@mevdragon/vidfarm-devcli 0.1.0 → 0.2.0

package/dist/src/app.js

@@ -1,19 +1,27 @@
-import { readFileSync } from "node:fs";
+import { readFileSync, statSync } from "node:fs";
 import path from "node:path";
 import { Hono } from "hono";
 import { z } from "zod";
+import { renderLoginPage, renderPricingPage, renderSettingsPage } from "./account-pages.js";
 import { config } from "./config.js";
 import { database } from "./db.js";
 import { renderDevApp } from "./dev-app.js";
-import { encryptString } from "./lib/crypto.js";
+import { renderHomepage } from "./homepage.js";
+import { decryptString, encryptString, hashSecret } from "./lib/crypto.js";
 import { createId } from "./lib/ids.js";
 import { templateRegistry } from "./registry.js";
 import { AuthService } from "./services/auth.js";
 import { JobsService } from "./services/jobs.js";
 import { StorageService } from "./services/storage.js";
+import { TemplateSourceService } from "./services/template-sources.js";
 const auth = new AuthService();
 const jobs = new JobsService();
 const storage = new StorageService();
+const templateSources = new TemplateSourceService();
+const API_PREFIX = "/api/v1";
+const USER_PREFIX = `${API_PREFIX}/user`;
+const TEMPLATES_PREFIX = `${API_PREFIX}/templates`;
+const SESSION_COOKIE = "vidfarm_session";
 const app = new Hono();
 const otpRequestSchema = z.object({
     email: z.string().email()
@@ -23,42 +31,533 @@ const otpVerifySchema = z.object({
     code: z.string().min(6).max(6),
     name: z.string().optional()
 });
+const passwordLoginSchema = z.object({
+    email: z.string().email(),
+    password: z.string().min(1)
+});
+const adminWhitelistSchema = z.object({
+    emails: z.array(z.string().email()).min(1)
+});
+const adminCreateUserSchema = z.object({
+    email: z.string().email(),
+    password: z.string().min(8),
+    name: z.string().optional()
+});
 const providerKeySchema = z.object({
     provider: z.enum(["openai", "gemini", "openrouter", "perplexity"]),
     label: z.string().optional(),
     secret: z.string().min(8),
     weight: z.number().int().min(1).max(100).default(1)
 });
-const workspacePresignSchema = z.object({
-    path: z.string().min(1),
-    contentType: z.string().min(3).default("application/octet-stream")
+const settingsProviderKeyFormSchema = z.object({
+    provider: z.enum(["openai", "gemini", "openrouter", "perplexity"]),
+    label: z.string().trim().optional(),
+    secret: z.string().min(8),
+    weight: z.coerce.number().int().min(1).max(100).default(1)
+});
+const settingsProfileFormSchema = z.object({
+    about: z.string().max(10000).optional(),
+    groupchat_url: z.union([z.literal(""), z.string().url()]).optional(),
+    flockposter_api_key: z.string().max(1000).optional()
 });
+const listJobsQuerySchema = z.object({
+    tracer: z.string().min(1).optional(),
+    start_time: z.string().min(1).optional(),
+    end_time: z.string().min(1).optional(),
+    limit: z.coerce.number().int().min(1).max(500).optional(),
+    template_id: z.string().min(1).optional()
+});
+function getLoginMode(value) {
+    return value === "password" ? "password" : "otp";
+}
+const allowedAttachmentExtensions = new Set([
+    ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg",
+    ".mp4", ".mov", ".webm", ".m4v",
+    ".mp3", ".wav", ".m4a", ".aac", ".ogg",
+    ".pdf", ".md", ".txt"
+]);
 app.use("*", async (c, next) => {
     c.header("x-powered-by", "vidfarm");
+    await templateRegistry.ensureInitialized();
     await next();
 });
-app.get("/", (c) => c.json({ name: "vidfarm", version: "0.1.0", environment: config.NODE_ENV }));
-app.get("/health", (c) => c.json({ ok: true, time: new Date().toISOString() }));
-app.get("/dev", (c) => c.html(renderDevApp({
-    environment: config.NODE_ENV,
-    templates: templateRegistry.list().map((template) => ({
-        id: template.id,
-        version: template.version,
-        description: template.description,
-        operations: Object.entries(template.operations).map(([name, operation]) => ({
-            name,
-            description: operation.description,
-            workflow: operation.workflow,
-            providerHint: operation.providerHint ?? null
+function renderConsole(c) {
+    return c.html(renderDevApp({
+        environment: config.NODE_ENV,
+        templates: templateRegistry.list().map((template) => ({
+            id: template.id,
+            slug_id: template.slugId,
+            version: template.version,
+            description: template.about.description,
+            operations: Object.entries(template.operations).map(([name, operation]) => ({
+                name,
+                description: operation.description,
