superset-sh · saddlepaddle · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026 · Jan 16, 2026
diff --git a/apps/admin/package.json b/apps/admin/package.json
@@ -37,7 +37,7 @@
 		"require-in-the-middle": "8.0.1",
 		"server-only": "^0.0.1",
 		"superjson": "^2.2.5",
-		"zod": "^4.1.13"
+		"zod": "^4.3.5"
 	},
 	"devDependencies": {
 		"@superset/typescript": "workspace:*",

diff --git a/apps/api/package.json b/apps/api/package.json
@@ -11,7 +11,7 @@
 		"typecheck": "tsc --noEmit"
 	},
 	"dependencies": {
-		"@electric-sql/client": "1.4.0",
+		"@electric-sql/client": "https://pkg.pr.new/@electric-sql/client@3724",
 		"@linear/sdk": "^68.1.0",
 		"@sentry/nextjs": "^10.32.1",
 		"@superset/auth": "workspace:*",
@@ -32,7 +32,7 @@
 		"react": "^19.2.3",
 		"react-dom": "^19.2.3",
 		"require-in-the-middle": "8.0.1",
-		"zod": "^4.1.13"
+		"zod": "^4.3.5"
 	},
 	"devDependencies": {
 		"@superset/typescript": "workspace:*",

diff --git a/apps/api/src/app/api/electric/[...path]/utils.ts b/apps/api/src/app/api/electric/[...path]/utils.ts
@@ -5,7 +5,6 @@ import {
 	repositories,
 	taskStatuses,
 	tasks,
-	users,
 } from "@superset/db/schema";
 import { eq, inArray, sql } from "drizzle-orm";
 import type { PgColumn, PgTable } from "drizzle-orm/pg-core";
@@ -95,23 +94,8 @@ export async function buildWhereClause(
 		}
 
 		case "auth.users": {
-			const orgMembers = await db.query.members.findMany({
-				where: eq(members.organizationId, organizationId),
-				columns: { userId: true },
-			});
-			if (orgMembers.length === 0) {
-				return { fragment: "1 = 0", params: [] };
-			}
-			const userIds = [...new Set(orgMembers.map((m) => m.userId))];
-			const whereExpr = inArray(sql`${sql.identifier(users.id.name)}`, userIds);
-			const qb = new QueryBuilder();
-			const { sql: query, params } = qb
-				.select()
-				.from(users)
-				.where(whereExpr)
-				.toSQL();
-			const fragment = query.replace(/^select .* from .* where\s+/i, "");
-			return { fragment, params };
+			const fragment = `$1 = ANY("organization_ids")`;
+			return { fragment, params: [organizationId] };
 		}
 
 		default:

diff --git a/apps/api/src/trpc/context.ts b/apps/api/src/trpc/context.ts
@@ -10,5 +10,9 @@ export const createContext = async ({
 	const session = await auth.api.getSession({
 		headers: req.headers,
 	});
-	return createTRPCContext({ session });
+	return createTRPCContext({
+		session,
+		auth,
+		headers: req.headers,
+	});
 };
diff --git a/apps/desktop/package.json b/apps/desktop/package.json
@@ -36,7 +36,8 @@
 		"@dnd-kit/core": "^6.3.1",
 		"@dnd-kit/sortable": "^10.0.0",
 		"@dnd-kit/utilities": "^3.2.2",
-		"@electric-sql/client": "1.4.0",
+		"@electric-sql/client": "https://pkg.pr.new/@electric-sql/client@3724",
+		"@hookform/resolvers": "^5.2.2",
 		"@monaco-editor/react": "^4.7.0",
 		"@radix-ui/react-dialog": "^1.1.15",
 		"@radix-ui/react-label": "^2.1.8",
@@ -49,15 +50,16 @@
 		"@superset/ui": "workspace:*",
 		"@t3-oss/env-core": "^0.13.8",
 		"@tanstack/db": "^0.5.16",
-		"@tanstack/electric-db-collection": "^0.2.20",
-		"@tanstack/react-db": "^0.1.60",
+		"@tanstack/electric-db-collection": "0.2.24",
+		"@tanstack/react-db": "0.1.64",
 		"@tanstack/react-query": "^5.90.10",
 		"@tanstack/react-router": "^1.147.3",
 		"@tanstack/react-table": "^8.21.3",
 		"@trpc/client": "^11.7.1",
 		"@trpc/react-query": "^11.7.1",
 		"@trpc/server": "^11.7.1",
 		"@types/express": "^5.0.5",
+		"@vercel/blob": "^2.0.0",
 		"@xterm/addon-canvas": "^0.7.0",
 		"@xterm/addon-clipboard": "^0.1.0",
 		"@xterm/addon-fit": "^0.10.0",
@@ -107,6 +109,7 @@
 		"react-dnd": "^16.0.1",
 		"react-dnd-html5-backend": "^16.0.1",
 		"react-dom": "^19.2.3",
+		"react-hook-form": "^7.71.1",
 		"react-icons": "^5.5.0",
 		"react-markdown": "^10.1.0",
 		"react-mosaic-component": "^6.1.1",
@@ -124,7 +127,7 @@
 		"trpc-electron": "^0.1.2",
 		"tw-animate-css": "^1.4.0",
 		"unique-names-generator": "^4.7.1",
-		"zod": "^4.1.13",
+		"zod": "^4.3.5",
 		"zustand": "^5.0.8"
 	},
 	"devDependencies": {

