heyiam 0.2.29 → 0.3.0

package/dist/routes/projects.js

@@ -1,6 +1,6 @@
 import { Router } from 'express';
 import { statSync } from 'node:fs';
-import { buildSessionList, buildProjectDetail } from './context.js';
+import { requireProject, buildSessionList, buildProjectDetail } from './context.js';
 export function createProjectsRouter(ctx) {
     const router = Router();
     router.get('/api/projects', async (_req, res) => {
@@ -18,13 +18,10 @@ export function createProjectsRouter(ctx) {
     // Aggregated project detail for the hub screen
     router.get('/api/projects/:project/detail', async (req, res) => {
         try {
-            const { project } = req.params;
-            const projects = await ctx.getProjects();
-            const proj = projects.find((p) => p.name === project || p.dirName === project);
-            if (!proj) {
-                res.status(404).json({ error: 'Project not found' });
+            const project = String(req.params.project);
+            const proj = await requireProject(ctx, project, res);
+            if (!proj)
                 return;
-            }
             res.json(buildProjectDetail(ctx.db, proj));
         }
         catch (err) {
@@ -95,13 +92,11 @@ export function createProjectsRouter(ctx) {
     });
     router.get('/api/projects/:project/sessions/:id', async (req, res) => {
         try {
-            const { project, id } = req.params;
-            const projects = await ctx.getProjects();
-            const proj = projects.find((p) => p.name === project || p.dirName === project);
-            if (!proj) {
-                res.status(404).json({ error: { code: 'PROJECT_NOT_FOUND', message: 'Project not found' } });
+            const project = String(req.params.project);
+            const id = String(req.params.id);
+            const proj = await requireProject(ctx, project, res);
+            if (!proj)
                 return;
-            }
             const meta = proj.sessions.find((s) => s.sessionId === id);
             if (!meta) {
                 res.status(404).json({ error: { code: 'SESSION_NOT_FOUND', message: 'Session not found' } });
@@ -140,13 +135,10 @@ export function createProjectsRouter(ctx) {
     router.get('/api/projects/:project/git-remote', async (req, res) => {
         const { execFileSync } = await import('node:child_process');
         try {
-            const { project } = req.params;
-            const projects = await ctx.getProjects();
-            const proj = projects.find((p) => p.name === project || p.dirName === project);
-            if (!proj) {
-                res.status(404).json({ error: { code: 'PROJECT_NOT_FOUND', message: 'Project not found' } });
+            const project = String(req.params.project);
+            const proj = await requireProject(ctx, project, res);
+            if (!proj)
                 return;
-            }
             let projectPath = null;
             for (const meta of proj.sessions) {
                 try {

