@m5kdev/backend 0.1.0

package/package.json

@@ -0,0 +1,205 @@
+{
+  "name": "@m5kdev/backend",
+  "version": "0.1.0",
+  "description": "Composable Express server stack with Drizzle ORM and tRPC.",
+  "license": "GPL-3.0-only",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/michalkow/m5kdev.git"
+  },
+  "homepage": "https://github.com/michalkow/m5kdev#readme",
+  "bugs": "https://github.com/michalkow/m5kdev/issues",
+  "files": [
+    "src"
+  ],
+  "dependencies": {
+    "@aws-sdk/client-s3": "3.891.0",
+    "@aws-sdk/client-sts": "3.891.0",
+    "@aws-sdk/s3-request-presigner": "3.891.0",
+    "@libsql/client": "0.17.0",
+    "@mastra/core": "1.0.4",
+    "@mastra/rag": "2.0.0",
+    "@openrouter/ai-sdk-provider": "1.5.4",
+    "@posthog/ai": "6.2.0",
+    "@sentry/node": "10.22.0",
+    "@trpc/server": "11.4.3",
+    "@types/multer": "1.4.12",
+    "ai": "5.0.14",
+    "better-auth": "1.4.18",
+    "bip32": "4.0.0",
+    "bip39": "3.1.0",
+    "bitcoinjs-lib": "7.0.0",
+    "body-parser": "1.20.3",
+    "bullmq": "5.58.0",
+    "cors": "2.8.5",
+    "dotenv": "16.6.1",
+    "drizzle-orm": "0.44.3",
+    "drizzle-zod": "0.8.2",
+    "express": "4.21.2",
+    "ffmpeg-ffprobe-static": "6.1.2-rc.1",
+    "fluent-ffmpeg": "2.1.3",
+    "ioredis": "5.7.0",
+    "luxon": "3.7.1",
+    "multer": "1.4.5-lts.1",
+    "mustache": "4.2.0",
+    "neverthrow": "8.2.0",
+    "openid-client": "6.8.1",
+    "pino": "9.6.0",
+    "pino-pretty": "13.0.0",
+    "posthog-node": "4.10.2",
+    "radashi": "12.6.0",
+    "react": "19.2.1",
+    "react-dom": "19.2.1",
+    "replicate": "1.0.1",
+    "resend": "6.5.2",
+    "rrule": "2.8.1",
+    "stripe": "20.1.0",
+    "tiny-secp256k1": "2.2.3",
+    "trpc-to-openapi": "2.3.0",
+    "uuid": "11.0.5",
+    "zod": "4.2.1",
+    "@m5kdev/commons": "0.1.0",
+    "@m5kdev/config": "0.0.0"
+  },
+  "devDependencies": {
+    "@jest/globals": "30.2.0",
+    "@types/body-parser": "1.19.5",
+    "@types/cors": "2.8.17",
+    "@types/express": "4.17.21",
+    "@types/fluent-ffmpeg": "2.1.27",
+    "@types/jest": "30.0.0",
+    "@types/luxon": "3.7.1",
+    "@types/mustache": "4.2.6",
+    "@types/node": "20.19.11",
+    "@types/react": "19.2.7",
+    "@types/react-dom": "19.2.3",
+    "drizzle-kit": "0.31.4",
+    "jest": "30.1.3",
+    "ts-jest": "29.4.4",
+    "tslib": "2.8.1",
+    "tsup": "8.4.0",
+    "tsx": "4.19.2",
+    "typescript": "5.9.2"
+  },
+  "imports": {
+    "#modules/ai/*": "./src/modules/ai/*.ts",
+    "#modules/utils/*": "./src/modules/utils/*.ts",
+    "#modules/base/*": "./src/modules/base/*.ts",
+    "#modules/billing/*": "./src/modules/billing/*.ts",
+    "#modules/crypto/*": "./src/modules/crypto/*.ts",
+    "#modules/auth/*": "./src/modules/auth/*.ts",
+    "#modules/tag/*": "./src/modules/tag/*.ts",
+    "#modules/connect/*": "./src/modules/connect/*.ts",
+    "#modules/workflow/*": "./src/modules/workflow/*.ts",
+    "#modules/file/*": "./src/modules/file/*.ts",
+    "#modules/recurrence/*": "./src/modules/recurrence/*.ts",
+    "#modules/video/*": "./src/modules/video/*.ts",
+    "#modules/posthog/*": "./src/modules/posthog/*.ts",
+    "#modules/access/*": "./src/modules/access/*.ts",
+    "#modules/social/*": "./src/modules/social/*.ts",
+    "#modules/clay/*": "./src/modules/clay/*.ts",
+    "#modules/webhook/*": "./src/modules/webhook/*.ts",
