npm - @valentinkolb/cloud - Versions diffs - 0.1.0 - Mend

@valentinkolb/cloud 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (196) hide show

package/package.json +69 -0
package/public/logo.svg +1 -0
package/scripts/build.ts +113 -0
package/scripts/preload.ts +73 -0
package/src/_internal/define-app.ts +399 -0
package/src/_internal/heartbeat.ts +33 -0
package/src/_internal/registry.ts +100 -0
package/src/_internal/runtime-context.ts +38 -0
package/src/api/accounts-entities.ts +134 -0
package/src/api/admin-lifecycle.ts +210 -0
package/src/api/auth/schemas.ts +28 -0
package/src/api/auth.ts +230 -0
package/src/api/index.ts +66 -0
package/src/api/me.ts +206 -0
package/src/api/search/schemas.ts +43 -0
package/src/api/search.ts +130 -0
package/src/clients/core.ts +19 -0
package/src/config/env.ts +23 -0
package/src/config/index.ts +6 -0
package/src/config/ssr.ts +58 -0
package/src/contracts/app.ts +140 -0
package/src/contracts/index.ts +5 -0
package/src/contracts/profile.ts +67 -0
package/src/contracts/registry.ts +50 -0
package/src/contracts/settings-types.ts +84 -0
package/src/contracts/shared.ts +258 -0
package/src/contracts/widgets.ts +121 -0
package/src/index.ts +6 -0
package/src/server/api/index.ts +1 -0
package/src/server/api/respond.ts +55 -0
package/src/server/api-client.ts +54 -0
package/src/server/app-context.ts +39 -0
package/src/server/index.ts +62 -0
package/src/server/middleware/auth.ts +168 -0
package/src/server/middleware/index.ts +7 -0
package/src/server/middleware/middleware.ts +47 -0
package/src/server/middleware/openapi.ts +126 -0
package/src/server/middleware/rate-limit.ts +126 -0
package/src/server/middleware/request-logger.ts +41 -0
package/src/server/middleware/validator.ts +35 -0
package/src/server/services/access.ts +294 -0
package/src/server/services/freeipa/client.ts +100 -0
package/src/server/services/freeipa/index.ts +9 -0
package/src/server/services/freeipa/session.ts +78 -0
package/src/server/services/freeipa/tls.ts +48 -0
package/src/server/services/freeipa/util.ts +60 -0
package/src/server/services/geo.ts +154 -0
package/src/server/services/index.ts +28 -0
package/src/server/services/services.ts +13 -0
package/src/services/account-lifecycle/audit.ts +41 -0
package/src/services/account-lifecycle/index.ts +907 -0
package/src/services/account-lifecycle/scheduler.ts +347 -0
package/src/services/account-model.ts +21 -0
package/src/services/accounts/app.ts +966 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/base-group.ts +11 -0
package/src/services/accounts/base-user.ts +45 -0
package/src/services/accounts/entities.ts +529 -0
package/src/services/accounts/group-sql.ts +106 -0
package/src/services/accounts/groups.ts +246 -0
package/src/services/accounts/index.ts +14 -0
package/src/services/accounts/ipa-data.ts +64 -0
package/src/services/accounts/lifecycle.ts +2 -0
package/src/services/accounts/local-groups.ts +491 -0
package/src/services/accounts/model.ts +135 -0
package/src/services/accounts/switching.ts +117 -0
package/src/services/accounts/users.ts +714 -0
package/src/services/auth-flows/index.ts +6 -0
package/src/services/auth-flows/ipa.ts +128 -0
package/src/services/auth-flows/magic-link.ts +119 -0
package/src/services/freeipa-config.ts +89 -0
package/src/services/index.ts +46 -0
package/src/services/ipa/auth.ts +122 -0
package/src/services/ipa/groups.ts +684 -0
package/src/services/ipa/guard.ts +17 -0
package/src/services/ipa/index.ts +17 -0
package/src/services/ipa/profile.ts +90 -0
package/src/services/ipa/search.ts +154 -0
package/src/services/ipa/sync.ts +740 -0
package/src/services/ipa/users.ts +794 -0
package/src/services/logging/index.ts +294 -0
package/src/services/notifications/email.ts +123 -0
