feat : Pluggable Storage Layer, Login Redesign & Zitadel OIDC

.env.example

@@ -30,7 +30,7 @@ JWT_SECRET=your_32_character_random_string_here
 # AUTHENTICATION PROVIDER
 # ============================================
 # "local" (default) = email/password login (ADMIN_EMAIL/ADMIN_PASSWORD, USER_EMAIL/USER_PASSWORD)
-# "oidc"            = OpenID Connect SSO (Auth0, Keycloak, Okta, Azure AD, etc.)
+# "oidc"            = OpenID Connect SSO (Auth0, Keycloak, Okta, Azure AD, Zitadel, etc.)
 NEXT_PUBLIC_AUTH_PROVIDER=local
 
 # ============================================
@@ -43,6 +43,7 @@ NEXT_PUBLIC_AUTH_PROVIDER=local
 
 # Scopes to request (default: openid profile email)
 # OIDC_SCOPE=openid profile email
+# if using Zitadel, add this scope: urn:zitadel:iam:org:project:roles
 
 # Role mapping (optional) — claim path for determining admin vs user role
 # Supports dot-notation for nested claims (e.g. "realm_access.roles")
@@ -56,6 +57,25 @@ NEXT_PUBLIC_AUTH_PROVIDER=local
 # Keycloak:  OIDC_ROLE_CLAIM=realm_access.roles
 # Okta:      OIDC_ROLE_CLAIM=groups
 # Azure AD:  OIDC_ROLE_CLAIM=roles
+# Zitadel:   OIDC_ROLE_CLAIM=urn:zitadel:iam:org:project:roles
+
+# ============================================
+# STORAGE PROVIDER (Optional)
+# ============================================
+# Controls where application data is persisted.
+# "local" (default) = browser localStorage only (zero config, great for dev)
+# "sqlite"          = SQLite file on server (persistent, single-node)
+# "postgres"        = PostgreSQL database (persistent, multi-node, enterprise)
+#
+# Note: NOT prefixed with NEXT_PUBLIC_ — server-side only, discovered at runtime
+# via GET /api/storage/config endpoint.
+STORAGE_PROVIDER=local
+
+# SQLite storage path (required when STORAGE_PROVIDER=sqlite)
+# STORAGE_SQLITE_PATH=./data/libredb-storage.db
+
+# PostgreSQL connection URL (required when STORAGE_PROVIDER=postgres)
+# STORAGE_POSTGRES_URL=postgresql://user:pass@host:5432/libredb
 
 # ===========================================
 # LLM Configuration (Strategy Pattern)

.gitignore

@@ -83,3 +83,5 @@ Thumbs.db
 
 
 !.claude/skills
+.orchids/
+.codegraph/

CLAUDE.md

@@ -6,6 +6,11 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 LibreDB Studio is a web-based SQL IDE for cloud-native teams. It supports PostgreSQL, MySQL, SQLite, Oracle, SQL Server, MongoDB, Redis, and a demo mode with AI-powered query assistance.
 
