business-stack 0.1.0

package/frontend/web/src/app/settings/integrations/actions.ts

@@ -0,0 +1,74 @@
+"use server";
+
+import { headers } from "next/headers";
+import { invalidateIntegrationsConfigCache } from "@/lib/integrations-config";
+
+const gateway =
+  process.env.AUTH_GATEWAY_INTERNAL_URL?.trim() || "http://127.0.0.1:3001";
+
+export type IntegrationSettingsView = {
+  alphaWebhookSecret: string | null;
+  wabridgeBaseUrl: string | null;
+  wabridgePhone: string | null;
+  wabridgeEnabled: boolean | null;
+  geminiApiKey: string | null;
+};
+
+export async function loadIntegrationSettingsForForm(): Promise<
+  | { ok: true; data: IntegrationSettingsView }
+  | { ok: false; reason: "unauthorized" | "error" }
+> {
+  const cookie = (await headers()).get("cookie") ?? "";
+  const res = await fetch(`${gateway}/api/integrations/settings`, {
+    headers: { cookie },
+    cache: "no-store",
+  });
+  if (res.status === 401) {
+    return { ok: false, reason: "unauthorized" };
+  }
+  if (!res.ok) {
+    return { ok: false, reason: "error" };
+  }
+  const data = (await res.json()) as IntegrationSettingsView;
+  return { ok: true, data };
+}
+
+export type SaveIntegrationPayload = {
+  alphaWebhookSecret?: string | null;
+  wabridgeBaseUrl?: string | null;
+  wabridgePhone?: string | null;
+  wabridgeEnabled?: boolean | null;
+  geminiApiKey?: string | null;
+};
+
+export async function saveIntegrationSettings(
+  payload: SaveIntegrationPayload,
+): Promise<{ ok: boolean; error?: string }> {
+  const cookie = (await headers()).get("cookie") ?? "";
+  const res = await fetch(`${gateway}/api/integrations/settings`, {
+    method: "PUT",
+    headers: { "Content-Type": "application/json", cookie },
+    body: JSON.stringify(payload),
+    cache: "no-store",
+  });
+  if (res.status === 401) {
+    return { ok: false, error: "Unauthorized" };
+  }
+  if (res.status === 403) {
+    return {
+      ok: false,
+      error:
+        "Forbidden — your email may not be in INTEGRATION_SETTINGS_ADMIN_EMAILS",
+    };
+  }
+  if (!res.ok) {
+    const j = (await res.json().catch(() => null)) as {
+      error?: unknown;
+    } | null;
+    const err =
+      j?.error != null && typeof j.error === "string" ? j.error : "Save failed";
+    return { ok: false, error: err };
+  }
+  invalidateIntegrationsConfigCache();
+  return { ok: true };
+}

package/frontend/web/src/app/settings/integrations/integrations-settings-form.tsx