package/src/services/notifications/index.ts +413 -0
package/src/services/postgres.ts +51 -0
package/src/services/providers/index.ts +27 -0
package/src/services/providers/local/auth.ts +13 -0
package/src/services/providers/local/index.ts +4 -0
package/src/services/providers/local/users.ts +255 -0
package/src/services/session/index.ts +137 -0
package/src/services/settings/api.ts +61 -0
package/src/services/settings/app.ts +101 -0
package/src/services/settings/crypto.ts +69 -0
package/src/services/settings/defaults.ts +824 -0
package/src/services/settings/index.ts +203 -0
package/src/services/settings/namespace.ts +9 -0
package/src/services/settings/snapshot.ts +49 -0
package/src/services/settings/store.ts +179 -0
package/src/services/settings/templates.ts +10 -0
package/src/services/weather/forecast.ts +287 -0
package/src/services/weather/geo.ts +110 -0
package/src/services/weather/index.ts +99 -0
package/src/services/weather/location.ts +24 -0
package/src/services/weather/locations.ts +125 -0
package/src/services/weather/migrate.ts +22 -0
package/src/services/weather/types.ts +61 -0
package/src/services/weather/ui.ts +50 -0
package/src/shared/account-display.ts +17 -0
package/src/shared/account-session.ts +15 -0
package/src/shared/icons.ts +109 -0
package/src/shared/index.ts +10 -0
package/src/shared/markdown/client.ts +130 -0
package/src/shared/markdown/extensions/code.ts +58 -0
package/src/shared/markdown/extensions/images.ts +43 -0
package/src/shared/markdown/extensions/info-blocks.ts +93 -0
package/src/shared/markdown/extensions/katex.ts +120 -0
package/src/shared/markdown/extensions/links.ts +34 -0
package/src/shared/markdown/extensions/tables.ts +88 -0
package/src/shared/markdown/extensions/task-list.ts +53 -0
package/src/shared/markdown/index.ts +97 -0
package/src/shared/markdown/shared.ts +36 -0
package/src/ssr/AdminLayout.tsx +42 -0
package/src/ssr/AdminSidebar.tsx +95 -0
package/src/ssr/Footer.island.tsx +62 -0
package/src/ssr/GlobalSearchDialog.tsx +389 -0
package/src/ssr/GlobalSearchHelpDialog.tsx +106 -0
package/src/ssr/GlobalSearchTrigger.island.tsx +42 -0
package/src/ssr/HotkeysHelpRail.island.tsx +99 -0
package/src/ssr/Layout.tsx +326 -0
package/src/ssr/MoreAppsDropdown.island.tsx +61 -0
package/src/ssr/NavMenu.island.tsx +108 -0
package/src/ssr/ThemeToggleRail.island.tsx +27 -0
package/src/ssr/index.ts +5 -0
package/src/ssr/islands/SearchBar.island.tsx +77 -0
package/src/ssr/islands/index.ts +1 -0
package/src/ssr/runtime.ts +22 -0
package/src/styles/base-popover.css +28 -0
package/src/styles/effects.css +65 -0
package/src/styles/global.css +133 -0
package/src/styles/input.css +54 -0
package/src/styles/tokens.css +35 -0
package/src/styles/utilities-buttons.css +125 -0
package/src/styles/utilities-feedback.css +65 -0
package/src/styles/utilities-layout.css +122 -0
package/src/styles/utilities-navigation.css +196 -0
package/src/types/ambient.d.ts +8 -0
package/src/ui/admin-settings.tsx +148 -0
package/src/ui/dialog-core.ts +146 -0
package/src/ui/filter/FilterChip.tsx +196 -0
package/src/ui/filter/index.ts +2 -0
package/src/ui/index.ts +19 -0
package/src/ui/input/Checkbox.tsx +55 -0
package/src/ui/input/ColorInput.tsx +122 -0
package/src/ui/input/DateTimeInput.tsx +86 -0
package/src/ui/input/ImageInput.tsx +170 -0
package/src/ui/input/NumberInput.tsx +113 -0
package/src/ui/input/PinInput.tsx +169 -0
package/src/ui/input/SegmentedControl.tsx +99 -0
package/src/ui/input/Select.tsx +288 -0
package/src/ui/input/SelectChip.tsx +61 -0
package/src/ui/input/Slider.tsx +118 -0
package/src/ui/input/Switch.tsx +62 -0
package/src/ui/input/TagsInput.tsx +115 -0
package/src/ui/input/TextInput.tsx +160 -0
