@knotpad/app 0.1.0 → 0.1.2

package/lib/mcp-handler.ts

@@ -1,31 +0,0 @@
-import { NextRequest, NextResponse } from "next/server";
-import { verifyMcpToken, extractBearerToken, McpTokenPayload } from "@/lib/mcp-auth";
-import { rateLimit, getClientIp } from "@/lib/rate-limit";
-
-export type McpContext = McpTokenPayload & { alias: string | null };
-
-// 120 requests per minute per IP — generous for agent polling, tight enough to block abuse
-const MCP_RATE_LIMIT_MAX = 120;
-const MCP_RATE_LIMIT_WINDOW_MS = 60_000;
-
-export async function withMcpAuth(
-  req: NextRequest,
-  handler: (ctx: McpContext) => Promise<NextResponse>
-): Promise<NextResponse> {
-  const ip = getClientIp(req);
-  const rl = rateLimit(`mcp:${ip}`, MCP_RATE_LIMIT_MAX, MCP_RATE_LIMIT_WINDOW_MS);
-  if (rl.limited) {
-    return NextResponse.json(
-      { error: "Too many requests" },
-      { status: 429, headers: { "Retry-After": String(rl.retryAfter) } }
-    );
-  }
-
-  const token = extractBearerToken(req.headers.get("authorization"));
-  if (!token) return NextResponse.json({ error: "Missing token" }, { status: 401 });
-
-  const ctx = await verifyMcpToken(token);
-  if (!ctx) return NextResponse.json({ error: "Invalid or revoked token" }, { status: 401 });
-
-  return handler(ctx);
-}

package/lib/mcp-url.test.ts

@@ -1,12 +0,0 @@
-import { describe, expect, it } from "vitest";
-import { getMcpUrl } from "@/lib/mcp-url";
-
-describe("getMcpUrl", () => {
-  it("prefers the explicit MCP URL", () => {
-    expect(getMcpUrl("https://app.example.com", "https://mcp.example.com")).toBe("https://mcp.example.com");
-  });
-
-  it("derives the MCP URL from the app URL when no explicit value is set", () => {
-    expect(getMcpUrl("http://localhost:3000", undefined)).toBe("http://localhost:3000/mcp");
-  });
-});

package/lib/mcp-url.ts

@@ -1,7 +0,0 @@
-export function getMcpUrl(appUrl: string, explicitMcpUrl?: string): string {
-  if (explicitMcpUrl) {
-    return explicitMcpUrl;
-  }
-
-  return `${appUrl.replace(/\/$/, "")}/mcp`;
-}

package/lib/mentions.test.ts

@@ -1,45 +0,0 @@
-import { describe, it, expect } from "vitest";
-import { resolveAssignee, normalizeHandle } from "@/lib/mentions";
-
-// Minimal fake tx exposing only what resolveAssignee touches.
-function fakeTx(members: Array<{ userId: string; user: { name: string | null; email: string | null } }>) {
-  return { workspaceMember: { findMany: async () => members } } as never;
-}
-
-const members = [
-  { userId: "u1", user: { name: "John Doe", email: "john@acme.com" } },
-  { userId: "u2", user: { name: null, email: "alice@acme.com" } },
-];
-
-describe("resolveAssignee", () => {
-  it("matches a name handle even though the editor strips spaces", async () => {
-    // editor builds "@johndoe" from "John Doe"
-    const r = await resolveAssignee(fakeTx(members), "ws", "@johndoe");
-    expect(r).toEqual({ assigneeId: "u1", assigneeType: "HUMAN" });
-  });
-
-  it("matches a bare email local-part", async () => {
-    const r = await resolveAssignee(fakeTx(members), "ws", "@alice");
-    expect(r.assigneeId).toBe("u2");
-  });
-
-  it("does not ambiguously prefix-match emails", async () => {
-    // "@al" must NOT resolve to alice@ (old startsWith bug)
-    const r = await resolveAssignee(fakeTx(members), "ws", "@al");
-    expect(r.assigneeId).toBeNull();
-  });
-
-  it("treats @agent as an agent, not a human", async () => {
-    const r = await resolveAssignee(fakeTx(members), "ws", "@agent");
-    expect(r).toEqual({ assigneeId: null, assigneeType: "AGENT" });
-  });
-
-  it("returns no assignee for a null handle", async () => {
-    const r = await resolveAssignee(fakeTx(members), "ws", null);
-    expect(r).toEqual({ assigneeId: null, assigneeType: "HUMAN" });
-  });
-
-  it("normalizeHandle strips @, case, and whitespace", () => {
-    expect(normalizeHandle("@John Doe")).toBe("johndoe");
-  });
-});

