From 83aab4e4287f114223e88f8076151ad43d0c2d6e Mon Sep 17 00:00:00 2001
From: Arjun Komath <arjunkomath@gmail.com>
Date: Sat, 31 Jan 2026 16:51:21 +1100
Subject: [PATCH] Fix permissions

---
 app/(api)/api/blob/confirm/route.ts           |   7 +-
 app/(api)/api/blob/presign/route.ts           |   5 +-
 .../calendar/[ownerId]/[projectId]/route.ts   |   4 +-
 app/(api)/api/cron/blob-cleanup/route.ts      |  39 ++++++
 app/(api)/api/trpc/[trpc]/route.ts            |   2 +-
 app/(auth)/accept-invite/page.tsx             |   6 +-
 app/(auth)/sign-in/page.tsx                   |  12 +-
 .../[tenant]/projects/[projectId]/layout.tsx  |   4 +-
 .../[tenant]/projects/[projectId]/page.tsx    |  10 +-
 .../projects/[projectId]/settings/page.tsx    |   6 +-
 .../tasklists/[tasklistId]/page.tsx           |   6 +-
 .../projects/[projectId]/tasklists/page.tsx   |  10 +-
 app/api/auth/[...all]/route.ts                |   2 +-
 app/page.tsx                                  |  12 +-
 components/auth/otp-verification-form.tsx     |   4 +-
 components/core/cmd-menu.tsx                  |   2 +-
 components/core/search-panel.tsx              |   2 +-
 components/editor/mention-suggestion-menu.tsx |   2 +-
 components/form/editable-date.tsx             |   2 +-
 components/form/event.tsx                     |  10 +-
 components/form/notes-form.tsx                |  10 +-
 components/form/shared.tsx                    |   2 +-
 components/form/task.tsx                      |   2 +-
 components/layout/header.tsx                  |   2 +-
 components/layout/navbar.tsx                  |   2 +-
 components/layout/page-title.tsx              |   2 +-
 components/project/comment/comment.tsx        |   6 +-
 components/project/comment/comments.tsx       |   3 +
 .../project/events/date-time-picker.tsx       |   3 +-
 components/project/events/full-calendar.tsx   |  16 +--
 components/project/events/week-calendar.tsx   |   4 +-
 components/settings/team-settings.tsx         |  22 +--
 drizzle/auth-schema.ts                        |   4 +-
 drizzle/schema.ts                             |  27 ++--
 hooks/use-project-prefetch.ts                 |   2 +-
 hooks/use-tasklist.tsx                        |   4 +-
 hooks/use-tasks.tsx                           |   5 +-
 lib/auth/client.ts                            |   2 +-
 lib/auth/index.ts                             |   2 +-
 lib/blobStore/cleanup.ts                      |  68 +++++++++
 proxy.ts                                      |   2 +-
 trpc/init.ts                                  |   2 +-
 trpc/routers/events.ts                        |   8 ++
 trpc/routers/permissions.ts                   |  74 +++++++---
 trpc/routers/posts.ts                         |   8 ++
 trpc/routers/projects.ts                      | 130 ++++++++++++++++--
 trpc/routers/search.ts                        |   7 +-
 trpc/routers/settings.ts                      |  33 ++++-
 trpc/routers/tasks.ts                         | 113 ++++++++++++---
 trpc/routers/user.ts                          |  34 ++++-
 vercel.json                                   |   8 ++
 51 files changed, 584 insertions(+), 170 deletions(-)
 create mode 100644 app/(api)/api/cron/blob-cleanup/route.ts
 create mode 100644 lib/blobStore/cleanup.ts
 create mode 100644 vercel.json

diff --git a/app/(api)/api/blob/confirm/route.ts b/app/(api)/api/blob/confirm/route.ts
index f28c48fa..45bd2906 100644
--- a/app/(api)/api/blob/confirm/route.ts
+++ b/app/(api)/api/blob/confirm/route.ts
@@ -1,5 +1,5 @@
-import mime from "mime-types";
 import { eq } from "drizzle-orm";
+import mime from "mime-types";
 import { type NextRequest, NextResponse } from "next/server";
 import { blob } from "@/drizzle/schema";
 import { headObject } from "@/lib/blobStore";
@@ -17,10 +17,7 @@ export async function POST(request: NextRequest) {
 	const { fileId } = body as { fileId: string };
 
 	if (!fileId) {
-		return NextResponse.json(
-			{ error: "Missing fileId" },
-			{ status: 400 },
-		);
+		return NextResponse.json({ error: "Missing fileId" }, { status: 400 });
 	}
 
 	const db = database();
diff --git a/app/(api)/api/blob/presign/route.ts b/app/(api)/api/blob/presign/route.ts
index 3a94edbe..fe6dbe2a 100644
--- a/app/(api)/api/blob/presign/route.ts
+++ b/app/(api)/api/blob/presign/route.ts
@@ -38,7 +38,10 @@ export async function POST(request: NextRequest) {
 	}
 
 	if (!ALLOWED_TYPES.includes(contentType)) {
-		return NextResponse.json({ error: "File type not allowed" }, { status: 400 });
+		return NextResponse.json(
+			{ error: "File type not allowed" },
+			{ status: 400 },
+		);
 	}
 
 	if (contentSize > MAX_FILE_SIZE) {
diff --git a/app/(api)/api/calendar/[ownerId]/[projectId]/route.ts b/app/(api)/api/calendar/[ownerId]/[projectId]/route.ts
index 1def26c8..697e20fb 100644
--- a/app/(api)/api/calendar/[ownerId]/[projectId]/route.ts
+++ b/app/(api)/api/calendar/[ownerId]/[projectId]/route.ts
@@ -1,8 +1,8 @@
-import { calendarEvent, project, task, taskList, user } from "@/drizzle/schema";
-import { database } from "@/lib/utils/useDatabase";
 import { and, desc, eq, lte } from "drizzle-orm";
 import ical, { ICalCalendarMethod } from "ical-generator";
 import type { NextRequest } from "next/server";
+import { calendarEvent, project, task, taskList, user } from "@/drizzle/schema";
+import { database } from "@/lib/utils/useDatabase";
 
 export const revalidate = 0;
 export const dynamic = "force-dynamic";
diff --git a/app/(api)/api/cron/blob-cleanup/route.ts b/app/(api)/api/cron/blob-cleanup/route.ts
new file mode 100644
index 00000000..f8671b9a
--- /dev/null
+++ b/app/(api)/api/cron/blob-cleanup/route.ts
@@ -0,0 +1,39 @@
+import { and, eq, lt } from "drizzle-orm";
+import { type NextRequest, NextResponse } from "next/server";
+import { blob } from "@/drizzle/schema";
+import { deleteFile } from "@/lib/blobStore";
+import { database } from "@/lib/utils/useDatabase";
+
+export async function GET(request: NextRequest) {
+	const authHeader = request.headers.get("authorization");
+	if (authHeader !== `Bearer ${process.env.CRON_SECRET}`) {
+		return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+	}
+
+	const db = database();
+	const oneHourAgo = new Date(Date.now() - 60 * 60 * 1000);
+
+	const stalePending = await db
+		.select()
+		.from(blob)
+		.where(and(eq(blob.status, "pending"), lt(blob.createdAt, oneHourAgo)));
+
+	const results = await Promise.allSettled(
+		stalePending.map(async (b) => {
+			await deleteFile(b.key);
+			await db.delete(blob).where(eq(blob.id, b.id));
+			return b.id;
+		}),
+	);
+
+	const deletedCount = results.filter((r) => r.status === "fulfilled").length;
+	const errors = results
+		.filter((r): r is PromiseRejectedResult => r.status === "rejected")
+		.map((r, i) => `Failed to delete blob ${stalePending[i].id}: ${r.reason}`);
+
+	return NextResponse.json({
+		found: stalePending.length,
+		deleted: deletedCount,
+		errors: errors.length > 0 ? errors : undefined,
+	});
+}
diff --git a/app/(api)/api/trpc/[trpc]/route.ts b/app/(api)/api/trpc/[trpc]/route.ts
index d62a7b6e..34f3d81c 100644
--- a/app/(api)/api/trpc/[trpc]/route.ts
+++ b/app/(api)/api/trpc/[trpc]/route.ts
@@ -1,6 +1,6 @@
+import { fetchRequestHandler } from "@trpc/server/adapters/fetch";
 import { createTRPCContext } from "@/trpc/init";
 import { appRouter } from "@/trpc/routers/_app";
-import { fetchRequestHandler } from "@trpc/server/adapters/fetch";
 
 export const maxDuration = 60;
 export const dynamic = "force-dynamic";
diff --git a/app/(auth)/accept-invite/page.tsx b/app/(auth)/accept-invite/page.tsx
index 879845b4..21d5b152 100644
--- a/app/(auth)/accept-invite/page.tsx
+++ b/app/(auth)/accept-invite/page.tsx
@@ -1,13 +1,13 @@
 "use client";
 
