npm - @hiai-gg/hiai-docs - Versions diffs - 0.0.1 - Mend

@hiai-gg/hiai-docs 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (216) hide show

package/.all-contributorsrc +18 -0
package/.claude/settings.local.json +61 -0
package/.dockerignore +113 -0
package/.env.example +68 -0
package/.github/FUNDING.yml +5 -0
package/.github/ISSUE_TEMPLATE/bug_report.md +74 -0
package/.github/ISSUE_TEMPLATE/feature_request.md +78 -0
package/.github/dependabot.yml +136 -0
package/.github/pull_request_template.md +96 -0
package/.github/workflows/ci.yml +283 -0
package/AGENTS.md +237 -0
package/CODE_OF_CONDUCT.md +134 -0
package/CONTRIBUTING.md +77 -0
package/Caddyfile +50 -0
package/Dockerfile.backend +60 -0
package/LICENSE +21 -0
package/README.md +284 -0
package/RELEASE_CHECKLIST.md +34 -0
package/SECURITY.md +60 -0
package/backend/package.json +43 -0
package/backend/src/__tests__/auth-helpers.test.ts +51 -0
package/backend/src/__tests__/chunker.test.ts +65 -0
package/backend/src/__tests__/config.test.ts +91 -0
package/backend/src/__tests__/csrf.test.ts +91 -0
package/backend/src/__tests__/embedding.test.ts +48 -0
package/backend/src/__tests__/rate-limit.test.ts +46 -0
package/backend/src/__tests__/routes.test.ts +38 -0
package/backend/src/__tests__/schema.test.ts +31 -0
package/backend/src/__tests__/validation.test.ts +556 -0
package/backend/src/api/middleware/auth.ts +56 -0
package/backend/src/api/middleware/csrf.ts +91 -0
package/backend/src/api/middleware/rate-limit.ts +77 -0
package/backend/src/api/middleware/webhook-verify.ts +22 -0
package/backend/src/api/routes/attachments.ts +280 -0
package/backend/src/api/routes/auth.ts +52 -0
package/backend/src/api/routes/collaboration.ts +121 -0
package/backend/src/api/routes/documents.ts +664 -0
package/backend/src/api/routes/folders.ts +226 -0
package/backend/src/api/routes/search.ts +354 -0
package/backend/src/api/routes/share.ts +512 -0
package/backend/src/api/routes/tags.ts +247 -0
package/backend/src/api/routes/versions.ts +99 -0
package/backend/src/api/routes/webhooks.ts +43 -0
package/backend/src/embedding/chunker.ts +74 -0
package/backend/src/embedding/index.ts +117 -0
package/backend/src/embedding/providers/ollama.ts +63 -0
package/backend/src/embedding/providers/openrouter.ts +71 -0
package/backend/src/embedding/utils.ts +13 -0
package/backend/src/embedding/worker.ts +89 -0
package/backend/src/index.ts +147 -0
package/backend/src/lib/auth-helpers.ts +27 -0
package/backend/src/lib/auth.ts +35 -0
package/backend/src/lib/config.ts +73 -0
package/backend/src/lib/db.ts +7 -0
package/backend/src/lib/embedding-queue.ts +12 -0
package/backend/src/lib/logger.ts +18 -0
package/backend/src/lib/markdown-to-doc.ts +45 -0
package/backend/src/lib/minio.ts +46 -0
package/backend/src/lib/redis.ts +19 -0
package/backend/src/lib/yjs-provider.ts +182 -0
package/backend/tests/integration/_harness.ts +754 -0
package/backend/tests/integration/auth.test.ts +296 -0
package/backend/tests/integration/routes.documents.test.ts +459 -0
package/backend/tests/integration/routes.folders.test.ts +337 -0
package/backend/tests/integration/routes.search.test.ts +322 -0
package/backend/tests/integration/routes.share.test.ts +773 -0
package/backend/tests/integration/routes.tags.test.ts +425 -0
package/backend/tests/integration/routes.versions.test.ts +233 -0