package/lib/mentions.ts

@@ -1,73 +0,0 @@
-/**
- * Mention handle resolution — shared by every note→task sync path so the
- * matching rules can't drift between call sites.
- *
- * The editor builds handles from a member's name (preferred) or email:
- *   @${(name ?? email).toLowerCase().replace(/\s+/g, "")}
- * so resolution must normalise both sides identically. We also accept a bare
- * email local-part (e.g. "@alice" for alice@acme.com) since people type that.
- */
-
-import { prisma } from "@/lib/prisma";
-import { isAgentHandle } from "@/lib/task-parser";
-
-type Tx = Parameters<Parameters<typeof prisma.$transaction>[0]>[0];
-
-export type ResolvedAssignee = {
-  assigneeId: string | null;
-  assigneeType: "HUMAN" | "AGENT";
-};
-
-export type WorkspaceMemberWithUser = {
-  userId: string;
-  user: { id: string; name: string | null; email: string | null };
-};
-
-/** Strip a leading "@", lower-case, and remove whitespace. */
-export function normalizeHandle(handle: string): string {
-  return handle.replace(/^@/, "").toLowerCase().replace(/\s+/g, "");
-}
-
-/**
- * Fetch all workspace members once so callers in a loop can pass the list in
- * and avoid an N+1 per-task query.
- */
-export async function fetchWorkspaceMembers(
-  tx: Tx,
-  workspaceId: string
-): Promise<WorkspaceMemberWithUser[]> {
-  return tx.workspaceMember.findMany({
-    where: { workspaceId },
-    include: { user: { select: { id: true, name: true, email: true } } },
-  });
-}
-
-/**
- * Resolve an @mention handle to a workspace user.
- * Pass `prefetchedMembers` (from `fetchWorkspaceMembers`) to avoid a DB query
- * per call when resolving multiple tasks in a loop.
- */
-export async function resolveAssignee(
-  tx: Tx,
-  workspaceId: string,
-  handle: string | null,
-  prefetchedMembers?: WorkspaceMemberWithUser[]
-): Promise<ResolvedAssignee> {
-  if (!handle) return { assigneeId: null, assigneeType: "HUMAN" };
-  if (isAgentHandle(handle)) return { assigneeId: null, assigneeType: "AGENT" };
-
-  const slug = normalizeHandle(handle);
-  const members = prefetchedMembers ?? await tx.workspaceMember.findMany({
-    where: { workspaceId },
-    include: { user: { select: { id: true, name: true, email: true } } },
-  });
-
-  const match = members.find((m) => {
-    const email = (m.user.email ?? "").toLowerCase().replace(/\s+/g, "");
-    const nameSlug = (m.user.name ?? "").toLowerCase().replace(/\s+/g, "");
-    const emailLocal = email.split("@")[0];
-    return slug === nameSlug || slug === email || slug === emailLocal;
-  });
-
-  return { assigneeId: match?.userId ?? null, assigneeType: "HUMAN" };
-}

