@nexttylabs/echo 0.2.0

package/app/api/feedback/similar/route.ts

@@ -0,0 +1,100 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { feedback } from "@/lib/db/schema";
+import { eq, isNull, and } from "drizzle-orm";
+import { buildSimilarResponse } from "@/lib/feedback/find-similar";
+import { getOrgContext } from "@/lib/auth/org-context";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+/**
+ * GET /api/feedback/similar
+ * Returns a list of feedback entries similar to the provided title/description
+ */
+export async function GET(req: NextRequest) {
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured", code: "DATABASE_NOT_CONFIGURED" },
+      { status: 500 }
+    );
+  }
+
+  try {
+    const searchParams = req.nextUrl.searchParams;
+    const title = searchParams.get("title") || "";
+    const description = searchParams.get("description") || "";
+    const context = await getOrgContext({ request: req, db, requireMembership: false });
+
+    if (!title.trim()) {
+      return NextResponse.json({ suggestions: [] });
+    }
+
+    // Fetch active feedback for the organization
+    const existingFeedback = await db
+      .select({
+        feedbackId: feedback.feedbackId,
+        title: feedback.title,
+        description: feedback.description,
+      })
+      .from(feedback)
+      .where(
+        and(
+          eq(feedback.organizationId, context.organizationId),
+          isNull(feedback.deletedAt)
+        )
+      )
+      .limit(100);
+
+    const suggestions = buildSimilarResponse(
+      title,
+      description,
+      existingFeedback.map((f) => ({
+        feedbackId: f.feedbackId,
+        title: f.title ?? "",
+        description: f.description,
+      }))
+    );
+
+    return NextResponse.json({
+      suggestions: suggestions.slice(0, 5),
+    });
+  } catch (error) {
+    if (error instanceof Error) {
+      if (error.message === "Missing organization") {
+        return NextResponse.json(
+          { error: "Organization ID is required", code: "MISSING_ORG_ID" },
+          { status: 400 }
+        );
+      }
+      if (error.message === "Access denied") {
+        return NextResponse.json(
+          { error: "Insufficient permissions", code: "FORBIDDEN" },
+          { status: 403 }
+        );
+      }
+    }
+    console.error("Error finding similar feedback:", error);
+    return NextResponse.json(
+      { error: "Internal server error", code: "INTERNAL_ERROR" },
+      { status: 500 }
+    );
+  }
+}

package/app/api/health/route.test.ts

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, it, expect } from "bun:test";
+import { NextRequest } from "next/server";
+import { GET } from "./route";
+
+describe("GET /api/health", () => {
+  it("returns health status with database check", async () => {
+    const previousDatabaseUrl = process.env.DATABASE_URL;
+    process.env.DATABASE_URL = "";
+    const req = new NextRequest("http://localhost/api/health");
+
+    const res = await GET(req);
+    expect(res.status).toBe(503);
+
+    const body = await res.json();
+    expect(body.status).toBe("unhealthy");
+    expect(typeof body.timestamp).toBe("string");
+    expect(typeof body.uptime).toBe("number");
+    expect(body.checks).toBeDefined();
+    expect(body.checks.database).toBeDefined();
+    expect(body.checks.database.status).toBe("fail");
+    expect(typeof body.checks.database.error).toBe("string");
+
+    if (previousDatabaseUrl === undefined) {
+      delete process.env.DATABASE_URL;
+    } else {
+      process.env.DATABASE_URL = previousDatabaseUrl;
+    }
+  });
+
+  it("includes cache and timing headers", async () => {
+    const previousDatabaseUrl = process.env.DATABASE_URL;
+    process.env.DATABASE_URL = "";
+    const req = new NextRequest("http://localhost/api/health");
+
+    const res = await GET(req);
+    expect(res.headers.get("Cache-Control")).toBe(
+      "no-cache, no-store, must-revalidate"
+    );
+    expect(res.headers.get("X-Health-Check-Duration")).toMatch(/\d+ms/);
+
+    if (previousDatabaseUrl === undefined) {
+      delete process.env.DATABASE_URL;
+    } else {
+      process.env.DATABASE_URL = previousDatabaseUrl;
+    }
+  });
+});