+    "#modules/email/*": "./src/modules/email/*.ts",
+    "#lib/*": "./src/lib/*.ts",
+    "#trpc": "./src/trpc/index.ts",
+    "#utils/*": "./src/utils/*.ts"
+  },
+  "exports": {
+    "./modules/ai/*": {
+      "types": "./dist/src/modules/ai/*.d.ts",
+      "default": "./dist/src/modules/ai/*.js"
+    },
+    "./modules/utils/*": {
+      "types": "./dist/src/modules/utils/*.d.ts",
+      "default": "./dist/src/modules/utils/*.js"
+    },
+    "./modules/base/*": {
+      "types": "./dist/src/modules/base/*.d.ts",
+      "default": "./dist/src/modules/base/*.js"
+    },
+    "./modules/billing/*": {
+      "types": "./dist/src/modules/billing/*.d.ts",
+      "default": "./dist/src/modules/billing/*.js"
+    },
+    "./modules/crypto/*": {
+      "types": "./dist/src/modules/crypto/*.d.ts",
+      "default": "./dist/src/modules/crypto/*.js"
+    },
+    "./modules/auth/*": {
+      "types": "./dist/src/modules/auth/*.d.ts",
+      "default": "./dist/src/modules/auth/*.js"
+    },
+    "./modules/tag/*": {
+      "types": "./dist/src/modules/tag/*.d.ts",
+      "default": "./dist/src/modules/tag/*.js"
+    },
+    "./modules/connect/*": {
+      "types": "./dist/src/modules/connect/*.d.ts",
+      "default": "./dist/src/modules/connect/*.js"
+    },
+    "./modules/workflow/*": {
+      "types": "./dist/src/modules/workflow/*.d.ts",
+      "default": "./dist/src/modules/workflow/*.js"
+    },
+    "./modules/file/*": {
+      "types": "./dist/src/modules/file/*.d.ts",
+      "default": "./dist/src/modules/file/*.js"
+    },
+    "./modules/recurrence/*": {
+      "types": "./dist/src/modules/recurrence/*.d.ts",
+      "default": "./dist/src/modules/recurrence/*.js"
+    },
+    "./modules/video/*": {
+      "types": "./dist/src/modules/video/*.d.ts",
+      "default": "./dist/src/modules/video/*.js"
+    },
+    "./modules/posthog/*": {
+      "types": "./dist/src/modules/posthog/*.d.ts",
+      "default": "./dist/src/modules/posthog/*.js"
+    },
+    "./modules/access/*": {
+      "types": "./dist/src/modules/access/*.d.ts",
+      "default": "./dist/src/modules/access/*.js"
+    },
+    "./modules/social/*": {
+      "types": "./dist/src/modules/social/*.d.ts",
+      "default": "./dist/src/modules/social/*.js"
+    },
+    "./modules/clay/*": {
+      "types": "./dist/src/modules/clay/*.d.ts",
+      "default": "./dist/src/modules/clay/*.js"
+    },
+    "./modules/webhook/*": {
+      "types": "./dist/src/modules/webhook/*.d.ts",
+      "default": "./dist/src/modules/webhook/*.js"
+    },
+    "./modules/email/*": {
+      "types": "./dist/src/modules/email/*.d.ts",
+      "default": "./dist/src/modules/email/*.js"
+    },
+    "./lib/*": {
+      "types": "./dist/src/lib/*.d.ts",
+      "default": "./dist/src/lib/*.js"
+    },
+    "./trpc": {
+      "types": "./dist/src/trpc/index.d.ts",
+      "default": "./dist/src/trpc/index.js"
+    },
+    "./utils/*": {
+      "types": "./dist/src/utils/*.d.ts",
+      "default": "./dist/src/utils/*.js"
+    },
+    "./types": {
+      "types": "./dist/src/types.d.ts",
+      "default": "./dist/src/types.js"
+    }
+  },
+  "scripts": {
+    "lint": "biome check .",
+    "lint:fix": "biome check . --write",
+    "build": "tsc --build",
+    "check-types": "tsc --noEmit",
+    "test": "jest -c jest.config.ts",
+    "test:watch": "jest -c jest.config.ts --watch"
+  }
+}

