@qwickapps/server 1.8.2 → 1.10.0

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@qwickapps/server",
-  "version": "1.8.2",
+  "version": "1.10.0",
   "description": "Plugin-based application server framework for building websites, APIs, admin dashboards, and full-stack products",
+  "type": "module",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",
   "exports": {
@@ -29,6 +30,29 @@
     "ui",
     "CHANGELOG.md"
   ],
+  "scripts": {
+    "build": "npm run build:ui-lib && npm run build:server && npm run build:ui",
+    "build:server": "tsc",
+    "build:ui": "cd ui && vite build",
+    "build:ui-lib": "cd ui && vite build --config vite.lib.config.ts && tsc -p tsconfig.lib.json",
+    "build:clean": "rm -rf dist dist-ui dist-ui-lib && npm run build",
+    "dev": "tsc --watch",
+    "dev:ui": "cd ui && vite",
+    "clean": "rm -rf dist dist-ui dist-ui-lib node_modules",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "test:coverage": "vitest run --coverage",
+    "test:e2e": "playwright test",
+    "test:e2e:ui": "playwright test --ui",
+    "test:e2e:headed": "playwright test --headed",
+    "demo": "npm run build:server && pnpm tsx examples/demo-server.ts",
+    "demo:gateway": "npm run build:server && pnpm tsx examples/demo-gateway.ts",
+    "demo:all": "npm run build:server && pnpm tsx examples/demo-all.ts",
+    "type-check": "tsc --noEmit",
+    "type-check:ui": "cd ui && tsc --noEmit",
+    "validate:clean-install": "./qa/clean-install/validate.sh",
+    "prepublishOnly": "npm run test && npm run build && npm run validate:clean-install"
+  },
   "dependencies": {
     "@qwickapps/logging": "^1.0.2",
     "compression": "^1.7.4",
@@ -115,32 +139,10 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/qwickapps/server.git"
+    "url": "git+https://github.com/qwickapps/server.git"
   },
   "homepage": "https://github.com/qwickapps/server#readme",
   "publishConfig": {
     "access": "public"
-  },
-  "scripts": {
-    "build": "npm run build:ui-lib && npm run build:server && npm run build:ui",
-    "build:server": "tsc",
-    "build:ui": "cd ui && vite build",
-    "build:ui-lib": "cd ui && vite build --config vite.lib.config.ts && tsc -p tsconfig.lib.json",
-    "build:clean": "rm -rf dist dist-ui dist-ui-lib && npm run build",
-    "dev": "tsc --watch",
-    "dev:ui": "cd ui && vite",
-    "clean": "rm -rf dist dist-ui dist-ui-lib node_modules",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "test:coverage": "vitest run --coverage",
-    "test:e2e": "playwright test",
-    "test:e2e:ui": "playwright test --ui",
-    "test:e2e:headed": "playwright test --headed",
-    "demo": "npm run build:server && pnpm tsx examples/demo-server.ts",
-    "demo:gateway": "npm run build:server && pnpm tsx examples/demo-gateway.ts",
-    "demo:all": "npm run build:server && pnpm tsx examples/demo-all.ts",
-    "type-check": "tsc --noEmit",
-    "type-check:ui": "cd ui && tsc --noEmit",
-    "validate:clean-install": "./qa/clean-install/validate.sh"
   }
-}
+}

package/src/core/control-panel.ts

@@ -37,6 +37,7 @@ import {
 } from './plugin-registry.js';
 import { bearerTokenAuth } from '../plugins/api-keys/index.js';
 import { createCorePlugin } from '../plugins/core/index.js';
+import { sanitizeUrl } from '../utils/url.js';
 
 // Get the package root directory for serving UI assets
 const _filename = fileURLToPath(import.meta.url);
@@ -506,7 +507,7 @@ function generateLandingPageHtml(options: {
   const linksHtml = links
     .map(
       (link) =>
-        `<a href="${link.url}" class="link">${link.label}</a>`
+        `<a href="${sanitizeUrl(link.url)}" class="link">${link.label}</a>`
     )
     .join('');
 

package/src/core/gateway.ts

@@ -34,6 +34,7 @@ import express from 'express';
 import { existsSync, readFileSync } from 'fs';
 import { resolve, join, dirname } from 'path';
 import { fileURLToPath } from 'url';
+import { sanitizeUrl } from '../utils/url.js';
 