package/app/api/health/route.ts

@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { createRequestLogger } from "@/lib/logger";
+import { db } from "@/lib/db";
+import { sql } from "drizzle-orm";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+interface HealthStatus {
+  status: "healthy" | "unhealthy" | "degraded";
+  timestamp: string;
+  uptime: number;
+  version?: string;
+  checks: {
+    database: {
+      status: "pass" | "fail";
+      latency?: number;
+      error?: string;
+    };
+  };
+}
+
+export async function GET(req: NextRequest) {
+  const reqId = req.headers.get("x-request-id") || "unknown";
+  const log = createRequestLogger(reqId);
+  const startTime = Date.now();
+
+  const health: HealthStatus = {
+    status: "healthy",
+    timestamp: new Date().toISOString(),
+    uptime: process.uptime(),
+    version: process.env.npm_package_version || process.env.APP_VERSION || "0.0.0",
+    checks: {
+      database: { status: "pass" },
+    },
+  };
+
+  if (!process.env.DATABASE_URL || !db) {
+    health.status = "unhealthy";
+    health.checks.database = {
+      status: "fail",
+      error: "DATABASE_URL not set",
+    };
+  } else {
+    try {
+      const dbStart = Date.now();
+      await db.execute(sql`SELECT 1`);
+      const dbLatency = Date.now() - dbStart;
+      health.checks.database.latency = dbLatency;
+
+      if (dbLatency > 500) {
+        health.status = "degraded";
+      }
+    } catch (error) {
+      health.status = "unhealthy";
+      health.checks.database = {
+        status: "fail",
+        error: error instanceof Error ? error.message : "Unknown error",
+      };
+    }
+  }
+
+  const checkTime = Date.now() - startTime;
+  const statusCode = health.status === "unhealthy" ? 503 : 200;
+
+  log.info({ status: health.status, durationMs: checkTime }, "Health check");
+
+  return NextResponse.json(health, {
+    status: statusCode,
+    headers: {
+      "Cache-Control": "no-cache, no-store, must-revalidate",
+      "X-Health-Check-Duration": `${checkTime}ms`,
+    },
+  });
+}

package/app/api/identify/jwt/route.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { parseJwtIdentity } from "@/lib/auth/jwt-identity";
+import { NextResponse } from "next/server";
+
+export async function POST(request: Request) {
+  const body = await request.json();
+  const token = body.token as string;
+  const identity = parseJwtIdentity(token);
+  if (!identity) {
+    return NextResponse.json({ error: "Invalid token" }, { status: 400 });
+  }
+  return NextResponse.json(identity);
+}

