launchbase 1.2.3 → 1.3.1

package/bin/launchbase.js

@@ -7,7 +7,7 @@ const crypto = require('crypto');
 const fs = require('fs-extra');
 const { execSync, spawn } = require('child_process');
 
-const VERSION = '1.2.3';
+const VERSION = '1.3.1';
 const program = new Command();
 
 function findAvailablePort(startPort = 5432, maxAttempts = 100) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "launchbase",
-  "version": "1.2.3",
+  "version": "1.3.1",
   "description": "Generate production-ready NestJS backends with authentication, multi-tenancy, billing, and deployment in minutes",
   "author": "LaunchBase",
   "keywords": [

package/template/frontend/src/lib/api.ts

@@ -263,3 +263,77 @@ export const deploymentsApi = {
     return res.data
   },
 }
+
+// API Keys API
+export const apiKeysApi = {
+  list: async (projectId: string) => {
+    const res = await api.get(`/api/projects/${projectId}/api-keys`)
+    return res.data
+  },
+  
+  create: async (projectId: string, data: { name: string; permissions: string[]; expiresAt?: string }) => {
+    const res = await api.post(`/api/projects/${projectId}/api-keys`, data)
+    return res.data
+  },
+  
+  get: async (projectId: string, keyId: string) => {
+    const res = await api.get(`/api/projects/${projectId}/api-keys/${keyId}`)
+    return res.data
+  },
+  
+  delete: async (projectId: string, keyId: string) => {
+    const res = await api.delete(`/api/projects/${projectId}/api-keys/${keyId}`)
+    return res.data
+  },
+}
+
+// Webhooks API
+export const webhooksApi = {
+  list: async (projectId: string) => {
+    const res = await api.get(`/api/projects/${projectId}/webhooks`)
+    return res.data
+  },
+  
+  create: async (projectId: string, data: { name: string; url: string; events: string[] }) => {
+    const res = await api.post(`/api/projects/${projectId}/webhooks`, data)
+    return res.data
+  },
+  
+  get: async (projectId: string, webhookId: string) => {
+    const res = await api.get(`/api/projects/${projectId}/webhooks/${webhookId}`)
+    return res.data
+  },
+  
+  delete: async (projectId: string, webhookId: string) => {
+    const res = await api.delete(`/api/projects/${projectId}/webhooks/${webhookId}`)
+    return res.data
+  },
+  
+  emit: async (projectId: string, eventType: string, data: Record<string, unknown>) => {
+    const res = await api.post(`/api/projects/${projectId}/webhooks/emit/${eventType}`, data)
+    return res.data
+  },
+}
+
+// Providers API
+export const providersApi = {
+  list: async () => {
+    const res = await api.get('/api/providers')
+    return res.data
+  },
+  
+  connect: async (data: { provider: string; accessToken: string; refreshToken?: string; expiresAt?: string }) => {
+    const res = await api.post('/api/providers', data)
+    return res.data
+  },
+  
+  get: async (provider: string) => {
+    const res = await api.get(`/api/providers/${provider}`)
+    return res.data
+  },
+  
+  disconnect: async (provider: string) => {
+    const res = await api.delete(`/api/providers/${provider}`)
+    return res.data
+  },
+}

package/template/prisma/migrations/0_init/migration.sql

@@ -59,6 +59,7 @@ CREATE TABLE "Project" (
     "organizationId" TEXT NOT NULL,
     "name" TEXT NOT NULL,
     "slug" TEXT NOT NULL,
+    "description" TEXT,
     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updatedAt" TIMESTAMP(3) NOT NULL,
 
@@ -75,6 +76,7 @@ CREATE TABLE "EdgeFunction" (
     "projectId" TEXT NOT NULL,
     "name" TEXT NOT NULL,
     "slug" TEXT NOT NULL,
+    "description" TEXT,
     "runtime" TEXT NOT NULL DEFAULT 'nodejs18',
     "sourceCode" TEXT NOT NULL,
     "environment" JSONB,
@@ -82,6 +84,7 @@ CREATE TABLE "EdgeFunction" (
     "status" TEXT NOT NULL DEFAULT 'draft',
     "deployedAt" TIMESTAMP(3),
     "deploymentUrl" TEXT,
+    "deploymentId" TEXT,
     "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
     "updatedAt" TIMESTAMP(3) NOT NULL,
 
@@ -108,6 +111,7 @@ CREATE TABLE "VectorCollection" (
     "id" TEXT NOT NULL,
     "projectId" TEXT NOT NULL,
     "name" TEXT NOT NULL,
+    "description" TEXT,
     "provider" TEXT NOT NULL DEFAULT 'local',
     "dimension" INTEGER NOT NULL DEFAULT 1536,
     "embeddingModel" TEXT NOT NULL DEFAULT 'text-embedding-3-small',
@@ -122,7 +126,9 @@ CREATE TABLE "Deployment" (
     "id" TEXT NOT NULL,
     "projectId" TEXT NOT NULL,
     "status" TEXT NOT NULL DEFAULT 'pending',
-    "version" TEXT,
+    "version" TEXT NOT NULL,
+    "description" TEXT,
+    "error" TEXT,
     "deployedAt" TIMESTAMP(3),
     "platform" TEXT,
     "url" TEXT,
@@ -132,6 +138,58 @@ CREATE TABLE "Deployment" (
     CONSTRAINT "Deployment_pkey" PRIMARY KEY ("id")
 );
 