+import { useRouter, useSearchParams } from "next/navigation";
 import { useState } from "react";
-import { useSearchParams, useRouter } from "next/navigation";
+import { toast } from "sonner";
+import { OtpVerificationForm } from "@/components/auth/otp-verification-form";
 import { Button } from "@/components/ui/button";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import { authClient, useSession } from "@/lib/auth/client";
-import { toast } from "sonner";
-import { OtpVerificationForm } from "@/components/auth/otp-verification-form";
 
 export default function AcceptInvitePage() {
 	const router = useRouter();
diff --git a/app/(auth)/sign-in/page.tsx b/app/(auth)/sign-in/page.tsx
index 8d319a2b..237cb236 100644
--- a/app/(auth)/sign-in/page.tsx
+++ b/app/(auth)/sign-in/page.tsx
@@ -1,10 +1,11 @@
 "use client";
 
+import { Loader2, Mail } from "lucide-react";
+import { useRouter, useSearchParams } from "next/navigation";
 import { useState } from "react";
-import { useSearchParams, useRouter } from "next/navigation";
+import { toast } from "sonner";
+import { OtpVerificationForm } from "@/components/auth/otp-verification-form";
 import { Button } from "@/components/ui/button";
-import { Input } from "@/components/ui/input";
-import { Label } from "@/components/ui/label";
 import {
 	Card,
 	CardContent,
@@ -12,10 +13,9 @@ import {
 	CardHeader,
 	CardTitle,
 } from "@/components/ui/card";
+import { Input } from "@/components/ui/input";
+import { Label } from "@/components/ui/label";
 import { authClient } from "@/lib/auth/client";
-import { toast } from "sonner";
-import { Loader2, Mail } from "lucide-react";
-import { OtpVerificationForm } from "@/components/auth/otp-verification-form";
 
 export default function SignInPage() {
 	const router = useRouter();
diff --git a/app/(dashboard)/[tenant]/projects/[projectId]/layout.tsx b/app/(dashboard)/[tenant]/projects/[projectId]/layout.tsx
index eaac17f8..ac61f820 100644
--- a/app/(dashboard)/[tenant]/projects/[projectId]/layout.tsx
+++ b/app/(dashboard)/[tenant]/projects/[projectId]/layout.tsx
@@ -1,8 +1,8 @@
 "use client";
 
-import { TaskListsProvider } from "@/hooks/use-tasklist";
-import { useProjectPrefetch } from "@/hooks/use-project-prefetch";
 import { useParams } from "next/navigation";
+import { useProjectPrefetch } from "@/hooks/use-project-prefetch";
+import { TaskListsProvider } from "@/hooks/use-tasklist";
 
 export default function Layout({ children }: { children: React.ReactNode }) {
 	const params = useParams();
diff --git a/app/(dashboard)/[tenant]/projects/[projectId]/page.tsx b/app/(dashboard)/[tenant]/projects/[projectId]/page.tsx
index b86c6519..bd47ef23 100644
--- a/app/(dashboard)/[tenant]/projects/[projectId]/page.tsx
+++ b/app/(dashboard)/[tenant]/projects/[projectId]/page.tsx
@@ -1,5 +1,9 @@
 "use client";
 
+import { useMutation, useQueries, useQueryClient } from "@tanstack/react-query";
+import { CalendarIcon, ListIcon } from "lucide-react";
+import Link from "next/link";
+import { useParams, useRouter } from "next/navigation";
 import EmptyState from "@/components/core/empty-state";
 import { PageLoading } from "@/components/core/loaders";
 import PageSection from "@/components/core/section";
@@ -11,14 +15,10 @@ import { CommentsSection } from "@/components/project/comment/comments-section";
 import WeekCalendar from "@/components/project/events/week-calendar";
 import { TaskListHeader } from "@/components/project/tasklist/tasklist-header";
 import { buttonVariants } from "@/components/ui/button";
+import { TaskStatus } from "@/drizzle/types";
 import { toStartOfDay } from "@/lib/utils/date";
 import { displayMutationError } from "@/lib/utils/error";
 import { useTRPC } from "@/trpc/client";
-import { useMutation, useQueries, useQueryClient } from "@tanstack/react-query";
-import { CalendarIcon, ListIcon } from "lucide-react";
-import Link from "next/link";
-import { useParams, useRouter } from "next/navigation";
-import { TaskStatus } from "@/drizzle/types";
 
 export default function ProjectDetails() {
 	const router = useRouter();
diff --git a/app/(dashboard)/[tenant]/projects/[projectId]/settings/page.tsx b/app/(dashboard)/[tenant]/projects/[projectId]/settings/page.tsx
index e17adbcd..936143c4 100644
--- a/app/(dashboard)/[tenant]/projects/[projectId]/settings/page.tsx
+++ b/app/(dashboard)/[tenant]/projects/[projectId]/settings/page.tsx
@@ -1,13 +1,13 @@
 "use client";
 
+import { useQuery } from "@tanstack/react-query";
+import { Settings2, Shield } from "lucide-react";
+import { useParams } from "next/navigation";
 import { PageLoading } from "@/components/core/loaders";
 import PermissionsManagement from "@/components/core/permissions-management";
 import PageSection from "@/components/core/section";
 import PageTitle from "@/components/layout/page-title";
 import { useTRPC } from "@/trpc/client";
-import { useQuery } from "@tanstack/react-query";
-import { Shield, Settings2 } from "lucide-react";
-import { useParams } from "next/navigation";
 
 export default function ProjectSettings() {
 	const params = useParams();
diff --git a/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/[tasklistId]/page.tsx b/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/[tasklistId]/page.tsx
index 3d6185fb..d82ed849 100644
--- a/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/[tasklistId]/page.tsx
+++ b/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/[tasklistId]/page.tsx
@@ -1,5 +1,8 @@
 "use client";
 
+import { useQueries } from "@tanstack/react-query";
+import { useParams } from "next/navigation";
+import { parseAsBoolean, useQueryState } from "nuqs";
 import { PageLoading } from "@/components/core/loaders";
 import PageSection from "@/components/core/section";
 import { ConfirmButton } from "@/components/form/button";
@@ -13,9 +16,6 @@ import { useTaskLists } from "@/hooks/use-tasklist";
 import { TasksProvider } from "@/hooks/use-tasks";
 import { toStartOfDay } from "@/lib/utils/date";
 import { useTRPC } from "@/trpc/client";
-import { useQueries } from "@tanstack/react-query";
-import { useParams } from "next/navigation";
-import { parseAsBoolean, useQueryState } from "nuqs";
 
 export default function TaskLists() {
 	const { projectId, tasklistId } = useParams();
diff --git a/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/page.tsx b/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/page.tsx
index c1836273..cb2f8eed 100644
--- a/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/page.tsx
+++ b/app/(dashboard)/[tenant]/projects/[projectId]/tasklists/page.tsx
@@ -1,5 +1,10 @@
 "use client";
 
+import { Title } from "@radix-ui/react-dialog";
+import { useQuery } from "@tanstack/react-query";
+import Link from "next/link";
+import { useParams } from "next/navigation";
+import { parseAsBoolean, useQueryState } from "nuqs";
 import EmptyState from "@/components/core/empty-state";
 import { Panel } from "@/components/core/panel";
 import PageSection from "@/components/core/section";
@@ -12,11 +17,6 @@ import { TaskListStatus } from "@/drizzle/types";
 import { useTaskLists } from "@/hooks/use-tasklist";
 import { TasksProvider } from "@/hooks/use-tasks";
 import { useTRPC } from "@/trpc/client";
-import { Title } from "@radix-ui/react-dialog";
-import { useQuery } from "@tanstack/react-query";
-import Link from "next/link";
-import { useParams } from "next/navigation";
-import { parseAsBoolean, useQueryState } from "nuqs";
 
 export default function TaskLists() {
 	const { projectId, tenant } = useParams();
diff --git a/app/api/auth/[...all]/route.ts b/app/api/auth/[...all]/route.ts
index 5b67b064..83ab371a 100644
--- a/app/api/auth/[...all]/route.ts
+++ b/app/api/auth/[...all]/route.ts
@@ -1,4 +1,4 @@
-import { auth } from "@/lib/auth";
 import { toNextJsHandler } from "better-auth/next-js";
+import { auth } from "@/lib/auth";
 