package/dist/routes/publish.js

@@ -2,14 +2,16 @@ import { Router } from 'express';
 import { readFileSync } from 'node:fs';
 import { randomUUID } from 'node:crypto';
 import { getAuthToken } from '../auth.js';
-import { API_URL, PUBLIC_URL } from '../config.js';
-import { loadEnhancedData, saveEnhancedData, saveUploadedState } from '../settings.js';
+import { API_URL, PUBLIC_URL, warnIfNonDefaultApiUrl } from '../config.js';
+import { loadEnhancedData, saveEnhancedData, saveUploadedState, getDefaultTemplate } from '../settings.js';
 import { captureScreenshot } from '../screenshot.js';
 import { redactSession, redactText, scanTextSync, formatFindings, stripHomePathsInText } from '../redact.js';
 import { renderProjectHtml, renderSessionHtml } from '../render/index.js';
 import { buildSessionRenderData, buildSessionCard, buildProjectRenderData } from '../render/build-render-data.js';
 import { buildAgentSummary } from './context.js';
+import { startSSE } from './sse.js';
 import { displayNameFromDir } from '../sync.js';
+import { toSlug } from '../format-utils.js';
 import { getProjectUuid, getFileCountWithChildren } from '../db.js';
 const IMAGE_KEY_PREFIX = 'images/';
 export function createPublishRouter(ctx) {
@@ -32,7 +34,8 @@ export function createPublishRouter(ctx) {
                 totalTokens,
                 sessionCards: sessionCards || [],
             });
-            const html = renderProjectHtml(renderData);
+            const templateName = getDefaultTemplate() || 'editorial';
+            const html = renderProjectHtml(renderData, undefined, templateName);
             res.json({ html });
         }
         catch (err) {
@@ -65,6 +68,7 @@ export function createPublishRouter(ctx) {
     router.post('/api/projects/:project/upload', async (req, res) => {
         const { project } = req.params;
         const auth = getAuthToken();
+        warnIfNonDefaultApiUrl();
         if (!auth) {
             res.status(401).json({ error: { message: 'Authentication required' } });
             return;
@@ -72,18 +76,11 @@ export function createPublishRouter(ctx) {
         const { title: rawTitle, slug: rawSlug, narrative, repoUrl, projectUrl, timeline, skills, totalSessions, totalLoc, totalDurationMinutes, totalAgentDurationMinutes, totalFilesChanged, skippedSessions, selectedSessionIds, screenshotBase64, } = req.body;
         // Ensure slug is the short project name, not the full encoded directory path
         const shortName = displayNameFromDir(String(project));
-        const baseSlug = shortName.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
+        const baseSlug = toSlug(shortName);
         const title = rawTitle === rawSlug ? shortName : rawTitle;
         // Get stable project UUID from CLI database
         const clientProjectId = getProjectUuid(ctx.db, String(project));
-        res.writeHead(200, {
-            'Content-Type': 'text/event-stream',
-            'Cache-Control': 'no-cache',
-            Connection: 'keep-alive',
-        });
-        const send = (data) => {
-            res.write(`data: ${JSON.stringify(data)}\n\n`);
-        };
+        const send = startSSE(res);
         try {
             // Step 1: Upsert project on Phoenix (with slug conflict retry)
             send({ type: 'project', status: 'creating' });
@@ -207,6 +204,7 @@ export function createPublishRouter(ctx) {
             const failedSessions = [];
             const uploadedSessionCards = [];
             if (proj) {
+                const selectedTemplate = getDefaultTemplate() || 'editorial';
                 for (const sessionId of selectedSessionIds) {
                     const meta = proj.sessions.find((s) => s.sessionId === sessionId);
                     if (!meta)
@@ -215,8 +213,7 @@ export function createPublishRouter(ctx) {
                     try {
                         const session = await ctx.loadSession(meta.path, proj.name, sessionId);
                         const enhanced = loadEnhancedData(sessionId);
-                        const sessionSlug = (enhanced?.title ?? session.title ?? sessionId)
-                            .toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '').slice(0, 80);
+                        const sessionSlug = toSlug(enhanced?.title ?? session.title ?? sessionId, 80);
                         const agentSummary = await buildAgentSummary(meta.children ?? [], (c) => ctx.getSessionStats(c, proj.name), { deduplicate: true });
                         const devTake = (enhanced?.developerTake ?? session.developerTake ?? '').slice(0, 2000);
                         const sessionNarrative = enhanced?.narrative ?? '';
@@ -233,11 +230,12 @@ export function createPublishRouter(ctx) {
                             sessionSlug,
                             sourceTool: sessionSourceTool,
                             agentSummary,
+                            template: selectedTemplate,
                         };
                         let sessionRenderedHtml = null;
                         try {
                             const sessionRenderData = buildSessionRenderData(renderOpts);
-                            sessionRenderedHtml = renderSessionHtml(sessionRenderData);
+                            sessionRenderedHtml = renderSessionHtml(sessionRenderData, selectedTemplate);
                         }
                         catch (renderErr) {
                             console.error(`[upload] Session render failed for ${sessionId}:`, renderErr.message);
@@ -259,7 +257,7 @@ export function createPublishRouter(ctx) {
                                 end_time: session.endTime ? new Date(session.endTime).toISOString() : null,
                                 cwd: session.cwd ?? null,
                                 wall_clock_minutes: session.wallClockMinutes ?? null,
-                                template: 'editorial',
+                                template: selectedTemplate,
                                 language: null,
                                 tools: session.toolBreakdown?.map((t) => t.tool) ?? [],
                                 skills: sessionSkills,
@@ -293,7 +291,7 @@ export function createPublishRouter(ctx) {
                             })(),
                             cwd: session.cwd ?? null,
                             wall_clock_minutes: session.wallClockMinutes ?? null,
-                            template: 'editorial',
+                            template: selectedTemplate,
                             skills: sessionSkills,
                             tools: session.toolBreakdown?.map((t) => t.tool) ?? [],
                             source: sessionSourceTool,