package/lib/note-crypto.ts

@@ -1,108 +0,0 @@
-/**
- * Transparent note encryption-at-rest layer — server-side AES-256-GCM.
- *
- * Encryption policy:
- *   - Local-only mode (IS_CLOUD=false, no CLOUD_DATABASE_URL):
- *     Notes are stored as plaintext in PGlite. The data never leaves the
- *     user's device, so encryption is unnecessary and would only create
- *     a footgun (lose ENCRYPTION_PEPPER → lose all notes).
- *
- *   - Cloud mode (IS_CLOUD=true) or local with cloud sync (CLOUD_DATABASE_URL):
- *     Notes are always encrypted before storage. This protects data at rest
- *     in the cloud DB (Neon). The server holds the key (ENCRYPTION_PEPPER).
- *
- * Two sets of helpers, kept for call-site clarity:
- *   encryptContent / decryptContent   → API routes / MCP (primary `prisma`)
- *   encryptForSync / decryptFromSync  → sync-worker talking to either DB
- * Both behave identically. Decryption is safe to call on plaintext (returns
- * it unchanged) so legacy rows and local-only data don't throw.
- *
- * Only note.content is encrypted. Titles, ids, timestamps, and task data stay
- * plaintext so they remain queryable.
- */
-
-import { prisma, getCloudPrisma } from "@/lib/prisma";
-import { encryptNote, decryptNote, generateSalt, isEncrypted } from "@/lib/encryption";
-
-// ── Cloud check ─────────────────────────────────────────────────────────────
-// Encryption is only needed when data may reach the cloud DB. In local-only
-// mode (no cloud sync), notes stay plaintext on the user's own device.
-function isCloudEnabled(): boolean {
-  return process.env.IS_CLOUD === "true" || !!process.env.CLOUD_DATABASE_URL;
-}
-
-// ── Salt cache ────────────────────────────────────────────────────────────────
-// Per-workspace salt persisted in the workspace row. Cached in-process to avoid
-// an extra round-trip on every note read/write.
-
-const saltCache = new Map<string, string>();
-
-async function getWorkspaceSalt(workspaceId: string): Promise<string> {
-  const cached = saltCache.get(workspaceId);
-  if (cached) return cached;
-
-  const workspace = await prisma.workspace.findUnique({
-    where: { id: workspaceId },
-    select: { encryptionSalt: true },
-  });
-
-  if (workspace?.encryptionSalt) {
-    saltCache.set(workspaceId, workspace.encryptionSalt);
-    return workspace.encryptionSalt;
-  }
-
-  // First time for this workspace: generate and persist the salt.
-  const salt = generateSalt();
-  await prisma.workspace.update({
-    where: { id: workspaceId },
-    data: { encryptionSalt: salt },
-  });
-  // Mirror to Neon so the migration step can find the salt alongside the workspace record.
-  // Non-fatal: if the cloud write fails, the migration endpoint will copy the workspace row.
-  const cloud = getCloudPrisma();
-  if (cloud) {
-    cloud.workspace.update({ where: { id: workspaceId }, data: { encryptionSalt: salt } }).catch(() => {});
-  }
-  saltCache.set(workspaceId, salt);
-  return salt;
-}
-
-function getPepper(): string {
-  const pepper = process.env.ENCRYPTION_PEPPER;
-  if (!pepper) {
-    throw new Error(
-      "[Brief] ENCRYPTION_PEPPER env var is required to encrypt notes at rest. " +
-      "Generate one with: openssl rand -base64 32"
-    );
-  }
-  return pepper;
-}
-
-// ── Public helpers ──────────────────────────────────────────────────────────
-
-export async function encryptContent(
-  content: string,
-  workspaceId: string
-): Promise<string> {
-  if (!isCloudEnabled()) return content; // local-only: store plaintext
-  if (isEncrypted(content)) return content; // never double-encrypt
-  const salt = await getWorkspaceSalt(workspaceId);
-  return encryptNote(content, getPepper(), salt);
-}
-
-export async function decryptContent(
-  content: string,
-  workspaceId: string
-): Promise<string> {
-  if (!isEncrypted(content)) return content; // plaintext or local-only safety
-  const salt = await getWorkspaceSalt(workspaceId);
-  return decryptNote(content, getPepper(), salt);
-}
-
-// Sync-worker aliases — identical behaviour, named for call-site intent.
-export const encryptForSync = encryptContent;
-export const decryptFromSync = decryptContent;
-
-export function invalidateSaltCache(workspaceId: string): void {
-  saltCache.delete(workspaceId);
-}