+                workflow: operation.workflow,
+                providerHint: operation.providerHint ?? null
+            }))
         }))
-    }))
-})));
-app.post("/auth/request-otp", async (c) => {
+    }));
+}
+function parseCookieHeader(value) {
+    const cookies = new Map();
+    if (!value) {
+        return cookies;
+    }
+    for (const part of value.split(";")) {
+        const trimmed = part.trim();
+        if (!trimmed) {
+            continue;
+        }
+        const separator = trimmed.indexOf("=");
+        if (separator < 0) {
+            continue;
+        }
+        cookies.set(trimmed.slice(0, separator), decodeURIComponent(trimmed.slice(separator + 1)));
+    }
+    return cookies;
+}
+function appendCookie(c, value) {
+    c.header("set-cookie", value, { append: true });
+}
+function setBrowserSession(c, customer) {
+    const payload = encryptString(JSON.stringify({
+        customerId: customer.id,
+        email: customer.email,
+        issuedAt: new Date().toISOString()
+    }), config.ENCRYPTION_SECRET);
+    appendCookie(c, `${SESSION_COOKIE}=${encodeURIComponent(payload)}; Path=/; HttpOnly; SameSite=Lax; Max-Age=2592000${config.isProduction ? "; Secure" : ""}`);
+}
+function clearBrowserSession(c) {
+    appendCookie(c, `${SESSION_COOKIE}=; Path=/; HttpOnly; SameSite=Lax; Max-Age=0${config.isProduction ? "; Secure" : ""}`);
+}
+function getBrowserCustomer(c) {
+    try {
+        const cookies = parseCookieHeader(c.req.header("cookie"));
+        const raw = cookies.get(SESSION_COOKIE);
+        if (!raw) {
+            return null;
+        }
+        const session = JSON.parse(decryptString(raw, config.ENCRYPTION_SECRET));
+        if (!session.customerId) {
+            return null;
+        }
+        return database.getCustomerById(session.customerId);
+    }
+    catch {
+        return null;
+    }
+}
+function requireBrowserCustomer(c) {
+    const customer = getBrowserCustomer(c);
+    if (!customer?.isPaidPlan) {
+        return null;
+    }
+    return customer;
+}
+function redirect(c, location, status = 302) {
+    return c.redirect(location, status);
+}
+function redirectToSettings(c, input) {
+    const params = new URLSearchParams();
+    if (input?.notice) {
+        params.set("notice", input.notice);
+    }
+    if (input?.error) {
+        params.set("error", input.error);
+    }
+    const suffix = params.size ? `?${params.toString()}` : "";
+    return redirect(c, `/settings${suffix}`, 303);
+}
+function sanitizeFileName(value) {
+    const normalized = path.basename(value).replace(/[^\w.-]+/g, "_");
+    return normalized.length ? normalized : "upload.bin";
+}
+function isAllowedAttachment(fileName, contentType) {
+    const extension = path.extname(fileName).toLowerCase();
+    if (allowedAttachmentExtensions.has(extension)) {
+        return true;
+    }
+    return contentType.startsWith("image/")
+        || contentType.startsWith("video/")
+        || contentType.startsWith("audio/")
+        || contentType === "application/pdf"
+        || contentType === "text/plain"
+        || contentType === "text/markdown";
+}
+function isFormFile(value) {
+    return Boolean(value
+        && typeof value === "object"
+        && "name" in value
+        && "arrayBuffer" in value);
+}
+function getVisibleApiKey(customerId) {
+    const existing = database.getLatestApiKeyForCustomer(customerId);
+    const rawValue = existing?.raw_value ? String(existing.raw_value) : null;
+    if (rawValue) {
+        return rawValue;
+    }
+    const apiKey = `vf_${createId("key")}`;
+    database.insertApiKey({
+        id: createId("api"),
+        customerId,
+        keyHash: hashSecret(apiKey + config.API_KEY_SALT),
+        rawValue: apiKey,
+        label: "Settings API key"
+    });
+    return apiKey;
+}
+function readStoredSecret(value) {
+    try {
+        return decryptString(value, config.ENCRYPTION_SECRET);
+    }
+    catch {
+        return value;
+    }
+}
+function getReleaseTimestamp(release) {
+    return release.activatedAt ?? release.updatedAt ?? release.createdAt;
+}
+function getApprovedHomepageTemplates(c) {
+    const approvedReleaseByTemplateId = new Map();
+    for (const release of database.listTemplateReleases()) {
+        if (release.status !== "active" && release.status !== "certified") {
+            continue;
+        }
+        const current = approvedReleaseByTemplateId.get(release.templateId);
+        if (!current || getReleaseTimestamp(release) > getReleaseTimestamp(current)) {
+            approvedReleaseByTemplateId.set(release.templateId, release);
+        }
+    }
+    return templateRegistry.list()
+        .map((template) => {
+        const release = approvedReleaseByTemplateId.get(template.id);