@@ -0,0 +1,330 @@
+"use client";
+
+import { Eye, EyeOff } from "lucide-react";
+import { useRouter } from "next/navigation";
+import { useEffect, useState, useTransition } from "react";
+import {
+  type IntegrationSettingsView,
+  saveIntegrationSettings,
+} from "./actions";
+
+/** Must match gateway masked response for set secrets */
+const MASK = "********";
+
+function isMaskedSecret(v: string | null): boolean {
+  return v === MASK;
+}
+
+/**
+ * How to update a secret field on save.
+ * - undefined: omit from payload (unchanged)
+ * - null: remove stored value
+ * - string: new value
+ *
+ * `initialFromServer` is either plaintext (integration admin) or the mask token when the
+ * gateway still hides the value.
+ */
+function secretFieldUpdate(
+  raw: string,
+  initialFromServer: string | null,
+): string | null | undefined {
+  const t = raw.trim();
+  if (isMaskedSecret(initialFromServer)) {
+    if (t === MASK) {
+      return undefined;
+    }
+    if (t === "") {
+      return null;
+    }
+    return t;
+  }
+
+  const initialT = (initialFromServer ?? "").trim();
+  const hadDbValue = initialT !== "";
+  if (t === initialT) {
+    return undefined;
+  }
+  if (t === "") {
+    return hadDbValue ? null : undefined;
+  }
+  return t;
+}
+
+type Props = {
+  initial: IntegrationSettingsView;
+};
+
+export function IntegrationsSettingsForm({ initial }: Props) {
+  const router = useRouter();
+  const [pending, startTransition] = useTransition();
+  const [message, setMessage] = useState<string | null>(null);
+
+  const geminiMasked = isMaskedSecret(initial.geminiApiKey);
+  const alphaMasked = isMaskedSecret(initial.alphaWebhookSecret);
+  const phoneMasked = isMaskedSecret(initial.wabridgePhone);
+  const geminiWasSet =
+    geminiMasked || (!!initial.geminiApiKey && initial.geminiApiKey !== "");
+  const alphaWasSet =
+    alphaMasked ||
+    (!!initial.alphaWebhookSecret && initial.alphaWebhookSecret !== "");
+  const phoneWasSet =
+    phoneMasked || (!!initial.wabridgePhone && initial.wabridgePhone !== "");
+
+  const [geminiKey, setGeminiKey] = useState(() =>
+    geminiMasked ? MASK : (initial.geminiApiKey ?? ""),
+  );
+  const [alphaSecret, setAlphaSecret] = useState(() =>
+    alphaMasked ? MASK : (initial.alphaWebhookSecret ?? ""),
+  );
+  const [baseUrl, setBaseUrl] = useState(initial.wabridgeBaseUrl ?? "");
+  const [phone, setPhone] = useState(() =>
+    phoneMasked ? MASK : (initial.wabridgePhone ?? ""),
+  );
+  const [enabled, setEnabled] = useState(initial.wabridgeEnabled !== false);
+  const [showGeminiKey, setShowGeminiKey] = useState(false);
+  const [showAlphaSecret, setShowAlphaSecret] = useState(false);
+
+  useEffect(() => {
+    setGeminiKey(
+      isMaskedSecret(initial.geminiApiKey)
+        ? MASK
+        : (initial.geminiApiKey ?? ""),
+    );
+    setAlphaSecret(
+      isMaskedSecret(initial.alphaWebhookSecret)
+        ? MASK
+        : (initial.alphaWebhookSecret ?? ""),
+    );
+    setBaseUrl(initial.wabridgeBaseUrl ?? "");
+    setPhone(
+      isMaskedSecret(initial.wabridgePhone)
+        ? MASK
+        : (initial.wabridgePhone ?? ""),
+    );
+    setEnabled(initial.wabridgeEnabled !== false);
+  }, [initial]);
+
+  function submit() {
+    setMessage(null);
+    const payload: Parameters<typeof saveIntegrationSettings>[0] = {};
+
+    const g = secretFieldUpdate(geminiKey, initial.geminiApiKey);
+    if (g !== undefined) {
+      payload.geminiApiKey = g;
+    }
+
+    const a = secretFieldUpdate(alphaSecret, initial.alphaWebhookSecret);
+    if (a !== undefined) {
+      payload.alphaWebhookSecret = a;
+    }
+
+    payload.wabridgeBaseUrl = baseUrl.trim() || null;
+
+    const p = secretFieldUpdate(phone, initial.wabridgePhone);
+    if (p !== undefined) {
+      payload.wabridgePhone = p;
+    }
+
+    payload.wabridgeEnabled = enabled;
+
+    startTransition(async () => {
+      const r = await saveIntegrationSettings(payload);
+      if (!r.ok) {
+        setMessage(r.error ?? "Save failed");
+        return;
+      }
+      setMessage("Saved.");
+      router.refresh();
+    });
+  }
+
+  return (
+    <div className="flex flex-col gap-8 rounded-lg border border-neutral-200 bg-white/60 p-5 dark:border-neutral-800 dark:bg-neutral-950/40">
+      <p className="text-sm leading-relaxed text-neutral-600 dark:text-neutral-400">
+        Secrets are encrypted in the gateway database. The backend reads them
+        when{" "}
+        <code className="rounded bg-neutral-100 px-1 text-xs dark:bg-neutral-900">
+          GEMINI_API_KEY
+        </code>{" "}
+        is unset. Configure{" "}
+        <code className="rounded bg-neutral-100 px-1 text-xs dark:bg-neutral-900">
+          INTEGRATIONS_ENCRYPTION_KEY
+        </code>
+        ,{" "}
+        <code className="rounded bg-neutral-100 px-1 text-xs dark:bg-neutral-900">
+          INTEGRATIONS_INTERNAL_SECRET
+        </code>
+        , and matching URLs on Next and FastAPI.
+      </p>
+
+      <section className="flex flex-col gap-4">
+        <h2 className="text-xs font-semibold uppercase tracking-wide text-neutral-500">
+          Backend (Gemini)
+        </h2>
+        <label className="flex flex-col gap-1.5">
+          <span className="text-sm font-medium text-neutral-900 dark:text-neutral-100">
+            Gemini API key
+          </span>
+          <div className="relative">
+            <input
+              type={showGeminiKey ? "text" : "password"}
+              autoComplete="off"
+              value={geminiKey}
+              onChange={(e) => setGeminiKey(e.target.value)}
+              onFocus={(e) => {
+                if (geminiKey === MASK) {
+                  e.target.select();
+                }
+              }}
+              className="w-full rounded-md border border-neutral-300 bg-white py-2 pl-3 pr-10 text-sm dark:border-neutral-700 dark:bg-neutral-950"
+              placeholder="Paste your API key"
+            />
+            <button