package/backend/tsconfig.json +18 -0
package/docker-compose.yml +218 -0
package/docs/API.md +328 -0
package/docs/ARCHITECTURE.md +75 -0
package/docs/DEPLOYMENT.md +113 -0
package/docs/PRODUCTION_STATUS.md +61 -0
package/docs/openapi.json +385 -0
package/frontend/.svelte-kit.old/ambient.d.ts +230 -0
package/frontend/.svelte-kit.old/env.d.ts +1 -0
package/frontend/.svelte-kit.old/generated/client/app.js +46 -0
package/frontend/.svelte-kit.old/generated/client/matchers.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/0.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/1.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/10.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/2.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/3.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/4.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/5.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/6.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/7.js +3 -0
package/frontend/.svelte-kit.old/generated/client/nodes/8.js +1 -0
package/frontend/.svelte-kit.old/generated/client/nodes/9.js +3 -0
package/frontend/.svelte-kit.old/generated/root.js +3 -0
package/frontend/.svelte-kit.old/generated/root.svelte +80 -0
package/frontend/.svelte-kit.old/generated/server/internal.js +55 -0
package/frontend/.svelte-kit.old/non-ambient.d.ts +59 -0
package/frontend/.svelte-kit.old/tsconfig.json +59 -0
package/frontend/.svelte-kit.old/types/route_meta_data.json +40 -0
package/frontend/.svelte-kit.old/types/src/routes/$types.d.ts +21 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/$types.d.ts +30 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/docs/[id]/$types.d.ts +27 -0
package/frontend/.svelte-kit.old/types/src/routes/(app)/docs/[id]/proxy+page.ts +25 -0
package/frontend/.svelte-kit.old/types/src/routes/api/[...path]/$types.d.ts +10 -0
package/frontend/.svelte-kit.old/types/src/routes/folders/[id]/$types.d.ts +27 -0
package/frontend/.svelte-kit.old/types/src/routes/folders/[id]/proxy+page.ts +15 -0
package/frontend/.svelte-kit.old/types/src/routes/login/$types.d.ts +17 -0
package/frontend/.svelte-kit.old/types/src/routes/register/$types.d.ts +17 -0
package/frontend/.svelte-kit.old/types/src/routes/s/[token]/$types.d.ts +20 -0
package/frontend/.svelte-kit.old/types/src/routes/s/[token]/proxy+page.ts +6 -0
package/frontend/.svelte-kit.old/types/src/routes/search/$types.d.ts +19 -0
package/frontend/.svelte-kit.old/types/src/routes/search/proxy+page.ts +26 -0
package/frontend/.svelte-kit.old/types/src/routes/settings/$types.d.ts +17 -0
package/frontend/Dockerfile +44 -0
package/frontend/biome.json +40 -0
package/frontend/components.json +18 -0
package/frontend/messages/en.json +434 -0
package/frontend/package.json +70 -0
package/frontend/project.inlang/settings.json +12 -0
package/frontend/src/app.css +6 -0
package/frontend/src/app.d.ts +13 -0
package/frontend/src/app.html +30 -0
package/frontend/src/hooks.server.ts +10 -0
package/frontend/src/hooks.ts +10 -0
package/frontend/src/lib/api/attachments.ts +45 -0
package/frontend/src/lib/api/client.test.ts +15 -0
package/frontend/src/lib/api/client.ts +57 -0
package/frontend/src/lib/api/documents.ts +83 -0
package/frontend/src/lib/api/folders.ts +180 -0
package/frontend/src/lib/api/search.test.ts +52 -0
package/frontend/src/lib/api/search.ts +128 -0