 export const { GET, POST } = toNextJsHandler(auth);
diff --git a/app/page.tsx b/app/page.tsx
index 1059c2ad..0e34ec0b 100644
--- a/app/page.tsx
+++ b/app/page.tsx
@@ -59,11 +59,7 @@ export default async function Home() {
 								href="https://railway.com/deploy/manage"
 								className="inline-flex items-center gap-2 px-6 py-3 rounded-full text-lg font-semibold bg-violet-600 text-white shadow-sm shadow-violet-600/25 border-b-4 border-violet-700 hover:bg-violet-500 hover:border-violet-600 active:border-violet-600 active:shadow-sm active:translate-y-0.5 transition-all duration-150"
 							>
-								<svg
-									className="w-5 h-5"
-									viewBox="0 0 1024 1024"
-									fill="none"
-								>
+								<svg className="w-5 h-5" viewBox="0 0 1024 1024" fill="none">
 									<path
 										d="M4.756 438.175A520.713 520.713 0 0 0 0 489.735h777.799c-2.716-5.306-6.365-10.09-10.045-14.772-132.97-171.791-204.498-156.896-306.819-161.26-34.114-1.403-57.249-1.967-193.037-1.967-72.677 0-151.688.185-228.628.39-9.96 26.884-19.566 52.942-24.243 74.14h398.571v51.909H4.756ZM783.93 541.696H.399c.82 13.851 2.112 27.517 3.978 40.999h723.39c32.248 0 50.299-18.297 56.162-40.999ZM45.017 724.306S164.941 1018.77 511.46 1024c207.112 0 385.071-123.006 465.907-299.694H45.017Z"
 										fill="currentColor"
@@ -309,11 +305,7 @@ export default async function Home() {
 									href="https://railway.com/deploy/manage"
 									className="inline-flex items-center gap-2 px-6 py-3 rounded-full font-semibold bg-violet-600 text-white shadow-sm shadow-violet-600/25 border-b-4 border-violet-700 hover:bg-violet-500 hover:border-violet-600 active:border-violet-600 active:shadow-sm active:translate-y-0.5 transition-all duration-150"
 								>
-									<svg
-										className="w-5 h-5"
-										viewBox="0 0 1024 1024"
-										fill="none"
-									>
+									<svg className="w-5 h-5" viewBox="0 0 1024 1024" fill="none">
 										<path
 											d="M4.756 438.175A520.713 520.713 0 0 0 0 489.735h777.799c-2.716-5.306-6.365-10.09-10.045-14.772-132.97-171.791-204.498-156.896-306.819-161.26-34.114-1.403-57.249-1.967-193.037-1.967-72.677 0-151.688.185-228.628.39-9.96 26.884-19.566 52.942-24.243 74.14h398.571v51.909H4.756ZM783.93 541.696H.399c.82 13.851 2.112 27.517 3.978 40.999h723.39c32.248 0 50.299-18.297 56.162-40.999ZM45.017 724.306S164.941 1018.77 511.46 1024c207.112 0 385.071-123.006 465.907-299.694H45.017Z"
 											fill="currentColor"
diff --git a/components/auth/otp-verification-form.tsx b/components/auth/otp-verification-form.tsx
index 9cef6bae..055a36f4 100644
--- a/components/auth/otp-verification-form.tsx
+++ b/components/auth/otp-verification-form.tsx
@@ -1,14 +1,14 @@
 "use client";
 
 import { useState } from "react";
-import { Button } from "@/components/ui/button";
-import { authClient } from "@/lib/auth/client";
 import { toast } from "sonner";
+import { Button } from "@/components/ui/button";
 import {
 	InputOTP,
 	InputOTPGroup,
 	InputOTPSlot,
 } from "@/components/ui/input-otp";
+import { authClient } from "@/lib/auth/client";
 
 interface OtpVerificationFormProps {
 	email: string;
diff --git a/components/core/cmd-menu.tsx b/components/core/cmd-menu.tsx
index 3817f80f..c23d0ec5 100644
--- a/components/core/cmd-menu.tsx
+++ b/components/core/cmd-menu.tsx
@@ -1,10 +1,10 @@
 "use client";
 
-import { useTRPC } from "@/trpc/client";
 import { useQueries } from "@tanstack/react-query";
 import { Calendar, Menu, Plus, Settings } from "lucide-react";
 import { useRouter } from "next/navigation";
 import { useEffect, useState } from "react";
+import { useTRPC } from "@/trpc/client";
 import { Button } from "../ui/button";
 import {
 	CommandDialog,
diff --git a/components/core/search-panel.tsx b/components/core/search-panel.tsx
index 5374301b..591f2fc6 100644
--- a/components/core/search-panel.tsx
+++ b/components/core/search-panel.tsx
@@ -19,6 +19,7 @@ import { useRouter } from "next/navigation";
 import { useCallback, useEffect, useState } from "react";
 import { useDebounce } from "use-debounce";
 import { HtmlPreview } from "@/components/core/html-view";
+import { Panel } from "@/components/core/panel";
 import { Badge } from "@/components/ui/badge";
 import { Button } from "@/components/ui/button";
 import {
@@ -30,7 +31,6 @@ import {
 import { Input } from "@/components/ui/input";
 import { cn } from "@/lib/utils";
 import { useTRPC } from "@/trpc/client";
-import { Panel } from "@/components/core/panel";
 
 interface SearchResult {
 	id: string;
diff --git a/components/editor/mention-suggestion-menu.tsx b/components/editor/mention-suggestion-menu.tsx
index dd1d9e1c..01c08741 100644
--- a/components/editor/mention-suggestion-menu.tsx
+++ b/components/editor/mention-suggestion-menu.tsx
@@ -1,8 +1,8 @@
-import { UserAvatar } from "@/components/core/user-avatar";
 import type {
 	DefaultReactSuggestionItem,
 	SuggestionMenuProps,
 } from "@blocknote/react";
+import { UserAvatar } from "@/components/core/user-avatar";
 
 interface User {
 	id: string;
diff --git a/components/form/editable-date.tsx b/components/form/editable-date.tsx
index 790bf98d..f49e01ce 100644
--- a/components/form/editable-date.tsx
+++ b/components/form/editable-date.tsx
@@ -1,8 +1,8 @@
 "use client";
 
-import { toDateStringWithDay } from "@/lib/utils/date";
 import { Check, ClockIcon, TrashIcon } from "lucide-react";
 import { useEffect, useState } from "react";
+import { toDateStringWithDay } from "@/lib/utils/date";
 import { DateTimePicker } from "../project/events/date-time-picker";
 
 export default function EditableDate({
diff --git a/components/form/event.tsx b/components/form/event.tsx
index 45cd2882..e30eebb7 100644
--- a/components/form/event.tsx
+++ b/components/form/event.tsx
@@ -1,15 +1,15 @@
 "use client";
 
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { useParams } from "next/navigation";
+import { parseAsBoolean, useQueryState } from "nuqs";
+import { type Dispatch, memo, type SetStateAction, useState } from "react";
+import { type Frequency, RRule, rrulestr } from "rrule";
 import { Input } from "@/components/ui/input";
 import type { EventWithCreator } from "@/drizzle/types";
 import { toStartOfHour } from "@/lib/utils/date";
 import { displayMutationError } from "@/lib/utils/error";
 import { useTRPC } from "@/trpc/client";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { useParams } from "next/navigation";
-import { parseAsBoolean, useQueryState } from "nuqs";
-import { type Dispatch, type SetStateAction, memo, useState } from "react";
-import { type Frequency, RRule, rrulestr } from "rrule";
 import Editor from "../editor";
 import { DateTimePicker } from "../project/events/date-time-picker";
 import { Button } from "../ui/button";
diff --git a/components/form/notes-form.tsx b/components/form/notes-form.tsx
index 93b3bb0d..ca085b98 100644
--- a/components/form/notes-form.tsx
+++ b/components/form/notes-form.tsx
@@ -1,5 +1,6 @@
 "use client";
 
+import type { PartialBlock } from "@blocknote/core";
 import { Edit } from "lucide-react";
 import { useEffect, useState } from "react";
 import { useFormStatus } from "react-dom";
@@ -11,9 +12,11 @@ import { Spinner } from "../core/loaders";
 export default function NotesForm({
 	value,
 	name,
+	metadata,
 }: {
 	value: string | null | undefined;
 	name: string;
+	metadata?: PartialBlock[] | undefined;
 }) {
 	const { pending } = useFormStatus();
 	const [isEditing, setIsEditing] = useState(false);
@@ -27,7 +30,12 @@ export default function NotesForm({
 	if (isEditing)
 		return (
 			<div className="flex-grow">
-				<Editor defaultValue={value ?? ""} name={name} allowImageUpload />
+				<Editor
+					defaultValue={value ?? ""}
+					name={name}
+					metadata={metadata}
+					allowImageUpload
+				/>
 				<div className="mt-2">
 					<Button
 						type="button"
diff --git a/components/form/shared.tsx b/components/form/shared.tsx
index b34c2645..7b4c6fa1 100644
--- a/components/form/shared.tsx
+++ b/components/form/shared.tsx
@@ -52,7 +52,7 @@ export default function SharedForm({
 					<div className="mt-2 max-w-xs sm:col-span-2 sm:mt-0">
 						<DateTimePicker
 							name="dueDate"
-							// @ts-ignore
+							// @ts-expect-error
 							defaultValue={item?.dueDate}
 							dateOnly
 						/>
diff --git a/components/form/task.tsx b/components/form/task.tsx
index 2dc7bbc9..7df64aa3 100644
--- a/components/form/task.tsx
+++ b/components/form/task.tsx
@@ -5,8 +5,8 @@ import { X } from "lucide-react";
 import { useCallback, useRef, useState } from "react";
 import { Input } from "@/components/ui/input";
 import { Kbd } from "@/components/ui/kbd";
-import { cn } from "@/lib/utils";
 import { useKeyboardShortcut } from "@/hooks/use-keyboard-shortcut";
+import { cn } from "@/lib/utils";
 import { Button } from "../ui/button";
 