 // Get QwickApps Server version from package.json
 const _filename = fileURLToPath(import.meta.url);
@@ -287,7 +288,7 @@ function generateLandingPageHtml(
   const linksHtml = links
     .map(
       (link) =>
-        `<a href="${link.url}" class="link">${link.label}</a>`
+        `<a href="${sanitizeUrl(link.url)}" class="link">${link.label}</a>`
     )
     .join('');
 
@@ -846,7 +847,7 @@ function generateMaintenancePageHtml(
   }
 
   const contactHtml = config.contactUrl
-    ? `<a href="${config.contactUrl}" class="btn btn-secondary">
+    ? `<a href="${sanitizeUrl(config.contactUrl)}" class="btn btn-secondary">
         <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" width="18" height="18">
           <path d="M4 4h16c1.1 0 2 .9 2 2v12c0 1.1-.9 2-2 2H4c-1.1 0-2-.9-2-2V6c0-1.1.9-2 2-2z"/>
           <polyline points="22,6 12,13 2,6"/>
@@ -1362,35 +1363,33 @@ export function createGateway(config: GatewayConfig): GatewayInstance {
         },
       });
 
-      const apps = config.apps || [];
-      for (const appConfig of apps) {
-        // IMPORTANT: Insert QwickApps Server and Control Panel proxies BEFORE root path proxy
-        // This ensures /qapi/* and /cpanel requests don't get caught by frontend catch-all routing
-        if (appConfig.path === '/') {
-          // 1. Register QwickApps Server API proxy at /qapi/* BEFORE the root proxy
-          //    These are framework APIs: SuperTokens auth, health checks, postgres, cache, etc.
-          //    Payload CMS uses natural Next.js /api/* path
-          app.use((req, res, next) => {
-            if (req.path.startsWith('/qapi/')) {
-              return qwickAppsApiProxy(req, res, next);
-            }
-            next();
-          });
-          logger.debug(`Setting up proxy: /qapi/* -> http://localhost:${cpPort} (QwickApps Server APIs)`);
-          mountedApps.push({ path: '/qapi', type: 'proxy', target: `http://localhost:${cpPort}` });
-
-          // 2. Register Control Panel UI proxy BEFORE the root proxy
-          app.use(cpPath, cpUiProxy);
-          mountedApps.push({ path: cpPath, type: 'proxy', target: `http://localhost:${cpPort}` });
-
-          // 3. Setup WebSocket upgrade handling for control panel UI
-          server!.on('upgrade', (req: IncomingMessage, socket: Duplex, head: Buffer) => {
-            if (req.url?.startsWith(cpPath)) {
-              cpUiProxy.upgrade?.(req, socket as Socket, head);
-            }
-          });
+      // Always register QwickApps Server API proxy (/qapi/*) and Control Panel proxy (/cpanel)
+      // regardless of whether any apps are mounted. This ensures createControlPanel() callers
+      // (which pass no apps) still get /cpanel and /api routes proxied from the gateway port.
+      // 1. Register QwickApps Server API proxy at /qapi/*
+      app.use((req, res, next) => {
+        if (req.path.startsWith('/qapi/')) {
+          return qwickAppsApiProxy(req, res, next);
         }
+        next();
+      });
+      logger.debug(`Setting up proxy: /qapi/* -> http://localhost:${cpPort} (QwickApps Server APIs)`);
+      mountedApps.push({ path: '/qapi', type: 'proxy', target: `http://localhost:${cpPort}` });
+
+      // 2. Register Control Panel UI proxy
+      app.use(cpPath, cpUiProxy);
+      mountedApps.push({ path: cpPath, type: 'proxy', target: `http://localhost:${cpPort}` });
 
