@promptbook/cli 0.103.0-48 → 0.103.0-49

package/apps/agents-server/src/app/agents/[agentName]/page.tsx

@@ -1,16 +1,25 @@
 'use server';
 
 import { $provideAgentCollectionForServer } from '@/src/tools/$provideAgentCollectionForServer';
-import { PromptbookQrCode } from '@promptbook-local/components';
 // import { BookEditor } from '@promptbook-local/components';
+import { $provideServer } from '@/src/tools/$provideServer';
 import { parseAgentSource } from '@promptbook-local/core';
+import { Columns2Icon, Edit2Icon } from 'lucide-react';
 import { headers } from 'next/headers';
+import { notFound } from 'next/navigation';
+import { Color } from '../../../../../../src/utils/color/Color';
+import { withAlpha } from '../../../../../../src/utils/color/operators/withAlpha';
 import { $sideEffect } from '../../../../../../src/utils/organization/$sideEffect';
-import { AgentUrlCopy } from './AgentUrlCopy';
+import { AgentChatWrapper } from './AgentChatWrapper';
+import { AgentQrCode } from './AgentQrCode';
+import { CopyField } from './CopyField';
+import { generateAgentMetadata } from './generateAgentMetadata';
 // import { Agent } from '@promptbook-local/core';
 // import { RemoteLlmExecutionTools } from '@promptbook-local/remote-client';
 // import { OpenAiAssistantExecutionTools } from '@promptbook-local/openai';
 
+export const generateMetadata = generateAgentMetadata;
+
 export default async function AgentPage({ params }: { params: Promise<{ agentName: string }> }) {
     // const [apiKey, setApiKey] = useStateInLocalStorage<string>('openai-apiKey', () => '');
     // const [isApiKeyVisible, setIsApiKeyVisible] = useState(false);
@@ -22,141 +31,135 @@ export default async function AgentPage({ params }: { params: Promise<{ agentNam
     agentName = decodeURIComponent(agentName);
 
     const collection = await $provideAgentCollectionForServer();
-    const agentSource = await collection.getAgentSource(agentName);
+    let agentSource;
+    try {
+        agentSource = await collection.getAgentSource(agentName);
+    } catch (error) {
+        if (
+            error instanceof Error &&
+            // Note: This is a bit hacky, but valid way to check for specific error message
+            (error.message.includes('Cannot coerce the result to a single JSON object') ||
+                error.message.includes('JSON object requested, multiple (or no) results returned'))
+        ) {
+            notFound();
+        }
+        throw error;
+    }
     const agentProfile = parseAgentSource(agentSource);
 
+    const { publicUrl } = await $provideServer();
+
     // Build agent page URL for QR and copy
-    const pageUrl = `${process.env.NEXT_PUBLIC_URL}/agents/${encodeURIComponent(agentName)}`;
-    // <- TODO: !!! Better
+    const agentUrl = `${publicUrl.href}${encodeURIComponent(agentName)}`;
+    // <- TODO: [🐱‍🚀] Better
+
+    const agentEmail = `${agentName}@${publicUrl.hostname}`;
+
+    console.log('[🐱‍🚀]', { pageUrl: agentUrl });
 
     // Extract brand color from meta
-    const brandColor = agentProfile.meta.color || '#3b82f6'; // Default to blue-600
+    const brandColor = Color.from(agentProfile.meta.color || '#3b82f6'); // Default to blue-600
 