package/frontend/src/lib/api/settings.ts +95 -0
package/frontend/src/lib/api/share.ts +71 -0
package/frontend/src/lib/api/tags.test.ts +91 -0
package/frontend/src/lib/api/tags.ts +87 -0
package/frontend/src/lib/auth-client.ts +10 -0
package/frontend/src/lib/collaboration.ts +63 -0
package/frontend/src/lib/components/AttachmentUpload.svelte +110 -0
package/frontend/src/lib/components/DatePicker.svelte +322 -0
package/frontend/src/lib/components/DocumentCard.svelte +166 -0
package/frontend/src/lib/components/EmptyState.svelte +49 -0
package/frontend/src/lib/components/FolderCard.svelte +93 -0
package/frontend/src/lib/components/ScrollToTop.svelte +72 -0
package/frontend/src/lib/components/SearchBar.svelte +47 -0
package/frontend/src/lib/components/SearchResult.svelte +115 -0
package/frontend/src/lib/components/SettingsDialog.svelte +271 -0
package/frontend/src/lib/components/ShareDialog.svelte +158 -0
package/frontend/src/lib/components/ShareLink.svelte +98 -0
package/frontend/src/lib/components/TagCreateDialog.svelte +284 -0
package/frontend/src/lib/components/VersionDiff.svelte +55 -0
package/frontend/src/lib/components/VersionHistory.svelte +96 -0
package/frontend/src/lib/components/editor/DocumentTitle.svelte +87 -0
package/frontend/src/lib/components/editor/EditorToolbar.svelte +1367 -0
package/frontend/src/lib/components/editor/HiAiEditor.svelte +531 -0
package/frontend/src/lib/components/editor/LinkDialog.svelte +134 -0
package/frontend/src/lib/components/editor/MarkdownToggle.svelte +88 -0
package/frontend/src/lib/components/editor/editorExtensions.ts +53 -0
package/frontend/src/lib/components/editor/markdown.ts +38 -0
package/frontend/src/lib/components/sidebar/FolderTree.svelte +731 -0
package/frontend/src/lib/components/sidebar/RecentDocs.svelte +311 -0
package/frontend/src/lib/components/sidebar/Sidebar.svelte +156 -0
package/frontend/src/lib/components/sidebar/TagList.svelte +200 -0
package/frontend/src/lib/components/ui/confirm-dialog/ConfirmDialog.svelte +76 -0
package/frontend/src/lib/components/ui/confirm-dialog/index.ts +1 -0
package/frontend/src/lib/stores/tag-store.svelte.ts +56 -0
package/frontend/src/lib/stores/theme.svelte.ts +97 -0
package/frontend/src/lib/svelte.d.ts +6 -0
package/frontend/src/lib/types.ts +44 -0
package/frontend/src/lib/utils/clipboard.ts +17 -0
package/frontend/src/lib/utils/strip-markdown.ts +59 -0
package/frontend/src/lib/utils.ts +33 -0
package/frontend/src/routes/(app)/+layout.svelte +17 -0
package/frontend/src/routes/(app)/+page.server.ts +10 -0
package/frontend/src/routes/(app)/+page.svelte +303 -0
package/frontend/src/routes/(app)/docs/[id]/+page.server.ts +10 -0
package/frontend/src/routes/(app)/docs/[id]/+page.svelte +1108 -0
package/frontend/src/routes/(app)/docs/[id]/+page.ts +24 -0
package/frontend/src/routes/(app)/search/+page.svelte +593 -0
package/frontend/src/routes/(app)/search/+page.ts +25 -0
package/frontend/src/routes/+error.svelte +12 -0
package/frontend/src/routes/+layout.svelte +18 -0
package/frontend/src/routes/+layout.ts +2 -0
package/frontend/src/routes/api/[...path]/+server.ts +111 -0
package/frontend/src/routes/folders/[id]/+page.server.ts +10 -0
package/frontend/src/routes/folders/[id]/+page.svelte +319 -0
package/frontend/src/routes/folders/[id]/+page.ts +14 -0
package/frontend/src/routes/login/+page.svelte +90 -0
