@knotpad/app 0.1.0

package/app/upgrade/page.tsx

@@ -0,0 +1,75 @@
+import type { Metadata } from "next";
+import { auth } from "@/auth";
+import { redirect } from "next/navigation";
+import { prisma } from "@/lib/prisma";
+import { AppLogo } from "@/components/branding/app-logo";
+import { SwitchAccountButton } from "@/components/auth/switch-account-button";
+import { BillingDashboard } from "@/components/billing/billing-dashboard";
+
+export const metadata: Metadata = {
+  title: "Upgrade",
+  robots: "noindex, nofollow",
+};
+
+/**
+ * Standalone upgrade page, outside the (app) route group.
+ *
+ * app/(app)/layout.tsx paywalls IS_CLOUD users whose workspaces are all FREE —
+ * which would otherwise also block /settings/billing. This page resolves the
+ * user's PERSONAL workspace directly (not via getActiveWorkspaceId, which on
+ * cloud only returns Pro-accessible workspaces) so a FREE user always has a
+ * path to checkout.
+ */
+export default async function UpgradePage() {
+  const session = await auth();
+  if (!session) redirect("/login");
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, workspace: { type: "PERSONAL" }, revokedAt: null },
+    include: {
+      workspace: {
+        include: { _count: { select: { members: { where: { revokedAt: null } } } } },
+      },
+    },
+  });
+  if (!member) redirect("/login");
+
+  const { workspace } = member;
+
+  const me = await prisma.user.findUnique({
+    where: { id: session.user.id },
+    select: { email: true, passwordHash: true },
+  });
+  const isGuest = !!me?.email?.endsWith("@local.brief") && !me?.passwordHash;
+
+  return (
+    <div className="flex min-h-full items-center justify-center px-6 py-12">
+      <div className="w-full max-w-lg space-y-6">
+        <div className="space-y-4">
+          <div className="flex justify-center sm:justify-start">
+            <AppLogo className="h-8 w-auto" />
+          </div>
+          <div>
+            <h1 className="text-xl font-semibold text-zinc-100">Upgrade to Knotpad Pro</h1>
+            <p className="mt-1 text-sm text-zinc-400">
+              Unlock cloud sync and access from any device, including the web and PWA.
+            </p>
+          </div>
+          <SwitchAccountButton className="rounded-md border border-zinc-700 px-4 py-2 text-sm text-zinc-300 hover:bg-zinc-900 transition-colors" />
+        </div>
+        <BillingDashboard
+          isPro={workspace.isPro}
+          isOwner={member.role === "OWNER"}
+          memberCount={workspace._count.members}
+          seatCount={workspace.seatCount}
+          stripeId={workspace.stripeId}
+          planType={workspace.planType}
+          licenseType={workspace.licenseType}
+          workspaceType={workspace.type}
+          workspaceId={workspace.id}
+          isGuest={isGuest}
+        />
+      </div>
+    </div>
+  );
+}

package/auth.config.ts

@@ -0,0 +1,33 @@
+import type { NextAuthConfig } from "next-auth";
+
+// Lightweight config for proxy.ts — no DB adapter, JWT-only verification.
+export const authConfig: NextAuthConfig = {
+  pages: { signIn: "/login" },
+  callbacks: {
+    authorized({ auth, request: { nextUrl } }) {
+      const isLoggedIn = !!auth?.user;
+      // Invite pages are accessible regardless of login state (invite page handles auth itself).
+      if (nextUrl.pathname.startsWith("/invite/")) return true;
+
+      const isAuthPage =
+        nextUrl.pathname === "/login" ||
+        nextUrl.pathname === "/register" ||
+        nextUrl.pathname === "/guest" ||
+        nextUrl.pathname === "/forgot-password" ||
+        nextUrl.pathname === "/reset-password";
+
+      if (isAuthPage) {
+        if (!isLoggedIn) return true;
+        // Logged-in user visiting an auth page — redirect away.
+        // Preserve ?next= so invite-accept flow isn't broken (e.g. /login?next=/invite/TOKEN).
+        // Validate next is a relative same-origin path to prevent open redirect.
+        const next = nextUrl.searchParams.get("next");
+        const safePath =
+          next && next.startsWith("/") && !next.startsWith("//") ? next : "/notes";
+        return Response.redirect(new URL(safePath, nextUrl));
+      }
+      return isLoggedIn;
+    },
+  },
+  providers: [],
+};

