@hogsend/engine 0.1.0 → 0.1.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hogsend/engine",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "type": "module",
   "license": "MIT",
   "repository": {
@@ -37,9 +37,9 @@
     "zod": "^4.4.3",
     "@hogsend/core": "^0.1.0",
     "@hogsend/db": "^0.1.0",
-    "@hogsend/email": "^0.0.1",
-    "@hogsend/plugin-posthog": "^0.0.1",
-    "@hogsend/plugin-resend": "^0.0.1"
+    "@hogsend/email": "^0.1.0",
+    "@hogsend/plugin-posthog": "^0.1.0",
+    "@hogsend/plugin-resend": "^0.1.0"
   },
   "devDependencies": {
     "@types/node": "^22.15.3",

package/src/app.ts

@@ -1,3 +1,4 @@
+import { user } from "@hogsend/db";
 import { OpenAPIHono } from "@hono/zod-openapi";
 import { apiReference } from "@scalar/hono-api-reference";
 import { compress } from "hono/compress";
@@ -8,6 +9,7 @@ import type { ErrorHandler, MiddlewareHandler } from "hono/types";
 import type { HogsendClient } from "./container.js";
 import { API_VERSION } from "./env.js";
 import type { Auth } from "./lib/auth.js";
+import { mountStudio } from "./lib/studio.js";
 import type { ApiKeyContext } from "./middleware/api-key.js";
 import { errorHandler } from "./middleware/error-handler.js";
 import { requestLogger } from "./middleware/request-logger.js";
@@ -64,13 +66,48 @@ export function createApp(
     return c.json({ error: "Not Found" }, 404);
   });
 
+  // Closed signup: the first user may register (first-load "create admin");
+  // once any user exists, sign-up is blocked. This is the security control that
+  // lets `requireAdmin` trust any authenticated session in a single-tenant app.
+  app.use("/api/auth/sign-up/*", async (c, next) => {
+    if (c.req.method === "POST") {
+      const { db } = c.get("container");
+      const existing = await db.select({ id: user.id }).from(user).limit(1);
+      if (existing.length > 0) {
+        return c.json(
+          { error: "Sign-ups are closed. An admin already exists." },
+          403,
+        );
+      }
+    }
+    return next();
+  });
+
   app.on(["POST", "GET"], "/api/auth/*", (c) => {
     const { auth } = c.get("container");
     return auth.handler(c.req.raw);
   });
 
+  // Public bootstrap probe: tells the Studio whether to show the first-run
+  // "create admin" screen (no users yet) instead of the login screen.
+  app.get("/v1/auth/status", async (c) => {
+    const { db } = c.get("container");
+    const existing = await db.select({ id: user.id }).from(user).limit(1);
+    return c.json({ needsSetup: existing.length === 0 });
+  });
+
   registerRoutes(app, { webhookSources: opts.webhookSources ?? [] });
 
+  // Serve the Studio SPA at /studio/* (static layer, no auth — the SPA gates
+  // itself via /v1/auth/status + login; data endpoints stay behind requireAdmin).
+  // No-op when no built dist is present, so an unbuilt studio never crashes boot.
+  const studio = mountStudio(app);
+  if (studio.mounted) {
+    container.logger.info(
+      `Studio mounted at /studio (dist: ${studio.distPath})`,
+    );
+  }
+
   opts.routes?.(app);
 
   if (container.env.NODE_ENV !== "production") {

package/src/container.ts

@@ -49,6 +49,13 @@ export interface HogsendClient {
   auth: Auth;
   email: Resend;
   emailService: EmailService;
+  /**
+   * The app's template registry (key → component + subject + category +
+   * optional preview/examples). Same object threaded into the engine mailer;
+   * exposed here so admin preview/catalog routes can enumerate keys and render
+   * templates without going through a send. Empty when no templates are wired.
+   */
+  templates: TemplateRegistry;
   analytics?: PostHogService;
   registry: JourneyRegistry;
   hatchet: HatchetClient;
@@ -154,6 +161,18 @@ export function createHogsendClient(
       db,
       secret: env.BETTER_AUTH_SECRET,
       baseURL: env.BETTER_AUTH_URL,
+      // Always trust the public API origin; add any explicitly configured ones
+      // (e.g. a remote Studio origin) on top. baseURL is trusted automatically.
+      trustedOrigins: Array.from(
+        new Set(
+          [
+            env.API_PUBLIC_URL,
+            ...(env.BETTER_AUTH_TRUSTED_ORIGINS?.split(",") ?? []),
+          ]
+            .map((o) => o.trim())
+            .filter(Boolean),
+        ),
+      ),
     });
 
   const email = createResendClient({ apiKey: env.RESEND_API_KEY });
@@ -183,12 +202,14 @@ export function createHogsendClient(
     sendWindow: defaults.sendWindow,
   });
 
