@camox/api 0.2.0-alpha.5

package/LICENSE.md

@@ -0,0 +1,110 @@
+# Functional Source License, Version 1.1, MIT Future License
+
+## Abbreviation
+
+FSL-1.1-MIT
+
+## Notice
+
+Copyright 2026 Rémi de Juvigny
+
+## Terms and Conditions
+
+### Licensor ("We")
+
+The party offering the Software under these Terms and Conditions.
+
+### The Software
+
+The "Software" is each version of the software that we make available under
+these Terms and Conditions, as indicated by our inclusion of these Terms and
+Conditions with the Software.
+
+### License Grant
+
+Subject to your compliance with this License Grant and the Patents,
+Redistribution and Trademark clauses below, we hereby grant you the right to
+use, copy, modify, create derivative works, publicly perform, publicly display
+and redistribute the Software for any Permitted Purpose identified below.
+
+### Permitted Purpose
+
+A Permitted Purpose is any purpose other than a Competing Use. A Competing Use
+means making the Software available to others in a commercial product or
+service that:
+
+1. substitutes for the Software;
+
+2. substitutes for any other product or service we offer using the Software
+   that exists as of the date we make the Software available; or
+
+3. offers the same or substantially similar functionality as the Software.
+
+Permitted Purposes specifically include using the Software:
+
+1. for your internal use and access;
+
+2. for non-commercial education;
+
+3. for non-commercial research; and
+
+4. in connection with professional services that you provide to a licensee
+   using the Software in accordance with these Terms and Conditions.
+
+### Patents
+
+To the extent your use for a Permitted Purpose would necessarily infringe our
+patents, the license grant above includes a license under our patents. If you
+make a claim against any party that the Software infringes or contributes to
+the infringement of any patent, then your patent license to the Software ends
+immediately.
+
+### Redistribution
+
+The Terms and Conditions apply to all copies, modifications and derivatives of
+the Software.
+
+If you redistribute any copies, modifications or derivatives of the Software,
+you must include a copy of or a link to these Terms and Conditions and not
+remove any copyright notices provided in or with the Software.
+
+### Disclaimer
+
+THE SOFTWARE IS PROVIDED "AS IS" AND WITHOUT WARRANTIES OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR
+PURPOSE, MERCHANTABILITY, TITLE OR NON-INFRINGEMENT.
+
+IN NO EVENT WILL WE HAVE ANY LIABILITY TO YOU ARISING OUT OF OR RELATED TO THE
+SOFTWARE, INCLUDING INDIRECT, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
+EVEN IF WE HAVE BEEN INFORMED OF THEIR POSSIBILITY IN ADVANCE.
+
+### Trademarks
+
+Except for displaying the License Details and identifying us as the origin of
+the Software, you have no right under these Terms and Conditions to use our
+trademarks, trade names, service marks or product names.
+
+## Grant of Future License
+
+We hereby irrevocably grant you an additional license to use the Software under
+the MIT license that is effective on the second anniversary of the date we make
+the Software available. On or after that date, you may use the Software under
+the MIT license, in which case the following will apply:
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
+of the Software, and to permit persons to whom the Software is furnished to do
+so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,21 @@
+```txt
+npm install
+npm run dev
+```
+
+```txt
+npm run deploy
+```
+
+[For generating/synchronizing types based on your Worker configuration run](https://developers.cloudflare.com/workers/wrangler/commands/#types):
+
+```txt
+npm run cf-typegen
+```
+
+Pass the `CloudflareBindings` as generics when instantiation `Hono`:
+
+```ts
+// src/index.ts
+const app = new Hono<{ Bindings: CloudflareBindings }>();
+```