package/src/lib/posthog.ts

@@ -0,0 +1,5 @@
+import { PostHog } from "posthog-node";
+
+export const posthogClient = new PostHog(process.env.VITE_PUBLIC_POSTHOG_KEY!, {
+  host: process.env.VITE_PUBLIC_POSTHOG_HOST!,
+});

package/src/lib/sentry.ts

@@ -0,0 +1,8 @@
+import * as Sentry from "@sentry/node";
+
+Sentry.init({
+  dsn: process.env.SENTRY_SERVER_DNS,
+
+  // Set sampling rate for profiling - this is evaluated only once per SDK.init
+  profileSessionSampleRate: 1.0,
+});

package/src/modules/access/access.repository.ts

@@ -0,0 +1,36 @@
+import { and, eq } from "drizzle-orm";
+import type { LibSQLDatabase } from "drizzle-orm/libsql";
+import { ok } from "neverthrow";
+import * as auth from "#modules/auth/auth.db";
+import type { ServerResultAsync } from "#modules/base/base.dto";
+import { BaseRepository } from "#modules/base/base.repository";
+
+const schema = { ...auth };
+type Schema = typeof schema;
+type Orm = LibSQLDatabase<Schema>;
+
+export class AccessRepository extends BaseRepository<Orm, Schema, Record<string, never>> {
+  async getOrganizationRole(userId: string, organizationId: string): ServerResultAsync<string> {
+    return this.throwableAsync(async () => {
+      const [member] = await this.orm
+        .select({ role: schema.members.role })
+        .from(schema.members)
+        .where(
+          and(eq(schema.members.organizationId, organizationId), eq(schema.members.userId, userId))
+        )
+        .limit(1);
+      return ok(member?.role ?? "");
+    });
+  }
+
+  async getTeamRole(userId: string, teamId: string): ServerResultAsync<string> {
+    return this.throwableAsync(async () => {
+      const [member] = await this.orm
+        .select({ role: schema.teamMembers.role })
+        .from(schema.teamMembers)
+        .where(and(eq(schema.teamMembers.teamId, teamId), eq(schema.teamMembers.userId, userId)))
+        .limit(1);
+      return ok(member?.role ?? "");
+    });
+  }
+}

package/src/modules/access/access.service.ts

@@ -0,0 +1,81 @@
+import type { Statements } from "better-auth/plugins/access";
+import { err, ok } from "neverthrow";
+import type { AccessRepository } from "#modules/access/access.repository";
+import type { AccessControlRoles } from "#modules/access/access.utils";
+import type { ServerResultAsync } from "#modules/base/base.dto";
+import { BaseService } from "#modules/base/base.service";
+
+type User = {
+  id: string;
+  role: string;
+};
+
+export class AccessService<T extends Statements> extends BaseService<
+  { access: AccessRepository },
+  never
+> {
+  acr: AccessControlRoles<T>;
+
+  constructor(repositories: { access: AccessRepository }, acr: AccessControlRoles<T>) {
+    super(repositories);
+    this.acr = acr;
+  }
+
+  authorize(
+    level: "user" | "team" | "organization",
+    role: string,
+    request: any,
+    connector: "OR" | "AND" = "AND"
+  ) {
+    try {
+      return !!this.acr[level][role].authorize(request, connector).success;
+    } catch (error) {
+      console.error(error);
+      return false;
+    }
+  }
+
+  async checkAccess(
+    user: User,
+    level: "team" | "organization",
+    levelId: string,
+    request: any,
+    connector: "OR" | "AND" = "AND"
+  ): ServerResultAsync<boolean> {
+    const role =
+      level === "organization"
+        ? await this.repository.access.getOrganizationRole(user.id, levelId)
+        : await this.repository.access.getTeamRole(user.id, levelId);
+    if (role.isErr()) return err(role.error);
+    return ok(this.authorize(level, role.value, request, connector));
+  }
+
+  async hasAccess(
+    user: User,
+    level: "user" | "team" | "organization",
+    levelId: string,
+    request: any,
+    connector: "OR" | "AND" = "AND"
+  ): ServerResultAsync<boolean> {
+    // FIXME: catch all admin user access for now
+    if (user.role === "admin") return ok(true);
+    const userAccess = this.authorize("user", user.role, request, connector);
+    if (level === "user") return ok(userAccess && user.id === levelId);
+    if (userAccess) return ok(true);
+
+    const organizationAccess = await this.checkAccess(
+      user,
+      "organization",
+      levelId,
+      request,
+      connector
+    );
+    if (organizationAccess.isErr()) return err(organizationAccess.error);
+    if (level === "organization") return organizationAccess;
+    if (organizationAccess.value) return ok(true);
+
+    const teamAccess = await this.checkAccess(user, "team", levelId, request, connector);
+    if (teamAccess.isErr()) return err(teamAccess.error);
+    return teamAccess;
+  }
+}