+  const templates = opts.email?.templates ?? ({} as TemplateRegistry);
+
   const emailService =
     opts.overrides?.mailer ??
     createTrackedMailer(
       {
         defaultFrom: env.RESEND_FROM_EMAIL,
-        templates: opts.email?.templates ?? ({} as TemplateRegistry),
+        templates,
         db,
         webhookSecret: env.RESEND_WEBHOOK_SECRET,
         bounceThreshold: 3,
@@ -216,6 +237,7 @@ export function createHogsendClient(
     auth,
     email,
     emailService,
+    templates,
     analytics,
     registry,
     hatchet: opts.overrides?.hatchet ?? hatchet,

package/src/env.ts

@@ -16,6 +16,10 @@ export const env = createEnv({
     REDIS_URL: z.string().min(1).default("redis://localhost:6379"),
     BETTER_AUTH_SECRET: z.string().min(1),
     BETTER_AUTH_URL: z.string().url().default("http://localhost:3002"),
+    // Extra origins allowed to call the auth endpoints (beyond BETTER_AUTH_URL),
+    // comma-separated. Needed when the Studio is served from a different origin
+    // than the API — e.g. the `hogsend studio` CLI pointing at a remote instance.
+    BETTER_AUTH_TRUSTED_ORIGINS: z.string().optional(),
     RESEND_API_KEY: z.string().min(1),
     RESEND_FROM_EMAIL: z.string().email().default("noreply@hogsend.com"),
     // Hatchet connection contract. The @hatchet-dev SDK also reads these straight

package/src/index.ts

@@ -86,6 +86,7 @@ export { createLogger, type Logger } from "./lib/logger.js";
 export { createTrackedMailer } from "./lib/mailer.js";
 export { getPostHog } from "./lib/posthog.js";
 export { getRedisIfConnected } from "./lib/redis.js";
+export { type MountStudioResult, mountStudio } from "./lib/studio.js";
 export {
   type ResolveTimezoneInput,
   type ResolveTimezoneResult,

package/src/lib/auth.ts

@@ -8,12 +8,19 @@ export function createAuth(opts: {
   db: Database;
   secret: string;
   baseURL: string;
+  /**
+   * Extra origins allowed to call auth endpoints, beyond `baseURL` (which is
+   * always trusted). Needed when the Studio is served from a different origin
+   * than the API (e.g. the `hogsend studio` CLI against a remote instance).
+   */
+  trustedOrigins?: string[];
 }) {
-  const { db, secret, baseURL } = opts;
+  const { db, secret, baseURL, trustedOrigins } = opts;
   return betterAuth({
     basePath: "/api/auth",
     secret,
     baseURL,
+    ...(trustedOrigins && trustedOrigins.length > 0 ? { trustedOrigins } : {}),
     database: drizzleAdapter(db, {
       provider: "pg",
       schema,

package/src/lib/email-service-types.ts

@@ -35,6 +35,9 @@ export interface SendTrackedEmailOptions<
   to: string;
   subject?: string;
   journeyStateId?: string;
+  /** Denormalized recipient identity, persisted on the email_sends row for reporting. */
+  userId?: string;
+  userEmail?: string;
   category?: string;
   tags?: Array<{ name: string; value: string }>;
   headers?: Record<string, string>;
@@ -108,6 +111,9 @@ export interface EmailServiceSendOptions<
   from?: string;
   subject?: string;
   journeyStateId?: string;
+  /** Denormalized recipient identity, persisted on the email_sends row for reporting. */
+  userId?: string;
+  userEmail?: string;
   category?: string;
   tags?: Array<{ name: string; value: string }>;
   headers?: Record<string, string>;

package/src/lib/email.ts

@@ -76,6 +76,8 @@ export async function sendEmail(
     to: opts.to,
     subject: opts.subject,
     journeyStateId: opts.journeyStateId,
+    userId: opts.userId,
+    userEmail: opts.to,
     category: "journey",
     tags: [
       { name: "journeyId", value: opts.journeyName ?? opts.template },