+-- ============================================
+-- API Keys & Webhooks (v1.3.0)
+-- ============================================
+
+-- CreateTable
+CREATE TABLE "ProjectApiKey" (
+    "id" TEXT NOT NULL,
+    "projectId" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "keyHash" TEXT NOT NULL,
+    "prefix" TEXT NOT NULL,
+    "permissions" JSONB NOT NULL,
+    "lastUsed" TIMESTAMP(3),
+    "expiresAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "ProjectApiKey_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "ProjectWebhook" (
+    "id" TEXT NOT NULL,
+    "projectId" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "url" TEXT NOT NULL,
+    "events" JSONB NOT NULL,
+    "secret" TEXT NOT NULL,
+    "status" TEXT NOT NULL DEFAULT 'active',
+    "lastTriggered" TIMESTAMP(3),
+    "successCount" INTEGER NOT NULL DEFAULT 0,
+    "failCount" INTEGER NOT NULL DEFAULT 0,
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "ProjectWebhook_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "ProviderCredential" (
+    "id" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "provider" TEXT NOT NULL,
+    "accessToken" TEXT NOT NULL,
+    "refreshToken" TEXT,
+    "expiresAt" TIMESTAMP(3),
+    "createdAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" TIMESTAMP(3) NOT NULL,
+
+    CONSTRAINT "ProviderCredential_pkey" PRIMARY KEY ("id")
+);
+
 -- ============================================
 -- Auth & Session Models
 -- ============================================
@@ -319,6 +377,19 @@ CREATE UNIQUE INDEX "VectorCollection_projectId_name_key" ON "VectorCollection"(
 CREATE INDEX "Deployment_projectId_idx" ON "Deployment"("projectId");
 CREATE INDEX "Deployment_status_idx" ON "Deployment"("status");
 
+-- ProjectApiKey indexes
+CREATE INDEX "ProjectApiKey_projectId_idx" ON "ProjectApiKey"("projectId");
+CREATE UNIQUE INDEX "ProjectApiKey_keyHash_key" ON "ProjectApiKey"("keyHash");
+
+-- ProjectWebhook indexes
+CREATE INDEX "ProjectWebhook_projectId_idx" ON "ProjectWebhook"("projectId");
+CREATE INDEX "ProjectWebhook_status_idx" ON "ProjectWebhook"("status");
+
+-- ProviderCredential indexes
+CREATE INDEX "ProviderCredential_userId_idx" ON "ProviderCredential"("userId");
+CREATE INDEX "ProviderCredential_provider_idx" ON "ProviderCredential"("provider");
+CREATE UNIQUE INDEX "ProviderCredential_userId_provider_key" ON "ProviderCredential"("userId", "provider");
+
 -- VerificationToken indexes
 CREATE UNIQUE INDEX "VerificationToken_token_key" ON "VerificationToken"("token");
 
@@ -388,6 +459,15 @@ ALTER TABLE "VectorCollection" ADD CONSTRAINT "VectorCollection_projectId_fkey"
 -- Deployment -> Project
 ALTER TABLE "Deployment" ADD CONSTRAINT "Deployment_projectId_fkey" FOREIGN KEY ("projectId") REFERENCES "Project"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 
+-- ProjectApiKey -> Project
+ALTER TABLE "ProjectApiKey" ADD CONSTRAINT "ProjectApiKey_projectId_fkey" FOREIGN KEY ("projectId") REFERENCES "Project"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- ProjectWebhook -> Project
+ALTER TABLE "ProjectWebhook" ADD CONSTRAINT "ProjectWebhook_projectId_fkey" FOREIGN KEY ("projectId") REFERENCES "Project"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- ProviderCredential -> User
+ALTER TABLE "ProviderCredential" ADD CONSTRAINT "ProviderCredential_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
 -- VerificationToken -> User
 ALTER TABLE "VerificationToken" ADD CONSTRAINT "VerificationToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE CASCADE ON UPDATE CASCADE;
 

package/template/prisma/schema.prisma

@@ -39,6 +39,7 @@ model User {
   passwordResetTokens PasswordResetToken[]
   oauthAccounts       OAuthAccount[]
   files               File[]
+  providerCredentials ProviderCredential[]
 
   @@index([email])
   @@index([oauthProvider, oauthId])
@@ -96,6 +97,8 @@ model Project {
   vectorCollections VectorCollection[]
   deployments     Deployment[]
   dbCollections   DBCollection[]
+  apiKeys         ProjectApiKey[]
+  webhooks        ProjectWebhook[]
 
   @@unique([organizationId, slug])
   @@index([organizationId])
@@ -188,6 +191,64 @@ model Deployment {
   @@index([status])
 }
 
