npm - @iflow-mcp/jakeliume-webpeel - Versions diffs - 0.22.0 - Mend

@iflow-mcp/jakeliume-webpeel 0.22.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (547) hide show

package/LICENSE +15 -0
package/README.md +313 -0
package/dist/cache.d.ts +30 -0
package/dist/cache.js +139 -0
package/dist/cli/commands/auth.d.ts +5 -0
package/dist/cli/commands/auth.js +411 -0
package/dist/cli/commands/doctor.d.ts +37 -0
package/dist/cli/commands/doctor.js +371 -0
package/dist/cli/commands/fetch.d.ts +6 -0
package/dist/cli/commands/fetch.js +1345 -0
package/dist/cli/commands/guide.d.ts +2 -0
package/dist/cli/commands/guide.js +183 -0
package/dist/cli/commands/interact.d.ts +5 -0
package/dist/cli/commands/interact.js +840 -0
package/dist/cli/commands/jobs.d.ts +5 -0
package/dist/cli/commands/jobs.js +997 -0
package/dist/cli/commands/monitor.d.ts +12 -0
package/dist/cli/commands/monitor.js +197 -0
package/dist/cli/commands/observe.d.ts +12 -0
package/dist/cli/commands/observe.js +158 -0
package/dist/cli/commands/screenshot.d.ts +5 -0
package/dist/cli/commands/screenshot.js +282 -0
package/dist/cli/commands/search.d.ts +5 -0
package/dist/cli/commands/search.js +1021 -0
package/dist/cli/commands/setup.d.ts +13 -0
package/dist/cli/commands/setup.js +244 -0
package/dist/cli/commands/skill.d.ts +15 -0
package/dist/cli/commands/skill.js +195 -0
package/dist/cli/utils.d.ts +84 -0
package/dist/cli/utils.js +806 -0
package/dist/cli-auth.d.ts +75 -0
package/dist/cli-auth.js +369 -0
package/dist/cli.d.ts +17 -0
package/dist/cli.js +99 -0
package/dist/core/actions.d.ts +69 -0
package/dist/core/actions.js +495 -0
package/dist/core/agent.d.ts +98 -0
package/dist/core/agent.js +558 -0
package/dist/core/answer.d.ts +42 -0
package/dist/core/answer.js +395 -0
package/dist/core/application-tracker.d.ts +84 -0
package/dist/core/application-tracker.js +184 -0
package/dist/core/apply.d.ts +162 -0
package/dist/core/apply.js +816 -0
package/dist/core/auth-detection.d.ts +35 -0
package/dist/core/auth-detection.js +358 -0
package/dist/core/auto-extract.d.ts +82 -0
package/dist/core/auto-extract.js +604 -0
package/dist/core/auto-interact.d.ts +23 -0
package/dist/core/auto-interact.js +246 -0
package/dist/core/bm25-filter.d.ts +66 -0
package/dist/core/bm25-filter.js +288 -0
package/dist/core/branding.d.ts +54 -0
package/dist/core/branding.js +234 -0
package/dist/core/browser-fetch.d.ts +323 -0
package/dist/core/browser-fetch.js +1600 -0
package/dist/core/browser-pool.d.ts +91 -0
package/dist/core/browser-pool.js +550 -0
package/dist/core/budget.d.ts +42 -0
package/dist/core/budget.js +324 -0
package/dist/core/business-intel.d.ts +47 -0
package/dist/core/business-intel.js +279 -0
package/dist/core/cache.d.ts +13 -0
package/dist/core/cache.js +121 -0
package/dist/core/cf-worker-proxy.d.ts +32 -0
package/dist/core/cf-worker-proxy.js +87 -0
package/dist/core/challenge-detection.d.ts +26 -0
package/dist/core/challenge-detection.js +468 -0
package/dist/core/change-tracking.d.ts +75 -0
package/dist/core/change-tracking.js +276 -0
package/dist/core/chunker.d.ts +46 -0
package/dist/core/chunker.js +249 -0
package/dist/core/chunking.d.ts +42 -0
package/dist/core/chunking.js +181 -0
package/dist/core/circuit-breaker.d.ts +44 -0
package/dist/core/circuit-breaker.js +85 -0
package/dist/core/content-pruner.d.ts +47 -0
package/dist/core/content-pruner.js +425 -0
package/dist/core/cookie-cache.d.ts +60 -0
package/dist/core/cookie-cache.js +163 -0
package/dist/core/crawl-checkpoint.d.ts +54 -0
package/dist/core/crawl-checkpoint.js +104 -0
package/dist/core/crawler.d.ts +84 -0
package/dist/core/crawler.js +349 -0
package/dist/core/cross-verify.d.ts +27 -0
package/dist/core/cross-verify.js +93 -0
package/dist/core/deep-fetch.d.ts +74 -0
package/dist/core/deep-fetch.js +405 -0
package/dist/core/deep-research.d.ts +141 -0
package/dist/core/deep-research.js +972 -0
package/dist/core/design-analysis.d.ts +70 -0
package/dist/core/design-analysis.js +490 -0
package/dist/core/design-compare.d.ts +38 -0
package/dist/core/design-compare.js +264 -0
package/dist/core/diff.d.ts +61 -0
package/dist/core/diff.js +289 -0
package/dist/core/dns-cache.d.ts +20 -0
package/dist/core/dns-cache.js +198 -0
package/dist/core/documents.d.ts +23 -0
package/dist/core/documents.js +123 -0
package/dist/core/domain-memory.d.ts +66 -0
package/dist/core/domain-memory.js +163 -0
package/dist/core/domain-verify.d.ts +40 -0
package/dist/core/domain-verify.js +379 -0
package/dist/core/engine-ranker.d.ts +112 -0
package/dist/core/engine-ranker.js +395 -0
package/dist/core/extract-inline.d.ts +38 -0
package/dist/core/extract-inline.js +215 -0
package/dist/core/extract-listings.d.ts +38 -0
package/dist/core/extract-listings.js +461 -0
package/dist/core/extract.d.ts +9 -0
package/dist/core/extract.js +139 -0
package/dist/core/fetch-cache.d.ts +57 -0
package/dist/core/fetch-cache.js +95 -0
package/dist/core/fetcher.d.ts +13 -0
package/dist/core/fetcher.js +12 -0
package/dist/core/google-cache.d.ts +29 -0
package/dist/core/google-cache.js +180 -0
package/dist/core/google-serp-parser.d.ts +82 -0
package/dist/core/google-serp-parser.js +287 -0
package/dist/core/hotel-search.d.ts +122 -0
package/dist/core/hotel-search.js +382 -0
package/dist/core/http-fetch.d.ts +72 -0
package/dist/core/http-fetch.js +820 -0
package/dist/core/human.d.ts +175 -0
package/dist/core/human.js +680 -0
package/dist/core/image-caption.d.ts +44 -0
package/dist/core/image-caption.js +271 -0
package/dist/core/jobs.d.ts +75 -0
package/dist/core/jobs.js +634 -0
package/dist/core/json-ld.d.ts +15 -0
package/dist/core/json-ld.js +617 -0
package/dist/core/language-detect.d.ts +18 -0
package/dist/core/language-detect.js +135 -0
package/dist/core/links.d.ts +10 -0
package/dist/core/links.js +44 -0
package/dist/core/llm-extract.d.ts +71 -0
package/dist/core/llm-extract.js +507 -0
package/dist/core/llm-provider.d.ts +100 -0
package/dist/core/llm-provider.js +702 -0
package/dist/core/local-search.d.ts +60 -0
package/dist/core/local-search.js +308 -0
package/dist/core/logger.d.ts +28 -0
package/dist/core/logger.js +104 -0
package/dist/core/map.d.ts +33 -0
package/dist/core/map.js +127 -0
package/dist/core/markdown.d.ts +92 -0
package/dist/core/markdown.js +809 -0
package/dist/core/metadata.d.ts +34 -0
package/dist/core/metadata.js +422 -0
package/dist/core/observe.d.ts +113 -0
package/dist/core/observe.js +395 -0
package/dist/core/ocr.d.ts +12 -0
package/dist/core/ocr.js +33 -0
package/dist/core/paginate.d.ts +31 -0
package/dist/core/paginate.js +106 -0
package/dist/core/pdf.d.ts +8 -0
package/dist/core/pdf.js +25 -0
package/dist/core/peel-tls.d.ts +25 -0
package/dist/core/peel-tls.js +220 -0
package/dist/core/pipeline.d.ts +132 -0
package/dist/core/pipeline.js +1666 -0
package/dist/core/profiles.d.ts +61 -0
package/dist/core/profiles.js +350 -0
package/dist/core/prompt-guard.d.ts +30 -0
package/dist/core/prompt-guard.js +119 -0
package/dist/core/proxy-config.d.ts +90 -0
package/dist/core/proxy-config.js +172 -0
package/dist/core/quick-answer.d.ts +53 -0
package/dist/core/quick-answer.js +833 -0
package/dist/core/rate-governor.d.ts +80 -0
package/dist/core/rate-governor.js +238 -0
package/dist/core/readability.d.ts +57 -0
package/dist/core/readability.js +533 -0
package/dist/core/research.d.ts +66 -0
package/dist/core/research.js +270 -0
package/dist/core/retry.d.ts +60 -0
package/dist/core/retry.js +119 -0
package/dist/core/safe-browsing.d.ts +30 -0
package/dist/core/safe-browsing.js +206 -0
package/dist/core/schema-extraction.d.ts +66 -0
package/dist/core/schema-extraction.js +352 -0
package/dist/core/schema-postprocess.d.ts +32 -0
package/dist/core/schema-postprocess.js +469 -0
package/dist/core/schema-templates.d.ts +19 -0
package/dist/core/schema-templates.js +143 -0
package/dist/core/screenshot.d.ts +224 -0
package/dist/core/screenshot.js +207 -0
package/dist/core/search-engines.d.ts +25 -0
package/dist/core/search-engines.js +182 -0
package/dist/core/search-provider.d.ts +243 -0
package/dist/core/search-provider.js +1629 -0
package/dist/core/searxng-provider.d.ts +35 -0
package/dist/core/searxng-provider.js +105 -0
package/dist/core/selective-evidence.d.ts +151 -0
package/dist/core/selective-evidence.js +389 -0
package/dist/core/site-search.d.ts +44 -0
package/dist/core/site-search.js +252 -0
package/dist/core/sitemap.d.ts +23 -0
package/dist/core/sitemap.js +105 -0
package/dist/core/source-credibility.d.ts +29 -0
package/dist/core/source-credibility.js +584 -0
package/dist/core/source-scoring.d.ts +166 -0
package/dist/core/source-scoring.js +396 -0
package/dist/core/stemmer.d.ts +38 -0
package/dist/core/stemmer.js +509 -0
package/dist/core/strategies.d.ts +104 -0