 export default function InlineTaskForm({
diff --git a/components/layout/header.tsx b/components/layout/header.tsx
index 2b1bdaa0..608c8ea3 100644
--- a/components/layout/header.tsx
+++ b/components/layout/header.tsx
@@ -2,9 +2,9 @@
 
 import Image from "next/image";
 import Link from "next/link";
+import { useSession } from "@/lib/auth/client";
 import logo from "../../public/images/logo.png";
 import { buttonVariants } from "../ui/button";
-import { useSession } from "@/lib/auth/client";
 
 interface HeaderProps {
 	disableSignups?: boolean;
diff --git a/components/layout/navbar.tsx b/components/layout/navbar.tsx
index 5669fab7..e42dc0c9 100644
--- a/components/layout/navbar.tsx
+++ b/components/layout/navbar.tsx
@@ -20,8 +20,8 @@ import { useTRPC } from "@/trpc/client";
 import { CommandMenu } from "../core/cmd-menu";
 import { GlobalSearch } from "../core/global-search";
 import { Notifications } from "../core/notifications";
-import { SearchSheet } from "../core/search-panel";
 import { OrgSwitcher } from "../core/org-switcher";
+import { SearchSheet } from "../core/search-panel";
 import { UserMenu } from "../core/user-menu";
 
 interface NavLink {
diff --git a/components/layout/page-title.tsx b/components/layout/page-title.tsx
index fab2ae1c..3ba49c39 100644
--- a/components/layout/page-title.tsx
+++ b/components/layout/page-title.tsx
@@ -1,7 +1,7 @@
 "use client";
 
-import { cn } from "@/lib/utils";
 import type { JSX, PropsWithChildren } from "react";
+import { cn } from "@/lib/utils";
 import EditableText from "../form/editable-text";
 
 interface Props {
diff --git a/components/project/comment/comment.tsx b/components/project/comment/comment.tsx
index f2bad46f..a36f8901 100644
--- a/components/project/comment/comment.tsx
+++ b/components/project/comment/comment.tsx
@@ -54,13 +54,17 @@ export default function CommentForm({
 				});
 
 				queryClient.invalidateQueries({
-					queryKey: trpc.projects.getComments.queryKey({ roomId }),
+					queryKey: trpc.projects.getComments.queryKey({
+						roomId,
+						projectId: +projectId!,
+					}),
 				});
 
 				if (parentCommentId) {
 					queryClient.invalidateQueries({
 						queryKey: trpc.projects.getComments.queryKey({
 							roomId: `comment-${parentCommentId}`,
+							projectId: +projectId!,
 						}),
 					});
 				}
diff --git a/components/project/comment/comments.tsx b/components/project/comment/comments.tsx
index d00de7a0..ebd80334 100644
--- a/components/project/comment/comments.tsx
+++ b/components/project/comment/comments.tsx
@@ -50,6 +50,7 @@ function CommentThread({
 	const { data: replies = [], isLoading: repliesLoading } = useQuery({
 		...trpc.projects.getComments.queryOptions({
 			roomId: `comment-${comment.id}`,
+			projectId: +projectId,
 		}),
 		enabled: shouldLoadReplies,
 	});
@@ -136,6 +137,7 @@ function CommentThread({
 								queryClient.invalidateQueries({
 									queryKey: trpc.projects.getComments.queryKey({
 										roomId: `comment-${comment.id}`,
+										projectId: +projectId,
 									}),
 								});
 							}}
@@ -199,6 +201,7 @@ export function Comments({
 	const { data: comments = [], refetch } = useQuery(
 		trpc.projects.getComments.queryOptions({
 			roomId,
+			projectId: +projectId!,
 		}),
 	);
 
diff --git a/components/project/events/date-time-picker.tsx b/components/project/events/date-time-picker.tsx
index 9d2abb76..ee742c2c 100644
--- a/components/project/events/date-time-picker.tsx
+++ b/components/project/events/date-time-picker.tsx
@@ -1,8 +1,8 @@
 "use client";
 
 import { format } from "date-fns";
+import { CalendarIcon } from "lucide-react";
 import * as React from "react";
-
 import { Button } from "@/components/ui/button";
 import { Calendar } from "@/components/ui/calendar";
 import {
@@ -12,7 +12,6 @@ import {
 } from "@/components/ui/popover";
 import { ScrollArea, ScrollBar } from "@/components/ui/scroll-area";
 import { cn } from "@/lib/utils";
-import { CalendarIcon } from "lucide-react";
 
 type Props = {
 	name: string;
diff --git a/components/project/events/full-calendar.tsx b/components/project/events/full-calendar.tsx
index 800b4093..90257106 100644
--- a/components/project/events/full-calendar.tsx
+++ b/components/project/events/full-calendar.tsx
@@ -1,13 +1,5 @@
 "use client";
 
-import { Button } from "@/components/ui/button";
-import { Separator } from "@/components/ui/separator";
-import { Kbd } from "@/components/ui/kbd";
-import type { CalendarEvent } from "@/drizzle/types";
-import { useIsMobile } from "@/hooks/use-mobile";
-import { cn } from "@/lib/utils";
-import { toDateString, toTimeString, toTimeZone } from "@/lib/utils/date";
-import { useTRPC } from "@/trpc/client";
 import { useQuery } from "@tanstack/react-query";
 import {
 	add,
@@ -29,7 +21,15 @@ import { ChevronLeftIcon, ChevronRightIcon } from "lucide-react";
 import { parseAsBoolean, useQueryState } from "nuqs";
 import { useCallback, useMemo, useState } from "react";
 import { rrulestr } from "rrule";
+import { Button } from "@/components/ui/button";
+import { Kbd } from "@/components/ui/kbd";
+import { Separator } from "@/components/ui/separator";
+import type { CalendarEvent } from "@/drizzle/types";
 import { useKeyboardShortcut } from "@/hooks/use-keyboard-shortcut";
+import { useIsMobile } from "@/hooks/use-mobile";
+import { cn } from "@/lib/utils";
+import { toDateString, toTimeString, toTimeZone } from "@/lib/utils/date";
+import { useTRPC } from "@/trpc/client";
 
 interface Event {
 	id: number;
diff --git a/components/project/events/week-calendar.tsx b/components/project/events/week-calendar.tsx
index eaed11ee..c46e0332 100644
--- a/components/project/events/week-calendar.tsx
+++ b/components/project/events/week-calendar.tsx
@@ -1,11 +1,11 @@
 "use client";
 
+import { useQuery } from "@tanstack/react-query";
+import { useParams } from "next/navigation";
 import { Skeleton } from "@/components/ui/skeleton";
 import type { EventWithCreator } from "@/drizzle/types";
 import { toMachineDateString } from "@/lib/utils/date";
 import { useTRPC } from "@/trpc/client";
-import { useQuery } from "@tanstack/react-query";
-import { useParams } from "next/navigation";
 import EventsList from "./events-list";
 
 export default function WeekCalendar({
diff --git a/components/settings/team-settings.tsx b/components/settings/team-settings.tsx
index aeb7e9a0..80517bbb 100644
--- a/components/settings/team-settings.tsx
+++ b/components/settings/team-settings.tsx
@@ -1,8 +1,18 @@
 "use client";
 
 import { useQuery } from "@tanstack/react-query";
-import { useState, useEffect, useCallback } from "react";
+import { Mail, UserPlus, X } from "lucide-react";
+import { useCallback, useEffect, useState } from "react";
+import { toast } from "sonner";
+import { UserAvatar } from "@/components/core/user-avatar";
 import { Button } from "@/components/ui/button";
+import {
+	Dialog,
+	DialogContent,
+	DialogFooter,
+	DialogHeader,
+	DialogTitle,
+} from "@/components/ui/dialog";
 import { Input } from "@/components/ui/input";
 import { Label } from "@/components/ui/label";
 import {
@@ -12,18 +22,8 @@ import {
 	SelectTrigger,
 	SelectValue,
 } from "@/components/ui/select";
-import {
-	Dialog,
-	DialogContent,
-	DialogHeader,
-	DialogTitle,
-	DialogFooter,
-} from "@/components/ui/dialog";
-import { UserAvatar } from "@/components/core/user-avatar";
 import { authClient, useActiveOrganization } from "@/lib/auth/client";
 import { useTRPC } from "@/trpc/client";
-import { toast } from "sonner";
-import { Mail, UserPlus, X } from "lucide-react";
 
