@nexttylabs/echo 0.2.0

package/lib/auth/org-context.ts

@@ -0,0 +1,71 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { assertOrganizationAccess } from "@/lib/auth/organization";
+import type { db as database } from "@/lib/db";
+
+type Database = NonNullable<typeof database>;
+
+type OrgContextSource = "query" | "header" | "cookie" | "explicit";
+
+export type OrgContext = {
+  organizationId: string;
+  memberRole: string | null;
+  source: OrgContextSource;
+};
+
+type OrgContextRequest = {
+  nextUrl: URL;
+  headers: Headers;
+  cookies?: { get: (name: string) => { value: string } | undefined };
+};
+
+export async function getOrgContext(options: {
+  request: OrgContextRequest;
+  db: Pick<Database, "select">;
+  userId?: string | null;
+  organizationId?: string | null;
+  requireMembership?: boolean;
+}): Promise<OrgContext> {
+  const { request, db, userId, organizationId, requireMembership } = options;
+  const queryOrgId = request.nextUrl.searchParams.get("organizationId");
+  const headerOrgId = request.headers.get("x-organization-id");
+  const cookieOrgId = request.cookies?.get("orgId")?.value ?? null;
+
+  const resolved = organizationId || queryOrgId || headerOrgId || cookieOrgId;
+  const source: OrgContextSource = organizationId
+    ? "explicit"
+    : queryOrgId
+      ? "query"
+      : headerOrgId
+        ? "header"
+        : "cookie";
+
+  if (!resolved) {
+    throw new Error("Missing organization");
+  }
+
+  let memberRole: string | null = null;
+  if (userId) {
+    const member = await assertOrganizationAccess(db, userId, resolved);
+    memberRole = member.role;
+  } else if (requireMembership) {
+    throw new Error("Access denied");
+  }
+
+  return { organizationId: resolved, memberRole, source };
+}

package/lib/auth/organization.ts

@@ -0,0 +1,107 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { and, eq } from "drizzle-orm";
+import { db } from "@/lib/db";
+import type { db as database } from "@/lib/db";
+import { organizationMembers, organizations } from "@/lib/db/schema";
+
+type Database = NonNullable<typeof database>;
+
+export interface UserOrganization {
+  id: string;
+  name: string;
+  slug: string;
+  description: string | null;
+  role: string;
+}
+
+export async function getUserOrganizations(
+  db: Database,
+  userId: string
+): Promise<UserOrganization[]> {
+  return db
+    .select({
+      id: organizations.id,
+      name: organizations.name,
+      slug: organizations.slug,
+      description: organizations.description,
+      role: organizationMembers.role,
+    })
+    .from(organizationMembers)
+    .innerJoin(organizations, eq(organizations.id, organizationMembers.organizationId))
+    .where(eq(organizationMembers.userId, userId));
+}
+
+export async function getUserOrganization(
+  db: Database,
+  userId: string
+): Promise<UserOrganization | null> {
+  const result = await db
+    .select({
+      id: organizations.id,
+      name: organizations.name,
+      slug: organizations.slug,
+      description: organizations.description,
+      role: organizationMembers.role,
+    })
+    .from(organizationMembers)
+    .innerJoin(organizations, eq(organizations.id, organizationMembers.organizationId))
+    .where(eq(organizationMembers.userId, userId))
+    .limit(1);
+
+  return result[0] || null;
+}
+
+export interface OrganizationMember {
+  organizationId: string;
+  userId: string;
+  role: string;
+}
+
+type MinimalDb = {
+  select: Database["select"];
+};
+
+export async function assertOrganizationAccess(
+  db: MinimalDb,
+  userId: string,
+  organizationId: string
+): Promise<OrganizationMember> {
+  const [member] = await db
+    .select()
+    .from(organizationMembers)
+    .where(
+      and(
+        eq(organizationMembers.organizationId, organizationId),
+        eq(organizationMembers.userId, userId)
+      )
+    )
+    .limit(1);
+
+  if (!member) {
+    throw new Error("Access denied");
+  }
+
+  return member;
+}
+
+export async function getCurrentOrganizationId(userId: string): Promise<string | null> {
+  if (!db) return null;
+  const org = await getUserOrganization(db, userId);
+  return org?.id || null;
+}