+              type="button"
+              aria-label={showGeminiKey ? "Hide API key" : "Show API key"}
+              aria-pressed={showGeminiKey}
+              onClick={() => setShowGeminiKey((v) => !v)}
+              className="absolute right-2 top-1/2 -translate-y-1/2 rounded p-1 text-neutral-500 hover:bg-neutral-100 hover:text-neutral-800 dark:hover:bg-neutral-800 dark:hover:text-neutral-200"
+            >
+              {showGeminiKey ? (
+                <EyeOff className="size-4" aria-hidden />
+              ) : (
+                <Eye className="size-4" aria-hidden />
+              )}
+            </button>
+          </div>
+          <span className="text-xs text-neutral-500">
+            {geminiMasked
+              ? "Saved key is masked for your account. Admins see the real value. Replace, or clear and save to remove."
+              : geminiWasSet
+                ? "Replace or clear the field and save to remove."
+                : "Optional if the backend already has GEMINI_API_KEY."}
+          </span>
+        </label>
+      </section>
+
+      <section className="flex flex-col gap-4">
+        <h2 className="text-xs font-semibold uppercase tracking-wide text-neutral-500">
+          Alpha
+        </h2>
+        <label className="flex flex-col gap-1.5">
+          <span className="text-sm font-medium text-neutral-900 dark:text-neutral-100">
+            Webhook secret
+          </span>
+          <div className="relative">
+            <input
+              type={showAlphaSecret ? "text" : "password"}
+              autoComplete="off"
+              value={alphaSecret}
+              onChange={(e) => setAlphaSecret(e.target.value)}
+              onFocus={(e) => {
+                if (alphaSecret === MASK) {
+                  e.target.select();
+                }
+              }}
+              className="w-full rounded-md border border-neutral-300 bg-white py-2 pl-3 pr-10 text-sm dark:border-neutral-700 dark:bg-neutral-950"
+              placeholder="Webhook signing secret"
+            />
+            <button
+              type="button"
+              aria-label={
+                showAlphaSecret ? "Hide webhook secret" : "Show webhook secret"
+              }
+              aria-pressed={showAlphaSecret}
+              onClick={() => setShowAlphaSecret((v) => !v)}
+              className="absolute right-2 top-1/2 -translate-y-1/2 rounded p-1 text-neutral-500 hover:bg-neutral-100 hover:text-neutral-800 dark:hover:bg-neutral-800 dark:hover:text-neutral-200"
+            >
+              {showAlphaSecret ? (
+                <EyeOff className="size-4" aria-hidden />
+              ) : (
+                <Eye className="size-4" aria-hidden />
+              )}
+            </button>
+          </div>
+          <span className="text-xs text-neutral-500">
+            {alphaMasked
+              ? "Saved secret is masked for your account. Admins see the real value."
+              : alphaWasSet
+                ? "Replace or clear the field and save to remove."
+                : "Leave empty if you do not use Alpha webhooks."}
+          </span>
+        </label>
+      </section>
+
+      <section className="flex flex-col gap-4">
+        <h2 className="text-xs font-semibold uppercase tracking-wide text-neutral-500">
+          WABridge
+        </h2>
+        <label className="flex flex-col gap-1.5">
+          <span className="text-sm font-medium text-neutral-900 dark:text-neutral-100">
+            Base URL
+          </span>
+          <input
+            type="url"
+            value={baseUrl}
+            onChange={(e) => setBaseUrl(e.target.value)}
+            className="rounded-md border border-neutral-300 bg-white px-3 py-2 text-sm dark:border-neutral-700 dark:bg-neutral-950"
+            placeholder="http://127.0.0.1:8080"
+          />
+        </label>
+
+        <label className="flex flex-col gap-1.5">
+          <span className="text-sm font-medium text-neutral-900 dark:text-neutral-100">
+            Phone (E.164, no +)
+          </span>
+          <input
+            type="text"
+            inputMode="numeric"
+            value={phone}
+            onChange={(e) => setPhone(e.target.value)}
+            onFocus={(e) => {
+              if (phone === MASK) {
+                e.target.select();
+              }
+            }}
+            className="rounded-md border border-neutral-300 bg-white px-3 py-2 text-sm dark:border-neutral-700 dark:bg-neutral-950"
+            placeholder="e.g. 15551234567"
+          />
+          <span className="text-xs text-neutral-500">
+            {phoneMasked
+              ? "Saved number is masked for your account. Admins see the real value."
+              : phoneWasSet
+                ? "Clear the field and save to use /send/self without a default number."
+                : "Optional default destination for delivery."}
+          </span>
+        </label>
+
+        <label className="flex cursor-pointer items-center gap-2.5 text-sm text-neutral-800 dark:text-neutral-200">
+          <input
+            type="checkbox"
+            checked={enabled}
+            onChange={(e) => setEnabled(e.target.checked)}
+            className="size-4 rounded border-neutral-300 dark:border-neutral-600"
+          />
+          Delivery enabled
+        </label>
+      </section>
+
+      {message ? (
+        <p
+          className={
+            message === "Saved."
+              ? "text-sm text-green-700 dark:text-green-400"
+              : "text-sm text-amber-800 dark:text-amber-200"
+          }
+        >
+          {message}
+        </p>
+      ) : null}
+
+      <button
+        type="button"
+        disabled={pending}
+        onClick={() => submit()}
+        className="rounded-md bg-neutral-900 px-4 py-2.5 text-sm font-medium text-white disabled:opacity-50 dark:bg-neutral-100 dark:text-neutral-900"
+      >
+        {pending ? "Saving…" : "Save changes"}
+      </button>
+    </div>
+  );
+}