package/dist/core/strategies.js +1044 -0
package/dist/core/strategy-hooks.d.ts +145 -0
package/dist/core/strategy-hooks.js +74 -0
package/dist/core/structured-extract.d.ts +43 -0
package/dist/core/structured-extract.js +550 -0
package/dist/core/summarize.d.ts +17 -0
package/dist/core/summarize.js +78 -0
package/dist/core/synonyms.d.ts +42 -0
package/dist/core/synonyms.js +184 -0
package/dist/core/system-monitor.d.ts +61 -0
package/dist/core/system-monitor.js +133 -0
package/dist/core/table-format.d.ts +30 -0
package/dist/core/table-format.js +146 -0
package/dist/core/threat-feeds.d.ts +23 -0
package/dist/core/threat-feeds.js +104 -0
package/dist/core/timing.d.ts +21 -0
package/dist/core/timing.js +33 -0
package/dist/core/transcript-export.d.ts +47 -0
package/dist/core/transcript-export.js +107 -0
package/dist/core/user-agents.d.ts +82 -0
package/dist/core/user-agents.js +239 -0
package/dist/core/vertical-search.d.ts +54 -0
package/dist/core/vertical-search.js +158 -0
package/dist/core/watch-manager.d.ts +175 -0
package/dist/core/watch-manager.js +416 -0
package/dist/core/watch.d.ts +101 -0
package/dist/core/watch.js +389 -0
package/dist/core/youtube.d.ts +130 -0
package/dist/core/youtube.js +1175 -0
package/dist/ee/challenge-re-export.d.ts +1 -0
package/dist/ee/challenge-re-export.js +1 -0
package/dist/ee/challenge-solver.d.ts +72 -0
package/dist/ee/challenge-solver.js +720 -0
package/dist/ee/domain-extractors.d.ts +8 -0
package/dist/ee/domain-extractors.js +8 -0
package/dist/ee/domain-intel.d.ts +16 -0
package/dist/ee/domain-intel.js +133 -0
package/dist/ee/extractors/allrecipes.d.ts +2 -0
package/dist/ee/extractors/allrecipes.js +120 -0
package/dist/ee/extractors/amazon.d.ts +2 -0
package/dist/ee/extractors/amazon.js +78 -0
package/dist/ee/extractors/arxiv.d.ts +2 -0
package/dist/ee/extractors/arxiv.js +137 -0
package/dist/ee/extractors/bestbuy.d.ts +2 -0
package/dist/ee/extractors/bestbuy.js +78 -0
package/dist/ee/extractors/carscom.d.ts +2 -0
package/dist/ee/extractors/carscom.js +121 -0
package/dist/ee/extractors/coingecko.d.ts +2 -0
package/dist/ee/extractors/coingecko.js +134 -0
package/dist/ee/extractors/craigslist.d.ts +2 -0
package/dist/ee/extractors/craigslist.js +92 -0
package/dist/ee/extractors/devto.d.ts +2 -0
package/dist/ee/extractors/devto.js +135 -0
package/dist/ee/extractors/ebay.d.ts +2 -0
package/dist/ee/extractors/ebay.js +90 -0
package/dist/ee/extractors/espn.d.ts +2 -0
package/dist/ee/extractors/espn.js +260 -0
package/dist/ee/extractors/etsy.d.ts +2 -0
package/dist/ee/extractors/etsy.js +52 -0
package/dist/ee/extractors/facebook.d.ts +2 -0
package/dist/ee/extractors/facebook.js +46 -0
package/dist/ee/extractors/github.d.ts +2 -0
package/dist/ee/extractors/github.js +196 -0
package/dist/ee/extractors/google-flights.d.ts +2 -0
package/dist/ee/extractors/google-flights.js +176 -0
package/dist/ee/extractors/hackernews.d.ts +2 -0
package/dist/ee/extractors/hackernews.js +147 -0
package/dist/ee/extractors/imdb.d.ts +2 -0
package/dist/ee/extractors/imdb.js +172 -0
package/dist/ee/extractors/index.d.ts +26 -0
package/dist/ee/extractors/index.js +247 -0
package/dist/ee/extractors/instagram.d.ts +2 -0
package/dist/ee/extractors/instagram.js +102 -0
package/dist/ee/extractors/kalshi.d.ts +2 -0
package/dist/ee/extractors/kalshi.js +121 -0
package/dist/ee/extractors/kayak-cars.d.ts +2 -0
package/dist/ee/extractors/kayak-cars.js +270 -0
package/dist/ee/extractors/linkedin.d.ts +2 -0
package/dist/ee/extractors/linkedin.js +113 -0
package/dist/ee/extractors/medium.d.ts +2 -0
package/dist/ee/extractors/medium.js +130 -0
package/dist/ee/extractors/news.d.ts +4 -0
package/dist/ee/extractors/news.js +173 -0
package/dist/ee/extractors/npm.d.ts +2 -0
package/dist/ee/extractors/npm.js +86 -0
package/dist/ee/extractors/pdf.d.ts +2 -0
package/dist/ee/extractors/pdf.js +108 -0
package/dist/ee/extractors/pinterest.d.ts +2 -0
package/dist/ee/extractors/pinterest.js +34 -0
package/dist/ee/extractors/polymarket.d.ts +2 -0
package/dist/ee/extractors/polymarket.js +358 -0
package/dist/ee/extractors/producthunt.d.ts +2 -0
package/dist/ee/extractors/producthunt.js +88 -0
package/dist/ee/extractors/pubmed.d.ts +2 -0
package/dist/ee/extractors/pubmed.js +162 -0
package/dist/ee/extractors/pypi.d.ts +2 -0
package/dist/ee/extractors/pypi.js +80 -0
package/dist/ee/extractors/reddit.d.ts +2 -0
package/dist/ee/extractors/reddit.js +438 -0
package/dist/ee/extractors/redfin.d.ts +2 -0
package/dist/ee/extractors/redfin.js +156 -0
package/dist/ee/extractors/semanticscholar.d.ts +2 -0
package/dist/ee/extractors/semanticscholar.js +131 -0
package/dist/ee/extractors/shared.d.ts +12 -0
package/dist/ee/extractors/shared.js +76 -0
package/dist/ee/extractors/soundcloud.d.ts +2 -0
package/dist/ee/extractors/soundcloud.js +34 -0
package/dist/ee/extractors/sportsbetting.d.ts +2 -0
package/dist/ee/extractors/sportsbetting.js +37 -0
package/dist/ee/extractors/spotify.d.ts +2 -0
package/dist/ee/extractors/spotify.js +34 -0
package/dist/ee/extractors/stackoverflow.d.ts +2 -0
package/dist/ee/extractors/stackoverflow.js +61 -0
package/dist/ee/extractors/substack.d.ts +2 -0
package/dist/ee/extractors/substack.js +115 -0
package/dist/ee/extractors/substackroot.d.ts +2 -0
package/dist/ee/extractors/substackroot.js +46 -0
package/dist/ee/extractors/tiktok.d.ts +2 -0
package/dist/ee/extractors/tiktok.js +29 -0
package/dist/ee/extractors/tradingview.d.ts +2 -0
package/dist/ee/extractors/tradingview.js +182 -0
package/dist/ee/extractors/twitch.d.ts +2 -0
package/dist/ee/extractors/twitch.js +36 -0
package/dist/ee/extractors/twitter.d.ts +2 -0
package/dist/ee/extractors/twitter.js +327 -0
package/dist/ee/extractors/types.d.ts +14 -0
package/dist/ee/extractors/types.js +1 -0
package/dist/ee/extractors/walmart.d.ts +2 -0
package/dist/ee/extractors/walmart.js +50 -0
package/dist/ee/extractors/weather.d.ts +2 -0
package/dist/ee/extractors/weather.js +133 -0
package/dist/ee/extractors/wikipedia.d.ts +4 -0
package/dist/ee/extractors/wikipedia.js +235 -0
package/dist/ee/extractors/yelp.d.ts +2 -0
package/dist/ee/extractors/yelp.js +216 -0
package/dist/ee/extractors/youtube.d.ts +2 -0
package/dist/ee/extractors/youtube.js +189 -0
package/dist/ee/extractors/zillow.d.ts +54 -0
package/dist/ee/extractors/zillow.js +247 -0
package/dist/ee/extractors-re-export.d.ts +1 -0
package/dist/ee/extractors-re-export.js +1 -0
package/dist/ee/premium-hooks.d.ts +20 -0
package/dist/ee/premium-hooks.js +50 -0
package/dist/ee/spa-detection.d.ts +2 -0
package/dist/ee/spa-detection.js +2 -0
package/dist/ee/stability.d.ts +4 -0
package/dist/ee/stability.js +29 -0
package/dist/ee/swr-cache.d.ts +14 -0
package/dist/ee/swr-cache.js +34 -0
package/dist/index.d.ts +143 -0
package/dist/index.js +291 -0
package/dist/integrations/index.d.ts +2 -0
package/dist/integrations/index.js +2 -0
package/dist/integrations/langchain.d.ts +64 -0
package/dist/integrations/langchain.js +115 -0
package/dist/integrations/llamaindex.d.ts +50 -0
package/dist/integrations/llamaindex.js +91 -0
package/dist/mcp/handlers/act.d.ts +5 -0
package/dist/mcp/handlers/act.js +34 -0
package/dist/mcp/handlers/definitions.d.ts +6 -0
package/dist/mcp/handlers/definitions.js +395 -0
package/dist/mcp/handlers/extract.d.ts +7 -0
package/dist/mcp/handlers/extract.js +135 -0
package/dist/mcp/handlers/fetch.d.ts +6 -0
package/dist/mcp/handlers/fetch.js +98 -0
package/dist/mcp/handlers/find.d.ts +5 -0
package/dist/mcp/handlers/find.js +137 -0
package/dist/mcp/handlers/index.d.ts +13 -0
package/dist/mcp/handlers/index.js +63 -0
package/dist/mcp/handlers/legacy.d.ts +25 -0
package/dist/mcp/handlers/legacy.js +450 -0
package/dist/mcp/handlers/meta.d.ts +6 -0
package/dist/mcp/handlers/meta.js +40 -0
package/dist/mcp/handlers/monitor.d.ts +5 -0
package/dist/mcp/handlers/monitor.js +41 -0
package/dist/mcp/handlers/observe.d.ts +8 -0
package/dist/mcp/handlers/observe.js +37 -0
package/dist/mcp/handlers/read.d.ts +6 -0
package/dist/mcp/handlers/read.js +78 -0
package/dist/mcp/handlers/see.d.ts +5 -0
package/dist/mcp/handlers/see.js +75 -0
package/dist/mcp/handlers/types.d.ts +29 -0
package/dist/mcp/handlers/types.js +28 -0
package/dist/mcp/server.d.ts +7 -0
package/dist/mcp/server.js +108 -0
package/dist/mcp/smart-router.d.ts +23 -0
package/dist/mcp/smart-router.js +178 -0
package/dist/server/app.d.ts +14 -0
package/dist/server/app.js +632 -0
package/dist/server/auth-store.d.ts +28 -0
package/dist/server/auth-store.js +88 -0
package/dist/server/bull-queues.d.ts +60 -0
package/dist/server/bull-queues.js +90 -0
package/dist/server/email-service.d.ts +55 -0
package/dist/server/email-service.js +291 -0
package/dist/server/job-queue.d.ts +100 -0
