@studious-lms/server 1.2.45 → 1.2.47

package/src/index.ts

@@ -11,58 +11,57 @@ import { logger } from './utils/logger.js';
 import { setupSocketHandlers } from './socket/handlers.js';
 import { bucket } from './lib/googleCloudStorage.js';
 import { prisma } from './lib/prisma.js';
+
+import { authLimiter, generalLimiter, helmetConfig, uploadLimiter } from './middleware/security.js';
+
 import * as Sentry from "@sentry/node";
+import { env } from './lib/config/env.js';
+import compression from 'compression';
+import { v4 as uuidv4 } from 'uuid';
 
-import { renderTrpcPanel } from "trpc-panel";
 
 import "./instrument.js";
-
-dotenv.config();
+import { openAIClient } from './utils/inference.js';
 
 const app = express();
 
+app.use(helmetConfig);
+app.use(compression());
+
+app.use((req, res, next) => {
+  const requestId = uuidv4();
+  res.setHeader('X-Request-ID', requestId);
+  next();
+});
+
+app.use(generalLimiter);
+
+const allowedOrigins = env.NODE_ENV === 'production'
+? [
+    'https://www.studious.sh',
+    'https://studious.sh',
+    env.NEXT_PUBLIC_APP_URL,
+    'http://localhost:3000',
+
+  ].filter(Boolean)
+: [
+    'http://localhost:3000',
+    'http://localhost:3001',
+    'http://127.0.0.1:3000',
+    'http://127.0.0.1:3001',
+
+    env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
+  ];
+
 // CORS middleware
 app.use(cors({
-  origin: [
-    'http://localhost:3000',  // Frontend development server
-    'http://localhost:3001',  // Server port
-    'http://127.0.0.1:3000',  // Alternative localhost
-    'http://127.0.0.1:3001',  // Alternative localhost
-    'https://www.studious.sh',  // Production frontend
-    'https://studious.sh',     // Production frontend (without www)
-    process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-  ],
+  origin: allowedOrigins,
   credentials: true,
   methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
   allowedHeaders: ['Content-Type', 'Authorization', 'X-Requested-With', 'x-user'],
   optionsSuccessStatus: 200
 }));
 
-// Handle preflight OPTIONS requests
-app.options('*', (req, res) => {
-  const allowedOrigins = [
-    'http://localhost:3000',
-    'http://localhost:3001', 
-    'http://127.0.0.1:3000',
-    'http://127.0.0.1:3001',
-    'https://www.studious.sh',  // Production frontend
-    'https://studious.sh',     // Production frontend (without www)
-    process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
-  ];
-  
-  const origin = req.headers.origin;
-  if (origin && allowedOrigins.includes(origin)) {
-    res.header('Access-Control-Allow-Origin', origin);
-  } else {
-    res.header('Access-Control-Allow-Origin', 'http://localhost:3000');
-  }
-  
-  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
-  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With, x-user');
-  res.header('Access-Control-Allow-Credentials', 'true');
-  res.sendStatus(200);
-});
-
 // CORS debugging middleware
 app.use((req, res, next) => {
   if (req.method === 'OPTIONS' || req.path.includes('trpc')) {
@@ -92,7 +91,7 @@ app.use((req, res, next) => {
 });
 
 app.use("/panel", async (_, res) => {
-  if (process.env.NODE_ENV !== "development") {
+  if (env.NODE_ENV !== "development") {
     return res.status(404).send("Not Found");
   }
 
@@ -115,12 +114,25 @@ app.use("/panel", async (_, res) => {
 // Create HTTP server
 const httpServer = createServer(app);
 
-app.get('/health', (req, res) => {
-  res.status(200).json({ message: 'OK' });
-});
+app.get('/health', async (req, res) => {
 