package/src/ui/input/index.ts +13 -0
package/src/ui/input/types.ts +42 -0
package/src/ui/input/util.tsx +105 -0
package/src/ui/ipa/Avatar.tsx +28 -0
package/src/ui/ipa/GroupView.tsx +36 -0
package/src/ui/ipa/LoginBtn.tsx +16 -0
package/src/ui/ipa/UserView.tsx +58 -0
package/src/ui/ipa/index.ts +4 -0
package/src/ui/misc/ContextMenu.tsx +211 -0
package/src/ui/misc/CopyButton.tsx +28 -0
package/src/ui/misc/Dropdown.tsx +194 -0
package/src/ui/misc/EntitySearch.tsx +213 -0
package/src/ui/misc/Lightbox.tsx +194 -0
package/src/ui/misc/LinkCard.tsx +34 -0
package/src/ui/misc/LogEntriesTable.tsx +61 -0
package/src/ui/misc/MarkdownView.tsx +65 -0
package/src/ui/misc/Pagination.tsx +51 -0
package/src/ui/misc/PermissionEditor.tsx +379 -0
package/src/ui/misc/ProgressBar.tsx +47 -0
package/src/ui/misc/RemoveBtn.tsx +27 -0
package/src/ui/misc/StatCell.tsx +90 -0
package/src/ui/misc/index.ts +18 -0
package/src/ui/navigation.ts +32 -0
package/src/ui/prompts.tsx +854 -0
package/src/ui/sidebar.tsx +468 -0
package/src/ui/widgets/Widget.tsx +62 -0
package/src/ui/widgets/WidgetCard.tsx +19 -0
package/src/ui/widgets/WidgetHero.tsx +39 -0
package/src/ui/widgets/WidgetList.tsx +84 -0
package/src/ui/widgets/WidgetPills.tsx +68 -0
package/src/ui/widgets/WidgetStat.tsx +67 -0
package/src/ui/widgets/WidgetStatus.tsx +62 -0
package/src/ui/widgets/index.ts +9 -0

package/src/services/logging/index.ts ADDED Viewed

@@ -0,0 +1,294 @@
+import { sql } from "bun";
+import type { PaginationParams } from "../../contracts/shared";
+import { registerSettings, registerGroupLabel } from "../settings/defaults";
+import { escapeLikePattern, parsePgJsonRecord, toPgTextArray } from "../postgres";
+// ── Settings Registration ──────────────────────────────────────────────
+registerGroupLabel("logs", "Logging");
+registerSettings([
+  {
+    key: "logs.retention_days",
+    kind: "number",
+    default: 30,
+    description: "Automatically delete log entries older than this many days",
+    group: "logs",
+  },
+]);
+// ==========================
+// Types
+// ==========================
+type LogLevel = "debug" | "info" | "warn" | "error";
+type WriteParams = {
+  level: LogLevel;
+  source: string;
+  message: string;
+  metadata?: Record<string, unknown>;
+};
+type Logger = {
+  debug: (message: string, metadata?: Record<string, unknown>) => void;
+  info: (message: string, metadata?: Record<string, unknown>) => void;
+  warn: (message: string, metadata?: Record<string, unknown>) => void;
+  error: (message: string, metadata?: Record<string, unknown>) => void;
+};
+export type LogEntry = {
+  id: number;
+  level: LogLevel;
+  source: string;
+  message: string;
+  metadata: Record<string, unknown> | null;
+  createdAt: string;
+};
+type DbLogRow = {
+  id: number;
+  level: string;
+  source: string;
+  message: string;
+  metadata: Record<string, unknown> | null;
+  created_at: string;
+};
+// ==========================
+// Helpers
+// ==========================
+/**
+ * Maps one logging row to the public log entry shape.
+ */
+const mapRow = (row: DbLogRow): LogEntry => ({
+  id: row.id,
+  level: row.level as LogLevel,
+  source: row.source,
+  message: row.message,
+  metadata: parsePgJsonRecord(row.metadata),
+  createdAt: row.created_at,
+});
+// ==========================
+// Core: Write + Logger
+// ==========================
+/**
+ * Keys whose values are scrubbed from log metadata before console + DB write.
+ * Defense-in-depth: future code that accidentally passes a token/password/
+ * cookie into `logger.info(...)` won't leak it to the persistent log.
+ *
+ * Match is case-insensitive and substring-based on the key (e.g. `apiKey`,
+ * `accessToken`, `clientSecret` all trip).
