserRealtimeRoom` DO** + `@deepnotes/realtime-wire`. Framing + Vitest round-trips; **`USER_NOTIFICATION`** push after `performNotifyUsers`. **Hash slice:** when **Upstash** is configured (`UPSTASH_REDIS_*`), DO handles legacy **REQUEST** batches for **`user:{userId}`** Redis (**HGET**/**HSET**/**SUBSCRIBE**/**UNSUBSCRIBE** → **RESPONSE** + **DATA_NOTIFICATION** intra-DO fan-out). **Still open:** **`page`** / **`group`** hash ACL vs Postgres (legacy DataAbstraction); cross-process Redis pub/sub (legacy `expiremember`/KeyDB) not replicated. SPA remains REST-heavy for titles until client opts into hash WS. |
-| **SPA** | Auth, lists, **`PageEditorView`** (Tiptap+Y+collab **WebSocket when configured** else REST, **encrypted awareness + collaboration carets** on WS, link/underline/placeholder, **tables, images, tasks, code (lowlight), KaTeX math (inline + block), YouTube embeds (Vue node view + resize handle like legacy)**, highlight, align, sub/sup, HR, path breadcrumb, bump/favorite/recent, **snapshots list/save/restore/delete**, **set-as-main + soft-delete + purge**, **cross-group move/reencrypt**), groups/**members**/invite/join + **group settings** (join policy, soft-delete, **make public / make private**, **group purge**), notifications list **with decrypt**, **`/account`**, home **recents/favorites/starting/defaults** UIs, theme, **live notification toast** when **`/api/realtime-ws`** connected. Missing: **`page`/`group` realtime hashes + SPA wired** (full legacy parity; worker has **`user:{id}`** hash slice when Upstash is set); **spatial/world** canvas, native shells. |
+| **API / REST** | TRPC_REST_MAP HTTP rows largely done; **collab WS** MVP (**Durable Object** relay + Postgres append, legacy lib0 framing via `@deepnotes/collab-wire`); **realtime** **`GET /api/realtime-ws`** + **`UserRealtimeRoom` DO** + `@deepnotes/realtime-wire`. Framing + Vitest round-trips; **`USER_NOTIFICATION`** push after `performNotifyUsers`. **Hash slice:** when **Upstash** (`UPSTASH_REDIS_*`) **and** **`HYPERDRIVE`** are set, DO serves **`user:`** / **`page:`** / **`group:`** Redis hashes with Postgres ACL (`resolveRealtimeHashFieldAccess`: read=`viewGroupPages`, write=`editGroupPages`). With Upstash only, **`user:{id}`** still works (sync user-only gate). **Still open:** cross-process Redis pub/sub (legacy `expiremember`/KeyDB); SPA still REST-first for titles until it sends legacy **REQUEST** batches. |
+| **SPA** | Auth, lists, **`PageEditorView`** (Tiptap+Y+collab **WebSocket when configured** else REST, **encrypted awareness + collaboration carets** on WS, link/underline/placeholder, **tables, images, tasks, code (lowlight), KaTeX math (inline + block), YouTube embeds (Vue node view + resize handle like legacy)**, highlight, align, sub/sup, HR, path breadcrumb, bump/favorite/recent, **snapshots list/save/restore/delete**, **set-as-main + soft-delete + purge**, **cross-group move/reencrypt**), groups/**members**/invite/join + **group settings** (join policy, soft-delete, **make public / make private**, **group purge**), notifications list **with decrypt**, **`/account`**, home **recents/favorites/starting/defaults** UIs, theme, **live notification toast** when **`/api/realtime-ws`** connected. Missing: **legacy RealtimeClient-style REQUEST batches** from SPA for **`page`/`group`** hash titles (API path ready when Upstash+HYPERDRIVE); **spatial/world** canvas, native shells. |
 
 **Deferred (confirm vs parity):** optional anon `GET …/groups/:id/pages`; richer Stripe webhook tests. **Infra naming:** Workers/DO replaces standalone collab/realtime/scheduler processes.
 
