loopwind 0.24.1 → 0.25.0

package/plans/PLATFORM_IMPLEMENTATION.md

@@ -0,0 +1,2772 @@
+# Loopwind API Service - Implementation Plan
+
+## Overview
+
+This document outlines the step-by-step implementation plan for the Loopwind API service using a 100% Cloudflare stack with organization-based user management.
+
+### Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                              Domains                                         │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                             │
+│   loopwind.dev              api.loopwind.dev           app.loopwind.dev     │
+│   ─────────────             ────────────────           ─────────────────    │
+│   Marketing site            REST API                   Dashboard UI         │
+│   Documentation             Authentication             User settings        │
+│   Blog                      Template CRUD              Template management  │
+│                             Rendering API              Render history       │
+│                                                                             │
+│   └── website/              └── platform/              └── website/src/app/ │
+│       (Astro)                   (Workers)                  (Astro)          │
+│                                                                             │
+└─────────────────────────────────────────────────────────────────────────────┘
+                                     │
+                                     ▼
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                         Shared Cloudflare Resources                          │
+├─────────────────────────────────────────────────────────────────────────────┤
+│                                                                             │
+│   D1 Database          KV Namespaces           R2 Buckets                   │
+│   ───────────          ──────────────          ──────────                   │
+│   • users              • SESSIONS              • loopwind-assets            │
+│   • organizations      • RATE_LIMIT            • loopwind-renders           │
+│   • templates          • CACHE                                              │
+│   • render_jobs                                                             │
+│                                                                             │
+└─────────────────────────────────────────────────────────────────────────────┘
+```
+
+### Tech Stack
+
+| Component | Technology |
+|-----------|------------|
+| Marketing & Docs | Astro (website/) |
+| Dashboard UI | Astro (website/src/pages/app/) |
+| API | Cloudflare Workers (platform/) |
+| Database | Cloudflare D1 (SQLite) |
+| Auth | Custom (bcrypt + JWT) |
+| Sessions | Workers KV |
+| File Storage | Cloudflare R2 |
+| Video Rendering | Cloudflare Containers |
+| Image Rendering | Workers (WASM) |
+| CDN | Cloudflare (automatic) |
+
+### User Model
+
+```
+Organization
+  └── Users (members)
+       └── API Keys
+       └── Templates (owned by org, created by user)
+```
+
+---
+
+## Phase 1: Project Setup & Database Schema
+
+### 1.1 Initialize Cloudflare Project
+
+```bash
+# Create platform directory
+mkdir platform
+cd platform
+
+# Initialize Workers project
+npm create cloudflare@latest . -- --template worker-typescript
+
+# Install dependencies
+npm install hono                    # Lightweight web framework
+npm install @cloudflare/workers-types
+npm install bcryptjs                # Password hashing (works in Workers)
+npm install jose                    # JWT handling (edge-compatible)
+npm install zod                     # Validation
+npm install nanoid                  # ID generation
+```
+
+### 1.2 Project Structure
+
+```
+loopwind/
+├── src/                            # CLI source (existing)
+├── dist/                           # CLI build (existing)
+├── website/                        # loopwind.dev website (existing)
+├── platform/                       # Cloudflare Workers API
+│   ├── src/
+│   │   ├── index.ts                # Main worker entry
+│   │   ├── routes/
+│   │   │   ├── auth.ts             # Login, register, logout
+│   │   │   ├── organizations.ts    # Org management
+│   │   │   ├── users.ts            # User management
+│   │   │   ├── templates.ts        # Template CRUD & publish
+│   │   │   ├── render.ts           # Image/video rendering
+│   │   │   └── keys.ts             # API key management
+│   │   ├── middleware/
+│   │   │   ├── auth.ts             # JWT validation
+│   │   │   ├── rateLimit.ts        # Rate limiting
+│   │   │   └── orgAccess.ts        # Organization access control
+│   │   ├── services/
+│   │   │   ├── auth.ts             # Auth logic
+│   │   │   ├── render.ts           # Render orchestration
+│   │   │   └── storage.ts          # R2 operations
+│   │   ├── db/
+│   │   │   ├── schema.sql          # D1 schema
+│   │   │   └── queries.ts          # Typed queries
+│   │   ├── lib/
+│   │   │   ├── jwt.ts              # JWT helpers
+│   │   │   ├── password.ts         # Password hashing
+│   │   │   └── id.ts               # ID generation
+│   │   └── types/
+│   │       └── env.ts              # Environment bindings
+│   ├── container/
+│   │   ├── Dockerfile              # Video renderer container
+│   │   ├── render-server.ts        # Container render service
+│   │   └── package.json
+│   ├── migrations/
+│   │   └── 0001_initial.sql        # Database migrations
+│   ├── wrangler.toml               # Cloudflare config
+│   ├── package.json
+│   └── tsconfig.json
+└── package.json                    # Root package (CLI)
+```
+
+### 1.3 Local Development
+
+```bash
+# From project root
+cd platform
+
+# Install dependencies
+npm install
+
+# Run D1 migrations locally
+npm run db:migrate:local
+# → wrangler d1 execute loopwind --local --file=migrations/0001_initial.sql
+
+# Start local dev server
+npm run dev
+# → wrangler dev --local
+
+# Deploy to Cloudflare
+npm run deploy
+# → wrangler deploy
+```
+
+### 1.4 Wrangler Configuration
+
+```toml
+# platform/wrangler.toml
+name = "loopwind-api"
+main = "src/index.ts"
+compatibility_date = "2025-01-01"
+node_compat = true
+
+# Custom domain
+routes = [
+  { pattern = "api.loopwind.dev", custom_domain = true }
+]
+
+[limits]
+cpu_ms = 300000  # 5 minutes for complex renders
+
+# D1 Database
+[[d1_databases]]
+binding = "DB"
+database_name = "loopwind"
+database_id = "xxxxx"  # Created via `wrangler d1 create loopwind`
+
+# R2 Storage
+[[r2_buckets]]
+binding = "STORAGE"
+bucket_name = "loopwind-assets"
+
+[[r2_buckets]]
+binding = "RENDERS"
+bucket_name = "loopwind-renders"
+
+# KV for sessions and rate limiting
+[[kv_namespaces]]
+binding = "SESSIONS"
+id = "xxxxx"
+
+[[kv_namespaces]]
+binding = "RATE_LIMIT"
+id = "xxxxx"
+
+[[kv_namespaces]]
+binding = "CACHE"
+id = "xxxxx"
+
+# Containers for video rendering
+[[containers]]
+binding = "VIDEO_RENDERER"
+class_name = "VideoRenderer"
+image = "./container"
+
+# Durable Objects for job orchestration
+[[durable_objects.bindings]]
+name = "RENDER_JOBS"
+class_name = "RenderJobOrchestrator"
+
+[[migrations]]
+tag = "v1"
+new_classes = ["RenderJobOrchestrator"]
+
+# Environment variables
+[vars]
+JWT_ISSUER = "loopwind.dev"
+JWT_AUDIENCE = "loopwind-api"
+CORS_ORIGINS = "https://loopwind.dev,https://app.loopwind.dev"
+
+# Secrets (set via `wrangler secret put`)
+# JWT_SECRET
+```
+
+### 1.5 CORS Configuration
+
+Since the API runs on a separate subdomain, CORS must be configured:
+
+```typescript
+// platform/src/index.ts
+import { cors } from 'hono/cors';
+
+app.use('*', cors({
+  origin: (origin) => {
+    const allowed = [
+      'https://loopwind.dev',
+      'https://app.loopwind.dev',
+      'http://localhost:4321',  // Astro dev
+      'http://localhost:3000',
+    ];
+    return allowed.includes(origin) ? origin : null;
+  },
+  credentials: true,
+  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
+  allowHeaders: ['Content-Type', 'Authorization'],
+  exposeHeaders: ['X-RateLimit-Limit', 'X-RateLimit-Remaining', 'X-Render-Duration'],
+  maxAge: 86400,
+}));
+```
+
+### 1.6 Custom Domains Setup
+
+```bash
+# In Cloudflare Dashboard or via CLI:
+
+# 1. Add api.loopwind.dev to your zone
+# 2. Deploy platform worker
+cd platform
+wrangler deploy
+
+# 3. The custom_domain in wrangler.toml will automatically:
+#    - Create DNS record
+#    - Provision SSL certificate
+#    - Route traffic to the worker
+
+# For app.loopwind.dev (dashboard), configure in website deployment
+# This can be a separate Cloudflare Pages project or route
+```
+
+### 1.7 Database Schema
+
+```sql
+-- migrations/0001_initial.sql
+
+-- Organizations
+CREATE TABLE organizations (
+  id TEXT PRIMARY KEY,                    -- org_xxxxx
+  name TEXT NOT NULL,
+  slug TEXT UNIQUE NOT NULL,              -- URL-safe name
+  plan TEXT DEFAULT 'free',               -- free, pro, business
+
+  -- Limits based on plan
+  image_renders_limit INTEGER DEFAULT 100,
+  video_renders_limit INTEGER DEFAULT 10,
+  templates_limit INTEGER DEFAULT 5,
+  members_limit INTEGER DEFAULT 1,
+
+  -- Usage counters (reset monthly)
+  image_renders_used INTEGER DEFAULT 0,
+  video_renders_used INTEGER DEFAULT 0,
+  usage_reset_at TEXT,                    -- ISO date of next reset
+
+  created_at TEXT DEFAULT (datetime('now')),
+  updated_at TEXT DEFAULT (datetime('now'))
+);
+
+-- Users
+CREATE TABLE users (
+  id TEXT PRIMARY KEY,                    -- usr_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+
+  email TEXT UNIQUE NOT NULL,
+  username TEXT UNIQUE NOT NULL,
+  password_hash TEXT NOT NULL,
+
+  name TEXT,
+  avatar_url TEXT,
+  role TEXT DEFAULT 'member',             -- owner, admin, member
+
+  email_verified_at TEXT,
+  last_login_at TEXT,
+
+  created_at TEXT DEFAULT (datetime('now')),
+  updated_at TEXT DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_users_org ON users(org_id);
+CREATE INDEX idx_users_email ON users(email);
+CREATE INDEX idx_users_username ON users(username);
+
+-- API Keys
+CREATE TABLE api_keys (
