@knotpad/app 0.1.0 → 0.1.1

package/app/api/mcp/revoke-token/[tokenId]/route.tsx

@@ -1,30 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-
-export async function DELETE(
-  _req: NextRequest,
-  { params }: { params: Promise<{ tokenId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { tokenId } = await params;
-  const record = await prisma.mcpToken.findUnique({ where: { id: tokenId } });
-  if (!record || record.revokedAt) {
-    return NextResponse.json({ error: "Not found" }, { status: 404 });
-  }
-
-  if (record.userId !== session.user.id) {
-    // Workspace admins and owners may revoke any token in their workspace
-    const callerMember = await prisma.workspaceMember.findFirst({
-      where: { userId: session.user.id, workspaceId: record.workspaceId, revokedAt: null },
-    });
-    if (!callerMember || callerMember.role === "MEMBER") {
-      return NextResponse.json({ error: "Forbidden" }, { status: 403 });
-    }
-  }
-
-  await prisma.mcpToken.update({ where: { id: tokenId }, data: { revokedAt: new Date() } });
-  return NextResponse.json({ ok: true });
-}

package/app/api/mcp/update-alias/[tokenId]/route.tsx

@@ -1,22 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-
-export async function PATCH(
-  req: NextRequest,
-  { params }: { params: Promise<{ tokenId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { tokenId } = await params;
-  const { alias } = await req.json();
-
-  const record = await prisma.mcpToken.findUnique({ where: { id: tokenId } });
-  if (!record || record.userId !== session.user.id) {
-    return NextResponse.json({ error: "Not found" }, { status: 404 });
-  }
-
-  await prisma.mcpToken.update({ where: { id: tokenId }, data: { alias: alias || null } });
-  return NextResponse.json({ ok: true });
-}

package/app/api/notes/[noteId]/export/route.tsx

@@ -1,45 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-import { decryptContent } from "@/lib/note-crypto";
-import { getActiveWorkspaceId } from "@/lib/workspace";
-
-// Tolerates both legacy <!--task::STATUS--> and id-bearing <!--task::ID::STATUS-->.
-const BADGE_COMMENT_RE = /\s*<!--task::[^>]*-->/g;
-
-function toCleanMarkdown(title: string, content: string): string {
-  const lines = content
-    .split("\n")
-    .map((line) => line.replace(BADGE_COMMENT_RE, ""));
-  return `# ${title}\n\n${lines.join("\n")}`;
-}
-
-export async function GET(
-  _req: NextRequest,
-  { params }: { params: Promise<{ noteId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { noteId } = await params;
-
-  const workspaceId = await getActiveWorkspaceId(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const note = await prisma.note.findFirst({
-    where: { id: noteId, workspaceId },
-  });
-  if (!note) return NextResponse.json({ error: "Not found" }, { status: 404 });
-
-  const plainContent = await decryptContent(note.content, workspaceId);
-  const md = toCleanMarkdown(note.title, plainContent);
-  const slug = note.title.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-|-$/g, "");
-  const filename = `${slug || "note"}.md`;
-
-  return new NextResponse(md, {
-    headers: {
-      "Content-Type": "text/markdown; charset=utf-8",
-      "Content-Disposition": `attachment; filename="${filename}"`,
-    },
-  });
-}