+## Github
+* Repository: https://github.com/libredb/libredb-studio
+* Container Registry: https://github.com/libredb/libredb-studio/pkgs/container/libredb-studio
+* Docker Image: ghcr.io/libredb/libredb-studio:latest
+
 ## Development Commands
 
 ```bash
@@ -58,6 +63,7 @@ The project uses ESLint 9 for linting and `bun:test` for testing with `@testing-
 - **AI:** Multi-model support (Gemini, OpenAI, Ollama, Custom)
 - **Databases:** PostgreSQL (`pg`), MySQL (`mysql2`), SQLite (`better-sqlite3`), Oracle (`oracledb`), SQL Server (`mssql`), MongoDB (`mongodb`), Redis (`ioredis`)
 - **Auth:** JWT-based with `jose` library + OIDC SSO with `openid-client` (Auth0, Keycloak, Okta, Azure AD)
+- **Storage:** Pluggable storage layer — localStorage (default), SQLite (`better-sqlite3`), or PostgreSQL (`pg`)
 
 ### Directory Structure
 
@@ -69,6 +75,7 @@ src/
 │   │   │   └── oidc/       # OIDC login + callback routes (PKCE, code exchange)
 │   │   ├── ai/             # AI endpoints (chat, nl2sql, explain, safety)
 │   │   ├── db/             # Query, schema, health, maintenance, transactions
+│   │   ├── storage/        # Storage sync API (config, CRUD, migrate)
 │   │   └── admin/          # Fleet health, audit endpoints
 │   ├── admin/              # Admin dashboard (RBAC protected)
 │   └── login/              # Login page
@@ -83,6 +90,15 @@ src/
 │   └── ui/                 # Shadcn/UI primitives
 ├── hooks/                  # Custom React hooks
 └── lib/
+    ├── storage/            # Storage abstraction layer
+    │   ├── index.ts        # Barrel export
+    │   ├── types.ts        # StorageData, ServerStorageProvider interfaces
+    │   ├── storage-facade.ts # Public sync API + CustomEvent dispatch
+    │   ├── local-storage.ts  # Pure localStorage CRUD
+    │   ├── factory.ts      # Env-based provider factory (singleton)
+    │   └── providers/
+    │       ├── sqlite.ts   # better-sqlite3 backend
+    │       └── postgres.ts # pg backend
     ├── db/                 # Database provider module (Strategy Pattern)
     │   ├── providers/
     │   │   ├── sql/        # SQL providers (postgres, mysql, sqlite, oracle, mssql)
@@ -133,7 +149,12 @@ e2e/                        # Playwright E2E tests (browser)
 
 4. **API Routes:** All backend logic in `src/app/api/`. Protected routes require valid JWT. Public routes: `/login`, `/api/auth`, `/api/db/health`
 
-5. **Client State:** LocalStorage for connections, query history, and saved queries (`src/lib/storage.ts`)
+5. **Storage Abstraction:** `src/lib/storage/` module provides pluggable persistence:
+   - **Local** (default): Browser localStorage, zero config
+   - **SQLite**: `better-sqlite3` file DB for single-node persistent storage
+   - **PostgreSQL**: `pg` for multi-node enterprise storage
+   - Write-through cache: localStorage always serves reads; `useStorageSync` hook pushes mutations to server (debounced)
+   - Controlled by `STORAGE_PROVIDER` env var (server-side only, discovered at runtime via `/api/storage/config`)
 
 6. **Multi-Tab Workspace:** Each query tab has independent state (query, results, execution status)
 
@@ -164,6 +185,11 @@ LLM_PROVIDER=gemini             # gemini, openai, ollama, custom
 LLM_API_KEY=<key>
 LLM_MODEL=gemini-2.5-flash
 LLM_API_URL=<url>               # For ollama/custom providers
+
+# Optional storage config (server-side only, not NEXT_PUBLIC_)
+STORAGE_PROVIDER=local                  # local (default) | sqlite | postgres
+STORAGE_SQLITE_PATH=./data/libredb-storage.db  # SQLite file path
+STORAGE_POSTGRES_URL=postgresql://...           # PostgreSQL connection URL
 ```
 
 ### Path Aliases

Dockerfile

@@ -11,6 +11,7 @@ WORKDIR /usr/src/app
 
 # Install dependencies only when needed
 FROM base AS deps
+RUN apt-get update && apt-get install -y python3 make g++ --no-install-recommends && rm -rf /var/lib/apt/lists/*
 COPY package.json bun.lock ./
 RUN bun install --frozen-lockfile
 
@@ -49,14 +50,20 @@ ENV NODE_OPTIONS="--max-old-space-size=384"
 
 COPY --from=builder /usr/src/app/public ./public
 
-# Set the correct permission for prerender cache
-RUN mkdir -p .next
+# Set the correct permission for prerender cache and storage
+RUN mkdir -p .next data
 