package/src/lib/mailer.ts

@@ -91,6 +91,8 @@ export function createTrackedMailer(
             to: options.to,
             subject: options.subject,
             journeyStateId: options.journeyStateId,
+            userId: options.userId,
+            userEmail: options.userEmail,
             category: options.category,
             tags: options.tags,
             headers: options.headers,
@@ -190,7 +192,10 @@ export function createTrackedMailer(
         await updateEmailStatus(event.type, event.data.email_id);
         break;
       case "email.bounced":
-        await updateEmailStatus(event.type, event.data.email_id);
+        await updateEmailStatus(event.type, event.data.email_id, {
+          bounceType: event.data.bounce?.type,
+          bounceReason: event.data.bounce?.message,
+        });
         await handleBounce(event.data.to);
         break;
       case "email.complained":
@@ -247,6 +252,7 @@ export function createTrackedMailer(
   async function updateEmailStatus(
     eventType: WebhookEventType,
     resendId: string,
+    extra?: { bounceType?: string; bounceReason?: string },
   ): Promise<void> {
     if (!db) return;
 
@@ -259,6 +265,8 @@ export function createTrackedMailer(
       .set({
         status: status as typeof emailSends.$inferSelect.status,
         [timestampField]: new Date(),
+        ...(extra?.bounceType ? { bounceType: extra.bounceType } : {}),
+        ...(extra?.bounceReason ? { bounceReason: extra.bounceReason } : {}),
         updatedAt: new Date(),
       })
       .where(eq(emailSends.resendId, resendId));

package/src/lib/metrics-sql.ts

@@ -0,0 +1,17 @@
+import { sql } from "drizzle-orm";
+
+// Shared SQL building blocks for the admin metrics + reporting routers.
+
+/** Guarded divide, rounded to 4 decimal places. Returns 0 when denom <= 0. */
+export const rate = (num: number, denom: number) =>
+  denom > 0 ? Math.round((num / denom) * 10000) / 10000 : 0;
+
+/** `date_trunc` granularity literals, keyed by the API's period/granularity enum. */
+export const TRUNC_SQL = {
+  hour: sql`'hour'`,
+  day: sql`'day'`,
+  week: sql`'week'`,
+  month: sql`'month'`,
+} as const;
+
+export type TruncPeriod = keyof typeof TRUNC_SQL;