+  id TEXT PRIMARY KEY,                    -- key_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+
+  name TEXT NOT NULL,
+  key_hash TEXT NOT NULL,                 -- bcrypt hash
+  key_prefix TEXT NOT NULL,               -- lw_live_xxxx (for display)
+
+  scopes TEXT DEFAULT '[]',               -- JSON array: ["render:read", "render:write"]
+
+  last_used_at TEXT,
+  expires_at TEXT,                        -- Optional expiration
+
+  created_at TEXT DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_api_keys_org ON api_keys(org_id);
+CREATE INDEX idx_api_keys_prefix ON api_keys(key_prefix);
+
+-- Templates
+CREATE TABLE templates (
+  id TEXT PRIMARY KEY,                    -- tpl_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+  created_by TEXT NOT NULL REFERENCES users(id),
+
+  name TEXT NOT NULL,
+  slug TEXT NOT NULL,                     -- org-slug/template-name
+  description TEXT,
+
+  type TEXT NOT NULL,                     -- image, video
+  meta TEXT NOT NULL,                     -- JSON: { size, props, video? }
+
+  is_private INTEGER DEFAULT 0,
+  tags TEXT DEFAULT '[]',                 -- JSON array
+
+  -- Stats
+  downloads INTEGER DEFAULT 0,
+  renders INTEGER DEFAULT 0,
+
+  created_at TEXT DEFAULT (datetime('now')),
+  updated_at TEXT DEFAULT (datetime('now')),
+
+  UNIQUE(org_id, name)
+);
+
+CREATE INDEX idx_templates_org ON templates(org_id);
+CREATE INDEX idx_templates_slug ON templates(slug);
+CREATE INDEX idx_templates_type ON templates(type);
+
+-- Template Versions
+CREATE TABLE template_versions (
+  id TEXT PRIMARY KEY,                    -- ver_xxxxx
+  template_id TEXT NOT NULL REFERENCES templates(id) ON DELETE CASCADE,
+
+  version TEXT NOT NULL,                  -- Semver: 1.0.0
+  files TEXT NOT NULL,                    -- JSON: [{ path, r2_key, checksum }]
+
+  published_at TEXT DEFAULT (datetime('now')),
+
+  UNIQUE(template_id, version)
+);
+
+CREATE INDEX idx_versions_template ON template_versions(template_id);
+
+-- Render Jobs (for async video rendering)
+CREATE TABLE render_jobs (
+  id TEXT PRIMARY KEY,                    -- job_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id),
+  user_id TEXT REFERENCES users(id),
+  template_id TEXT NOT NULL REFERENCES templates(id),
+
+  status TEXT DEFAULT 'queued',           -- queued, processing, completed, failed
+
+  props TEXT,                             -- JSON
+  format TEXT NOT NULL,                   -- mp4, gif
+
+  progress REAL DEFAULT 0,                -- 0.0 - 1.0
+  current_frame INTEGER,
+  total_frames INTEGER,
+
+  output_key TEXT,                        -- R2 key for output
+  error TEXT,
+
+  webhook_url TEXT,
+  webhook_sent INTEGER DEFAULT 0,
+
+  started_at TEXT,
+  completed_at TEXT,
+  created_at TEXT DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_jobs_org ON render_jobs(org_id);
+CREATE INDEX idx_jobs_status ON render_jobs(status);
+
+-- Invitations (for adding users to orgs)
+CREATE TABLE invitations (
+  id TEXT PRIMARY KEY,                    -- inv_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+  invited_by TEXT NOT NULL REFERENCES users(id),
+
+  email TEXT NOT NULL,
+  role TEXT DEFAULT 'member',
+
+  token TEXT UNIQUE NOT NULL,             -- Random token for invite link
+
+  expires_at TEXT NOT NULL,
+  accepted_at TEXT,
+
+  created_at TEXT DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_invitations_token ON invitations(token);
+CREATE INDEX idx_invitations_email ON invitations(email);
+
+-- Audit Log
+CREATE TABLE audit_log (
+  id TEXT PRIMARY KEY,
+  org_id TEXT NOT NULL,
+  user_id TEXT,
+
+  action TEXT NOT NULL,                   -- user.login, template.publish, etc.
+  resource_type TEXT,                     -- user, template, api_key
+  resource_id TEXT,
+
+  metadata TEXT,                          -- JSON
+  ip_address TEXT,
+  user_agent TEXT,
+
+  created_at TEXT DEFAULT (datetime('now'))
+);
+
+CREATE INDEX idx_audit_org ON audit_log(org_id);
+CREATE INDEX idx_audit_created ON audit_log(created_at);
+```
+
+### 1.8 Create D1 Database
+
+```bash
+# From platform directory
+cd platform
+
+# Create database
+wrangler d1 create loopwind
+# Copy the database_id to wrangler.toml
+
+# Run migrations
+wrangler d1 execute loopwind --file=./migrations/0001_initial.sql
+
+# Create KV namespaces
+wrangler kv:namespace create SESSIONS
+wrangler kv:namespace create RATE_LIMIT
+wrangler kv:namespace create CACHE
+# Copy the IDs to wrangler.toml
+
+# Create R2 buckets
+wrangler r2 bucket create loopwind-assets
+wrangler r2 bucket create loopwind-renders
+
+# Set secrets
+wrangler secret put JWT_SECRET
+# Enter a secure random string (64+ chars)
+```
+
+---
+
+## Phase 2: Authentication System
+
+### 2.1 Environment Types
+
+```typescript
+// src/types/env.ts
+export interface Env {
+  // D1
+  DB: D1Database;
+
+  // R2
+  STORAGE: R2Bucket;
+  RENDERS: R2Bucket;
+
+  // KV
+  SESSIONS: KVNamespace;
+  RATE_LIMIT: KVNamespace;
+  CACHE: KVNamespace;
+
+  // Containers
+  VIDEO_RENDERER: Container;
+
+  // Durable Objects
+  RENDER_JOBS: DurableObjectNamespace;
+
+  // Secrets
+  JWT_SECRET: string;
+
+  // Vars
+  JWT_ISSUER: string;
+  JWT_AUDIENCE: string;
+}
+
+export interface User {
+  id: string;
+  org_id: string;
+  email: string;
+  username: string;
+  name: string | null;
+  role: 'owner' | 'admin' | 'member';
+}
+
+export interface Organization {
+  id: string;
+  name: string;
+  slug: string;
+  plan: 'free' | 'pro' | 'business';
+}
+
+export interface JWTPayload {
+  sub: string;        // user_id
+  org: string;        // org_id
+  role: string;       // user role
+  iss: string;
+  aud: string;
+  iat: number;
+  exp: number;
+}
+```
+
+### 2.2 Password Utilities
+
+```typescript
+// src/lib/password.ts
+import bcrypt from 'bcryptjs';
+
+const SALT_ROUNDS = 12;
+
+export async function hashPassword(password: string): Promise<string> {
+  return bcrypt.hash(password, SALT_ROUNDS);
+}
+
+export async function verifyPassword(password: string, hash: string): Promise<boolean> {
+  return bcrypt.compare(password, hash);
+}
+
+export function validatePasswordStrength(password: string): { valid: boolean; errors: string[] } {
+  const errors: string[] = [];
+
+  if (password.length < 8) {
+    errors.push('Password must be at least 8 characters');
+  }
+  if (!/[A-Z]/.test(password)) {
+    errors.push('Password must contain an uppercase letter');
+  }
+  if (!/[a-z]/.test(password)) {
+    errors.push('Password must contain a lowercase letter');
+  }
+  if (!/[0-9]/.test(password)) {
+    errors.push('Password must contain a number');
+  }
+
+  return { valid: errors.length === 0, errors };
+}
+```
+
+### 2.3 JWT Utilities
+
+```typescript
+// src/lib/jwt.ts
+import { SignJWT, jwtVerify } from 'jose';
+import type { JWTPayload, Env } from '../types/env';
+
+const ACCESS_TOKEN_TTL = '15m';
+const REFRESH_TOKEN_TTL = '7d';
+
+export async function signAccessToken(
+  payload: Omit<JWTPayload, 'iss' | 'aud' | 'iat' | 'exp'>,
+  env: Env
+): Promise<string> {
+  const secret = new TextEncoder().encode(env.JWT_SECRET);
+
+  return new SignJWT(payload)
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuer(env.JWT_ISSUER)
+    .setAudience(env.JWT_AUDIENCE)
+    .setIssuedAt()
+    .setExpirationTime(ACCESS_TOKEN_TTL)
+    .sign(secret);
+}
+
+export async function signRefreshToken(
+  userId: string,
+  env: Env
+): Promise<string> {
+  const secret = new TextEncoder().encode(env.JWT_SECRET);
+
+  return new SignJWT({ sub: userId, type: 'refresh' })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuer(env.JWT_ISSUER)
+    .setIssuedAt()
+    .setExpirationTime(REFRESH_TOKEN_TTL)
+    .sign(secret);
+}
+
+export async function verifyToken(token: string, env: Env): Promise<JWTPayload | null> {
+  try {
+    const secret = new TextEncoder().encode(env.JWT_SECRET);
+    const { payload } = await jwtVerify(token, secret, {
+      issuer: env.JWT_ISSUER,
+      audience: env.JWT_AUDIENCE,
+    });
+    return payload as JWTPayload;
+  } catch {
+    return null;
+  }
+}
+```
+
+### 2.4 ID Generation
+
+```typescript
+// src/lib/id.ts
+import { nanoid } from 'nanoid';
+
+export const generateId = {
+  org: () => `org_${nanoid(16)}`,
+  user: () => `usr_${nanoid(16)}`,
+  key: () => `key_${nanoid(16)}`,
+  template: () => `tpl_${nanoid(16)}`,
+  version: () => `ver_${nanoid(16)}`,
+  job: () => `job_${nanoid(16)}`,
+  invitation: () => `inv_${nanoid(16)}`,
+};
+
+export function generateApiKey(): { key: string; prefix: string } {
+  const key = `lw_live_${nanoid(32)}`;
+  const prefix = key.substring(0, 12);
+  return { key, prefix };
+}
+
+export function generateInviteToken(): string {
+  return nanoid(32);
+}
+```
+
+### 2.5 Auth Routes
+
+```typescript
+// src/routes/auth.ts
+import { Hono } from 'hono';
+import { z } from 'zod';
+import type { Env, User } from '../types/env';
+import { hashPassword, verifyPassword, validatePasswordStrength } from '../lib/password';
+import { signAccessToken, signRefreshToken, verifyToken } from '../lib/jwt';
+import { generateId } from '../lib/id';
+
+const auth = new Hono<{ Bindings: Env }>();
+
+// Validation schemas
+const registerSchema = z.object({
+  email: z.string().email(),
+  username: z.string().min(3).max(30).regex(/^[a-z0-9_-]+$/i),
+  password: z.string().min(8),
+  name: z.string().optional(),
+  orgName: z.string().min(2).max(50),
+});
+
+const loginSchema = z.object({
+  email: z.string().email(),
+  password: z.string(),
+});
+
+// POST /auth/register
+auth.post('/register', async (c) => {
+  const body = await c.req.json();
+  const parsed = registerSchema.safeParse(body);
+
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  }
+
+  const { email, username, password, name, orgName } = parsed.data;
+
+  // Validate password strength
+  const pwCheck = validatePasswordStrength(password);
+  if (!pwCheck.valid) {
+    return c.json({ error: 'Weak password', details: pwCheck.errors }, 400);
+  }
+
+  // Check if email/username exists
+  const existing = await c.env.DB.prepare(
+    'SELECT id FROM users WHERE email = ? OR username = ?'