package/lib/auth/permissions.ts

@@ -0,0 +1,87 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+export type UserRole =
+  | "admin"
+  | "product_manager"
+  | "developer"
+  | "customer_support"
+  | "customer";
+
+export const PERMISSIONS = {
+  CREATE_FEEDBACK: "create_feedback",
+  SUBMIT_ON_BEHALF: "submit_on_behalf",
+  DELETE_FEEDBACK: "delete_feedback",
+  MANAGE_ORG: "manage_org",
+  UPDATE_FEEDBACK_STATUS: "update_feedback_status",
+  BACKUP_CREATE: "backup_create",
+  BACKUP_VIEW: "backup_view",
+} as const;
+
+export type Permission = (typeof PERMISSIONS)[keyof typeof PERMISSIONS];
+
+export const ROLE_PERMISSIONS: Record<UserRole, Permission[]> = {
+  admin: [
+    PERMISSIONS.CREATE_FEEDBACK,
+    PERMISSIONS.SUBMIT_ON_BEHALF,
+    PERMISSIONS.DELETE_FEEDBACK,
+    PERMISSIONS.MANAGE_ORG,
+    PERMISSIONS.UPDATE_FEEDBACK_STATUS,
+    PERMISSIONS.BACKUP_CREATE,
+    PERMISSIONS.BACKUP_VIEW,
+  ],
+  product_manager: [
+    PERMISSIONS.CREATE_FEEDBACK,
+    PERMISSIONS.SUBMIT_ON_BEHALF,
+    PERMISSIONS.DELETE_FEEDBACK,
+    PERMISSIONS.UPDATE_FEEDBACK_STATUS,
+    PERMISSIONS.BACKUP_VIEW,
+  ],
+  developer: [PERMISSIONS.CREATE_FEEDBACK],
+  customer_support: [
+    PERMISSIONS.CREATE_FEEDBACK,
+    PERMISSIONS.SUBMIT_ON_BEHALF,
+  ],
+  customer: [PERMISSIONS.CREATE_FEEDBACK],
+};
+
+export function hasPermission(role: UserRole, permission: Permission): boolean {
+  return ROLE_PERMISSIONS[role]?.includes(permission) ?? false;
+}
+
+export function hasAllPermissions(
+  role: UserRole,
+  permissions: Permission[],
+): boolean {
+  return permissions.every((permission) => hasPermission(role, permission));
+}
+
+export function canSubmitOnBehalf(role: UserRole): boolean {
+  return hasPermission(role, PERMISSIONS.SUBMIT_ON_BEHALF);
+}
+
+export function canUpdateFeedbackStatus(role: UserRole): boolean {
+  return hasPermission(role, PERMISSIONS.UPDATE_FEEDBACK_STATUS);
+}
+
+export function canDeleteFeedback(role: UserRole): boolean {
+  return hasPermission(role, PERMISSIONS.DELETE_FEEDBACK);
+}
+
+export function canEditFeedback(role: UserRole): boolean {
+  return role === "admin" || role === "product_manager";
+}

package/lib/auth/session.ts

@@ -0,0 +1,23 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import type { NextRequest } from "next/server";
+import { auth } from "@/lib/auth/config";
+
+export async function getServerSession(req: NextRequest) {
+  return auth.api.getSession({ headers: req.headers });
+}