package/dist/server/job-queue.js +145 -0
package/dist/server/logger.d.ts +10 -0
package/dist/server/logger.js +37 -0
package/dist/server/middleware/audit-log.d.ts +14 -0
package/dist/server/middleware/audit-log.js +73 -0
package/dist/server/middleware/auth.d.ts +35 -0
package/dist/server/middleware/auth.js +225 -0
package/dist/server/middleware/rate-limit.d.ts +50 -0
package/dist/server/middleware/rate-limit.js +270 -0
package/dist/server/middleware/scope-guard.d.ts +25 -0
package/dist/server/middleware/scope-guard.js +45 -0
package/dist/server/middleware/url-validator.d.ts +15 -0
package/dist/server/middleware/url-validator.js +201 -0
package/dist/server/openapi.yaml +6418 -0
package/dist/server/pg-auth-store.d.ts +146 -0
package/dist/server/pg-auth-store.js +576 -0
package/dist/server/pg-job-queue.d.ts +59 -0
package/dist/server/pg-job-queue.js +375 -0
package/dist/server/routes/activity.d.ts +6 -0
package/dist/server/routes/activity.js +79 -0
package/dist/server/routes/admin-active.d.ts +7 -0
package/dist/server/routes/admin-active.js +120 -0
package/dist/server/routes/admin-stats.d.ts +7 -0
package/dist/server/routes/admin-stats.js +176 -0
package/dist/server/routes/agent.d.ts +24 -0
package/dist/server/routes/agent.js +480 -0
package/dist/server/routes/answer.d.ts +5 -0
package/dist/server/routes/answer.js +125 -0
package/dist/server/routes/ask.d.ts +28 -0
package/dist/server/routes/ask.js +295 -0
package/dist/server/routes/batch.d.ts +6 -0
package/dist/server/routes/batch.js +493 -0
package/dist/server/routes/cache-warm.d.ts +25 -0
package/dist/server/routes/cache-warm.js +212 -0
package/dist/server/routes/cli-usage.d.ts +6 -0
package/dist/server/routes/cli-usage.js +127 -0
package/dist/server/routes/compat.d.ts +23 -0
package/dist/server/routes/compat.js +652 -0
package/dist/server/routes/crawl.d.ts +13 -0
package/dist/server/routes/crawl.js +287 -0
package/dist/server/routes/deep-fetch.d.ts +8 -0
package/dist/server/routes/deep-fetch.js +57 -0
package/dist/server/routes/deep-research.d.ts +11 -0
package/dist/server/routes/deep-research.js +232 -0
package/dist/server/routes/demo.d.ts +24 -0
package/dist/server/routes/demo.js +517 -0
package/dist/server/routes/do.d.ts +8 -0
package/dist/server/routes/do.js +72 -0
package/dist/server/routes/extract.d.ts +14 -0
package/dist/server/routes/extract.js +325 -0
package/dist/server/routes/feed.d.ts +15 -0
package/dist/server/routes/feed.js +311 -0
package/dist/server/routes/fetch-queue.d.ts +13 -0
package/dist/server/routes/fetch-queue.js +357 -0
package/dist/server/routes/fetch.d.ts +7 -0
package/dist/server/routes/fetch.js +1274 -0
package/dist/server/routes/go.d.ts +14 -0
package/dist/server/routes/go.js +81 -0
package/dist/server/routes/health.d.ts +11 -0
package/dist/server/routes/health.js +141 -0
package/dist/server/routes/jobs.d.ts +7 -0
package/dist/server/routes/jobs.js +574 -0
package/dist/server/routes/map.d.ts +11 -0
package/dist/server/routes/map.js +116 -0
package/dist/server/routes/mcp.d.ts +14 -0
package/dist/server/routes/mcp.js +197 -0
package/dist/server/routes/metrics.d.ts +37 -0
package/dist/server/routes/metrics.js +149 -0
package/dist/server/routes/oauth.d.ts +9 -0
package/dist/server/routes/oauth.js +396 -0
package/dist/server/routes/playground.d.ts +17 -0
package/dist/server/routes/playground.js +283 -0
package/dist/server/routes/reader.d.ts +18 -0
package/dist/server/routes/reader.js +192 -0
package/dist/server/routes/research.d.ts +14 -0
package/dist/server/routes/research.js +482 -0
package/dist/server/routes/screenshot.d.ts +22 -0
package/dist/server/routes/screenshot.js +820 -0
package/dist/server/routes/search.d.ts +6 -0
package/dist/server/routes/search.js +874 -0
package/dist/server/routes/session.d.ts +17 -0
package/dist/server/routes/session.js +548 -0
package/dist/server/routes/share.d.ts +18 -0
package/dist/server/routes/share.js +462 -0
package/dist/server/routes/smart-search/handlers/cars.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/cars.js +102 -0
package/dist/server/routes/smart-search/handlers/flights.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/flights.js +72 -0
package/dist/server/routes/smart-search/handlers/general.d.ts +13 -0
package/dist/server/routes/smart-search/handlers/general.js +717 -0
package/dist/server/routes/smart-search/handlers/hotels.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/hotels.js +88 -0
package/dist/server/routes/smart-search/handlers/products.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/products.js +1309 -0
package/dist/server/routes/smart-search/handlers/rental.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/rental.js +154 -0
package/dist/server/routes/smart-search/handlers/restaurants.d.ts +2 -0
package/dist/server/routes/smart-search/handlers/restaurants.js +225 -0
package/dist/server/routes/smart-search/handlers/transit-verdict.d.ts +41 -0
package/dist/server/routes/smart-search/handlers/transit-verdict.js +224 -0
package/dist/server/routes/smart-search/index.d.ts +19 -0
package/dist/server/routes/smart-search/index.js +546 -0
package/dist/server/routes/smart-search/intent.d.ts +3 -0
package/dist/server/routes/smart-search/intent.js +264 -0
package/dist/server/routes/smart-search/llm.d.ts +16 -0
package/dist/server/routes/smart-search/llm.js +70 -0
package/dist/server/routes/smart-search/sources/reddit.d.ts +18 -0
package/dist/server/routes/smart-search/sources/reddit.js +34 -0
package/dist/server/routes/smart-search/sources/yelp.d.ts +25 -0
package/dist/server/routes/smart-search/sources/yelp.js +171 -0
package/dist/server/routes/smart-search/sources/youtube.d.ts +8 -0
package/dist/server/routes/smart-search/sources/youtube.js +9 -0
package/dist/server/routes/smart-search/types.d.ts +81 -0
package/dist/server/routes/smart-search/types.js +1 -0
package/dist/server/routes/smart-search/utils.d.ts +20 -0
package/dist/server/routes/smart-search/utils.js +146 -0
package/dist/server/routes/stats.d.ts +6 -0
package/dist/server/routes/stats.js +71 -0
package/dist/server/routes/stripe.d.ts +15 -0
package/dist/server/routes/stripe.js +296 -0
package/dist/server/routes/transcript-export.d.ts +10 -0
package/dist/server/routes/transcript-export.js +178 -0
package/dist/server/routes/usage.d.ts +9 -0
package/dist/server/routes/usage.js +279 -0
package/dist/server/routes/users.d.ts +8 -0
package/dist/server/routes/users.js +1867 -0
package/dist/server/routes/watch.d.ts +15 -0
package/dist/server/routes/watch.js +309 -0
package/dist/server/routes/webhooks.d.ts +26 -0
package/dist/server/routes/webhooks.js +170 -0
package/dist/server/routes/youtube.d.ts +6 -0
package/dist/server/routes/youtube.js +130 -0
package/dist/server/sentry.d.ts +14 -0
package/dist/server/sentry.js +104 -0
package/dist/server/types.d.ts +15 -0
package/dist/server/types.js +7 -0
package/dist/server/utils/response.d.ts +44 -0
package/dist/server/utils/response.js +69 -0
package/dist/server/utils/sse.d.ts +22 -0
package/dist/server/utils/sse.js +38 -0
package/dist/types.d.ts +552 -0
package/dist/types.js +39 -0
package/llms.txt +105 -0
package/package.json +189 -0

package/dist/server/routes/users.js ADDED Viewed

@@ -0,0 +1,1867 @@
+/**
+ * User authentication and API key management routes
+ */
+import { Router } from 'express';
+import crypto from 'crypto';
+import bcrypt from 'bcrypt';
+import jwt from 'jsonwebtoken';
+import pg from 'pg';
+import { PostgresAuthStore } from '../pg-auth-store.js';
+import { sendPasswordResetEmail } from '../email-service.js';
+const { Pool } = pg;
+const BCRYPT_ROUNDS = 12;
+/**
+ * Per-email rate limiter for login attempts (brute-force protection)
+ */
+const loginAttempts = new Map();
+// Clean up expired entries every 15 minutes
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, attempt] of loginAttempts.entries()) {
+        if (now >= attempt.resetAt) {
+            loginAttempts.delete(key);
+        }
+    }
+}, 15 * 60 * 1000);
+function loginRateLimiter(req, res, next) {
+    const email = req.body?.email?.toLowerCase();
+    if (!email) {
+        next();
+        return;
+    }
+    const now = Date.now();
+    const attempt = loginAttempts.get(email);
+    if (attempt && now < attempt.resetAt) {
+        if (attempt.count >= 5) {
+            res.status(429).json({
+                success: false,
+                error: {
+                    type: 'too_many_attempts',
+                    message: 'Too many login attempts. Please try again in 15 minutes.',
+                    hint: 'Wait 15 minutes before trying again.',
+                    docs: 'https://webpeel.dev/docs/errors#too_many_attempts',
+                },
+                retryAfter: Math.ceil((attempt.resetAt - now) / 1000),