+  ).bind(email, username).first();
+
+  if (existing) {
+    return c.json({ error: 'Email or username already exists' }, 409);
+  }
+
+  // Create organization
+  const orgId = generateId.org();
+  const orgSlug = orgName.toLowerCase().replace(/[^a-z0-9]+/g, '-');
+
+  // Check org slug uniqueness
+  const existingOrg = await c.env.DB.prepare(
+    'SELECT id FROM organizations WHERE slug = ?'
+  ).bind(orgSlug).first();
+
+  if (existingOrg) {
+    return c.json({ error: 'Organization name already taken' }, 409);
+  }
+
+  // Hash password
+  const passwordHash = await hashPassword(password);
+
+  // Create org and user in transaction
+  const userId = generateId.user();
+  const now = new Date().toISOString();
+
+  await c.env.DB.batch([
+    c.env.DB.prepare(`
+      INSERT INTO organizations (id, name, slug, usage_reset_at)
+      VALUES (?, ?, ?, ?)
+    `).bind(orgId, orgName, orgSlug, getNextMonthReset()),
+
+    c.env.DB.prepare(`
+      INSERT INTO users (id, org_id, email, username, password_hash, name, role)
+      VALUES (?, ?, ?, ?, ?, ?, 'owner')
+    `).bind(userId, orgId, email, username, passwordHash, name || null),
+  ]);
+
+  // Generate tokens
+  const accessToken = await signAccessToken({ sub: userId, org: orgId, role: 'owner' }, c.env);
+  const refreshToken = await signRefreshToken(userId, c.env);
+
+  // Store refresh token in KV
+  await c.env.SESSIONS.put(`refresh:${userId}`, refreshToken, { expirationTtl: 7 * 24 * 60 * 60 });
+
+  return c.json({
+    user: { id: userId, email, username, name, role: 'owner' },
+    organization: { id: orgId, name: orgName, slug: orgSlug },
+    accessToken,
+    refreshToken,
+  }, 201);
+});
+
+// POST /auth/login
+auth.post('/login', async (c) => {
+  const body = await c.req.json();
+  const parsed = loginSchema.safeParse(body);
+
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed' }, 400);
+  }
+
+  const { email, password } = parsed.data;
+
+  // Find user
+  const user = await c.env.DB.prepare(`
+    SELECT u.id, u.org_id, u.email, u.username, u.name, u.role, u.password_hash,
+           o.name as org_name, o.slug as org_slug, o.plan
+    FROM users u
+    JOIN organizations o ON u.org_id = o.id
+    WHERE u.email = ?
+  `).bind(email).first<any>();
+
+  if (!user) {
+    return c.json({ error: 'Invalid credentials' }, 401);
+  }
+
+  // Verify password
+  const valid = await verifyPassword(password, user.password_hash);
+  if (!valid) {
+    return c.json({ error: 'Invalid credentials' }, 401);
+  }
+
+  // Update last login
+  await c.env.DB.prepare(
+    'UPDATE users SET last_login_at = ? WHERE id = ?'
+  ).bind(new Date().toISOString(), user.id).run();
+
+  // Generate tokens
+  const accessToken = await signAccessToken(
+    { sub: user.id, org: user.org_id, role: user.role },
+    c.env
+  );
+  const refreshToken = await signRefreshToken(user.id, c.env);
+
+  // Store refresh token
+  await c.env.SESSIONS.put(`refresh:${user.id}`, refreshToken, { expirationTtl: 7 * 24 * 60 * 60 });
+
+  return c.json({
+    user: {
+      id: user.id,
+      email: user.email,
+      username: user.username,
+      name: user.name,
+      role: user.role,
+    },
+    organization: {
+      id: user.org_id,
+      name: user.org_name,
+      slug: user.org_slug,
+      plan: user.plan,
+    },
+    accessToken,
+    refreshToken,
+  });
+});
+
+// POST /auth/refresh
+auth.post('/refresh', async (c) => {
+  const { refreshToken } = await c.req.json();
+
+  if (!refreshToken) {
+    return c.json({ error: 'Refresh token required' }, 400);
+  }
+
+  // Verify refresh token
+  const payload = await verifyToken(refreshToken, c.env);
+  if (!payload || payload.type !== 'refresh') {
+    return c.json({ error: 'Invalid refresh token' }, 401);
+  }
+
+  // Check if token is still valid in KV
+  const storedToken = await c.env.SESSIONS.get(`refresh:${payload.sub}`);
+  if (storedToken !== refreshToken) {
+    return c.json({ error: 'Refresh token revoked' }, 401);
+  }
+
+  // Get user
+  const user = await c.env.DB.prepare(`
+    SELECT id, org_id, role FROM users WHERE id = ?
+  `).bind(payload.sub).first<any>();
+
+  if (!user) {
+    return c.json({ error: 'User not found' }, 401);
+  }
+
+  // Generate new tokens
+  const newAccessToken = await signAccessToken(
+    { sub: user.id, org: user.org_id, role: user.role },
+    c.env
+  );
+  const newRefreshToken = await signRefreshToken(user.id, c.env);
+
+  // Update refresh token in KV
+  await c.env.SESSIONS.put(`refresh:${user.id}`, newRefreshToken, { expirationTtl: 7 * 24 * 60 * 60 });
+
+  return c.json({
+    accessToken: newAccessToken,
+    refreshToken: newRefreshToken,
+  });
+});
+
+// POST /auth/logout
+auth.post('/logout', async (c) => {
+  const authHeader = c.req.header('Authorization');
+  if (!authHeader?.startsWith('Bearer ')) {
+    return c.json({ error: 'Unauthorized' }, 401);
+  }
+
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token, c.env);
+
+  if (payload) {
+    // Delete refresh token
+    await c.env.SESSIONS.delete(`refresh:${payload.sub}`);
+  }
+
+  return c.json({ success: true });
+});
+
+// Helper function
+function getNextMonthReset(): string {
+  const now = new Date();
+  const next = new Date(now.getFullYear(), now.getMonth() + 1, 1);
+  return next.toISOString();
+}
+
+export default auth;
+```
+
+### 2.6 Auth Middleware
+
+```typescript
+// src/middleware/auth.ts
+import { Context, Next } from 'hono';
+import { verifyToken } from '../lib/jwt';
+import type { Env, User, JWTPayload } from '../types/env';
+
+// Extend Hono context
+declare module 'hono' {
+  interface ContextVariableMap {
+    user: JWTPayload;
+    apiKey?: { id: string; scopes: string[] };
+  }
+}
+
+export async function authMiddleware(c: Context<{ Bindings: Env }>, next: Next) {
+  const authHeader = c.req.header('Authorization');
+
+  if (!authHeader) {
+    return c.json({ error: 'Authorization required' }, 401);
+  }
+
+  // Check for Bearer token (JWT)
+  if (authHeader.startsWith('Bearer ')) {
+    const token = authHeader.slice(7);
+    const payload = await verifyToken(token, c.env);
+
+    if (!payload) {
+      return c.json({ error: 'Invalid or expired token' }, 401);
+    }
+
+    c.set('user', payload);
+    return next();
+  }
+
+  // Check for API key
+  if (authHeader.startsWith('ApiKey ')) {
+    const apiKey = authHeader.slice(7);
+    const keyPrefix = apiKey.substring(0, 12);
+
+    // Find API key by prefix
+    const key = await c.env.DB.prepare(`
+      SELECT ak.id, ak.key_hash, ak.scopes, ak.org_id, u.id as user_id, u.role
+      FROM api_keys ak
+      JOIN users u ON ak.user_id = u.id
+      WHERE ak.key_prefix = ?
+        AND (ak.expires_at IS NULL OR ak.expires_at > datetime('now'))
+    `).bind(keyPrefix).first<any>();
+
+    if (!key) {
+      return c.json({ error: 'Invalid API key' }, 401);
+    }
+
+    // Verify full key hash
+    const bcrypt = await import('bcryptjs');
+    const valid = await bcrypt.compare(apiKey, key.key_hash);
+
+    if (!valid) {
+      return c.json({ error: 'Invalid API key' }, 401);
+    }
+
+    // Update last used
+    await c.env.DB.prepare(
+      'UPDATE api_keys SET last_used_at = ? WHERE id = ?'