package/app/api/notes/[noteId]/route.tsx

@@ -1,360 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma, getCloudPrisma, getPrimaryDb, isConnectionError } from "@/lib/prisma";
-import type { Priority } from "@/app/generated/prisma/client";
-import { parseTasksFromMarkdown } from "@/lib/task-parser";
-import { resolveAssignee, fetchWorkspaceMembers } from "@/lib/mentions";
-import { encryptContent, decryptContent } from "@/lib/note-crypto";
-import { writeTombstone } from "@/lib/conflict-resolver";
-import { deleteSnapshot } from "@/lib/note-sync";
-import { getActiveWorkspaceId } from "@/lib/workspace";
-import { autoTitle } from "@/lib/note-title";
-import { parseJson } from "@/lib/api-error";
-import { updateNoteSchema } from "@/lib/validation/note";
-
-type Tx = Parameters<Parameters<typeof prisma.$transaction>[0]>[0];
-
-// Guard rails: keep a single note from exhausting the DB / the O(mn) merge.
-// Defined in lib/limits so validation schemas can share them; re-exported here
-// for the existing import sites.
-export { MAX_CONTENT_LEN, MAX_TITLE_LEN } from "@/lib/limits";
-import { MAX_TITLE_LEN } from "@/lib/limits";
-
-async function getWorkspaceForUser(userId: string) {
-  return getActiveWorkspaceId(userId);
-}
-
-export async function GET(
-  _req: NextRequest,
-  { params }: { params: Promise<{ noteId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { noteId } = await params;
-  const workspaceId = await getWorkspaceForUser(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const db = await getPrimaryDb(workspaceId);
-  const note = await db.note.findFirst({
-    where: { id: noteId, workspaceId },
-    include: {
-      tasks: {
-        orderBy: { createdAt: "asc" },
-        include: { assignee: { select: { id: true, name: true, email: true } } },
-      },
-    },
-  });
-
-  if (!note) return NextResponse.json({ error: "Not found" }, { status: 404 });
-  const decrypted = await decryptContent(note.content, workspaceId);
-  return NextResponse.json({ ...note, content: decrypted });
-}
-
-export async function PATCH(
-  req: NextRequest,
-  { params }: { params: Promise<{ noteId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { noteId } = await params;
-  const workspaceId = await getWorkspaceForUser(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const db = await getPrimaryDb(workspaceId);
-  const existing = await db.note.findFirst({ where: { id: noteId, workspaceId } });
-  if (!existing) return NextResponse.json({ error: "Not found" }, { status: 404 });
-
-  const parsed = await parseJson(req, updateNoteSchema);
-  if (parsed.response) return parsed.response;
-  const { title, content, baseVersion, folderId } = parsed.data;
-
-  // Locked notes: only allow folder moves, not content/title edits.
-  if (existing.isLocked && (title !== undefined || content !== undefined)) {
-    return NextResponse.json({ error: "Note is locked", code: "NOTE_LOCKED" }, { status: 423 });
-  }
-
-  // Move-to-folder is metadata, independent of content/version. null = unfile.
-  if (folderId !== undefined) {
-    if (folderId !== null) {
-      const folder = await db.folder.findFirst({ where: { id: folderId, workspaceId }, select: { id: true } });
-      if (!folder) return NextResponse.json({ error: "Invalid folder" }, { status: 400 });
-    }
-    await db.note.update({ where: { id: noteId }, data: { folderId } });
-  }
-
-  // Auto-title when the user hasn't named the note
-  let resolvedTitle: string | undefined = title;
-  if (content !== undefined && typeof title === "string" && (title === "Untitled" || !title.trim())) {
-    resolvedTitle = autoTitle(content, title);
-  }
-
-  // Guard the auto-generated title too (content/title lengths are schema-checked).
-  if (resolvedTitle !== undefined && resolvedTitle.length > MAX_TITLE_LEN) {
-    return NextResponse.json({ error: `title must be ≤ ${MAX_TITLE_LEN} chars` }, { status: 400 });
-  }
-
-  const storedContent =
-    content !== undefined ? await encryptContent(content, workspaceId) : undefined;
-
-  // Steps 1+2 — write note content AND sync tasks atomically in one transaction.
-  // Optimistic concurrency: only write if version still matches; if not, return 409
-  // so the client can adopt the server copy instead of silently clobbering it.
-  // Task sync runs in the same transaction so a parse failure rolls back the write.
-  type StaleResult = { currentVersion?: number; content: string; title?: string };
-  let staleResult: StaleResult | null = null;
-  let readDb = db; // tracks which DB we actually wrote to for the Step 3 read
-
-  const runTransaction = async (txDb: typeof db) => {
-    await txDb.$transaction(async (tx) => {
-      if (storedContent !== undefined && typeof baseVersion === "number") {
-        const res = await tx.note.updateMany({
-          where: { id: noteId, workspaceId, version: baseVersion },
-          data: { content: storedContent, version: { increment: 1 }, ...(resolvedTitle !== undefined && { title: resolvedTitle }) },
-        });
-        if (res.count === 0) {