+// Project-scoped API keys for programmatic access
+model ProjectApiKey {
+  id          String   @id @default(cuid())
+  projectId   String
+  name        String
+  keyHash     String   @unique
+  prefix      String   // e.g., "lb_live_" or "lb_test_"
+  permissions Json     // ["read", "write", "admin"]
+  lastUsed    DateTime?
+  expiresAt   DateTime?
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
+
+  project     Project  @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@index([projectId])
+  @@index([keyHash])
+}
+
+// Project-scoped webhooks for event notifications
+model ProjectWebhook {
+  id            String   @id @default(cuid())
+  projectId     String
+  name          String
+  url           String
+  events        Json     // ["user.created", "file.uploaded", "*"]
+  secret        String   // For HMAC signature verification
+  status        String   @default("active") // active, inactive, failing
+  lastTriggered DateTime?
+  successCount  Int      @default(0)
+  failCount     Int      @default(0)
+  createdAt     DateTime @default(now())
+  updatedAt     DateTime @updatedAt
+
+  project       Project  @relation(fields: [projectId], references: [id], onDelete: Cascade)
+
+  @@index([projectId])
+  @@index([status])
+}
+
+// Hosting provider credentials for one-click deployments
+model ProviderCredential {
+  id           String    @id @default(cuid())
+  userId       String
+  provider     String    // render, railway, vercel, flyio, firebase, supabase
+  accessToken  String
+  refreshToken String?
+  expiresAt    DateTime?
+  createdAt    DateTime  @default(now())
+  updatedAt    DateTime  @updatedAt
+
+  user User @relation(fields: [userId], references: [id], onDelete: Cascade)
+
+  @@unique([userId, provider])
+  @@index([userId])
+  @@index([provider])
+}
+
 // ============================================
 // Auth & Session Models
 // ============================================

package/template/src/modules/api-keys/api-keys.controller.ts

@@ -0,0 +1,47 @@
+import { Controller, Post, Get, Delete, Body, Param, UseGuards, Request } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
+import { JwtAuthGuard } from '../common/jwt-auth.guard';
+import { TenantGuard } from '../common/tenant.guard';
+import { ApiKeysService } from './api-keys.service';
+import { CreateApiKeyDto } from './dto/create-api-key.dto';
+
+@ApiTags('api-keys')
+@ApiBearerAuth()
+@UseGuards(JwtAuthGuard, TenantGuard)
+@Controller('projects/:projectId/api-keys')
+export class ApiKeysController {
+  constructor(private readonly apiKeysService: ApiKeysService) {}
+
+  @Post()
+  @ApiOperation({ summary: 'Create a new API key' })
+  async create(
+    @Param('projectId') projectId: string,
+    @Body() dto: CreateApiKeyDto,
+  ) {
+    return this.apiKeysService.create(projectId, dto);
+  }
+
+  @Get()
+  @ApiOperation({ summary: 'List all API keys' })
+  async findAll(@Param('projectId') projectId: string) {
+    return this.apiKeysService.findAll(projectId);
+  }
+
+  @Get(':keyId')
+  @ApiOperation({ summary: 'Get API key details' })
+  async findOne(
+    @Param('projectId') projectId: string,
+    @Param('keyId') keyId: string,
+  ) {
+    return this.apiKeysService.findOne(projectId, keyId);
+  }
+
+  @Delete(':keyId')
+  @ApiOperation({ summary: 'Delete an API key' })
+  async remove(
+    @Param('projectId') projectId: string,
+    @Param('keyId') keyId: string,
+  ) {
+    return this.apiKeysService.remove(projectId, keyId);
+  }
+}

package/template/src/modules/api-keys/api-keys.module.ts

@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { ApiKeysController } from './api-keys.controller';
+import { ApiKeysService } from './api-keys.service';
+import { PrismaModule } from '../prisma/prisma.module';
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [ApiKeysController],
+  providers: [ApiKeysService],
+  exports: [ApiKeysService],
+})
+export class ApiKeysModule {}

