business-stack 0.1.0

package/frontend/web/vitest.config.ts

@@ -0,0 +1,14 @@
+import path from "node:path";
+import { defineConfig } from "vitest/config";
+
+export default defineConfig({
+  test: {
+    environment: "node",
+    include: ["src/**/*.test.ts"],
+  },
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "./src"),
+    },
+  },
+});

package/gateway/.env.example

@@ -0,0 +1,23 @@
+# Required for OAuth callbacks / redirects. Use the URL the *browser* uses (Next app), not the gateway port.
+# Default in code is http://localhost:3000 if unset.
+BETTER_AUTH_URL=http://localhost:3000
+
+# Production: openssl rand -base64 32
+# BETTER_AUTH_SECRET=
+
+# Optional: comma-separated origins for CSRF (defaults include localhost:3000)
+# BETTER_AUTH_TRUSTED_ORIGINS=http://localhost:3000,http://127.0.0.1:3000
+
+# Same value as backend BACKEND_GATEWAY_SECRET. When set, OpenAPI UIs work only when
+# proxied through this gateway (backend returns 403 for /docs without this header).
+# BACKEND_GATEWAY_SECRET=
+
+# Encrypted integration settings (Alpha webhook, WABridge, Gemini API key for FastAPI) in the Better Auth SQLite DB.
+# openssl rand -hex 32
+# INTEGRATIONS_ENCRYPTION_KEY=
+# Shared with Next + FastAPI: GET /internal/integrations with Authorization: Bearer ...
+# openssl rand -base64 32
+# INTEGRATIONS_INTERNAL_SECRET=
+# Optional: comma-separated integration admin emails. If unset, any signed-in user may read plaintext secrets and PUT settings.
+# Admins receive decrypted values from GET /api/integrations/settings; other signed-in users see masked secrets only.
+# INTEGRATION_SETTINGS_ADMIN_EMAILS=admin@example.com

package/gateway/README.md

@@ -0,0 +1,13 @@
+To install dependencies:
+```sh
+bun install
+```
+
+To run:
+```sh
+bun run dev
+```
+
+The gateway listens on **port 3001** by default (`PORT`). Open `http://127.0.0.1:3001` (or set `PORT`).
+
+Better Auth needs a public **base URL** (where `/api/auth` is reached in the browser). With the Next.js app proxying auth, set `BETTER_AUTH_URL` to that origin (e.g. `http://localhost:3000`). See `.env.example`. If unset, the gateway defaults to `http://localhost:3000`.

package/gateway/package.json

@@ -0,0 +1,24 @@
+{
+  "name": "@business-stack/gateway",
+  "private": true,
+  "packageManager": "bun@1.3.1",
+  "scripts": {
+    "dev": "bun run --hot src/index.ts",
+    "start": "bun run src/index.ts",
+    "migrate": "bun x @better-auth/cli@latest migrate --yes",
+    "build": "bun -e \"require('fs').mkdirSync('dist',{recursive:true}); require('fs').writeFileSync('dist/.buildstamp','')\"",
+    "lint": "biome check .",
+    "lint:fix": "biome check --write .",
+    "typecheck": "tsc --noEmit",
+    "test": "bun -e \"process.exit(0)\"",
+    "clean": "bun x rimraf@6 dist"
+  },
+  "dependencies": {
+    "better-auth": "1.5.6",
+    "hono": "^4.12.10"
+  },
+  "devDependencies": {
+    "@types/bun": "latest",
+    "typescript": "^5.8.3"
+  }
+}