+        const approvedAt = release?.activatedAt
+            ?? release?.updatedAt
+            ?? release?.createdAt
+            ?? (template.skillPath
+                ? (() => {
+                    try {
+                        return statSync(template.skillPath).mtime.toISOString();
+                    }
+                    catch {
+                        return null;
+                    }
+                })()
+                : null);
+        const skillContent = template.skillPath
+            ? (() => {
+                try {
+                    return readFileSync(template.skillPath, "utf8");
+                }
+                catch {
+                    return "";
+                }
+            })()
+            : "";
+        return {
+            title: template.about.title,
+            templateId: template.id,
+            slugId: template.slugId,
+            viralDna: template.about.viral_dna,
+            visualDna: template.about.visual_dna,
+            previewUrl: template.about.preview_media[0]
+                ? resolveHomepagePreviewUrl(c, template.id, template.about.preview_media[0])
+                : null,
+            skillContent,
+            approvedAt
+        };
+    })
+        .sort((a, b) => {
+        const aTime = a.approvedAt ? Date.parse(a.approvedAt) : 0;
+        const bTime = b.approvedAt ? Date.parse(b.approvedAt) : 0;
+        return bTime - aTime || a.title.localeCompare(b.title);
+    });
+}
+function renderApprovedHomepage(c) {
+    return c.html(renderHomepage({
+        templates: getApprovedHomepageTemplates(c),
+        account: {
+            isLoggedIn: Boolean(getBrowserCustomer(c))
+        }
+    }));
+}
+app.get("/", (c) => renderApprovedHomepage(c));
+app.get("/health", (c) => c.json({ ok: true, time: new Date().toISOString() }));
+app.get("/dev", (c) => renderConsole(c));
+app.get("/template-media", async (c) => {
+    const key = c.req.query("key") ?? "";
+    return serveStorageKeyAsset(c, key);
+});
+app.get(API_PREFIX, (c) => c.json({ name: "vidfarm", version: "0.1.0", environment: config.NODE_ENV }));
+app.get("/login", (c) => {
+    const customer = getBrowserCustomer(c);
+    if (customer?.isPaidPlan) {
+        return redirect(c, "/settings");
+    }
+    return c.html(renderLoginPage({ mode: getLoginMode(c.req.query("mode")) }));
+});
+app.post("/login/password", async (c) => {
+    const mode = getLoginMode(c.req.query("mode"));
+    const parsed = passwordLoginSchema.safeParse(await parseFormBody(c));
+    if (!parsed.success) {
+        return c.html(renderLoginPage({ mode, error: "Enter a valid email and password." }), 400);
+    }
+    try {
+        const result = auth.authenticateWithPassword(parsed.data.email, parsed.data.password);
+        if (result.status === "pricing") {
+            return c.html(renderPricingPage({ email: result.customer.email }));
+        }
+        setBrowserSession(c, result.customer);
+        return redirect(c, "/settings");
+    }
+    catch (error) {
+        return c.html(renderLoginPage({
+            mode,
+            email: parsed.data.email,
+            error: error instanceof Error ? error.message : "Unable to login."
+        }), 401);
+    }
+});
+app.post("/login/otp/request", async (c) => {
+    const mode = getLoginMode(c.req.query("mode"));
+    const parsed = otpRequestSchema.safeParse(await parseFormBody(c));
+    if (!parsed.success) {
+        return c.html(renderLoginPage({ mode, error: "Enter a valid email address." }), 400);
+    }
+    await auth.requestOtp(parsed.data.email);
+    return c.html(renderLoginPage({
+        mode,
+        email: parsed.data.email,
+        otpSent: true,
+        message: "OTP sent. Enter the code to continue."
+    }));
+});
+app.post("/login/otp/verify", async (c) => {
+    const mode = getLoginMode(c.req.query("mode"));
+    const parsed = otpVerifySchema.safeParse(await parseFormBody(c));
+    if (!parsed.success) {
+        return c.html(renderLoginPage({ mode, error: "Enter the email and 6-digit OTP." }), 400);
+    }
+    try {
+        const result = auth.verifyOtpForBrowserLogin(parsed.data.email, parsed.data.code, parsed.data.name);
+        if (result.status === "pricing") {
+            clearBrowserSession(c);
+            return c.html(renderPricingPage({ email: result.customer.email }));
+        }
+        setBrowserSession(c, result.customer);
+        return redirect(c, "/settings");
+    }
+    catch (error) {
+        return c.html(renderLoginPage({
+            mode,
+            email: parsed.data.email,
+            otpSent: true,
+            error: error instanceof Error ? error.message : "Unable to verify OTP."