package/frontend/src/routes/register/+page.svelte +97 -0
package/frontend/src/routes/s/[token]/+page.svelte +496 -0
package/frontend/src/routes/s/[token]/+page.ts +5 -0
package/frontend/src/routes/settings/+page.svelte +175 -0
package/frontend/static/favicon.png +0 -0
package/frontend/static/logo.png +0 -0
package/frontend/svelte.config.js +15 -0
package/frontend/tsconfig.json +15 -0
package/frontend/vite.config.ts +25 -0
package/init.sql +9 -0
package/logo.png +0 -0
package/package.json +39 -0
package/package.public.json +39 -0
package/packages/db/drizzle.config.ts +10 -0
package/packages/db/package.json +30 -0
package/packages/db/src/client.ts +9 -0
package/packages/db/src/index.ts +2 -0
package/packages/db/src/migrations/0000_nice_bedlam.sql +165 -0
package/packages/db/src/migrations/0001_w2_3_test.sql +5 -0
package/packages/db/src/migrations/0002_rename_content_json.sql +2 -0
package/packages/db/src/migrations/meta/0000_snapshot.json +1331 -0
package/packages/db/src/migrations/meta/0001_snapshot.json +1399 -0
package/packages/db/src/migrations/meta/0002_snapshot.json +1399 -0
package/packages/db/src/migrations/meta/_journal.json +27 -0
package/packages/db/src/schema.ts +378 -0
package/packages/db/tsconfig.json +17 -0
package/scripts/export-openapi.ts +37 -0
package/scripts/health-check.sh +75 -0
package/scripts/migrate.sh +135 -0
package/scripts/prework_backup.sh +25 -0
package/scripts/release.sh +83 -0
package/tsconfig.json +25 -0

package/backend/src/api/routes/documents.ts ADDED Viewed

@@ -0,0 +1,664 @@
+import {
+	documents,
+	documentTags,
+	folders,
+	tags,
+	versions,
+} from "@hiai-docs/db/schema";
+import { and, count, desc, eq, inArray, sql } from "drizzle-orm";
+import { Elysia } from "elysia";
+import { z } from "zod";
+import { getSessionUserId } from "../../lib/auth-helpers";
+import { db } from "../../lib/db";
+import { enqueueEmbedding } from "../../lib/embedding-queue";
+import { logger } from "../../lib/logger";
+import { markdownToDocJson } from "../../lib/markdown-to-doc";
+import {
+	documentRateLimiter,
+	rateLimitHeaders,
+	writeRateLimiter,
+} from "../middleware/rate-limit";
+const createDocumentSchema = z.object({
+	title: z.string().min(1).max(500).default("Untitled"),
+	content: z.string().optional(),
+	folderId: z.string().uuid().optional(),
+});
+const updateDocumentSchema = z.object({
+	title: z.string().min(1).max(500).optional(),
+	content: z.string().optional(),
+	contentJson: z.unknown().optional(),
+	metadata: z.unknown().optional(),
+	folderId: z.string().uuid().nullable().optional(),
+});
+const listQuerySchema = z.object({
+	folderId: z.string().uuid().optional(),
+	tag: z.string().uuid().optional(),
+	page: z.coerce.number().int().min(1).default(1),
+	limit: z.coerce.number().int().min(1).max(100).default(20),
+});
+const ALLOWED_IMPORT_EXTENSIONS = [".md", ".txt", ".markdown", ".json"];
+const MAX_IMPORT_SIZE = 10 * 1024 * 1024;
+const importJsonSchema = z.object({
+	title: z.string().min(1).max(500).optional(),
+	content: z.string().min(1).max(5_000_000),
+	folderId: z.string().uuid().optional(),
+});
+/**
+ * Attach a `tags` array (`{ id, name, color }`) to each document row in a
+ * list response. Runs a single grouped query for all rows so the list
+ * endpoint can show tags without an N+1 round trip.