     // Mock agent actions
-    const agentActions = ['Emails', 'Web', 'Documents', 'Browser', 'WhatsApp', 'Coding'];
-
-    // Render agent profile fields
-    const renderProfileFields = () => {
-        const renderValue = (value: unknown): React.ReactNode => {
-            if (value === null || value === undefined) {
-                return <span className="text-gray-400 italic">Not specified</span>;
-            }
-            if (typeof value === 'object' && !Array.isArray(value)) {
-                const objValue = value as Record<string, unknown>;
-                return (
-                    <div className="space-y-1 pl-3 border-l-2 border-gray-200">
-                        {Object.entries(objValue).map(([subKey, subValue]) => (
-                            <div key={subKey} className="flex gap-2">
-                                <span className="text-xs text-gray-600 font-medium">{subKey}:</span>
-                                <span className="text-sm text-gray-700">{String(subValue)}</span>
-                            </div>
-                        ))}
-                    </div>
-                );
-            }
-            if (Array.isArray(value)) {
-                return (
-                    <ul className="list-disc list-inside space-y-0.5">
-                        {value.map((item, idx) => (
-                            <li key={idx} className="text-sm text-gray-700">
-                                {String(item)}
-                            </li>
-                        ))}
-                    </ul>
-                );
-            }
-            return <span className="text-base text-gray-800 break-words">{String(value)}</span>;
-        };
-
-        return (
-            <div className="space-y-4">
-                {Object.entries(agentProfile).map(([key, value]) => (
-                    <div key={key} className="flex flex-col gap-1">
-                        <span className="text-xs text-gray-500 font-semibold uppercase tracking-wide">{key}</span>
-                        {renderValue(value)}
-                    </div>
-                ))}
-            </div>
-        );
-    };
+    const agentActions = ['Emails', 'Web chat', 'Read documents', 'Browser', 'WhatsApp', '<Coding/>'];
 