+        }), 401);
+    }
+});
+app.get("/settings", (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    const directorSkill = (() => {
+        try {
+            return readFileSync(path.resolve("SKILL.user.md"), "utf8");
+        }
+        catch {
+            return "";
+        }
+    })();
+    const developerSkill = customer.isDeveloper
+        ? (() => {
+            try {
+                return readFileSync(path.resolve("SKILL.developer.md"), "utf8");
+            }
+            catch {
+                return null;
+            }
+        })()
+        : null;
+    return c.html(renderSettingsPage({
+        notice: c.req.query("notice") ?? null,
+        error: c.req.query("error") ?? null,
+        email: customer.email,
+        isPaidPlan: customer.isPaidPlan,
+        isDeveloper: customer.isDeveloper,
+        about: customer.about,
+        groupchatUrl: customer.groupchatUrl,
+        flockposterApiKey: customer.flockposterApiKey,
+        vidfarmApiKey: getVisibleApiKey(customer.id),
+        directorSkill,
+        developerSkill,
+        providerKeys: database.listProviderKeysWithSecrets(customer.id).map((entry) => ({
+            id: String(entry.id),
+            provider: String(entry.provider),
+            label: entry.label ? String(entry.label) : null,
+            secret: readStoredSecret(String(entry.secret)),
+            status: String(entry.status),
+            weight: Number(entry.weight),
+            created_at: String(entry.created_at),
+            last_used_at: entry.last_used_at ? String(entry.last_used_at) : null
+        })),
+        attachments: database.listUserAttachments(customer.id)
+    }));
+});
+app.post("/settings/profile", async (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    try {
+        const body = settingsProfileFormSchema.parse(await parseFormBody(c));
+        database.updateCustomerProfile({
+            customerId: customer.id,
+            about: body.about?.trim() || null,
+            groupchatUrl: body.groupchat_url?.trim() || null,
+            flockposterApiKey: body.flockposter_api_key?.trim() || null
+        });
+        return redirectToSettings(c, { notice: "Profile updated." });
+    }
+    catch (error) {
+        return redirectToSettings(c, {
+            error: error instanceof Error ? error.message : "Unable to update profile."
+        });
+    }
+});
+app.post("/settings/provider-keys", async (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    try {
+        const body = settingsProviderKeyFormSchema.parse(await parseFormBody(c));
+        database.createProviderKey({
+            id: createId("pkey"),
+            customerId: customer.id,
+            provider: body.provider,
+            label: body.label?.trim() || null,
+            encryptedSecret: body.secret,
+            weight: body.weight
+        });
+        return redirectToSettings(c, { notice: "Provider key added." });
+    }
+    catch (error) {
+        return redirectToSettings(c, {
+            error: error instanceof Error ? error.message : "Unable to add provider key."
+        });
+    }
+});
+app.post("/settings/provider-keys/:keyId/delete", (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    database.deleteProviderKey(customer.id, c.req.param("keyId"));
+    return redirectToSettings(c, { notice: "Provider key removed." });
+});
+app.post("/settings/attachments", async (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    try {
+        const formData = await c.req.formData();
+        const files = formData.getAll("files").filter(isFormFile);
+        if (!files.length) {
+            return redirectToSettings(c, { error: "Select at least one file to upload." });
+        }
+        for (const file of files) {
+            const fileName = sanitizeFileName(file.name || "upload.bin");
+            const contentType = file.type || "application/octet-stream";
+            if (!isAllowedAttachment(fileName, contentType)) {
+                return redirectToSettings(c, { error: `Unsupported attachment type: ${fileName}` });
+            }
+            const arrayBuffer = await file.arrayBuffer();
+            const buffer = Buffer.from(arrayBuffer);
+            const attachmentId = createId("att");
+            const storageKey = `user/${customer.id}/attachments/${attachmentId}/${fileName}`;
+            const stored = await storage.putBuffer(storageKey, buffer, contentType, { publicRead: true });
+            database.createUserAttachment({
+                id: attachmentId,
+                customerId: customer.id,
+                fileName,
+                contentType,
+                sizeBytes: buffer.byteLength,
+                storageKey: stored.key,
+                publicUrl: stored.url
+            });
+        }
+        return redirectToSettings(c, { notice: "Attachment upload complete." });
+    }
+    catch (error) {
+        return redirectToSettings(c, {
+            error: error instanceof Error ? error.message : "Unable to upload attachments."