-          const fresh = await tx.note.findFirst({ where: { id: noteId, workspaceId } });
-          const freshContent = fresh ? await decryptContent(fresh.content, workspaceId) : "";
-          staleResult = { currentVersion: fresh?.version, content: freshContent, title: fresh?.title ?? undefined };
-          throw new Error("stale");
-        }
-      } else if (resolvedTitle !== undefined || storedContent !== undefined) {
-        await tx.note.update({
-          where: { id: noteId },
-          data: {
-            ...(resolvedTitle !== undefined && { title: resolvedTitle }),
-            ...(storedContent !== undefined && { content: storedContent, version: { increment: 1 } }),
-          },
-        });
-      }
-      if (content !== undefined) {
-        await syncTasksForNote(tx, noteId, workspaceId, content);
-        await syncReferencesForNote(tx, noteId, workspaceId, content);
-      }
-    });
-  };
-
-  try {
-    await runTransaction(db);
-  } catch (err) {
-    if (staleResult) {
-      const { currentVersion, content: freshContent, title: freshTitle } = staleResult as StaleResult;
-      return NextResponse.json({ error: "stale", currentVersion, content: freshContent, title: freshTitle }, { status: 409 });
-    }
-    // Cloud unreachable — fall back to local buffer
-    if (isConnectionError(err) && db !== prisma) {
-      staleResult = null;
-      readDb = prisma;
-      try {
-        await runTransaction(prisma);
-        // Only set pendingSync=true AFTER the local write completes successfully.
-        // If runTransaction throws, we skip this line so no phantom pending record
-        // is left behind for a note that was never written.
-        await prisma.note.update({ where: { id: noteId }, data: { pendingSync: true } });
-      } catch (localErr) {
-        if (staleResult) {
-          const { currentVersion, content: freshContent, title: freshTitle } = staleResult as StaleResult;
-          return NextResponse.json({ error: "stale", currentVersion, content: freshContent, title: freshTitle }, { status: 409 });
-        }
-        console.error("[brief] note save failed (local fallback):", localErr);
-        return NextResponse.json({ error: "Save failed" }, { status: 500 });
-      }
-    } else {
-      console.error("[brief] note save failed:", err);
-      return NextResponse.json({ error: "Save failed" }, { status: 500 });
-    }
-  }
-  // (folderId-only requests fall through — already applied above — so no empty update.)
-
-  // Step 3 — fetch fresh note + post-sync tasks to return to the client.
-  const note = await readDb.note.findFirst({
-    where: { id: noteId, workspaceId },
-    include: {
-      tasks: {
-        orderBy: { createdAt: "asc" },
-        include: { assignee: { select: { id: true, name: true, email: true } } },
-      },
-    },
-  });
-  if (!note) return NextResponse.json({ error: "Not found" }, { status: 404 });
-
-  // Return decrypted content to the client
-  const decryptedContent =
-    note.content ? await decryptContent(note.content, workspaceId) : note.content;
-  return NextResponse.json({ ...note, content: decryptedContent });
-}
-
-export async function DELETE(
-  _req: NextRequest,
-  { params }: { params: Promise<{ noteId: string }> }
-) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { noteId } = await params;
-  const workspaceId = await getWorkspaceForUser(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const db = await getPrimaryDb(workspaceId);
-  const note = await db.note.findFirst({ where: { id: noteId, workspaceId } });
-  if (!note) return NextResponse.json({ error: "Not found" }, { status: 404 });
-  if (note.isLocked) {
-    return NextResponse.json({ error: "Note is locked", code: "NOTE_LOCKED" }, { status: 423 });
-  }
-
-  await db.$transaction(async (tx) => {
-    await tx.note.delete({ where: { id: noteId } });
-    // Tombstone must be written atomically with the delete — otherwise a sync
-    // pull before this point would resurrect the note (resurrection bug).
-    const tombstoneWhere = { workspaceId, entityType: "note", entityId: noteId };
-    const hasTombstone = await tx.tombstone.findFirst({ where: tombstoneWhere });
-    if (!hasTombstone) await tx.tombstone.create({ data: tombstoneWhere });
-  });
-
-  // Drop the merge snapshot (non-fatal). Use cloud DB for Pro so snapshot is gone from Neon.
-  await deleteSnapshot(workspaceId, noteId, db).catch(() => {});
-
-  // For Pro users (db = Neon): mirror tombstone + delete to local PGlite buffer (best-effort).
-  // For Free users (db = PGlite): mirror to Neon if configured (best-effort).
-  const mirrorDb = db === prisma ? getCloudPrisma() : prisma;
-  if (mirrorDb) {
-    try {
-      const tombstoneWhere = { workspaceId, entityType: "note", entityId: noteId };
-      const hasMirror = await mirrorDb.tombstone.findFirst({ where: tombstoneWhere });
-      if (!hasMirror) await mirrorDb.tombstone.create({ data: tombstoneWhere });
-      await mirrorDb.note.deleteMany({ where: { id: noteId, workspaceId } });
-    } catch {
-      // Non-fatal: flush worker will reconcile on next trigger.