package/gateway/src/auth.ts

@@ -0,0 +1,49 @@
+import { Database } from "bun:sqlite";
+import { betterAuth } from "better-auth";
+import { loadStackSecretsIntoEnv } from "./stack-secrets";
+
+loadStackSecretsIntoEnv();
+
+const dbPath = process.env.BETTER_AUTH_DATABASE_PATH ?? "auth.sqlite";
+const sqlite = new Database(dbPath, { create: true });
+
+function parseTrustedOrigins(): string[] {
+  const raw = process.env.BETTER_AUTH_TRUSTED_ORIGINS;
+  if (raw?.trim()) {
+    return raw
+      .split(",")
+      .map((o) => o.trim())
+      .filter(Boolean);
+  }
+  return ["http://localhost:3000", "http://127.0.0.1:3000"];
+}
+
+/** Public origin where clients call /api/auth (Next dev server); gateway is proxied behind it. */
+const baseURL =
+  process.env.BETTER_AUTH_URL?.replace(/\/$/, "") || "http://localhost:3000";
+
+export const auth = betterAuth({
+  baseURL,
+  database: sqlite,
+  emailAndPassword: { enabled: true },
+  rateLimit: {
+    enabled: true,
+    storage: "database",
+  },
+  session: {
+    cookieCache: {
+      enabled: true,
+      maxAge: 60 * 5,
+      strategy: "compact",
+    },
+  },
+  account: {
+    encryptOAuthTokens: true,
+  },
+  trustedOrigins: parseTrustedOrigins(),
+  advanced: {
+    ipAddress: {
+      ipAddressHeaders: ["x-forwarded-for", "x-real-ip"],
+    },
+  },
+});

package/gateway/src/index.ts

@@ -0,0 +1,141 @@
+import { Hono } from "hono";
+import { cors } from "hono/cors";
+import { proxy } from "hono/proxy";
+import { auth } from "./auth";
+import {
+  handleGetIntegrationSettings,
+  handleInternalIntegrationsGet,
+  handlePutIntegrationSettings,
+} from "./integrations/handlers";
+
+type Variables = {
+  user: typeof auth.$Infer.Session.user | null;
+  session: typeof auth.$Infer.Session.session | null;
+};
+
+const corsOrigin = process.env.CORS_ORIGIN?.trim() || "http://localhost:3000";
+
+const backendOrigin = (
+  process.env.BACKEND_ORIGIN?.trim() || "http://127.0.0.1:8000"
+).replace(/\/$/, "");
+
+const apiGatewayPrefix =
+  process.env.API_GATEWAY_PREFIX?.trim() || "/api/backend";
+
+const app = new Hono<{ Variables: Variables }>();
+
+app.use(
+  "*",
+  cors({
+    origin: corsOrigin,
+    allowHeaders: ["Content-Type", "Authorization"],
+    allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
+    exposeHeaders: ["Content-Length"],
+    maxAge: 600,
+    credentials: true,
+  }),
+);
+
+app.use("*", async (c, next) => {
+  const session = await auth.api.getSession({ headers: c.req.raw.headers });
+
+  if (!session) {
+    c.set("user", null);
+    c.set("session", null);
+    await next();
+    return;
+  }
+
+  c.set("user", session.user);
+  c.set("session", session.session);
+  await next();
+});
+
+app.on(["POST", "GET"], "/api/auth/*", (c) => auth.handler(c.req.raw));
+
+app.get("/internal/integrations", handleInternalIntegrationsGet);
+
+const integrationsApi = new Hono<{ Variables: Variables }>();
+integrationsApi.get("/settings", handleGetIntegrationSettings);
+integrationsApi.put("/settings", handlePutIntegrationSettings);
+app.route("/api/integrations", integrationsApi);
+
+const backendProxy = new Hono<{ Variables: Variables }>();
+
+backendProxy.all("*", async (c) => {
+  const user = c.get("user");
+  if (!user) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const pathname = new URL(c.req.url).pathname;
+  const prefixNorm = apiGatewayPrefix.replace(/\/$/, "");
+  let path: string;
+  if (pathname === prefixNorm || pathname === `${prefixNorm}/`) {
+    path = "/";
+  } else if (pathname.startsWith(`${prefixNorm}/`)) {
+    path = pathname.slice(prefixNorm.length);
+  } else {
+    path = pathname;
+  }
+  if (!path || path === "") {
+    path = "/";
+  }
+  if (!path.startsWith("/")) {
+    path = `/${path}`;
+  }
+
+  const upstream = new URL(backendOrigin);
+  upstream.pathname = path;
+  upstream.search = new URL(c.req.url).search;
+
+  const proto = new URL(c.req.url).protocol.replace(":", "");
+  const host = c.req.header("host") ?? "";
+  const forwardedFor = c.req.header("x-forwarded-for");
+  const gatewaySecret = process.env.BACKEND_GATEWAY_SECRET?.trim();
+
+  return proxy(upstream.toString(), {
+    ...c.req,
+    headers: {
+      ...c.req.header(),
+      ...(forwardedFor ? { "X-Forwarded-For": forwardedFor } : {}),
+      "X-Forwarded-Host": host,
+      "X-Forwarded-Proto": proto,
+      // FastAPI Swagger/ReDoc use this as ASGI root_path so /openapi.json matches the gateway prefix.
+      "X-Forwarded-Prefix": prefixNorm,
+      ...(gatewaySecret ? { "X-Gateway-Secret": gatewaySecret } : {}),
+      "X-User-Id": user.id,
+      ...(user.email != null && user.email !== ""
+        ? { "X-User-Email": user.email }
+        : {}),
+    },
+  });
+});
+
+app.route(apiGatewayPrefix, backendProxy);
+
+app.get("/", (c) => {
+  return c.text("Hello Hono!");
+});
+
+app.get("/session", (c) => {
+  const session = c.get("session");
+  const user = c.get("user");
+
+  if (!user) {
+    return c.body(null, 401);
+  }
+
+  return c.json({ session, user });
+});
+
+const port = Number(process.env.PORT ?? 3001);
+
+export default {
+  port,
+  fetch: app.fetch,
+};
+
+console.log(
+  `Gateway listening on http://localhost:${port} (backend ${backendOrigin}, prefix ${apiGatewayPrefix})`,
+);