+ */
+async function withTags<T extends { id: string }>(
+	rows: T[],
+): Promise<
+	Array<T & { tags: Array<{ id: string; name: string; color: string | null }> }>
+> {
+	if (rows.length === 0) return [];
+	const ids = rows.map((r) => r.id);
+	const tagRows = await db
+		.select({
+			documentId: documentTags.documentId,
+			id: tags.id,
+			name: tags.name,
+			color: tags.color,
+		})
+		.from(documentTags)
+		.innerJoin(tags, eq(tags.id, documentTags.tagId))
+		.where(inArray(documentTags.documentId, ids));
+	const byDoc = new Map<
+		string,
+		Array<{ id: string; name: string; color: string | null }>
+	>();
+	for (const t of tagRows) {
+		const list = byDoc.get(t.documentId) ?? [];
+		list.push({ id: t.id, name: t.name, color: t.color });
+		byDoc.set(t.documentId, list);
+	}
+	return rows.map((r) => ({ ...r, tags: byDoc.get(r.id) ?? [] }));
+}
+export const documentRoutes = new Elysia({ prefix: "/api" })
+	// GET /api/documents — List documents with pagination
+	.get("/documents", async ({ query, set, request }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await documentRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		const parsed = listQuerySchema.safeParse(query);
+		if (!parsed.success) {
+			set.status = 400;
+			return { error: "Invalid query", details: parsed.error.flatten() };
+		}
+		const { folderId, tag, page, limit } = parsed.data;
+		const offset = (page - 1) * limit;
+		try {
+			const conditions = [eq(documents.ownerId, userId)];
+			if (folderId) conditions.push(eq(documents.folderId, folderId));
+			if (tag) {
+				const [countResult, rows] = await Promise.all([
+					db
+						.select({ total: count() })
+						.from(documents)
+						.innerJoin(documentTags, eq(documents.id, documentTags.documentId))
+						.where(and(eq(documentTags.tagId, tag), ...conditions)),
+					db
+						.select({
+							id: documents.id,
+							title: documents.title,
+							content: sql<string>`LEFT(${documents.content}, 200)`.as(
+								"content",
+							),
+							folderId: documents.folderId,
+							createdAt: documents.createdAt,
+							updatedAt: documents.updatedAt,
+						})
+						.from(documents)
+						.innerJoin(documentTags, eq(documents.id, documentTags.documentId))
+						.where(and(eq(documentTags.tagId, tag), ...conditions))
+						.orderBy(desc(documents.updatedAt))
+						.limit(limit)
+						.offset(offset),
+				]);
+				return {
+					items: await withTags(rows),
+					total: countResult[0]?.total ?? 0,
+					page,
+					limit,
+				};
+			}
+			const [countResult, rows] = await Promise.all([
+				db
+					.select({ total: count() })
+					.from(documents)
+					.where(and(...conditions)),
+				db
+					.select({
+						id: documents.id,
+						title: documents.title,
+						content: sql<string>`LEFT(${documents.content}, 200)`.as("content"),
+						folderId: documents.folderId,
+						createdAt: documents.createdAt,
+						updatedAt: documents.updatedAt,
+					})
+					.from(documents)
+					.where(and(...conditions))
+					.orderBy(desc(documents.updatedAt))
+					.limit(limit)
+					.offset(offset),
+			]);
+			return {
+				items: await withTags(rows),
+				total: countResult[0]?.total ?? 0,
+				page,
+				limit,
+			};
+		} catch (err) {
+			logger.error({ err }, "Failed to list documents");
+			set.status = 500;
+			return { error: "Failed to list documents" };
+		}
+	})
+	// POST /api/documents — Create document + initial version
+	.post("/documents", async ({ request, set }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await writeRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		const body = createDocumentSchema.safeParse(await request.json());
+		if (!body.success) {
+			set.status = 400;
+			return { error: "Invalid input", details: body.error.flatten() };
+		}
+		try {
+			// If the client posts raw markdown without the TipTap JSON view
+			// (e.g. an import, a script, or any path that bypasses the
+			// editor), generate the JSON server-side so the editor opens
+			// with formatted content rather than the raw markdown source
+			// the next time the document is opened. `markdownToDocJson`
+			// returns `null` for empty input or on parse failure, in which
+			// case we simply persist the markdown without a JSON view — the
+			// frontend's `markdownToJson` helper will recover on load.