+ */
+const SENSITIVE_KEY_PATTERN = /(password|secret|token|cookie|authorization|api[_-]?key|private[_-]?key|session)/i;
+const REDACTED = "[REDACTED]";
+const redactMetadata = (input: unknown): unknown => {
+  if (input === null || typeof input !== "object") return input;
+  if (Array.isArray(input)) return input.map(redactMetadata);
+  const out: Record<string, unknown> = {};
+  for (const [key, value] of Object.entries(input)) {
+    out[key] = SENSITIVE_KEY_PATTERN.test(key) ? REDACTED : redactMetadata(value);
+  }
+  return out;
+};
+/** Fire-and-forget write — mirrors to console, then inserts to DB async. */
+function write(params: WriteParams): void {
+  const safeMetadata = params.metadata ? (redactMetadata(params.metadata) as Record<string, unknown>) : undefined;
+  const prefix = `[${params.source}]`;
+  const consoleFn = params.level === "error" ? console.error : params.level === "warn" ? console.warn : console.log;
+  consoleFn(prefix, params.message, ...(safeMetadata ? [safeMetadata] : []));
+  sql`
+    INSERT INTO logging.entries (level, source, message, metadata)
+    VALUES (
+      ${params.level},
+      ${params.source},
+      ${params.message},
+      ${safeMetadata ? JSON.stringify(safeMetadata) : null}::jsonb
+    )
+  `.catch((err: Error) => console.error("[logging] DB write failed:", err.message));
+}
+/**
+ * Stateless logger factory. Creates an object with .debug/.info/.warn/.error methods
+ * bound to the given source. Can be called inline or cached — no state is held.
+ *
+ * @example
+ * // Inline
+ * logger("yjs").info("Document loaded", { noteId });
+ *
+ * // Cached
+ * const log = logger("weather");
+ * log.error("API error", { status: 500 });
+ */
+export function logger(source: string): Logger {
+  return {
+    debug: (msg, meta) => write({ level: "debug", source, message: msg, metadata: meta }),
+    info: (msg, meta) => write({ level: "info", source, message: msg, metadata: meta }),
+    warn: (msg, meta) => write({ level: "warn", source, message: msg, metadata: meta }),
+    error: (msg, meta) => write({ level: "error", source, message: msg, metadata: meta }),
+  };
+}
+// ==========================
+// Admin: List / Sources / Cleanup
+// ==========================
+/** List log entries with pagination and optional filters. */
+const list = async (
+  pagination: PaginationParams,
+  options?: {
+    source?: string;
+    sources?: string[];
+    level?: string;
+    search?: string;
+  },
+): Promise<{ entries: LogEntry[]; total: number }> => {
+  const { offset, perPage } = pagination;
+  const { source, sources, level, search } = options ?? {};
+  const searchPattern = search ? `%${escapeLikePattern(search)}%` : null;
+  const filterSource = source && source !== "all" ? source : null;
+  const filterSources =
+    !filterSource && Array.isArray(sources) && sources.length > 0 ? [...new Set(sources.map((value) => value.trim()).filter(Boolean))] : null;
+  const filterSourcesLiteral = filterSources ? toPgTextArray(filterSources) : null;
+  const filterLevel = level && level !== "all" ? level : null;
+  const hasSourceList = !!filterSources && filterSources.length > 0;
+  let countRows: Array<{ count: number }> = [];
+  let dataRows: DbLogRow[] = [];
+  if (filterSource) {
+    countRows = await sql`
+      SELECT COUNT(*)::int as count
+      FROM logging.entries
+      WHERE source = ${filterSource}
+        AND (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+    `;
+    dataRows = await sql`
+      SELECT id, level, source, message, metadata, created_at
+      FROM logging.entries
+      WHERE source = ${filterSource}
+        AND (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+      ORDER BY created_at DESC
+      LIMIT ${perPage} OFFSET ${offset}
+    `;
+  } else if (hasSourceList) {
+    countRows = await sql`
+      SELECT COUNT(*)::int as count
+      FROM logging.entries
+      WHERE source = ANY(${filterSourcesLiteral}::text[])
+        AND (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+    `;
+    dataRows = await sql`
+      SELECT id, level, source, message, metadata, created_at
+      FROM logging.entries