+      // 3. Setup WebSocket upgrade handling for control panel UI
+      server!.on('upgrade', (req: IncomingMessage, socket: Duplex, head: Buffer) => {
+        if (req.url?.startsWith(cpPath)) {
+          cpUiProxy.upgrade?.(req, socket as Socket, head);
+        }
+      });
+
+      const apps = config.apps || [];
+      for (const appConfig of apps) {
+        // For apps with a root path, skip re-registering qapi/cpanel proxies (already done above)
         // Now register the app itself
         if (appConfig.source.type === 'proxy') {
           setupProxyApp(appConfig, server);

package/src/plugins/auth/adapters/supertokens-adapter.ts

@@ -47,14 +47,12 @@ export function supertokensAdapter(config: SupertokensAdapterConfig): AuthAdapte
         // Store response on request for later use in getUser()
         (req as SupertokensExtendedRequest)[REQUEST_RES_KEY] = res;
 
-        // Skip if already initialized with error
+        // Skip if already initialized with error — let auth-checking middleware
+        // decide whether to block the request based on authRequired config.
+        // Returning 500 here blocks ALL routes (including /auth/config/status)
+        // even when authRequired is false.
         if (initializationError) {
-          return res.status(500).json({
-            error: 'Auth Configuration Error',
-            message:
-              'Supertokens is not properly configured. Install supertokens-node package: npm install supertokens-node',
-            details: initializationError.message,
-          });
+          return next();
         }
 
         // Lazy initialize Supertokens
@@ -74,6 +72,51 @@ export function supertokensAdapter(config: SupertokensAdapterConfig): AuthAdapte
               recipeList.push(EmailPassword.default.init());
             }
 
+            // Add Passwordless (magic link) recipe if enabled
+            if (config.enablePasswordless) {
+              const Passwordless = await import('supertokens-node/recipe/passwordless');
+
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any
+              const passwordlessConfig: any = {
+                contactMethod: 'EMAIL',
+                flowType: 'MAGIC_LINK',
+              };
+
+              // Override email delivery with Resend if API key is provided
+              if (config.resendApiKey) {
+                const resendApiKey = config.resendApiKey;
+                const fromEmail = config.resendFromEmail || 'noreply@faabzi.com';
+                const appName = config.appName;
+
+                passwordlessConfig.emailDelivery = {
+                  service: {
+                    sendEmail: async ({ email, urlWithLinkCode }: { email: string; urlWithLinkCode?: string }) => {
+                      try {
+                        await fetch('https://api.resend.com/emails', {
+                          method: 'POST',
+                          headers: {
+                            Authorization: `Bearer ${resendApiKey}`,
+                            'Content-Type': 'application/json',
+                          },
+                          body: JSON.stringify({
+                            from: fromEmail,
+                            to: email,
+                            subject: `Sign in to ${appName}`,
+                            html: `<p>Click the link below to sign in to ${appName}.</p><p>This link expires in 15 minutes.</p><p><a href="${urlWithLinkCode}" style="display:inline-block;padding:12px 24px;background-color:#1a1a1a;color:#fff;text-decoration:none;border-radius:6px;font-weight:600;">Sign in</a></p><p>Or copy this URL: ${urlWithLinkCode}</p><p>If you did not request this, you can safely ignore this email.</p>`,
+                          }),
+                        });
+                      } catch (err) {
+                        console.error('[SupertokensAdapter] Failed to send magic link email via Resend:', err);
+                        throw err;
+                      }
+                    },
+                  },
+                };
+              }
+
+              recipeList.push(Passwordless.default.init(passwordlessConfig));
+            }
+
             // Add ThirdParty recipe if any social providers configured
             if (config.socialProviders) {
               // Build provider configurations using Supertokens ProviderInput type
@@ -163,12 +206,10 @@ export function supertokensAdapter(config: SupertokensAdapterConfig): AuthAdapte
             initializationError =
               error instanceof Error ? error : new Error('Failed to initialize Supertokens');
             console.error('[SupertokensAdapter] Initialization error:', error);
-            return res.status(500).json({
-              error: 'Auth Configuration Error',
-              message:
-                'Supertokens is not properly configured. Install supertokens-node package: npm install supertokens-node',
-              details: initializationError.message,
-            });
+            // Let the auth-checking middleware decide whether to block this request.
+            // Non-auth routes (e.g. /auth/config/status) must remain accessible
+            // so the UI can display the configuration error state.
+            return next();
           }
         }
 

package/src/plugins/auth/auth-plugin.ts

@@ -73,13 +73,14 @@ export function createAuthPlugin(config: AuthPluginConfig): Plugin {
         }
       }
 