     return (
-        <div
-            className="w-full min-h-screen bg-gray-50 py-10 px-4 flex items-center justify-center"
-            style={{ backgroundColor: brandColor }}
-        >
-            <div className="max-w-5xl w-full bg-white rounded-xl shadow-lg p-8 flex flex-col md:flex-row gap-8">
-                {/* Left column: Profile info */}
-                <div className="flex-1 flex flex-col gap-6">
-                    <div className="flex items-center gap-4">
-                        {agentProfile.meta.image && (
-                            // eslint-disable-next-line @next/next/no-img-element
-                            <img
-                                src={agentProfile.meta.image as string}
-                                alt={agentProfile.agentName || 'Agent'}
-                                width={64}
-                                height={64}
-                                className="rounded-full object-cover border-2"
-                                style={{ borderColor: brandColor }}
-                            />
-                        )}
-                        <div className="flex-1">
-                            <h1 className="text-3xl font-bold text-gray-900">{agentProfile.agentName}</h1>
+        <div className="flex flex-col md:flex-row h-[calc(100vh-60px)] w-full overflow-hidden">
+            {/* Left sidebar: Profile info */}
+            <div
+                className="w-full md:w-[400px] flex flex-col gap-6 p-6 overflow-y-auto border-r bg-gray-50 flex-shrink-0"
+                style={{
+                    backgroundColor: brandColor.then(withAlpha(0.05)).toHex(),
+                    borderColor: brandColor.then(withAlpha(0.1)).toHex(),
+                }}
+            >
+                <div className="flex items-center gap-4">
+                    {agentProfile.meta.image && (
+                        // eslint-disable-next-line @next/next/no-img-element
+                        <img
+                            src={agentProfile.meta.image as string}
+                            alt={agentProfile.agentName || 'Agent'}
+                            width={64}
+                            height={64}
+                            className="rounded-full object-cover border-2 aspect-square w-16 h-16"
+                            style={{ borderColor: brandColor.toHex() }}
+                        />
+                    )}
+                    <div className="flex-1">
+                        <h1 className="text-3xl font-bold text-gray-900 break-words">{agentProfile.agentName}</h1>
+                        <span
+                            className="inline-block mt-1 px-2 py-1 rounded text-xs font-semibold text-white"
+                            style={{ backgroundColor: brandColor.toHex() }}
+                        >
+                            Agent
+                        </span>
+                    </div>
+                </div>
+
+                <p className="text-gray-700">{agentProfile.personaDescription}</p>
+
+                <div className="flex flex-col gap-2">
+                    <h2 className="text-sm font-semibold text-gray-700 uppercase tracking-wide">Capabilities</h2>
+                    <div className="flex flex-wrap gap-2">
+                        {agentActions.map((action) => (
                             <span
-                                className="inline-block mt-1 px-2 py-1 rounded text-xs font-semibold text-white"
-                                style={{ backgroundColor: brandColor }}
+                                key={action}
+                                className="px-3 py-1 bg-white text-gray-700 rounded-full text-xs font-medium border border-gray-200 shadow-sm"
                             >
-                                Agent
+                                {action}
                             </span>
-                        </div>
-                    </div>
-                    {renderProfileFields()}
-                    <div className="flex flex-col gap-2">
-                        <h2 className="text-sm font-semibold text-gray-700 uppercase tracking-wide">Actions</h2>
-                        <div className="flex flex-wrap gap-2">
-                            {agentActions.map((action) => (
-                                <span
-                                    key={action}
-                                    className="px-3 py-1 bg-gray-100 text-gray-700 rounded-full text-xs font-medium border border-gray-200"
-                                >
-                                    {action}
-                                </span>
-                            ))}
-                        </div>
+                        ))}
                     </div>
-                    <div className="flex gap-4 mt-6">
+                </div>
+
+                <div className="flex flex-col gap-2 mt-auto">
+                    <div className="flex gap-2">
                         <a
-                            href={`${pageUrl}/chat`}
+                            href={`/agents/${encodeURIComponent(agentName)}/book+chat`}
                             // <- TODO: [🧠] Can I append path like this on current browser URL in href?
-                            className="bg-blue-600 hover:bg-blue-700 text-white px-4 py-2 rounded shadow font-semibold transition"
+                            className="flex-1 inline-flex items-center justify-center whitespace-nowrap bg-white hover:bg-gray-100 text-gray-800 px-4 py-2 rounded shadow font-semibold transition border border-gray-200"
                         >
-                            💬 Chat
+                            <Columns2Icon className="ml-2 w-4 h-4 mr-2" />
+                            Book + Chat
                         </a>
                         <a
-                            href={`${pageUrl}/book`}
+                            href={`/agents/${encodeURIComponent(agentName)}/book`}
                             // <- TODO: [🧠] Can I append path like this on current browser URL in href?
-                            className="bg-gray-200 hover:bg-gray-300 text-gray-800 px-4 py-2 rounded shadow font-semibold transition"
+                            className="flex-1 inline-flex items-center justify-center whitespace-nowrap bg-white hover:bg-gray-100 text-gray-800 px-4 py-2 rounded shadow font-semibold transition border border-gray-200"
                         >
-                            ✏️ Edit Agent Book
+                            <Edit2Icon className="ml-2 w-4 h-4 mr-2" />
+                            Edit
                         </a>
                     </div>
                 </div>
-                {/* Right column: QR, source, copy */}
-                <div className="flex flex-col items-center gap-6 min-w-[260px]">
-                    <div className="bg-gray-100 rounded-lg p-4 flex flex-col items-center">
-                        <PromptbookQrCode value={pageUrl} />
-                        <span className="mt-2 text-xs text-gray-500">Scan to open agent page</span>
+
+                <div className="flex flex-col items-center gap-4 pt-6 border-t border-gray-200 w-full">
+                    <div className="bg-white rounded-lg p-4 flex flex-col items-center shadow-sm border border-gray-100">
+                        <AgentQrCode
+                            agentName={agentProfile.agentName || 'Agent'}
+                            personaDescription={agentProfile.personaDescription}
+                            agentUrl={agentUrl}
+                            agentEmail={agentEmail}
+                        />
+                    </div>
+                    <div className="flex flex-col gap-2 w-full">
+                        <CopyField label="Agent Page URL" value={agentUrl} />
+                        <CopyField label="Agent Email" value={agentEmail} />
                     </div>
-                    <AgentUrlCopy url={pageUrl} />
                 </div>
             </div>
+
+            {/* Main content: Chat */}
+            <div className="flex-1 relative h-full bg-white">
+                <AgentChatWrapper agentUrl={agentUrl} />
+            </div>
         </div>
     );
 }
 