+        });
+    }
+});
+app.post("/settings/attachments/:attachmentId/delete", async (c) => {
+    const customer = requireBrowserCustomer(c);
+    if (!customer) {
+        return redirect(c, "/login");
+    }
+    const attachment = database.getUserAttachment(customer.id, c.req.param("attachmentId"));
+    if (!attachment) {
+        return redirectToSettings(c, { error: "Attachment not found." });
+    }
+    await storage.deleteObject(attachment.storageKey).catch(() => undefined);
+    database.deleteUserAttachment(customer.id, attachment.id);
+    return redirectToSettings(c, { notice: "Attachment removed." });
+});
+app.post("/logout", (c) => {
+    clearBrowserSession(c);
+    return redirect(c, "/");
+});
+app.post(`${API_PREFIX}/admin/auth/whitelist`, async (c) => {
+    try {
+        requireSuperagency(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    const parsed = adminWhitelistSchema.parse(await c.req.json());
+    const customers = parsed.emails.map((email) => {
+        const normalizedEmail = email.trim().toLowerCase();
+        const existing = database.getCustomerByEmail(normalizedEmail);
+        return database.upsertCustomer({
+            id: existing?.id ?? createId("cus"),
+            email: normalizedEmail,
+            name: existing?.name ?? null,
+            defaultWebhookUrl: existing?.defaultWebhookUrl ?? null,
+            isDeveloper: existing?.isDeveloper
+                || config.adminEmails.includes(normalizedEmail)
+                || config.developerEmails.includes(normalizedEmail),
+            isPaidPlan: true
+        });
+    });
+    return c.json({ customers });
+});
+app.post(`${API_PREFIX}/admin/auth/users`, async (c) => {
+    try {
+        requireSuperagency(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    const parsed = adminCreateUserSchema.parse(await c.req.json());
+    const customer = auth.createPasswordUser({
+        email: parsed.email,
+        password: parsed.password,
+        name: parsed.name ?? null
+    });
+    return c.json({ customer }, 201);
+});
+app.post(`${USER_PREFIX}/request-otp`, async (c) => {
     const body = otpRequestSchema.parse(await c.req.json());
     await auth.requestOtp(body.email);
     return c.json({ ok: true });
 });
-app.post("/auth/verify-otp", async (c) => {
+app.post(`${USER_PREFIX}/verify-otp`, async (c) => {
     const body = otpVerifySchema.parse(await c.req.json());
     return c.json(auth.verifyOtp(body.email, body.code, body.name));
 });
@@ -75,13 +574,185 @@ const requireAuth = async (c, next) => {
         return c.json({ error: error instanceof Error ? error.message : "Unauthorized" }, 401);
     }
 };
-app.use("/me/*", requireAuth);
-app.use("/templates/*", requireAuth);
-app.get("/templates", (c) => c.json({
-    templates: templateRegistry.list().map((template) => ({
+app.use(`${USER_PREFIX}/me`, requireAuth);
+app.use(`${USER_PREFIX}/me/*`, requireAuth);
+app.use(`${TEMPLATES_PREFIX}/*`, requireAuth);
+function requireAdmin(c) {
+    const customer = requireCustomer(c);
+    if (!config.adminEmails.includes(customer.email.toLowerCase())) {
+        throw new Error("Admin access required.");
+    }
+    return customer;
+}
+function requireDeveloper(c) {
+    const customer = requireCustomer(c);
+    if (!customer.isDeveloper && !config.adminEmails.includes(customer.email.toLowerCase())) {
+        throw new Error("Developer access required.");
+    }
+    return customer;
+}
+function requireSuperagency(c) {
+    const provided = c.req.header("x-superagency-key");
+    if (!config.SUPERAGENCY_KEY || provided !== config.SUPERAGENCY_KEY) {
+        throw new Error("Superagency access required.");
+    }
+}
+async function parseFormBody(c) {
+    const body = await c.req.parseBody();
+    const normalized = {};
+    for (const [key, value] of Object.entries(body)) {
+        normalized[key] = typeof value === "string" ? value : "";
+    }
+    return normalized;
+}
+function buildAbsoluteUrl(c, pathname) {
+    return new URL(pathname, config.PUBLIC_BASE_URL || c.req.url).toString();
+}
+function resolveTemplateAboutStorageKey(templateId, entry) {
+    const normalizedEntry = entry.replace(/^\/+/, "");
+    if (!/^https?:\/\//i.test(entry)) {
+        const templateAboutPrefix = `templates/${templateId}/about/`;
+        if (normalizedEntry.startsWith(templateAboutPrefix)) {
+            return normalizedEntry;
+        }
+        return normalizedEntry.startsWith("about/")
+            ? `templates/${templateId}/${normalizedEntry}`
+            : `templates/${templateId}/about/${normalizedEntry}`;
+    }
+    try {
+        const url = new URL(entry);
+        const pathname = url.pathname.replace(/^\/+/, "");
+        if (pathname.startsWith(`templates/${templateId}/about/`)) {
+            return pathname;
+        }
+        if (config.AWS_S3_BUCKET && pathname.startsWith(`${config.AWS_S3_BUCKET}/`)) {
+            const withoutBucket = pathname.slice(config.AWS_S3_BUCKET.length + 1);
+            if (withoutBucket.startsWith(`templates/${templateId}/about/`)) {
+                return withoutBucket;
+            }
+        }
+        const embeddedMatch = pathname.match(/(templates\/[^/]+\/about\/.+)$/);
+        if (embeddedMatch) {