-      // Register SuperTokens middleware on router for /auth/* paths
-      // This ensures Gateway forwards ALL /api/auth/* requests to control panel
-      // where SuperTokens can handle them dynamically
+      // Register SuperTokens middleware on router for auth paths
+      // Uses config.apiBasePath so Gateway forwards requests to the correct path
+      // e.g. SUPERTOKENS_API_BASE_PATH=/qapi/auth → router.use('/qapi/auth', ...)
+      const authBasePath = config.apiBasePath ?? '/auth';
       if (Array.isArray(primaryMiddleware)) {
-        router.use('/auth', ...primaryMiddleware);
+        router.use(authBasePath, ...primaryMiddleware);
       } else {
-        router.use('/auth', primaryMiddleware);
+        router.use(authBasePath, primaryMiddleware);
       }
 
       // Add the auth checking middleware to router (not app)

package/src/plugins/auth/env-config.ts

@@ -149,6 +149,9 @@ function parseSupertokensEnv(): EnvParseResult<SupertokensAdapterConfig> {
     apiBasePath: getEnv('SUPERTOKENS_API_BASE_PATH') ?? '/auth',
     websiteBasePath: getEnv('SUPERTOKENS_WEBSITE_BASE_PATH') ?? '/auth',
     enableEmailPassword: getEnvBool('SUPERTOKENS_ENABLE_EMAIL_PASSWORD', true),
+    enablePasswordless: getEnvBool('SUPERTOKENS_ENABLE_PASSWORDLESS', false),
+    resendApiKey: getEnv('RESEND_API_KEY'),
+    resendFromEmail: getEnv('RESEND_FROM_EMAIL'),
   };
 
   // Parse social providers
@@ -402,6 +405,7 @@ export function createAuthPluginFromEnv(options?: AuthEnvPluginOptions): Plugin
     excludePaths,
     authRequired,
     debug,
+    apiBasePath: getEnv('SUPERTOKENS_API_BASE_PATH') ?? getEnv('AUTH_API_BASE_PATH'),
     onUnauthorized: options?.onUnauthorized,
     onAuthenticated: options?.onAuthenticated,
   };

package/src/plugins/auth/types.ts

@@ -155,6 +155,15 @@ export interface SupertokensAdapterConfig {
   /** Enable email/password auth (default: true) */
   enableEmailPassword?: boolean;
 
+  /** Enable passwordless (magic link) auth (default: false) */
+  enablePasswordless?: boolean;
+
+  /** Resend API key for magic link email delivery (optional — uses SuperTokens core delivery if not set) */
+  resendApiKey?: string;
+
+  /** From email address for magic link emails */
+  resendFromEmail?: string;
+
   /** Social login providers */
   socialProviders?: {
     google?: { clientId: string; clientSecret: string };
@@ -180,6 +189,8 @@ export interface AuthPluginConfig {
   excludePaths?: string[];
   /** Whether auth is required for all routes (default: true) */
   authRequired?: boolean;
+  /** API base path for auth routes registered on the Express router (default: '/auth') */
+  apiBasePath?: string;
   /** Custom unauthorized handler */
   onUnauthorized?: (req: Request, res: Response) => void;
   /**

package/src/plugins/maintenance/seed-executor.ts

@@ -106,11 +106,12 @@ export class SeedExecutor {
     this.outputSize = 0;
 
     return new Promise((resolvePromise, rejectPromise) => {
-      // Determine if we need tsx (for .ts/.mts files that import TS modules)
-      // Use tsx for .mjs files too since they might import from TS source
-      const needsTsx = scriptPath.match(/\.(mjs|ts|mts)$/);
+      // .ts/.mts files require tsx for TypeScript compilation.
+      // .mjs files are native ESM and run directly with node — tsx is not
+      // available in the system PATH in Docker production builds.
+      const needsTsx = scriptPath.match(/\.(ts|mts)$/);
       const execCommand = needsTsx ? 'tsx' : process.execPath;
-      const execArgs = needsTsx ? [scriptPath] : [scriptPath];
+      const execArgs = [scriptPath];
 