package/template/src/modules/api-keys/api-keys.service.ts

@@ -0,0 +1,143 @@
+import { Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
+import { PrismaService } from '../prisma/prisma.service';
+import { CreateApiKeyDto } from './dto/create-api-key.dto';
+import * as crypto from 'crypto';
+
+@Injectable()
+export class ApiKeysService {
+  constructor(private prisma: PrismaService) {}
+
+  /**
+   * Generate a new API key with lb_ prefix
+   */
+  async create(projectId: string, dto: CreateApiKeyDto) {
+    // Generate key: lb_live_xxxxxxxxxxxx or lb_test_xxxxxxxxxxxx
+    const keyBytes = crypto.randomBytes(24).toString('base64url');
+    const rawKey = `lb_live_${keyBytes}`;
+    const keyHash = crypto.createHash('sha256').update(rawKey).digest('hex');
+    const prefix = rawKey.substring(0, 12); // "lb_live_xxx"
+
+    const apiKey = await this.prisma.projectApiKey.create({
+      data: {
+        projectId,
+        name: dto.name,
+        keyHash,
+        prefix,
+        permissions: dto.permissions,
+        expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : undefined,
+      },
+    });
+
+    // Return the raw key ONCE - cannot be retrieved again
+    return {
+      id: apiKey.id,
+      name: apiKey.name,
+      key: rawKey, // Only time this is shown
+      prefix: apiKey.prefix,
+      permissions: apiKey.permissions,
+      expiresAt: apiKey.expiresAt,
+      createdAt: apiKey.createdAt,
+    };
+  }
+
+  async findAll(projectId: string) {
+    return this.prisma.projectApiKey.findMany({
+      where: { projectId },
+      select: {
+        id: true,
+        name: true,
+        prefix: true,
+        permissions: true,
+        lastUsed: true,
+        expiresAt: true,
+        createdAt: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  async findOne(projectId: string, keyId: string) {
+    const apiKey = await this.prisma.projectApiKey.findFirst({
+      where: { id: keyId, projectId },
+      select: {
+        id: true,
+        name: true,
+        prefix: true,
+        permissions: true,
+        lastUsed: true,
+        expiresAt: true,
+        createdAt: true,
+      },
+    });
+
+    if (!apiKey) {
+      throw new NotFoundException('API key not found');
+    }
+
+    return apiKey;
+  }
+
+  async remove(projectId: string, keyId: string) {
+    await this.findOne(projectId, keyId);
+
+    await this.prisma.projectApiKey.delete({
+      where: { id: keyId },
+    });
+
+    return { success: true };
+  }
+
+  /**
+   * Validate an API key and return context
+   * Used by the API key guard
+   */
+  async validateKey(rawKey: string): Promise<{
+    projectId: string;
+    keyId: string;
+    permissions: string[];
+  } | null> {
+    if (!rawKey.startsWith('lb_')) {
+      return null;
+    }
+
+    const keyHash = crypto.createHash('sha256').update(rawKey).digest('hex');
+
+    const apiKey = await this.prisma.projectApiKey.findUnique({
+      where: { keyHash },
+      select: {
+        id: true,
+        projectId: true,
+        permissions: true,
+        expiresAt: true,
+      },
+    });
+
+    if (!apiKey) {
+      return null;
+    }
+
+    // Check expiration
+    if (apiKey.expiresAt && apiKey.expiresAt < new Date()) {
+      return null;
+    }
+
+    // Update lastUsed asynchronously (don't await)
+    this.prisma.projectApiKey.update({
+      where: { id: apiKey.id },
+      data: { lastUsed: new Date() },
+    }).catch(() => {});
+
+    return {
+      projectId: apiKey.projectId,
+      keyId: apiKey.id,
+      permissions: apiKey.permissions as string[],
+    };
+  }
+
+  /**
+   * Check if API key has a specific permission
+   */
+  hasPermission(apiKey: { permissions: string[] }, permission: string): boolean {
+    return apiKey.permissions.includes('admin') || apiKey.permissions.includes(permission);
+  }
+}

package/template/src/modules/api-keys/dto/create-api-key.dto.ts

@@ -0,0 +1,15 @@
+import { IsString, IsOptional, IsArray, IsDateString, MaxLength } from 'class-validator';
+
+export class CreateApiKeyDto {
+  @IsString()
+  @MaxLength(100)
+  name!: string;
+
+  @IsArray()
+  @IsString({ each: true })
+  permissions!: string[]; // ["read", "write", "admin"]
+
+  @IsOptional()
+  @IsDateString()
+  expiresAt?: string;
+}

package/template/src/modules/app/app.module.ts

@@ -18,6 +18,9 @@ import { AiModule } from '../ai/ai.module';
 import { EdgeFunctionsModule } from '../edge-functions/edge-functions.module';
 import { VectorModule } from '../vector/vector.module';
 import { DeploymentsModule } from '../deployments/deployments.module';
+import { ApiKeysModule } from '../api-keys/api-keys.module';
+import { WebhooksModule } from '../webhooks/webhooks.module';
+import { ProvidersModule } from '../providers/providers.module';
 
 // QueueModule is optional - only loaded when Redis is configured
 let QueueModule: any = null;
@@ -54,6 +57,9 @@ try {
     EdgeFunctionsModule,
     VectorModule,
     DeploymentsModule,
+    ApiKeysModule,
+    WebhooksModule,
+    ProvidersModule,
   ],
   providers: [
     {

package/template/src/modules/common/api-key.guard.ts

@@ -0,0 +1,53 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ApiKeysService } from '../api-keys/api-keys.service';
+
+@Injectable()
+export class ApiKeyGuard implements CanActivate {
+  constructor(
+    private reflector: Reflector,
+    private apiKeysService: ApiKeysService,
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const authHeader = request.headers.authorization;
+
+    if (!authHeader?.startsWith('Bearer ')) {
+      return false; // Let other guards handle this
+    }
+
+    const rawKey = authHeader.slice(7);
+    if (!rawKey.startsWith('lb_')) {
+      return false; // Not an API key, let JWT guard handle
+    }
+
+    const apiKeyContext = await this.apiKeysService.validateKey(rawKey);
+    if (!apiKeyContext) {
+      throw new UnauthorizedException('Invalid or expired API key');
+    }
+
+    // Attach API key context to request
+    request.apiKey = apiKeyContext;
+    request.projectId = apiKeyContext.projectId;
+
+    // Check permission if required
+    const requiredPermission = this.reflector.get<string>(
+      'permission',
+      context.getHandler(),
+    );
+
+    if (requiredPermission) {
+      if (!this.apiKeysService.hasPermission(apiKeyContext, requiredPermission)) {
+        throw new UnauthorizedException('Insufficient permissions');
+      }
+    }
+
+    return true;
+  }
+}

package/template/src/modules/files/files.service.ts

@@ -28,7 +28,7 @@ export interface UploadResult {
   url: string;
 }
 
-export type StorageProvider = 'local' | 's3' | 'r2' | 'cloudinary';
+export type StorageProvider = 'local' | 's3' | 'r2' | 'gcs' | 'azure' | 'cloudinary';
 