package/lib/note-sync.ts

@@ -1,201 +0,0 @@
-/**
- * Helpers for keeping notes ↔ tasks in sync.
- * - Snapshot management (base content for three-way merge)
- * - Note badge updates when task status changes
- * - Re-parse note content into tasks after edits
- */
-
-import { prisma } from "@/lib/prisma";
-import type { PrismaClient, Priority } from "@/app/generated/prisma/client";
-import { parseTasksFromMarkdown } from "@/lib/task-parser";
-import { resolveAssignee } from "@/lib/mentions";
-import { encryptForSync, decryptFromSync } from "@/lib/note-crypto";
-
-// --- Snapshot store (noteSnapshots field in SyncState) ---
-
-type Snapshots = Record<string, string>; // noteId → content
-
-export async function getOrCreateSyncState(workspaceId: string, db: PrismaClient = prisma) {
-  const existing = await db.syncState.findUnique({ where: { workspaceId } });
-  if (existing) return existing;
-  return db.syncState.create({ data: { workspaceId } });
-}
-
-export async function getSnapshots(
-  workspaceId: string,
-  db: PrismaClient = prisma
-): Promise<{ snapshots: Snapshots; version: number }> {
-  const state = await db.syncState.findUnique({ where: { workspaceId } });
-  const version = state?.snapshotVersion ?? 0;
-  if (!state?.noteSnapshots) return { snapshots: {}, version };
-  try {
-    // Snapshots hold note content (the three-way-merge base), so the JSON blob
-    // is encrypted at rest. Values inside the parsed map are plaintext.
-    const json = await decryptFromSync(state.noteSnapshots, workspaceId);
-    return { snapshots: JSON.parse(json) as Snapshots, version };
-  } catch {
-    return { snapshots: {}, version };
-  }
-}
-
-export async function saveSnapshots(
-  workspaceId: string,
-  snapshots: Snapshots,
-  expectedVersion?: number,
-  db: PrismaClient = prisma
-): Promise<void> {
-  const blob = await encryptForSync(JSON.stringify(snapshots), workspaceId);
-
-  if (expectedVersion !== undefined) {
-    // Optimistic concurrency: only write if the version hasn't changed since we read.
-    // Protects against concurrent writes from multiple Node.js instances (cloud mode).
-    const updated = await db.syncState.updateMany({
-      where: { workspaceId, snapshotVersion: expectedVersion },
-      data: { noteSnapshots: blob, snapshotVersion: { increment: 1 } },
-    });
-    if (updated.count === 0) {
-      throw new Error("Snapshot version conflict — another process updated concurrently");
-    }
-    return;
-  }
-
-  await db.syncState.upsert({
-    where: { workspaceId },
-    update: { noteSnapshots: blob, snapshotVersion: { increment: 1 } },
-    create: { workspaceId, noteSnapshots: blob, snapshotVersion: 1 },
-  });
-}
-
-// Per-workspace serialization: getSnapshots → mutate → saveSnapshots is a
-// read-modify-write of one JSON blob, so concurrent single-note updates within
-// this process would clobber each other. Chain them per workspace.
-// For multi-instance protection, saveSnapshots uses optimistic concurrency.
-const snapshotChains = new Map<string, Promise<unknown>>();
-
-function withSnapshotLock<T>(workspaceId: string, fn: () => Promise<T>): Promise<T> {
-  const prev = snapshotChains.get(workspaceId) ?? Promise.resolve();
-  const next = prev.then(fn, fn);
-  // Keep the chain alive but don't let rejections poison the next caller.
-  snapshotChains.set(workspaceId, next.catch(() => {}));
-  return next;
-}
-
-export async function saveSnapshot(
-  workspaceId: string,
-  noteId: string,
-  content: string,
-  db: PrismaClient = prisma