package/frontend/web/src/app/settings/integrations/page.tsx

@@ -0,0 +1,41 @@
+import Link from "next/link";
+import { redirect } from "next/navigation";
+import { loadIntegrationSettingsForForm } from "./actions";
+import { IntegrationsSettingsForm } from "./integrations-settings-form";
+
+export default async function IntegrationsSettingsPage() {
+  const result = await loadIntegrationSettingsForForm();
+  if (!result.ok && result.reason === "unauthorized") {
+    redirect("/auth/sign-in");
+  }
+  if (!result.ok) {
+    return (
+      <main className="mx-auto flex w-full max-w-xl flex-1 flex-col gap-6 p-6">
+        <Link
+          href="/"
+          className="text-sm text-neutral-500 hover:underline dark:text-neutral-400"
+        >
+          ← Home
+        </Link>
+        <p className="text-sm text-amber-800 dark:text-amber-200">
+          Could not load integration settings. Is the gateway running?
+        </p>
+      </main>
+    );
+  }
+
+  return (
+    <main className="mx-auto flex w-full max-w-xl flex-1 flex-col gap-6 p-6">
+      <Link
+        href="/"
+        className="text-sm text-neutral-500 hover:underline dark:text-neutral-400"
+      >
+        ← Home
+      </Link>
+      <h1 className="text-2xl font-semibold tracking-tight">
+        Integration settings
+      </h1>
+      <IntegrationsSettingsForm initial={result.data} />
+    </main>
+  );
+}