 type Member = {
 	id: string;
diff --git a/drizzle/auth-schema.ts b/drizzle/auth-schema.ts
index e6deeea9..8692842f 100644
--- a/drizzle/auth-schema.ts
+++ b/drizzle/auth-schema.ts
@@ -1,10 +1,10 @@
 import { relations } from "drizzle-orm";
 import {
+	boolean,
+	index,
 	pgTable,
 	text,
 	timestamp,
-	boolean,
-	index,
 	uniqueIndex,
 } from "drizzle-orm/pg-core";
 
diff --git a/drizzle/schema.ts b/drizzle/schema.ts
index 905e627d..bdbf8caa 100644
--- a/drizzle/schema.ts
+++ b/drizzle/schema.ts
@@ -10,26 +10,26 @@ import {
 } from "drizzle-orm/pg-core";
 
 export {
-	user,
-	session,
 	account,
-	verification,
-	organization,
-	member,
-	invitation,
-	sessionRelations,
 	accountRelations,
-	memberRelations,
+	invitation,
 	invitationRelations,
+	member,
+	memberRelations,
+	organization,
+	session,
+	sessionRelations,
+	user,
+	verification,
 } from "./auth-schema";
 
 import {
-	user,
-	session,
 	account,
-	organization,
-	member,
 	invitation,
+	member,
+	organization,
+	session,
+	user,
 } from "./auth-schema";
 
 export const userRelations = relations(user, ({ many }) => ({
@@ -55,6 +55,7 @@ export const project = pgTable("project", {
 	id: integer("id").primaryKey().generatedAlwaysAsIdentity(),
 	name: text("name").notNull(),
 	description: text("description"),
+	metadata: jsonb("metadata"),
 	status: text("status").notNull(),
 	dueDate: timestamp("dueDate"),
 	organizationId: text("organizationId").references(() => organization.id, {
@@ -92,6 +93,7 @@ export const task = pgTable("task", {
 		}),
 	name: text("name").notNull(),
 	description: text("description"),
+	metadata: jsonb("metadata"),
 	status: text("status").notNull(),
 	dueDate: timestamp("dueDate"),
 	position: real("position").notNull(),
@@ -127,6 +129,7 @@ export const taskList = pgTable("taskList", {
 	id: integer("id").primaryKey().generatedAlwaysAsIdentity(),
 	name: text("name").notNull(),
 	description: text("description"),
+	metadata: jsonb("metadata"),
 	status: text("status").notNull(),
 	dueDate: timestamp("dueDate"),
 	createdAt: timestamp("createdAt").notNull().defaultNow(),
diff --git a/hooks/use-project-prefetch.ts b/hooks/use-project-prefetch.ts
index c6551232..b7d18692 100644
--- a/hooks/use-project-prefetch.ts
+++ b/hooks/use-project-prefetch.ts
@@ -1,8 +1,8 @@
 "use client";
 
-import { useTRPC } from "@/trpc/client";
 import { useQueryClient } from "@tanstack/react-query";
 import { useEffect } from "react";
+import { useTRPC } from "@/trpc/client";
 
 export function useProjectPrefetch(projectId: number) {
 	const trpc = useTRPC();
diff --git a/hooks/use-tasklist.tsx b/hooks/use-tasklist.tsx
index 0eadea3f..4852e96a 100644
--- a/hooks/use-tasklist.tsx
+++ b/hooks/use-tasklist.tsx
@@ -1,9 +1,9 @@
 "use client";
 
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { createContext, type ReactNode, useCallback, useContext } from "react";
 import { displayMutationError } from "@/lib/utils/error";
 import { useTRPC } from "@/trpc/client";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { type ReactNode, createContext, useCallback, useContext } from "react";
 
 // biome-ignore lint/suspicious/noExplicitAny: context value typed as any for flexibility
 const TaskListsContext = createContext<any>(undefined);
diff --git a/hooks/use-tasks.tsx b/hooks/use-tasks.tsx
index a9e42dba..6ac1bf04 100644
--- a/hooks/use-tasks.tsx
+++ b/hooks/use-tasks.tsx
@@ -1,5 +1,7 @@
 "use client";
 
+import { useMutation, useQueryClient } from "@tanstack/react-query";
+import { createContext, type ReactNode, useCallback, useContext } from "react";
 import {
 	type TaskListWithTasks,
 	TaskStatus,
@@ -8,8 +10,6 @@ import {
 import { useSession } from "@/lib/auth/client";
 import { displayMutationError } from "@/lib/utils/error";
 import { useTRPC } from "@/trpc/client";
-import { useMutation, useQueryClient } from "@tanstack/react-query";
-import { type ReactNode, createContext, useCallback, useContext } from "react";
 
 // biome-ignore lint/suspicious/noExplicitAny: context value typed as any for flexibility
 const TasksContext = createContext<any>(undefined);
@@ -78,6 +78,7 @@ export function TasksProvider({
 							taskListId: newTask.taskListId || 0,
 							name: newTask.name || "",
 							description: null,
+							metadata: null,
 							status: newTask.status || TaskStatus.TODO,
 							dueDate: null,
 							createdAt: new Date(),
diff --git a/lib/auth/client.ts b/lib/auth/client.ts
index 098a4f71..4e4f2cc7 100644
--- a/lib/auth/client.ts
+++ b/lib/auth/client.ts
@@ -1,5 +1,5 @@
-import { createAuthClient } from "better-auth/react";
 import { emailOTPClient, organizationClient } from "better-auth/client/plugins";
+import { createAuthClient } from "better-auth/react";
 
 export const authClient = createAuthClient({
 	baseURL: process.env.NEXT_PUBLIC_APP_URL,
diff --git a/lib/auth/index.ts b/lib/auth/index.ts
index 0c759aa5..ce8f83bb 100644
--- a/lib/auth/index.ts
+++ b/lib/auth/index.ts
@@ -1,9 +1,9 @@
 import { betterAuth } from "better-auth";
 import { drizzleAdapter } from "better-auth/adapters/drizzle";
 import { emailOTP, organization } from "better-auth/plugins";
-import { database } from "@/lib/utils/useDatabase";
 import { isSignupDisabled } from "@/lib/config";
 import { sendEmail } from "@/lib/email";
+import { database } from "@/lib/utils/useDatabase";
 
 export const auth = betterAuth({
 	database: drizzleAdapter(database(), {
diff --git a/lib/blobStore/cleanup.ts b/lib/blobStore/cleanup.ts
new file mode 100644
index 00000000..d3e38e87
--- /dev/null
+++ b/lib/blobStore/cleanup.ts
@@ -0,0 +1,68 @@
+import { eq } from "drizzle-orm";
+import { blob } from "@/drizzle/schema";
+import type { Database } from "@/drizzle/types";
+import { deleteFile } from "./index";
+
+const BLOB_URL_REGEX = /\/api\/blob\/([a-f0-9-]{36})\//g;
+
+export function extractBlobIds(
+	content: string | null | undefined,
+): Set<string> {
+	if (!content) return new Set();
+	const ids = new Set<string>();
+	const regex = new RegExp(BLOB_URL_REGEX);
+	for (
+		let match = regex.exec(content);
+		match !== null;
+		match = regex.exec(content)
+	) {
+		ids.add(match[1]);
+	}
+	return ids;
+}
+
+export async function cleanupRemovedBlobs(
+	db: Database,
+	oldContent: string | null | undefined,
+	newContent: string | null | undefined,
+): Promise<number> {
+	const oldIds = extractBlobIds(oldContent);
+	const newIds = extractBlobIds(newContent);
+
+	const removedIds = [...oldIds].filter((id) => !newIds.has(id));
+
+	for (const id of removedIds) {
+		const [blobRecord] = await db
+			.select()
+			.from(blob)
+			.where(eq(blob.id, id))
+			.limit(1);
+		if (blobRecord) {
+			await deleteFile(blobRecord.key);
+			await db.delete(blob).where(eq(blob.id, id));
+		}
+	}
+
+	return removedIds.length;
+}
+
+export async function cleanupContentBlobs(
+	db: Database,
+	content: string | null | undefined,
+): Promise<number> {
+	const ids = extractBlobIds(content);
+
+	for (const id of [...ids]) {
+		const [blobRecord] = await db
+			.select()
+			.from(blob)
+			.where(eq(blob.id, id))
+			.limit(1);
+		if (blobRecord) {
+			await deleteFile(blobRecord.key);
+			await db.delete(blob).where(eq(blob.id, id));
+		}
+	}
+
+	return ids.size;
+}
diff --git a/proxy.ts b/proxy.ts
index 61c00029..793edcd3 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -1,4 +1,4 @@
-import { NextResponse, type NextRequest } from "next/server";
+import { type NextRequest, NextResponse } from "next/server";
 import { auth } from "@/lib/auth";
 
 const publicRoutes = [
diff --git a/trpc/init.ts b/trpc/init.ts
index 7245a6c5..40d35b0a 100644
--- a/trpc/init.ts
+++ b/trpc/init.ts
@@ -1,6 +1,6 @@
-import { headers } from "next/headers";
 import { initTRPC, TRPCError } from "@trpc/server";
 import { and, eq } from "drizzle-orm";
+import { headers } from "next/headers";
 import superjson from "superjson";
 import { ZodError } from "zod";
 import { member } from "@/drizzle/schema";
diff --git a/trpc/routers/events.ts b/trpc/routers/events.ts
index b4adf464..d6e54e94 100644
--- a/trpc/routers/events.ts
+++ b/trpc/routers/events.ts
@@ -127,6 +127,14 @@ export const eventsRouter = createTRPCRouter({
 		.query(async ({ ctx, input }) => {
 			const { date, projectId } = input;
 