-    }
-  }
-
-  return NextResponse.json({ ok: true });
-}
-
-type ParsedTask = ReturnType<typeof parseTasksFromMarkdown>[number];
-type ExistingTask = Awaited<ReturnType<Tx["task"]["findMany"]>>[number];
-
-async function syncTasksForNote(tx: Tx, noteId: string, workspaceId: string, content: string) {
-  const parsed = parseTasksFromMarkdown(content);
-  const existingTasks = await tx.task.findMany({ where: { noteId }, orderBy: { createdAt: "asc" } });
-
-  // ── Identity diff ──────────────────────────────────────────────────────────
-  // Match by exact title first; pair the leftovers in document order (those are
-  // renames → UPDATE in place so status/assignee/references survive). Only true
-  // surplus lines create, only true surplus tasks delete.
-  const remainingExisting = [...existingTasks];
-  const pairs: Array<{ parsed: ParsedTask; existing: ExistingTask | null }> = [];
-  const unmatchedParsed: ParsedTask[] = [];
-
-  for (const p of parsed) {
-    const idx = remainingExisting.findIndex((t) => t.title === p.title);
-    if (idx !== -1) {
-      pairs.push({ parsed: p, existing: remainingExisting.splice(idx, 1)[0] });
-    } else {
-      unmatchedParsed.push(p);
-    }
-  }
-  // Pair leftover (renamed) lines to leftover tasks by document order.
-  for (const p of unmatchedParsed) {
-    const existing = remainingExisting.length > 0 ? remainingExisting.shift()! : null;
-    pairs.push({ parsed: p, existing });
-  }
-
-  // Fetch workspace members once to avoid an N+1 per task in the loop below.
-  const members = await fetchWorkspaceMembers(tx, workspaceId);
-
-  for (const { parsed: p, existing } of pairs) {
-    const { assigneeId, assigneeType } = await resolveAssignee(tx, workspaceId, p.assigneeHandle, members);
-    const dates = {
-      fileRefs: p.fileRefs,
-      startDate: p.startDate ? new Date(p.startDate) : null,
-      dueDate: p.dueDate ? new Date(p.dueDate) : null,
-    };
-
-    if (!existing) {
-      const created = await tx.task.create({
-        data: {
-          title: p.title,
-          status: p.isChecked ? "DONE" : "OPEN",
-          noteId,
-          workspaceId,
-          assigneeId,
-          assigneeType,
-          ...dates,
-          ...(p.priority && { priority: p.priority as Priority }),
-        },
-      });
-      if (assigneeId) await notifyAssigned(tx, assigneeId, p.title, created.id, noteId);
-      continue;
-    }
-
-    // Checkbox is the source of truth for done-ness, but don't clobber an
-    // in-progress workflow state (CLAIMED/IN_PROGRESS/REVIEW) when unchecked.
-    let status = existing.status;
-    if (p.isChecked && status !== "DONE") status = "DONE";
-    else if (!p.isChecked && status === "DONE") status = "OPEN";
-
-    await tx.task.update({
-      where: { id: existing.id },
-      data: {
-        title: p.title, status, assigneeId, assigneeType, ...dates,
-        ...(p.priority && { priority: p.priority as Priority }),
-      },
-    });
-    if (assigneeId && assigneeId !== existing.assigneeId) {
-      await notifyAssigned(tx, assigneeId, p.title, existing.id, noteId);
-    }
-  }
-
-  // Surplus existing tasks → delete + local tombstone (so sync doesn't resurrect them).
-  const toDelete = remainingExisting.map((t) => t.id);
-  if (toDelete.length > 0) {
-    await tx.task.deleteMany({ where: { id: { in: toDelete } } });
-    await tx.tombstone.createMany({
-      data: toDelete.map((id) => ({ workspaceId, entityType: "task", entityId: id })),
-    });
-  }
-}
-
-async function notifyAssigned(tx: Tx, userId: string, title: string, taskId: string, noteId: string) {
-  await tx.notification.create({
-    data: { userId, type: "task_assigned", title: `You've been assigned: "${title}"`, taskId, noteId },
-  });
-}
-
-async function syncReferencesForNote(tx: Tx, noteId: string, workspaceId: string, content: string) {
-  // Collect ALL ((task title)) occurrences; store multiple snippets joined by separator.
-  const refMap = new Map<string, string[]>(); // title → snippets[]
-  const lines = content.split("\n");
-  for (let i = 0; i < lines.length; i++) {
-    for (const m of lines[i].matchAll(/\(\(([^)]+)\)\)/g)) {
-      const title = m[1].trim();
-      if (!title) continue;
-      const start = Math.max(0, i - 1);
-      const snippet = lines.slice(start, Math.min(lines.length, i + 2)).join("\n");
-      if (!refMap.has(title)) refMap.set(title, []);
-      refMap.get(title)!.push(snippet);
-    }
-  }
-
-  // Always wipe then recreate — keeps things simple and idempotent.
-  await tx.taskReference.deleteMany({ where: { noteId } });
-
-  if (refMap.size === 0) return;
-
-  const matched = await tx.task.findMany({
-    where: { workspaceId, title: { in: Array.from(refMap.keys()) } },
-    select: { id: true, title: true },
-  });
-
-  if (matched.length > 0) {
-    await tx.taskReference.createMany({
-      data: matched.map((t) => ({
-        taskId: t.id,
-        noteId,
-        snippet: "", // computed dynamically from decrypted note content at read time
-      })),
-    });
-  }
-}