       // Spawn process with TypeScript support if needed
       this.child = spawn(execCommand, execArgs, {

package/src/plugins/maintenance-plugin.ts

@@ -416,6 +416,8 @@ export function createMaintenancePlugin(config: MaintenancePluginConfig = {}): P
               } catch (error) {
                 logger.error('Seed execution failed', { name, error });
 
+                const duration = Date.now() - startTime;
+
                 // Send error event via SSE to notify client
                 res.write(`data: ${JSON.stringify({
                   type: 'error',
@@ -423,6 +425,13 @@ export function createMaintenancePlugin(config: MaintenancePluginConfig = {}): P
                   timestamp: new Date().toISOString()
                 })}\n\n`);
 
+                // Send exit event so the UI can transition out of the "Running..." state
+                res.write(`data: ${JSON.stringify({
+                  type: 'exit',
+                  data: JSON.stringify({ exitCode: 1, duration }),
+                  timestamp: new Date().toISOString()
+                })}\n\n`);
+
                 // Update execution record as failed
                 if (hasPostgres() && executionId) {
                   const db = getPostgres();
@@ -476,16 +485,31 @@ export function createMaintenancePlugin(config: MaintenancePluginConfig = {}): P
 
               const db = getPostgres();
 
+              // Derive the DB role from the connection URL so GRANT statements
+              // work regardless of which user owns the schema.
+              let dbRole = 'qwickapps';
+              if (config.databaseUrl) {
+                try {
+                  const parsedUrl = new URL(config.databaseUrl);
+                  const urlUser = parsedUrl.username;
+                  if (urlUser && /^[a-zA-Z_][a-zA-Z0-9_]*$/.test(urlUser)) {
+                    dbRole = urlUser;
+                  }
+                } catch {
+                  // Keep default if URL is unparseable
+                }
+              }
+
               // Drop and recreate public schema (removes all tables, data, etc.)
               await db.queryRaw('DROP SCHEMA IF EXISTS public CASCADE');
               await db.queryRaw('CREATE SCHEMA public');
               await db.queryRaw('GRANT ALL ON SCHEMA public TO public');
               await db.queryRaw('GRANT ALL ON SCHEMA public TO postgres');
-              await db.queryRaw('GRANT ALL ON SCHEMA public TO qwickapps');
+              await db.queryRaw(`GRANT ALL ON SCHEMA public TO ${dbRole}`);
 
               // Grant default privileges for future tables and sequences
-              await db.queryRaw('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO qwickapps');
-              await db.queryRaw('ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO qwickapps');
+              await db.queryRaw(`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO ${dbRole}`);
+              await db.queryRaw(`ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO ${dbRole}`);
 
               res.json({
                 success: true,
@@ -795,7 +819,7 @@ export function createMaintenancePlugin(config: MaintenancePluginConfig = {}): P
                 // Execute Payload migration command
                 const { spawn } = await import('child_process');
 
-                migrationProcess = spawn('npx', ['payload', 'migrate', '--force-accept-warning'], {
+                migrationProcess = spawn('pnpm', ['exec', 'payload', 'migrate', '--force-accept-warning'], {
                   cwd: process.cwd(),
                   env: {
                     ...process.env,

package/src/plugins/postgres-plugin.test.ts

@@ -36,6 +36,8 @@ import {
   createPostgresPlugin,
   getPostgres,
   hasPostgres,
+  parseConnectionUrl,
+  isManagedDatabase,
   type PostgresPluginConfig,
 } from './postgres-plugin.js';
 import type { PluginRegistry } from '../core/plugin-registry.js';
@@ -221,6 +223,82 @@ describe('PostgreSQL Plugin', () => {
     });
   });
 