+    ).bind(new Date().toISOString(), key.id).run();
+
+    // Set context
+    c.set('user', {
+      sub: key.user_id,
+      org: key.org_id,
+      role: key.role,
+    } as JWTPayload);
+    c.set('apiKey', { id: key.id, scopes: JSON.parse(key.scopes) });
+
+    return next();
+  }
+
+  return c.json({ error: 'Invalid authorization format' }, 401);
+}
+
+// Scope checking middleware
+export function requireScopes(...scopes: string[]) {
+  return async (c: Context<{ Bindings: Env }>, next: Next) => {
+    const apiKey = c.get('apiKey');
+
+    // JWT auth has all scopes
+    if (!apiKey) {
+      return next();
+    }
+
+    // Check API key scopes
+    const hasScope = scopes.every(s => apiKey.scopes.includes(s));
+    if (!hasScope) {
+      return c.json({ error: 'Insufficient permissions', required: scopes }, 403);
+    }
+
+    return next();
+  };
+}
+
+// Role checking middleware
+export function requireRole(...roles: string[]) {
+  return async (c: Context<{ Bindings: Env }>, next: Next) => {
+    const user = c.get('user');
+
+    if (!roles.includes(user.role)) {
+      return c.json({ error: 'Insufficient role', required: roles }, 403);
+    }
+
+    return next();
+  };
+}
+```
+
+### 2.7 Rate Limiting Middleware
+
+```typescript
+// src/middleware/rateLimit.ts
+import { Context, Next } from 'hono';
+import type { Env } from '../types/env';
+
+interface RateLimitConfig {
+  windowMs: number;    // Time window in ms
+  maxRequests: number; // Max requests per window
+}
+
+const PLAN_LIMITS: Record<string, RateLimitConfig> = {
+  free: { windowMs: 60000, maxRequests: 10 },
+  pro: { windowMs: 60000, maxRequests: 100 },
+  business: { windowMs: 60000, maxRequests: 500 },
+};
+
+export async function rateLimitMiddleware(c: Context<{ Bindings: Env }>, next: Next) {
+  const user = c.get('user');
+  if (!user) return next();
+
+  // Get org plan
+  const org = await c.env.DB.prepare(
+    'SELECT plan FROM organizations WHERE id = ?'
+  ).bind(user.org).first<{ plan: string }>();
+
+  const limits = PLAN_LIMITS[org?.plan || 'free'];
+  const key = `rate:${user.org}:${Math.floor(Date.now() / limits.windowMs)}`;
+
+  // Get current count
+  const current = await c.env.RATE_LIMIT.get(key);
+  const count = current ? parseInt(current, 10) : 0;
+
+  if (count >= limits.maxRequests) {
+    return c.json({
+      error: 'Rate limit exceeded',
+      retryAfter: Math.ceil(limits.windowMs / 1000),
+    }, 429);
+  }
+
+  // Increment counter
+  await c.env.RATE_LIMIT.put(key, String(count + 1), {
+    expirationTtl: Math.ceil(limits.windowMs / 1000),
+  });
+
+  // Set rate limit headers
+  c.header('X-RateLimit-Limit', String(limits.maxRequests));
+  c.header('X-RateLimit-Remaining', String(limits.maxRequests - count - 1));
+
+  return next();
+}
+```
+
+---
+
+## Phase 3: Template Publishing
+
+### 3.1 Template Routes
+
+```typescript
+// src/routes/templates.ts
+import { Hono } from 'hono';
+import { z } from 'zod';
+import type { Env } from '../types/env';
+import { authMiddleware, requireScopes } from '../middleware/auth';
+import { generateId } from '../lib/id';
+
+const templates = new Hono<{ Bindings: Env }>();
+
+// Apply auth to all routes
+templates.use('*', authMiddleware);
+
+const publishSchema = z.object({
+  name: z.string().min(1).max(50).regex(/^[a-z0-9-]+$/),
+  version: z.string().regex(/^\d+\.\d+\.\d+$/),
+  description: z.string().optional(),
+  isPrivate: z.boolean().default(false),
+  tags: z.array(z.string()).default([]),
+  meta: z.object({
+    type: z.enum(['image', 'video']),
+    size: z.object({ width: z.number(), height: z.number() }),
+    video: z.object({ fps: z.number(), duration: z.number() }).optional(),
+    props: z.record(z.string()),
+  }),
+  files: z.array(z.object({
+    path: z.string(),
+    content: z.string(), // Base64 encoded
+  })),
+});
+
+// POST /templates/publish
+templates.post('/publish', requireScopes('templates:write'), async (c) => {
+  const user = c.get('user');
+  const body = await c.req.json();
+
+  const parsed = publishSchema.safeParse(body);
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  }
+
+  const { name, version, description, isPrivate, tags, meta, files } = parsed.data;
+
+  // Get org for slug
+  const org = await c.env.DB.prepare(
+    'SELECT slug, templates_limit FROM organizations WHERE id = ?'
+  ).bind(user.org).first<any>();
+
+  // Check template limit
+  const templateCount = await c.env.DB.prepare(
+    'SELECT COUNT(*) as count FROM templates WHERE org_id = ?'
+  ).bind(user.org).first<{ count: number }>();
+
+  if (templateCount!.count >= org.templates_limit) {
+    return c.json({ error: 'Template limit reached', limit: org.templates_limit }, 403);
+  }
+
+  const slug = `${org.slug}/${name}`;
+
+  // Check if template exists
+  let template = await c.env.DB.prepare(
+    'SELECT id FROM templates WHERE org_id = ? AND name = ?'
+  ).bind(user.org, name).first<{ id: string }>();
+
+  const templateId = template?.id || generateId.template();
+
+  // Check version doesn't exist
+  if (template) {
+    const existingVersion = await c.env.DB.prepare(
+      'SELECT id FROM template_versions WHERE template_id = ? AND version = ?'
+    ).bind(templateId, version).first();
+
+    if (existingVersion) {
+      return c.json({ error: 'Version already exists' }, 409);
+    }
+  }
+
+  // Upload files to R2
+  const uploadedFiles: { path: string; r2Key: string; checksum: string }[] = [];
+
+  for (const file of files) {
+    const content = Buffer.from(file.content, 'base64');
+    const checksum = await crypto.subtle.digest('SHA-256', content);
+    const checksumHex = Array.from(new Uint8Array(checksum))
+      .map(b => b.toString(16).padStart(2, '0')).join('');
+
+    const r2Key = `templates/${templateId}/${version}/${file.path}`;
+
+    await c.env.STORAGE.put(r2Key, content, {
+      customMetadata: { checksum: checksumHex },
+    });
+
+    uploadedFiles.push({ path: file.path, r2Key, checksum: checksumHex });
+  }
+
+  // Create or update template
+  const versionId = generateId.version();
+
+  if (!template) {
+    await c.env.DB.batch([
+      c.env.DB.prepare(`
+        INSERT INTO templates (id, org_id, created_by, name, slug, description, type, meta, is_private, tags)
+        VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      `).bind(
+        templateId, user.org, user.sub, name, slug,
+        description || null, meta.type, JSON.stringify(meta),
+        isPrivate ? 1 : 0, JSON.stringify(tags)
+      ),
+      c.env.DB.prepare(`
+        INSERT INTO template_versions (id, template_id, version, files)
+        VALUES (?, ?, ?, ?)
+      `).bind(versionId, templateId, version, JSON.stringify(uploadedFiles)),
+    ]);
+  } else {
+    await c.env.DB.batch([
+      c.env.DB.prepare(`
+        UPDATE templates SET description = ?, meta = ?, is_private = ?, tags = ?, updated_at = datetime('now')
+        WHERE id = ?
+      `).bind(description || null, JSON.stringify(meta), isPrivate ? 1 : 0, JSON.stringify(tags), templateId),
+      c.env.DB.prepare(`
+        INSERT INTO template_versions (id, template_id, version, files)
+        VALUES (?, ?, ?, ?)
+      `).bind(versionId, templateId, version, JSON.stringify(uploadedFiles)),
+    ]);
+  }
+
+  return c.json({
+    id: templateId,
+    name,
+    slug,
+    version,
+    url: `https://loopwind.dev/${slug}`,
+    publishedAt: new Date().toISOString(),
+  }, 201);
+});
+
+// GET /templates - List public templates or org templates
+templates.get('/', async (c) => {
+  const user = c.get('user');
+  const { q, type, tags, author, sort = 'recent', page = '1', limit = '20' } = c.req.query();
+
+  const offset = (parseInt(page) - 1) * parseInt(limit);
+
+  let query = `
+    SELECT t.*, o.name as org_name, o.slug as org_slug,
+           (SELECT version FROM template_versions WHERE template_id = t.id ORDER BY published_at DESC LIMIT 1) as latest_version
+    FROM templates t
+    JOIN organizations o ON t.org_id = o.id
+    WHERE (t.is_private = 0 OR t.org_id = ?)
+  `;
+  const params: any[] = [user.org];
+
+  if (q) {
+    query += ` AND (t.name LIKE ? OR t.description LIKE ?)`;
+    params.push(`%${q}%`, `%${q}%`);
+  }
+
+  if (type) {
+    query += ` AND t.type = ?`;
+    params.push(type);
+  }
+
+  if (author) {
+    query += ` AND o.slug = ?`;
+    params.push(author);
+  }
+
+  // Sort
+  const sortMap: Record<string, string> = {
+    recent: 'ORDER BY t.created_at DESC',
+    popular: 'ORDER BY t.renders DESC',
+    downloads: 'ORDER BY t.downloads DESC',
+  };
+  query += ` ${sortMap[sort] || sortMap.recent}`;
+
+  query += ` LIMIT ? OFFSET ?`;
+  params.push(parseInt(limit), offset);
+
+  const results = await c.env.DB.prepare(query).bind(...params).all();
+
+  // Get total count
+  let countQuery = `
+    SELECT COUNT(*) as total FROM templates t
+    JOIN organizations o ON t.org_id = o.id
+    WHERE (t.is_private = 0 OR t.org_id = ?)
+  `;
+  const countParams: any[] = [user.org];
+
+  if (q) {
+    countQuery += ` AND (t.name LIKE ? OR t.description LIKE ?)`;
+    countParams.push(`%${q}%`, `%${q}%`);
+  }
+  if (type) {
+    countQuery += ` AND t.type = ?`;
+    countParams.push(type);
+  }
+
+  const countResult = await c.env.DB.prepare(countQuery).bind(...countParams).first<{ total: number }>();
+
+  return c.json({
+    templates: results.results,
+    total: countResult?.total || 0,
+    page: parseInt(page),
+    pages: Math.ceil((countResult?.total || 0) / parseInt(limit)),
+  });
+});
+
+// GET /templates/:slug - Get template by slug
+templates.get('/:orgSlug/:name', async (c) => {
+  const user = c.get('user');
+  const slug = `${c.req.param('orgSlug')}/${c.req.param('name')}`;
+
+  const template = await c.env.DB.prepare(`
+    SELECT t.*, o.name as org_name, o.slug as org_slug
+    FROM templates t
+    JOIN organizations o ON t.org_id = o.id
+    WHERE t.slug = ? AND (t.is_private = 0 OR t.org_id = ?)