+      WHERE source = ANY(${filterSourcesLiteral}::text[])
+        AND (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+      ORDER BY created_at DESC
+      LIMIT ${perPage} OFFSET ${offset}
+    `;
+  } else {
+    countRows = await sql`
+      SELECT COUNT(*)::int as count
+      FROM logging.entries
+      WHERE (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+    `;
+    dataRows = await sql`
+      SELECT id, level, source, message, metadata, created_at
+      FROM logging.entries
+      WHERE (${filterLevel}::text IS NULL OR level = ${filterLevel})
+        AND (${searchPattern}::text IS NULL OR message ILIKE ${searchPattern} ESCAPE '\' OR metadata::text ILIKE ${searchPattern} ESCAPE '\')
+      ORDER BY created_at DESC
+      LIMIT ${perPage} OFFSET ${offset}
+    `;
+  }
+  return {
+    entries: dataRows.map((row: DbLogRow) => mapRow(row)),
+    total: countRows[0]?.count ?? 0,
+  };
+};
+/** Get all unique source names (for filter dropdown). */
+const getSources = async (): Promise<string[]> => {
+  const rows = await sql`
+    SELECT DISTINCT source FROM logging.entries ORDER BY source
+  `;
+  return rows.map((row: { source: string }) => row.source);
+};
+/** Delete log entries older than the given number of days. */
+const cleanup = async (olderThanDays: number): Promise<{ deleted: number }> => {
+  const rows = await sql`
+    DELETE FROM logging.entries
+    WHERE created_at < now() - ${olderThanDays + " days"}::interval
+  `;
+  return { deleted: rows.count };
+};
+export type LogSummary = {
+  total: number;
+  errors24h: number;
+  warnings24h: number;
+  total24h: number;
+  sources: number;
+  lastErrorAt: string | null;
+};
+/**
+ * Aggregated stats for the admin dashboard. Single SQL roundtrip, but split
+ * into independent subqueries so each one can use `idx_logging_entries_level`
+ * and `idx_logging_level_created_at` (composite, see migration). The original
+ * `COUNT(*) FILTER (...)` form forced a full-table scan because there was no
+ * top-level `WHERE`.
+ *
+ * `last_error_at::text` because `bun.sql` returns timestamps as `Date` and the
+ * `LogSummary.lastErrorAt: string | null` contract expects an ISO-ish string.
+ */
+const summary = async (): Promise<LogSummary> => {
+  const [row] = await sql<{
+    total: number;
+    total_24h: number;
+    errors_24h: number;
+    warnings_24h: number;
+    sources: number;
+    last_error_at: string | null;
+  }[]>`
+    SELECT
+      (SELECT COUNT(*)::int FROM logging.entries)                                                                AS total,
+      (SELECT COUNT(*)::int FROM logging.entries WHERE created_at > now() - interval '24 hours')                 AS total_24h,
+      (SELECT COUNT(*)::int FROM logging.entries WHERE level = 'error' AND created_at > now() - interval '24 hours') AS errors_24h,
+      (SELECT COUNT(*)::int FROM logging.entries WHERE level = 'warn'  AND created_at > now() - interval '24 hours') AS warnings_24h,
+      (SELECT COUNT(*)::int FROM (SELECT DISTINCT source FROM logging.entries) s)                                AS sources,
+      (SELECT created_at::text FROM logging.entries WHERE level = 'error' ORDER BY created_at DESC LIMIT 1)      AS last_error_at
+  `;
+  return {
+    total: row?.total ?? 0,
+    errors24h: row?.errors_24h ?? 0,
+    warnings24h: row?.warnings_24h ?? 0,
+    total24h: row?.total_24h ?? 0,
+    sources: row?.sources ?? 0,
+    lastErrorAt: row?.last_error_at ?? null,
+  };
+};
+/** Admin service object for querying/managing logs. */
+export const logging = {
+  list,
+  getSources,
+  cleanup,
+  summary,
+};

package/src/services/notifications/email.ts ADDED Viewed

@@ -0,0 +1,123 @@
+import { createTransport, type Transporter } from "nodemailer";
+import sanitizeHtml from "sanitize-html";
+import * as settings from "../settings";
+import { coreSettings } from "../settings/api";
+/** Lazily-created transporter — uses current settings on each send. */
+const getTransporter = async (): Promise<Transporter> => {
+  const host = await settings.get<string>("mail.noreply.smtp_host");
+  const port = await settings.get<number>("mail.noreply.smtp_port");
+  const user = await settings.get<string>("mail.noreply.user");