-app.get('/test-sentry', (req, res) => {
-  throw new Error('Test error');
+  try {
+    // Check database connectivity
+    await prisma.$queryRaw`SELECT 1`;
+    
+    res.status(200).json({ 
+      status: 'OK',
+      timestamp: new Date().toISOString(),
+      uptime: process.uptime(),
+      database: 'connected'
+    });
+  } catch (error) {
+    res.status(503).json({ 
+      status: 'ERROR',
+      database: 'disconnected',
+      error: error instanceof Error ? error.message : 'Unknown error'
+    });
+  }
 });
 
 // Setup Socket.IO
@@ -133,7 +145,7 @@ const io = new Server(httpServer, {
       'http://127.0.0.1:3001',  // Alternative localhost
       'https://www.studious.sh',  // Production frontend
       'https://studious.sh',     // Production frontend (without www)
-      process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
+      env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
     ],
     methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
     credentials: true,
@@ -356,12 +368,15 @@ app.get('/api/files/:fileId', async (req, res) => {
   }
 });
 
+app.use('/trpc/auth.login', authLimiter);
+app.use('/trpc/auth.register', authLimiter);
+
 // File upload endpoint for secure file uploads (supports both POST and PUT)
-app.post('/api/upload/:filePath', async (req, res) => {
+app.post('/api/upload/:filePath', uploadLimiter, async (req, res) => {
   handleFileUpload(req, res);
 });
 
-app.put('/api/upload/:filePath', async (req, res) => {
+app.put('/api/upload/:filePath', uploadLimiter, async (req, res) => {
   handleFileUpload(req, res);
 });
 
@@ -378,7 +393,7 @@ function handleFileUpload(req: any, res: any) {
       'http://127.0.0.1:3001',
       'https://www.studious.sh',  // Production frontend
       'https://studious.sh',     // Production frontend (without www)
-      process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
+      env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
     ];
     
     if (origin && allowedOrigins.includes(origin)) {
@@ -453,7 +468,7 @@ Sentry.setupExpressErrorHandler(app);
 // });
 
 
-const PORT = process.env.PORT || 3001;
+const PORT = env.PORT || 3001;
 
 httpServer.listen(PORT, () => {
   logger.info(`Server running on port ${PORT}`, { 
@@ -464,10 +479,10 @@ httpServer.listen(PORT, () => {
 
 // log all env variables
 logger.info('Configurations', {
-  NODE_ENV: process.env.NODE_ENV,
-  PORT: process.env.PORT,
-  NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
-  LOG_MODE: process.env.LOG_MODE,
+  NODE_ENV: env.NODE_ENV,
+  PORT: env.PORT,
+  NEXT_PUBLIC_APP_URL: env.NEXT_PUBLIC_APP_URL,
+  LOG_MODE: env.LOG_MODE,
 });
 
 // Log CORS configuration
@@ -477,6 +492,35 @@ logger.info('CORS Configuration', {
     'http://localhost:3001', 
     'http://127.0.0.1:3000',
     'http://127.0.0.1:3001',
-    process.env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
+    env.NEXT_PUBLIC_APP_URL || 'http://localhost:3000'
   ]
-});
+});
+
+const gracefulShutdown = (signal: string) => {
+  logger.info(`Received ${signal}, shutting down gracefully`);
+  
+  httpServer.close(() => {
+    logger.info('HTTP server closed');
+    
+    io.close(() => {
+      logger.info('Socket.IO server closed');
+      
+      prisma.$disconnect().then(() => {
+        logger.info('Database connections closed');
+        process.exit(0);
+      }).catch((err) => {
+        logger.error('Error disconnecting from database', { error: err });
+        process.exit(1);
+      });
+    });
+  });
+  
+  // Force shutdown after 10 seconds
+  setTimeout(() => {
+    logger.error('Forced shutdown after timeout');
+    process.exit(1);
+  }, 10000);
+};
+
+process.on('SIGTERM', () => gracefulShutdown('SIGTERM'));
+process.on('SIGINT', () => gracefulShutdown('SIGINT'));

package/src/instrument.ts

@@ -1,8 +1,15 @@
 import * as Sentry from "@sentry/node";
+import { env } from "./lib/config/env.js";
 