package/src/modules/access/access.test.ts

@@ -0,0 +1,216 @@
+import { createClient } from "@libsql/client";
+import type { LibSQLDatabase } from "drizzle-orm/libsql";
+import { drizzle } from "drizzle-orm/libsql";
+import fs from "fs";
+import path from "path";
+import { AccessRepository } from "#modules/access/access.repository";
+import { AccessService } from "#modules/access/access.service";
+import { createAccessRoles } from "#modules/access/access.utils";
+import * as authSchema from "#modules/auth/auth.db";
+
+describe("AccessService", () => {
+  const statements = {
+    project: ["create", "share", "update", "delete"],
+  } as const;
+
+  const roleDefinitions = {
+    user: {
+      admin: { project: ["create", "share", "update"] },
+    },
+    team: {
+      admin: { project: ["create", "share", "update"] },
+    },
+    organization: {
+      admin: { project: ["create", "share", "update"] },
+    },
+  } as const;
+
+  const acr = createAccessRoles(statements, roleDefinitions);
+  // Minimal repository stub; not used by authorize() unit tests
+  const accessService = new AccessService({ access: {} as unknown as AccessRepository }, acr);
+
+  describe("user level", () => {
+    it("allows defined action", () => {
+      expect(accessService.authorize("user", "admin", { project: ["create"] })).toBe(true);
+    });
+
+    it("denies undefined action", () => {
+      expect(accessService.authorize("user", "admin", { project: ["delete"] })).toBe(false);
+    });
+
+    it("handles AND vs OR connectors for multiple actions", () => {
+      // admin has create but not delete
+      expect(
+        accessService.authorize("user", "admin", { project: ["create", "delete"] }, "AND")
+      ).toBe(false);
+      expect(
+        accessService.authorize(
+          "user",
+          "admin",
+          { project: { actions: ["create", "delete"], connector: "OR" } },
+          "OR"
+        )
+      ).toBe(true);
+    });
+  });
+
+  describe("team level", () => {
+    it("allows defined action", () => {
+      expect(accessService.authorize("team", "admin", { project: ["share"] })).toBe(true);
+    });
+
+    it("denies undefined action", () => {
+      expect(accessService.authorize("team", "admin", { project: ["delete"] })).toBe(false);
+    });
+  });
+
+  describe("organization level", () => {
+    it("allows defined action", () => {
+      expect(accessService.authorize("organization", "admin", { project: ["update"] })).toBe(true);
+    });
+
+    it("denies undefined action", () => {
+      expect(accessService.authorize("organization", "admin", { project: ["delete"] })).toBe(false);
+    });
+  });
+});
+
+describe("AccessRepository (libsql local)", () => {
+  const dbFile = path.join(__dirname, "access.test.sqlite");
+  const url = `file:${dbFile}`;
+  const client = createClient({ url });
+  type Schema = typeof authSchema;
+  type Orm = LibSQLDatabase<Schema>;
+  const orm = drizzle(client, { schema: authSchema }) as Orm;
+  const repo = new AccessRepository({ orm, schema: authSchema as Schema }, {});
+
+  beforeAll(async () => {
+    // Create minimal tables required for tests
+    await client.execute(`
+      CREATE TABLE IF NOT EXISTS members (
+        id TEXT PRIMARY KEY,
+        organization_id TEXT NOT NULL,
+        user_id TEXT NOT NULL,
+        role TEXT NOT NULL
+      );
+    `);
+    await client.execute(`
+      CREATE TABLE IF NOT EXISTS teammembers (
+        id TEXT PRIMARY KEY,
+        team_id TEXT NOT NULL,
+        user_id TEXT NOT NULL,
+        role TEXT NOT NULL
+      );
+    `);
+  });
+
+  beforeEach(async () => {
+    await client.execute({