 # Automatically leverage output traces to reduce image size
 # https://nextjs.org/docs/advanced-features/output-file-tracing
 COPY --from=builder /usr/src/app/.next/standalone ./
 COPY --from=builder /usr/src/app/.next/static ./.next/static
 
+# Copy better-sqlite3 native binding for server storage support
+COPY --from=builder /usr/src/app/node_modules/better-sqlite3 ./node_modules/better-sqlite3
+COPY --from=builder /usr/src/app/node_modules/bindings ./node_modules/bindings
+COPY --from=builder /usr/src/app/node_modules/file-uri-to-path ./node_modules/file-uri-to-path
+# prebuild-install is only needed at build time, not runtime
+
 # Create non-root user for security
 RUN addgroup --system --gid 1001 nodejs && \
     adduser --system --uid 1001 nextjs && \

README.md

@@ -136,7 +136,7 @@ The demo runs in **Demo Mode** with simulated data. No real database required!
 
 ### Authentication & SSO
 - **Dual Auth Modes**: Local email/password login or OpenID Connect (OIDC) Single Sign-On — switchable via environment variable.
-- **Vendor-Agnostic OIDC**: Works with any OIDC-compliant provider — Auth0, Keycloak, Okta, Azure AD, Google, and more.
+- **Vendor-Agnostic OIDC**: Works with any OIDC-compliant provider — Auth0, Keycloak, Okta, Azure AD, Zitadel, Google, and more.
 - **PKCE Security**: Authorization Code Flow with Proof Key for Code Exchange (S256) for secure authentication.
 - **Auto Role Mapping**: Configurable claim-based role mapping with dot-notation for nested claims (e.g., `realm_access.roles`).
 - **Provider Logout**: Logout clears both local JWT session and identity provider session.
@@ -406,7 +406,7 @@ LibreDB Studio is optimized for K8s with:
 - [x] **Phase 12**: Advanced Charting (Scatter, Histogram, Stacked Charts, Aggregation, Date Grouping, Chart Save/Load, Chart Dashboard).
 - [x] **Phase 13**: Monitoring Enhancement (Time-Series Trends, Threshold Alerting, Connection Pool Stats, Configurable Polling).
 - [x] **Phase 14**: Enterprise Database Support (Oracle Database via oracledb Thin mode, Microsoft SQL Server via mssql/tedious).
-- [x] **Phase 15**: SSO Integration — Vendor-agnostic OIDC authentication (Auth0, Keycloak, Okta, Azure AD) with PKCE, role mapping, and provider logout.
+- [x] **Phase 15**: SSO Integration — Vendor-agnostic OIDC authentication (Auth0, Keycloak, Okta, Azure AD, Zitadel) with PKCE, role mapping, and provider logout.
 - [ ] **Phase 16**: DBA & Monitoring (Lock Dependency Graph, Vacuum Scheduler, Prometheus Export).
 - [ ] **Phase 17**: Enterprise Collaboration (User Identity, Shared Workspaces, SAML 2.0).
 
@@ -419,7 +419,7 @@ LibreDB Studio is optimized for K8s with:
 | [DeepWiki](https://deepwiki.com/libredb/libredb-studio) | AI-powered documentation — always up-to-date with the codebase |
 | [SonarCloud](https://sonarcloud.io/project/overview?id=libredb_libredb-studio) | Code quality, security analysis, and technical debt tracking |
 | [API Docs](docs/API_DOCS.md) | Complete REST API reference |
-| [OIDC Setup Guide](docs/OIDC_SETUP.md) | SSO configuration for Auth0, Keycloak, Okta, Azure AD |
+| [OIDC Setup Guide](docs/OIDC_SETUP.md) | SSO configuration for Auth0, Keycloak, Okta, Azure AD, Zitadel |
 | [OIDC Architecture](docs/OIDC_ARCH.md) | OIDC subsystem internals, security model, extension points |
 | [Theming Guide](docs/THEMING.md) | CSS theming, dark mode, and styling customization |
 | [Architecture](docs/ARCHITECTURE.md) | System architecture and design patterns |