fix: shared Neon DB compat, Postgres BIGINT, mail label aliases#97
Builder has reviewed your changes and found 1 potential issue.
Review Details
Code Review Summary
This PR makes a single targeted change to templates/mail/server/handlers/google-auth.ts: in dev mode (when session.email === "local@localhost"), getGoogleStatus now calls getAuthStatus(undefined) instead of getAuthStatus("local@localhost"), making all production-connected OAuth accounts visible locally when sharing a Neon Postgres DB.
Risk: Standard — touches auth/session ownership logic.
Security: The local@localhost sentinel is structurally impossible in production (the Google auth plugin resolves real emails from session cookies), so there is no cross-environment leak risk.
Key Finding:
The fix is incomplete — getGoogleStatus now exposes all accounts in dev, but the rest of the mail backend still filters by the local@localhost owner. disconnectGoogle still calls getAuthStatus(session.email) for its ownership check, so any account owned by a production email will show in the UI but return 403 when you try to disconnect it. Similarly, the email-fetching handlers (listEmails, getThreads, sendEmail, etc.) continue to call isConnected("local@localhost") and getAccountTokens("local@localhost"), so those production-owned accounts won't actually serve mail data. The newly visible accounts are visible but not usable.
Confirmed by: 2 out of 2 code-review agents.
Found using 2 parallel code-review agent calls with randomized file ordering.
Code review by Builder.io
- getAccountTokens skips owner filter for local@localhost (same as other auth fixes)
- Suppress Postgres NOTICE messages for CREATE TABLE IF NOT EXISTS
Builder has reviewed your changes and found 1 potential issue.
Review Details
Incremental Review — PR #97 (3rd pass)
This incremental review covers the latest two commits: getAccountTokens() bypass in emails.ts and Postgres onnotice suppression in packages/core/src/db/client.ts.
Previous finding resolved ✅ — The disconnect (403) issue is fixed via the getAuthStatus() lib-level bypass. The getAccountTokens() bypass now correctly resolves tokens for all accounts in dev mode, fixing label loading.
One gap remains: getClients() in google-auth.ts was not updated with the local@localhost bypass. This creates an internal inconsistency: isConnected("local@localhost") now returns true (any account), but getClients("local@localhost") still calls listOAuthAccountsByOwner("google", "local@localhost") — which returns [] for accounts created in production. listGmailMessages gets zero clients and silently returns { messages: [], errors: [] }, so the inbox appears empty with no error. This is the primary user-visible failure in the shared-Neon scenario the PR targets.
onnotice suppression is safe — postgres.js only routes server NOTICE messages through this callback; query errors are still thrown normally.
Risk: Standard — auth/session ownership logic in mail template backend.
Found using 2 parallel code-review agent calls with randomized file ordering.
Code review by Builder.io
| */ | ||
| export async function isConnected(forEmail?: string): Promise<boolean> { | ||
| if (forEmail) { | ||
| // In dev mode, check all accounts regardless of owner |
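Review bot: the branch under `if (forEmail)` in isConnected drops owner scoping on the strength of an inline comment ("In dev mode, check all accounts regardless of owner"), and nothing in the lines shown establishes that the process is actually in dev mode. Consider requiring an explicit environment check before the owner filter is skipped, and recording in the doc comment that closes just above the signature exactly when the filter is not applied.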
🟡 getClients() still filters by owner in dev mode — inbox silently empty
isConnected() now bypasses the owner filter for local@localhost, but getClients() immediately above it does not. When listEmails runs in dev mode: (1) isConnected("local@localhost") returns true via hasOAuthTokens, (2) listGmailMessages(..., "local@localhost") calls getClients("local@localhost") which still calls listOAuthAccountsByOwner("google", "local@localhost") → [], (3) returns {messages:[], errors:[]} silently. Apply the same forEmail && forEmail !== "local@localhost" guard inside getClients() to complete the fix.
🤖 Generated with Claude Code
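The owner-filter mismatch the reviews describe, reduced to an in-memory model; this is an added example, not code from the PR or the project. All function names, the sample account and the `devMode` flag are assumptions made for illustration; only the `local@localhost` sentinel comes from the thread.

```typescript
// Added illustration: every name here is a hypothetical stand-in, not the project's code.
type Account = { owner: string; account: string };
type MailResult = { messages: string[]; errors: string[] };

const DEV_SENTINEL = "local@localhost"; // sentinel owner named in the review

// Constructed sample row: an account connected in production, visible through the shared DB.
const ACCOUNTS: Account[] = [{ owner: "alice@example.com", account: "alice@example.com" }];

function listAccounts(owner?: string): Account[] {
  return owner === undefined ? ACCOUNTS : ACCOUNTS.filter((a) => a.owner === owner);
}

// Pattern from the review: the connection check skips the owner filter for the
// sentinel, the client lookup does not.
function isConnectedMixed(forEmail: string): boolean {
  return listAccounts(forEmail === DEV_SENTINEL ? undefined : forEmail).length > 0;
}
function getClientsMixed(forEmail: string): Account[] {
  return listAccounts(forEmail);
}

// One decision point for owner scoping. The devMode flag is an added assumption:
// the sentinel is refused unless the caller has established a dev environment.
function ownerScope(forEmail: string | undefined, devMode: boolean): string | undefined {
  if (forEmail !== DEV_SENTINEL) return forEmail;
  if (!devMode) throw new Error("dev sentinel used outside dev mode");
  return undefined; // no owner filter
}
function isConnectedScoped(forEmail: string | undefined, devMode: boolean): boolean {
  return listAccounts(ownerScope(forEmail, devMode)).length > 0;
}
function getClientsScoped(forEmail: string | undefined, devMode: boolean): Account[] {
  return listAccounts(ownerScope(forEmail, devMode));
}

// Stand-in for the list handler: with zero clients it returns an empty result, no error.
function listMessages(connected: boolean, clients: Account[]): MailResult {
  if (!connected) return { messages: [], errors: ["not connected"] };
  return { messages: clients.map((c) => "inbox:" + c.account), errors: [] };
}

// Runs both variants for the sentinel caller in dev mode.
function demo(): { mixed: MailResult; scoped: MailResult } {
  const mixed = listMessages(isConnectedMixed(DEV_SENTINEL), getClientsMixed(DEV_SENTINEL));
  const scoped = listMessages(isConnectedScoped(DEV_SENTINEL, true), getClientsScoped(DEV_SENTINEL, true));
  return { mixed, scoped };
}
```

Routing every lookup through one scoping function means a later handler cannot reintroduce the mismatch by filtering on its own.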