package/gateway/src/integrations/admin.ts

@@ -0,0 +1,19 @@
+/** Returns true if this user may change integration settings. */
+export function isIntegrationSettingsAdmin(
+  email: string | null | undefined,
+): boolean {
+  const raw = process.env.INTEGRATION_SETTINGS_ADMIN_EMAILS?.trim();
+  if (!raw) {
+    return true;
+  }
+  if (!email?.trim()) {
+    return false;
+  }
+  const allow = new Set(
+    raw
+      .split(",")
+      .map((e) => e.trim().toLowerCase())
+      .filter(Boolean),
+  );
+  return allow.has(email.trim().toLowerCase());
+}

package/gateway/src/integrations/crypto.ts

@@ -0,0 +1,52 @@
+import {
+  createCipheriv,
+  createDecipheriv,
+  createHash,
+  randomBytes,
+} from "node:crypto";
+
+const ALGO = "aes-256-gcm";
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+
+function integrationKeyMaterial(): Buffer {
+  const raw = process.env.INTEGRATIONS_ENCRYPTION_KEY?.trim();
+  if (!raw) {
+    throw new Error("INTEGRATIONS_ENCRYPTION_KEY is not set");
+  }
+  if (/^[0-9a-fA-F]{64}$/.test(raw)) {
+    return Buffer.from(raw, "hex");
+  }
+  return createHash("sha256").update(raw, "utf8").digest();
+}
+
+/** Returns base64(iv || ciphertext+tag) for storage. */
+export function encryptIntegrationValue(plaintext: string): string {
+  const key = integrationKeyMaterial();
+  const iv = randomBytes(IV_LENGTH);
+  const cipher = createCipheriv(ALGO, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  const enc = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  const combined = Buffer.concat([iv, tag, enc]);
+  return combined.toString("base64");
+}
+
+export function decryptIntegrationValue(payloadB64: string): string {
+  const key = integrationKeyMaterial();
+  const buf = Buffer.from(payloadB64, "base64");
+  if (buf.length < IV_LENGTH + AUTH_TAG_LENGTH + 1) {
+    throw new Error("invalid ciphertext");
+  }
+  const iv = buf.subarray(0, IV_LENGTH);
+  const tag = buf.subarray(IV_LENGTH, IV_LENGTH + AUTH_TAG_LENGTH);
+  const data = buf.subarray(IV_LENGTH + AUTH_TAG_LENGTH);
+  const decipher = createDecipheriv(ALGO, key, iv, {
+    authTagLength: AUTH_TAG_LENGTH,
+  });
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(data), decipher.final()]).toString(
+    "utf8",
+  );
+}