-): Promise<void> {
-  await withSnapshotLock(workspaceId, async () => {
-    const { snapshots, version } = await getSnapshots(workspaceId, db);
-    snapshots[noteId] = content;
-    await saveSnapshots(workspaceId, snapshots, version, db);
-  });
-}
-
-export async function deleteSnapshot(
-  workspaceId: string,
-  noteId: string,
-  db: PrismaClient = prisma
-): Promise<void> {
-  await withSnapshotLock(workspaceId, async () => {
-    const { snapshots, version } = await getSnapshots(workspaceId, db);
-    delete snapshots[noteId];
-    await saveSnapshots(workspaceId, snapshots, version, db);
-  });
-}
-
-// --- Note badge update (inline status markers) ---
-
-const STATUS_COMMENT_RE = /\s*<!--task::[^>]*-->/g;
-const TASK_LINE_RE = /^(\s*)-\s+\[([ x])\]\s+(.+)$/;
-
-export async function updateNoteBadge(
-  noteId: string,
-  taskTitle: string,
-  newStatus: string,
-  db: PrismaClient = prisma
-): Promise<void> {
-  const note = await db.note.findUnique({ where: { id: noteId } });
-  if (!note) return;
-
-  const plain = await decryptFromSync(note.content, note.workspaceId);
-  const lines = plain.split("\n");
-  let changed = false;
-
-  for (let i = 0; i < lines.length; i++) {
-    const m = TASK_LINE_RE.exec(lines[i]);
-    if (!m) continue;
-
-    const lineTitle = m[3]
-      .replace(/@[\w-]+/g, "")
-      .replace(/<[^>]+>/g, "")
-      .replace(STATUS_COMMENT_RE, "")
-      .trim();
-
-    if (lineTitle !== taskTitle) continue;
-
-    // Flip the checkbox only; <!--task::STATUS--> comments are no longer written
-    // (nothing reads them and they caused spurious sync diffs).
-    const stripped = lines[i].replace(STATUS_COMMENT_RE, "");
-    const checkbox = newStatus === "DONE" ? "x" : " ";
-    const next = stripped.replace(/\[([ x])\]/, `[${checkbox}]`);
-    if (next !== lines[i]) { lines[i] = next; changed = true; }
-    break;
-  }
-
-  if (changed) {
-    const stored = await encryptForSync(lines.join("\n"), note.workspaceId);
-    await db.note.update({
-      where: { id: noteId },
-      data: { content: stored, version: { increment: 1 } },
-    });
-  }
-}
-
-// --- Re-parse note content → sync tasks (idempotent) ---
-
-export async function syncNoteToTasks(
-  noteId: string,
-  workspaceId: string,
-  db: PrismaClient = prisma
-): Promise<void> {
-  const note = await db.note.findUnique({
-    where: { id: noteId },
-    include: { tasks: true },
-  });
-  if (!note) return;
-
-  const plain = await decryptFromSync(note.content, workspaceId);
-  const parsed = parseTasksFromMarkdown(plain);
-  const existingByTitle = new Map(note.tasks.map((t) => [t.title, t]));
-
-  await db.$transaction(async (tx) => {
-    for (const p of parsed) {
-      if (existingByTitle.has(p.title)) {
-        existingByTitle.delete(p.title);
-        continue; // already exists, idempotent
-      }
-
-      const { assigneeId, assigneeType } = await resolveAssignee(tx, workspaceId, p.assigneeHandle);
-
-      const task = await tx.task.create({
-        data: {
-          title: p.title,
-          noteId,
-          workspaceId,
-          assigneeType,
-          assigneeId,
-          fileRefs: p.fileRefs,
-          ...(p.priority && { priority: p.priority as Priority }),
-        },
-      });
-
-      // Snippet is intentionally empty — computed from decrypted note content at
-      // read time (task-detail page) so no plaintext leaks into the DB.
-      await tx.taskReference.create({
-        data: { taskId: task.id, noteId, snippet: "" },
-      });
-    }
-  });
-}