package/frontend/web/src/app/webhooks/alpha-alerts/route.ts

@@ -0,0 +1,84 @@
+import { handleAlertCreated } from "@/lib/alpha-webhook/handler";
+import { isValidAlphaWebhookSignature } from "@/lib/alpha-webhook/signature";
+import type { AlertCreatedPayload } from "@/lib/alpha-webhook/types";
+import { getIntegrationsConfig } from "@/lib/integrations-config";
+
+export const runtime = "nodejs";
+
+/** Allow outbound connector calls (e.g. WABridge fetch) to finish before the isolate freezes (Vercel). */
+export const maxDuration = 60;
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+
+function isAlertCreatedPayload(value: unknown): value is AlertCreatedPayload {
+  if (!isRecord(value)) return false;
+  return (
+    typeof value._id === "string" &&
+    typeof value.alert_type === "string" &&
+    typeof value.date === "string" &&
+    typeof value.r2_key === "string" &&
+    typeof value.alert_string === "string"
+  );
+}
+
+export async function POST(request: Request): Promise<Response> {
+  const rawBody = await request.text();
+  const event = request.headers.get("x-alpha-webhook-event");
+  const signature = request.headers.get("x-alpha-signature");
+
+  if (!event?.trim()) {
+    return Response.json(
+      { error: "Missing X-Alpha-Webhook-Event" },
+      { status: 400 },
+    );
+  }
+
+  const { alphaWebhookSecret: secret } = await getIntegrationsConfig();
+  if (signature) {
+    if (!secret) {
+      return Response.json(
+        {
+          error:
+            "Signature present but webhook secret is not configured (SQLite or ALPHA_WEBHOOK_SECRET)",
+        },
+        { status: 401 },
+      );
+    }
+    if (!isValidAlphaWebhookSignature(rawBody, secret, signature)) {
+      return Response.json({ error: "Invalid signature" }, { status: 401 });
+    }
+  }
+
+  let payload: unknown;
+  try {
+    payload = JSON.parse(rawBody) as unknown;
+  } catch {
+    return Response.json({ error: "Invalid JSON body" }, { status: 400 });
+  }
+
+  switch (event) {
+    case "alert.created": {
+      if (!isAlertCreatedPayload(payload)) {
+        return Response.json(
+          { error: "Payload does not match alert.created shape" },
+          { status: 400 },
+        );
+      }
+      await handleAlertCreated(payload).catch((err: unknown) => {
+        console.error(
+          "[alpha-webhook] handleAlertCreated failed:",
+          err instanceof Error ? err.message : err,
+        );
+      });
+      break;
+    }
+    default: {
+      // Closed receiver: unknown events are acknowledged without processing.
+      break;
+    }
+  }
+
+  return new Response(null, { status: 204 });
+}