package/gateway/src/integrations/handlers.ts

@@ -0,0 +1,124 @@
+import type { Context } from "hono";
+import type { auth } from "../auth";
+import { isIntegrationSettingsAdmin } from "./admin";
+import { readFullSnapshot, upsertFromBody } from "./store";
+
+type Variables = {
+  user: typeof auth.$Infer.Session.user | null;
+  session: typeof auth.$Infer.Session.session | null;
+};
+
+function maskIfSet(isSet: boolean): string | null {
+  return isSet ? "********" : null;
+}
+
+/** GET /api/integrations/settings — session required; secrets plaintext for integration admins only. */
+export async function handleGetIntegrationSettings(
+  c: Context<{ Variables: Variables }>,
+) {
+  const user = c.get("user");
+  if (!user) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  const snap = readFullSnapshot();
+  const reveal = isIntegrationSettingsAdmin(user.email);
+
+  return c.json({
+    alphaWebhookSecret: reveal
+      ? snap.alphaWebhookSecret && snap.alphaWebhookSecret !== ""
+        ? snap.alphaWebhookSecret
+        : null
+      : maskIfSet(
+          snap.alphaWebhookSecret != null && snap.alphaWebhookSecret !== "",
+        ),
+    wabridgeBaseUrl: snap.wabridgeBaseUrl ?? null,
+    wabridgePhone: reveal
+      ? snap.wabridgePhone && snap.wabridgePhone !== ""
+        ? snap.wabridgePhone
+        : null
+      : maskIfSet(snap.wabridgePhone != null && snap.wabridgePhone !== ""),
+    wabridgeEnabled:
+      snap.wabridgeEnabled === "true"
+        ? true
+        : snap.wabridgeEnabled === "false"
+          ? false
+          : null,
+    geminiApiKey: reveal
+      ? snap.geminiApiKey && snap.geminiApiKey !== ""
+        ? snap.geminiApiKey
+        : null
+      : maskIfSet(snap.geminiApiKey != null && snap.geminiApiKey !== ""),
+  });
+}
+
+/** PUT /api/integrations/settings — session + admin allowlist. */
+export async function handlePutIntegrationSettings(
+  c: Context<{ Variables: Variables }>,
+) {
+  const user = c.get("user");
+  if (!user) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+  if (!isIntegrationSettingsAdmin(user.email)) {
+    return c.json({ error: "Forbidden" }, 403);
+  }
+
+  if (!process.env.INTEGRATIONS_ENCRYPTION_KEY?.trim()) {
+    return c.json(
+      { error: "INTEGRATIONS_ENCRYPTION_KEY is not configured on the gateway" },
+      503,
+    );
+  }
+
+  let body: Record<string, unknown>;
+  try {
+    body = (await c.req.json()) as Record<string, unknown>;
+  } catch {
+    return c.json({ error: "Invalid JSON" }, 400);
+  }
+
+  try {
+    upsertFromBody(body);
+  } catch (e) {
+    const msg = e instanceof Error ? e.message : "update failed";
+    return c.json({ error: msg }, 400);
+  }
+
+  return c.json({ ok: true });
+}
+
+/** GET /internal/integrations — Bearer INTEGRATIONS_INTERNAL_SECRET; plaintext for Next server. */
+export async function handleInternalIntegrationsGet(c: Context) {
+  const expected = process.env.INTEGRATIONS_INTERNAL_SECRET?.trim();
+  if (!expected) {
+    return c.json(
+      { error: "INTEGRATIONS_INTERNAL_SECRET is not configured" },
+      503,
+    );
+  }
+
+  const authz = c.req.header("authorization")?.trim() ?? "";
+  const token = authz.toLowerCase().startsWith("bearer ")
+    ? authz.slice(7).trim()
+    : null;
+  if (!token || token !== expected) {
+    return c.json({ error: "Unauthorized" }, 401);
+  }
+
+  if (!process.env.INTEGRATIONS_ENCRYPTION_KEY?.trim()) {
+    return c.json(
+      { error: "INTEGRATIONS_ENCRYPTION_KEY is not configured" },
+      503,
+    );
+  }
+
+  const snap = readFullSnapshot();
+  return c.json({
+    alphaWebhookSecret: snap.alphaWebhookSecret,
+    wabridgeBaseUrl: snap.wabridgeBaseUrl,
+    wabridgePhone: snap.wabridgePhone,
+    wabridgeEnabled: snap.wabridgeEnabled,
+    geminiApiKey: snap.geminiApiKey,
+  });
+}