package/app/api/integrations/github/route.ts

@@ -0,0 +1,196 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { auth } from "@/lib/auth/config";
+import { db } from "@/lib/db";
+import { githubIntegrations } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+import { GitHubClient } from "@/lib/integrations/github";
+import { randomBytes } from "crypto";
+import { getCurrentOrganizationId } from "@/lib/auth/organization";
+import { z } from "zod";
+import { apiError, validationError } from "@/lib/api/errors";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+const createGitHubIntegrationSchema = z.object({
+  accessToken: z.string().min(1),
+  owner: z.string().min(1),
+  repo: z.string().min(1),
+  autoSync: z.boolean().optional().default(true),
+});
+
+export async function GET(req: NextRequest) {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const organizationId = await getCurrentOrganizationId(session.user.id);
+  if (!organizationId) {
+    return NextResponse.json(
+      { error: "No organization selected" },
+      { status: 400 },
+    );
+  }
+
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured" },
+      { status: 500 },
+    );
+  }
+
+  try {
+    const config = await db
+      .select()
+      .from(githubIntegrations)
+      .where(eq(githubIntegrations.organizationId, organizationId))
+      .limit(1)
+      .then((rows) => rows[0]);
+
+    if (!config) {
+      return NextResponse.json({ configured: false });
+    }
+
+    return NextResponse.json({
+      configured: true,
+      owner: config.owner,
+      repo: config.repo,
+      autoSync: config.autoSync,
+    });
+  } catch (error) {
+    return apiError(error);
+  }
+}
+
+export async function POST(req: NextRequest) {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const organizationId = await getCurrentOrganizationId(session.user.id);
+  if (!organizationId) {
+    return NextResponse.json(
+      { error: "No organization selected" },
+      { status: 400 },
+    );
+  }
+
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured" },
+      { status: 500 },
+    );
+  }
+
+  try {
+    const body = await req.json();
+    const validated = createGitHubIntegrationSchema.parse(body);
+
+    const client = new GitHubClient({
+      accessToken: validated.accessToken,
+      owner: validated.owner,
+      repo: validated.repo,
+    });
+    const isValid = await client.validateToken();
+
+    if (!isValid) {
+      return NextResponse.json(
+        { error: "Invalid token or repository" },
+        { status: 400 },
+      );
+    }
+
+    const webhookSecret = randomBytes(32).toString("hex");
+
+    const existing = await db
+      .select()
+      .from(githubIntegrations)
+      .where(eq(githubIntegrations.organizationId, organizationId))
+      .limit(1)
+      .then((rows) => rows[0]);
+
+    if (existing) {
+      await db
+        .update(githubIntegrations)
+        .set({
+          accessToken: validated.accessToken,
+          owner: validated.owner,
+          repo: validated.repo,
+          autoSync: validated.autoSync,
+          webhookSecret,
+        })
+        .where(eq(githubIntegrations.id, existing.id));
+    } else {
+      await db.insert(githubIntegrations).values({
+        organizationId,
+        accessToken: validated.accessToken,
+        owner: validated.owner,
+        repo: validated.repo,
+        autoSync: validated.autoSync,
+        webhookSecret,
+      });
+    }
+
+    return NextResponse.json({
+      success: true,
+      webhookUrl: `${process.env.NEXT_PUBLIC_APP_URL}/api/webhooks/github`,
+      webhookSecret,
+    });
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      return validationError(error.issues);
+    }
+    return apiError(error);
+  }
+}
+
+export async function DELETE(req: NextRequest) {
+  const session = await auth.api.getSession({ headers: req.headers });
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const organizationId = await getCurrentOrganizationId(session.user.id);
+  if (!organizationId) {
+    return NextResponse.json(
+      { error: "No organization selected" },
+      { status: 400 },
+    );
+  }
+
+  if (!db) {
+    return NextResponse.json(
+      { error: "Database not configured" },
+      { status: 500 },
+    );
+  }
+
+  try {
+    await db
+      .delete(githubIntegrations)
+      .where(eq(githubIntegrations.organizationId, organizationId));
+
+    return NextResponse.json({ success: true });
+  } catch (error) {
+    return apiError(error);
+  }
+}