+			const initialContent = body.data.content ?? "";
+			const initialDocJson = initialContent
+				? await markdownToDocJson(initialContent)
+				: null;
+			const [created] = await db
+				.insert(documents)
+				.values({
+					ownerId: userId,
+					title: body.data.title,
+					content: initialContent,
+					contentJson: initialDocJson,
+					folderId: body.data.folderId ?? null,
+				})
+				.returning();
+			if (!created) {
+				set.status = 500;
+				return { error: "Failed to create document" };
+			}
+			await db.insert(versions).values({
+				documentId: created.id,
+				content: initialContent,
+				contentJson: initialDocJson,
+				createdBy: userId,
+			});
+			enqueueEmbedding(created.id);
+			set.status = 201;
+			return created;
+		} catch (err) {
+			logger.error({ err }, "Failed to create document");
+			set.status = 500;
+			return { error: "Failed to create document" };
+		}
+	})
+	// GET /api/documents/:id — Get document with tags
+	.get("/documents/:id", async ({ params, set, request }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await documentRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		try {
+			const rows = await db
+				.select({
+					id: documents.id,
+					ownerId: documents.ownerId,
+					folderId: documents.folderId,
+					folderName: folders.name,
+					title: documents.title,
+					content: documents.content,
+					contentJson: documents.contentJson,
+					metadata: documents.metadata,
+					createdAt: documents.createdAt,
+					updatedAt: documents.updatedAt,
+				})
+				.from(documents)
+				.leftJoin(folders, eq(folders.id, documents.folderId))
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.limit(1);
+			const doc = rows[0];
+			if (!doc) {
+				set.status = 404;
+				return { error: "Document not found" };
+			}
+			const docTags = await db
+				.select({ id: tags.id, name: tags.name, color: tags.color })
+				.from(tags)
+				.innerJoin(documentTags, eq(tags.id, documentTags.tagId))
+				.where(eq(documentTags.documentId, doc.id));
+			return { ...doc, tags: docTags };
+		} catch (err) {
+			logger.error({ err }, "Failed to get document");
+			set.status = 500;
+			return { error: "Failed to get document" };
+		}
+	})
+	// PATCH /api/documents/:id — Update document, save version before
+	.patch("/documents/:id", async ({ params, request, set }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await writeRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		const body = updateDocumentSchema.safeParse(await request.json());
+		if (!body.success) {
+			set.status = 400;
+			return { error: "Invalid input", details: body.error.flatten() };
+		}
+		if (
+			!body.data.title &&
+			body.data.content === undefined &&
+			body.data.contentJson === undefined &&
+			body.data.metadata === undefined &&
+			body.data.folderId === undefined
+		) {
+			set.status = 400;
+			return { error: "At least one field is required" };
+		}
+		try {
+			const existing = await db
+				.select({
+					id: documents.id,
+					content: documents.content,
+					contentJson: documents.contentJson,
+				})
+				.from(documents)
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.limit(1);
+			if (existing.length === 0) {
+				set.status = 404;
+				return { error: "Document not found" };
+			}
+			await db.insert(versions).values({
+				documentId: params.id,
+				content: existing[0]?.content ?? "",
+				contentJson: existing[0]?.contentJson,
+				createdBy: userId,
+			});
+			// When the client sends new `content` but no `contentJson`,
+			// generate the JSON view server-side so the editor can render
+			// formatted content on the next open. When the client sends
+			// both fields (the editor's normal save path), prefer the
+			// client-supplied JSON — it reflects the user's live edits.