package/auth.ts

@@ -0,0 +1,79 @@
+import NextAuth from "next-auth";
+import { PrismaAdapter } from "@auth/prisma-adapter";
+import Credentials from "next-auth/providers/credentials";
+import Google from "next-auth/providers/google";
+import bcrypt from "bcryptjs";
+import { prisma, getCloudPrisma } from "@/lib/prisma";
+import { authConfig } from "@/auth.config";
+
+export const { handlers, auth, signIn, signOut } = NextAuth({
+  ...authConfig,
+  trustHost: true, // Required for local HTTP (NPX/Electron dev and production)
+  // Auth (User, Session, Account) lives in Neon — identity is cloud-scoped.
+  // Free/guest users skip OAuth entirely and use local credentials only.
+  adapter: getCloudPrisma() ? (PrismaAdapter(getCloudPrisma()!) as any) : undefined,
+  session: { strategy: "jwt" },
+  providers: [
+    Credentials({
+      credentials: {
+        email: { label: "Email", type: "email" },
+        password: { label: "Password", type: "password" },
+      },
+      async authorize(credentials) {
+        if (!credentials?.email) return null;
+
+        const email = credentials.email as string;
+
+        // Guest accounts live in local PGlite (no cloud account needed)
+        if (email.endsWith("@local.brief")) {
+          const localUser = await prisma.user.findUnique({ where: { email } });
+          if (localUser && !localUser.passwordHash) {
+            return { id: localUser.id, email: localUser.email, name: localUser.name ?? "Guest" };
+          }
+          return null;
+        }
+
+        // Real accounts: prefer cloud (Neon) when available, fall back to local PGlite
+        // so that registration works in fully-local mode (no CLOUD_DATABASE_URL).
+        const db = getCloudPrisma() ?? prisma;
+        const user = await db.user.findUnique({ where: { email } });
+        if (!user || !credentials.password || !user.passwordHash) return null;
+
+        const valid = await bcrypt.compare(credentials.password as string, user.passwordHash);
+        if (!valid) return null;
+
+        return { id: user.id, email: user.email, name: user.name ?? "" };
+      },
+    }),
+    ...(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET
+      ? [
+          Google({
+            clientId: process.env.GOOGLE_CLIENT_ID,
+            clientSecret: process.env.GOOGLE_CLIENT_SECRET,
+          }),
+        ]
+      : []),
+  ],
+  callbacks: {
+    async jwt({ token, user }) {
+      if (user) token.id = user.id;
+      return token;
+    },
+    async session({ session, token }) {
+      if (token?.id) session.user.id = token.id as string;
+      return session;
+    },
+    authorized: authConfig.callbacks!.authorized,
+  },
+});
+
+declare module "next-auth" {
+  interface Session {
+    user: {
+      id: string;
+      email: string;
+      name: string;
+      image?: string;
+    };
+  }
+}