-Sentry.init({
-  dsn: "https://5440f33877e8e19d7644624f5d3d2f10@o4510401976860672.ingest.de.sentry.io/4510402093514832",
-  // Setting this option to true will send default PII data to Sentry.
-  // For example, automatic IP address collection on events
-  sendDefaultPii: true,
-});
+// Only initialize Sentry in non-test environments
+if (env.NODE_ENV !== 'test') {
+  Sentry.init({
+    dsn: env.SENTRY_DSN,
+    environment: env.NODE_ENV || 'development',
+    // Setting this option to true will send default PII data to Sentry.
+    // For example, automatic IP address collection on events
+    sendDefaultPii: true,
+    // @todo: disable in test environment
+    enabled: true, // Explicitly disable in test environment
+  });
+}

package/src/lib/config/env.ts

@@ -0,0 +1,126 @@
+import { z } from 'zod';
+import dotenv from 'dotenv';
+import { resolve } from 'path';
+import { logger } from '../../utils/logger.js';
+
+// Determine which env file to load based on NODE_ENV
+const nodeEnv = process.env.NODE_ENV || 'development';
+const envFileMap: Record<string, string> = {
+  test: '.env.test',
+  development: '.env.development',
+  production: '.env.production',
+};
+
+// Load the appropriate env file
+const envFile = envFileMap[nodeEnv] || '.env';
+const envPath = resolve(process.cwd(), envFile);
+
+// Load environment variables from the correct file
+// First load .env (base), then override with environment-specific file
+dotenv.config(); // Load .env first (base config)
+dotenv.config({ path: envPath, override: true }); // Override with env-specific
+
+const isTest = nodeEnv === 'test';
+const isProduction = nodeEnv === 'production';
+
+// Base schema with required vars for all environments
+const baseSchema = z.object({
+  NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
+  PORT: z.string().transform(Number).default('3001'),
+  DATABASE_URL: z.string().url('DATABASE_URL must be a valid URL'),
+});
+
+// Production/development schema with all required vars
+const fullSchema = baseSchema.extend({
+  NEXT_PUBLIC_APP_URL: z.string().url().default('http://localhost:3000'),
+  BACKEND_URL: z.string().url().default('http://localhost:3001'),
+  SENTRY_DSN: z.string().url().optional(),
+  EMAIL_HOST: z.string().min(1, 'EMAIL_HOST is required'),
+  EMAIL_USER: z.string().email('EMAIL_USER must be a valid email'),
+  EMAIL_PASS: z.string().min(1, 'EMAIL_PASS is required'),
+  EMAIL_DRY_RUN: z.string().optional().default('false'),
+  GOOGLE_CLOUD_PROJECT_ID: z.string().min(1, 'GOOGLE_CLOUD_PROJECT_ID is required'),
+  GOOGLE_CLOUD_CLIENT_EMAIL: z.string().email('GOOGLE_CLOUD_CLIENT_EMAIL must be a valid email'),
+  GOOGLE_CLOUD_PRIVATE_KEY: z.string().min(1, 'GOOGLE_CLOUD_PRIVATE_KEY is required'),
+  GOOGLE_CLOUD_BUCKET_NAME: z.string().min(1, 'GOOGLE_CLOUD_BUCKET_NAME is required'),
+  PUSHER_APP_ID: z.string().min(1, 'PUSHER_APP_ID is required'),
+  PUSHER_KEY: z.string().min(1, 'PUSHER_KEY is required'),
+  PUSHER_SECRET: z.string().min(1, 'PUSHER_SECRET is required'),
+  PUSHER_CLUSTER: z.string().min(1, 'PUSHER_CLUSTER is required'),
+  INFERENCE_API_KEY: z.string().optional(),
+  INFERENCE_API_BASE_URL: z.string().url().optional(),
+  OPENAI_API_KEY: z.string().optional(),
+  LOG_MODE: z.enum(['normal', 'verbose', 'quiet']).default('normal'),