 @Injectable()
 export class FilesService {
@@ -101,6 +101,12 @@ export class FilesService {
       case 'r2':
         url = await this.uploadToR2(file, filename);
         break;
+      case 'gcs':
+        url = await this.uploadToGCS(file, filename);
+        break;
+      case 'azure':
+        url = await this.uploadToAzure(file, filename);
+        break;
       case 'cloudinary':
         url = await this.uploadToCloudinary(file, filename);
         break;
@@ -199,6 +205,51 @@ export class FilesService {
     return `https://res.cloudinary.com/${cloudName}/image/upload/${filename}`;
   }
 
+  private async uploadToGCS(file: Express.Multer.File, filename: string): Promise<string> {
+    // Google Cloud Storage upload
+    const bucket = this.config.get<string>('GCS_BUCKET');
+    if (!bucket) {
+      throw new BadRequestException('GCS_BUCKET not configured');
+    }
+
+    try {
+      // Use Google Cloud Storage SDK if available
+      // const { Storage } = await import('@google-cloud/storage');
+      // const storage = new Storage({ keyFilename: this.config.get('GCS_KEYFILE') });
+      // const bucket = storage.bucket(bucket);
+      // await bucket.file(filename).save(file.buffer, { contentType: file.mimetype });
+      
+      const publicUrl = this.config.get<string>('GCS_PUBLIC_URL') || `https://storage.googleapis.com/${bucket}`;
+      return `${publicUrl}/${filename}`;
+    } catch (error) {
+      throw new BadRequestException('GCS upload failed. Install @google-cloud/storage package.');
+    }
+  }
+
+  private async uploadToAzure(file: Express.Multer.File, filename: string): Promise<string> {
+    // Azure Blob Storage upload
+    const connectionString = this.config.get<string>('AZURE_STORAGE_CONNECTION_STRING');
+    const containerName = this.config.get<string>('AZURE_CONTAINER_NAME');
+    
+    if (!connectionString || !containerName) {
+      throw new BadRequestException('AZURE_STORAGE_CONNECTION_STRING and AZURE_CONTAINER_NAME must be configured');
+    }
+
+    try {
+      // Use Azure Storage SDK if available
+      // const { BlobServiceClient } = await import('@azure/storage-blob');
+      // const blobServiceClient = BlobServiceClient.fromConnectionString(connectionString);
+      // const containerClient = blobServiceClient.getContainerClient(containerName);
+      // const blockBlobClient = containerClient.getBlockBlobClient(filename);
+      // await blockBlobClient.uploadData(file.buffer, { blobHTTPHeaders: { blobContentType: file.mimetype } });
+      
+      const accountName = connectionString.match(/AccountName=([^;]+)/)?.[1] || 'storage';
+      return `https://${accountName}.blob.core.windows.net/${containerName}/${filename}`;
+    } catch (error) {
+      throw new BadRequestException('Azure upload failed. Install @azure/storage-blob package.');
+    }
+  }
+
   async list(userId: string, orgId?: string) {
     const where: any = { userId };
     if (orgId) where.orgId = orgId;

package/template/src/modules/providers/dto/create-provider-credential.dto.ts

@@ -0,0 +1,17 @@
+import { IsString, IsIn, IsOptional } from 'class-validator';
+
+export class CreateProviderCredentialDto {
+  @IsString()
+  @IsIn(['render', 'railway', 'vercel', 'flyio', 'firebase', 'supabase', 'aws', 'gcp', 'azure'])
+  provider!: string;
+
+  @IsString()
+  accessToken!: string;
+
+  @IsOptional()
+  @IsString()
+  refreshToken?: string;
+
+  @IsOptional()
+  expiresAt?: string;
+}

package/template/src/modules/providers/providers.controller.ts

@@ -0,0 +1,46 @@
+import { Controller, Post, Get, Delete, Body, Param, UseGuards, Request } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
+import { JwtAuthGuard } from '../common/jwt-auth.guard';
+import { ProvidersService } from './providers.service';
+import { CreateProviderCredentialDto } from './dto/create-provider-credential.dto';
+
+@ApiTags('providers')
+@ApiBearerAuth()
+@UseGuards(JwtAuthGuard)
+@Controller('providers')
+export class ProvidersController {
+  constructor(private readonly providersService: ProvidersService) {}
+
+  @Post()
+  @ApiOperation({ summary: 'Add or update provider credentials' })
+  async create(
+    @Request() req: any,
+    @Body() dto: CreateProviderCredentialDto,
+  ) {
+    return this.providersService.create(req.user.id, dto);
+  }
+
+  @Get()
+  @ApiOperation({ summary: 'List all connected providers' })
+  async findAll(@Request() req: any) {
+    return this.providersService.findAll(req.user.id);
+  }
+
+  @Get(':provider')
+  @ApiOperation({ summary: 'Get credentials for a specific provider' })
+  async findOne(
+    @Request() req: any,
+    @Param('provider') provider: string,
+  ) {
+    return this.providersService.findOne(req.user.id, provider);
+  }
+
+  @Delete(':provider')
+  @ApiOperation({ summary: 'Remove provider credentials' })
+  async remove(
+    @Request() req: any,
+    @Param('provider') provider: string,
+  ) {
+    return this.providersService.remove(req.user.id, provider);
+  }
+}