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@camox/api",
+  "version": "0.2.0-alpha.5",
+  "files": [
+    "src"
+  ],
+  "type": "module",
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "default": "./src/index.ts"
+    },
+    "./query-keys": {
+      "types": "./src/lib/query-keys.ts",
+      "default": "./src/lib/query-keys.ts"
+    }
+  },
+  "dependencies": {
+    "@hono/zod-validator": "^0.7.6",
+    "@orpc/server": "^1.13.13",
+    "@tanstack/ai": "^0.8.1",
+    "@tanstack/ai-openrouter": "^0.6.6",
+    "better-auth": "^1.5.6",
+    "drizzle-orm": "^0.45.2",
+    "fractional-indexing": "^3.2.0",
+    "hono": "^4.12.9",
+    "hono-party": "^2.0.3",
+    "outdent": "^0.8.0",
+    "partyserver": "^0.4.1",
+    "unique-names-generator": "^4.7.1",
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "@cloudflare/workers-types": "^4.20260317.1",
+    "@libsql/client": "^0.17.2",
+    "@types/node": "^22.15.0",
+    "drizzle-kit": "^0.31.10",
+    "oxlint": "^0.15.15",
+    "tsx": "^4.21.0",
+    "wrangler": "^4.4.0"
+  },
+  "scripts": {
+    "dev": "wrangler dev",
+    "deploy": "wrangler deploy --minify",
+    "cf-typegen": "wrangler types --env-interface CloudflareBindings",
+    "db:generate": "drizzle-kit generate",
+    "db:migrate:local": "wrangler d1 migrations apply DB --local",
+    "db:migrate:remote": "wrangler d1 migrations apply DB --remote",
+    "db:studio": "drizzle-kit studio",
+    "seed": "tsx scripts/dev-seed.ts",
+    "lint": "oxlint",
+    "check": "tsgo --noEmit && oxlint --fix"
+  }
+}

package/src/authorization.ts

@@ -0,0 +1,110 @@
+import { ORPCError } from "@orpc/server";
+import { and, eq, or } from "drizzle-orm";
+
+import type { Database } from "./db";
+import {
+  member,
+  organizationTable,
+  blocks,
+  files,
+  layouts,
+  pages,
+  projects,
+  repeatableItems,
+} from "./schema";
+
+// --- Membership Helpers ---
+
+export async function assertOrgMembership(db: Database, userId: string, orgSlug: string) {
+  const result = await db
+    .select({ id: member.id })
+    .from(member)
+    .innerJoin(organizationTable, eq(organizationTable.id, member.organizationId))
+    .where(and(eq(organizationTable.slug, orgSlug), eq(member.userId, userId)))
+    .get();
+  if (!result) throw new ORPCError("FORBIDDEN");
+}
+
+/** Verify user is a member of the org that owns a project (by project ID). */
+async function assertProjectMembership(db: Database, projectId: number, userId: string) {
+  const result = await db
+    .select({ id: member.id })
+    .from(projects)
+    .innerJoin(organizationTable, eq(organizationTable.slug, projects.organizationSlug))
+    .innerJoin(
+      member,
+      and(eq(member.organizationId, organizationTable.id), eq(member.userId, userId)),
+    )
+    .where(eq(projects.id, projectId))
+    .get();
+  if (!result) throw new ORPCError("FORBIDDEN");
+}
+
+// --- Authorization Helpers ---
+
+export async function getAuthorizedProject(db: Database, projectId: number, userId: string) {
+  const project = await db.select().from(projects).where(eq(projects.id, projectId)).get();
+  if (!project) return null;
+  await assertProjectMembership(db, projectId, userId);
+  return project;
+}
+
+export async function getAuthorizedProjectBySlug(db: Database, slug: string, userId: string) {
+  const project = await db.select().from(projects).where(eq(projects.slug, slug)).get();
+  if (!project) return null;
+  await assertProjectMembership(db, project.id, userId);
+  return project;
+}
+
+export async function assertPageAccess(db: Database, pageId: number, userId: string) {
+  const result = await db
+    .select({ page: pages, projectId: projects.id })
+    .from(pages)
+    .innerJoin(projects, eq(projects.id, pages.projectId))
+    .where(eq(pages.id, pageId))
+    .get();
+  if (!result) return null;
+  await assertProjectMembership(db, result.projectId, userId);
+  return result;
+}
+
+export async function assertBlockAccess(db: Database, blockId: number, userId: string) {
+  const result = await db
+    .select({ block: blocks, projectId: projects.id, pagePath: pages.fullPath })
+    .from(blocks)
+    .leftJoin(pages, eq(blocks.pageId, pages.id))
+    .leftJoin(layouts, eq(blocks.layoutId, layouts.id))
+    .innerJoin(projects, or(eq(projects.id, pages.projectId), eq(projects.id, layouts.projectId)))
+    .where(eq(blocks.id, blockId))
+    .get();
+  if (!result) return null;
+  await assertProjectMembership(db, result.projectId, userId);
+  return result;
+}
+
+export async function assertRepeatableItemAccess(db: Database, itemId: number, userId: string) {
+  const result = await db
+    .select({ item: repeatableItems, projectId: projects.id, pagePath: pages.fullPath })
+    .from(repeatableItems)
+    .innerJoin(blocks, eq(repeatableItems.blockId, blocks.id))
+    .leftJoin(pages, eq(blocks.pageId, pages.id))
+    .leftJoin(layouts, eq(blocks.layoutId, layouts.id))
+    .innerJoin(projects, or(eq(projects.id, pages.projectId), eq(projects.id, layouts.projectId)))
+    .where(eq(repeatableItems.id, itemId))
+    .get();
+  if (!result) return null;
+  await assertProjectMembership(db, result.projectId, userId);
+  return result;
+}
+
+export async function assertFileAccess(db: Database, fileId: number, userId: string) {
+  const result = await db
+    .select({ file: files })
+    .from(files)
+    .innerJoin(projects, eq(projects.id, files.projectId))
+    .where(eq(files.id, fileId))
+    .get();
+  if (!result) return null;
+  await assertProjectMembership(db, result.file.projectId!, userId);
+  return result;
+}