@@ -26,7 +26,7 @@
 | **0** | Done | Map, OpenAPI, Drizzle baseline, CLIENT_FORKS |
 | **1** | Skip? | Legacy monorepo only |
 | **2** | Done | Turbo/CI/template DB/deploy docs |
-| **3** | WIP | **realtime:** `USER_NOTIFICATION` WS + DO + invite **`notifyUsers`**; **`user`-hash** REQUEST (**Upstash**) + RESP/DATA_NOTIFICATION in-DO (**`page`/`group` ACL + cross-node pub/sub** still open); collab WS MVP **done** |
+| **3** | WIP | **realtime:** `USER_NOTIFICATION` WS + DO + invite **`notifyUsers`**; hash **REQUEST** + **`page`/`group` Postgres ACL** when Hyperdrive + Upstash; cross-node Redis pub/sub **still open**; collab WS MVP **done** |
 | **4** | WIP | See checklist below |
 | **5** | Todo | Cutover after **parity gate** + metrics + decrypt spot-checks |
 
@@ -46,7 +46,7 @@
 - [x] `[parity]` Page ops + group settings — **make private** + cross-group **move/reencrypt** + **purge** UI (page + group); **make public**, snapshots + main + soft-delete **done** in SPA  
 - [ ] `[parity]` Editor UX vs legacy (rich + spatial/world if in scope) — **partial:** WS awareness+carets; TipTap **tables, images, tasks**, **code (lowlight), math (inline + block), YouTube** (Vue node view + resize handle), typography (highlight, align, sub/sup, HR), link/underline/placeholder (**no** spatial/world canvas yet)  
 - [x] `[parity]` Notifications: decrypt/display as legacy  
-- [x] Legacy **realtime** — **partial:** `USER_NOTIFICATION` over **`/api/realtime-ws`** + per-user DO (`@deepnotes/realtime-wire`); join-invite **DB notifications** + E2EE payloads; **`user:{id}`** hash **REQUEST**/RESP (**Upstash** optional); **`page`/`group`** caches + Redis pub/sub parity **not** done  
+- [x] Legacy **realtime** — **partial:** `USER_NOTIFICATION` + hash **REQUEST** (`user` / `page` / `group` when **Upstash** + **Hyperdrive**); join-invite **DB notifications** + E2EE payloads; cross-process Redis pub/sub parity **not** done  
 - [ ] Capacitor/Tauri **after web parity**
 
 ---
@@ -80,6 +80,7 @@
 
 | Date | Note |
 |------|------|
+| 2026-04-29 | **Realtime hash ACL (Postgres):** `resolveRealtimeHashFieldAccess` in `@deepnotes/session` for **`page:`** / **`group:`** (`viewGroupPages` / `editGroupPages`); `UserRealtimeRoom` wires **Hyperdrive** + Vitest mock-ACL **page** HGET. |
 | 2026-04-29 | **Realtime Redis hash slice (Upstash):** `UserRealtimeRoom` handles binary **REQUEST** (`executeRealtimeWsBatch`); **`user:{userId}`** HGET/HSET/SUBSCRIBE/UNSUBSCRIBE + subscriber fan-out; **`realtime-ws-batch.test.ts`**. |
 | 2026-04-29 | **Realtime wire framing parity:** `@deepnotes/realtime-wire` decodes/encodes legacy **RESPONSE**, **DATA_NOTIFICATION**, and client **REQUEST** batches (msgpackr + lib0) with Vitest; Worker DO unchanged (`USER_NOTIFICATION` only). Moves toward Redis hash cache parity without E2E. |
 | 2026-04-29 | **Realtime `USER_NOTIFICATION` parity slice:** `@deepnotes/realtime-wire`, `UserRealtimeRoom` DO, `GET /api/realtime-ws`, `performNotifyUsers` + join-invite optional `notifications` + bootstrap `?inviteeUserId=` keyrings; SPA toast + `buildGroupInviteSentNotifications`. |

new-deepnotes/apps/api-worker/src/realtime-ws-batch.test.ts

@@ -10,6 +10,8 @@ import {
   canRealtimeHashAccess,
   executeRealtimeWsBatch,
   realtimeFullKey,
+  redisHashKey,
+  type RealtimeHashAclPort,
   type RealtimeHashPort,
 } from "./realtime-ws-batch.js";
 