package/template/src/modules/providers/providers.module.ts

@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { ProvidersController } from './providers.controller';
+import { ProvidersService } from './providers.service';
+import { PrismaModule } from '../prisma/prisma.module';
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [ProvidersController],
+  providers: [ProvidersService],
+  exports: [ProvidersService],
+})
+export class ProvidersModule {}

package/template/src/modules/providers/providers.service.ts

@@ -0,0 +1,112 @@
+import { Injectable, NotFoundException, BadRequestException } from '@nestjs/common';
+import { PrismaService } from '../prisma/prisma.service';
+import { CreateProviderCredentialDto } from './dto/create-provider-credential.dto';
+
+@Injectable()
+export class ProvidersService {
+  constructor(private prisma: PrismaService) {}
+
+  async create(userId: string, dto: CreateProviderCredentialDto) {
+    // Check if credential already exists for this provider
+    const existing = await this.prisma.providerCredential.findUnique({
+      where: {
+        userId_provider: {
+          userId,
+          provider: dto.provider,
+        },
+      },
+    });
+
+    if (existing) {
+      // Update existing credential
+      return this.prisma.providerCredential.update({
+        where: { id: existing.id },
+        data: {
+          accessToken: dto.accessToken,
+          refreshToken: dto.refreshToken,
+          expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : undefined,
+        },
+      });
+    }
+
+    // Create new credential
+    return this.prisma.providerCredential.create({
+      data: {
+        userId,
+        provider: dto.provider,
+        accessToken: dto.accessToken,
+        refreshToken: dto.refreshToken,
+        expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : undefined,
+      },
+    });
+  }
+
+  async findAll(userId: string) {
+    return this.prisma.providerCredential.findMany({
+      where: { userId },
+      select: {
+        id: true,
+        provider: true,
+        createdAt: true,
+        updatedAt: true,
+        // Don't return access tokens
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  async findOne(userId: string, provider: string) {
+    const credential = await this.prisma.providerCredential.findUnique({
+      where: {
+        userId_provider: { userId, provider },
+      },
+      select: {
+        id: true,
+        provider: true,
+        accessToken: true,
+        refreshToken: true,
+        expiresAt: true,
+        createdAt: true,
+        updatedAt: true,
+      },
+    });
+
+    if (!credential) {
+      throw new NotFoundException(`No credentials found for provider: ${provider}`);
+    }
+
+    // Check if token is expired
+    if (credential.expiresAt && credential.expiresAt < new Date()) {
+      throw new BadRequestException('Token has expired. Please re-authenticate.');
+    }
+
+    return credential;
+  }
+
+  async remove(userId: string, provider: string) {
+    const credential = await this.prisma.providerCredential.findUnique({
+      where: {
+        userId_provider: { userId, provider },
+      },
+    });
+
+    if (!credential) {
+      throw new NotFoundException(`No credentials found for provider: ${provider}`);
+    }
+
+    await this.prisma.providerCredential.delete({
+      where: { id: credential.id },
+    });
+
+    return { success: true };
+  }
+
+  /**
+   * Get valid access token for a provider
+   * Handles token refresh if needed
+   */
+  async getAccessToken(userId: string, provider: string): Promise<string> {
+    const credential = await this.findOne(userId, provider);
+    return credential.accessToken;
+  }
+}

package/template/src/modules/webhooks/dto/create-webhook.dto.ts

@@ -0,0 +1,14 @@
+import { IsString, IsArray, IsUrl, MaxLength } from 'class-validator';
+
+export class CreateWebhookDto {
+  @IsString()
+  @MaxLength(100)
+  name!: string;
+
+  @IsUrl()
+  url!: string;
+
+  @IsArray()
+  @IsString({ each: true })
+  events!: string[]; // ["user.created", "file.uploaded", "*"]
+}

