@knotpad/app 0.1.0

package/app/api/export/route.tsx

@@ -0,0 +1,40 @@
+/**
+ * Export all notes in the workspace as a single JSON payload.
+ * Each note is rendered as clean markdown (no internal badge comments).
+ *
+ * The response is a Knotpad JSON export file (version 1), accepted by POST /api/restore.
+ */
+import { NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { buildWorkspaceBackup } from "@/lib/backup/export-workspace-backup";
+import { rateLimit } from "@/lib/rate-limit";
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const rl = rateLimit(`export:${session.user.id}`, 5, 60_000);
+  if (rl.limited) {
+    return NextResponse.json({ error: "Too many requests" }, { status: 429, headers: { "Retry-After": String(rl.retryAfter) } });
+  }
+
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id },
+    include: { workspace: true },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const { filename, payload } = await buildWorkspaceBackup(
+    member.workspaceId,
+    member.workspace.name,
+    member.workspace.slug
+  );
+
+  return new NextResponse(JSON.stringify(payload, null, 2), {
+    headers: {
+      "Content-Type": "application/json",
+      "Content-Disposition": `attachment; filename="${filename}"`,
+    },
+  });
+}

package/app/api/feedback/route.tsx

@@ -0,0 +1,54 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { z } from "zod";
+
+const feedbackSchema = z.object({
+  type: z.enum(["feedback", "bug", "feature_request"]),
+  subject: z.string().min(1).max(200),
+  message: z.string().min(1).max(5000),
+});
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const body = await req.json();
+  const parsed = feedbackSchema.safeParse(body);
+  if (!parsed.success) {
+    return NextResponse.json({ error: "Invalid input", details: parsed.error.flatten() }, { status: 400 });
+  }
+
+  const { type, subject, message } = parsed.data;
+
+  const feedback = await prisma.feedback.create({
+    data: {
+      userId: session.user.id,
+      type,
+      subject,
+      message,
+    },
+  });
+
+  return NextResponse.json({ id: feedback.id, success: true });
+}
+
+export async function GET() {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const feedback = await prisma.feedback.findMany({
+    where: { userId: session.user.id },
+    orderBy: { createdAt: "desc" },
+    take: 50,
+    select: {
+      id: true,
+      type: true,
+      subject: true,
+      message: true,
+      createdAt: true,
+    },
+  });
+
+  return NextResponse.json(feedback);
+}

package/app/api/folders/[folderId]/route.tsx

@@ -0,0 +1,51 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { getPrimaryDb } from "@/lib/prisma";
+import { getActiveWorkspaceId } from "@/lib/workspace";
+
+async function ownedFolder(userId: string, folderId: string) {
+  const workspaceId = await getActiveWorkspaceId(userId);
+  if (!workspaceId) return null;
+  const db = await getPrimaryDb(workspaceId);
+  const folder = await db.folder.findFirst({ where: { id: folderId, workspaceId } });
+  return folder ? { folder, workspaceId, db } : null;
+}
+
+export async function PATCH(
+  req: NextRequest,
+  { params }: { params: Promise<{ folderId: string }> }
+) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { folderId } = await params;
+  const owned = await ownedFolder(session.user.id, folderId);
+  if (!owned) return NextResponse.json({ error: "Not found" }, { status: 404 });
+
+  const { name } = await req.json().catch(() => ({}));
+  const trimmed = typeof name === "string" ? name.trim() : "";
+  if (!trimmed) return NextResponse.json({ error: "name required" }, { status: 400 });
+
+  const folder = await owned.db.folder.update({
+    where: { id: folderId },
+    data: { name: trimmed.slice(0, 120) },
+    select: { id: true, name: true },
+  });
+  return NextResponse.json(folder);
+}
+
+export async function DELETE(
+  _req: NextRequest,
+  { params }: { params: Promise<{ folderId: string }> }
+) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const { folderId } = await params;
+  const owned = await ownedFolder(session.user.id, folderId);
+  if (!owned) return NextResponse.json({ error: "Not found" }, { status: 404 });
+
+  // Notes keep existing; their folderId is set to null via the FK (onDelete: SetNull).
+  await owned.db.folder.delete({ where: { id: folderId } });
+  return NextResponse.json({ ok: true });
+}