package/app/api/notes/route.tsx

@@ -1,112 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma, getPrimaryDb, isConnectionError } from "@/lib/prisma";
-import type { Priority } from "@/app/generated/prisma/client";
-import { parseTasksFromMarkdown } from "@/lib/task-parser";
-import { resolveAssignee, fetchWorkspaceMembers } from "@/lib/mentions";
-import { encryptContent } from "@/lib/note-crypto";
-import { getActiveWorkspaceId } from "@/lib/workspace";
-import { rateLimit } from "@/lib/rate-limit";
-import { autoTitle } from "@/lib/note-title";
-import { parseJson } from "@/lib/api-error";
-import { createNoteSchema } from "@/lib/validation/note";
-import { MAX_TITLE_LEN, MAX_CONTENT_LEN } from "@/lib/limits";
-
-const NOTES_LIST_MAX = 500;
-
-export async function GET(req: NextRequest) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const rl = rateLimit(`notes-list:${session.user.id}`, 60, 60_000);
-  if (rl.limited) {
-    return NextResponse.json({ error: "Too many requests" }, { status: 429, headers: { "Retry-After": String(rl.retryAfter) } });
-  }
-
-  const workspaceId = await getActiveWorkspaceId(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const db = await getPrimaryDb(workspaceId);
-  const notes = await db.note.findMany({
-    where: { workspaceId },
-    orderBy: { updatedAt: "desc" },
-    take: NOTES_LIST_MAX,
-    include: { _count: { select: { tasks: true } } },
-  });
-
-  return NextResponse.json(notes);
-}
-
-export async function POST(req: NextRequest) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const workspaceId = await getActiveWorkspaceId(session.user.id);
-  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
-
-  const parsed = await parseJson(req, createNoteSchema);
-  if (parsed.response) return parsed.response;
-  const { title, content, folderId } = parsed.data;
-
-  const plainContent: string = content || "";
-  const resolvedTitle = autoTitle(plainContent, title);
-  const storedContent = await encryptContent(plainContent, workspaceId);
-
-  const db = await getPrimaryDb(workspaceId);
-
-  try {
-    const note = await db.$transaction(async (tx) => {
-      const newNote = await tx.note.create({
-        data: { title: resolvedTitle, content: storedContent, workspaceId, folderId: folderId || null },
-      });
-      if (plainContent) {
-        await createTasksFromNote(tx, newNote.id, workspaceId, plainContent);
-      }
-      return newNote;
-    });
-    return NextResponse.json(note, { status: 201 });
-  } catch (err) {
-    if (isConnectionError(err) && db !== prisma) {
-      // Cloud unreachable — buffer locally and flag for flush
-      const note = await prisma.$transaction(async (tx) => {
-        const newNote = await tx.note.create({
-          data: { title: resolvedTitle, content: storedContent, workspaceId, folderId: folderId || null, pendingSync: true },
-        });
-        if (plainContent) {
-          await createTasksFromNote(tx, newNote.id, workspaceId, plainContent);
-        }
-        return newNote;
-      });
-      return NextResponse.json(note, { status: 201 });
-    }
-    throw err;
-  }
-}
-
-type Tx = Parameters<Parameters<typeof prisma.$transaction>[0]>[0];
-
-async function createTasksFromNote(tx: Tx, noteId: string, workspaceId: string, content: string) {
-  const parsed = parseTasksFromMarkdown(content);
-  if (parsed.length === 0) return;
-
-  // Fetch workspace members once to avoid one DB query per parsed task.
-  const members = await fetchWorkspaceMembers(tx, workspaceId);
-
-  for (const task of parsed) {
-    const { assigneeId, assigneeType } = await resolveAssignee(tx, workspaceId, task.assigneeHandle, members);
-    await tx.task.create({
-      data: {
-        title: task.title,
-        status: task.isChecked ? "DONE" : "OPEN",
-        noteId,
-        workspaceId,
-        assigneeId,
-        assigneeType,
-        fileRefs: task.fileRefs,
-        startDate: task.startDate ? new Date(task.startDate) : null,
-        dueDate: task.dueDate ? new Date(task.dueDate) : null,
-        ...(task.priority && { priority: task.priority as Priority }),
-      },
-    });
-  }
-}