 /**
- * TODO: !!! Make this page look nice - 🃏
- * TODO: !!! Show usage of LLM
+ * TODO: [🐱‍🚀] Make this page look nice - 🃏
+ * TODO: [🐱‍🚀] Show usage of LLM
  * TODO: [🚗] Components and pages here should be just tiny UI wraper around proper agent logic and conponents
  * TODO: [🎣][🧠] Maybe do API / Page for transpilers, Allow to export each agent
  */

package/apps/agents-server/src/app/agents/page.tsx

@@ -7,5 +7,5 @@ export default async function AgentsPage() {
 }
 
 /**
- * TODO: !!! Distinguish between `/` and `/agents` pages
+ * TODO: [🐱‍🚀] Distinguish between `/` and `/agents` pages
  */

package/apps/agents-server/src/app/api/auth/login/route.ts

@@ -0,0 +1,65 @@
+import { $getTableName } from '@/src/database/$getTableName';
+import { $provideSupabaseForServer } from '../../../../database/$provideSupabaseForServer';
+import { AgentsServerDatabase } from '../../../../database/schema';
+import { verifyPassword } from '../../../../utils/auth';
+import { setSession } from '../../../../utils/session';
+import { NextResponse } from 'next/server';
+
+export async function POST(request: Request) {
+    try {
+        const body = await request.json();
+        const { username, password } = body;
+
+        if (!username || !password) {
+            return NextResponse.json({ error: 'Username and password are required' }, { status: 400 });
+        }
+
+        // 1. Check if it's the environment admin
+        if (process.env.ADMIN_PASSWORD && password === process.env.ADMIN_PASSWORD && username === 'admin') {
+             // Or maybe allow any username if password matches admin password? 
+             // The task says "process.env.ADMIN_PASSWORD is like one of the admin users"
+             // Assuming username 'admin' for environment password login.
+             await setSession({ username: 'admin', isAdmin: true });
+             return NextResponse.json({ success: true });
+        }
+        
+        // 2. Check DB users
+        const supabase = $provideSupabaseForServer();
+        const { data: user, error } = await supabase
+            .from(await $getTableName('User'))
+            .select('*')
+            .eq('username', username)
+            .single();
+
+        if (error || !user) {
+            // Check if password matches ADMIN_PASSWORD even if user doesn't exist?
+            // "The table User should work together with the process.env.ADMIN_PASSWORD"
+            // If the user enters a password that matches process.env.ADMIN_PASSWORD, should they get admin access regardless of username?
+            // "process.env.ADMIN_PASSWORD is like one of the admin users" implies it's a specific credential.
+            // Let's stick to: if username is 'admin' and password is ADMIN_PASSWORD, it works.
+            // Or if the password matches ADMIN_PASSWORD, maybe we grant admin access? 
+            // "Non-admin users can only log in... cannot see list of users"
+            
+            // Re-reading: "process.env.ADMIN_PASSWORD is like one of the admin users in the User table"
+            // This suggests it's treated as a user.
+            
+            // If I login with a valid user from DB, I check password hash.
+            // If I login with 'admin' and ADMIN_PASSWORD, I get admin.
+
+            return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+        }
+
+        const isValid = await verifyPassword(password, (user as AgentsServerDatabase['public']['Tables']['User']['Row']).passwordHash);
+
+        if (!isValid) {
+             return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
+        }
+
+        await setSession({ username: (user as AgentsServerDatabase['public']['Tables']['User']['Row']).username, isAdmin: (user as AgentsServerDatabase['public']['Tables']['User']['Row']).isAdmin });
+        return NextResponse.json({ success: true });
+
+    } catch (error) {
+        console.error('Login error:', error);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}

package/apps/agents-server/src/app/api/auth/logout/route.ts

@@ -0,0 +1,7 @@
+import { clearSession } from '../../../../utils/session';
+import { NextResponse } from 'next/server';
+
+export async function POST() {
+    await clearSession();
+    return NextResponse.json({ success: true });
+}