package/frontend/web/src/components/home-auth-panel.tsx

@@ -0,0 +1,49 @@
+"use client";
+
+import Link from "next/link";
+import { authClient } from "@/lib/auth-client";
+
+export function HomeAuthPanel() {
+  const { data: session, isPending } = authClient.useSession();
+
+  if (isPending) {
+    return <p className="text-sm text-neutral-500">Checking session…</p>;
+  }
+
+  if (!session?.user) {
+    return (
+      <div className="flex flex-col gap-3 sm:flex-row sm:items-center">
+        <p className="text-sm text-neutral-600">You are signed out.</p>
+        <Link
+          className="inline-flex items-center justify-center rounded-md bg-neutral-900 px-4 py-2 text-sm font-medium text-white hover:bg-neutral-800"
+          href="/auth/sign-in"
+        >
+          Sign in
+        </Link>
+      </div>
+    );
+  }
+
+  return (
+    <div className="flex flex-col gap-2">
+      <p className="text-sm text-neutral-700">
+        Signed in as <span className="font-medium">{session.user.email}</span>
+      </p>
+      <div className="flex flex-wrap gap-2">
+        <Link
+          className="text-sm font-medium text-neutral-900 underline underline-offset-4"
+          href="/account/settings"
+        >
+          Account
+        </Link>
+        <button
+          className="text-sm font-medium text-red-700 underline underline-offset-4"
+          type="button"
+          onClick={() => authClient.signOut()}
+        >
+          Sign out
+        </button>
+      </div>
+    </div>
+  );
+}

package/frontend/web/src/components/providers.tsx

@@ -0,0 +1,50 @@
+"use client";
+
+import { AuthUIProvider } from "@daveyplate/better-auth-ui";
+import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
+import Link from "next/link";
+import { useRouter } from "next/navigation";
+import type { ReactNode } from "react";
+import { useState } from "react";
+import { Toaster } from "sonner";
+import { authClient } from "@/lib/auth-client";
+
+function appBaseUrl(): string {
+  const raw = process.env.NEXT_PUBLIC_APP_URL?.trim();
+  if (raw) {
+    return raw.replace(/\/$/, "");
+  }
+  if (typeof window !== "undefined") {
+    return window.location.origin;
+  }
+  return "http://localhost:3000";
+}
+
+export function Providers({ children }: { children: ReactNode }) {
+  const router = useRouter();
+  const [queryClient] = useState(
+    () =>
+      new QueryClient({
+        defaultOptions: {
+          queries: {
+            staleTime: 60 * 1000,
+          },
+        },
+      }),
+  );
+
+  return (
+    <QueryClientProvider client={queryClient}>
+      <AuthUIProvider
+        authClient={authClient}
+        navigate={router.push}
+        replace={router.replace}
+        Link={Link}
+        baseURL={appBaseUrl()}
+      >
+        {children}
+        <Toaster closeButton position="top-center" richColors />
+      </AuthUIProvider>
+    </QueryClientProvider>
+  );
+}

package/frontend/web/src/lib/alpha-webhook/connectors/registry.ts

@@ -0,0 +1,35 @@
+import { getIntegrationsConfig } from "@/lib/integrations-config";
+import type { AlertCreatedPayload } from "../types";
+import type { AlertConnector } from "./types";
+import { createWabridgeConnector } from "./wabridge";
+
+/** Runs all enabled connectors in parallel; failures are logged and do not throw. */
+export async function deliverAlertPayload(
+  payload: AlertCreatedPayload,
+): Promise<void> {
+  const cfg = await getIntegrationsConfig();
+  const connectors: AlertConnector[] = [];
+  const wabridge = createWabridgeConnector(cfg);
+  if (wabridge) {
+    connectors.push(wabridge);
+  }
+  if (connectors.length === 0) {
+    return;
+  }
+
+  const results = await Promise.allSettled(
+    connectors.map((c) => c.deliver(payload)),
+  );
+
+  for (let i = 0; i < results.length; i++) {
+    const r = results[i];
+    if (r.status === "rejected") {
+      const id = connectors[i].id;
+      const err = r.reason;
+      console.error(
+        `[alpha-webhook] connector "${id}" failed:`,
+        err instanceof Error ? err.message : err,
+      );
+    }
+  }
+}

package/frontend/web/src/lib/alpha-webhook/connectors/types.ts

@@ -0,0 +1,8 @@
+import type { AlertCreatedPayload } from "../types";
+
+/** Outbound channel for a verified `alert.created` payload (WhatsApp, Slack, etc.). */
+export type AlertConnector = {
+  /** Stable id for logs and metrics (e.g. `wabridge`, `slack`). */
+  id: string;
+  deliver(payload: AlertCreatedPayload): Promise<void>;
+};