@@ -52,7 +54,7 @@ function createMemoryHashPort(
 }
 
 describe("executeRealtimeWsBatch", () => {
-  it("denies group/page hash access (user-only until Postgres ACL)", () => {
+  it("denies page/group hash without Postgres ACL port (user-only sync)", () => {
     expect(canRealtimeHashAccess("u1", "group", "g1")).toBe(false);
     expect(canRealtimeHashAccess("u1", "page", "p1")).toBe(false);
     expect(canRealtimeHashAccess("u1", "user", "u1")).toBe(true);
@@ -86,6 +88,7 @@ describe("executeRealtimeWsBatch", () => {
       decoded,
       redis: port,
       hooks,
+      acl: null,
     });
     expect(out.responseBytes).not.toBeNull();
     expect(out.subscribeNotifyBytes).toBeNull();
@@ -120,6 +123,7 @@ describe("executeRealtimeWsBatch", () => {
         },
         unsubscribeField: () => {},
       },
+      acl: null,
     });
     expect(subs).toEqual([realtimeFullKey("user", "u1", "email")]);
     expect(out.subscribeNotifyBytes).not.toBeNull();
@@ -145,10 +149,46 @@ describe("executeRealtimeWsBatch", () => {
       decoded,
       redis: port,
       hooks: { subscribeField: () => {}, unsubscribeField: () => {} },
+      acl: null,
     });
     expect(out.hsetBroadcastItems).toHaveLength(1);
     expect(out.hsetBroadcastItems[0]?.fullKey).toBe(
       realtimeFullKey("user", "u1", "email"),
     );
   });
+
+  it("HGET on page hash succeeds when ACL grants read", async () => {
+    const { port } = createMemoryHashPort({
+      "page:p9": { "encrypted-relative-title": "enc" },
+    });
+    const req = encodeRealtimeClientRequest({
+      firstCommandId: 5,
+      commands: [
+        {
+          type: RealtimeCommandType.HGET,
+          args: ["page", "p9", "encrypted-relative-title"],
+        },
+      ],
+    });
+    const decoded = decodeRealtimeClientBinaryMessage(req);
+    if (decoded == null) {
+      throw new Error("decode");
+    }
+    const acl: RealtimeHashAclPort = {
+      async resolveBatch(needs) {
+        expect(needs.get(redisHashKey("page", "p9"))?.read).toBe(true);
+        const m = new Map<string, { readOk: boolean; writeOk: boolean }>();
+        m.set(redisHashKey("page", "p9"), { readOk: true, writeOk: true });
+        return m;
+      },
+    };
+    const out = await executeRealtimeWsBatch({
+      userId: "u1",
+      decoded,
+      redis: port,
+      hooks: { subscribeField: () => {}, unsubscribeField: () => {} },
+      acl,
+    });
+    expect(out.responseBytes).not.toBeNull();
+  });
 });

new-deepnotes/apps/api-worker/src/realtime-ws-batch.ts

@@ -1,6 +1,6 @@
 /**
  * LEGACY-compat realtime hash commands over WS (RESPONSE / DATA_NOTIFICATION).
- * Only `user:{userId}` Redis hashes are allowed for parity until group/page ACL is wired via Postgres.
+ * `user:{id}` allowed on the isolate; `page:` / `group:` when `acl` resolves Postgres membership.
  */
 import {
   RealtimeCommandType,
@@ -32,6 +32,75 @@ export function canRealtimeHashAccess(
   return false;
 }
 
+export type RealtimeHashAclPort = {
+  resolveBatch(
+    needs: Map<string, { read: boolean; write: boolean }>,
+  ): Promise<Map<string, { readOk: boolean; writeOk: boolean }>>;
+};
+
+function accumulateRealtimeHashNeeds(
+  meta: { cmd: RealtimeClientCommand; commandId: number }[],
+): Map<string, { read: boolean; write: boolean }> {
+  const needs = new Map<string, { read: boolean; write: boolean }>();
+  function add(key: string, read: boolean, write: boolean): void {
+    const cur = needs.get(key) ?? { read: false, write: false };
+    if (read) {
+      cur.read = true;
+    }
+    if (write) {
+      cur.write = true;
+    }
+    needs.set(key, cur);
+  }
+  for (const { cmd } of meta) {
+    switch (cmd.type) {
+      case RealtimeCommandType.HGET: {
+        const t = parseTripleArgs(cmd.args);
+        if (t != null) {
+          add(redisHashKey(t[0], t[1]), true, false);
+        }
+        break;
+      }
+      case RealtimeCommandType.SUBSCRIBE: {
+        const t = parseTripleArgs(cmd.args);
+        if (t != null) {
+          add(redisHashKey(t[0], t[1]), true, false);
+        }
+        break;
+      }
+      case RealtimeCommandType.HSET: {
+        const t = parseHSetArgs(cmd.args);
+        if (t != null) {
+          add(redisHashKey(t.prefix, t.suffix), false, true);
+        }
+        break;
+      }
+      default:
+        break;
+    }
+  }
+  return needs;
+}
+
+function syncResolveRealtimeHashAccess(
+  userId: string,
+  needs: Map<string, { read: boolean; write: boolean }>,
+): Map<string, { readOk: boolean; writeOk: boolean }> {
+  const out = new Map<string, { readOk: boolean; writeOk: boolean }>();
+  for (const [key, need] of needs) {
+    const i = key.indexOf(":");
+    const prefix = i > 0 ? key.slice(0, i) : "";
+    const suffix = i > 0 ? key.slice(i + 1) : "";
+    const allowed =
+      prefix !== "" && canRealtimeHashAccess(userId, prefix, suffix);
+    out.set(key, {
+      readOk: !need.read || allowed,
+      writeOk: !need.write || allowed,
+    });
+  }
+  return out;
+}
+
 export type RealtimeHashPort = {
   hmget(key: string, fields: readonly string[]): Promise<(unknown | null)[]>;
   hset(key: string, entries: Record<string, unknown>): Promise<void>;
@@ -85,13 +154,22 @@ export async function executeRealtimeWsBatch(input: {
   decoded: DecodedRealtimeClientRequest;
   redis: RealtimeHashPort | null;
   hooks: RealtimeBatchHooks;
+  acl: RealtimeHashAclPort | null;
 }): Promise<ExecuteRealtimeWsBatchResult> {
-  const { userId, decoded, redis, hooks } = input;
+  const { userId, decoded, redis, hooks, acl } = input;
   const meta = decoded.commands.map((cmd, i) => ({
     cmd,
     commandId: decoded.firstCommandId + i,
   }));
 