package/app/api/folders/route.tsx

@@ -0,0 +1,37 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma, getPrimaryDb, isConnectionError } from "@/lib/prisma";
+import { getActiveWorkspaceId } from "@/lib/workspace";
+
+const MAX_NAME_LEN = 120;
+
+export async function POST(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const workspaceId = await getActiveWorkspaceId(session.user.id);
+  if (!workspaceId) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const { name } = await req.json().catch(() => ({}));
+  const trimmed = typeof name === "string" ? name.trim() : "";
+  if (!trimmed) return NextResponse.json({ error: "name required" }, { status: 400 });
+  if (trimmed.length > MAX_NAME_LEN) return NextResponse.json({ error: "name too long" }, { status: 400 });
+
+  const db = await getPrimaryDb(workspaceId);
+  try {
+    const folder = await db.folder.create({
+      data: { name: trimmed, workspaceId },
+      select: { id: true, name: true },
+    });
+    return NextResponse.json(folder, { status: 201 });
+  } catch (err) {
+    if (isConnectionError(err) && db !== prisma) {
+      const folder = await prisma.folder.create({
+        data: { name: trimmed, workspaceId },
+        select: { id: true, name: true },
+      });
+      return NextResponse.json(folder, { status: 201 });
+    }
+    throw err;
+  }
+}