+                requestId: crypto.randomUUID(),
+            });
+            return;
+        }
+        attempt.count++;
+    }
+    else {
+        loginAttempts.set(email, { count: 1, resetAt: now + 15 * 60 * 1000 });
+    }
+    next();
+}
+/**
+ * Per-IP rate limiter for refresh endpoint (brute-force protection)
+ */
+const refreshAttempts = new Map();
+setInterval(() => {
+    const now = Date.now();
+    for (const [key, attempt] of refreshAttempts.entries()) {
+        if (now >= attempt.resetAt) {
+            refreshAttempts.delete(key);
+        }
+    }
+}, 15 * 60 * 1000);
+function refreshRateLimiter(req, res, next) {
+    const ip = req.headers['cf-connecting-ip'] ||
+        req.headers['x-forwarded-for']?.split(',')[0]?.trim() ||
+        req.ip ||
+        'unknown';
+    const now = Date.now();
+    const attempt = refreshAttempts.get(ip);
+    if (attempt && now < attempt.resetAt) {
+        if (attempt.count >= 10) {
+            res.status(429).json({
+                success: false,
+                error: {
+                    type: 'too_many_attempts',
+                    message: 'Too many refresh attempts. Please try again in 15 minutes.',
+                    hint: 'Wait 15 minutes before trying again.',
+                    docs: 'https://webpeel.dev/docs/errors#too_many_attempts',
+                },
+                retryAfter: Math.ceil((attempt.resetAt - now) / 1000),
+                requestId: crypto.randomUUID(),
+            });
+            return;
+        }
+        attempt.count++;
+    }
+    else {
+        refreshAttempts.set(ip, { count: 1, resetAt: now + 15 * 60 * 1000 });
+    }
+    next();
+}
+/**
+ * Validate email format
+ */
+function isValidEmail(email) {
+    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    return emailRegex.test(email);
+}
+/**
+ * Validate password strength
+ */
+function isValidPassword(password) {
+    // bcrypt silently truncates at 72 bytes — enforce a max to prevent confusion
+    return password.length >= 8 && password.length <= 128;
+}
+/**
+ * JWT authentication middleware
+ */
+function jwtAuth(req, res, next) {
+    try {
+        const authHeader = req.headers.authorization;
+        if (!authHeader?.startsWith('Bearer ')) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    type: 'missing_token',
+                    message: 'JWT token required. Provide via Authorization: Bearer <token>',
+                    hint: 'Include your JWT in the Authorization header: Bearer <token>',
+                    docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                },
+                requestId: crypto.randomUUID(),
+            });
+            return;
+        }
+        const token = authHeader.slice(7);
+        const jwtSecret = process.env.JWT_SECRET;
+        if (!jwtSecret) {
+            throw new Error('JWT_SECRET environment variable not configured');
+        }
+        const payload = jwt.verify(token, jwtSecret);
+        // Attach user info to request
+        req.user = payload;
+        next();
+    }
+    catch (error) {
+        if (error instanceof jwt.JsonWebTokenError) {
+            res.status(401).json({
+                success: false,
+                error: {
+                    type: 'invalid_token',
+                    message: 'Invalid or expired JWT token',
+                    hint: 'Log in again to get a new token.',
+                    docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                },
+                requestId: crypto.randomUUID(),
+            });
+            return;
+        }
+        res.status(500).json({
+            success: false,
+            error: {
+                type: 'auth_error',
+                message: 'Authentication failed',
+                docs: 'https://webpeel.dev/docs/errors#auth_error',
+            },
+            requestId: crypto.randomUUID(),
+        });
+    }
+}
+/**
+ * Create user routes
+ */
+export function createUserRouter() {
+    const router = Router();
+    const dbUrl = process.env.DATABASE_URL;
+    if (!dbUrl) {
+        throw new Error('DATABASE_URL environment variable is required');
+    }
+    const pool = new Pool({
+        connectionString: dbUrl,
+        // TLS: enabled when DATABASE_URL contains sslmode=require.
+        // Secure by default (rejectUnauthorized: true); set PG_REJECT_UNAUTHORIZED=false
+        // only for managed DBs (Render/Neon/Supabase) that use self-signed certs.
+        ssl: process.env.DATABASE_URL?.includes('sslmode=require')
+            ? { rejectUnauthorized: process.env.PG_REJECT_UNAUTHORIZED !== 'false' }
+            : undefined,
+    });
+    // Initialize refresh_tokens table on startup
+    pool.query(`
+    CREATE TABLE IF NOT EXISTS refresh_tokens (
+      id TEXT PRIMARY KEY,
+      user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      expires_at TIMESTAMPTZ NOT NULL,
+      revoked_at TIMESTAMPTZ,
+      created_at TIMESTAMPTZ DEFAULT NOW()
+    )
+  `).then(() => pool.query(`CREATE INDEX IF NOT EXISTS idx_refresh_tokens_user ON refresh_tokens(user_id)`)).catch((err) => {
+        console.error('Failed to initialize refresh_tokens table:', err);
+    });
+    /**
+     * Helper: generate a refresh token and store its jti in the database
+     */
+    async function createRefreshToken(userId, jwtSecret) {
+        const jti = crypto.randomUUID();
+        const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // 30 days
+        await pool.query(`INSERT INTO refresh_tokens (id, user_id, expires_at) VALUES ($1, $2, $3)`, [jti, userId, expiresAt]);
+        return jwt.sign({ userId, jti }, jwtSecret, { expiresIn: '30d' });
+    }
+    /**
+     * POST /v1/auth/register
+     * Register a new user and create their first API key
+     */
+    router.post('/v1/auth/register', async (req, res) => {
+        try {
+            const { email, password } = req.body;
+            // Input validation
+            if (!email || !password) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'missing_fields',
+                        message: 'Email and password are required',
+                        hint: 'Provide both email and password in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#missing_fields',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (!isValidEmail(email)) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_email',
+                        message: 'Invalid email format',
+                        hint: 'Provide a valid email address (e.g. user@example.com).',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_email',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (!isValidPassword(password)) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'weak_password',
+                        message: 'Password must be at least 8 characters',
+                        hint: 'Choose a password with at least 8 characters.',
+                        docs: 'https://webpeel.dev/docs/errors#weak_password',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Hash password
+            const passwordHash = await bcrypt.hash(password, BCRYPT_ROUNDS);
+            // Create user
+            const userResult = await pool.query(`INSERT INTO users (email, password_hash, tier, weekly_limit, burst_limit, rate_limit)
+        VALUES ($1, $2, 'free', 500, 50, 10)
+        RETURNING id, email, tier, weekly_limit, burst_limit, rate_limit, created_at`, [email, passwordHash]);
+            const user = userResult.rows[0];
+            // Generate API key
+            const apiKey = PostgresAuthStore.generateApiKey();
+            const keyHash = crypto.createHash('sha256').update(apiKey).digest('hex');
+            const keyPrefix = PostgresAuthStore.getKeyPrefix(apiKey);
+            // Store API key
+            await pool.query(`INSERT INTO api_keys (user_id, key_hash, key_prefix, name)
+        VALUES ($1, $2, $3, 'Default')`, [user.id, keyHash, keyPrefix]);
+            const signupTimestamp = new Date().toISOString();
+            res.status(201).json({
+                user: {
+                    id: user.id,
+                    email: user.email,
+                    tier: user.tier,
+                    weeklyLimit: user.weekly_limit,
+                    burstLimit: user.burst_limit,
+                    rateLimit: user.rate_limit,
+                    createdAt: user.created_at,
+                },
+                apiKey, // SECURITY: Only returned once, never stored or shown again
+            });
+            // Fire-and-forget Discord webhook for successful signups; never block registration on webhook errors.