+			let resolvedDocJson: unknown | undefined = body.data.contentJson;
+			if (resolvedDocJson === undefined && body.data.content !== undefined) {
+				resolvedDocJson = body.data.content
+					? await markdownToDocJson(body.data.content)
+					: null;
+			}
+			const [updated] = await db
+				.update(documents)
+				.set({
+					...(body.data.title !== undefined && { title: body.data.title }),
+					...(body.data.content !== undefined && {
+						content: body.data.content,
+					}),
+					...(resolvedDocJson !== undefined && {
+						contentJson: resolvedDocJson,
+					}),
+					...(body.data.metadata !== undefined && {
+						metadata: body.data.metadata,
+					}),
+					...(body.data.folderId !== undefined && {
+						folderId: body.data.folderId,
+					}),
+					updatedAt: new Date(),
+				})
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.returning();
+			if (body.data.content !== undefined || body.data.title !== undefined) {
+				enqueueEmbedding(params.id);
+			}
+			return updated;
+		} catch (err) {
+			logger.error({ err }, "Failed to update document");
+			set.status = 500;
+			return { error: "Failed to update document" };
+		}
+	})
+	// POST /api/documents/:id/duplicate — Duplicate document with "(Copy)" suffix
+	.post("/documents/:id/duplicate", async ({ params, request, set }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await writeRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		try {
+			const [source] = await db
+				.select()
+				.from(documents)
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.limit(1);
+			if (!source) {
+				set.status = 404;
+				return { error: "Document not found" };
+			}
+			const [copy] = await db
+				.insert(documents)
+				.values({
+					ownerId: userId,
+					folderId: source.folderId,
+					title: `${source.title} (Copy)`,
+					content: source.content ?? "",
+					contentJson: source.contentJson,
+					metadata: source.metadata,
+				})
+				.returning();
+			if (!copy) {
+				set.status = 500;
+				return { error: "Failed to duplicate document" };
+			}
+			await db.insert(versions).values({
+				documentId: copy.id,
+				content: copy.content ?? "",
+				contentJson: copy.contentJson,
+				createdBy: userId,
+			});
+			enqueueEmbedding(copy.id);
+			set.status = 201;
+			return copy;
+		} catch (err) {
+			logger.error({ err }, "Failed to duplicate document");
+			set.status = 500;
+			return { error: "Failed to duplicate document" };
+		}
+	})
+	// DELETE /api/documents/:id — Delete document (cascade via FK)
+	.delete("/documents/:id", async ({ params, set, request }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await writeRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		try {
+			const existing = await db
+				.select({ id: documents.id })
+				.from(documents)
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.limit(1);
+			if (existing.length === 0) {
+				set.status = 404;
+				return { error: "Document not found" };
+			}
+			await db
+				.delete(documents)
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)));
+			return { success: true };
+		} catch (err) {
+			logger.error({ err }, "Failed to delete document");
+			set.status = 500;
+			return { error: "Failed to delete document" };
+		}
+	})
+	.get("/documents/:id/export", async ({ params, set, request }) => {
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		try {
+			const rows = await db
+				.select({
+					id: documents.id,
+					title: documents.title,
+					content: documents.content,
+				})
+				.from(documents)
+				.where(and(eq(documents.id, params.id), eq(documents.ownerId, userId)))
+				.limit(1);
+			const doc = rows[0];
+			if (!doc) {
+				set.status = 404;
+				return { error: "Document not found" };
+			}
+			const filename = `${doc.title.replace(/[^a-zA-Z0-9-_]/g, "_")}.md`;
+			set.headers = {
+				"Content-Type": "text/markdown; charset=utf-8",
+				"Content-Disposition": `attachment; filename="${filename}"`,
+			};
+			return doc.content ?? "";
+		} catch (err) {
+			logger.error({ err }, "Failed to export document");
+			set.status = 500;
+			return { error: "Failed to export document" };
+		}
+	})
+	.post("/documents/import", async ({ request, set }) => {
+		const ip =
+			request.headers.get("x-forwarded-for")?.split(",")[0]?.trim() ??