package/gateway/src/integrations/keys.ts

@@ -0,0 +1,12 @@
+/** SQLite row keys (stable identifiers). */
+export const INTEGRATION_DB_KEYS = {
+  alphaWebhookSecret: "alpha_webhook_secret",
+  wabridgeBaseUrl: "wabridge_base_url",
+  wabridgePhone: "wabridge_phone",
+  wabridgeEnabled: "wabridge_enabled",
+  /** Used by the FastAPI backend (embed + /query) when GEMINI_API_KEY is unset. */
+  geminiApiKey: "gemini_api_key",
+} as const;
+
+export type IntegrationDbKey =
+  (typeof INTEGRATION_DB_KEYS)[keyof typeof INTEGRATION_DB_KEYS];

package/gateway/src/integrations/store.ts

@@ -0,0 +1,106 @@
+import { Database } from "bun:sqlite";
+import { decryptIntegrationValue, encryptIntegrationValue } from "./crypto";
+import { INTEGRATION_DB_KEYS, type IntegrationDbKey } from "./keys";
+
+const dbPath = process.env.BETTER_AUTH_DATABASE_PATH ?? "auth.sqlite";
+
+let _db: Database | null = null;
+
+function getDb(): Database {
+  if (!_db) {
+    _db = new Database(dbPath, { create: true });
+    _db.run(`
+      CREATE TABLE IF NOT EXISTS integration_settings (
+        key TEXT PRIMARY KEY NOT NULL,
+        ciphertext TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      )
+    `);
+  }
+  return _db;
+}
+
+export function getEncryptedRow(key: IntegrationDbKey): string | null {
+  const row = getDb()
+    .query("SELECT ciphertext FROM integration_settings WHERE key = ?")
+    .get(key) as { ciphertext: string } | null;
+  return row?.ciphertext ?? null;
+}
+
+export function setEncryptedRow(
+  key: IntegrationDbKey,
+  plaintext: string,
+): void {
+  const ciphertext = encryptIntegrationValue(plaintext);
+  const updatedAt = new Date().toISOString();
+  getDb().run(
+    `INSERT INTO integration_settings (key, ciphertext, updated_at)
+     VALUES (?, ?, ?)
+     ON CONFLICT(key) DO UPDATE SET ciphertext = excluded.ciphertext, updated_at = excluded.updated_at`,
+    [key, ciphertext, updatedAt],
+  );
+}
+
+export function deleteRow(key: IntegrationDbKey): void {
+  getDb().run("DELETE FROM integration_settings WHERE key = ?", [key]);
+}
+
+export function getPlaintext(key: IntegrationDbKey): string | null {
+  const row = getEncryptedRow(key);
+  if (!row) return null;
+  try {
+    return decryptIntegrationValue(row);
+  } catch {
+    return null;
+  }
+}
+
+export type IntegrationSnapshot = {
+  alphaWebhookSecret: string | null;
+  wabridgeBaseUrl: string | null;
+  wabridgePhone: string | null;
+  wabridgeEnabled: string | null;
+  geminiApiKey: string | null;
+};
+
+export function readFullSnapshot(): IntegrationSnapshot {
+  return {
+    alphaWebhookSecret: getPlaintext(INTEGRATION_DB_KEYS.alphaWebhookSecret),
+    wabridgeBaseUrl: getPlaintext(INTEGRATION_DB_KEYS.wabridgeBaseUrl),
+    wabridgePhone: getPlaintext(INTEGRATION_DB_KEYS.wabridgePhone),
+    wabridgeEnabled: getPlaintext(INTEGRATION_DB_KEYS.wabridgeEnabled),
+    geminiApiKey: getPlaintext(INTEGRATION_DB_KEYS.geminiApiKey),
+  };
+}
+
+export function upsertFromBody(body: Record<string, unknown>): void {
+  const setIfString = (k: IntegrationDbKey, v: unknown) => {
+    if (v === undefined) return;
+    if (v === null || v === "") {
+      deleteRow(k);
+      return;
+    }
+    if (typeof v !== "string") {
+      throw new Error(`invalid type for ${k}`);
+    }
+    setEncryptedRow(k, v);
+  };
+
+  const setBool = (k: IntegrationDbKey, v: unknown) => {
+    if (v === undefined) return;
+    if (v === null) {
+      deleteRow(k);
+      return;
+    }
+    if (typeof v !== "boolean") {
+      throw new Error(`invalid type for ${k}`);
+    }
+    setEncryptedRow(k, v ? "true" : "false");
+  };
+
+  setIfString(INTEGRATION_DB_KEYS.alphaWebhookSecret, body.alphaWebhookSecret);
+  setIfString(INTEGRATION_DB_KEYS.wabridgeBaseUrl, body.wabridgeBaseUrl);
+  setIfString(INTEGRATION_DB_KEYS.wabridgePhone, body.wabridgePhone);
+  setBool(INTEGRATION_DB_KEYS.wabridgeEnabled, body.wabridgeEnabled);
+  setIfString(INTEGRATION_DB_KEYS.geminiApiKey, body.geminiApiKey);
+}