package/dist/routes/settings.js

@@ -1,6 +1,7 @@
 import { Router } from 'express';
-import { saveAnthropicApiKey, clearAnthropicApiKey, getAnthropicApiKey } from '../settings.js';
+import { saveAnthropicApiKey, clearAnthropicApiKey, getAnthropicApiKey, getSettings, setDefaultTemplate, getPortfolioProfile, savePortfolioProfile } from '../settings.js';
 import { hasApiKey } from '../llm/index.js';
+import { isValidTemplate, DEFAULT_TEMPLATE, BUILT_IN_TEMPLATES } from '../render/templates.js';
 export function createSettingsRouter(_ctx) {
     const router = Router();
     // Save or clear the Anthropic API key
@@ -25,5 +26,97 @@ export function createSettingsRouter(_ctx) {
             maskedKey: key ? `...${key.slice(-4)}` : null,
         });
     });
+    // List available templates
+    router.get('/api/templates', (_req, res) => {
+        const templates = BUILT_IN_TEMPLATES.map((t) => ({
+            name: t.name,
+            label: t.label,
+            description: t.description,
+            accent: t.accent,
+            mode: t.mode,
+            tags: t.tags,
+            builtIn: true,
+        }));
+        res.json({ templates });
+    });
+    // Get current portfolio theme
+    router.get('/api/settings/theme', (_req, res) => {
+        const settings = getSettings();
+        res.json({ template: settings.defaultTemplate ?? DEFAULT_TEMPLATE });
+    });
+    // Set portfolio theme
+    router.post('/api/settings/theme', (req, res) => {
+        const { template } = req.body;
+        if (!template || !isValidTemplate(template)) {
+            res.status(400).json({ error: 'Invalid template name' });
+            return;
+        }
+        setDefaultTemplate(template);
+        console.log(`[settings] Portfolio theme set to: ${template}`);
+        res.json({ ok: true, template });
+    });
+    // Get portfolio profile data
+    router.get('/api/portfolio', (_req, res) => {
+        res.json(getPortfolioProfile());
+    });
+    // Save portfolio profile data
+    router.post('/api/portfolio', (req, res) => {
+        const body = req.body;
+        if (!body || typeof body !== 'object' || Array.isArray(body)) {
+            res.status(400).json({ error: { code: 'INVALID_BODY', message: 'Request body must be a JSON object' } });
+            return;
+        }
+        const ALLOWED_FIELDS = [
+            'displayName', 'bio', 'photoBase64', 'location', 'email', 'phone',
+            'linkedinUrl', 'githubUrl', 'twitterHandle', 'websiteUrl',
+            'resumeBase64', 'resumeFilename',
+        ];
+        const errors = [];
+        // Structural validation: only allow known string fields
+        const cleaned = {};
+        for (const key of ALLOWED_FIELDS) {
+            const val = body[key];
+            if (val === undefined || val === null || val === '')
+                continue;
+            if (typeof val !== 'string') {
+                errors.push({ field: key, message: `${key} must be a string` });
+                continue;
+            }
+            cleaned[key] = val;
+        }
+        // Length limits
+        if (cleaned.displayName && cleaned.displayName.length > 200) {
+            errors.push({ field: 'displayName', message: 'Display name must be under 200 characters' });
+        }
+        if (cleaned.bio && cleaned.bio.length > 2000) {
+            errors.push({ field: 'bio', message: 'Bio must be under 2000 characters' });
+        }
+        if (cleaned.email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(cleaned.email)) {
+            errors.push({ field: 'email', message: 'Invalid email format' });
+        }
+        if (cleaned.linkedinUrl && !cleaned.linkedinUrl.startsWith('http')) {
+            errors.push({ field: 'linkedinUrl', message: 'LinkedIn URL must start with http' });
+        }
+        if (cleaned.githubUrl && !cleaned.githubUrl.startsWith('http')) {
+            errors.push({ field: 'githubUrl', message: 'GitHub URL must start with http' });
+        }
+        if (cleaned.websiteUrl && !cleaned.websiteUrl.startsWith('http')) {
+            errors.push({ field: 'websiteUrl', message: 'Website URL must start with http' });
+        }
+        // File size limits (base64 ~1.37x raw; cap photo at ~5MB, resume at ~10MB)
+        if (cleaned.photoBase64 && cleaned.photoBase64.length > 7_000_000) {
+            errors.push({ field: 'photoBase64', message: 'Photo must be under 5MB' });
+        }
+        if (cleaned.resumeBase64 && cleaned.resumeBase64.length > 14_000_000) {
+            errors.push({ field: 'resumeBase64', message: 'Resume must be under 10MB' });
+        }
+        if (errors.length > 0) {
+            res.status(400).json({ error: { code: 'VALIDATION_ERROR', message: 'Validation failed', fields: errors } });
+            return;
+        }
+        savePortfolioProfile(cleaned);
+        console.log('[settings] Portfolio profile saved');
+        res.json({ ok: true });
+    });
     return router;
 }