+			const hasAccess = await canViewProject(ctx, projectId);
+			if (!hasAccess) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project access denied",
+				});
+			}
+
 			const { start, end } = getStartEndMonthRangeInUtc(ctx.timezone, date);
 
 			const events = await ctx.db.query.calendarEvent
diff --git a/trpc/routers/permissions.ts b/trpc/routers/permissions.ts
index a1f5dbd7..892c54ff 100644
--- a/trpc/routers/permissions.ts
+++ b/trpc/routers/permissions.ts
@@ -1,12 +1,11 @@
-import { and, eq } from "drizzle-orm";
-import { z } from "zod";
 import { TRPCError } from "@trpc/server";
-import { member, projectPermission } from "@/drizzle/schema";
+import { and, eq, inArray } from "drizzle-orm";
+import { z } from "zod";
+import { member, project, projectPermission, user } from "@/drizzle/schema";
 import { logActivity } from "@/lib/activity";
 import { createTRPCRouter, protectedProcedure } from "../init";
 
 export const permissionsRouter = createTRPCRouter({
-	// Get all permissions for a project
 	getProjectPermissions: protectedProcedure
 		.input(
 			z.object({
@@ -14,7 +13,6 @@ export const permissionsRouter = createTRPCRouter({
 			}),
 		)
 		.query(async ({ ctx, input }) => {
-			// Check if user is org admin
 			if (!ctx.isOrgAdmin) {
 				throw new TRPCError({
 					code: "FORBIDDEN",
@@ -22,6 +20,18 @@ export const permissionsRouter = createTRPCRouter({
 				});
 			}
 
+			const proj = await ctx.db.query.project.findFirst({
+				where: eq(project.id, input.projectId),
+				columns: { organizationId: true },
+			});
+
+			if (!proj || proj.organizationId !== ctx.orgId) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project not found or access denied",
+				});
+			}
+
 			const permissions = await ctx.db.query.projectPermission.findMany({
 				where: eq(projectPermission.projectId, input.projectId),
 				with: {
@@ -40,7 +50,6 @@ export const permissionsRouter = createTRPCRouter({
 			return permissions;
 		}),
 
-	// Grant permission to a user
 	grantPermission: protectedProcedure
 		.input(
 			z.object({
@@ -50,7 +59,6 @@ export const permissionsRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ ctx, input }) => {
-			// Check if user is org admin
 			if (!ctx.isOrgAdmin) {
 				throw new TRPCError({
 					code: "FORBIDDEN",
@@ -58,7 +66,18 @@ export const permissionsRouter = createTRPCRouter({
 				});
 			}
 
-			// Check if permission already exists
+			const proj = await ctx.db.query.project.findFirst({
+				where: eq(project.id, input.projectId),
+				columns: { organizationId: true },
+			});
+
+			if (!proj || proj.organizationId !== ctx.orgId) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project not found or access denied",
+				});
+			}
+
 			const existingPermission = await ctx.db.query.projectPermission.findFirst(
 				{
 					where: and(
@@ -109,7 +128,6 @@ export const permissionsRouter = createTRPCRouter({
 			return { success: true };
 		}),
 
-	// Revoke permission from a user
 	revokePermission: protectedProcedure
 		.input(
 			z.object({
@@ -118,7 +136,6 @@ export const permissionsRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ ctx, input }) => {
-			// Check if user is org admin
 			if (!ctx.isOrgAdmin) {
 				throw new TRPCError({
 					code: "FORBIDDEN",
@@ -126,6 +143,18 @@ export const permissionsRouter = createTRPCRouter({
 				});
 			}
 
+			const proj = await ctx.db.query.project.findFirst({
+				where: eq(project.id, input.projectId),
+				columns: { organizationId: true },
+			});
+
+			if (!proj || proj.organizationId !== ctx.orgId) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project not found or access denied",
+				});
+			}
+
 			await ctx.db
 				.delete(projectPermission)
 				.where(
@@ -169,9 +198,7 @@ export const permissionsRouter = createTRPCRouter({
 		return members;
 	}),
 
-	// Get all users in the organization (for permission management UI)
 	getOrganizationUsers: protectedProcedure.query(async ({ ctx }) => {
-		// Check if user is org admin
 		if (!ctx.isOrgAdmin) {
 			throw new TRPCError({
 				code: "FORBIDDEN",
@@ -179,8 +206,22 @@ export const permissionsRouter = createTRPCRouter({
 			});
 		}
 
-		// Get all users in the organization
-		const allUsers = await ctx.db.query.user.findMany({
+		if (!ctx.orgId) {
+			return [];
+		}
+
+		const orgMembers = await ctx.db.query.member.findMany({
+			where: eq(member.organizationId, ctx.orgId),
+			columns: { userId: true },
+		});
+
+		const memberUserIds = orgMembers.map((m) => m.userId);
+		if (memberUserIds.length === 0) {
+			return [];
+		}
+
+		const orgUsers = await ctx.db.query.user.findMany({
+			where: inArray(user.id, memberUserIds),
 			columns: {
 				id: true,
 				email: true,
@@ -190,9 +231,6 @@ export const permissionsRouter = createTRPCRouter({
 			},
 		});
 
-		// Filter out the current admin user since they already have access to all projects
-		const nonAdminUsers = allUsers.filter((user) => user.id !== ctx.userId);
-
-		return nonAdminUsers;
+		return orgUsers.filter((u) => u.id !== ctx.userId);
 	}),
 });
diff --git a/trpc/routers/posts.ts b/trpc/routers/posts.ts
index c429197a..96dd4c20 100644
--- a/trpc/routers/posts.ts
+++ b/trpc/routers/posts.ts
@@ -3,6 +3,10 @@ import { and, desc, eq } from "drizzle-orm";
 import { z } from "zod";
 import { post } from "@/drizzle/schema";
 import { logActivity } from "@/lib/activity";
+import {
+	cleanupContentBlobs,
+	cleanupRemovedBlobs,
+} from "@/lib/blobStore/cleanup";
 import { canEditProject, canViewProject } from "@/lib/permissions";
 import { sendMentionNotifications } from "@/lib/utils/mentionNotifications";
 import { createTRPCRouter, protectedProcedure } from "../init";
@@ -174,6 +178,8 @@ export const postsRouter = createTRPCRouter({
 					projectId: deletedPost[0].projectId,
 					oldValue,
 				});
+
+				await cleanupContentBlobs(ctx.db, existingPost.content);
 			}
 
 			return deletedPost[0];
@@ -262,6 +268,8 @@ export const postsRouter = createTRPCRouter({
 					newValue,
 				});
 
+				await cleanupRemovedBlobs(ctx.db, oldPost?.content, content);
+
 				if (updatedPost?.[0] && !isDraft && content) {
 					await sendMentionNotifications(content, {
 						type: "post",
diff --git a/trpc/routers/projects.ts b/trpc/routers/projects.ts
index 2cd56022..bef43bf1 100644
--- a/trpc/routers/projects.ts
+++ b/trpc/routers/projects.ts
@@ -4,10 +4,17 @@ import { z } from "zod";
 import {
 	activity,
 	comment,
+	post,
 	project,
 	projectPermission,
+	task,
+	taskList,
 } from "@/drizzle/schema";
 import { logActivity } from "@/lib/activity";
+import {
+	cleanupContentBlobs,
+	cleanupRemovedBlobs,
+} from "@/lib/blobStore/cleanup";
 import {
 	canEditProject,
 	canViewProject,
@@ -22,6 +29,7 @@ export const projectsRouter = createTRPCRouter({
 			z.object({
 				name: z.string(),
 				description: z.string().optional(),
+				metadata: z.any().optional(),
 				dueDate: z.date().optional(),
 			}),
 		)
@@ -38,6 +46,7 @@ export const projectsRouter = createTRPCRouter({
 				.values({
 					name: input.name,
 					description: input.description,
+					metadata: input.metadata,
 					dueDate: input.dueDate,
 					status: "active",
 					createdByUser: ctx.userId,
@@ -86,6 +95,7 @@ export const projectsRouter = createTRPCRouter({
 					z.object({
 						id: z.number(),
 						description: z.string(),
+						metadata: z.any().optional(),
 					}),
 				)
 				.or(
@@ -136,14 +146,22 @@ export const projectsRouter = createTRPCRouter({
 					projectId: +input.id,
 				});
 