diff --git a/apps/desktop/src/lib/trpc/routers/auth/index.ts b/apps/desktop/src/lib/trpc/routers/auth/index.ts
@@ -16,9 +16,7 @@ import {
 
 export const createAuthRouter = () => {
 	return router({
-		getStoredToken: publicProcedure.query(async () => {
-			return await loadToken();
-		}),
+		getStoredToken: publicProcedure.query(() => loadToken()),
 
 		persistToken: publicProcedure
 			.input(
@@ -63,10 +61,10 @@ export const createAuthRouter = () => {
 					const state = crypto.randomBytes(32).toString("base64url");
 					stateStore.set(state, Date.now());
 
-					// Clean up old states (older than 10 minutes)
-					const tenMinutesAgo = Date.now() - 10 * 60 * 1000;
+					// Clean up expired states (10 minutes)
+					const cutoff = Date.now() - 10 * 60 * 1000;
 					for (const [s, ts] of stateStore) {
-						if (ts < tenMinutesAgo) stateStore.delete(s);
+						if (ts < cutoff) stateStore.delete(s);
 					}
 
 					const connectUrl = new URL(
@@ -86,9 +84,7 @@ export const createAuthRouter = () => {
 			}),
 
 		signOut: publicProcedure.mutation(async () => {
-			try {
-				await fs.unlink(TOKEN_FILE);
-			} catch {}
+			await fs.unlink(TOKEN_FILE).catch(() => {});
-			await fs.unlink(TOKEN_FILE).catch(() => {});
+			await fs.unlink(TOKEN_FILE).catch((err: NodeJS.ErrnoException) => {
+				if (err?.code !== "ENOENT") {
+					console.warn("[auth/signOut] failed to delete token file", err);
+					throw err;
+				}
+			});
-			await fs.unlink(TOKEN_FILE).catch(() => {});
+			await fs.unlink(TOKEN_FILE).catch((err: NodeJS.ErrnoException) => {
+				if (err?.code !== "ENOENT") {
+					console.warn("[auth/signOut] failed to delete token file", err);
+					throw err;
+				}
+			});
 			return { success: true };
 		}),
 	});