+			request.headers.get("x-real-ip") ??
+			"unknown";
+		const rl = await writeRateLimiter(ip);
+		if (!rl.allowed) {
+			set.status = 429;
+			set.headers = rateLimitHeaders(0, rl.retryAfter);
+			return { error: "Too many requests" };
+		}
+		set.headers = rateLimitHeaders(rl.remaining);
+		const userId = await getSessionUserId(request.headers);
+		if (!userId) {
+			set.status = 401;
+			return { error: "Unauthorized" };
+		}
+		try {
+			const contentType = request.headers.get("content-type") ?? "";
+			let title: string;
+			let content: string;
+			let folderId: string | null = null;
+			if (contentType.includes("application/json")) {
+				const body = await request.json();
+				const parsed = importJsonSchema.safeParse(body);
+				if (!parsed.success) {
+					set.status = 400;
+					return {
+						error: "Invalid import data",
+						details: parsed.error.flatten(),
+					};
+				}
+				title = parsed.data.title ?? "Imported Document";
+				content = parsed.data.content;
+				folderId = parsed.data.folderId ?? null;
+			} else if (contentType.includes("multipart/form-data")) {
+				const formData = await request.formData();
+				const file = formData.get("file") as File | null;
+				folderId = (formData.get("folderId") as string) ?? null;
+				if (!file) {
+					set.status = 400;
+					return { error: "File is required" };
+				}
+				if (file.size > MAX_IMPORT_SIZE) {
+					set.status = 413;
+					return {
+						error: `File too large. Maximum size: ${MAX_IMPORT_SIZE / 1024 / 1024}MB`,
+					};
+				}
+				const ext = `.${file.name.split(".").pop()?.toLowerCase()}`;
+				if (!ALLOWED_IMPORT_EXTENSIONS.includes(ext)) {
+					set.status = 415;
+					return {
+						error: `Invalid file type. Allowed: ${ALLOWED_IMPORT_EXTENSIONS.join(", ")}`,
+					};
+				}
+				if (folderId && !z.string().uuid().safeParse(folderId).success) {
+					set.status = 400;
+					return { error: "Invalid folderId" };
+				}
+				const text = await file.text();
+				const name = file.name;
+				if (name.endsWith(".json")) {
+					const jsonBody = JSON.parse(text);
+					const jsonParsed = importJsonSchema.safeParse(jsonBody);
+					if (!jsonParsed.success) {
+						set.status = 400;
+						return {
+							error: "Invalid JSON format",
+							details: jsonParsed.error.flatten(),
+						};
+					}
+					title = jsonParsed.data.title ?? name.replace(/\.json$/, "");
+					content = jsonParsed.data.content;
+				} else {
+					title = name.replace(/\.(md|txt|markdown)$/, "");
+					content = text;
+				}
+			} else {
+				set.status = 415;
+				return {
+					error:
+						"Unsupported content type. Use application/json or multipart/form-data",
+				};
+			}
+			const [created] = await db
+				.insert(documents)
+				.values({
+					ownerId: userId,
+					title,
+					content,
+					folderId: folderId ?? null,
+				})
+				.returning();
+			if (!created) {
+				set.status = 500;
+				return { error: "Failed to import document" };
+			}
+			await db.insert(versions).values({
+				documentId: created.id,
+				content,
+				createdBy: userId,
+			});
+			enqueueEmbedding(created.id);
+			set.status = 201;
+			return created;
+		} catch (err) {
+			logger.error({ err }, "Failed to import document");
+			set.status = 500;
+			return { error: "Failed to import document" };
+		}
+	});