package/bin/brief.js

@@ -0,0 +1,224 @@
+#!/usr/bin/env node
+/**
+ * Knotpad CLI — npx @knotpad/app
+ *
+ * Sets up and starts a local Knotpad instance in under 60 seconds.
+ * Requires: Node 18+ only. No external database needed.
+ *
+ * What it does:
+ *  1. Checks Node version
+ *  2. Finds or creates a .env file in the current directory
+ *  3. Generates NEXTAUTH_SECRET / MCP_SECRET if not present
+ *  4. Starts the Next.js server on port 3099
+ *     → PGlite (embedded local DB) bootstraps automatically at startup
+ *       via instrumentation.tsx → lib/prisma.ts + lib/db-init.ts
+ *  5. Opens an app-mode window (Chrome/Edge — no address bar) or falls back to browser
+ */
+
+"use strict";
+
+const { execSync, spawn } = require("child_process");
+const fs   = require("fs");
+const path = require("path");
+const { randomBytes } = require("crypto");
+
+// ── Helpers ────────────────────────────────────────────────────────────────────
+
+function log(msg)  { process.stdout.write(`\x1b[36m[knotpad]\x1b[0m ${msg}\n`); }
+function ok(msg)   { process.stdout.write(`\x1b[32m[knotpad]\x1b[0m ${msg}\n`); }
+function die(msg)  { process.stderr.write(`\x1b[31m[knotpad]\x1b[0m ${msg}\n`); process.exit(1); }
+
+function genSecret(bytes = 32) {
+  return randomBytes(bytes).toString("base64url");
+}
+
+function openBrowser(url) {
+  const cmd =
+    process.platform === "win32"  ? `start "" "${url}"` :
+    process.platform === "darwin" ? `open "${url}"` :
+    `xdg-open "${url}"`;
+  try { execSync(cmd, { stdio: "ignore" }); } catch {}
+}
+
+// ── Chrome / Edge app-mode detection ──────────────────────────────────────────
+
+/**
+ * Find a Chrome or Edge binary on the system. Returns { bin, name } or null.
+ */
+function findChromeOrEdge() {
+  const platform = process.platform;
+
+  if (platform === "win32") {
+    const pf   = process.env.ProgramFiles         || "";
+    const pfx  = process.env["ProgramFiles(x86)"] || "";
+    const local = process.env.LOCALAPPDATA        || "";
+    const candidates = [
+      { bin: path.join(pf,    "Google", "Chrome", "Application", "chrome.exe"), name: "chrome" },
+      { bin: path.join(pfx,   "Google", "Chrome", "Application", "chrome.exe"), name: "chrome" },
+      { bin: path.join(local, "Google", "Chrome", "Application", "chrome.exe"), name: "chrome" },
+      { bin: path.join(pf,    "Microsoft", "Edge", "Application", "msedge.exe"), name: "edge" },
+      { bin: path.join(pfx,   "Microsoft", "Edge", "Application", "msedge.exe"), name: "edge" },
+    ];
+    for (const c of candidates) {
+      if (c.bin && fs.existsSync(c.bin)) return c;
+    }
+    return null;
+  }
+
+  if (platform === "darwin") {
+    const candidates = [
+      { bin: "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome", name: "chrome" },
+      { bin: "/Applications/Microsoft Edge.app/Contents/MacOS/Microsoft Edge", name: "edge" },
+    ];
+    for (const c of candidates) {
+      if (fs.existsSync(c.bin)) return c;
+    }
+    return null;
+  }
+
+  // Linux / other unix-like
+  const bins = [
+    { bin: "google-chrome",  name: "chrome" },
+    { bin: "chromium",       name: "chrome" },
+    { bin: "microsoft-edge", name: "edge" },
+  ];
+  for (const c of bins) {
+    try {
+      execSync(`which ${c.bin}`, { stdio: "ignore" });
+      return { bin: c.bin, name: c.name };
+    } catch {}
+  }
+  return null;
+}
+
+/**
+ * Open the app URL in a Chrome/Edge app-mode window (no address bar, no tabs).
+ * Falls back to the regular browser if no Chrome/Edge is found.
+ */
+function openAppWindow(url) {
+  const browser = findChromeOrEdge();
+  if (!browser) {
+    log("No Chrome/Edge found — falling back to default browser");
+    return openBrowser(url);
+  }
+
+  try {
+    const profileDir = path.join(WORK_DIR, ".brief", "chrome-profile");
+    fs.mkdirSync(profileDir, { recursive: true });
+
+    const args = [
+      `--app=${url}`,
+      `--user-data-dir=${profileDir}`,