+  `).bind(slug, user.org).first();
+
+  if (!template) {
+    return c.json({ error: 'Template not found' }, 404);
+  }
+
+  // Get versions
+  const versions = await c.env.DB.prepare(`
+    SELECT version, published_at FROM template_versions
+    WHERE template_id = ? ORDER BY published_at DESC
+  `).bind(template.id).all();
+
+  return c.json({
+    ...template,
+    meta: JSON.parse(template.meta as string),
+    tags: JSON.parse(template.tags as string),
+    versions: versions.results,
+  });
+});
+
+export default templates;
+```
+
+### 3.2 CLI Publish Command
+
+```typescript
+// CLI: src/commands/publish.ts (in loopwind CLI)
+import { Command } from 'commander';
+import fs from 'fs';
+import path from 'path';
+import { getCredentials, getConfig } from '../lib/config';
+import { loadTemplate } from '../lib/renderer';
+
+export const publishCommand = new Command('publish')
+  .description('Publish template to loopwind.dev')
+  .argument('[template]', 'Template name to publish')
+  .option('--version <version>', 'Semantic version')
+  .option('--private', 'Make template private')
+  .option('--description <text>', 'Template description')
+  .option('--dry-run', 'Validate without publishing')
+  .action(async (templateName, options) => {
+    // Get credentials
+    const credentials = await getCredentials();
+    if (!credentials) {
+      console.error('Not logged in. Run: loopwind login');
+      process.exit(1);
+    }
+
+    // Load template
+    const config = await getConfig();
+    const templatePath = path.join(config.paths.root, templateName, 'template.tsx');
+
+    if (!fs.existsSync(templatePath)) {
+      console.error(`Template not found: ${templateName}`);
+      process.exit(1);
+    }
+
+    const { meta } = await loadTemplate(templatePath);
+
+    // Collect all files in template directory
+    const templateDir = path.dirname(templatePath);
+    const files: { path: string; content: string }[] = [];
+
+    function collectFiles(dir: string, base = '') {
+      for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
+        const fullPath = path.join(dir, entry.name);
+        const relativePath = path.join(base, entry.name);
+
+        if (entry.isDirectory()) {
+          collectFiles(fullPath, relativePath);
+        } else {
+          files.push({
+            path: relativePath,
+            content: fs.readFileSync(fullPath).toString('base64'),
+          });
+        }
+      }
+    }
+
+    collectFiles(templateDir);
+
+    // Determine version
+    const version = options.version || await promptVersion(templateName, credentials);
+
+    if (options.dryRun) {
+      console.log('Dry run - would publish:');
+      console.log(`  Template: ${templateName}`);
+      console.log(`  Version: ${version}`);
+      console.log(`  Files: ${files.length}`);
+      console.log(`  Type: ${meta.type}`);
+      return;
+    }
+
+    // Publish
+    console.log(`Publishing ${templateName}@${version}...`);
+
+    const response = await fetch('https://api.loopwind.dev/templates/publish', {
+      method: 'POST',
+      headers: {
+        'Authorization': `Bearer ${credentials.token}`,
+        'Content-Type': 'application/json',
+      },
+      body: JSON.stringify({
+        name: templateName,
+        version,
+        description: options.description || meta.description,
+        isPrivate: options.private || false,
+        meta: {
+          type: meta.type || 'image',
+          size: meta.size,
+          video: meta.video,
+          props: meta.props,
+        },
+        files,
+      }),
+    });
+
+    if (!response.ok) {
+      const error = await response.json();
+      console.error(`Failed to publish: ${error.error}`);
+      process.exit(1);
+    }
+
+    const result = await response.json();
+    console.log(`✓ Published ${result.slug}@${result.version}`);
+    console.log(`  URL: ${result.url}`);
+  });
+```
+
+---
+
+## Phase 4: Image Rendering API
+
+### 4.1 Render Routes
+
+```typescript
+// src/routes/render.ts
+import { Hono } from 'hono';
+import { z } from 'zod';
+import type { Env } from '../types/env';
+import { authMiddleware, requireScopes } from '../middleware/auth';
+import { generateId } from '../lib/id';
+
+const render = new Hono<{ Bindings: Env }>();
+
+render.use('*', authMiddleware);
+
+const imageRenderSchema = z.object({
+  template: z.string(),           // slug or id
+  version: z.string().optional(), // defaults to latest
+  props: z.record(z.any()),
+  format: z.enum(['png', 'jpg', 'webp', 'svg']).default('png'),
+  scale: z.number().min(1).max(3).default(1),
+});
+
+const videoRenderSchema = z.object({
+  template: z.string(),
+  version: z.string().optional(),
+  props: z.record(z.any()),
+  format: z.enum(['mp4', 'gif']).default('mp4'),
+  webhook: z.string().url().optional(),
+});
+
+// POST /render - Synchronous image rendering
+render.post('/', requireScopes('render:write'), async (c) => {
+  const user = c.get('user');
+  const body = await c.req.json();
+
+  const parsed = imageRenderSchema.safeParse(body);
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  }
+
+  const { template, version, props, format, scale } = parsed.data;
+
+  // Check usage limits
+  const org = await c.env.DB.prepare(`
+    SELECT image_renders_limit, image_renders_used, usage_reset_at
+    FROM organizations WHERE id = ?
+  `).bind(user.org).first<any>();
+
+  // Reset usage if needed
+  if (new Date(org.usage_reset_at) < new Date()) {
+    await c.env.DB.prepare(`
+      UPDATE organizations
+      SET image_renders_used = 0, video_renders_used = 0, usage_reset_at = ?
+      WHERE id = ?
+    `).bind(getNextMonthReset(), user.org).run();
+    org.image_renders_used = 0;
+  }
+
+  if (org.image_renders_used >= org.image_renders_limit) {
+    return c.json({ error: 'Image render limit exceeded', limit: org.image_renders_limit }, 403);
+  }
+
+  // Get template
+  const tpl = await getTemplate(c.env, template, version, user.org);
+  if (!tpl) {
+    return c.json({ error: 'Template not found' }, 404);
+  }
+
+  if (tpl.type !== 'image') {
+    return c.json({ error: 'Use /render/async for video templates' }, 400);
+  }
+
+  // Load template files from R2
+  const templateCode = await loadTemplateFromR2(c.env, tpl);
+
+  // Render image (using loopwind core renderer)
+  const startTime = Date.now();
+  const imageBuffer = await renderImage(templateCode, props, format, scale);
+  const duration = Date.now() - startTime;
+
+  // Increment usage
+  await c.env.DB.prepare(
+    'UPDATE organizations SET image_renders_used = image_renders_used + 1 WHERE id = ?'
+  ).bind(user.org).run();
+
+  // Increment template renders
+  await c.env.DB.prepare(
+    'UPDATE templates SET renders = renders + 1 WHERE id = ?'
+  ).bind(tpl.id).run();
+
+  // Return image
+  const contentType = {
+    png: 'image/png',
+    jpg: 'image/jpeg',
+    webp: 'image/webp',
+    svg: 'image/svg+xml',
+  }[format];
+
+  return new Response(imageBuffer, {
+    headers: {
+      'Content-Type': contentType,
+      'X-Render-Duration': `${duration}ms`,
+      'X-Render-Id': generateId.job(),
+    },
+  });
+});
+
+// POST /render/async - Asynchronous video rendering
+render.post('/async', requireScopes('render:write'), async (c) => {
+  const user = c.get('user');
+  const body = await c.req.json();
+
+  const parsed = videoRenderSchema.safeParse(body);
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  }
+
+  const { template, version, props, format, webhook } = parsed.data;
+
+  // Check usage limits
+  const org = await c.env.DB.prepare(`
+    SELECT video_renders_limit, video_renders_used
+    FROM organizations WHERE id = ?
+  `).bind(user.org).first<any>();
+
+  if (org.video_renders_used >= org.video_renders_limit) {
+    return c.json({ error: 'Video render limit exceeded', limit: org.video_renders_limit }, 403);
+  }
+
+  // Get template
+  const tpl = await getTemplate(c.env, template, version, user.org);
+  if (!tpl) {
+    return c.json({ error: 'Template not found' }, 404);
+  }
+
+  // Create job
+  const jobId = generateId.job();
+  const meta = JSON.parse(tpl.meta);
+  const totalFrames = meta.video ? meta.video.fps * meta.video.duration : 0;
+
+  await c.env.DB.prepare(`
+    INSERT INTO render_jobs (id, org_id, user_id, template_id, props, format, total_frames, webhook_url)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+  `).bind(jobId, user.org, user.sub, tpl.id, JSON.stringify(props), format, totalFrames, webhook || null).run();
+
+  // Dispatch to container via Durable Object
+  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
+  await jobDO.fetch('http://internal/start', {
+    method: 'POST',
+    body: JSON.stringify({
+      jobId,
+      templateId: tpl.id,
+      version: tpl.version,
+      props,
+      format,
+      meta,
+    }),
+  });
+
+  // Increment usage
+  await c.env.DB.prepare(
+    'UPDATE organizations SET video_renders_used = video_renders_used + 1 WHERE id = ?'
+  ).bind(user.org).run();
+
+  return c.json({
+    jobId,
+    status: 'queued',
+    totalFrames,
+    estimatedDuration: totalFrames * 100, // rough estimate
+    statusUrl: `/render/${jobId}`,
+    createdAt: new Date().toISOString(),
+  }, 202);
+});
+
+// GET /render/:jobId - Get job status
+render.get('/:jobId', async (c) => {
+  const user = c.get('user');
+  const jobId = c.req.param('jobId');
+
+  const job = await c.env.DB.prepare(`
+    SELECT * FROM render_jobs WHERE id = ? AND org_id = ?
+  `).bind(jobId, user.org).first();
+
+  if (!job) {
+    return c.json({ error: 'Job not found' }, 404);
+  }
+
+  const response: any = {
+    jobId: job.id,
+    status: job.status,
+    progress: job.progress,
+    currentFrame: job.current_frame,
+    totalFrames: job.total_frames,
+    createdAt: job.created_at,
+  };
+
+  if (job.status === 'processing') {
+    response.startedAt = job.started_at;
+  }
+
+  if (job.status === 'completed') {
+    response.outputUrl = `https://renders.loopwind.dev/${job.output_key}`;
+    response.expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
+    response.completedAt = job.completed_at;
+  }
+
+  if (job.status === 'failed') {
+    response.error = job.error;
+  }
+
+  return c.json(response);
+});
+
+// Helper functions
+async function getTemplate(env: Env, slugOrId: string, version: string | undefined, orgId: string) {
+  let template;
+
+  if (slugOrId.startsWith('tpl_')) {
+    template = await env.DB.prepare(`
+      SELECT t.*, tv.version, tv.files
+      FROM templates t
+      JOIN template_versions tv ON tv.template_id = t.id
+      WHERE t.id = ? AND (t.is_private = 0 OR t.org_id = ?)