+            return embeddedMatch[1];
+        }
+    }
+    catch {
+        return null;
+    }
+    return null;
+}
+function resolveHomepagePreviewUrl(c, templateId, entry) {
+    const storageKey = resolveTemplateAboutStorageKey(templateId, entry);
+    if (!storageKey) {
+        return entry;
+    }
+    return buildAbsoluteUrl(c, `/template-media?key=${encodeURIComponent(storageKey)}`);
+}
+async function serveTemplateAboutAsset(c, templateId, assetPath) {
+    const template = templateRegistry.get(templateId);
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
+    const normalizedAssetPath = assetPath.replace(/^\/+/, "");
+    if (!normalizedAssetPath) {
+        return c.json({ error: "Template about asset path is required" }, 400);
+    }
+    const key = `templates/${template.id}/about/${normalizedAssetPath}`;
+    const readUrl = await storage.getReadUrl(key);
+    if (config.STORAGE_DRIVER === "s3" && readUrl) {
+        return c.redirect(readUrl, 302);
+    }
+    try {
+        const object = storage.readLocalObject(key);
+        return new Response(object.body, {
+            headers: {
+                "content-type": object.contentType
+            }
+        });
+    }
+    catch {
+        return c.json({ error: "Template about asset not found" }, 404);
+    }
+}
+async function serveStorageKeyAsset(c, key) {
+    const normalizedKey = key.replace(/^\/+/, "");
+    if (!normalizedKey) {
+        return c.json({ error: "Storage key is required" }, 400);
+    }
+    const readUrl = await storage.getReadUrl(normalizedKey);
+    if (config.STORAGE_DRIVER === "s3" && readUrl) {
+        return c.redirect(readUrl, 302);
+    }
+    try {
+        const object = storage.readLocalObject(normalizedKey);
+        return new Response(object.body, {
+            headers: {
+                "content-type": object.contentType
+            }
+        });
+    }
+    catch {
+        return c.json({ error: "Asset not found" }, 404);
+    }
+}
+function serializeJob(job) {
+    return {
+        job_id: job.id,
+        template_id: job.templateId,
+        operation_name: job.operationName,
+        workflow_name: job.workflowName,
+        tracer: job.tracer,
+        status: job.status,
+        progress: job.progress,
+        result: job.result,
+        error: job.error,
+        parent_job_id: job.parentJobId,
+        created_at: job.createdAt,
+        updated_at: job.updatedAt,
+        started_at: job.startedAt,
+        completed_at: job.completedAt
+    };
+}
+function serializeTemplate(c, template) {
+    return {
         id: template.id,
+        slug_id: template.slugId,
         version: template.version,
-        description: template.description,
+        title: template.about.title,
+        description: template.about.description,
+        skill_url: buildAbsoluteUrl(c, `${TEMPLATES_PREFIX}/${template.id}/skill`),
+        operations: Object.entries(template.operations).map(([name, operation]) => ({
+            name,
+            description: operation.description,
+            providerHint: operation.providerHint ?? null
+        }))
+    };
+}
+function serializeTemplateAbout(c, template) {
+    return {
+        ...serializeTemplate(c, template),
+        viral_dna: template.about.viral_dna,
+        visual_dna: template.about.visual_dna,
+        preview_media: template.about.preview_media.map((entry) => resolveTemplateAboutMediaUrl(c, template.id, entry)),
+        link_to_original: template.about.link_to_original
+    };
+}
+function resolveTemplateAboutMediaUrl(c, templateId, entry) {
+    if (/^https?:\/\//i.test(entry)) {
+        return entry;
+    }
+    const normalizedEntry = entry.replace(/^\/+/, "");
+    const templateAboutPrefix = `templates/${templateId}/about/`;
+    const aboutPath = normalizedEntry.startsWith(templateAboutPrefix)
+        ? `about/${normalizedEntry.slice(templateAboutPrefix.length)}`
+        : normalizedEntry.startsWith("about/")
+            ? normalizedEntry
+            : `about/${normalizedEntry}`;
+    return buildAbsoluteUrl(c, `${TEMPLATES_PREFIX}/${templateId}/${aboutPath}`);
+}
+app.get(TEMPLATES_PREFIX, (c) => c.json({
+    templates: templateRegistry.list().map((template) => ({
+        ...serializeTemplate(c, template),
         operations: Object.entries(template.operations).map(([name, operation]) => ({
             name,
             description: operation.description,
@@ -90,23 +761,35 @@ app.get("/templates", (c) => c.json({
         }))
     }))
 }));
-app.get("/templates/:templateId", (c) => {
+app.get(`${TEMPLATES_PREFIX}/:templateId`, (c) => {
     const template = templateRegistry.get(c.req.param("templateId"));
     if (!template) {
         return c.json({ error: "Template not found" }, 404);
     }
-    return c.json({
-        id: template.id,
-        version: template.version,
-        description: template.description,
-        operations: Object.entries(template.operations).map(([name, operation]) => ({
-            name,
-            description: operation.description,
-            providerHint: operation.providerHint ?? null
-        }))
-    });
+    return c.json(serializeTemplateAbout(c, template));
 });
-app.post("/templates/:templateId/config", async (c) => {