package/template/src/modules/webhooks/webhooks.controller.ts

@@ -0,0 +1,57 @@
+import { Controller, Post, Get, Delete, Body, Param, UseGuards } from '@nestjs/common';
+import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
+import { JwtAuthGuard } from '../common/jwt-auth.guard';
+import { TenantGuard } from '../common/tenant.guard';
+import { WebhooksService } from './webhooks.service';
+import { CreateWebhookDto } from './dto/create-webhook.dto';
+
+@ApiTags('webhooks')
+@ApiBearerAuth()
+@UseGuards(JwtAuthGuard, TenantGuard)
+@Controller('projects/:projectId/webhooks')
+export class WebhooksController {
+  constructor(private readonly webhooksService: WebhooksService) {}
+
+  @Post()
+  @ApiOperation({ summary: 'Create a new webhook' })
+  async create(
+    @Param('projectId') projectId: string,
+    @Body() dto: CreateWebhookDto,
+  ) {
+    return this.webhooksService.create(projectId, dto);
+  }
+
+  @Get()
+  @ApiOperation({ summary: 'List all webhooks' })
+  async findAll(@Param('projectId') projectId: string) {
+    return this.webhooksService.findAll(projectId);
+  }
+
+  @Get(':webhookId')
+  @ApiOperation({ summary: 'Get webhook details' })
+  async findOne(
+    @Param('projectId') projectId: string,
+    @Param('webhookId') webhookId: string,
+  ) {
+    return this.webhooksService.findOne(projectId, webhookId);
+  }
+
+  @Delete(':webhookId')
+  @ApiOperation({ summary: 'Delete a webhook' })
+  async remove(
+    @Param('projectId') projectId: string,
+    @Param('webhookId') webhookId: string,
+  ) {
+    return this.webhooksService.remove(projectId, webhookId);
+  }
+
+  @Post('emit/:eventType')
+  @ApiOperation({ summary: 'Emit a test webhook event' })
+  async emitEvent(
+    @Param('projectId') projectId: string,
+    @Param('eventType') eventType: string,
+    @Body() data: Record<string, unknown>,
+  ) {
+    return this.webhooksService.emitEvent(projectId, eventType, data);
+  }
+}

package/template/src/modules/webhooks/webhooks.module.ts

@@ -0,0 +1,12 @@
+import { Module } from '@nestjs/common';
+import { WebhooksController } from './webhooks.controller';
+import { WebhooksService } from './webhooks.service';
+import { PrismaModule } from '../prisma/prisma.module';
+
+@Module({
+  imports: [PrismaModule],
+  controllers: [WebhooksController],
+  providers: [WebhooksService],
+  exports: [WebhooksService],
+})
+export class WebhooksModule {}