package/lib/config/rate-limits.ts

@@ -0,0 +1,64 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { NextRequest } from 'next/server';
+import { RateLimitConfig } from '@/lib/middleware/rate-limit';
+import { apiKeyKeyGenerator } from '@/lib/middleware/rate-limit-keys';
+
+export const RATE_LIMITS = {
+  public: {
+    windowMs: 60 * 15,
+    maxRequests: 100,
+    keyGenerator: (req: NextRequest) => {
+      const ip = req.headers.get('x-forwarded-for')?.split(',')[0] || 'unknown';
+      return Promise.resolve(`public:${ip}`);
+    },
+  },
+
+  authenticated: {
+    windowMs: 60,
+    maxRequests: 60,
+    keyGenerator: (req: NextRequest) => {
+      const userId = req.headers.get('x-user-id') || 'unknown';
+      return Promise.resolve(`user:${userId}`);
+    },
+  },
+
+  apiKey: {
+    windowMs: 60,
+    maxRequests: 100,
+    keyGenerator: (req: NextRequest) => Promise.resolve(apiKeyKeyGenerator(req)),
+  },
+
+  write: {
+    windowMs: 60,
+    maxRequests: 20,
+    keyGenerator: (req: NextRequest) => Promise.resolve(apiKeyKeyGenerator(req)),
+  },
+
+  webhook: {
+    windowMs: 60,
+    maxRequests: 200,
+    keyGenerator: (req: NextRequest) => {
+      const orgId = req.headers.get('x-organization-id') || 'unknown';
+      return Promise.resolve(`webhook:${orgId}`);
+    },
+  },
+} satisfies Record<
+  string,
+  Omit<RateLimitConfig, 'skipFailedRequests' | 'storage'>
+>;

package/lib/dashboard/get-dashboard-stats.ts

@@ -0,0 +1,136 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { eq, and, gte, isNull, sql, count } from "drizzle-orm";
+import type { db as database } from "@/lib/db";
+import { feedback } from "@/lib/db/schema";
+import type { UserRole } from "@/lib/auth/permissions";
+
+type Database = NonNullable<typeof database>;
+
+export interface DashboardStats {
+  totalFeedback: number;
+  pendingFeedback: number;
+  weeklyFeedback: number;
+  resolvedFeedback: number;
+  statusDistribution: { status: string; count: number }[];
+  recentFeedback: {
+    feedbackId: number;
+    title: string;
+    type: string;
+    status: string;
+    priority: string;
+    createdAt: Date;
+  }[];
+}
+
+export async function getDashboardStats(
+  db: Database,
+  options: {
+    userId: string;
+    userRole: UserRole;
+    organizationId: string;
+  }
+): Promise<DashboardStats> {
+  const { userId, userRole, organizationId } = options;
+  const sevenDaysAgo = new Date();
+  sevenDaysAgo.setDate(sevenDaysAgo.getDate() - 7);
+
+  const isAdminOrPM = userRole === "admin" || userRole === "product_manager";
+
+  // Base condition: not deleted and belongs to organization
+  const baseCondition = and(
+    isNull(feedback.deletedAt),
+    eq(feedback.organizationId, organizationId)
+  );
+
+  // For non-admin/PM, filter by submittedBy
+  const userCondition = isAdminOrPM
+    ? baseCondition
+    : and(baseCondition, eq(feedback.submittedBy, userId));
+
+  // Total feedback count
+  const [totalResult] = await db
+    .select({ count: count() })
+    .from(feedback)
+    .where(userCondition);
+
+  // Pending feedback (status = 'new' or 'in-progress')
+  const [pendingResult] = await db
+    .select({ count: count() })
+    .from(feedback)
+    .where(
+      and(
+        userCondition,
+        sql`${feedback.status} IN ('new', 'in-progress')`
+      )
+    );
+
+  // Weekly feedback (last 7 days)
+  const [weeklyResult] = await db
+    .select({ count: count() })
+    .from(feedback)
+    .where(and(userCondition, gte(feedback.createdAt, sevenDaysAgo)));
+
+  // Resolved feedback (completed + closed)
+  const [resolvedResult] = await db
+    .select({ count: count() })
+    .from(feedback)
+    .where(
+      and(
+        userCondition,
+        sql`${feedback.status} IN ('completed', 'closed')`
+      )
+    );
+
+  // Status distribution
+  const statusDistribution = await db
+    .select({
+      status: feedback.status,
+      count: count(),
+    })
+    .from(feedback)
+    .where(userCondition)
+    .groupBy(feedback.status);
+
+  // Recent feedback (last 5)
+  const recentFeedback = await db
+    .select({
+      feedbackId: feedback.feedbackId,
+      title: feedback.title,
+      type: feedback.type,
+      status: feedback.status,
+      priority: feedback.priority,
+      createdAt: feedback.createdAt,
+    })
+    .from(feedback)
+    .where(userCondition)
+    .orderBy(sql`${feedback.createdAt} DESC`)
+    .limit(5);
+
+  return {
+    totalFeedback: totalResult?.count ?? 0,
+    pendingFeedback: pendingResult?.count ?? 0,
+    weeklyFeedback: weeklyResult?.count ?? 0,
+    resolvedFeedback: resolvedResult?.count ?? 0,
+    statusDistribution: statusDistribution.map((s) => ({
+      status: s.status,
+      count: Number(s.count),
+    })),
+    recentFeedback,
+  };
+}