package/app/api/graph/route.tsx

@@ -0,0 +1,242 @@
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/auth";
+import { prisma } from "@/lib/prisma";
+import { getActiveWorkspaceId } from "@/lib/workspace";
+import { rateLimit } from "@/lib/rate-limit";
+import { decryptContent } from "@/lib/note-crypto";
+
+export type GraphNodeType = "note" | "task" | "person" | "agent" | "folder";
+
+export type GraphNode = {
+  id: string;
+  type: GraphNodeType;
+  label: string;
+  href?: string;
+  status?: string;
+};
+
+export type GraphEdge = {
+  source: string;
+  target: string;
+  type: "contains" | "assigned" | "references";
+};
+
+export type GraphData = { nodes: GraphNode[]; edges: GraphEdge[] };
+
+export async function GET(req: NextRequest) {
+  const session = await auth();
+  if (!session) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+
+  const rl = rateLimit(`graph:${session.user.id}`, 20, 60_000);
+  if (rl.limited) {
+    return NextResponse.json({ error: "Too many requests" }, { status: 429, headers: { "Retry-After": String(rl.retryAfter) } });
+  }
+
+  const activeWs = await getActiveWorkspaceId(session.user.id);
+  const member = await prisma.workspaceMember.findFirst({
+    where: { userId: session.user.id, workspaceId: activeWs ?? undefined },
+    include: {
+      workspace: {
+        include: {
+          folders: { select: { id: true, name: true } },
+          notes: {
+            include: {
+              tasks: {
+                include: {
+                  assignee: { select: { id: true, name: true, email: true } },
+                  // Cross-note references: notes that mention this task via ((title))
+                  references: { select: { noteId: true } },
+                },
+              },
+            },
+          },
+          members: {
+            include: { user: { select: { id: true, name: true, email: true } } },
+          },
+        },
+      },
+    },
+  });
+  if (!member) return NextResponse.json({ error: "No workspace" }, { status: 404 });
+
+  const nodes: GraphNode[] = [];
+  const edges: GraphEdge[] = [];
+  const personSet = new Set<string>();
+  const edgeSet = new Set<string>(); // dedupe edges
+
+  function addEdge(source: string, target: string, type: GraphEdge["type"]) {
+    const key = `${source}→${target}:${type}`;
+    if (edgeSet.has(key)) return;
+    edgeSet.add(key);
+    edges.push({ source, target, type });
+  }
+
+  // ── Folder nodes (amber) ─────────────────────────────────────────────────
+  for (const folder of member.workspace.folders) {
+    nodes.push({
+      id: `folder-${folder.id}`,
+      type: "folder",
+      label: folder.name,
+    });
+  }
+
+  // ── Note + Task nodes ────────────────────────────────────────────────────
+  const noteIdSet = new Set(member.workspace.notes.map((n) => n.id));
+
+  // Build lookup maps: title → node id for resolving [[note]] and ((task)) refs
+  const noteTitleToId = new Map<string, string>();
+  const taskTitleToId = new Map<string, string>();
+
+  for (const note of member.workspace.notes) {
+    noteTitleToId.set(note.title.toLowerCase(), note.id);
+    for (const task of note.tasks) {
+      taskTitleToId.set(task.title.toLowerCase(), task.id);
+    }
+  }
+
+  // Regex patterns for extracting references from note content
+  const NOTE_REF_RE = /\[\[([^\]]+)\]\]/g;
+  const TASK_REF_RE = /\(\(([^)]+)\)\)/g;
+  const TASK_LINE_RE = /^(\s*)-\s+\[([ x])\]\s+(.+)$/;
+
+  for (const note of member.workspace.notes) {
+    nodes.push({
+      id: `note-${note.id}`,
+      type: "note",
+      label: note.title,
+      href: `/notes/${note.id}`,
+    });
+
+    // Folder → Note containment edge
+    if (note.folderId) {
+      addEdge(`folder-${note.folderId}`, `note-${note.id}`, "contains");
+    }
+
+    for (const task of note.tasks) {
+      // Agent-assigned tasks rendered as blue, human as teal
+      const taskNodeType: GraphNodeType = task.assigneeType === "AGENT" ? "agent" : "task";
+      const taskNodeId = `task-${task.id}`;
+
+      nodes.push({
+        id: taskNodeId,
+        type: taskNodeType,
+        label: task.title,
+        href: `/tasks/${task.id}?from=/graph`,
+        status: task.status,
+      });
+
+      // Note → Task containment edge (source note owns the task)
+      addEdge(`note-${note.id}`, taskNodeId, "contains");
+
+      // ── Assignee edges ─────────────────────────────────────────────────
+      if (task.assignee) {
+        const personId = `person-${task.assignee.id}`;
+        if (!personSet.has(personId)) {
+          personSet.add(personId);
+          nodes.push({
+            id: personId,
+            type: "person",
+            label: task.assignee.name ?? task.assignee.email ?? "Unknown",
+          });
+        }
+        addEdge(taskNodeId, personId, "assigned");
+      } else if (task.assigneeType === "AGENT" && task.claimedByAlias) {
+        const agentPersonId = `agent-person-${task.claimedByAlias}`;
+        if (!personSet.has(agentPersonId)) {
+          personSet.add(agentPersonId);
+          nodes.push({ id: agentPersonId, type: "agent", label: `@agent:${task.claimedByAlias}` });
+        }
+        addEdge(taskNodeId, agentPersonId, "assigned");
+      }
+
+      // ── Cross-note reference edges (from TaskReference table) ────────
+      // For each note that has a ((task title)) mention pointing at this task,
+      // draw a dashed "references" edge: referencing-note → this-task.
+      // Skip if the reference comes from the task's own source note (already
+      // shown as a "contains" edge above).
+      for (const ref of task.references) {
+        if (ref.noteId !== note.id && noteIdSet.has(ref.noteId)) {
+          addEdge(`note-${ref.noteId}`, taskNodeId, "references");
+        }
+      }
+    }
+
+    // ── Parse decrypted note content for inline references ────────────────
+    // This catches:
+    //   - Note-level [[note]] refs → note-to-note edges
+    //   - Note-level ((task)) refs → note-to-task edges
+    //   - Task-level [[note]] refs → task-to-note edges
+    //   - Task-level ((task)) refs → task-to-task edges
+    try {
+      const plain = await decryptContent(note.content, note.workspaceId);
+      const lines = plain.split("\n");
+      const ownTaskIds = new Set(note.tasks.map((t) => t.id));
+
+      for (const rawLine of lines) {
+        const taskMatch = TASK_LINE_RE.exec(rawLine);
+
+        if (taskMatch) {
+          // This is a task line — resolve refs from the task node
+          const lineText = taskMatch[3];
+          // Strip metadata to get the clean task title for lookup
+          const cleanTitle = lineText
+            .replace(/\[\[[^\]]*\]\]/g, "")
+            .replace(/\(\([^)]*\)\)/g, "")
+            .replace(/@[\w-]+/g, "")
+            .replace(/<[^>]+>/g, "")
+            .replace(/\d{4}-\d{2}-\d{2}(\.\.\d{4}-\d{2}-\d{2})?/g, "")
+            .replace(/\s*<!--task::[A-Z_]+-->/g, "")
+            .trim();
+          const srcTaskId = taskTitleToId.get(cleanTitle.toLowerCase());
+          if (!srcTaskId) continue;
+          const srcTaskNodeId = `task-${srcTaskId}`;
+
+          // [[note title]] refs inside task line → task-to-note edge
+          let m: RegExpExecArray | null;
+          const noteRefRe = new RegExp(NOTE_REF_RE.source, "g");
+          while ((m = noteRefRe.exec(lineText)) !== null) {
+            const refNoteId = noteTitleToId.get(m[1].trim().toLowerCase());
+            if (refNoteId && refNoteId !== note.id) {
+              addEdge(srcTaskNodeId, `note-${refNoteId}`, "references");
+            }
+          }
+
+          // ((task title)) refs inside task line → task-to-task edge
+          const taskRefRe = new RegExp(TASK_REF_RE.source, "g");
+          while ((m = taskRefRe.exec(lineText)) !== null) {
+            const refTaskId = taskTitleToId.get(m[1].trim().toLowerCase());
+            if (refTaskId && refTaskId !== srcTaskId) {
+              addEdge(srcTaskNodeId, `task-${refTaskId}`, "references");
+            }
+          }
+        } else {
+          // Non-task line — resolve refs from the note node
+          const noteNodeId = `note-${note.id}`;
+
+          let m: RegExpExecArray | null;
+          const noteRefRe = new RegExp(NOTE_REF_RE.source, "g");
+          while ((m = noteRefRe.exec(rawLine)) !== null) {
+            const refNoteId = noteTitleToId.get(m[1].trim().toLowerCase());
+            if (refNoteId && refNoteId !== note.id) {
+              addEdge(noteNodeId, `note-${refNoteId}`, "references");
+            }
+          }
+
+          const taskRefRe = new RegExp(TASK_REF_RE.source, "g");
+          while ((m = taskRefRe.exec(rawLine)) !== null) {
+            const refTaskId = taskTitleToId.get(m[1].trim().toLowerCase());
+            // Skip tasks this note already owns — they have a "contains" edge,
+            // so a redundant "references" edge would just draw a doubled line.
+            if (refTaskId && !ownTaskIds.has(refTaskId)) {
+              addEdge(noteNodeId, `task-${refTaskId}`, "references");
+            }
+          }
+        }
+      }
+    } catch {
+      // If decryption fails, skip inline references for this note
+    }
+  }
+
+  return NextResponse.json({ nodes, edges } satisfies GraphData);
+}