+  const pass = await settings.get<string>("mail.noreply.password");
+  return createTransport({
+    host,
+    port,
+    secure: port === 465,
+    auth: { user, pass },
+  });
+};
+/** Sanitize plain text content (no HTML allowed). */
+const sanitizeContent = (content: string): string => sanitizeHtml(content, { allowedTags: [], allowedAttributes: {} });
+/** Sanitize rich HTML content (links, basic formatting allowed). */
+const sanitizeRawHtml = (html: string): string =>
+  sanitizeHtml(html, {
+    allowedTags: ["a", "strong", "em", "p", "br", "span", "code"],
+    allowedAttributes: {
+      a: ["href", "target", "style"],
+      span: ["style"],
+      p: ["style"],
+      code: ["style"],
+    },
+    allowedSchemes: ["http", "https", "mailto"],
+  });
+/** Send an email with the standard HTML template. */
+export const sendEmail = async (to: string, subject: string, opts: { content?: string; rawHtml?: string }): Promise<void> => {
+  const rawAppUrl = await settings.get<string>("app.url");
+  const appUrl = rawAppUrl.startsWith("http") ? rawAppUrl : `https://${rawAppUrl}`;
+  const appName = await settings.get<string>("app.name");
+  const emailFrom = await settings.get<string>("mail.noreply.from");
+  let body = "";
+  if (opts.rawHtml) {
+    body = sanitizeRawHtml(opts.rawHtml);
+  } else if (opts.content) {
+    body = `<p>${sanitizeContent(opts.content)}</p>`;
+  }
+  const html = await buildHtml(appUrl, appName, body);
+  const transporter = await getTransporter();
+  await transporter.sendMail({
+    from: `"${appName}" <${emailFrom}>`,
+    to,
+    subject,
+    html,
+  });
+};
+/**
+ * Builds the default HTML mail template wrapper when no raw HTML was provided.
+ */
+const buildHtml = async (appUrl: string, appName: string, content: string) => {
+  const logoUri = await coreSettings.get<string>("app.logo");
+  return `
+<!DOCTYPE html>
+<html>
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+</head>
+<body style="margin:0;padding:0;background:#f4f4f5;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
+  <table width="100%" cellpadding="0" cellspacing="0" style="padding:32px 16px;">
+    <tr><td align="center">
+      <table width="100%" style="max-width:520px;" cellpadding="0" cellspacing="0">
+        <!-- Header -->
+        <tr><td style="background:#ffffff;padding:20px 24px;border-radius:12px 12px 0 0;border:1px solid #e4e4e7;border-bottom:none;">
+          <table cellpadding="0" cellspacing="0"><tr>
+          ${
+            logoUri
+              ? `<td style="padding-right:12px;vertical-align:middle;">
+              <img src="${logoUri}" alt="Logo" width="28" height="28" style="display:block;">
+            </td>`
+              : ""
+          }
+            <td style="vertical-align:middle;">
+              <span style="font-size:16px;font-weight:600;color:#18181b;">${appName}</span>
+            </td>
+          </tr></table>
+        </td></tr>
+        <!-- Content -->
+        <tr><td style="background:#ffffff;padding:28px 24px;border-left:1px solid #e4e4e7;border-right:1px solid #e4e4e7;">
+          <div style="font-size:14px;line-height:1.6;color:#27272a;">
+            ${content}
+          </div>
+        </td></tr>
+        <!-- Footer -->
+        <tr><td style="background:#fafafa;padding:16px 24px;border-radius:0 0 12px 12px;border:1px solid #e4e4e7;border-top:none;">
+          <p style="margin:0 0 8px;font-size:11px;color:#71717a;text-align:center;">
+            <a href="${appUrl}/impressum" style="color:#71717a;text-decoration:underline;">Imprint</a>
+            &nbsp;&middot;&nbsp;
+            <a href="${appUrl}/legal/terms" style="color:#71717a;text-decoration:underline;">Terms</a>
+            &nbsp;&middot;&nbsp;
+            <a href="${appUrl}/legal/privacy" style="color:#71717a;text-decoration:underline;">Privacy</a>
+          </p>
+          <p style="margin:0;font-size:11px;color:#a1a1aa;text-align:center;">
+            This message was sent automatically. Please do not reply to this email.
+          </p>
+        </td></tr>
+      </table>
+    </td></tr>
+  </table>
+</body>
+<!-- the answer is 42 ;D -->
+</html>
+`;
+};