package/app/api/internal/domain-lookup/route.ts

@@ -0,0 +1,67 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest, NextResponse } from "next/server";
+import { db } from "@/lib/db";
+import { organizationSettings, organizations } from "@/lib/db/schema";
+import { eq } from "drizzle-orm";
+
+/**
+ * Internal API for domain lookup (used by middleware)
+ * GET /api/internal/domain-lookup?domain=feedback.acme.com
+ */
+export async function GET(req: NextRequest) {
+  // Verify middleware secret to prevent external access
+  const secret = req.headers.get("x-middleware-secret");
+  if (secret !== process.env.MIDDLEWARE_SECRET) {
+    return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+  }
+
+  const domain = req.nextUrl.searchParams.get("domain");
+  if (!domain) {
+    return NextResponse.json({ error: "Domain required" }, { status: 400 });
+  }
+
+  if (!db) {
+    return NextResponse.json({ error: "Database not configured" }, { status: 500 });
+  }
+
+  try {
+    const [organization] = await db
+      .select({
+        organizationId: organizations.id,
+        orgSlug: organizations.slug,
+      })
+      .from(organizationSettings)
+      .innerJoin(organizations, eq(organizationSettings.organizationId, organizations.id))
+      .where(eq(organizationSettings.customDomain, domain))
+      .limit(1);
+
+    if (!organization) {
+      return NextResponse.json({ found: false });
+    }
+
+    return NextResponse.json({
+      found: true,
+      orgSlug: organization.orgSlug,
+      organizationId: organization.organizationId,
+    });
+  } catch (error) {
+    console.error("Domain lookup error:", error);
+    return NextResponse.json({ error: "Lookup failed" }, { status: 500 });
+  }
+}

package/app/api/invitations/accept/handler.ts

@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextResponse } from "next/server";
+import { eq } from "drizzle-orm";
+import type { db as database } from "@/lib/db";
+import { invitations, organizationMembers } from "@/lib/db/schema";
+
+const TOKEN_REQUIRED = "Token is required";
+
+type Database = NonNullable<typeof database>;
+
+type AcceptInvitationDeps = {
+  auth: {
+    api: {
+      getSession: (args: { headers: Headers }) => Promise<{ user: { id: string } } | null>;
+    };
+  };
+  db: {
+    select: Database["select"];
+    transaction: Database["transaction"];
+  };
+};
+
+type NowProvider = () => Date;
+
+export function buildAcceptInvitationHandler(
+  deps: AcceptInvitationDeps,
+  nowProvider: NowProvider = () => new Date(),
+) {
+  return async function POST(req: Request) {
+    const session = await deps.auth.api.getSession({ headers: req.headers });
+    if (!session) {
+      return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+    }
+
+    let body: unknown;
+    try {
+      body = await req.json();
+    } catch {
+      return NextResponse.json({ error: "Invalid request body" }, { status: 400 });
+    }
+
+    if (!body || typeof body !== "object" || !("token" in body)) {
+      return NextResponse.json({ error: TOKEN_REQUIRED }, { status: 400 });
+    }
+
+    const token = (body as { token?: unknown }).token;
+    if (typeof token !== "string" || token.trim().length === 0) {
+      return NextResponse.json({ error: TOKEN_REQUIRED }, { status: 400 });
+    }
+
+    const [invitation] = await deps.db
+      .select()
+      .from(invitations)
+      .where(eq(invitations.token, token))
+      .limit(1);
+
+    if (!invitation) {
+      return NextResponse.json({ error: "Invitation not found" }, { status: 404 });
+    }
+
+    if (invitation.acceptedAt) {
+      return NextResponse.json({ error: "Invitation already accepted" }, { status: 409 });
+    }
+
+    const now = nowProvider();
+    if (invitation.expiresAt <= now) {
+      return NextResponse.json({ error: "邀请已过期" }, { status: 410 });
+    }
+
+    await deps.db.transaction(async (tx) => {
+      await tx.insert(organizationMembers).values({
+        organizationId: invitation.organizationId,
+        userId: session.user.id,
+        role: invitation.role,
+      });
+
+      await tx
+        .update(invitations)
+        .set({ acceptedAt: now })
+        .where(eq(invitations.id, invitation.id));
+    });
+
+    return NextResponse.json({ message: "Invitation accepted" }, { status: 200 });
+  };
+}

package/app/api/invitations/accept/route.ts

@@ -0,0 +1,29 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { buildAcceptInvitationHandler } from "./handler";
+import { auth } from "@/lib/auth/config";
+import { db } from "@/lib/db";
+
+export const dynamic = "force-dynamic";
+export const runtime = "nodejs";
+
+if (!db) {
+  throw new Error("Database not initialized");
+}
+
+export const POST = buildAcceptInvitationHandler({ auth, db });