+});
+
+// Test schema - only require what's needed for tests
+const testSchema = baseSchema.extend({
+  NEXT_PUBLIC_APP_URL: z.string().url().optional().default('http://localhost:3000'),
+  BACKEND_URL: z.string().url().optional().default('http://localhost:3001'),
+  SENTRY_DSN: z.string().url().optional(),
+  EMAIL_HOST: z.string().optional().default('smtp.test.com'),
+  EMAIL_USER: z.string().email().optional().default('test@test.com'),
+  EMAIL_PASS: z.string().optional().default('test'),
+  EMAIL_DRY_RUN: z.string().optional().default('false'),
+  GOOGLE_CLOUD_PROJECT_ID: z.string().optional().default('test-project'),
+  GOOGLE_CLOUD_CLIENT_EMAIL: z.string().email().optional().default('test@test.iam.gserviceaccount.com'),
+  GOOGLE_CLOUD_PRIVATE_KEY: z.string().optional().default('test-key'),
+  GOOGLE_CLOUD_BUCKET_NAME: z.string().optional().default('test-bucket'),
+  PUSHER_APP_ID: z.string().optional().default('test-app-id'),
+  PUSHER_KEY: z.string().optional().default('test-key'),
+  PUSHER_SECRET: z.string().optional().default('test-secret'),
+  PUSHER_CLUSTER: z.string().optional().default('us2'),
+  INFERENCE_API_KEY: z.string().optional(),
+  OPENAI_API_KEY: z.string().optional(),
+  INFERENCE_API_BASE_URL: z.string().url().optional(),
+  LOG_MODE: z.enum(['normal', 'verbose', 'quiet']).default('quiet'),
+});
+
+// Use test schema in test mode, full schema otherwise
+const envSchema = isTest ? testSchema : fullSchema;
+
+// Validate environment variables
+function validateEnv() {
+  try {
+    const parsed = envSchema.parse(process.env);
+    
+    // Only exit on validation failure in production
+    if (isProduction && !parsed.DATABASE_URL) {
+      logger.error('DATABASE_URL is required in production');
+      process.exit(1);
+    }
+    
+    return parsed;
+  } catch (error) {
+    if (error instanceof z.ZodError) {
+      const missingVars = error.errors.map(err => ({
+        path: err.path.join('.'),
+        message: err.message,
+      }));
+      
+      logger.error('Environment variable validation failed', {
+        envFile,
+        missingVars,
+      });
+      
+      // Only exit in production - in test/dev, log warning but continue
+      if (isProduction) {
+        logger.error(`Please check your ${envFile} file and ensure all required variables are set.`);
+        process.exit(1);
+      } else {
+        logger.warn('Continuing with defaults - some features may not work correctly', {
+          envFile,
+        });
+        // Return parsed with defaults for non-production
+        return envSchema.parse({ ...process.env });
+      }
+    }
+    throw error;
+  }
+}
+
+// Export validated environment variables
+export const env = validateEnv();
+
+// Type-safe environment access
+export type Env = z.infer<typeof envSchema>;

package/src/lib/fileUpload.ts

@@ -4,6 +4,7 @@ import { getSignedUrl, objectExists } from "./googleCloudStorage.js";
 import { generateMediaThumbnail } from "./thumbnailGenerator.js";
 import { prisma } from "./prisma.js";
 import { logger } from "../utils/logger.js";
+import { env } from "./config/env.js";
 
 export interface FileData {
   name: string;
@@ -136,7 +137,7 @@ export async function createDirectUploadFile(
     const uploadSessionId = uuidv4();
     