+            try {
+                const webhookUrl = process.env.DISCORD_SIGNUP_WEBHOOK;
+                if (webhookUrl) {
+                    void fetch(webhookUrl, {
+                        method: 'POST',
+                        headers: { 'Content-Type': 'application/json' },
+                        body: JSON.stringify({
+                            embeds: [{
+                                    title: '🎉 New Signup',
+                                    color: 9133302,
+                                    fields: [
+                                        { name: 'Email', value: email, inline: true },
+                                        { name: 'Tier', value: 'Free', inline: true },
+                                        { name: 'Timestamp', value: signupTimestamp, inline: false },
+                                    ],
+                                    timestamp: signupTimestamp,
+                                    footer: { text: 'WebPeel Signups' },
+                                }],
+                        }),
+                    }).catch(() => { });
+                }
+            }
+            catch (e) {
+                if (process.env.DEBUG)
+                    console.debug('[webpeel]', 'discord webhook failed:', e instanceof Error ? e.message : e);
+            }
+        }
+        catch (error) {
+            if (error.code === '23505') { // Unique violation
+                res.status(409).json({
+                    success: false,
+                    error: {
+                        type: 'email_exists',
+                        message: 'Email already registered',
+                        hint: 'Try logging in instead, or use a different email.',
+                        docs: 'https://webpeel.dev/docs/errors#email_exists',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            console.error('Registration error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'registration_failed',
+                    message: 'Failed to register user',
+                    docs: 'https://webpeel.dev/docs/errors#registration_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/auth/login
+     * Login with email/password and get JWT token
+     */
+    router.post('/v1/auth/login', loginRateLimiter, async (req, res) => {
+        try {
+            const { email, password } = req.body;
+            if (!email || !password) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'missing_fields',
+                        message: 'Email and password are required',
+                        hint: 'Provide both email and password in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#missing_fields',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Get user
+            const result = await pool.query('SELECT id, email, password_hash, tier FROM users WHERE email = $1', [email]);
+            // Constant-time auth: always run bcrypt.compare to prevent timing oracle
+            // (prevents user enumeration via response time differences)
+            const DUMMY_HASH = '$2b$12$LJ7F3mGTqKmEqFv5GsNXxeIkYwJwgJkOqSvKqGqKqGqKqGqKqGqKq';
+            const user = result.rows[0];
+            const hashToCompare = user?.password_hash ?? DUMMY_HASH;
+            const passwordValid = await bcrypt.compare(password, hashToCompare);
+            if (!user || !passwordValid) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_credentials',
+                        message: 'Invalid email or password',
+                        hint: 'Check your email and password and try again.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Generate JWT
+            const jwtSecret = process.env.JWT_SECRET;
+            if (!jwtSecret) {
+                throw new Error('JWT_SECRET not configured');
+            }
+            const token = jwt.sign({
+                userId: user.id,
+                email: user.email,
+                tier: user.tier,
+            }, jwtSecret, { expiresIn: '7d' });
+            let refreshToken = null;
+            try {
+                refreshToken = await createRefreshToken(user.id, jwtSecret);
+            }
+            catch (refreshErr) {
+                console.error('Refresh token creation failed (login will continue without it):', refreshErr);
+            }
+            res.json({
+                token,
+                ...(refreshToken ? { refreshToken } : {}),
+                expiresIn: 604800,
+                user: {
+                    id: user.id,
+                    email: user.email,
+                    tier: user.tier,
+                },
+            });
+        }
+        catch (error) {
+            console.error('Login error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'login_failed',
+                    message: 'Failed to login',
+                    docs: 'https://webpeel.dev/docs/errors#login_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/auth/refresh
+     * Exchange a valid refresh token for a new access token + refresh token
+     */
+    router.post('/v1/auth/refresh', refreshRateLimiter, async (req, res) => {
+        try {
+            const { refreshToken } = req.body;
+            if (!refreshToken) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'missing_token',
+                        message: 'refreshToken is required',
+                        hint: 'Include the refreshToken from your previous login response.',
+                        docs: 'https://webpeel.dev/docs/errors#missing_token',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const jwtSecret = process.env.JWT_SECRET;
+            if (!jwtSecret) {
+                throw new Error('JWT_SECRET not configured');
+            }
+            // Verify JWT signature + expiry
+            let payload;
+            try {
+                payload = jwt.verify(refreshToken, jwtSecret);
+            }
+            catch {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_token',
+                        message: 'Invalid or expired refresh token',
+                        hint: 'Log in again to get a new refresh token.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Check token is not revoked and still exists
+            const tokenResult = await pool.query(`SELECT id, user_id, revoked_at FROM refresh_tokens WHERE id = $1`, [payload.jti]);
+            if (tokenResult.rows.length === 0 || tokenResult.rows[0].revoked_at !== null) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'token_revoked',
+                        message: 'Refresh token has been revoked',
+                        hint: 'Log in again to get a new refresh token.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Get current user info (tier may have changed)
+            const userResult = await pool.query('SELECT id, email, tier FROM users WHERE id = $1', [payload.userId]);
+            if (userResult.rows.length === 0) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User no longer exists',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const user = userResult.rows[0];
+            // Revoke old refresh token (rotate tokens)
+            await pool.query(`UPDATE refresh_tokens SET revoked_at = NOW() WHERE id = $1`, [payload.jti]);
+            // Issue new access token (7d) + new refresh token (30d)
+            const newToken = jwt.sign({
+                userId: user.id,
+                email: user.email,
+                tier: user.tier,
+            }, jwtSecret, { expiresIn: '7d' });
+            const newRefreshToken = await createRefreshToken(user.id, jwtSecret);
+            res.json({
+                token: newToken,
+                refreshToken: newRefreshToken,
+                expiresIn: 604800,
+            });
+        }
+        catch (error) {
+            console.error('Refresh token error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'refresh_failed',
+                    message: 'Failed to refresh token',
+                    docs: 'https://webpeel.dev/docs/errors#refresh_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/auth/revoke
+     * Revoke all refresh tokens for the current user (logout all devices)
+     */
+    router.post('/v1/auth/revoke', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            await pool.query(`UPDATE refresh_tokens SET revoked_at = NOW() WHERE user_id = $1 AND revoked_at IS NULL`, [userId]);
+            res.json({ success: true, message: 'All refresh tokens revoked' });
+        }
+        catch (error) {
+            console.error('Revoke tokens error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'revoke_failed',
+                    message: 'Failed to revoke tokens',
+                    docs: 'https://webpeel.dev/docs/errors#revoke_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/auth/forgot-password
+     * Request a password reset email. Always returns success to prevent email enumeration.
+     */
+    router.post('/v1/auth/forgot-password', async (req, res) => {
+        const { email } = req.body;
+        // Always return success (prevent email enumeration)
+        res.json({ success: true, message: 'If an account exists, a reset link has been sent.' });
+        // Background: check if user exists, generate token, send email
+        if (!email || typeof email !== 'string')
+            return;
+        try {
+            const userResult = await pool.query('SELECT id, email FROM users WHERE email = $1', [email.toLowerCase().trim()]);
+            if (userResult.rows.length === 0)
+                return; // User doesn't exist — silently ignore
+            const user = userResult.rows[0];
+            // Generate a secure random token
+            const token = crypto.randomBytes(32).toString('hex');
+            const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+            const expiresAt = new Date(Date.now() + 60 * 60 * 1000); // 1 hour
+            // Invalidate any existing tokens for this user
+            await pool.query('UPDATE password_reset_tokens SET used = true WHERE user_id = $1 AND used = false', [user.id]);
+            // Store hashed token
+            await pool.query('INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES ($1, $2, $3)', [user.id, tokenHash, expiresAt]);
+            // Send email
+            const resetUrl = `https://app.webpeel.dev/reset-password?token=${token}`;
+            await sendPasswordResetEmail(user.email, resetUrl);
+        }
+        catch (err) {
+            console.error('[auth] forgot-password error:', err);
+        }
+    });
+    /**
+     * POST /v1/auth/reset-password
+     * Reset a user's password using a valid reset token.
+     */
+    router.post('/v1/auth/reset-password', async (req, res) => {
+        const { token, password } = req.body;
+        if (!token || !password) {
+            return res.status(400).json({ success: false, error: { type: 'invalid_request', message: 'Token and password are required.' } });
+        }
+        if (password.length < 8) {
+            return res.status(400).json({ success: false, error: { type: 'invalid_request', message: 'Password must be at least 8 characters.' } });
+        }
+        try {
+            const tokenHash = crypto.createHash('sha256').update(token).digest('hex');
+            const result = await pool.query('SELECT id, user_id, expires_at, used FROM password_reset_tokens WHERE token_hash = $1', [tokenHash]);
+            if (result.rows.length === 0) {
+                return res.status(400).json({ success: false, error: { type: 'invalid_token', message: 'Invalid or expired reset link.' } });
+            }
+            const resetToken = result.rows[0];
+            if (resetToken.used) {
+                return res.status(400).json({ success: false, error: { type: 'token_used', message: 'This reset link has already been used.' } });
+            }
+            if (new Date(resetToken.expires_at) < new Date()) {
+                return res.status(400).json({ success: false, error: { type: 'token_expired', message: 'This reset link has expired. Please request a new one.' } });
+            }
+            // Hash new password using same method as registration
+            const passwordHash = await bcrypt.hash(password, BCRYPT_ROUNDS);
+            // Update password
+            await pool.query('UPDATE users SET password_hash = $1, updated_at = now() WHERE id = $2', [passwordHash, resetToken.user_id]);
+            // Mark token as used
+            await pool.query('UPDATE password_reset_tokens SET used = true WHERE id = $1', [resetToken.id]);
+            return res.json({ success: true, message: 'Password has been reset successfully.' });
+        }
+        catch (err) {
+            console.error('[auth] reset-password error:', err);
+            return res.status(500).json({ success: false, error: { type: 'server_error', message: 'Failed to reset password.' } });
+        }
+    });
+    /**
+     * GET /v1/me
+     * Get current user profile and usage
+     */
+    router.get('/v1/me', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const result = await pool.query(`SELECT
+          u.id, u.email, u.tier, u.weekly_limit, u.burst_limit, u.rate_limit, u.created_at,
+          u.stripe_customer_id, u.stripe_subscription_id
+        FROM users u
+        WHERE u.id = $1`, [userId]);
+            if (result.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const user = result.rows[0];
+            res.json({
+                id: user.id,
+                email: user.email,
+                tier: user.tier,
+                weeklyLimit: user.weekly_limit,
+                burstLimit: user.burst_limit,
+                rateLimit: user.rate_limit,
+                createdAt: user.created_at,
+                hasStripe: !!user.stripe_customer_id,
+            });
+        }
+        catch (error) {
+            console.error('Get profile error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'profile_failed',
+                    message: 'Failed to get profile',
+                    docs: 'https://webpeel.dev/docs/errors#profile_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * PATCH /v1/me