+  const needs = accumulateRealtimeHashNeeds(meta);
+  const resolved =
+    needs.size === 0
+      ? new Map<string, { readOk: boolean; writeOk: boolean }>()
+      : acl != null
+        ? await acl.resolveBatch(needs)
+        : syncResolveRealtimeHashAccess(userId, needs);
+
   const hgetResponses = new Map<number, unknown>();
 
   type AllowedHGet = {
@@ -112,7 +190,7 @@ export async function executeRealtimeWsBatch(input: {
       continue;
     }
     const [prefix, suffix, field] = t;
-    if (!canRealtimeHashAccess(userId, prefix, suffix)) {
+    if (!resolved.get(redisHashKey(prefix, suffix))?.readOk) {
       hgetResponses.set(row.commandId, undefined);
       continue;
     }
@@ -168,7 +246,7 @@ export async function executeRealtimeWsBatch(input: {
         if (t == null) {
           return;
         }
-        if (!canRealtimeHashAccess(userId, t.prefix, t.suffix)) {
+        if (!resolved.get(redisHashKey(t.prefix, t.suffix))?.writeOk) {
           return;
         }
         const fk = realtimeFullKey(t.prefix, t.suffix, t.field);
@@ -193,7 +271,7 @@ export async function executeRealtimeWsBatch(input: {
         }
         const [prefix, suffix, field] = t;
         const fk = realtimeFullKey(prefix, suffix, field);
-        if (!canRealtimeHashAccess(userId, prefix, suffix)) {
+        if (!resolved.get(redisHashKey(prefix, suffix))?.readOk) {
           subscribeItems.push({ prefix, suffix, field, value: undefined });
           return;
         }

new-deepnotes/apps/api-worker/src/user-realtime-room.ts

@@ -4,16 +4,21 @@ import {
   encodeRealtimeServerDataNotification,
   encodeUserNotificationServerMessage,
 } from "@deepnotes/realtime-wire";
+import { resolveRealtimeHashFieldAccess } from "@deepnotes/session";
 
 import {
   executeRealtimeWsBatch,
+  type RealtimeHashAclPort,
   type RealtimeHashPort,
 } from "./realtime-ws-batch.js";
+import { getDbForConnectionString } from "./db-pool.js";
 
 export type UserRealtimeRoomEnv = {
   REALTIME_INTERNAL_SECRET?: string;
   UPSTASH_REDIS_REST_URL?: string;
   UPSTASH_REDIS_REST_TOKEN?: string;
+  /** When set, `page:` / `group:` hash REQUEST batches use Postgres-backed ACL. */
+  HYPERDRIVE?: Hyperdrive;
 };
 