+      "--window-size=1400,900",
+      "--no-first-run",
+      "--no-default-browser-check",
+    ];
+
+    log(`Launching ${browser.name} app-mode window…`);
+    const child = spawn(browser.bin, args, {
+      detached: true,
+      stdio: "ignore",
+    });
+    child.unref();
+  } catch {
+    log("Failed to launch app-mode window — falling back to default browser");
+    openBrowser(url);
+  }
+}
+
+// ── 1. Node version ────────────────────────────────────────────────────────────
+
+const [major] = process.versions.node.split(".").map(Number);
+if (major < 18) die(`Node 18+ required (you have ${process.versions.node}). Install from https://nodejs.org`);
+
+// ── 2. .env setup ──────────────────────────────────────────────────────────────
+
+const PKG_DIR  = path.resolve(__dirname, "..");
+const WORK_DIR = process.cwd();
+const ENV_PATH = path.join(WORK_DIR, ".env");
+
+let env = {};
+if (fs.existsSync(ENV_PATH)) {
+  const raw = fs.readFileSync(ENV_PATH, "utf8");
+  for (const line of raw.split(/\r?\n/)) {
+    const m = /^([A-Z_][A-Z0-9_]*)=(.*)$/.exec(line.trim());
+    if (m) env[m[1]] = m[2].replace(/^["']|["']$/g, "");
+  }
+  log(".env found, loading existing config");
+} else {
+  log("Creating .env with defaults…");
+}
+
+// Fill defaults — no DATABASE_URL needed; PGlite handles local storage automatically
+// Port 3099 avoids clashing with dev servers (3000) commonly running alongside.
+const defaults = {
+  NEXTAUTH_SECRET:     genSecret(),
+  NEXTAUTH_URL:        "http://localhost:3099",
+  MCP_SECRET:          genSecret(),
+  ENCRYPTION_PEPPER:   genSecret(),
+  NEXT_PUBLIC_APP_URL: "http://localhost:3099",
+  NEXT_PUBLIC_MCP_URL: "http://localhost:3099/mcp",
+  IS_CLOUD:            "false",
+  CRON_SECRET:         genSecret(16),
+};
+
+let changed = false;
+for (const [k, v] of Object.entries(defaults)) {
+  if (!env[k]) { env[k] = v; changed = true; }
+}
+
+if (changed) {
+  const lines = Object.entries(env).map(([k, v]) => `${k}="${v}"`).join("\n");
+  fs.writeFileSync(ENV_PATH, lines + "\n", "utf8");
+  ok(".env written");
+}
+
+// Apply env for this process
+for (const [k, v] of Object.entries(env)) {
+  process.env[k] = v;
+}
+
+// ── 3. Build (if not already built) ───────────────────────────────────────────
+
+// BUILD_ID is only written after a successful build — a leftover .next/ from a
+// failed build won't have it, so we correctly re-run in that case.
+const BUILD_ID = path.join(PKG_DIR, ".next", "BUILD_ID");
+if (!fs.existsSync(BUILD_ID)) {
+  log("Building Knotpad (first run — takes ~30 seconds)…");
+  try {
+    execSync("npx next build", { cwd: PKG_DIR, stdio: "inherit", env: process.env });
+    ok("Build complete");
+  } catch {
+    die("Build failed. Run `npx @knotpad/app` again after fixing any errors.");
+  }
+}
+
+// ── 4. Start server ────────────────────────────────────────────────────────────
+
+// Pre-create PGlite data directory so the app can open it immediately at startup
+fs.mkdirSync(path.join(WORK_DIR, ".brief", "db"), { recursive: true });
+
+const PORT = parseInt(process.env.PORT ?? "3099", 10);
+const URL  = `http://localhost:${PORT}`;
+
+ok(`\nStarting Knotpad on ${URL}\n`);
+process.stdout.write(`  ${"\x1b[2m"}Ctrl+C to stop${"\x1b[0m"}\n\n`);
+
+const NEXT_BIN = path.join(PKG_DIR, "node_modules", "next", "dist", "bin", "next");
+const server = spawn(process.execPath, [NEXT_BIN, "start", "--port", String(PORT)], {
+  cwd: PKG_DIR,
+  stdio: "inherit",
+  env: process.env,
+});
+
+server.on("error", (e) => die(`Failed to start server: ${e.message}`));
+server.on("exit", (code) => {
+  if (code !== 0 && code !== null) die(`Server exited with code ${code}`);
+});
+
+// Open in app-mode Chrome/Edge window (falls back to browser if not found)
+setTimeout(() => openAppWindow(URL), 1500);
+
+// Graceful exit
+process.on("SIGINT",  () => { server.kill("SIGINT");  process.exit(0); });
+process.on("SIGTERM", () => { server.kill("SIGTERM"); process.exit(0); });