-				if ("description" in input && input.description && currentProject) {
-					await sendMentionNotifications(input.description, {
-						type: "project",
-						entityName: currentProject.name,
-						entityId: +input.id,
-						orgSlug: ctx.orgSlug,
-						fromUserId: ctx.userId,
-					});
+				if ("description" in input && currentProject) {
+					await cleanupRemovedBlobs(
+						ctx.db,
+						currentProject.description,
+						input.description,
+					);
+
+					if (input.description) {
+						await sendMentionNotifications(input.description, {
+							type: "project",
+							entityName: currentProject.name,
+							entityId: +input.id,
+							orgSlug: ctx.orgSlug,
+							fromUserId: ctx.userId,
+						});
+					}
 				}
 			}
 
@@ -164,6 +182,34 @@ export const projectsRouter = createTRPCRouter({
 				});
 			}
 
+			const projectToDelete = await ctx.db.query.project.findFirst({
+				where: eq(project.id, input.id),
+			});
+
+			const projectPosts = await ctx.db.query.post.findMany({
+				where: eq(post.projectId, input.id),
+				columns: { content: true },
+			});
+
+			const projectTaskLists = await ctx.db.query.taskList.findMany({
+				where: eq(taskList.projectId, input.id),
+				columns: { id: true, description: true },
+			});
+
+			const taskListIds = projectTaskLists.map((tl) => tl.id);
+			const projectTasks =
+				taskListIds.length > 0
+					? await ctx.db.query.task.findMany({
+							where: inArray(task.taskListId, taskListIds),
+							columns: { description: true },
+						})
+					: [];
+
+			const projectComments = await ctx.db.query.comment.findMany({
+				where: eq(comment.roomId, `project-${input.id}`),
+				columns: { content: true },
+			});
+
 			const deletedProject = await ctx.db
 				.delete(project)
 				.where(eq(project.id, input.id))
@@ -176,6 +222,40 @@ export const projectsRouter = createTRPCRouter({
 				oldValue: deletedProject[0],
 			});
 
+			const cleanupPromises: Promise<number>[] = [];
+
+			if (projectToDelete?.description) {
+				cleanupPromises.push(
+					cleanupContentBlobs(ctx.db, projectToDelete.description),
+				);
+			}
+
+			for (const p of projectPosts) {
+				if (p.content) {
+					cleanupPromises.push(cleanupContentBlobs(ctx.db, p.content));
+				}
+			}
+
+			for (const tl of projectTaskLists) {
+				if (tl.description) {
+					cleanupPromises.push(cleanupContentBlobs(ctx.db, tl.description));
+				}
+			}
+
+			for (const t of projectTasks) {
+				if (t.description) {
+					cleanupPromises.push(cleanupContentBlobs(ctx.db, t.description));
+				}
+			}
+
+			for (const c of projectComments) {
+				if (c.content) {
+					cleanupPromises.push(cleanupContentBlobs(ctx.db, c.content));
+				}
+			}
+
+			await Promise.all(cleanupPromises);
+
 			return deletedProject[0];
 		}),
 	getProjectById: protectedProcedure
@@ -224,9 +304,18 @@ export const projectsRouter = createTRPCRouter({
 		.input(
 			z.object({
 				roomId: z.string(),
+				projectId: z.number(),
 			}),
 		)
 		.query(async ({ ctx, input }) => {
+			const hasAccess = await canViewProject(ctx, input.projectId);
+			if (!hasAccess) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project access denied",
+				});
+			}
+
 			const comments = await ctx.db.query.comment.findMany({
 				where: eq(comment.roomId, input.roomId),
 				orderBy: desc(comment.createdAt),
@@ -315,12 +404,29 @@ export const projectsRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ ctx, input }) => {
+			const canEdit = await canEditProject(ctx, input.projectId);
+			if (!canEdit) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project edit access denied",
+				});
+			}
+
+			const existingComment = await ctx.db.query.comment.findFirst({
+				where: eq(comment.id, input.id),
+			});
+
 			await ctx.db.delete(comment).where(eq(comment.id, input.id));
+
 			await logActivity({
 				action: "deleted",
 				type: "comment",
 				projectId: input.projectId,
 			});
+
+			if (existingComment?.content) {
+				await cleanupContentBlobs(ctx.db, existingComment.content);
+			}
 		}),
 	getActivities: protectedProcedure
 		.input(
@@ -330,6 +436,14 @@ export const projectsRouter = createTRPCRouter({
 			}),
 		)
 		.query(async ({ ctx, input }) => {
+			const hasAccess = await canViewProject(ctx, input.projectId);
+			if (!hasAccess) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project access denied",
+				});
+			}
+
 			const activities = await ctx.db.query.activity
 				.findMany({
 					with: {
diff --git a/trpc/routers/search.ts b/trpc/routers/search.ts
index aa9c9599..79dfdbc4 100644
--- a/trpc/routers/search.ts
+++ b/trpc/routers/search.ts
@@ -30,11 +30,12 @@ export const searchRouter = createTRPCRouter({
 		.query(async ({ input, ctx }) => {
 			let accessibleProjectIds: number[];
 
-			if (ctx.isOrgAdmin) {
-				const allProjects = await ctx.db.query.project.findMany({
+			if (ctx.isOrgAdmin && ctx.orgId) {
+				const orgProjects = await ctx.db.query.project.findMany({
+					where: eq(project.organizationId, ctx.orgId),
 					columns: { id: true },
 				});
-				accessibleProjectIds = allProjects.map((p) => p.id);
+				accessibleProjectIds = orgProjects.map((p) => p.id);
 			} else {
 				const userProjectIds = await getUserProjectIds(ctx.db, ctx.userId);
 
diff --git a/trpc/routers/settings.ts b/trpc/routers/settings.ts
index 0cd738c9..63c40c2e 100644
--- a/trpc/routers/settings.ts
+++ b/trpc/routers/settings.ts
@@ -1,18 +1,22 @@
-import { eq, sql } from "drizzle-orm";
+import { eq, inArray, sql } from "drizzle-orm";
 import { cookies } from "next/headers";
 import { z } from "zod";
-import { blob, user } from "@/drizzle/schema";
+import { blob, member, user } from "@/drizzle/schema";
 import type { User } from "@/drizzle/types";
+import { getOwner } from "@/lib/utils/useOwner";
 import { createTRPCRouter, protectedProcedure } from "../init";
 
 export const settingsRouter = createTRPCRouter({
 	getStorageUsage: protectedProcedure.query(async ({ ctx }) => {
+		const { ownerId } = await getOwner();
+
 		const details = await ctx.db
 			.select({
 				count: sql<number>`count(*)`,
 				usage: sql<number>`sum(${blob.contentSize})`,
 			})
 			.from(blob)
+			.where(sql`${blob.key} LIKE ${`${ownerId}/%`}`)
 			.execute();
 
 		return {
@@ -46,7 +50,28 @@ export const settingsRouter = createTRPCRouter({
 	getAllUsers: protectedProcedure
 		.input(z.boolean().optional().default(false))
 		.query(async ({ ctx, input }) => {
-			const users: User[] = (await ctx.db.query.user.findMany()) ?? [];
-			return input ? users : users.filter((user) => user.id !== ctx.userId);
+			if (!ctx.orgId) {
+				const currentUser = await ctx.db.query.user.findFirst({
+					where: eq(user.id, ctx.userId),
+				});
+				return currentUser ? [currentUser] : [];
+			}
+
+			const orgMembers = await ctx.db.query.member.findMany({
+				where: eq(member.organizationId, ctx.orgId),
+				columns: { userId: true },
+			});
+
+			const memberUserIds = orgMembers.map((m) => m.userId);
+			if (memberUserIds.length === 0) {
+				return [];
+			}
+
+			const users: User[] =
+				(await ctx.db.query.user.findMany({
+					where: inArray(user.id, memberUserIds),
+				})) ?? [];
+
+			return input ? users : users.filter((u) => u.id !== ctx.userId);
 		}),
 });
diff --git a/trpc/routers/tasks.ts b/trpc/routers/tasks.ts
index 2e2b9223..eab05b70 100644
--- a/trpc/routers/tasks.ts
+++ b/trpc/routers/tasks.ts
@@ -4,6 +4,10 @@ import { z } from "zod";
 import { task, taskList } from "@/drizzle/schema";
 import { TaskListStatus, TaskStatus } from "@/drizzle/types";
 import { logActivity } from "@/lib/activity";
+import {
+	cleanupContentBlobs,
+	cleanupRemovedBlobs,
+} from "@/lib/blobStore/cleanup";
 import { canEditProject, canViewProject } from "@/lib/permissions";
 import { sendMentionNotifications } from "@/lib/utils/mentionNotifications";
 import { notifyUser } from "@/lib/utils/useNotification";
@@ -58,6 +62,7 @@ export const tasksRouter = createTRPCRouter({
 					.string()
 					.nullable()
 					.transform((val) => (val?.trim()?.length ? val : null)),
+				metadata: z.any().optional(),
 				dueDate: z
 					.string()
 					.nullable()
@@ -79,6 +84,7 @@ export const tasksRouter = createTRPCRouter({
 				.values({
 					name: input.name,
 					description: input.description,
+					metadata: input.metadata,
 					dueDate: input.dueDate,
 					status: TaskListStatus.ACTIVE,
 					projectId: input.projectId,
@@ -122,6 +128,7 @@ export const tasksRouter = createTRPCRouter({
 							.string()
 							.nullable()
 							.transform((val) => (val?.trim()?.length ? val : null)),
+						metadata: z.any().optional(),
 					}),
 				)
 				.or(
@@ -179,15 +186,23 @@ export const tasksRouter = createTRPCRouter({
 					newValue: data[0],
 				});
 