diff --git a/apps/desktop/src/lib/trpc/routers/cache/index.ts b/apps/desktop/src/lib/trpc/routers/cache/index.ts
@@ -0,0 +1,33 @@
+import { session } from "electron";
+import { env } from "main/env.main";
+import { publicProcedure, router } from "../..";
+
+export const createCacheRouter = () => {
+	return router({
+		clearElectricCache: publicProcedure.mutation(async () => {
+			try {
+				// Clear all storage (including HTTP cache) for the API origin only
+				// This targets Electric shape responses without clearing app assets
+				await session.defaultSession.clearStorageData({
+					origin: env.NEXT_PUBLIC_API_URL,
+				});
+
+				console.log(
+					"[cache] Cleared Electric cache for origin:",
+					env.NEXT_PUBLIC_API_URL,
+				);
+
+				return { success: true };
+			} catch (error) {
+				console.error("[cache] Failed to clear Electric cache:", error);
+				return {
+					success: false,
+					error:
+						error instanceof Error ? error.message : "Failed to clear cache",
+				};
+			}
+		}),
+	});
+};
+
+export type CacheRouter = ReturnType<typeof createCacheRouter>;
diff --git a/apps/desktop/src/lib/trpc/routers/index.ts b/apps/desktop/src/lib/trpc/routers/index.ts
@@ -3,6 +3,7 @@ import { router } from "..";
 import { createAnalyticsRouter } from "./analytics";
 import { createAuthRouter } from "./auth";
 import { createAutoUpdateRouter } from "./auto-update";
+import { createCacheRouter } from "./cache";
 import { createChangesRouter } from "./changes";
 import { createConfigRouter } from "./config";
 import { createExternalRouter } from "./external";
@@ -23,6 +24,7 @@ export const createAppRouter = (getWindow: () => BrowserWindow | null) => {
 		analytics: createAnalyticsRouter(),
 		auth: createAuthRouter(),
 		autoUpdate: createAutoUpdateRouter(),
+		cache: createCacheRouter(),
 		window: createWindowRouter(getWindow),
 		projects: createProjectsRouter(getWindow),
 		workspaces: createWorkspacesRouter(),

diff --git a/apps/desktop/src/renderer/lib/api-trpc-client.ts b/apps/desktop/src/renderer/lib/api-trpc-client.ts
@@ -0,0 +1,28 @@
+import type { AppRouter } from "@superset/trpc";
+import { createTRPCProxyClient, httpBatchLink } from "@trpc/client";
+import { env } from "renderer/env.renderer";
+import superjson from "superjson";
+import { getAuthToken } from "./auth-client";
+
+/**
+ * HTTP tRPC client for calling the API server.
+ * Uses bearer token authentication like the auth client.
+ * For mutations only - for fetching data we already have electric
+ */
+export const apiTrpcClient = createTRPCProxyClient<AppRouter>({
+	links: [
+		httpBatchLink({
+			url: `${env.NEXT_PUBLIC_API_URL}/api/trpc`,
+			transformer: superjson,
+			headers: () => {
+				const token = getAuthToken();
+				if (token) {
+					return {
+						Authorization: `Bearer ${token}`,
+					};
+				}
+				return {};
+			},
+		}),
+	],
+});
diff --git a/apps/desktop/src/renderer/routes/_authenticated/layout.tsx b/apps/desktop/src/renderer/routes/_authenticated/layout.tsx
@@ -23,6 +23,7 @@ export const Route = createFileRoute("/_authenticated")({
 function AuthenticatedLayout() {
 	const { data: session } = authClient.useSession();
 	const isSignedIn = !!session?.user;
+	const activeOrganizationId = session?.session?.activeOrganizationId;
 	const navigate = useNavigate();
 	const utils = electronTrpc.useUtils();
 
@@ -61,6 +62,10 @@ function AuthenticatedLayout() {
 		return <Navigate to="/sign-in" replace />;
 	}
 
+	if (!activeOrganizationId) {
+		return <Navigate to="/create-organization" replace />;
+	}
+
 	return (
 		<DndProvider manager={dragDropManager}>
 			<CollectionsProvider>

diff --git a/.../src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx b/.../src/renderer/routes/_authenticated/providers/CollectionsProvider/CollectionsProvider.tsx
@@ -1,4 +1,3 @@
-import { Spinner } from "@superset/ui/spinner";
 import { createContext, type ReactNode, useContext, useMemo } from "react";
 import { authClient } from "renderer/lib/auth-client";
 import { getCollections } from "./collections";
@@ -20,11 +19,7 @@ export function CollectionsProvider({ children }: { children: ReactNode }) {
 	}, [activeOrganizationId]);
 
 	if (!collections) {
-		return (
-			<div className="flex items-center justify-center h-screen">
-				<Spinner className="size-8" />
-			</div>
-		);
+		return null;
 	}
 
 	return (