package/src/lib/studio.ts

@@ -0,0 +1,105 @@
+import { existsSync } from "node:fs";
+import { createRequire } from "node:module";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { serveStatic } from "@hono/node-server/serve-static";
+import type { OpenAPIHono } from "@hono/zod-openapi";
+import type { AppEnv } from "../app.js";
+
+/**
+ * Where the built Studio SPA lives. The Studio (`@hogsend/studio`) is a separate
+ * Vite package that builds to a static `dist/` under base `/studio/`. The engine
+ * serves that `dist/` as static files at `/studio/*` with an SPA fallback.
+ *
+ * The Studio is NOT a runtime dependency of the engine — it ships as a built
+ * artifact and is optional. Mounting is best-effort: if no `dist/` is found, the
+ * mount is silently skipped so an unbuilt / studio-less deploy never crashes.
+ *
+ * Resolution order:
+ *  1. `STUDIO_DIST_PATH` env var (explicit override; absolute or cwd-relative).
+ *  2. `require.resolve("@hogsend/studio/package.json")` → sibling `dist/`
+ *     (works when the studio package is installed/linked alongside the engine).
+ *  3. Monorepo source layout: walk up from this file to `packages/studio/dist`.
+ *  4. cwd-relative `packages/studio/dist` (dogfood app run from repo root).
+ */
+function resolveStudioDist(): string | null {
+  const candidates: string[] = [];
+
+  const envPath = process.env.STUDIO_DIST_PATH;
+  if (envPath && envPath.length > 0) {
+    candidates.push(resolve(process.cwd(), envPath));
+  }
+
+  const require = createRequire(import.meta.url);
+  try {
+    const pkgJson = require.resolve("@hogsend/studio/package.json");
+    candidates.push(join(dirname(pkgJson), "dist"));
+  } catch {
+    // Not resolvable as a module — fall through to layout-based guesses.
+  }
+
+  // Monorepo source layout: this file is packages/engine/src/lib/studio.ts, so
+  // the studio dist is ../../../studio/dist relative to here.
+  const here = dirname(fileURLToPath(import.meta.url));
+  candidates.push(resolve(here, "../../../studio/dist"));
+
+  // cwd fallbacks for a repo-root process (apps/api dogfood, tests).
+  candidates.push(resolve(process.cwd(), "packages/studio/dist"));
+  candidates.push(resolve(process.cwd(), "../../packages/studio/dist"));
+
+  for (const dir of candidates) {
+    if (existsSync(join(dir, "index.html"))) {
+      return dir;
+    }
+  }
+  return null;
+}
+
+export interface MountStudioResult {
+  /** True when the SPA was mounted, false when no built dist was found. */
+  mounted: boolean;
+  /** Absolute path to the served dist directory, when mounted. */
+  distPath?: string;
+}
+
+/**
+ * Mount the Studio SPA at `/studio/*` as static files, with an SPA fallback to
+ * `index.html` for client-side routes.
+ *
+ * IMPORTANT: this is intentionally OUTSIDE the `/v1/admin` auth guard at the
+ * static layer. The SPA itself gates access via `/v1/auth/status` + login; the
+ * actual data endpoints under `/v1/admin/*` stay protected by `requireAdmin`.
+ *
+ * No-op (returns `{ mounted: false }`) when no built `dist/` is found, so an
+ * unbuilt studio never crashes the server.
+ */
+export function mountStudio(app: OpenAPIHono<AppEnv>): MountStudioResult {
+  const distPath = resolveStudioDist();
+  if (!distPath) {
+    return { mounted: false };
+  }
+
+  // serveStatic resolves `path` relative to `root` (which is relative to cwd by
+  // default). We pass an absolute `root` and strip the `/studio` URL prefix so a
+  // request for `/studio/assets/x.js` maps to `<dist>/assets/x.js`.
+  const staticHandler = serveStatic({
+    root: distPath,
+    rewriteRequestPath: (path) => path.replace(/^\/studio/, "") || "/",
+  });
+
+  // Redirect the bare `/studio` to `/studio/` so relative/base assets resolve.
+  app.get("/studio", (c) => c.redirect("/studio/"));
+
+  // Static assets (js/css/images) under /studio/*.
+  app.use("/studio/*", staticHandler);
+
+  // SPA fallback: any /studio/* path that didn't resolve to a file serves
+  // index.html so client-side (TanStack Router) routes work on hard refresh.
+  const indexHandler = serveStatic({
+    root: distPath,
+    rewriteRequestPath: () => "/index.html",
+  });
+  app.get("/studio/*", indexHandler);
+
+  return { mounted: true, distPath };
+}

package/src/lib/tracked.ts

@@ -66,6 +66,8 @@ export async function sendTrackedEmail<K extends TemplateName>(
           subject: options.subject ?? "",
           category: options.category,
           journeyStateId: options.journeyStateId,
+          userId: options.userId,
+          userEmail: options.userEmail ?? options.to,
           status: "failed",
         })
         .returning({ id: emailSends.id });
@@ -126,6 +128,8 @@ export async function sendTrackedEmail<K extends TemplateName>(
       subject,
       category: options.category ?? category,
       journeyStateId: options.journeyStateId,
+      userId: options.userId,
+      userEmail: options.userEmail ?? options.to,
       status: "queued",
     })
     .returning({ id: emailSends.id });

package/src/middleware/rate-limit.ts

@@ -13,7 +13,7 @@ export const rateLimit = createMiddleware<AppEnv>(async (c, next) => {
   if (process.env.NODE_ENV === "test") return next();
 
   const apiKey = c.get("apiKey");
-  const keyId = apiKey?.id ?? "anonymous";
+  const keyId = apiKey?.id ?? c.get("user")?.id ?? "anonymous";
   const now = Date.now();
 
   let count: number;

package/src/middleware/require-admin.ts

@@ -0,0 +1,26 @@
+import { createMiddleware } from "hono/factory";
+import type { AppEnv } from "../app.js";
+import { requireApiKey } from "./api-key.js";
+
+// Authorizes admin routes via EITHER an API key (Bearer header, the
+// programmatic/CLI path) OR a Better-Auth session (cookie, the Studio path).
+// A Bearer header is always treated as an API key; otherwise we resolve the
+// session. Role-based gating is deferred — the security control for the session
+// path is closed signup (only the first user can register; see app.ts), so any
+// authenticated session is an intended admin in this single-tenant model.
+export const requireAdmin = createMiddleware<AppEnv>(async (c, next) => {
+  const header = c.req.header("authorization");
+  if (header?.startsWith("Bearer ")) {
+    return requireApiKey(c, next);
+  }
+
+  const { auth } = c.get("container");
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+  if (!session?.user) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  c.set("user", session.user);
+  c.set("session", session.session);
+  return next();
+});