package/apps/agents-server/src/app/api/metadata/route.ts

@@ -0,0 +1,116 @@
+import { $getTableName } from '../../../database/$getTableName';
+import { $provideSupabase } from '../../../database/$provideSupabase';
+import { isUserAdmin } from '../../../utils/isUserAdmin';
+import { NextRequest, NextResponse } from 'next/server';
+
+export async function GET(request: NextRequest) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const supabase = $provideSupabase();
+    const table = await $getTableName('Metadata');
+
+    const { data, error } = await supabase.from(table).select('*').order('key');
+
+    if (error) {
+        return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+
+    return NextResponse.json(data);
+}
+
+export async function POST(request: NextRequest) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const body = await request.json();
+        const { key, value, note } = body;
+
+        if (!key || !value) {
+            return NextResponse.json({ error: 'Key and value are required' }, { status: 400 });
+        }
+
+        const supabase = $provideSupabase();
+        const table = await $getTableName('Metadata');
+
+        const { data, error } = await supabase
+            .from(table)
+            .insert({ key, value, note })
+            .select()
+            .single();
+
+        if (error) {
+            return NextResponse.json({ error: error.message }, { status: 500 });
+        }
+
+        return NextResponse.json(data);
+    } catch (e) {
+        return NextResponse.json({ error: 'Invalid request body' }, { status: 400 });
+    }
+}
+
+export async function PUT(request: NextRequest) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const body = await request.json();
+        const { key, value, note } = body;
+
+        if (!key || !value) {
+            return NextResponse.json({ error: 'Key and value are required' }, { status: 400 });
+        }
+
+        const supabase = $provideSupabase();
+        const table = await $getTableName('Metadata');
+
+        // Using upsert if it exists or update if strict
+        // Since key is unique, upsert works well, but usually PUT implies update.
+        // Let's use update to be safe and explicit about editing existing.
+        // Actually, for editing, we identify by ID or Key.
+        // Let's use Key as identifier since it is unique.
+
+        const { data, error } = await supabase
+            .from(table)
+            .update({ value, note, updatedAt: new Date().toISOString() })
+            .eq('key', key)
+            .select()
+            .single();
+
+        if (error) {
+            return NextResponse.json({ error: error.message }, { status: 500 });
+        }
+
+        return NextResponse.json(data);
+    } catch (e) {
+        return NextResponse.json({ error: 'Invalid request body' }, { status: 400 });
+    }
+}
+
+export async function DELETE(request: NextRequest) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const searchParams = request.nextUrl.searchParams;
+    const key = searchParams.get('key');
+
+    if (!key) {
+        return NextResponse.json({ error: 'Key is required' }, { status: 400 });
+    }
+
+    const supabase = $provideSupabase();
+    const table = await $getTableName('Metadata');
+
+    const { error } = await supabase.from(table).delete().eq('key', key);
+
+    if (error) {
+        return NextResponse.json({ error: error.message }, { status: 500 });
+    }
+
+    return NextResponse.json({ success: true });
+}

package/apps/agents-server/src/app/api/upload/route.ts

@@ -4,6 +4,7 @@ import { serializeError } from '@promptbook-local/utils';
 import formidable from 'formidable';
 import { readFile } from 'fs/promises';
 import { NextRequest, NextResponse } from 'next/server';
+import { forTime } from 'waitasecond';
 import { assertsError } from '../../../../../../src/errors/assertsError';
 import { string_url } from '../../../../../../src/types/typeAliases';
 import { keepUnused } from '../../../../../../src/utils/organization/keepUnused';
@@ -13,6 +14,9 @@ import { validateMimeType } from '../../../../src/utils/validators/validateMimeT
 
 export async function POST(request: NextRequest) {
     try {
+        await forTime(1);
+        // await forTime(5000);
+
         const nodeRequest = await nextRequestToNodeRequest(request);
 
         const files = await new Promise<formidable.Files>((resolve, reject) => {
@@ -57,13 +61,13 @@ export async function POST(request: NextRequest) {
         return new Response(
             JSON.stringify(
                 serializeError(error),
-                // <- TODO: !!! Rename `serializeError` to `errorToJson`
+                // <- TODO: [🐱‍🚀] Rename `serializeError` to `errorToJson`
                 null,
                 4,
-                // <- TODO: !!! Allow to configure pretty print for agent server
+                // <- TODO: [🐱‍🚀] Allow to configure pretty print for agent server
             ),
             {
-                status: 400, // <- TODO: !!! Make `errorToHttpStatusCode`
+                status: 400, // <- TODO: [🐱‍🚀] Make `errorToHttpStatusCode`
                 headers: { 'Content-Type': 'application/json' },
             },
         );