package/app/api/notifications/route.tsx

@@ -1,44 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { auth } from "@/auth";
-import { prisma } from "@/lib/prisma";
-
-export async function GET() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const notifications = await prisma.notification.findMany({
-    where: { userId: session.user.id },
-    orderBy: { createdAt: "desc" },
-    take: 30,
-  });
-
-  return NextResponse.json(notifications);
-}
-
-export async function PATCH(req: NextRequest) {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  const { ids } = await req.json();
-  if (ids === "all") {
-    await prisma.notification.updateMany({
-      where: { userId: session.user.id, read: false },
-      data: { read: true },
-    });
-  } else if (Array.isArray(ids)) {
-    await prisma.notification.updateMany({
-      where: { userId: session.user.id, id: { in: ids } },
-      data: { read: true },
-    });
-  }
-
-  return NextResponse.json({ ok: true });
-}
-
-export async function DELETE() {
-  const session = await auth();
-  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
-
-  await prisma.notification.deleteMany({ where: { userId: session.user.id } });
-  return NextResponse.json({ ok: true });
-}

package/app/api/register/route.tsx

@@ -1,67 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import bcrypt from "bcryptjs";
-import { prisma, getCloudPrisma } from "@/lib/prisma";
-import { seedDefaultKanbanStatuses } from "@/lib/kanban-status";
-import { rateLimit, getClientIp } from "@/lib/rate-limit";
-
-// 10 registration attempts per IP per hour
-const AUTH_MAX = 10;
-const AUTH_WINDOW_MS = 60 * 60_000;
-
-export async function POST(req: NextRequest) {
-  const ip = getClientIp(req);
-  const rl = rateLimit(`register:${ip}`, AUTH_MAX, AUTH_WINDOW_MS);
-  if (rl.limited) {
-    return NextResponse.json(
-      { error: "Too many attempts. Try again later." },
-      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
-    );
-  }
-
-  const { name, email, password } = await req.json();
-
-  if (!name || !email || !password) {
-    return NextResponse.json({ error: "Missing fields" }, { status: 400 });
-  }
-  if (typeof password !== "string" || password.length < 8) {
-    return NextResponse.json({ error: "Password must be at least 8 characters" }, { status: 400 });
-  }
-  if (typeof email !== "string" || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
-    return NextResponse.json({ error: "Invalid email address" }, { status: 400 });
-  }
-
-  // Real users must be in the same DB that auth.ts reads from (cloud if available, local otherwise).
-  const db = getCloudPrisma() ?? prisma;
-
-  const existing = await db.user.findUnique({ where: { email } });
-  if (existing) {
-    return NextResponse.json({ error: "Email already in use" }, { status: 409 });
-  }
-
-  const passwordHash = await bcrypt.hash(password, 12);
-  const slug = name.toLowerCase().replace(/\s+/g, "-") + "-" + Date.now();
-
-  const user = await db.$transaction(async (tx) => {
-    const newUser = await tx.user.create({
-      data: { name, email, passwordHash, role: "OWNER" },
-    });
-
-    const workspace = await tx.workspace.create({
-      data: {
-        name: `${name}'s Workspace`,
-        slug,
-        type: "PERSONAL",
-        planType: "FREE",
-        isCloud: false,
-        isPro: false,
-        members: { create: { userId: newUser.id, role: "OWNER" } },
-      },
-    });
-
-    await seedDefaultKanbanStatuses(workspace.id, tx);
-
-    return newUser;
-  });
-
-  return NextResponse.json({ id: user.id, email: user.email }, { status: 201 });
-}