package/src/db.ts

@@ -0,0 +1,45 @@
+import { drizzle } from "drizzle-orm/d1";
+
+import {
+  aiJobs,
+  account,
+  invitation,
+  member,
+  organizationTable,
+  session,
+  user,
+  verification,
+  blockDefinitions,
+  blocks,
+  environments,
+  files,
+  layouts,
+  pages,
+  projects,
+  repeatableItems,
+} from "./schema";
+
+const schema = {
+  projects,
+  environments,
+  pages,
+  layouts,
+  blocks,
+  repeatableItems,
+  files,
+  aiJobs,
+  blockDefinitions,
+  user,
+  session,
+  account,
+  verification,
+  organization: organizationTable,
+  member,
+  invitation,
+};
+
+export function createDb(d1: D1Database) {
+  return drizzle(d1, { schema });
+}
+
+export type Database = ReturnType<typeof createDb>;

package/src/durable-objects/ai-job-scheduler.ts

@@ -0,0 +1,135 @@
+import { DurableObject } from "cloudflare:workers";
+import { eq, or } from "drizzle-orm";
+
+import { createDb } from "../db";
+import { broadcastInvalidation } from "../lib/broadcast-invalidation";
+import { queryKeys } from "../lib/query-keys";
+import { executeBlockSummary } from "../routes/blocks";
+import { executeFileMetadata } from "../routes/files";
+import { executePageSeo } from "../routes/pages";
+import { executeRepeatableItemSummary } from "../routes/repeatable-items";
+import { blocks, files, layouts, pages, projects, repeatableItems } from "../schema";
+import type { Bindings } from "../types";
+
+type JobParams = {
+  entityTable: string;
+  entityId: number;
+  type: string;
+  delayMs: number;
+};
+
+export class AiJobScheduler extends DurableObject<Bindings> {
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+
+    if (request.method === "POST" && url.pathname === "/schedule") {
+      const params: JobParams = await request.json();
+      await this.ctx.storage.put("job", params);
+      await this.ctx.storage.setAlarm(Date.now() + params.delayMs);
+      return new Response(JSON.stringify({ scheduled: true }), {
+        status: 202,
+        headers: { "Content-Type": "application/json" },
+      });
+    }
+
+    return new Response("Not found", { status: 404 });
+  }
+
+  async alarm(): Promise<void> {
+    const params = await this.ctx.storage.get<JobParams>("job");
+    if (!params) return;
+
+    await this.ctx.storage.delete("job");
+
+    const db = createDb(this.env.DB);
+    const apiKey = this.env.OPEN_ROUTER_API_KEY;
+
+    const { entityTable, entityId, type } = params;
+
+    if (entityTable === "blocks" && type === "summary") {
+      const seoStale = await executeBlockSummary(db, apiKey, entityId);
+      if (seoStale) {
+        // Cascade: schedule page SEO regeneration
+        const { scheduleAiJob } = await import("../lib/schedule-ai-job");
+        scheduleAiJob(this.env.AI_JOB_SCHEDULER, {
+          entityTable: "pages",
+          entityId: seoStale.pageId,
+          type: "seo",
+          delayMs: 15000,
+        });
+      }
+
+      // Broadcast block summary update
+      const projectId = await this.getBlockProjectId(db, entityId);
+      if (projectId) {
+        broadcastInvalidation(this.env.ProjectRoom, projectId, [