package/apps/agents-server/src/app/api/users/[username]/route.ts

@@ -0,0 +1,75 @@
+import { $getTableName } from '@/src/database/$getTableName';
+import { NextResponse } from 'next/server';
+import { $provideSupabaseForServer } from '../../../../database/$provideSupabaseForServer';
+import { hashPassword } from '../../../../utils/auth';
+import { isUserAdmin } from '../../../../utils/isUserAdmin';
+
+export async function PATCH(request: Request, { params }: { params: Promise<{ username: string }> }) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const { username: usernameParam } = await params;
+        const body = await request.json();
+        const { password, isAdmin } = body;
+
+        const updates: { updatedAt: string; passwordHash?: string; isAdmin?: boolean } = {
+            updatedAt: new Date().toISOString(),
+        };
+
+        if (password) {
+            updates.passwordHash = await hashPassword(password);
+        }
+
+        if (typeof isAdmin === 'boolean') {
+            updates.isAdmin = isAdmin;
+        }
+
+        const supabase = $provideSupabaseForServer();
+        const { data: updatedUser, error } = await supabase
+            .from(await $getTableName('User'))
+            .update(updates)
+            .eq('username', usernameParam)
+            .select('id, username, createdAt, updatedAt, isAdmin')
+            .single();
+
+        if (error) {
+            throw error;
+        }
+
+        if (!updatedUser) {
+            return NextResponse.json({ error: 'User not found' }, { status: 404 });
+        }
+
+        return NextResponse.json(updatedUser);
+    } catch (error) {
+        console.error('Update user error:', error);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}
+
+export async function DELETE(request: Request, { params }: { params: Promise<{ username: string }> }) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const { username: usernameParam } = await params;
+        const supabase = $provideSupabaseForServer();
+
+        const { error } = await supabase
+            .from(await $getTableName('User'))
+            .delete()
+            .eq('username', usernameParam);
+
+        if (error) {
+            throw error;
+        }
+
+        return NextResponse.json({ success: true });
+    } catch (error) {
+        console.error('Delete user error:', error);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}

package/apps/agents-server/src/app/api/users/route.ts

@@ -0,0 +1,71 @@
+import { $getTableName } from '@/src/database/$getTableName';
+import { $provideSupabaseForServer } from '../../../database/$provideSupabaseForServer';
+import { hashPassword } from '../../../utils/auth';
+import { isUserAdmin } from '../../../utils/isUserAdmin';
+import { NextResponse } from 'next/server';
+
+export async function GET() {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const supabase = $provideSupabaseForServer();
+        const { data: users, error } = await supabase
+            .from(await $getTableName('User'))
+            .select('id, username, createdAt, updatedAt, isAdmin')
+            .order('username');
+
+        if (error) {
+            throw error;
+        }
+
+        return NextResponse.json(users);
+    } catch (error) {
+        console.error('List users error:', error);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}
+
+export async function POST(request: Request) {
+    if (!(await isUserAdmin())) {
+        return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    try {
+        const body = await request.json();
+        const { username, password, isAdmin } = body;
+
+        if (!username || !password) {
+            return NextResponse.json({ error: 'Username and password are required' }, { status: 400 });
+        }
+
+        const passwordHash = await hashPassword(password);
+        const supabase = $provideSupabaseForServer();
+
+        const { data: newUser, error } = await supabase
+            .from(await $getTableName('User'))
+            .insert({
+                username,
+                passwordHash,
+                isAdmin: !!isAdmin,
+                createdAt: new Date().toISOString(),
+                updatedAt: new Date().toISOString(),
+            })
+            .select('id, username, createdAt, updatedAt, isAdmin')
+            .single();
+
+        if (error) {
+            if (error.code === '23505') { // unique_violation
+                 return NextResponse.json({ error: 'Username already exists' }, { status: 409 });
+            }
+            throw error;
+        }
+
+        return NextResponse.json(newUser);
+
+    } catch (error) {
+        console.error('Create user error:', error);
+        return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
+    }
+}