+     * Update current user's profile (name)
+     */
+    router.patch('/v1/me', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { name } = req.body;
+            if (!name || typeof name !== 'string' || name.trim().length === 0) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'name_required',
+                        message: 'Name is required',
+                        hint: 'Provide a non-empty "name" field in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#name_required',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (name.length > 100) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_name',
+                        message: 'Name must be 100 characters or less',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_name',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const result = await pool.query('UPDATE users SET name = $1, updated_at = now() WHERE id = $2 RETURNING id, email, name, tier', [name.trim(), userId]);
+            if (result.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            res.json({ user: result.rows[0] });
+        }
+        catch (error) {
+            console.error('Update me error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'update_failed',
+                    message: 'Failed to update profile',
+                    docs: 'https://webpeel.dev/docs/errors#update_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * Parse expiresIn parameter to a Date or null (null = never expires)
+     */
+    function parseExpiresIn(expiresIn) {
+        if (!expiresIn || expiresIn === 'never')
+            return null;
+        const now = new Date();
+        switch (expiresIn) {
+            case '7d': return new Date(now.getTime() + 7 * 24 * 60 * 60 * 1000);
+            case '30d': return new Date(now.getTime() + 30 * 24 * 60 * 60 * 1000);
+            case '90d': return new Date(now.getTime() + 90 * 24 * 60 * 60 * 1000);
+            case '1y': return new Date(now.getTime() + 365 * 24 * 60 * 60 * 1000);
+            default: {
+                // Try ISO date string
+                const parsed = new Date(expiresIn);
+                if (!isNaN(parsed.getTime()) && parsed > now)
+                    return parsed;
+                return null;
+            }
+        }
+    }
+    /**
+     * POST /v1/keys
+     * Create a new API key
+     */
+    router.post('/v1/keys', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { name, expiresIn, scope } = req.body;
+            // Validate scope — only allow known values; default to 'full'
+            const validScopes = ['full', 'read', 'restricted'];
+            const keyScope = validScopes.includes(scope) ? scope : 'full';
+            // Parse optional expiration
+            const expiresAt = parseExpiresIn(expiresIn);
+            // Generate API key
+            const apiKey = PostgresAuthStore.generateApiKey();
+            const keyHash = crypto.createHash('sha256').update(apiKey).digest('hex');
+            const keyPrefix = PostgresAuthStore.getKeyPrefix(apiKey);
+            // Store API key
+            const result = await pool.query(`INSERT INTO api_keys (user_id, key_hash, key_prefix, name, expires_at, scope)
+        VALUES ($1, $2, $3, $4, $5, $6)
+        RETURNING id, key_prefix, name, created_at, expires_at, scope`, [userId, keyHash, keyPrefix, name || 'Unnamed Key', expiresAt, keyScope]);
+            const key = result.rows[0];
+            res.status(201).json({
+                id: key.id,
+                key: apiKey, // SECURITY: Only returned once
+                prefix: key.key_prefix,
+                name: key.name,
+                scope: key.scope,
+                createdAt: key.created_at,
+                expiresAt: key.expires_at,
+            });
+        }
+        catch (error) {
+            console.error('Create key error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'key_creation_failed',
+                    message: 'Failed to create API key',
+                    docs: 'https://webpeel.dev/docs/errors#key_creation_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * Format expiry as human-readable string
+     */
+    function formatExpiresIn(expiresAt) {
+        if (!expiresAt)
+            return null;
+        const now = new Date();
+        const diffMs = expiresAt.getTime() - now.getTime();
+        const diffDays = Math.round(diffMs / (24 * 60 * 60 * 1000));
+        if (diffDays < 0) {
+            const absDays = Math.abs(diffDays);
+            return absDays === 1 ? 'expired 1 day ago' : `expired ${absDays} days ago`;
+        }
+        if (diffDays === 0)
+            return 'expires today';
+        if (diffDays === 1)
+            return 'in 1 day';
+        return `in ${diffDays} days`;
+    }
+    /**
+     * GET /v1/keys
+     * List user's API keys (prefix only, never full key)
+     */
+    router.get('/v1/keys', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const result = await pool.query(`SELECT id, key_prefix, name, is_active, created_at, last_used_at, expires_at, scope
+        FROM api_keys
+        WHERE user_id = $1
+        ORDER BY created_at DESC`, [userId]);
+            const now = new Date();
+            res.json({
+                keys: result.rows.map(key => {
+                    const expiresAt = key.expires_at ? new Date(key.expires_at) : null;
+                    const isExpired = expiresAt !== null && expiresAt <= now;
+                    return {
+                        id: key.id,
+                        prefix: key.key_prefix,
+                        name: key.name,
+                        isActive: key.is_active,
+                        scope: key.scope || 'full',
+                        createdAt: key.created_at,
+                        lastUsedAt: key.last_used_at,
+                        expiresAt: key.expires_at,
+                        isExpired,
+                        expiresIn: formatExpiresIn(expiresAt),
+                    };
+                }),
+            });
+        }
+        catch (error) {
+            console.error('List keys error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'list_keys_failed',
+                    message: 'Failed to list API keys',
+                    docs: 'https://webpeel.dev/docs/errors#list_keys_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * PATCH /v1/keys/:id
+     * Update an API key (currently: name only)
+     */
+    router.patch('/v1/keys/:id', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { id } = req.params;
+            const { name } = req.body;
+            if (!name || typeof name !== 'string' || name.trim().length === 0) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_name',
+                        message: 'Key name is required',
+                        hint: 'Provide a non-empty "name" field in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_name',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (name.length > 64) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_name',
+                        message: 'Key name must be 64 characters or less',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_name',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const result = await pool.query(`UPDATE api_keys SET name = $1 WHERE id = $2 AND user_id = $3 RETURNING id, name, key_prefix, created_at, last_used_at, is_active, expires_at`, [name.trim(), id, userId]);
+            if (result.rowCount === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'not_found',
+                        message: 'API key not found',
+                        docs: 'https://webpeel.dev/docs/errors#not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const key = result.rows[0];
+            res.json({
+                id: key.id,
+                name: key.name,
+                prefix: key.key_prefix,
+                createdAt: key.created_at,
+                lastUsedAt: key.last_used_at,
+                isActive: key.is_active,
+                expiresAt: key.expires_at,
+            });
+        }
+        catch (error) {
+            console.error('Update key error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'update_failed',
+                    message: 'Failed to update API key',
+                    docs: 'https://webpeel.dev/docs/errors#update_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * DELETE /v1/keys/:id
+     * Deactivate an API key
+     */
+    router.delete('/v1/keys/:id', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { id } = req.params;
+            // Verify ownership and deactivate
+            const result = await pool.query(`UPDATE api_keys
+        SET is_active = false
+        WHERE id = $1 AND user_id = $2
+        RETURNING id`, [id, userId]);
+            if (result.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'key_not_found',
+                        message: 'API key not found or access denied',
+                        docs: 'https://webpeel.dev/docs/errors#not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            res.json({
+                success: true,
+                message: 'API key deactivated',
+            });
+        }
+        catch (error) {
+            console.error('Delete key error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'delete_key_failed',
+                    message: 'Failed to delete API key',
+                    docs: 'https://webpeel.dev/docs/errors#delete_key_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * GET /v1/usage
+     * Get current week usage + limits + burst + extra usage
+     */
+    router.get('/v1/usage', async (req, res) => {
+        try {
+            // Accept both JWT session tokens and API keys
+            const userId = req.user?.userId || req.auth?.keyInfo?.accountId;
+            if (!userId) {
+                // Fall back to jwtAuth behavior for informative error
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'unauthorized',
+                        message: 'Authentication required. Provide a JWT token or API key.',
+                        hint: 'Get a free API key at https://app.webpeel.dev/keys',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Helper: Get current ISO week
+            const getCurrentWeek = () => {
+                const now = new Date();
+                const year = now.getUTCFullYear();
+                const jan4 = new Date(Date.UTC(year, 0, 4));
+                const weekNum = Math.ceil(((now.getTime() - jan4.getTime()) / 86400000 + jan4.getUTCDay() + 1) / 7);
+                return `${year}-W${String(weekNum).padStart(2, '0')}`;
+            };
+            // Helper: Get current hour bucket
+            const getCurrentHour = () => {
+                return new Date().toISOString().substring(0, 13);
+            };
+            // Helper: Get week reset time
+            const getWeekResetTime = () => {
+                const now = new Date();
+                const dayOfWeek = now.getUTCDay();
+                const daysUntilMonday = dayOfWeek === 0 ? 1 : 8 - dayOfWeek;
+                const nextMonday = new Date(now);
+                nextMonday.setUTCDate(now.getUTCDate() + daysUntilMonday);
+                nextMonday.setUTCHours(0, 0, 0, 0);
+                return nextMonday.toISOString();
+            };
+            // Helper: Get time until next hour
+            const getTimeUntilNextHour = () => {
+                const now = new Date();
+                const minutesRemaining = 59 - now.getUTCMinutes();
+                if (minutesRemaining === 0)
+                    return '< 1 min';
+                return `${minutesRemaining} min`;
+            };
+            // Helper: Get next month reset
+            const getMonthResetTime = () => {
+                const now = new Date();
+                return new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth() + 1, 1, 0, 0, 0, 0)).toISOString();
+            };
+            const currentWeek = getCurrentWeek();
+            const currentHour = getCurrentHour();
+            // Get user plan info
+            const planResult = await pool.query(`SELECT tier, weekly_limit, burst_limit FROM users WHERE id = $1`, [userId]);
+            if (planResult.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const plan = planResult.rows[0];
+            // Get weekly usage
+            const weeklyResult = await pool.query(`SELECT
+          COALESCE(SUM(wu.basic_count), 0) as basic_used,
+          COALESCE(SUM(wu.stealth_count), 0) as stealth_used,
+          COALESCE(SUM(wu.captcha_count), 0) as captcha_used,
+          COALESCE(SUM(wu.search_count), 0) as search_used,
+          COALESCE(SUM(wu.total_count), 0) as total_used,
+          COALESCE(MAX(wu.rollover_credits), 0) as rollover_credits
+        FROM users u
+        LEFT JOIN api_keys ak ON ak.user_id = u.id
+        LEFT JOIN weekly_usage wu ON wu.api_key_id = ak.id AND wu.week = $2
+        WHERE u.id = $1
+        GROUP BY u.id`, [userId, currentWeek]);
+            let weeklyUsage = weeklyResult.rows[0] || {
+                basic_used: 0,
+                stealth_used: 0,
+                captcha_used: 0,
+                search_used: 0,
+                total_used: 0,
+                rollover_credits: 0,
+            };
+            // Fallback: if weekly_usage is 0 but usage_logs has entries (e.g. playground/JWT auth),
+            // count from usage_logs for the current week so the counter reflects real activity
+            if (parseInt(weeklyUsage.total_used) === 0) {
+                const weekStart = currentWeek; // e.g. "2026-W10"
+                const [weekYear, weekNum] = weekStart.split('-W').map(Number);
+                // Compute the start of the week (Monday) from ISO week number
+                const jan4 = new Date(weekYear, 0, 4);
+                const dayOfWeek = jan4.getDay() || 7;
+                const weekStartDate = new Date(jan4);
+                weekStartDate.setDate(jan4.getDate() - (dayOfWeek - 1) + (weekNum - 1) * 7);