     // Generate backend proxy upload URL (not direct GCS)
-    const baseUrl = process.env.BACKEND_URL || 'http://localhost:3001';
+    const baseUrl = env.BACKEND_URL || 'http://localhost:3001';
     const uploadUrl = `${baseUrl}/api/upload/${encodeURIComponent(filePath)}`;
     const uploadExpiresAt = new Date(Date.now() + 15 * 60 * 1000); // 15 minutes from now
     
@@ -231,7 +232,7 @@ export async function confirmDirectUpload(
     // If uploadSuccess is true, verify the object actually exists in GCS
     if (uploadSuccess) {
       try {
-        const exists = await objectExists(process.env.GOOGLE_CLOUD_BUCKET_NAME!, fileRecord.path);
+        const exists = await objectExists(env.GOOGLE_CLOUD_BUCKET_NAME!, fileRecord.path);
         if (!exists) {
           actualUploadSuccess = false;
           actualErrorMessage = 'File upload reported as successful but object not found in Google Cloud Storage';

package/src/lib/googleCloudStorage.ts

@@ -1,17 +1,17 @@
-import dotenv from 'dotenv';
-dotenv.config();
+
 import { Storage } from '@google-cloud/storage';
 import { TRPCError } from '@trpc/server';
+import { env } from './config/env.js';
 
 const storage = new Storage({
-  projectId: process.env.GOOGLE_CLOUD_PROJECT_ID,
+  projectId: env.GOOGLE_CLOUD_PROJECT_ID,
   credentials: {
-    client_email: process.env.GOOGLE_CLOUD_CLIENT_EMAIL,
-    private_key: process.env.GOOGLE_CLOUD_PRIVATE_KEY?.replace(/\\n/g, '\n'),
+    client_email: env.GOOGLE_CLOUD_CLIENT_EMAIL,
+    private_key: env.GOOGLE_CLOUD_PRIVATE_KEY?.replace(/\\n/g, '\n'),
   },
 });
 
-export const bucket = storage.bucket(process.env.GOOGLE_CLOUD_BUCKET_NAME!);
+export const bucket = storage.bucket(env.GOOGLE_CLOUD_BUCKET_NAME!);
 
 // Short expiration time for signed URLs (5 minutes)
 const SIGNED_URL_EXPIRATION = 5 * 60 * 1000;

package/src/lib/jsonConversion.ts

@@ -4,12 +4,13 @@ import { readFileSync } from 'fs'
 import { join } from 'path'
 import { writeFile } from 'fs'
 import { DocumentBlock, FormatTypes, Fonts } from './jsonStyles.js'
+import { logger } from '../utils/logger.js'
 
 export async function createPdf(blocks: DocumentBlock[]) {
-    console.log('createPdf: Starting PDF creation with', blocks.length, 'blocks');
+    logger.info(`createPdf: Starting PDF creation with ${blocks.length} blocks`);
     try {
         const pdfDoc = await PDFDocument.create()
-        console.log('createPdf: PDFDocument created successfully');
+        logger.info('createPdf: PDFDocument created successfully');
         
         // Register fontkit to enable custom font embedding
         pdfDoc.registerFontkit(fontkit)
@@ -33,9 +34,9 @@ export async function createPdf(blocks: DocumentBlock[]) {
             notoSansItalic = await pdfDoc.embedFont(italicFontBytes)
             courierFont = await pdfDoc.embedFont(StandardFonts.Courier) // Keep Courier for code blocks
             
-            console.log('createPdf: Unicode fonts loaded successfully');
+            logger.info('createPdf: Unicode fonts loaded successfully');
         } catch (fontError) {
-            console.warn('createPdf: Failed to load custom fonts, falling back to standard fonts:', fontError);
+            logger.warn(`createPdf: Failed to load custom fonts, falling back to standard fonts: ${fontError}`);
             // Fallback to standard fonts if custom fonts fail
             notoSansRegular = await pdfDoc.embedFont(StandardFonts.Helvetica)
             notoSansBold = await pdfDoc.embedFont(StandardFonts.HelveticaBold)
@@ -342,10 +343,10 @@ export async function createPdf(blocks: DocumentBlock[]) {
 