+          queryKeys.pages.getByPathAll,
+          queryKeys.blocks.getUsageCounts,
+        ]);
+      }
+    } else if (entityTable === "repeatableItems" && type === "summary") {
+      const cascade = await executeRepeatableItemSummary(db, apiKey, entityId);
+      if (cascade) {
+        // Cascade: schedule parent block summary regeneration
+        const { scheduleAiJob } = await import("../lib/schedule-ai-job");
+        scheduleAiJob(this.env.AI_JOB_SCHEDULER, {
+          entityTable: "blocks",
+          entityId: cascade.blockId,
+          type: "summary",
+          delayMs: 5000,
+        });
+      }
+
+      // Broadcast repeatable item summary update
+      const item = await db
+        .select()
+        .from(repeatableItems)
+        .where(eq(repeatableItems.id, entityId))
+        .get();
+      if (item) {
+        const projectId = await this.getBlockProjectId(db, item.blockId);
+        if (projectId) {
+          broadcastInvalidation(this.env.ProjectRoom, projectId, [
+            queryKeys.pages.getByPathAll,
+            queryKeys.blocks.getUsageCounts,
+          ]);
+        }
+      }
+    } else if (entityTable === "files" && type === "fileMetadata") {
+      await executeFileMetadata(db, apiKey, entityId);
+
+      const file = await db.select().from(files).where(eq(files.id, entityId)).get();
+      if (file?.projectId) {
+        broadcastInvalidation(this.env.ProjectRoom, file.projectId, [
+          queryKeys.files.list,
+          queryKeys.files.get(entityId),
+        ]);
+      }
+    } else if (entityTable === "pages" && type === "seo") {
+      await executePageSeo(db, apiKey, entityId);
+
+      const page = await db.select().from(pages).where(eq(pages.id, entityId)).get();
+      if (page) {
+        broadcastInvalidation(this.env.ProjectRoom, page.projectId, [
+          queryKeys.pages.list,
+          queryKeys.pages.getById(entityId),
+        ]);
+      }
+    }
+  }
+
+  private async getBlockProjectId(
+    db: ReturnType<typeof createDb>,
+    blockId: number,
+  ): Promise<number | null> {
+    const result = await db
+      .select({ projectId: projects.id })
+      .from(blocks)
+      .leftJoin(pages, eq(blocks.pageId, pages.id))
+      .leftJoin(layouts, eq(blocks.layoutId, layouts.id))
+      .innerJoin(projects, or(eq(projects.id, pages.projectId), eq(projects.id, layouts.projectId)))
+      .where(eq(blocks.id, blockId))
+      .get();
+    return result?.projectId ?? null;
+  }
+}

package/src/durable-objects/project-room.ts

@@ -0,0 +1,16 @@
+import { Server } from "partyserver";
+
+import type { InvalidationMessage } from "../lib/query-keys";
+import type { Bindings } from "../types";
+
+export class ProjectRoom extends Server<Bindings> {
+  async onRequest(request: Request): Promise<Response> {
+    if (request.method !== "POST") {
+      return new Response("Method not allowed", { status: 405 });
+    }
+
+    const message: InvalidationMessage = await request.json();
+    this.broadcast(JSON.stringify(message));
+    return new Response("OK", { status: 200 });
+  }
+}