+                weekStartDate.setHours(0, 0, 0, 0);
+                const logResult = await pool.query(`SELECT COUNT(*) as total_used FROM usage_logs WHERE user_id = $1 AND created_at >= $2`, [userId, weekStartDate.toISOString()]).catch(() => ({ rows: [{ total_used: 0 }] }));
+                const logCount = parseInt(logResult.rows[0]?.total_used) || 0;
+                if (logCount > 0) {
+                    weeklyUsage = { ...weeklyUsage, total_used: logCount, basic_used: logCount };
+                }
+            }
+            const totalAvailable = plan.weekly_limit + weeklyUsage.rollover_credits;
+            const remaining = Math.max(0, totalAvailable - weeklyUsage.total_used);
+            const percentUsed = totalAvailable > 0 ? Math.round((weeklyUsage.total_used / totalAvailable) * 100) : 0;
+            // Get burst usage (current hour)
+            const burstResult = await pool.query(`SELECT COALESCE(SUM(bu.count), 0) as burst_used
+        FROM users u
+        LEFT JOIN api_keys ak ON ak.user_id = u.id
+        LEFT JOIN burst_usage bu ON bu.api_key_id = ak.id AND bu.hour_bucket = $2
+        WHERE u.id = $1`, [userId, currentHour]);
+            const burstUsed = burstResult.rows[0]?.burst_used || 0;
+            const burstPercent = plan.burst_limit > 0 ? Math.round((burstUsed / plan.burst_limit) * 100) : 0;
+            // Get extra usage info
+            const extraResult = await pool.query(`SELECT
+          extra_usage_enabled,
+          extra_usage_balance,
+          extra_usage_spent,
+          extra_usage_spending_limit,
+          auto_reload_enabled
+        FROM users
+        WHERE id = $1`, [userId]);
+            const extra = extraResult.rows[0];
+            const extraPercent = extra.extra_usage_spending_limit > 0
+                ? Math.round((parseFloat(extra.extra_usage_spent) / parseFloat(extra.extra_usage_spending_limit)) * 100)
+                : 0;
+            res.json({
+                plan: {
+                    tier: plan.tier,
+                    weeklyLimit: plan.weekly_limit,
+                    burstLimit: plan.burst_limit,
+                },
+                session: {
+                    burstUsed,
+                    burstLimit: plan.burst_limit,
+                    resetsIn: getTimeUntilNextHour(),
+                    percentUsed: burstPercent,
+                },
+                weekly: {
+                    week: currentWeek,
+                    basicUsed: weeklyUsage.basic_used,
+                    stealthUsed: weeklyUsage.stealth_used,
+                    captchaUsed: weeklyUsage.captcha_used,
+                    searchUsed: weeklyUsage.search_used,
+                    totalUsed: weeklyUsage.total_used,
+                    totalAvailable,
+                    rolloverCredits: weeklyUsage.rollover_credits,
+                    remaining,
+                    percentUsed,
+                    resetsAt: getWeekResetTime(),
+                },
+                extraUsage: {
+                    enabled: extra.extra_usage_enabled,
+                    spent: parseFloat(extra.extra_usage_spent),
+                    spendingLimit: parseFloat(extra.extra_usage_spending_limit),
+                    balance: parseFloat(extra.extra_usage_balance),
+                    autoReload: extra.auto_reload_enabled,
+                    percentUsed: extraPercent,
+                    resetsAt: getMonthResetTime(),
+                },
+            });
+        }
+        catch (error) {
+            console.error('Get usage error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'usage_failed',
+                    message: 'Failed to get usage',
+                    docs: 'https://webpeel.dev/docs/errors#usage_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * GET /v1/usage/history
+     * Get daily usage history for the past N days (default 7)
+     */
+    router.get('/v1/usage/history', async (req, res) => {
+        try {
+            const userId = req.user?.userId || req.auth?.keyInfo?.accountId;
+            if (!userId) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'unauthorized',
+                        message: 'Authentication required.',
+                        hint: 'Get a free API key at https://app.webpeel.dev/keys',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const days = Math.min(Math.max(parseInt(req.query.days) || 7, 1), 90);
+            // Get daily usage from usage_logs table
+            const result = await pool.query(`SELECT
+          DATE(created_at) as date,
+          COUNT(*) FILTER (WHERE method = 'basic' OR method IS NULL) as fetches,
+          COUNT(*) FILTER (WHERE method = 'stealth') as stealth,
+          COUNT(*) FILTER (WHERE method = 'search') as search
+        FROM usage_logs
+        WHERE user_id = $1
+          AND created_at >= NOW() - INTERVAL '1 day' * $2
+        GROUP BY DATE(created_at)
+        ORDER BY date ASC`, [userId, days]);
+            // Fill in missing days with zeros
+            const history = [];
+            const now = new Date();
+            for (let i = days - 1; i >= 0; i--) {
+                const d = new Date(now);
+                d.setUTCDate(d.getUTCDate() - i);
+                const dateStr = d.toISOString().substring(0, 10);
+                const row = result.rows.find((r) => r.date?.toISOString?.().substring(0, 10) === dateStr || r.date === dateStr);
+                history.push({
+                    date: dateStr,
+                    fetches: parseInt(row?.fetches || '0', 10),
+                    stealth: parseInt(row?.stealth || '0', 10),
+                    search: parseInt(row?.search || '0', 10),
+                });
+            }
+            res.json({ history });
+        }
+        catch (error) {
+            console.error('Get usage history error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'history_failed',
+                    message: 'Failed to get usage history',
+                    docs: 'https://webpeel.dev/docs/errors#history_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/extra-usage/toggle
+     * Enable/disable extra usage
+     */
+    router.post('/v1/extra-usage/toggle', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { enabled } = req.body;
+            if (typeof enabled !== 'boolean') {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_request',
+                        message: 'enabled must be a boolean',
+                        hint: 'Pass enabled: true or enabled: false in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_request',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            await pool.query('UPDATE users SET extra_usage_enabled = $1, updated_at = now() WHERE id = $2', [enabled, userId]);
+            res.json({
+                success: true,
+                enabled,
+            });
+        }
+        catch (error) {
+            console.error('Toggle extra usage error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'toggle_failed',
+                    message: 'Failed to toggle extra usage',
+                    docs: 'https://webpeel.dev/docs/errors#toggle_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/extra-usage/limit
+     * Adjust spending limit
+     */
+    router.post('/v1/extra-usage/limit', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { limit } = req.body;
+            if (typeof limit !== 'number' || limit < 10 || limit > 500) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_limit',
+                        message: 'Limit must be a number between 10 and 500',
+                        hint: 'Pass a numeric limit between 10 and 500 in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_limit',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            await pool.query('UPDATE users SET extra_usage_spending_limit = $1, updated_at = now() WHERE id = $2', [limit, userId]);
+            res.json({
+                success: true,
+                limit,
+            });
+        }
+        catch (error) {
+            console.error('Set limit error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'limit_failed',
+                    message: 'Failed to set spending limit',
+                    docs: 'https://webpeel.dev/docs/errors#limit_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * POST /v1/extra-usage/buy
+     * Add to extra usage balance (future: Stripe checkout)
+     */
+    router.post('/v1/extra-usage/buy', jwtAuth, async (_req, res) => {
+        // DISABLED: Stripe integration in progress
+        res.status(501).json({
+            success: false,
+            error: {
+                type: 'not_implemented',
+                message: 'Extra usage purchases are available through our billing portal. Visit https://app.webpeel.dev/billing',
+                hint: 'Visit https://app.webpeel.dev/billing to manage your usage.',
+                docs: 'https://webpeel.dev/docs/errors#not_implemented',
+            },
+            requestId: crypto.randomUUID(),
+        });
+    });
+    /**
+     * PATCH /v1/user/profile
+     * Update user profile (name, avatar)
+     */
+    router.patch('/v1/user/profile', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { name, avatarUrl } = req.body;
+            // Validate inputs
+            if (name && typeof name !== 'string') {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_name',
+                        message: 'Name must be a string',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_name',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (name && name.length > 100) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_name',
+                        message: 'Name too long (max 100 characters)',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_name',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (avatarUrl && typeof avatarUrl !== 'string') {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_avatar',
+                        message: 'Avatar URL must be a string',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_avatar',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (avatarUrl && avatarUrl.length > 500) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_avatar',
+                        message: 'Avatar URL too long (max 500 characters)',
+                        docs: 'https://webpeel.dev/docs/errors#invalid_avatar',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (avatarUrl) {
+                try {
+                    const parsed = new URL(avatarUrl);
+                    if (!['http:', 'https:'].includes(parsed.protocol)) {
+                        res.status(400).json({
+                            success: false,
+                            error: {
+                                type: 'invalid_avatar',
+                                message: 'Avatar URL must use http or https protocol',
+                                docs: 'https://webpeel.dev/docs/errors#invalid_avatar',
+                            },
+                            requestId: crypto.randomUUID(),
+                        });
+                        return;
+                    }
+                }
+                catch {
+                    res.status(400).json({
+                        success: false,
+                        error: {
+                            type: 'invalid_avatar',
+                            message: 'Avatar URL must be a valid URL',
+                            hint: 'Provide a fully-qualified URL starting with https://',
+                            docs: 'https://webpeel.dev/docs/errors#invalid_avatar',
+                        },
+                        requestId: crypto.randomUUID(),
+                    });
+                    return;
+                }
+            }
+            // Build update query dynamically
+            const updates = [];
+            const values = [];
+            let paramIndex = 1;
+            if (name !== undefined) {
+                updates.push(`name = $${paramIndex++}`);
+                values.push(name);
+            }
+            if (avatarUrl !== undefined) {
+                updates.push(`avatar_url = $${paramIndex++}`);
+                values.push(avatarUrl);
+            }
+            if (updates.length === 0) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'no_updates',
+                        message: 'No fields to update',
+                        hint: 'Provide at least one of: name, avatarUrl.',
+                        docs: 'https://webpeel.dev/docs/errors#no_updates',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            updates.push(`updated_at = now()`);
+            values.push(userId);
+            const result = await pool.query(`UPDATE users SET ${updates.join(', ')} WHERE id = $${paramIndex} RETURNING id, email, name, avatar_url`, values);
+            if (result.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            res.json({
+                success: true,
+                user: {
+                    id: result.rows[0].id,
+                    email: result.rows[0].email,
+                    name: result.rows[0].name,
+                    avatar: result.rows[0].avatar_url,
+                },
+            });
+        }
+        catch (error) {
+            console.error('Update profile error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'update_failed',
+                    message: 'Failed to update profile',
+                    docs: 'https://webpeel.dev/docs/errors#update_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * PATCH /v1/user/password
+     * Change password (verify current, hash new)
+     */
+    router.patch('/v1/user/password', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { currentPassword, newPassword } = req.body;
+            if (!currentPassword || !newPassword) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'missing_fields',
+                        message: 'Current and new passwords are required',
+                        hint: 'Provide both currentPassword and newPassword in the request body.',