+      ORDER BY tv.published_at DESC LIMIT 1
+    `).bind(slugOrId, orgId).first();
+  } else {
+    const versionClause = version
+      ? 'AND tv.version = ?'
+      : '';
+    const params = version
+      ? [slugOrId, orgId, version]
+      : [slugOrId, orgId];
+
+    template = await env.DB.prepare(`
+      SELECT t.*, tv.version, tv.files
+      FROM templates t
+      JOIN template_versions tv ON tv.template_id = t.id
+      WHERE t.slug = ? AND (t.is_private = 0 OR t.org_id = ?)
+      ${versionClause}
+      ORDER BY tv.published_at DESC LIMIT 1
+    `).bind(...params).first();
+  }
+
+  return template;
+}
+
+async function loadTemplateFromR2(env: Env, template: any): Promise<string> {
+  const files = JSON.parse(template.files);
+  const mainFile = files.find((f: any) => f.path === 'template.tsx');
+
+  if (!mainFile) {
+    throw new Error('Template file not found');
+  }
+
+  const object = await env.STORAGE.get(mainFile.r2Key);
+  if (!object) {
+    throw new Error('Template file not found in storage');
+  }
+
+  return await object.text();
+}
+
+function getNextMonthReset(): string {
+  const now = new Date();
+  return new Date(now.getFullYear(), now.getMonth() + 1, 1).toISOString();
+}
+
+export default render;
+```
+
+### 4.2 Render Job Durable Object
+
+```typescript
+// src/durable-objects/RenderJobOrchestrator.ts
+import { DurableObject } from 'cloudflare:workers';
+import type { Env } from '../types/env';
+
+export class RenderJobOrchestrator extends DurableObject {
+  constructor(ctx: DurableObjectState, env: Env) {
+    super(ctx, env);
+  }
+
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+
+    if (url.pathname === '/start' && request.method === 'POST') {
+      return this.startJob(request);
+    }
+
+    if (url.pathname === '/progress' && request.method === 'POST') {
+      return this.updateProgress(request);
+    }
+
+    if (url.pathname === '/complete' && request.method === 'POST') {
+      return this.completeJob(request);
+    }
+
+    if (url.pathname === '/fail' && request.method === 'POST') {
+      return this.failJob(request);
+    }
+
+    return new Response('Not found', { status: 404 });
+  }
+
+  async startJob(request: Request): Promise<Response> {
+    const { jobId, templateId, version, props, format, meta } = await request.json();
+
+    // Store job state
+    await this.ctx.storage.put('job', {
+      jobId,
+      templateId,
+      version,
+      props,
+      format,
+      meta,
+      status: 'processing',
+      progress: 0,
+      startedAt: Date.now(),
+    });
+
+    // Update DB
+    await this.env.DB.prepare(
+      'UPDATE render_jobs SET status = ?, started_at = ? WHERE id = ?'
+    ).bind('processing', new Date().toISOString(), jobId).run();
+
+    // Start container
+    const container = await getContainer(this.env.VIDEO_RENDERER, jobId);
+
+    // Fire and forget - container will call back with progress/completion
+    container.fetch('http://container/render', {
+      method: 'POST',
+      body: JSON.stringify({
+        jobId,
+        templateId,
+        version,
+        props,
+        format,
+        meta,
+        callbackUrl: `https://api.loopwind.dev/internal/jobs/${jobId}`,
+      }),
+    });
+
+    return new Response(JSON.stringify({ status: 'started' }));
+  }
+
+  async updateProgress(request: Request): Promise<Response> {
+    const { progress, currentFrame } = await request.json();
+    const job = await this.ctx.storage.get('job') as any;
+
+    job.progress = progress;
+    job.currentFrame = currentFrame;
+    await this.ctx.storage.put('job', job);
+
+    // Update DB
+    await this.env.DB.prepare(
+      'UPDATE render_jobs SET progress = ?, current_frame = ? WHERE id = ?'
+    ).bind(progress, currentFrame, job.jobId).run();
+
+    return new Response(JSON.stringify({ status: 'updated' }));
+  }
+
+  async completeJob(request: Request): Promise<Response> {
+    const { outputKey } = await request.json();
+    const job = await this.ctx.storage.get('job') as any;
+
+    // Update DB
+    await this.env.DB.prepare(`
+      UPDATE render_jobs
+      SET status = 'completed', progress = 1, output_key = ?, completed_at = ?
+      WHERE id = ?
+    `).bind(outputKey, new Date().toISOString(), job.jobId).run();
+
+    // Fire webhook if configured
+    const dbJob = await this.env.DB.prepare(
+      'SELECT webhook_url FROM render_jobs WHERE id = ?'
+    ).bind(job.jobId).first<any>();
+
+    if (dbJob?.webhook_url) {
+      await fetch(dbJob.webhook_url, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          event: 'render.completed',
+          jobId: job.jobId,
+          status: 'completed',
+          outputUrl: `https://renders.loopwind.dev/${outputKey}`,
+          timestamp: new Date().toISOString(),
+        }),
+      });
+
+      await this.env.DB.prepare(
+        'UPDATE render_jobs SET webhook_sent = 1 WHERE id = ?'
+      ).bind(job.jobId).run();
+    }
+
+    return new Response(JSON.stringify({ status: 'completed' }));
+  }
+
+  async failJob(request: Request): Promise<Response> {
+    const { error } = await request.json();
+    const job = await this.ctx.storage.get('job') as any;
+
+    await this.env.DB.prepare(`
+      UPDATE render_jobs SET status = 'failed', error = ? WHERE id = ?
+    `).bind(error, job.jobId).run();
+
+    return new Response(JSON.stringify({ status: 'failed' }));
+  }
+}
+```
+
+---
+
+## Phase 5: Video Rendering Container
+
+### 5.1 Container Dockerfile
+
+```dockerfile
+# container/Dockerfile
+FROM node:20-slim
+
+# Install FFmpeg
+RUN apt-get update && \
+    apt-get install -y ffmpeg && \
+    rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app
+
+# Copy package files
+COPY package*.json ./
+RUN npm ci --production
+
+# Copy application
+COPY . .
+
+# Build TypeScript
+RUN npm run build
+
+EXPOSE 8080
+
+CMD ["node", "dist/render-server.js"]
+```
+
+### 5.2 Container Render Server
+
+```typescript
+// container/src/render-server.ts
+import express from 'express';
+import { renderVideo } from './video-renderer';
+
+const app = express();
+app.use(express.json({ limit: '50mb' }));
+
+app.post('/render', async (req, res) => {
+  const { jobId, templateId, version, props, format, meta, callbackUrl } = req.body;
+
+  console.log(`Starting render job ${jobId}`);
+
+  try {
+    // Render video with progress callbacks
+    const outputPath = await renderVideo({
+      jobId,
+      templateId,
+      version,
+      props,
+      format,
+      meta,
+      onProgress: async (progress, currentFrame) => {
+        // Report progress to API
+        await fetch(`${callbackUrl}/progress`, {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ progress, currentFrame }),
+        });
+      },
+    });
+
+    // Upload to R2
+    const outputKey = `${jobId}.${format}`;
+    await uploadToR2(outputPath, outputKey);
+
+    // Report completion
+    await fetch(`${callbackUrl}/complete`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ outputKey }),
+    });
+
+    res.json({ status: 'completed', outputKey });
+  } catch (error: any) {
+    console.error(`Render failed for job ${jobId}:`, error);
+
+    // Report failure
+    await fetch(`${callbackUrl}/fail`, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ error: error.message }),
+    });
+
+    res.status(500).json({ error: error.message });
+  }
+});
+
+app.get('/health', (req, res) => {
+  res.json({ status: 'healthy' });
+});
+
+const PORT = process.env.PORT || 8080;
+app.listen(PORT, () => {
+  console.log(`Render server listening on port ${PORT}`);
+});
+```
+
+---
+
+## Phase 6: Organization & User Management
+
+### 6.1 Organization Routes
+
+```typescript
+// src/routes/organizations.ts
+import { Hono } from 'hono';
+import { z } from 'zod';
+import type { Env } from '../types/env';
+import { authMiddleware, requireRole } from '../middleware/auth';
+import { generateId, generateInviteToken } from '../lib/id';
+
+const orgs = new Hono<{ Bindings: Env }>();
+
+orgs.use('*', authMiddleware);
+
+// GET /organizations/current - Get current org
+orgs.get('/current', async (c) => {
+  const user = c.get('user');
+
+  const org = await c.env.DB.prepare(`
+    SELECT o.*,
+           (SELECT COUNT(*) FROM users WHERE org_id = o.id) as member_count,
+           (SELECT COUNT(*) FROM templates WHERE org_id = o.id) as template_count
+    FROM organizations o
+    WHERE o.id = ?
+  `).bind(user.org).first();
+
+  return c.json(org);
+});
+
+// PUT /organizations/current - Update org
+orgs.put('/current', requireRole('owner', 'admin'), async (c) => {
+  const user = c.get('user');
+  const { name } = await c.req.json();
+
+  if (name) {
+    await c.env.DB.prepare(
+      'UPDATE organizations SET name = ?, updated_at = datetime("now") WHERE id = ?'
+    ).bind(name, user.org).run();
+  }
+
+  return c.json({ success: true });
+});
+
+// GET /organizations/current/members - List members
+orgs.get('/current/members', async (c) => {
+  const user = c.get('user');
+
+  const members = await c.env.DB.prepare(`
+    SELECT id, email, username, name, role, last_login_at, created_at
+    FROM users WHERE org_id = ?
+  `).bind(user.org).all();
+
+  return c.json({ members: members.results });
+});
+
+// POST /organizations/current/invitations - Invite user
+orgs.post('/current/invitations', requireRole('owner', 'admin'), async (c) => {
+  const user = c.get('user');
+  const { email, role = 'member' } = await c.req.json();
+
+  // Check member limit
+  const org = await c.env.DB.prepare(
+    'SELECT members_limit FROM organizations WHERE id = ?'