+  describe('parseConnectionUrl', () => {
+    it('should parse a standard URL with explicit port', () => {
+      const result = parseConnectionUrl('postgresql://myuser:mypass@localhost:5432/mydb');
+      expect(result).toEqual({ user: 'myuser', password: 'mypass', host: 'localhost', port: 5432, database: 'mydb' });
+    });
+
+    it('should default port to 5432 when omitted (Neon URL)', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@ep-xxx.us-east-2.aws.neon.tech/neondb?sslmode=require');
+      expect(result.host).toBe('ep-xxx.us-east-2.aws.neon.tech');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('neondb');
+      expect(result.user).toBe('user');
+    });
+
+    it('should parse a Supabase URL without port', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@db.abc123.supabase.co/postgres');
+      expect(result.host).toBe('db.abc123.supabase.co');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('postgres');
+    });
+
+    it('should normalise postgres:// scheme to postgresql://', () => {
+      const result = parseConnectionUrl('postgres://user:pass@localhost:5432/testdb');
+      expect(result.host).toBe('localhost');
+      expect(result.database).toBe('testdb');
+    });
+
+    it('should strip query-string params from the database name', () => {
+      const result = parseConnectionUrl('postgresql://user:pass@host.neon.tech/mydb?sslmode=require&connect_timeout=10');
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should decode percent-encoded characters in password', () => {
+      const result = parseConnectionUrl('postgresql://user:pass%40word@ep-xxx.neon.tech/mydb?sslmode=require');
+      expect(result.user).toBe('user');
+      expect(result.password).toBe('pass@word');
+      expect(result.host).toBe('ep-xxx.neon.tech');
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should handle empty password without throwing', () => {
+      const result = parseConnectionUrl('postgresql://user:@localhost:5432/mydb');
+      expect(result.user).toBe('user');
+      expect(result.password).toBe('');
+      expect(result.host).toBe('localhost');
+      expect(result.port).toBe(5432);
+      expect(result.database).toBe('mydb');
+    });
+
+    it('should throw on an invalid URL', () => {
+      expect(() => parseConnectionUrl('not-a-url')).toThrow('Invalid PostgreSQL connection URL format');
+    });
+  });
+
+  describe('isManagedDatabase', () => {
+    it('should return true for *.neon.tech hosts', () => {
+      expect(isManagedDatabase('ep-xxx.us-east-2.aws.neon.tech')).toBe(true);
+    });
+
+    it('should return true for *.supabase.co hosts', () => {
+      expect(isManagedDatabase('db.abc123.supabase.co')).toBe(true);
+    });
+
+    it('should return false for localhost', () => {
+      expect(isManagedDatabase('localhost')).toBe(false);
+    });
+
+    it('should return false for RDS hosts', () => {
+      expect(isManagedDatabase('mydb.cluster-xyz.us-east-1.rds.amazonaws.com')).toBe(false);
+    });
+
+    it('should return false for a domain that merely contains but does not end with neon.tech', () => {
+      expect(isManagedDatabase('neon.tech.example.com')).toBe(false);
+    });
+  });
+
   describe('onStop', () => {
     it('should close pool and unregister instance', async () => {
       const plugin = createPostgresPlugin(mockConfig, 'test');

package/src/plugins/postgres-plugin.ts

@@ -161,26 +161,43 @@ export interface PostgresInstance {
 const instances = new Map<string, PostgresInstance>();
 
 /**
- * Parse database connection URL to extract components
+ * Parse database connection URL to extract components.
+ * Supports both `postgresql://` and `postgres://` schemes,
+ * optional port (defaults to 5432), and query-string parameters.
  */
-function parseConnectionUrl(url: string): {
+export function parseConnectionUrl(url: string): {
   user: string;
   password: string;
   host: string;
   port: number;
   database: string;
 } {
-  const match = url.match(/postgresql:\/\/([^:]+):([^@]+)@([^:]+):(\d+)\/(.+)/);
-  if (!match) {
+  // Normalise postgres:// → postgresql:// so the URL constructor accepts it
+  const normalised = url.replace(/^postgres:\/\//, 'postgresql://');
+  let parsed: URL;
+  try {
+    parsed = new URL(normalised);
+  } catch {
     throw new Error('Invalid PostgreSQL connection URL format');
   }
-  return {
-    user: match[1],
-    password: match[2],
-    host: match[3],
-    port: parseInt(match[4], 10),
-    database: match[5],
-  };
+  const user = decodeURIComponent(parsed.username);
+  const password = decodeURIComponent(parsed.password);
+  const host = parsed.hostname;
+  const port = parsed.port ? parseInt(parsed.port, 10) : 5432;
+  // pathname starts with '/' — strip it to get the database name
+  const database = decodeURIComponent(parsed.pathname.slice(1));
+  if (!user || !host || !database) {
+    throw new Error('Invalid PostgreSQL connection URL format');
+  }
+  return { user, password, host, port, database };
+}
+
+/**
+ * Returns true when the host belongs to a known managed-database provider
+ * (Neon, Supabase) where destructive operations like DROP DATABASE are unsafe.
+ */
+export function isManagedDatabase(host: string): boolean {
+  return host.endsWith('.neon.tech') || host.endsWith('.supabase.co');
 }
 