package/gateway/src/stack-secrets.ts

@@ -0,0 +1,35 @@
+import { Database } from "bun:sqlite";
+
+/**
+ * If an env var is unset or whitespace-only, fill it from `stack_secrets` in the auth DB.
+ * Call before Better Auth and integration crypto read secrets from `process.env`.
+ */
+export function loadStackSecretsIntoEnv(): void {
+  const dbPath = process.env.BETTER_AUTH_DATABASE_PATH ?? "auth.sqlite";
+  let db: Database;
+  try {
+    db = new Database(dbPath, { create: true });
+  } catch {
+    return;
+  }
+  try {
+    db.run(`
+      CREATE TABLE IF NOT EXISTS stack_secrets (
+        key TEXT PRIMARY KEY NOT NULL,
+        value TEXT NOT NULL
+      )
+    `);
+    const rows = db.query("SELECT key, value FROM stack_secrets").all() as {
+      key: string;
+      value: string;
+    }[];
+    for (const { key, value } of rows) {
+      const cur = process.env[key]?.trim();
+      if (!cur && value.trim()) {
+        process.env[key] = value;
+      }
+    }
+  } finally {
+    db.close();
+  }
+}

package/gateway/tsconfig.json

@@ -0,0 +1,13 @@
+{
+  "compilerOptions": {
+    "strict": true,
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "target": "ES2022",
+    "lib": ["ES2022"],
+    "types": ["bun-types"],
+    "skipLibCheck": true,
+    "noEmit": true
+  },
+  "include": ["src/**/*.ts"]
+}

package/package.json

@@ -0,0 +1,33 @@
+{
+  "name": "business-stack",
+  "version": "0.1.0",
+  "description": "Next.js + Hono gateway + FastAPI monorepo",
+  "license": "UNLICENSED",
+  "packageManager": "bun@1.3.1",
+  "workspaces": ["frontend/web", "gateway", "backend"],
+  "scripts": {
+    "prepublishOnly": "node ../scripts/sync-npm-package.cjs",
+    "dev": "turbo dev --filter=@business-stack/web --filter=@business-stack/gateway --filter=@business-stack/backend",
+    "start": "turbo run start --filter=@business-stack/web --filter=@business-stack/gateway --filter=@business-stack/backend",
+    "build": "turbo run build --filter=@business-stack/web --filter=@business-stack/gateway --filter=@business-stack/backend"
+  },
+  "bin": {
+    "business-stack": "bin/business-stack.cjs"
+  },
+  "files": [
+    "bin",
+    "turbo.json",
+    ".python-version",
+    "frontend/web",
+    "gateway",
+    "backend"
+  ],
+  "engines": {
+    "node": ">=20"
+  },
+  "dependencies": {
+    "better-sqlite3": "^11.7.0",
+    "commander": "^14.0.0",
+    "turbo": "^2.5.4"
+  }
+}