-				if (data?.[0] && "description" in input && input.description) {
-					await sendMentionNotifications(input.description, {
-						type: "tasklist",
-						entityName: oldTaskList.name,
-						entityId: input.id,
-						projectId: oldTaskList.projectId,
-						orgSlug: ctx.orgSlug,
-						fromUserId: ctx.userId,
-					});
+				if ("description" in input) {
+					await cleanupRemovedBlobs(
+						ctx.db,
+						oldTaskList.description,
+						input.description,
+					);
+
+					if (data?.[0] && input.description) {
+						await sendMentionNotifications(input.description, {
+							type: "tasklist",
+							entityName: oldTaskList.name,
+							entityId: input.id,
+							projectId: oldTaskList.projectId,
+							orgSlug: ctx.orgSlug,
+							fromUserId: ctx.userId,
+						});
+					}
 				}
 			}
 
@@ -196,7 +211,6 @@ export const tasksRouter = createTRPCRouter({
 	deleteTaskList: protectedProcedure
 		.input(z.object({ id: z.number() }))
 		.mutation(async ({ ctx, input }) => {
-			// First get the task list to check permissions
 			const taskListToDelete = await ctx.db.query.taskList.findFirst({
 				where: eq(taskList.id, input.id),
 			});
@@ -212,6 +226,11 @@ export const tasksRouter = createTRPCRouter({
 				);
 			}
 
+			const tasksInList = await ctx.db.query.task.findMany({
+				where: eq(task.taskListId, input.id),
+				columns: { description: true },
+			});
+
 			const data = await ctx.db
 				.delete(taskList)
 				.where(eq(taskList.id, input.id))
@@ -224,6 +243,22 @@ export const tasksRouter = createTRPCRouter({
 					projectId: data[0].projectId,
 					oldValue: data[0],
 				});
+
+				const cleanupPromises: Promise<number>[] = [];
+
+				if (taskListToDelete.description) {
+					cleanupPromises.push(
+						cleanupContentBlobs(ctx.db, taskListToDelete.description),
+					);
+				}
+
+				for (const t of tasksInList) {
+					if (t.description) {
+						cleanupPromises.push(cleanupContentBlobs(ctx.db, t.description));
+					}
+				}
+
+				await Promise.all(cleanupPromises);
 			}
 
 			return data?.[0];
@@ -264,6 +299,14 @@ export const tasksRouter = createTRPCRouter({
 				throw new Error(`TaskList with id ${input.id} not found`);
 			}
 
+			const hasAccess = await canViewProject(ctx, data.projectId);
+			if (!hasAccess) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "Project access denied",
+				});
+			}
+
 			return data;
 		}),
 
@@ -274,6 +317,7 @@ export const tasksRouter = createTRPCRouter({
 				status: z.nativeEnum(TaskStatus).optional().default(TaskStatus.TODO),
 				taskListId: z.number().optional().default(0),
 				description: z.string().optional(),
+				metadata: z.any().optional(),
 				assignedToUser: z.string().nullable().optional(),
 				dueDate: z
 					.string()
@@ -283,7 +327,6 @@ export const tasksRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ ctx, input }) => {
-			// Get the task list to find the project ID
 			const taskListDetails = await ctx.db.query.taskList.findFirst({
 				where: eq(taskList.id, input.taskListId),
 				columns: {
@@ -362,6 +405,7 @@ export const tasksRouter = createTRPCRouter({
 					z.object({
 						id: z.number(),
 						description: z.string(),
+						metadata: z.any().optional(),
 					}),
 				)
 				.or(
@@ -446,16 +490,24 @@ export const tasksRouter = createTRPCRouter({
 					newValue: updatedTask[0],
 				});
 
-				if (updatedTask?.[0] && "description" in input && input.description) {
-					await sendMentionNotifications(input.description, {
-						type: "task",
-						entityName: oldTask.name,
-						entityId: input.id,
-						projectId: oldTask.taskList.projectId,
-						taskListId: oldTask.taskListId,
-						orgSlug: ctx.orgSlug,
-						fromUserId: ctx.userId,
-					});
+				if ("description" in input) {
+					await cleanupRemovedBlobs(
+						ctx.db,
+						oldTask.description,
+						input.description,
+					);
+
+					if (updatedTask?.[0] && input.description) {
+						await sendMentionNotifications(input.description, {
+							type: "task",
+							entityName: oldTask.name,
+							entityId: input.id,
+							projectId: oldTask.taskList.projectId,
+							taskListId: oldTask.taskListId,
+							orgSlug: ctx.orgSlug,
+							fromUserId: ctx.userId,
+						});
+					}
 				}
 			}
 
@@ -495,6 +547,10 @@ export const tasksRouter = createTRPCRouter({
 					projectId: currentTask.taskList.projectId,
 					oldValue: currentTask,
 				});
+
+				if (currentTask.description) {
+					await cleanupContentBlobs(ctx.db, currentTask.description);
+				}
 			}
 
 			return currentTask;
@@ -502,7 +558,6 @@ export const tasksRouter = createTRPCRouter({
 	tidyUpTaskList: protectedProcedure
 		.input(z.object({ id: z.number() }))
 		.mutation(async ({ ctx, input }) => {
-			// Get the task list to check permissions
 			const taskListDetails = await ctx.db.query.taskList.findFirst({
 				where: eq(taskList.id, input.id),
 				columns: {
@@ -521,6 +576,14 @@ export const tasksRouter = createTRPCRouter({
 				);
 			}
 
+			const doneTasks = await ctx.db.query.task.findMany({
+				where: and(
+					eq(task.taskListId, input.id),
+					eq(task.status, TaskStatus.DONE),
+				),
+				columns: { id: true, description: true },
+			});
+
 			const data = await ctx.db
 				.update(task)
 				.set({ status: TaskStatus.DELETED })
@@ -529,6 +592,12 @@ export const tasksRouter = createTRPCRouter({
 				)
 				.returning();
 
+			await Promise.all(
+				doneTasks
+					.filter((t) => t.description)
+					.map((t) => cleanupContentBlobs(ctx.db, t.description)),
+			);
+
 			return data;
 		}),
 });
diff --git a/trpc/routers/user.ts b/trpc/routers/user.ts
index e19710b7..f7f50830 100644
--- a/trpc/routers/user.ts
+++ b/trpc/routers/user.ts
@@ -1,7 +1,8 @@
+import { and, desc, eq, inArray, isNull, or } from "drizzle-orm";
 import { headers } from "next/headers";
-import { and, desc, eq, isNull, or } from "drizzle-orm";
 import { z } from "zod";
 import {
+	member,
 	notification,
 	project,
 	projectPermission,
@@ -154,7 +155,32 @@ export const userRouter = createTRPCRouter({
 			}),
 		)
 		.query(async ({ ctx, input }) => {
+			if (!ctx.orgId) {
+				const currentUser = await ctx.db.query.user.findFirst({
+					where: eq(user.id, ctx.userId),
+					columns: {
+						id: true,
+						email: true,
+						firstName: true,
+						lastName: true,
+						image: true,
+					},
+				});
+				return currentUser ? [currentUser] : [];
+			}
+
+			const orgMembers = await ctx.db.query.member.findMany({
+				where: eq(member.organizationId, ctx.orgId),
+				columns: { userId: true },
+			});
+
+			const memberUserIds = orgMembers.map((m) => m.userId);
+			if (memberUserIds.length === 0) {
+				return [];
+			}
+
 			const users = await ctx.db.query.user.findMany({
+				where: inArray(user.id, memberUserIds),
 				columns: {
 					id: true,
 					email: true,
@@ -166,10 +192,10 @@ export const userRouter = createTRPCRouter({
 
 			if (input.query) {
 				const query = input.query.toLowerCase();
-				return users.filter((user) => {
+				return users.filter((u) => {
 					const fullName =
-						`${user.firstName || ""} ${user.lastName || ""}`.toLowerCase();
-					const email = user.email.toLowerCase();
+						`${u.firstName || ""} ${u.lastName || ""}`.toLowerCase();
+					const email = u.email.toLowerCase();
 					return fullName.includes(query) || email.includes(query);
 				});
 			}
diff --git a/vercel.json b/vercel.json
new file mode 100644
index 00000000..30e2d957
--- /dev/null
+++ b/vercel.json
@@ -0,0 +1,8 @@
+{
+	"crons": [
+		{
+			"path": "/api/cron/blob-cleanup",
+			"schedule": "0 * * * *"
+		}
+	]
+}