+                        docs: 'https://webpeel.dev/docs/errors#missing_fields',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            if (!isValidPassword(newPassword)) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'weak_password',
+                        message: 'Password must be at least 8 characters',
+                        hint: 'Choose a password with at least 8 characters.',
+                        docs: 'https://webpeel.dev/docs/errors#weak_password',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Get current password hash
+            const userResult = await pool.query('SELECT password_hash FROM users WHERE id = $1', [userId]);
+            if (userResult.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // OAuth users don't have passwords
+            if (!userResult.rows[0].password_hash) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'oauth_user',
+                        message: 'OAuth users cannot set passwords. Please use your OAuth provider to manage your account.',
+                        hint: 'Manage your account through your OAuth provider (e.g. Google, GitHub).',
+                        docs: 'https://webpeel.dev/docs/errors#oauth_user',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Verify current password
+            const passwordValid = await bcrypt.compare(currentPassword, userResult.rows[0].password_hash);
+            if (!passwordValid) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'invalid_password',
+                        message: 'Current password is incorrect',
+                        hint: 'Double-check your current password and try again.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Hash new password
+            const newPasswordHash = await bcrypt.hash(newPassword, BCRYPT_ROUNDS);
+            // Update password
+            await pool.query('UPDATE users SET password_hash = $1, updated_at = now() WHERE id = $2', [newPasswordHash, userId]);
+            res.json({ success: true, message: 'Password updated successfully' });
+        }
+        catch (error) {
+            console.error('Change password error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'update_failed',
+                    message: 'Failed to change password',
+                    docs: 'https://webpeel.dev/docs/errors#update_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * DELETE /v1/user/account
+     * Delete account + cascade to api_keys, oauth_accounts
+     */
+    router.delete('/v1/user/account', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { password, confirmEmail } = req.body;
+            // Get user info
+            const userResult = await pool.query('SELECT email, password_hash FROM users WHERE id = $1', [userId]);
+            if (userResult.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            const user = userResult.rows[0];
+            // Verify email confirmation
+            if (confirmEmail !== user.email) {
+                res.status(400).json({
+                    success: false,
+                    error: {
+                        type: 'email_mismatch',
+                        message: 'Email confirmation does not match account email',
+                        hint: 'Provide your exact account email in the confirmEmail field.',
+                        docs: 'https://webpeel.dev/docs/errors#email_mismatch',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Verify password (if user has one - OAuth users might not)
+            if (user.password_hash) {
+                if (!password) {
+                    res.status(400).json({
+                        success: false,
+                        error: {
+                            type: 'missing_password',
+                            message: 'Password is required',
+                            hint: 'Provide your account password to confirm account deletion.',
+                            docs: 'https://webpeel.dev/docs/errors#missing_password',
+                        },
+                        requestId: crypto.randomUUID(),
+                    });
+                    return;
+                }
+                const passwordValid = await bcrypt.compare(password, user.password_hash);
+                if (!passwordValid) {
+                    res.status(401).json({
+                        success: false,
+                        error: {
+                            type: 'invalid_password',
+                            message: 'Password is incorrect',
+                            hint: 'Double-check your password and try again.',
+                            docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                        },
+                        requestId: crypto.randomUUID(),
+                    });
+                    return;
+                }
+            }
+            // Delete user and all related data in a transaction
+            const client = await pool.connect();
+            try {
+                await client.query('BEGIN');
+                await client.query('DELETE FROM api_keys WHERE user_id = $1', [userId]);
+                await client.query('DELETE FROM oauth_accounts WHERE user_id = $1', [userId]);
+                await client.query('DELETE FROM users WHERE id = $1', [userId]);
+                await client.query('COMMIT');
+            }
+            catch (txError) {
+                await client.query('ROLLBACK');
+                throw txError;
+            }
+            finally {
+                client.release();
+            }
+            res.json({
+                success: true,
+                message: 'Account deleted successfully. We\'re sorry to see you go!'
+            });
+        }
+        catch (error) {
+            console.error('Delete account error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'delete_failed',
+                    message: 'Failed to delete account',
+                    docs: 'https://webpeel.dev/docs/errors#delete_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * GET /v1/user/alert-preferences
+     * Returns current alert threshold and email
+     */
+    router.get('/v1/user/alert-preferences', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const result = await pool.query('SELECT alert_threshold, alert_email FROM users WHERE id = $1', [userId]);
+            if (result.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            res.json({
+                threshold: result.rows[0].alert_threshold,
+                email: result.rows[0].alert_email,
+            });
+        }
+        catch (error) {
+            console.error('Get alert preferences error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'get_prefs_failed',
+                    message: 'Failed to get alert preferences',
+                    docs: 'https://webpeel.dev/docs/errors#get_prefs_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * PUT /v1/user/alert-preferences
+     * Save alert threshold and/or email
+     * Body: { threshold: number | null, email: string | null }
+     */
+    router.put('/v1/user/alert-preferences', jwtAuth, async (req, res) => {
+        try {
+            const { userId } = req.user;
+            const { threshold, email } = req.body;
+            // Validate threshold: must be null or a number between 1 and 100
+            if (threshold !== null && threshold !== undefined) {
+                if (typeof threshold !== 'number' || threshold < 1 || threshold > 100) {
+                    res.status(400).json({
+                        success: false,
+                        error: {
+                            type: 'invalid_threshold',
+                            message: 'Threshold must be a number between 1 and 100, or null to disable',
+                            hint: 'Pass a number between 1 and 100, or null to disable alerts.',
+                            docs: 'https://webpeel.dev/docs/errors#invalid_threshold',
+                        },
+                        requestId: crypto.randomUUID(),
+                    });
+                    return;
+                }
+            }
+            // Validate email if provided
+            if (email !== null && email !== undefined) {
+                if (typeof email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
+                    res.status(400).json({
+                        success: false,
+                        error: {
+                            type: 'invalid_email',
+                            message: 'Email must be a valid email address, or null to use account email',
+                            hint: 'Provide a valid email address (e.g. user@example.com), or null.',
+                            docs: 'https://webpeel.dev/docs/errors#invalid_email',
+                        },
+                        requestId: crypto.randomUUID(),
+                    });
+                    return;
+                }
+            }
+            await pool.query('UPDATE users SET alert_threshold = $1, alert_email = $2, updated_at = now() WHERE id = $3', [threshold ?? null, email ?? null, userId]);
+            res.json({ success: true });
+        }
+        catch (error) {
+            console.error('Save alert preferences error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'save_prefs_failed',
+                    message: 'Failed to save alert preferences',
+                    docs: 'https://webpeel.dev/docs/errors#save_prefs_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * DELETE /v1/account
+     * GDPR data deletion endpoint — deletes the authenticated user's account and ALL associated data.
+     *
+     * Accepts both API key auth (req.auth.keyInfo.accountId) and JWT session auth (req.user.userId).
+     * This is the GDPR-friendly endpoint that skips the password/email confirmation flow,
+     * intended for programmatic use (e.g. an in-app "Delete my data" button that pre-verifies
+     * identity via the existing session).
+     */
+    router.delete('/v1/account', async (req, res) => {
+        try {
+            // Support both API key auth and JWT session auth
+            const userId = req.user?.userId || req.auth?.keyInfo?.accountId;
+            if (!userId) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'unauthorized',
+                        message: 'Authentication required. Provide a JWT token or API key.',
+                        hint: 'Include your API key via Authorization: Bearer <key> or X-API-Key header.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Verify user exists before attempting deletion
+            const userCheck = await pool.query('SELECT id FROM users WHERE id = $1', [userId]);
+            if (userCheck.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Delegate to PostgresAuthStore which wraps everything in a transaction
+            const authStore = new PostgresAuthStore();
+            await authStore.deleteAccount(userId);
+            res.json({
+                success: true,
+                message: 'Account and all associated data deleted. Your data has been permanently removed in accordance with GDPR Article 17.',
+            });
+        }
+        catch (error) {
+            console.error('GDPR account deletion error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'deletion_failed',
+                    message: 'Failed to delete account',
+                    docs: 'https://webpeel.dev/docs/errors#deletion_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    /**
+     * DELETE /v1/account
+     * GDPR data deletion endpoint — deletes the authenticated user's account and ALL associated data.
+     *
+     * Accepts both API key auth (req.auth.keyInfo.accountId) and JWT session auth (req.user.userId).
+     * This is the GDPR-compliant endpoint for programmatic "Delete my data" requests.
+     */
+    router.delete('/v1/account', async (req, res) => {
+        try {
+            // Support both API key auth and JWT session auth
+            const userId = req.user?.userId || req.auth?.keyInfo?.accountId;
+            if (!userId) {
+                res.status(401).json({
+                    success: false,
+                    error: {
+                        type: 'unauthorized',
+                        message: 'Authentication required. Provide a JWT token or API key.',
+                        hint: 'Include your API key via Authorization: Bearer <key> or X-API-Key header.',
+                        docs: 'https://webpeel.dev/docs/errors#unauthorized',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Verify user exists before attempting deletion
+            const userCheck = await pool.query('SELECT id FROM users WHERE id = $1', [userId]);
+            if (userCheck.rows.length === 0) {
+                res.status(404).json({
+                    success: false,
+                    error: {
+                        type: 'user_not_found',
+                        message: 'User not found',
+                        docs: 'https://webpeel.dev/docs/errors#user_not_found',
+                    },
+                    requestId: crypto.randomUUID(),
+                });
+                return;
+            }
+            // Delegate to PostgresAuthStore which wraps everything in a transaction
+            const authStore = new PostgresAuthStore();
+            await authStore.deleteAccount(userId);
+            res.json({
+                success: true,
+                message: 'Account and all associated data deleted. Your data has been permanently removed in accordance with GDPR Article 17.',
+            });
+        }
+        catch (error) {
+            console.error('GDPR account deletion error:', error);
+            res.status(500).json({
+                success: false,
+                error: {
+                    type: 'deletion_failed',
+                    message: 'Failed to delete account',
+                    docs: 'https://webpeel.dev/docs/errors#deletion_failed',
+                },
+                requestId: crypto.randomUUID(),
+            });
+        }
+    });
+    return router;
+}