 /**
@@ -567,6 +584,8 @@ export function createPostgresPlugin(
               }
             }
 
+            const managed = connParams ? isManagedDatabase(connParams.host) : false;
+
             try {
               await targetInstance.query('SELECT 1');
               res.json({
@@ -576,6 +595,7 @@ export function createPostgresPlugin(
                 user: connParams?.user,
                 host: connParams?.host,
                 port: connParams?.port,
+                managed,
                 autoInitializeEnabled: config.autoInitialize !== false,
                 adminCredentialsProvided: !!(config.adminUser && config.adminPassword),
               });
@@ -587,6 +607,7 @@ export function createPostgresPlugin(
                 user: connParams?.user,
                 host: connParams?.host,
                 port: connParams?.port,
+                managed,
                 errorMessage: err instanceof Error ? err.message : String(err),
                 autoInitializeEnabled: config.autoInitialize !== false,
                 adminCredentialsProvided: !!(config.adminUser && config.adminPassword),
@@ -676,6 +697,13 @@ export function createPostgresPlugin(
             }
 
             const connParams = parseConnectionUrl(config.url);
+
+            if (isManagedDatabase(connParams.host)) {
+              return res.status(403).json({
+                message: 'Delete and recreate is not supported for managed databases (Neon, Supabase). Manage your database through the provider dashboard.',
+              });
+            }
+
             const effectiveAdminUser = adminUser || config.adminUser;
             const effectiveAdminPassword = adminPassword || config.adminPassword;
 

package/src/plugins/rate-limit/env-config.ts

@@ -12,7 +12,7 @@
  * - RATE_LIMIT_CLEANUP_ENABLED: Enable cleanup job (default: true)
  * - RATE_LIMIT_CLEANUP_INTERVAL_MS: Cleanup interval in ms (default: 300000 = 5 minutes)
  * - RATE_LIMIT_API_ENABLED: Enable status API endpoints (default: true)
- * - RATE_LIMIT_API_PREFIX: API route prefix (default: /rate-limit)
+ * - RATE_LIMIT_API_PREFIX: API route prefix (default: empty, framework adds /rate-limit automatically)
  * - RATE_LIMIT_DEBUG: Enable debug logging (default: false)
  *
  * PostgreSQL Store (via postgres-plugin):
@@ -181,7 +181,7 @@ export function createRateLimitPluginFromEnv(options?: RateLimitEnvPluginOptions
   const cleanupEnabled = getEnvBool('RATE_LIMIT_CLEANUP_ENABLED', true);
   const cleanupIntervalMs = getEnvInt('RATE_LIMIT_CLEANUP_INTERVAL_MS', 300000);
   const apiEnabled = getEnvBool('RATE_LIMIT_API_ENABLED', true);
-  const apiPrefix = getEnv('RATE_LIMIT_API_PREFIX') || '/rate-limit';
+  const apiPrefix = getEnv('RATE_LIMIT_API_PREFIX') || '';
   const debug = options?.debug ?? getEnvBool('RATE_LIMIT_DEBUG', false);
 
   // PostgreSQL store config
@@ -252,10 +252,10 @@ export function getRateLimitConfigStatus(): RateLimitConfigStatus {
  * Register config API routes
  */
 function registerConfigRoutes(registry: PluginRegistry): void {
-  // GET /rate-limit/config/status - Get current rate limit status
+  // GET /config/status - Get current rate limit status
   registry.addRoute({
     method: 'get',
-    path: '/rate-limit/config/status',
+    path: '/config/status',
     pluginId: 'rate-limit',
     handler: (_req: Request, res: Response) => {
       res.json(getRateLimitConfigStatus());

package/src/utils/index.ts

@@ -0,0 +1 @@
+export { sanitizeUrl } from './url.js';