package/src/routes/admin/emails.ts

@@ -6,7 +6,20 @@ import {
   trackedLinks,
 } from "@hogsend/db";
 import { createRoute, OpenAPIHono, z } from "@hono/zod-openapi";
-import { and, count, desc, eq, gte, inArray, isNull, lte } from "drizzle-orm";
+import {
+  and,
+  asc,
+  count,
+  desc,
+  eq,
+  getTableColumns,
+  gte,
+  inArray,
+  isNotNull,
+  isNull,
+  lte,
+  or,
+} from "drizzle-orm";
 import type { AppEnv } from "../../app.js";
 
 const emailSchema = z.object({
@@ -19,6 +32,8 @@ const emailSchema = z.object({
   subject: z.string(),
   category: z.string().nullable(),
   status: z.string(),
+  userId: z.string().nullable(),
+  journeyId: z.string().nullable(),
   sentAt: z.string().nullable(),
   deliveredAt: z.string().nullable(),
   openedAt: z.string().nullable(),
@@ -29,6 +44,14 @@ const emailSchema = z.object({
   updatedAt: z.string(),
 });
 
+const eventSchema = z.object({
+  type: z.string(),
+  timestamp: z.string(),
+  url: z.string().optional(),
+  ipAddress: z.string().nullable().optional(),
+  userAgent: z.string().nullable().optional(),
+});
+
 const trackedLinkSchema = z.object({
   id: z.string(),
   originalUrl: z.string(),
@@ -54,7 +77,13 @@ const journeyContextSchema = z
 
 import { errorSchema } from "../../lib/schemas.js";
 
-function serializeEmail(row: typeof emailSends.$inferSelect) {
+function serializeEmail(
+  row: typeof emailSends.$inferSelect,
+  identity: { userId: string | null; journeyId: string | null } = {
+    userId: null,
+    journeyId: null,
+  },
+) {
   return {
     id: row.id,
     journeyStateId: row.journeyStateId,
@@ -65,6 +94,8 @@ function serializeEmail(row: typeof emailSends.$inferSelect) {
     subject: row.subject,
     category: row.category,
     status: row.status,
+    userId: identity.userId,
+    journeyId: identity.journeyId,
     sentAt: row.sentAt?.toISOString() ?? null,
     deliveredAt: row.deliveredAt?.toISOString() ?? null,
     openedAt: row.openedAt?.toISOString() ?? null,
@@ -100,6 +131,16 @@ const listRoute = createRoute({
           "failed",
         ])
         .optional(),
+      journeyId: z.string().optional(),
+      userId: z.string().optional(),
+      category: z.string().optional(),
+      engagement: z
+        .enum(["opened", "clicked", "bounced", "complained"])
+        .optional(),
+      sort: z
+        .enum(["createdAt", "sentAt", "openedAt", "clickedAt"])
+        .default("createdAt"),
+      order: z.enum(["asc", "desc"]).default("desc"),
       from: z.string().datetime().optional(),
       to: z.string().datetime().optional(),
     }),
@@ -135,6 +176,7 @@ const getRoute = createRoute({
         "application/json": {
           schema: z.object({
             email: emailSchema,
+            events: z.array(eventSchema),
             trackedLinks: z.array(trackedLinkSchema),
             journeyContext: journeyContextSchema,
           }),
@@ -188,32 +230,93 @@ async function fetchTrackedLinksWithClicks(db: Database, emailSendId: string) {
 export const emailsRouter = new OpenAPIHono<AppEnv>()
   .openapi(listRoute, async (c) => {
     const { db } = c.get("container");
-    const { limit, offset, toEmail, templateKey, status, from, to } =
-      c.req.valid("query");
+    const {
+      limit,
+      offset,
+      toEmail,
+      templateKey,
+      status,
+      journeyId,
+      userId,
+      category,
+      engagement,
+      sort,
+      order,
+      from,
+      to,
+    } = c.req.valid("query");
+
+    const engagementColumn = {
+      opened: emailSends.openedAt,
+      clicked: emailSends.clickedAt,
+      bounced: emailSends.bouncedAt,
+      complained: emailSends.complainedAt,
+    } as const;
+
+    const sortColumn = {
+      createdAt: emailSends.createdAt,
+      sentAt: emailSends.sentAt,
+      openedAt: emailSends.openedAt,
+      clickedAt: emailSends.clickedAt,
+    } as const;
 