package/template/src/modules/webhooks/webhooks.service.ts

@@ -0,0 +1,296 @@
+import { Injectable, NotFoundException } from '@nestjs/common';
+import { PrismaService } from '../prisma/prisma.service';
+import { CreateWebhookDto } from './dto/create-webhook.dto';
+import * as crypto from 'crypto';
+
+export interface WebhookEvent {
+  id: string;
+  type: string;
+  projectId: string;
+  timestamp: Date;
+  data: Record<string, unknown>;
+}
+
+export interface WebhookDelivery {
+  id: string;
+  webhookId: string;
+  eventId: string;
+  status: 'pending' | 'success' | 'failed' | 'retrying';
+  attempts: number;
+  maxAttempts: number;
+  lastAttemptAt?: Date;
+  nextRetryAt?: Date;
+  responseCode?: number;
+  error?: string;
+}
+
+const MAX_RETRIES = 5;
+const RETRY_DELAYS = [1000, 5000, 15000, 60000, 300000]; // 1s, 5s, 15s, 1m, 5m
+
+@Injectable()
+export class WebhooksService {
+  // In-memory delivery queue (use Redis/BullMQ in production)
+  private deliveryQueue: WebhookDelivery[] = [];
+
+  constructor(private prisma: PrismaService) {}
+
+  async create(projectId: string, dto: CreateWebhookDto) {
+    // Generate a secret for HMAC signatures
+    const secret = crypto.randomBytes(32).toString('hex');
+
+    const webhook = await this.prisma.projectWebhook.create({
+      data: {
+        projectId,
+        name: dto.name,
+        url: dto.url,
+        events: dto.events,
+        secret,
+      },
+    });
+
+    return {
+      ...webhook,
+      secret, // Only time secret is shown
+    };
+  }
+
+  async findAll(projectId: string) {
+    return this.prisma.projectWebhook.findMany({
+      where: { projectId },
+      select: {
+        id: true,
+        name: true,
+        url: true,
+        events: true,
+        status: true,
+        lastTriggered: true,
+        successCount: true,
+        failCount: true,
+        createdAt: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  }
+
+  async findOne(projectId: string, webhookId: string) {
+    const webhook = await this.prisma.projectWebhook.findFirst({
+      where: { id: webhookId, projectId },
+    });
+
+    if (!webhook) {
+      throw new NotFoundException('Webhook not found');
+    }
+
+    return webhook;
+  }
+
+  async remove(projectId: string, webhookId: string) {
+    await this.findOne(projectId, webhookId);
+
+    await this.prisma.projectWebhook.delete({
+      where: { id: webhookId },
+    });
+
+    return { success: true };
+  }
+
+  /**
+   * Create a webhook event
+   */
+  createWebhookEvent(type: string, projectId: string, data: Record<string, unknown>): WebhookEvent {
+    return {
+      id: crypto.randomUUID(),
+      type,
+      projectId,
+      timestamp: new Date(),
+      data,
+    };
+  }
+
+  /**
+   * Generate HMAC signature for webhook payload
+   */
+  signWebhookPayload(payload: string, secret: string, timestamp: number): string {
+    const signedPayload = `${timestamp}.${payload}`;
+    return crypto
+      .createHmac('sha256', secret)
+      .update(signedPayload)
+      .digest('hex');
+  }
+
+  /**
+   * Verify webhook signature (for receiving webhooks)
+   */
+  verifyWebhookSignature(
+    payload: string,
+    signature: string,
+    secret: string,
+    timestamp: number,
+    toleranceMs: number = 300000, // 5 minutes
+  ): boolean {
+    const now = Date.now();
+    if (Math.abs(now - timestamp) > toleranceMs) {
+      return false;
+    }
+
+    const expectedSignature = this.signWebhookPayload(payload, secret, timestamp);
+    return crypto.timingSafeEqual(
+      Buffer.from(signature),
+      Buffer.from(expectedSignature),
+    );
+  }
+
+  /**
+   * Emit a webhook event to all matching webhooks
+   */
+  async emitEvent(
+    projectId: string,
+    eventType: string,
+    data: Record<string, unknown>,
+  ): Promise<WebhookDelivery[]> {
+    const event = this.createWebhookEvent(eventType, projectId, data);
+
+    // Get all active webhooks for this project
+    const webhooks = await this.prisma.projectWebhook.findMany({
+      where: { projectId, status: 'active' },
+    });
+
+    // Filter webhooks that subscribe to this event
+    const matchingWebhooks = webhooks.filter(wh => {
+      const events = wh.events as string[];
+      return events.includes('*') || events.includes(eventType);
+    });
+
+    const deliveries: WebhookDelivery[] = [];
+
+    for (const webhook of matchingWebhooks) {
+      const delivery = await this.queueDelivery(webhook.id, webhook.url, webhook.secret as string, event);
+      deliveries.push(delivery);
+    }
+
+    return deliveries;
+  }
+
+  /**
+   * Queue a webhook for delivery
+   */
+  private async queueDelivery(
+    webhookId: string,
+    url: string,
+    secret: string,
+    event: WebhookEvent,
+  ): Promise<WebhookDelivery> {
+    const delivery: WebhookDelivery = {
+      id: crypto.randomUUID(),
+      webhookId,
+      eventId: event.id,
+      status: 'pending',
+      attempts: 0,
+      maxAttempts: MAX_RETRIES,
+    };
+
+    this.deliveryQueue.push(delivery);
+
+    // Process immediately (in production, use a proper queue)
+    await this.processDelivery(delivery, url, secret, event);
+
+    return delivery;
+  }
+
+  /**
+   * Process a webhook delivery
+   */
+  private async processDelivery(
+    delivery: WebhookDelivery,
+    url: string,
+    secret: string,
+    event: WebhookEvent,
+  ): Promise<void> {
+    const payload = JSON.stringify({
+      id: event.id,
+      type: event.type,
+      timestamp: event.timestamp.toISOString(),
+      data: event.data,
+    });
+
+    const timestamp = Date.now();
+    const signature = this.signWebhookPayload(payload, secret, timestamp);
+
+    try {
+      delivery.attempts++;
+      delivery.lastAttemptAt = new Date();
+
+      const controller = new AbortController();
+      const timeoutId = setTimeout(() => controller.abort(), 30000);
+
+      const response = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'X-Webhook-Id': delivery.webhookId,
+          'X-Webhook-Event': event.type,
+          'X-Webhook-Signature': signature,
+          'X-Webhook-Timestamp': String(timestamp),
+        },
+        body: payload,
+        signal: controller.signal,
+      });
+
+      clearTimeout(timeoutId);
+      delivery.responseCode = response.status;
+
+      if (response.status >= 200 && response.status < 300) {
+        delivery.status = 'success';
+        await this.updateWebhookStats(delivery.webhookId, true);
+      } else {
+        throw new Error(`HTTP ${response.status}`);
+      }
+    } catch (error) {
+      delivery.error = error instanceof Error ? error.message : String(error);
+
+      if (delivery.attempts < delivery.maxAttempts) {
+        delivery.status = 'retrying';
+        delivery.nextRetryAt = new Date(Date.now() + RETRY_DELAYS[delivery.attempts - 1]);
+
+        // Schedule retry
+        setTimeout(() => {
+          this.processDelivery(delivery, url, secret, event).catch(() => {});
+        }, RETRY_DELAYS[delivery.attempts - 1]);
+      } else {
+        delivery.status = 'failed';
+        await this.updateWebhookStats(delivery.webhookId, false);
+      }
+    }
+  }
+
+  /**
+   * Update webhook success/fail counts
+   */
+  private async updateWebhookStats(webhookId: string, success: boolean): Promise<void> {
+    await this.prisma.projectWebhook.update({
+      where: { id: webhookId },
+      data: {
+        lastTriggered: new Date(),
+        successCount: { increment: success ? 1 : 0 },
+        failCount: { increment: success ? 0 : 1 },
+        status: success ? 'active' : 'failing',
+      },
+    }).catch(() => {});
+  }
+
+  /**
+   * Get delivery status
+   */
+  getDeliveryStatus(deliveryId: string): WebhookDelivery | undefined {
+    return this.deliveryQueue.find(d => d.id === deliveryId);
+  }
+
+  /**
+   * Get pending deliveries
+   */
+  getPendingDeliveries(): WebhookDelivery[] {
+    return this.deliveryQueue.filter(d =>
+      d.status === 'pending' || d.status === 'retrying',
+    );
+  }
+}