+      sql: "INSERT INTO members (id, organization_id, user_id, role) VALUES (?, ?, ?, ?)",
+      args: ["m1", "org1", "user1", "admin"],
+    });
+    await client.execute({
+      sql: "INSERT INTO teammembers (id, team_id, user_id, role) VALUES (?, ?, ?, ?)",
+      args: ["tm1", "team1", "user1", "admin"],
+    });
+  });
+
+  afterEach(async () => {
+    await client.execute("DELETE FROM members;");
+    await client.execute("DELETE FROM teammembers;");
+  });
+
+  afterAll(async () => {
+    try {
+      await client.close();
+    } catch {}
+    try {
+      if (fs.existsSync(dbFile)) fs.unlinkSync(dbFile);
+    } catch {}
+  });
+
+  it("returns organization role for user", async () => {
+    const res = await repo.getOrganizationRole("user1", "org1");
+    expect(res.isOk()).toBe(true);
+    if (res.isOk()) expect(res.value).toBe("admin");
+  });
+
+  it("returns team role for user", async () => {
+    const res = await repo.getTeamRole("user1", "team1");
+    expect(res.isOk()).toBe(true);
+    if (res.isOk()) expect(res.value).toBe("admin");
+  });
+
+  describe("AccessService.hasAccess (with repo)", () => {
+    const hasAccessStatements = {
+      project: ["create", "share", "update", "delete"],
+    } as const;
+
+    const hasAccessRoles = {
+      user: {
+        member: { project: ["create"] },
+      },
+      team: {
+        manager: { project: ["share"] },
+      },
+      organization: {
+        manager: { project: ["update"] },
+      },
+    } as const;
+
+    const acr2 = createAccessRoles(hasAccessStatements, hasAccessRoles);
+    const service = new AccessService({ access: repo }, acr2);
+
+    it("admin override grants access", async () => {
+      const result = await service.hasAccess(
+        { id: "any", role: "admin" },
+        "organization",
+        "whatever",
+        { project: ["delete"] }
+      );
+      expect(result.isOk()).toBe(true);
+      if (result.isOk()) expect(result.value).toBe(true);
+    });
+
+    it("user level access only for self and allowed action", async () => {
+      const allowSelf = await service.hasAccess({ id: "user2", role: "member" }, "user", "user2", {
+        project: ["create"],
+      });
+      expect(allowSelf.isOk()).toBe(true);
+      if (allowSelf.isOk()) expect(allowSelf.value).toBe(true);
+
+      const denyOther = await service.hasAccess({ id: "user2", role: "member" }, "user", "other", {
+        project: ["create"],
+      });
+      expect(denyOther.isOk()).toBe(true);
+      if (denyOther.isOk()) expect(denyOther.value).toBe(false);
+    });
+
+    it("organization membership grants access based on repo role", async () => {
+      await client.execute({
+        sql: "INSERT INTO members (id, organization_id, user_id, role) VALUES (?, ?, ?, ?)",
+        args: ["m2", "org2", "user2", "manager"],
+      });
+      const result = await service.hasAccess(
+        { id: "user2", role: "member" },
+        "organization",
+        "org2",
+        { project: ["update"] }
+      );
+      expect(result.isOk()).toBe(true);
+      if (result.isOk()) expect(result.value).toBe(true);
+    });
+
+    it("team membership grants access based on repo role", async () => {
+      await client.execute({
+        sql: "INSERT INTO teammembers (id, team_id, user_id, role) VALUES (?, ?, ?, ?)",
+        args: ["tm2", "team2", "user2", "manager"],
+      });
+      const result = await service.hasAccess({ id: "user2", role: "member" }, "team", "team2", {
+        project: ["share"],
+      });
+      expect(result.isOk()).toBe(true);
+      if (result.isOk()) expect(result.value).toBe(true);
+    });
+  });
+});