+app.get(`${TEMPLATES_PREFIX}/:templateId/skill`, (c) => {
+    const template = templateRegistry.get(c.req.param("templateId"));
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
+    if (!template.skillPath) {
+        return c.json({ error: "Template skill file is not configured" }, 404);
+    }
+    try {
+        return c.body(readFileSync(template.skillPath, "utf8"), 200, {
+            "content-type": "text/markdown; charset=utf-8"
+        });
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Skill file could not be read" }, 500);
+    }
+});
+app.get(`${TEMPLATES_PREFIX}/:templateId/about/*`, async (c) => {
+    const assetPath = c.req.param("*") ?? "";
+    return serveTemplateAboutAsset(c, c.req.param("templateId"), assetPath);
+});
+app.post(`${TEMPLATES_PREFIX}/:templateId/config`, async (c) => {
     const customer = requireCustomer(c);
     const template = templateRegistry.get(c.req.param("templateId"));
     if (!template) {
@@ -122,7 +805,7 @@ app.post("/templates/:templateId/config", async (c) => {
     });
     return c.json({ ok: true, template_id: template.id, config: parsed });
 });
-app.post("/templates/:templateId/operations/:operationName", async (c) => {
+app.post(`${TEMPLATES_PREFIX}/:templateId/operations/:operationName`, async (c) => {
     const customer = requireCustomer(c);
     const template = templateRegistry.get(c.req.param("templateId"));
     if (!template) {
@@ -150,45 +833,98 @@ app.post("/templates/:templateId/operations/:operationName", async (c) => {
     });
     return c.json({ job_id: job.id, tracer: job.tracer, status: job.status }, 202);
 });
-app.get("/templates/:templateId/jobs/:jobId", (c) => {
+app.get(`${TEMPLATES_PREFIX}/:templateId/jobs`, (c) => {
     const customer = requireCustomer(c);
+    const template = templateRegistry.get(c.req.param("templateId"));
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
+    const query = listJobsQuerySchema.parse({
+        tracer: c.req.query("tracer"),
+        start_time: c.req.query("start_time"),
+        end_time: c.req.query("end_time"),
+        limit: c.req.query("limit")
+    });
+    const listedJobs = jobs.listJobs({
+        customerId: customer.id,
+        templateId: template.id,
+        tracer: query.tracer,
+        startTime: query.start_time,
+        endTime: query.end_time,
+        limit: query.limit
+    });
+    return c.json({ template_id: template.id, jobs: listedJobs.map(serializeJob) });
+});
+app.get(`${TEMPLATES_PREFIX}/:templateId/jobs/:jobId`, (c) => {
+    const customer = requireCustomer(c);
+    const template = templateRegistry.get(c.req.param("templateId"));
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
     const job = jobs.getJob(c.req.param("jobId"));
-    if (!job || job.customerId !== customer.id || job.templateId !== c.req.param("templateId")) {
+    if (!job || job.customerId !== customer.id || job.templateId !== template.id) {
         return c.json({ error: "Job not found" }, 404);
     }
-    return c.json({
-        job_id: job.id,
-        tracer: job.tracer,
-        status: job.status,
-        progress: job.progress,
-        result: job.result,
-        error: job.error,
-        created_at: job.createdAt,
-        updated_at: job.updatedAt
-    });
+    return c.json(serializeJob(job));
 });
-app.get("/templates/:templateId/jobs/:jobId/logs", (c) => {
+app.get(`${TEMPLATES_PREFIX}/:templateId/jobs/:jobId/logs`, (c) => {
     const customer = requireCustomer(c);
+    const template = templateRegistry.get(c.req.param("templateId"));
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
     const job = jobs.getJob(c.req.param("jobId"));
-    if (!job || job.customerId !== customer.id || job.templateId !== c.req.param("templateId")) {
+    if (!job || job.customerId !== customer.id || job.templateId !== template.id) {
         return c.json({ error: "Job not found" }, 404);
     }
-    const logs = jobs.listLogs(job.id, c.req.query("logs_from") || undefined, Number(c.req.query("limit") ?? 100));
+    const query = listJobsQuerySchema.parse({
+        start_time: c.req.query("start_time"),
+        end_time: c.req.query("end_time"),
+        limit: c.req.query("limit")
+    });
+    const logs = jobs.listLogs({
+        jobId: job.id,
+        startTime: query.start_time,
+        endTime: query.end_time,
+        limit: query.limit
+    });
     return c.json({ job_id: job.id, tracer: job.tracer, logs });
 });
-app.post("/templates/:templateId/jobs/:jobId/cancel", (c) => {
+app.post(`${TEMPLATES_PREFIX}/:templateId/jobs/:jobId/cancel`, (c) => {
     const customer = requireCustomer(c);
+    const template = templateRegistry.get(c.req.param("templateId"));
+    if (!template) {
+        return c.json({ error: "Template not found" }, 404);
+    }
     const job = jobs.getJob(c.req.param("jobId"));
-    if (!job || job.customerId !== customer.id || job.templateId !== c.req.param("templateId")) {
+    if (!job || job.customerId !== customer.id || job.templateId !== template.id) {
         return c.json({ error: "Job not found" }, 404);
     }
     jobs.cancelJob(job.id);
     return c.json({ ok: true, job_id: job.id, status: "cancelled" });
 });
-app.get("/me", (c) => c.json({ customer: requireCustomer(c) }));