     let y = height - marginTop
     let lastLineHeight = -1
-    console.log('createPdf: Starting to process', blocks.length, 'blocks');
+    logger.info(`createPdf: Starting to process ${blocks.length} blocks`);
     for (let i = 0; i < blocks.length; i++) {
         const block = blocks[i];
-        console.log(`createPdf: Processing block ${i + 1}/${blocks.length}, format: ${block.format}, content type: ${typeof block.content}`);
+        logger.info(`createPdf: Processing block ${i + 1}/${blocks.length}, format: ${block.format}, content type: ${typeof block.content}`);
         try {
         const preset = STYLE_PRESETS[block.format] || { fontSize: defaultFontSize, lineHeight: defaultLineHeight }
 
@@ -725,24 +726,21 @@ export async function createPdf(blocks: DocumentBlock[]) {
                 }
             }
         }
-        console.log(`createPdf: Successfully processed block ${i + 1}`);
+        logger.info(`createPdf: Successfully processed block ${i + 1}`);
         y -= paragraphSpacing
         lastLineHeight = lineHeight
         } catch (blockError) {
-            console.error(`createPdf: Error processing block ${i + 1}:`, blockError);
+            logger.error(`createPdf: Error processing block ${i + 1}: ${blockError}`);
             throw blockError;
         }
     }
 
-        console.log('createPdf: About to save PDF document');
+        logger.info('createPdf: About to save PDF document');
         const pdfBytes = await pdfDoc.save()
-        console.log('createPdf: PDF saved successfully, bytes length:', pdfBytes.length);
-        // writeFile('output.pdf', pdfBytes, () => {
-        //     console.log('PDF created successfully') // Still only saves file, no API yet
-        // })
+        logger.info(`createPdf: PDF saved successfully, bytes length: ${pdfBytes.length}`);
         return pdfBytes
     } catch (error) {
-        console.error('createPdf: Error during PDF creation:', error);
+        logger.error(`createPdf: Error during PDF creation: ${error}`);
         throw error;
     }
 }

package/src/lib/prisma.ts

@@ -1,6 +1,23 @@
 import { PrismaClient } from '@prisma/client';
+import { env } from './config/env.js';
+
+const getLogLevel = () => {
+  switch (env.NODE_ENV) {
+    case 'development':
+      return ['query', 'error', 'warn'];
+    case 'production':
+      return ['error'];
+    default:
+      return ['error'];
+  }
+}
 
 const prismaClientSingleton = () => {
+  // return new PrismaClient({
+  //   log: env.NODE_ENV === 'development' 
+  //     ? ['query', 'error', 'warn'] 
+  //     : ['error'],
+  // });
   return new PrismaClient();
 };
 
@@ -11,6 +28,10 @@ declare global {
 
 export const prisma = globalThis.prisma ?? prismaClientSingleton();
 
-if (process.env.NODE_ENV !== 'production') {
+if (env.NODE_ENV !== 'production') {
   globalThis.prisma = prisma;
-}
+}
+
+process.on('beforeExit', async () => {
+  await prisma.$disconnect();
+});

package/src/lib/pusher.ts

@@ -1,11 +1,12 @@
 import Pusher from 'pusher';
+import { env } from './config/env.js';
 
 const pusher = new Pusher({
-  appId: process.env.PUSHER_APP_ID!,
-  key: process.env.PUSHER_KEY!,
-  secret: process.env.PUSHER_SECRET!,
-  cluster: process.env.PUSHER_CLUSTER!,
-  useTLS: true,
+  appId: env.PUSHER_APP_ID,
+  key: env.PUSHER_KEY,
+  secret: env.PUSHER_SECRET,
+  cluster: env.PUSHER_CLUSTER,
+  useTLS: env.NODE_ENV !== 'development',
 });
 
 export { pusher };