package/app/api/guest/route.tsx

@@ -0,0 +1,58 @@
+import { NextResponse } from "next/server";
+import { prisma } from "@/lib/prisma";
+import { seedDefaultKanbanStatuses } from "@/lib/kanban-status";
+
+const IS_CLOUD = process.env.IS_CLOUD === "true";
+
+// Creates (or, on desktop, reuses) a local-only guest account.
+// Guest: no email, no password — full local features, no cloud sync.
+//
+// Desktop/NPX (IS_CLOUD=false): there is ONE persistent local identity, so
+// relaunching the app returns the user to the same notes instead of minting a
+// fresh empty workspace every time. Cloud (IS_CLOUD=true): mint a unique guest
+// per call (each browser is a different visitor; a shared identity would collide).
+export async function POST() {
+  if (!IS_CLOUD) {
+    // Reuse the existing unclaimed local guest (passwordHash still null — a
+    // claimed/upgraded account no longer qualifies, see /api/account/claim).
+    const existing = await prisma.user.findFirst({
+      where: { email: { endsWith: "@local.brief" }, passwordHash: null },
+      orderBy: { createdAt: "asc" },
+      select: { id: true, email: true },
+    });
+    if (existing) {
+      return NextResponse.json({ email: existing.email, guestId: existing.id }, { status: 200 });
+    }
+  }
+
+  const guestId = crypto.randomUUID();
+  const internalEmail = `guest_${guestId}@local.brief`;
+
+  const user = await prisma.$transaction(async (tx) => {
+    const newUser = await tx.user.create({
+      data: {
+        email: internalEmail,
+        name: "Guest",
+        role: "OWNER",
+      },
+    });
+
+    const slug = `guest-${guestId.slice(0, 8)}`;
+    const workspace = await tx.workspace.create({
+      data: {
+        name: "My Workspace",
+        slug,
+        members: { create: { userId: newUser.id, role: "OWNER" } },
+      },
+    });
+
+    // Seed the default kanban statuses so the board/list/badges work out of the
+    // box (mirrors /api/register; the old guest route skipped this).
+    await seedDefaultKanbanStatuses(workspace.id, tx);
+
+    return newUser;
+  });
+
+  // Return the internal credentials so the client can sign in via NextAuth
+  return NextResponse.json({ email: user.email, guestId }, { status: 201 });
+}