     const conditions = [];
     if (toEmail) conditions.push(eq(emailSends.toEmail, toEmail));
     if (templateKey) conditions.push(eq(emailSends.templateKey, templateKey));
     if (status) conditions.push(eq(emailSends.status, status));
+    if (category) conditions.push(eq(emailSends.category, category));
+    if (journeyId) conditions.push(eq(journeyStates.journeyId, journeyId));
+    // Match the denormalized identity OR the journey-state join, so journeyless
+    // sends (which only carry the denormalized userId) are still filterable.
+    if (userId) {
+      conditions.push(
+        or(eq(emailSends.userId, userId), eq(journeyStates.userId, userId)),
+      );
+    }
+    if (engagement) conditions.push(isNotNull(engagementColumn[engagement]));
     if (from) conditions.push(gte(emailSends.createdAt, new Date(from)));
     if (to) conditions.push(lte(emailSends.createdAt, new Date(to)));
 
     const where = conditions.length > 0 ? and(...conditions) : undefined;
 
+    const orderBy =
+      order === "asc" ? asc(sortColumn[sort]) : desc(sortColumn[sort]);
+
+    const joinCondition = and(
+      eq(emailSends.journeyStateId, journeyStates.id),
+      isNull(journeyStates.deletedAt),
+    );
+
     const [rows, totalRows] = await Promise.all([
       db
-        .select()
+        .select({
+          ...getTableColumns(emailSends),
+          identityUserId: journeyStates.userId,
+          identityJourneyId: journeyStates.journeyId,
+        })
         .from(emailSends)
+        .leftJoin(journeyStates, joinCondition)
         .where(where)
-        .orderBy(desc(emailSends.createdAt))
+        .orderBy(orderBy)
         .limit(limit)
         .offset(offset),
-      db.select({ count: count() }).from(emailSends).where(where),
+      db
+        .select({ count: count() })
+        .from(emailSends)
+        .leftJoin(journeyStates, joinCondition)
+        .where(where),
     ]);
 
     return c.json(
       {
-        emails: rows.map(serializeEmail),
+        emails: rows.map(({ identityUserId, identityJourneyId, ...row }) =>
+          // Prefer the denormalized identity on the send row; fall back to the
+          // journey-state join (covers rows written before denormalization).
+          serializeEmail(row, {
+            userId: row.userId ?? identityUserId,
+            journeyId: identityJourneyId,
+          }),
+        ),
         total: totalRows[0]?.count ?? 0,
         limit,
         offset,
@@ -258,9 +361,52 @@ export const emailsRouter = new OpenAPIHono<AppEnv>()
         : Promise.resolve(null),
     ]);
 
+    const events: z.infer<typeof eventSchema>[] = [];
+    if (row.createdAt)
+      events.push({ type: "queued", timestamp: row.createdAt.toISOString() });
+    if (row.sentAt)
+      events.push({ type: "sent", timestamp: row.sentAt.toISOString() });
+    if (row.deliveredAt)
+      events.push({
+        type: "delivered",
+        timestamp: row.deliveredAt.toISOString(),
+      });
+    if (row.openedAt)
+      events.push({ type: "opened", timestamp: row.openedAt.toISOString() });
+    if (row.bouncedAt)
+      events.push({ type: "bounced", timestamp: row.bouncedAt.toISOString() });
+    if (row.complainedAt)
+      events.push({
+        type: "complained",
+        timestamp: row.complainedAt.toISOString(),
+      });
+    if (row.status === "failed" && row.updatedAt)
+      events.push({ type: "failed", timestamp: row.updatedAt.toISOString() });
+
+    for (const link of links) {
+      for (const click of link.clicks) {
+        events.push({
+          type: "clicked",
+          timestamp: click.clickedAt,
+          url: link.originalUrl,
+          ipAddress: click.ipAddress,
+          userAgent: click.userAgent,
+        });
+      }
+    }
+
+    events.sort(
+      (a, b) =>
+        new Date(a.timestamp).getTime() - new Date(b.timestamp).getTime(),
+    );
+
     return c.json(
       {
-        email: serializeEmail(row),
+        email: serializeEmail(row, {
+          userId: row.userId ?? journeyContext?.userId ?? null,
+          journeyId: journeyContext?.journeyId ?? null,
+        }),
+        events,
         trackedLinks: links,
         journeyContext,
       },