-app.get("/me/jobs", (c) => c.json({ jobs: jobs.listJobs(requireCustomer(c).id, c.req.query("template_id") || undefined) }));
-app.get("/me/provider-keys", (c) => c.json({ provider_keys: database.listProviderKeys(requireCustomer(c).id) }));
-app.post("/me/provider-keys", async (c) => {
+app.get(`${USER_PREFIX}/me`, (c) => c.json({ customer: requireCustomer(c) }));
+app.get(`${USER_PREFIX}/me/jobs`, (c) => {
+    const query = listJobsQuerySchema.parse({
+        template_id: c.req.query("template_id"),
+        tracer: c.req.query("tracer"),
+        start_time: c.req.query("start_time"),
+        end_time: c.req.query("end_time"),
+        limit: c.req.query("limit")
+    });
+    return c.json({
+        jobs: jobs.listJobs({
+            customerId: requireCustomer(c).id,
+            templateId: query.template_id,
+            tracer: query.tracer,
+            startTime: query.start_time,
+            endTime: query.end_time,
+            limit: query.limit
+        }).map(serializeJob)
+    });
+});
+app.get(`${USER_PREFIX}/me/provider-keys`, (c) => c.json({ provider_keys: database.listProviderKeys(requireCustomer(c).id) }));
+app.post(`${USER_PREFIX}/me/provider-keys`, async (c) => {
     const customer = requireCustomer(c);
     const body = providerKeySchema.parse(await c.req.json());
     database.createProviderKey({
@@ -196,15 +932,100 @@ app.post("/me/provider-keys", async (c) => {
         customerId: customer.id,
         provider: body.provider,
         label: body.label ?? null,
-        encryptedSecret: encryptString(body.secret, config.ENCRYPTION_SECRET),
+        encryptedSecret: body.secret,
         weight: body.weight
     });
     return c.json({ ok: true }, 201);
 });
-app.post("/me/workspace/presign", async (c) => {
-    const customer = requireCustomer(c);
-    const body = workspacePresignSchema.parse(await c.req.json());
-    return c.json(await storage.createPresignedWorkspaceUpload(customer.id, body.path, body.contentType));
+app.get(`${TEMPLATES_PREFIX}/sources`, (c) => {
+    try {
+        requireAdmin(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    return c.json({ sources: templateSources.listSources() });
+});
+app.post(`${TEMPLATES_PREFIX}/sources`, async (c) => {
+    try {
+        requireDeveloper(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    try {
+        const body = z.object({
+            template_id: z.string().regex(/^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i, "template_id must be a UUIDv4."),
+            slug_id: z.string().min(3).regex(/^[a-z0-9_]+$/i, "slug_id must contain only letters, numbers, and underscores."),
+            repo_url: z.string().url(),
+            branch: z.string().min(1).default("production"),
+            template_module_path: z.string().min(1),
+            skill_path: z.string().min(1).default("SKILL.md"),
+            install_command: z.string().min(1).default("npm install"),
+            build_command: z.string().min(1).default("npm run build")
+        }).parse(await c.req.json());
+        const source = templateSources.registerSource({
+            templateId: body.template_id,
+            slugId: body.slug_id,
+            repoUrl: body.repo_url,
+            branch: body.branch,
+            templateModulePath: body.template_module_path,
+            skillPath: body.skill_path,
+            installCommand: body.install_command,
+            buildCommand: body.build_command
+        });
+        return c.json({ source }, 201);
+    }
+    catch (error) {
+        const message = error instanceof Error ? error.message : "Unable to register template source.";
+        const status = /already exists/i.test(message) ? 409 : 400;
+        return c.json({ error: message }, status);
+    }
+});
+app.get(`${TEMPLATES_PREFIX}/releases`, (c) => {
+    try {
+        requireAdmin(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    return c.json({ releases: templateSources.listReleases(c.req.query("template_id") || undefined) });
+});
+app.post(`${TEMPLATES_PREFIX}/sources/:sourceId/import`, async (c) => {
+    try {
+        requireAdmin(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    const body = z.object({
+        commit_sha: z.string().min(7).optional()
+    }).parse(await c.req.json().catch(() => ({})));
+    const release = await templateSources.importRelease({
+        sourceId: c.req.param("sourceId"),
+        commitSha: body.commit_sha ?? null
+    });
+    return c.json({ release }, 201);
+});
+app.post(`${TEMPLATES_PREFIX}/releases/:releaseId/activate`, async (c) => {
+    try {
+        requireAdmin(c);
+    }
+    catch (error) {
+        return c.json({ error: error instanceof Error ? error.message : "Forbidden" }, 403);
+    }
+    const { release, template } = await templateSources.activateRelease({
+        releaseId: c.req.param("releaseId")
+    });
+    templateRegistry.registerRuntimeTemplate(template);
+    return c.json({
+        release,
+        template: {
+            id: template.id,
+            version: template.version,
+            description: template.about.description
+        }
+    });
 });
 app.get("/storage/:key", (c) => {
     const key = decodeURIComponent(c.req.param("key"));