+  ).bind(user.org).first<any>();
+
+  const memberCount = await c.env.DB.prepare(
+    'SELECT COUNT(*) as count FROM users WHERE org_id = ?'
+  ).bind(user.org).first<{ count: number }>();
+
+  if (memberCount!.count >= org.members_limit) {
+    return c.json({ error: 'Member limit reached' }, 403);
+  }
+
+  // Check if user already exists in org
+  const existing = await c.env.DB.prepare(
+    'SELECT id FROM users WHERE email = ? AND org_id = ?'
+  ).bind(email, user.org).first();
+
+  if (existing) {
+    return c.json({ error: 'User already in organization' }, 409);
+  }
+
+  // Create invitation
+  const inviteId = generateId.invitation();
+  const token = generateInviteToken();
+  const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000).toISOString();
+
+  await c.env.DB.prepare(`
+    INSERT INTO invitations (id, org_id, invited_by, email, role, token, expires_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?)
+  `).bind(inviteId, user.org, user.sub, email, role, token, expiresAt).run();
+
+  // TODO: Send invitation email
+
+  return c.json({
+    id: inviteId,
+    email,
+    role,
+    inviteUrl: `https://loopwind.dev/invite/${token}`,
+    expiresAt,
+  }, 201);
+});
+
+// DELETE /organizations/current/members/:userId - Remove member
+orgs.delete('/current/members/:userId', requireRole('owner', 'admin'), async (c) => {
+  const user = c.get('user');
+  const userId = c.req.param('userId');
+
+  // Can't remove yourself
+  if (userId === user.sub) {
+    return c.json({ error: 'Cannot remove yourself' }, 400);
+  }
+
+  // Can't remove owner
+  const targetUser = await c.env.DB.prepare(
+    'SELECT role FROM users WHERE id = ? AND org_id = ?'
+  ).bind(userId, user.org).first<{ role: string }>();
+
+  if (!targetUser) {
+    return c.json({ error: 'User not found' }, 404);
+  }
+
+  if (targetUser.role === 'owner') {
+    return c.json({ error: 'Cannot remove owner' }, 403);
+  }
+
+  await c.env.DB.prepare('DELETE FROM users WHERE id = ?').bind(userId).run();
+
+  return c.json({ success: true });
+});
+
+export default orgs;
+```
+
+### 6.2 API Key Routes
+
+```typescript
+// src/routes/keys.ts
+import { Hono } from 'hono';
+import { z } from 'zod';
+import type { Env } from '../types/env';
+import { authMiddleware } from '../middleware/auth';
+import { generateId, generateApiKey } from '../lib/id';
+import { hashPassword } from '../lib/password';
+
+const keys = new Hono<{ Bindings: Env }>();
+
+keys.use('*', authMiddleware);
+
+const createKeySchema = z.object({
+  name: z.string().min(1).max(100),
+  scopes: z.array(z.string()).default(['render:read', 'render:write', 'templates:read']),
+  expiresIn: z.number().optional(), // Days until expiration
+});
+
+// GET /keys - List API keys
+keys.get('/', async (c) => {
+  const user = c.get('user');
+
+  const apiKeys = await c.env.DB.prepare(`
+    SELECT id, name, key_prefix, scopes, last_used_at, expires_at, created_at
+    FROM api_keys WHERE org_id = ?
+  `).bind(user.org).all();
+
+  return c.json({
+    keys: apiKeys.results.map((k: any) => ({
+      ...k,
+      scopes: JSON.parse(k.scopes),
+    })),
+  });
+});
+
+// POST /keys - Create API key
+keys.post('/', async (c) => {
+  const user = c.get('user');
+  const body = await c.req.json();
+
+  const parsed = createKeySchema.safeParse(body);
+  if (!parsed.success) {
+    return c.json({ error: 'Validation failed' }, 400);
+  }
+
+  const { name, scopes, expiresIn } = parsed.data;
+
+  const keyId = generateId.key();
+  const { key, prefix } = generateApiKey();
+  const keyHash = await hashPassword(key);
+
+  const expiresAt = expiresIn
+    ? new Date(Date.now() + expiresIn * 24 * 60 * 60 * 1000).toISOString()
+    : null;
+
+  await c.env.DB.prepare(`
+    INSERT INTO api_keys (id, org_id, user_id, name, key_hash, key_prefix, scopes, expires_at)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+  `).bind(keyId, user.org, user.sub, name, keyHash, prefix, JSON.stringify(scopes), expiresAt).run();
+
+  return c.json({
+    id: keyId,
+    key,  // Only returned once!
+    name,
+    prefix,
+    scopes,
+    expiresAt,
+    createdAt: new Date().toISOString(),
+  }, 201);
+});
+
+// DELETE /keys/:id - Revoke API key
+keys.delete('/:id', async (c) => {
+  const user = c.get('user');
+  const keyId = c.req.param('id');
+
+  const result = await c.env.DB.prepare(
+    'DELETE FROM api_keys WHERE id = ? AND org_id = ?'
+  ).bind(keyId, user.org).run();
+
+  if (result.meta.changes === 0) {
+    return c.json({ error: 'API key not found' }, 404);
+  }
+
+  return c.json({ success: true });
+});
+
+export default keys;
+```
+
+---
+
+## Phase 7: Main Worker Entry Point
+
+### 7.1 Main Application
+
+```typescript
+// src/index.ts
+import { Hono } from 'hono';
+import { cors } from 'hono/cors';
+import { logger } from 'hono/logger';
+import type { Env } from './types/env';
+
+import auth from './routes/auth';
+import organizations from './routes/organizations';
+import templates from './routes/templates';
+import render from './routes/render';
+import keys from './routes/keys';
+
+import { rateLimitMiddleware } from './middleware/rateLimit';
+import { RenderJobOrchestrator } from './durable-objects/RenderJobOrchestrator';
+
+const app = new Hono<{ Bindings: Env }>();
+
+// Global middleware
+app.use('*', logger());
+app.use('*', cors({
+  origin: ['https://loopwind.dev', 'http://localhost:3000'],
+  credentials: true,
+}));
+
+// Health check
+app.get('/health', (c) => c.json({ status: 'ok' }));
+
+// Public routes
+app.route('/auth', auth);
+
+// Protected routes with rate limiting
+app.use('/organizations/*', rateLimitMiddleware);
+app.use('/templates/*', rateLimitMiddleware);
+app.use('/render/*', rateLimitMiddleware);
+app.use('/keys/*', rateLimitMiddleware);
+
+app.route('/organizations', organizations);
+app.route('/templates', templates);
+app.route('/render', render);
+app.route('/keys', keys);
+
+// Internal routes (for container callbacks)
+app.post('/internal/jobs/:jobId/progress', async (c) => {
+  const jobId = c.req.param('jobId');
+  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
+  return jobDO.fetch('http://internal/progress', {
+    method: 'POST',
+    body: JSON.stringify(await c.req.json()),
+  });
+});
+
+app.post('/internal/jobs/:jobId/complete', async (c) => {
+  const jobId = c.req.param('jobId');
+  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
+  return jobDO.fetch('http://internal/complete', {
+    method: 'POST',
+    body: JSON.stringify(await c.req.json()),
+  });
+});
+
+app.post('/internal/jobs/:jobId/fail', async (c) => {
+  const jobId = c.req.param('jobId');
+  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
+  return jobDO.fetch('http://internal/fail', {
+    method: 'POST',
+    body: JSON.stringify(await c.req.json()),
+  });
+});
+
+// 404 handler
+app.notFound((c) => c.json({ error: 'Not found' }, 404));
+
+// Error handler
+app.onError((err, c) => {
+  console.error('Unhandled error:', err);
+  return c.json({ error: 'Internal server error' }, 500);
+});
+
+// Export for Cloudflare Workers
+export default app;
+
+// Export Durable Object
+export { RenderJobOrchestrator };
+```
+
+---
+
+## Phase 8: CLI Authentication Commands
+
+### 8.1 Login Command
+
+```typescript
+// CLI: src/commands/login.ts
+import { Command } from 'commander';
+import http from 'http';
+import open from 'open';
+import { saveCredentials } from '../lib/config';
+
+export const loginCommand = new Command('login')
+  .description('Login to loopwind.dev')
+  .option('--no-browser', 'Print login URL instead of opening browser')
+  .action(async (options) => {
+    // Start local server to receive callback
+    const server = http.createServer();
+    const port = await getAvailablePort(3333);
+
+    const callbackUrl = `http://localhost:${port}/callback`;
+    const loginUrl = `https://loopwind.dev/cli-login?callback=${encodeURIComponent(callbackUrl)}`;
+
+    return new Promise((resolve, reject) => {
+      server.on('request', async (req, res) => {
+        if (req.url?.startsWith('/callback')) {
+          const url = new URL(req.url, `http://localhost:${port}`);
+          const token = url.searchParams.get('token');
+          const refreshToken = url.searchParams.get('refreshToken');
+          const user = JSON.parse(url.searchParams.get('user') || '{}');
+
+          if (token && refreshToken) {
+            await saveCredentials({
+              token,
+              refreshToken,
+              user,
+              expiresAt: new Date(Date.now() + 15 * 60 * 1000).toISOString(),
+            });
+
+            res.writeHead(200, { 'Content-Type': 'text/html' });
+            res.end('<h1>Success!</h1><p>You can close this window.</p>');
+
+            console.log(`✓ Logged in as ${user.email}`);
+            server.close();
+            resolve(undefined);
+          } else {
+            res.writeHead(400);
+            res.end('Login failed');
+            reject(new Error('Login failed'));
+          }
+        }
+      });
+
+      server.listen(port, () => {
+        if (options.browser) {
+          console.log('Opening browser for authentication...');
+          open(loginUrl);
+        } else {
+          console.log(`Open this URL to login:\n${loginUrl}`);
+        }
+        console.log('Waiting for authentication...');
+      });
+
+      // Timeout after 5 minutes
+      setTimeout(() => {
+        server.close();
+        reject(new Error('Login timed out'));
+      }, 5 * 60 * 1000);
+    });
+  });
+
+export const logoutCommand = new Command('logout')
+  .description('Logout from loopwind.dev')
+  .action(async () => {
+    const { clearCredentials } = await import('../lib/config');
+    await clearCredentials();
+    console.log('✓ Logged out');
+  });
+
+export const whoamiCommand = new Command('whoami')
+  .description('Show current user')
+  .action(async () => {
+    const { getCredentials } = await import('../lib/config');
+    const creds = await getCredentials();
+
+    if (!creds) {
+      console.log('Not logged in');
+      return;
+    }
+
+    console.log(`Logged in as: ${creds.user.email}`);
+    console.log(`Organization: ${creds.user.org_name || 'N/A'}`);
+  });
+```
+
+---
+
+## Phase 9: Dashboard UI (website/)
+
+The dashboard UI lives in the existing Astro website at `app.loopwind.dev`.