package/lib/db/index.ts

@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { drizzle } from "drizzle-orm/node-postgres";
+import { Pool } from "pg";
+import * as schema from "./schema";
+
+const databaseUrl = process.env.DATABASE_URL || "postgres://postgres:postgres@localhost:5432/postgres";
+
+const globalForDb = globalThis as unknown as {
+  pool: Pool | undefined;
+};
+
+const pool =
+  globalForDb.pool ??
+  (databaseUrl
+    ? new Pool({
+        connectionString: databaseUrl,
+        max: 10, // Default to 10 connections
+      })
+    : undefined);
+
+if (process.env.NODE_ENV !== "production") {
+  globalForDb.pool = pool;
+}
+
+export const db = pool ? drizzle(pool, { schema }) : null;

package/lib/db/migrate.test.ts

@@ -0,0 +1,49 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { describe, expect, it } from "bun:test";
+import { runMigrations } from "./migrate";
+
+describe("runMigrations", () => {
+  it("throws when database is missing", async () => {
+    await expect(runMigrations({ database: null })).rejects.toThrow(
+      "Database connection not configured"
+    );
+  });
+
+  it("calls migrator with default migrations folder", async () => {
+    const previousUrl = process.env.DATABASE_URL;
+    process.env.DATABASE_URL = "postgres://test";
+    let called = false;
+    const migrateFn = async (_db: unknown, config: { migrationsFolder: string }) => {
+      called = true;
+      expect(config.migrationsFolder).toBe("./lib/db/migrations");
+    };
+
+    await runMigrations({
+      database: {} as unknown,
+      migrateFn,
+    });
+
+    expect(called).toBe(true);
+    if (previousUrl === undefined) {
+      delete process.env.DATABASE_URL;
+    } else {
+      process.env.DATABASE_URL = previousUrl;
+    }
+  });
+});

package/lib/db/migrate.ts

@@ -0,0 +1,62 @@
+/*
+ * Copyright (c) 2026 Echo Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ */
+
+import { migrate } from "drizzle-orm/node-postgres/migrator";
+import { db } from "@/lib/db";
+import { logger } from "@/lib/logger";
+
+type Database = NonNullable<typeof db>;
+
+type RunMigrationsOptions = {
+  database?: Database | null;
+  migrateFn?: typeof migrate;
+  migrationsFolder?: string;
+};
+
+export async function runMigrations(options: RunMigrationsOptions = {}) {
+  const database = options.database === undefined ? db : options.database;
+  const migrateFn = options.migrateFn ?? migrate;
+  const migrationsFolder = options.migrationsFolder ?? "./lib/db/migrations";
+
+  if (!database || !process.env.DATABASE_URL) {
+    logger.error("Database connection not configured");
+    throw new Error("Database connection not configured");
+  }
+
+  logger.info("Running database migrations...");
+
+  try {
+    await migrateFn(database, { migrationsFolder });
+    logger.info("Migrations completed successfully");
+  } catch (error) {
+    logger.error({ err: error }, "Migration failed");
+    throw error;
+  }
+}
+
+// eslint-disable-next-line @typescript-eslint/no-explicit-any
+if ((import.meta as any).main) {
+  runMigrations()
+    .then(() => {
+      console.log("✅ Migrations completed");
+      process.exit(0);
+    })
+    .catch((error) => {
+      console.error("❌ Migration failed:", error);
+      process.exit(1);
+    });
+}