package/src/index.ts

@@ -0,0 +1,125 @@
+import { RPCHandler } from "@orpc/server/fetch";
+import { Hono } from "hono";
+import { partyserverMiddleware } from "hono-party";
+import { cors } from "hono/cors";
+
+import { createDb } from "./db";
+import { router } from "./router";
+import { authRoutes, createAuth } from "./routes/auth";
+import { fileHonoRoutes } from "./routes/files";
+import type { AppEnv } from "./types";
+
+export type { Router } from "./router";
+
+// ---------------------------------------------------------------------------
+// Hono app + global middleware
+// ---------------------------------------------------------------------------
+
+const app = new Hono<AppEnv>();
+
+// Inject db into every request
+app.use("*", async (c, next) => {
+  c.set("db", createDb(c.env.DB));
+  await next();
+});
+
+// CORS — accepts any origin (Camox sites run on arbitrary domains)
+app.use(
+  "*",
+  cors({
+    origin: (origin) => origin,
+    allowHeaders: [
+      "Content-Type",
+      "Authorization",
+      "Better-Auth-Cookie",
+      "x-sync-secret",
+      "x-environment-name",
+    ],
+    allowMethods: ["POST", "GET", "OPTIONS"],
+    exposeHeaders: ["Content-Length", "Set-Better-Auth-Cookie"],
+    maxAge: 600,
+    credentials: true,
+  }),
+);
+
+// Session middleware — populates c.var.user/session
+app.use("*", async (c, next) => {
+  const auth = createAuth(c.var.db, c.env);
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+
+  if (!session) {
+    c.set("user", null);
+    c.set("session", null);
+    await next();
+    return;
+  }
+
+  c.set("user", session.user);
+  c.set("session", session.session);
+  await next();
+});
+
+// Environment name middleware — reads x-environment-name header, defaults to "production"
+app.use("*", async (c, next) => {
+  c.set("environmentName", c.req.header("x-environment-name") || "production");
+  await next();
+});
+
+// PartyServer — intercepts WebSocket upgrade requests for real-time invalidation
+app.use(
+  "*",
+  partyserverMiddleware<AppEnv>({
+    options: {
+      onBeforeConnect: async (req, _lobby, c) => {
+        const db = createDb(c.env.DB);
+        const auth = createAuth(db, c.env);
+        const session = await auth.api.getSession({ headers: req.headers });
+        if (!session) return new Response("Unauthorized", { status: 401 });
+      },
+    },
+  }),
+);
+
+// ---------------------------------------------------------------------------
+// Hono routes (auth, file upload/serve)
+// ---------------------------------------------------------------------------
+
+app.route("/api/auth", authRoutes);
+app.route("/files", fileHonoRoutes);
+
+// ---------------------------------------------------------------------------
+// oRPC handler (all other API procedures)
+// ---------------------------------------------------------------------------
+
+const rpcHandler = new RPCHandler(router);
+
+app.all("/rpc/*", async (c) => {
+  const { matched, response } = await rpcHandler.handle(c.req.raw, {
+    prefix: "/rpc",
+    context: {
+      db: c.var.db,
+      user: c.var.user,
+      session: c.var.session,
+      env: c.env,
+      headers: c.req.raw.headers,
+      environmentName: c.var.environmentName,
+    },
+  });
+
+  if (matched) {
+    return new Response(response.body, response);
+  }
+
+  return c.notFound();
+});
+
+// ---------------------------------------------------------------------------
+// Error logging (development)
+// ---------------------------------------------------------------------------
+
+app.onError((err, c) => {
+  console.error(`[${c.req.method}] ${c.req.path} →`, err);
+  return c.json({ error: "Internal Server Error" }, 500);
+});
+
+export default app;

package/src/lib/broadcast-invalidation.ts

@@ -0,0 +1,17 @@
+import type { InvalidationMessage, QueryKey } from "./query-keys";
+
+export function broadcastInvalidation(
+  projectRoomNamespace: DurableObjectNamespace,
+  projectId: number,
+  targets: QueryKey[],
+) {
+  const id = projectRoomNamespace.idFromName(String(projectId));
+  const stub = projectRoomNamespace.get(id);
+  const message: InvalidationMessage = { type: "invalidate", targets };
+  // Fire-and-forget — don't block the mutation response
+  stub.fetch("http://do/broadcast", {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(message),
+  });
+}