 /**
@@ -182,10 +187,24 @@ export class UserRealtimeRoom {
     }
 
     try {
+      const hyper = this.env.HYPERDRIVE;
+      const acl: RealtimeHashAclPort | null =
+        hyper != null
+          ? {
+              resolveBatch: (needs) =>
+                resolveRealtimeHashFieldAccess({
+                  db: getDbForConnectionString(hyper.connectionString),
+                  userId,
+                  needs,
+                }),
+            }
+          : null;
+
       const out = await executeRealtimeWsBatch({
         userId,
         decoded,
         redis: this.hashPort(),
+        acl,
         hooks: {
           subscribeField: (fk) => {
             this.addSubscription(fk, ws);

new-deepnotes/docs/TRPC_REST_MAP.md

@@ -95,7 +95,7 @@ Working checklist for Phase 0 of [docs/RESTART_PLAN.md](../../docs/RESTART_PLAN.
 | Load encrypted Yjs update chain from DB | `GET /api/pages/:pageId/collab-updates` (**implemented** — `performGetPageCollabUpdates`; `viewGroupPages`; Postgres `page_updates`; response includes **encrypted page titles** (`encrypted_relative_title` / `encrypted_absolute_title` b64), `groupId`, `pageEncryptedSymmetricKeyring`, `groupEncryptedContentKeyring`, `groupAccessKeyring`, `memberEncryptedAccessKeyring` for client-side unwrap + cross-group move) | Replaces initial `ALL_UPDATES_UNMERGED`-style payload for SPA bootstrap; binary collab WebSocket is still [Phase 3 — realtime/collab](../PLAN_PROGRESS.md#not-started-phase-3--realtime--collab-only). |
 | Append updates (optimistic concurrency) | `POST /api/pages/:pageId/collab-updates` (**implemented** — `performAppendPageCollabUpdates`; `editGroupPages`; body `expectedLastIndex` + `updates[]`) | **409** when `expectedLastIndex` is stale. |
 | Live duplex collab (Yjs + awareness relay, Postgres persist) | `GET /api/pages/:pageId/collab-ws` (**WebSocket Upgrade** — `PageCollabRoom` Durable Object; cookie auth; internal `POST /api/internal/pages/:pageId/collab-ws-append` with `COLLAB_INTERNAL_SECRET`) | Greenfield path: legacy **lib0** `CollabMessageType` framing via `@deepnotes/collab-wire`; no Redis merge / **no** key rotation (RESTART_PLAN). SPA falls back to REST when WS unavailable. |
-| Live `USER_NOTIFICATION` (legacy Redis pub/sub) | `GET /api/realtime-ws` (**WebSocket** — `UserRealtimeRoom` Durable Object per `userId`; worker pushes framed payloads after `performNotifyUsers` with `REALTIME_INTERNAL_SECRET`) | `@deepnotes/realtime-wire` framing. Join-invite path persists rows + optional SPA E2EE `notifications` on `POST …/join-invitations`. **Hash cache (partial):** when `UPSTASH_REDIS_*` is set, accepts legacy **REQUEST** batches for **HGET / HSET / SUBSCRIBE / UNSUBSCRIBE** on Redis key `user:{userId}` (Upstash); **RESPONSE** + **DATA_NOTIFICATION** (in-DO subscriber fan-out on HSET); **no** full legacy `DataAbstraction` ACL for `page` / `group` yet (Postgres-backed checks TBD). |
+| Live `USER_NOTIFICATION` (legacy Redis pub/sub) | `GET /api/realtime-ws` (**WebSocket** — `UserRealtimeRoom` Durable Object per `userId`; worker pushes framed payloads after `performNotifyUsers` with `REALTIME_INTERNAL_SECRET`) | `@deepnotes/realtime-wire` framing. Join-invite path persists rows + optional SPA E2EE `notifications` on `POST …/join-invitations`. **Hash cache:** when `UPSTASH_REDIS_*` is set, accepts legacy **REQUEST** batches (**HGET / HSET / SUBSCRIBE / UNSUBSCRIBE**) on Redis keys `user:{userId}` plus `page:{pageId}` / `group:{groupId}` when **`HYPERDRIVE`** is configured — ACL via `@deepnotes/session` `resolveRealtimeHashFieldAccess` (read=`viewGroupPages`, write=`editGroupPages`). **RESPONSE** + **DATA_NOTIFICATION** (in-DO subscriber fan-out on HSET). **Not** replicated: cross-process Redis pub/sub, KeyDB `expiremember`. |
 
 ## Legacy app-server WebSocket → target
 

new-deepnotes/packages/session/src/index.ts

@@ -127,6 +127,8 @@ export type {
   NotifyUsersItem,
   RealtimeNotificationDelivery,
 } from "./notify-users.js";
+export { resolveRealtimeHashFieldAccess } from "./realtime-hash-acl.js";
+export type { RealtimeHashAccessNeeds } from "./realtime-hash-acl.js";
 export type { StripeBillingEnv } from "./stripe-billing.js";
 export {
   findUserIdByStripeCustomerId,