package/dist/routes/sse.js

@@ -0,0 +1,9 @@
+/** Set up an SSE response and return a typed send helper. */
+export function startSSE(res) {
+    res.writeHead(200, {
+        'Content-Type': 'text/event-stream',
+        'Cache-Control': 'no-cache',
+        Connection: 'keep-alive',
+    });
+    return (data) => res.write(`data: ${JSON.stringify(data)}\n\n`);
+}

package/dist/server.js

@@ -81,9 +81,15 @@ export function createApp(sessionsBasePath, dbPath) {
     if (process.env.NODE_ENV !== 'production')
         corsOrigins.push('http://localhost:5173');
     app.use(cors({ origin: corsOrigins }));
-    app.use((_req, res, next) => {
+    app.use((req, res, next) => {
         res.setHeader('X-Content-Type-Options', 'nosniff');
-        res.setHeader('X-Frame-Options', 'DENY');
+        // Allow same-origin framing for preview pages (used by template browser iframes)
+        if (req.path.startsWith('/preview/')) {
+            res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+        }
+        else {
+            res.setHeader('X-Frame-Options', 'DENY');
+        }
         next();
     });
     app.use(express.json({ limit: '10mb' }));

package/dist/settings.js

@@ -34,6 +34,14 @@ export function clearAnthropicApiKey(configDir) {
     delete settings.anthropicApiKey;
     writeConfig(SETTINGS_FILE, settings, configDir);
 }
+export function getDefaultTemplate(configDir) {
+    return getSettings(configDir).defaultTemplate;
+}
+export function setDefaultTemplate(templateName, configDir) {
+    const settings = getSettings(configDir);
+    settings.defaultTemplate = templateName;
+    writeConfig(SETTINGS_FILE, settings, configDir);
+}
 export function isOnboardingComplete(configDir) {
     return !!getSettings(configDir).onboardingCompletedAt;
 }
@@ -47,6 +55,15 @@ export function resetOnboarding(configDir) {
     delete settings.onboardingCompletedAt;
     writeConfig(SETTINGS_FILE, settings, configDir);
 }
+// ── Portfolio profile ────────────────────────────────────────
+export function getPortfolioProfile(configDir) {
+    return getSettings(configDir).portfolio ?? {};
+}
+export function savePortfolioProfile(data, configDir) {
+    const settings = getSettings(configDir);
+    settings.portfolio = data;
+    writeConfig(SETTINGS_FILE, settings, configDir);
+}
 /**
  * Returns the Anthropic API key from settings file or env var.
  * Env var takes precedence.
@@ -81,15 +98,6 @@ export function loadEnhancedData(sessionId, configDir) {
         return null;
     }
 }
-export function markAsUploaded(sessionId, configDir) {
-    const data = loadEnhancedData(sessionId, configDir);
-    if (!data)
-        return;
-    data.uploaded = true;
-    const dir = enhancedDir(configDir);
-    mkdirSync(dir, { recursive: true });
-    writeFileSync(enhancedPath(sessionId, configDir), JSON.stringify(data, null, 2), { mode: 0o600 });
-}
 export function deleteEnhancedData(sessionId, configDir) {
     const path = enhancedPath(sessionId, configDir);
     if (existsSync(path))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "heyiam",
-  "version": "0.2.29",
+  "version": "0.3.0",
   "description": "Turn AI coding sessions into portfolio case studies",
   "type": "module",
   "license": "MIT",
@@ -31,13 +31,11 @@
     "dev:api": "tsx watch src/index.ts open --no-open",
     "dev:app": "cd app && npm run dev",
     "test": "vitest run && cd app && npx vitest run",
-    "test:backend": "vitest run",
+    "test:backend": "vitest run --exclude src/build-integrity.test.ts",
     "test:frontend": "cd app && npx vitest run"
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.79.0",
-    "@secretlint/node": "^11.4.0",
-    "@secretlint/secretlint-rule-preset-recommend": "^11.4.0",
     "better-sqlite3": "^12.8.0",
     "commander": "^13.1.0",
     "cors": "^2.8.6",