package/app/api/health/route.tsx

@@ -0,0 +1,10 @@
+import { NextResponse } from "next/server";
+
+// Tiny always-200 reachability probe. No auth, no DB — used by the client
+// online-status helper and the service worker to confirm the server is actually
+// reachable (navigator.onLine alone can't tell us that).
+export const dynamic = "force-dynamic";
+
+export function GET() {
+  return NextResponse.json({ ok: true, ts: Date.now() });
+}

package/app/api/holidays/countries/route.tsx

@@ -0,0 +1,14 @@
+import { NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET() {
+  const hd = new Holidays();
+  const raw = hd.getCountries() as Record<string, string>;
+  const countries = Object.entries(raw)
+    .map(([code, name]) => ({ code, name }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+  return NextResponse.json(
+    { countries },
+    { headers: { "Cache-Control": "public, max-age=86400" } }
+  );
+}

package/app/api/holidays/route.tsx

@@ -0,0 +1,49 @@
+/**
+ * General-purpose public holidays endpoint powered by the `date-holidays` npm library.
+ * Computes holidays locally — no external network dependency.
+ *
+ * Query params:
+ *   country – ISO 3166-1 alpha-2 code, e.g. "MY"  (required)
+ *   state   – region/state sub-code, e.g. "KUL"   (optional)
+ *   year    – 4-digit year                         (required)
+ *
+ * GET /api/holidays/countries           → { countries: { code, name }[] }
+ * GET /api/holidays/states?country=XX   → { states: { code, name }[] }
+ * GET /api/holidays?country=XX&year=YYYY[&state=YY] → { holidays: { name, date, is_subject_to_change }[] }
+ */
+import { NextRequest, NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = req.nextUrl;
+  const country = searchParams.get("country");
+  const state   = searchParams.get("state") ?? undefined;
+  const year    = searchParams.get("year");
+
+  if (!country) {
+    return NextResponse.json({ error: "country param required" }, { status: 400 });
+  }
+  if (!year || !/^\d{4}$/.test(year)) {
+    return NextResponse.json({ error: "year param required (YYYY)" }, { status: 400 });
+  }
+
+  try {
+    const hd = new Holidays(country, state ?? "");
+    const raw = hd.getHolidays(Number(year));
+
+    const holidays = raw
+      .filter((h) => h.type === "public")
+      .map((h) => ({
+        name: h.name,
+        date: h.date.slice(0, 10),
+        is_subject_to_change: false,
+      }));
+
+    return NextResponse.json(
+      { holidays },
+      { headers: { "Cache-Control": "public, max-age=86400, stale-while-revalidate=3600" } }
+    );
+  } catch {
+    return NextResponse.json({ error: "Failed to compute holidays for the given country/state" }, { status: 400 });
+  }
+}

package/app/api/holidays/states/route.tsx

@@ -0,0 +1,21 @@
+import { NextRequest, NextResponse } from "next/server";
+import Holidays from "date-holidays";
+
+export async function GET(req: NextRequest) {
+  const country = req.nextUrl.searchParams.get("country");
+  if (!country) {
+    return NextResponse.json({ error: "country param required" }, { status: 400 });
+  }
+  const hd = new Holidays();
+  const raw = hd.getStates(country) as Record<string, string> | undefined;
+  if (!raw) {
+    return NextResponse.json({ states: [] });
+  }
+  const states = Object.entries(raw)
+    .map(([code, name]) => ({ code, name }))
+    .sort((a, b) => a.name.localeCompare(b.name));
+  return NextResponse.json(
+    { states },
+    { headers: { "Cache-Control": "public, max-age=86400" } }
+  );
+}