package/src/modules/access/access.utils.ts

@@ -0,0 +1,46 @@
+import {
+  type AccessControl,
+  createAccessControl,
+  type Role,
+  type Statements,
+  type Subset,
+} from "better-auth/plugins/access";
+
+export type AccessControlRoles<T extends Statements> = {
+  ac: AccessControl<T>;
+  user: Record<string, Role<Subset<keyof T, T>>>;
+  team: Record<string, Role<Subset<keyof T, T>>>;
+  organization: Record<string, Role<Subset<keyof T, T>>>;
+};
+
+// Allow defining role statements with any subset of resources from T
+// and only actions permitted by each resource definition in T
+export type RoleDefinition<T extends Statements> = {
+  [K in keyof T]?: T[K] extends readonly (infer A)[] ? readonly A[] : never;
+};
+
+export type RoleDefinitions<T extends Statements> = {
+  user: Record<string, RoleDefinition<T>>;
+  team: Record<string, RoleDefinition<T>>;
+  organization: Record<string, RoleDefinition<T>>;
+};
+
+export function createAccessRoles<T extends Statements>(
+  statements: T,
+  roleDefinitions: RoleDefinitions<T>
+): AccessControlRoles<T> {
+  const ac = createAccessControl(statements);
+  const user: Record<string, Role<Subset<keyof T, T>>> = {};
+  const team: Record<string, Role<Subset<keyof T, T>>> = {};
+  const organization: Record<string, Role<Subset<keyof T, T>>> = {};
+  for (const [roleName, roleStatements] of Object.entries(roleDefinitions.user)) {
+    user[roleName] = ac.newRole(roleStatements as unknown as Subset<keyof T, T>);
+  }
+  for (const [roleName, roleStatements] of Object.entries(roleDefinitions.team)) {
+    team[roleName] = ac.newRole(roleStatements as unknown as Subset<keyof T, T>);
+  }
+  for (const [roleName, roleStatements] of Object.entries(roleDefinitions.organization)) {
+    organization[roleName] = ac.newRole(roleStatements as unknown as Subset<keyof T, T>);
+  }
+  return { ac, user, team, organization };
+}

package/src/modules/ai/ai.db.ts

@@ -0,0 +1,38 @@
+import { integer, real, sqliteTable as table, text } from "drizzle-orm/sqlite-core";
+import { v4 as uuidv4 } from "uuid";
+import { organizations, teams, users } from "#modules/auth/auth.db";
+
+export const chats = table("chats", {
+  id: text("id").primaryKey().$default(uuidv4),
+  userId: text("user_id")
+    .notNull()
+    .references(() => users.id, { onDelete: "cascade" }),
+  title: text("title"),
+  type: text("type"),
+  conversation: text("conversation", { mode: "json" }),
+  createdAt: integer("created_at", { mode: "timestamp" }).$default(() => new Date()),
+  updatedAt: integer("updated_at", { mode: "timestamp" })
+    .notNull()
+    .$default(() => new Date()),
+});
+
+export const aiUsage = table("ai_usage", {
+  id: text("id").primaryKey().$default(uuidv4),
+  userId: text("user_id").references(() => users.id, { onDelete: "cascade" }),
+  teamId: text("team_id").references(() => teams.id, { onDelete: "cascade" }),
+  organizationId: text("organization_id").references(() => organizations.id, {
+    onDelete: "cascade",
+  }),
+  feature: text("feature").notNull(),
+  provider: text("provider").notNull(),
+  model: text("model").notNull(),
+  inputTokens: integer("input_tokens"),
+  outputTokens: integer("output_tokens"),
+  totalTokens: integer("total_tokens"),
+  cost: real("cost"),
+  traceId: text("trace_id"),
+  createdAt: integer("created_at", { mode: "timestamp" })
+    .notNull()
+    .$default(() => new Date()),
+  metadata: text("metadata", { mode: "json" }),
+});