package/lib/note-title.ts

@@ -1,93 +0,0 @@
-// Extract a human-readable title from raw markdown content.
-// Strips common markdown syntax and returns the first meaningful sentence,
-// capped at 80 characters so it fits nicely in sidebars and card labels.
-
-const MAX_AUTO_TITLE_LEN = 80;
-
-export function extractTitleFromContent(content: string): string | null {
-  if (!content || !content.trim()) return null;
-
-  const lines = content.split("\n");
-  for (const raw of lines) {
-    let line = raw.trim();
-    if (!line) continue;
-
-    // Strip heading markers
-    line = line.replace(/^#{1,6}\s*/, "");
-
-    // Strip task checkbox prefix
-    line = line.replace(/^\s*-\s+\[[ x]\]\s*/, "");
-
-    // Strip bold / italic / strikethrough markers
-    line = line.replace(/(\*{1,2}|_{1,2}|~{2})([^*_~]+)\1/g, "$2");
-
-    // Strip inline code backticks
-    line = line.replace(/`([^`]+)`/g, "$1");
-
-    // Strip markdown links → keep only the text part
-    line = line.replace(/\[([^\]]+)\]\([^)]+\)/g, "$1");
-
-    // Strip bare URLs
-    line = line.replace(/https?:\/\/\S+/g, "");
-
-    // Strip HTML tags
-    line = line.replace(/<[^>]+>/g, "");
-
-    // Strip image syntax
-    line = line.replace(/!\[[^\]]*\]\([^)]+\)/g, "");
-
-    // Strip note/task refs
-    line = line.replace(/\[\[[^\]]+\]\]/g, "");
-    line = line.replace(/\(\([^)]+\)\)/g, "");
-
-    // Strip mention handles
-    line = line.replace(/@[\w-]+/g, "");
-
-    // Strip file references <...>
-    line = line.replace(/<[^>]+>/g, "");
-
-    // Strip date/date-ranges
-    line = line.replace(/\d{4}-\d{2}-\d{2}(\.\.\d{4}-\d{2}-\d{2})?/g, "");
-
-    // Strip remaining markdown list markers
-    line = line.replace(/^(\s*[-*+]|\d+\.)\s+/, "");
-
-    // Clean up whitespace
-    line = line.replace(/\s+/g, " ").trim();
-
-    if (!line) continue;
-
-    // Cap length at first sentence boundary if possible, otherwise first 4 words
-    let title = line;
-    const sentenceEnd = title.search(/[.!?](\s|$)/);
-    if (sentenceEnd !== -1 && sentenceEnd > 0) {
-      title = title.slice(0, sentenceEnd + 1);
-    } else {
-      // No punctuation — grab the first 4 words
-      const words = title.split(" ");
-      if (words.length > 4) {
-        title = words.slice(0, 4).join(" ");
-      }
-    }
-    if (title.length > MAX_AUTO_TITLE_LEN) {
-      title = title.slice(0, MAX_AUTO_TITLE_LEN);
-      // Don't chop mid-word
-      const lastSpace = title.lastIndexOf(" ");
-      if (lastSpace > 20) title = title.slice(0, lastSpace);
-    }
-
-    title = title.trim();
-    if (title) return title;
-  }
-
-  return null;
-}
-
-export function autoTitle(content: string, currentTitle?: string): string {
-  // Only auto-title if the user hasn't explicitly named it
-  if (currentTitle && currentTitle.trim() && currentTitle.trim() !== "Untitled") {
-    return currentTitle.trim();
-  }
-  const extracted = extractTitleFromContent(content);
-  return extracted ?? "Untitled";
-}