package/src/middleware/auth.ts

@@ -1,6 +1,7 @@
 import { TRPCError } from '@trpc/server';
 import { prisma } from '../lib/prisma.js';
 import type { MiddlewareContext } from '../types/trpc.js';
+import * as Sentry from "@sentry/node";
 
 export const createAuthMiddleware = (t: any) => {
 
@@ -50,10 +51,11 @@ export const createAuthMiddleware = (t: any) => {
         },
       });
     } catch (error) {
-      console.log(error)
+      Sentry.captureException(error);
+      console.error(error);
       throw new TRPCError({
-        code: 'UNAUTHORIZED',
-        message: 'Invalid user data',
+        code: 'INTERNAL_SERVER_ERROR',
+        message: 'Internal server error',
       });
     }
   });

package/src/middleware/security.ts

@@ -0,0 +1,80 @@
+import helmet from 'helmet';
+import rateLimit from 'express-rate-limit';
+import type { Request, Response } from 'express';
+
+const isDevelopment = process.env.NODE_ENV === 'development';
+
+// Custom handler for rate limit errors that returns JSON
+// This format can be intercepted on the frontend with:
+// error.data?.code === 'TOO_MANY_REQUESTS' || error.data?.httpStatus === 429
+const rateLimitHandler = (req: Request, res: Response) => {
+  // Return JSON structure that can be intercepted on frontend with:
+  // error.data?.code === 'TOO_MANY_REQUESTS' || error.data?.httpStatus === 429
+  // When tRPC wraps this, the response body becomes error.data, so we put code/httpStatus at top level
+  res.status(429).json({
+    code: 'TOO_MANY_REQUESTS',
+    message: 'Too many requests, please try again later.',
+  });
+};
+
+// General API rate limiter - applies to all routes
+export const generalLimiter = rateLimit({
+  windowMs: 10 * 60 * 1000, // 10 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  message: 'Too many requests from this IP, please try again later.',
+  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
+  handler: rateLimitHandler,
+  skip: (req) => {
+    // Skip rate limiting for health checks
+    return req.path === '/health';
+  },
+});
+
+// Stricter rate limiter for authentication endpoints
+export const authLimiter = rateLimit({
+  windowMs: 5 * 60 * 1000, // 5 minutes
+  max: 5, // Limit each IP to 5 login attempts per windowMs
+  message: 'Too many authentication attempts, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+  skipSuccessfulRequests: true, // Don't count successful requests
+  handler: rateLimitHandler,
+});
+
+// File upload rate limiter
+export const uploadLimiter = rateLimit({
+  windowMs: 30 * 60 * 1000, // 30 minutes
+  max: 50, // Limit each IP to 50 uploads per hour
+  message: 'Too many file uploads, please try again later.',
+  standardHeaders: true,
+  legacyHeaders: false,
+  handler: rateLimitHandler,
+});
+
+// Helmet configuration
+export const helmetConfig = helmet({
+  contentSecurityPolicy: {
+    directives: {
+      defaultSrc: ["'self'"],
+      styleSrc: ["'self'", "'unsafe-inline'"], // Allow inline styles for tRPC panel
+      // Allow inline scripts only in development (for tRPC panel)
+      // In production, keep strict CSP without unsafe-inline
+      scriptSrc: isDevelopment 
+        ? ["'self'", "'unsafe-inline'"] 
+        : ["'self'"],
+      imgSrc: ["'self'", "data:", "https:"], // Allow images from any HTTPS source
+      connectSrc: ["'self'", "https://*.sentry.io"], // Allow Sentry connections
+      fontSrc: ["'self'", "data:"],
+      objectSrc: ["'none'"],
+      mediaSrc: ["'self'"],
+      frameSrc: ["'none'"],
+    },
+  },
+  crossOriginEmbedderPolicy: false, // Disable if you need to embed resources
+  hsts: {
+    maxAge: 31536000, // 1 year
+    includeSubDomains: true,
+    preload: true,
+  },
+});