+
+### 9.1 Dashboard Structure
+
+```
+website/
+├── src/
+│   ├── pages/
+│   │   ├── index.astro              # Marketing homepage
+│   │   ├── docs/                    # Documentation
+│   │   └── app/                     # Dashboard (protected)
+│   │       ├── index.astro          # Dashboard home
+│   │       ├── login.astro          # Login page
+│   │       ├── register.astro       # Registration page
+│   │       ├── templates/
+│   │       │   ├── index.astro      # Template list
+│   │       │   └── [slug].astro     # Template detail
+│   │       ├── renders/
+│   │       │   ├── index.astro      # Render history
+│   │       │   └── [id].astro       # Render detail
+│   │       ├── settings/
+│   │       │   ├── index.astro      # Account settings
+│   │       │   ├── api-keys.astro   # API key management
+│   │       │   └── team.astro       # Team/org management
+│   │       └── billing.astro        # Billing/plan
+│   ├── components/
+│   │   └── app/                     # Dashboard components
+│   │       ├── Sidebar.astro
+│   │       ├── Header.astro
+│   │       ├── TemplateCard.astro
+│   │       └── RenderPreview.astro
+│   ├── layouts/
+│   │   ├── Layout.astro             # Marketing layout
+│   │   └── AppLayout.astro          # Dashboard layout
+│   └── lib/
+│       └── api.ts                   # API client
+```
+
+### 9.2 API Client
+
+```typescript
+// website/src/lib/api.ts
+const API_BASE = import.meta.env.PUBLIC_API_URL || 'https://api.loopwind.dev';
+
+interface ApiOptions {
+  method?: string;
+  body?: any;
+  token?: string;
+}
+
+export async function api<T>(endpoint: string, options: ApiOptions = {}): Promise<T> {
+  const { method = 'GET', body, token } = options;
+
+  const headers: Record<string, string> = {
+    'Content-Type': 'application/json',
+  };
+
+  if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+  }
+
+  const response = await fetch(`${API_BASE}${endpoint}`, {
+    method,
+    headers,
+    body: body ? JSON.stringify(body) : undefined,
+    credentials: 'include',
+  });
+
+  if (!response.ok) {
+    const error = await response.json();
+    throw new Error(error.error || 'API request failed');
+  }
+
+  return response.json();
+}
+
+// Auth helpers
+export const auth = {
+  login: (email: string, password: string) =>
+    api<{ accessToken: string; refreshToken: string; user: any }>('/auth/login', {
+      method: 'POST',
+      body: { email, password },
+    }),
+
+  register: (data: { email: string; password: string; username: string; name?: string; orgName: string }) =>
+    api<{ accessToken: string; refreshToken: string; user: any; organization: any }>('/auth/register', {
+      method: 'POST',
+      body: data,
+    }),
+
+  logout: (token: string) =>
+    api('/auth/logout', { method: 'POST', token }),
+
+  refresh: (refreshToken: string) =>
+    api<{ accessToken: string; refreshToken: string }>('/auth/refresh', {
+      method: 'POST',
+      body: { refreshToken },
+    }),
+};
+
+// Templates
+export const templates = {
+  list: (token: string, params?: { q?: string; type?: string; page?: number }) =>
+    api<{ templates: any[]; total: number }>(`/templates?${new URLSearchParams(params as any)}`, { token }),
+
+  get: (token: string, slug: string) =>
+    api<any>(`/templates/${slug}`, { token }),
+};
+
+// Renders
+export const renders = {
+  create: (token: string, data: { template: string; props: any; format: string }) =>
+    api('/render', { method: 'POST', token, body: data }),
+
+  createAsync: (token: string, data: { template: string; props: any; format: string; webhook?: string }) =>
+    api<{ jobId: string; status: string }>('/render/async', { method: 'POST', token, body: data }),
+
+  getJob: (token: string, jobId: string) =>
+    api<any>(`/render/${jobId}`, { token }),
+};
+
+// API Keys
+export const apiKeys = {
+  list: (token: string) =>
+    api<{ keys: any[] }>('/keys', { token }),
+
+  create: (token: string, data: { name: string; scopes?: string[] }) =>
+    api<{ id: string; key: string; name: string }>('/keys', { method: 'POST', token, body: data }),
+
+  revoke: (token: string, id: string) =>
+    api(`/keys/${id}`, { method: 'DELETE', token }),
+};
+```
+
+### 9.3 Auth State Management
+
+```typescript
+// website/src/lib/auth-store.ts
+import { atom } from 'nanostores';
+
+interface AuthState {
+  user: any | null;
+  organization: any | null;
+  accessToken: string | null;
+  refreshToken: string | null;
+  isAuthenticated: boolean;
+}
+
+export const authStore = atom<AuthState>({
+  user: null,
+  organization: null,
+  accessToken: null,
+  refreshToken: null,
+  isAuthenticated: false,
+});
+
+// Initialize from localStorage (client-side only)
+export function initAuth() {
+  if (typeof window === 'undefined') return;
+
+  const stored = localStorage.getItem('loopwind_auth');
+  if (stored) {
+    try {
+      const data = JSON.parse(stored);
+      authStore.set({ ...data, isAuthenticated: !!data.accessToken });
+    } catch {
+      localStorage.removeItem('loopwind_auth');
+    }
+  }
+}
+
+export function setAuth(data: Partial<AuthState>) {
+  const current = authStore.get();
+  const newState = { ...current, ...data, isAuthenticated: !!data.accessToken };
+  authStore.set(newState);
+
+  if (typeof window !== 'undefined') {
+    localStorage.setItem('loopwind_auth', JSON.stringify(newState));
+  }
+}
+
+export function clearAuth() {
+  authStore.set({
+    user: null,
+    organization: null,
+    accessToken: null,
+    refreshToken: null,
+    isAuthenticated: false,
+  });
+
+  if (typeof window !== 'undefined') {
+    localStorage.removeItem('loopwind_auth');
+  }
+}
+
+export function getToken(): string | null {
+  return authStore.get().accessToken;
+}
+```
+
+### 9.4 Protected Route Middleware
+
+```astro
+---
+// website/src/middleware.ts (Astro middleware)
+import { defineMiddleware } from 'astro:middleware';
+
+export const onRequest = defineMiddleware(async (context, next) => {
+  const { pathname } = context.url;
+
+  // Check if route requires auth
+  if (pathname.startsWith('/app') && !pathname.startsWith('/app/login') && !pathname.startsWith('/app/register')) {
+    // Check for auth cookie/header
+    const token = context.cookies.get('loopwind_token')?.value;
+
+    if (!token) {
+      return context.redirect('/app/login?redirect=' + encodeURIComponent(pathname));
+    }
+
+    // Optionally validate token with API
+    // context.locals.user = await validateToken(token);
+  }
+
+  return next();
+});
+```
+
+### 9.5 Example Dashboard Page
+
+```astro
+---
+// website/src/pages/app/templates/index.astro
+import AppLayout from '../../../layouts/AppLayout.astro';
+import TemplateCard from '../../../components/app/TemplateCard.astro';
+import { templates } from '../../../lib/api';
+
+const token = Astro.cookies.get('loopwind_token')?.value;
+let templateList = [];
+let error = null;
+
+try {
+  const response = await templates.list(token!, {});
+  templateList = response.templates;
+} catch (e: any) {
+  error = e.message;
+}
+---
+
+<AppLayout title="Templates">
+  <div class="p-6">
+    <div class="flex justify-between items-center mb-6">
+      <h1 class="text-2xl font-bold">Templates</h1>
+      <a href="/app/templates/new" class="btn btn-primary">
+        Publish Template
+      </a>
+    </div>
+
+    {error && (
+      <div class="alert alert-error mb-4">{error}</div>
+    )}
+
+    <div class="grid grid-cols-1 md:grid-cols-2 lg:grid-cols-3 gap-4">
+      {templateList.map((template) => (
+        <TemplateCard template={template} />
+      ))}
+    </div>
+
+    {templateList.length === 0 && !error && (
+      <div class="text-center py-12 text-gray-500">
+        <p>No templates yet.</p>
+        <p class="mt-2">
+          Publish your first template using:
+          <code class="bg-gray-100 px-2 py-1 rounded">loopwind publish my-template</code>
+        </p>
+      </div>
+    )}
+  </div>
+</AppLayout>
+```
+
+### 9.6 Website Wrangler Config (Updated)
+
+```toml
+# website/wrangler.toml
+name = "loopwind-website"
+compatibility_date = "2024-12-01"
+compatibility_flags = ["nodejs_compat_v2"]
+
+# Custom domains
+routes = [
+  { pattern = "loopwind.dev/*", custom_domain = true },
+  { pattern = "app.loopwind.dev/*", custom_domain = true }
+]
+
+[build]
+command = "npm run build"
+
+[site]
+bucket = "./dist"
+
+# Environment variables
+[vars]
+PUBLIC_API_URL = "https://api.loopwind.dev"
+```
+
+---
+
+## Implementation Checklist
+
+### Phase 1: Setup
+- [ ] Create Cloudflare project with Wrangler
+- [ ] Set up D1 database and run migrations
+- [ ] Create KV namespaces
+- [ ] Create R2 buckets
+- [ ] Configure wrangler.toml
+
+### Phase 2: Authentication
+- [ ] Implement password hashing utilities
+- [ ] Implement JWT utilities
+- [ ] Create auth routes (register, login, logout, refresh)
+- [ ] Create auth middleware
+- [ ] Create rate limiting middleware
+- [ ] Test auth flow
+
+### Phase 3: Organizations & Users
+- [ ] Implement organization routes
+- [ ] Implement user management routes
+- [ ] Implement invitation system
+- [ ] Implement API key management
+- [ ] Test organization flows
+
+### Phase 4: Template Publishing
+- [ ] Implement template publish endpoint
+- [ ] Implement template listing/search
+- [ ] Implement template versioning
+- [ ] Add CLI `loopwind publish` command
+- [ ] Add CLI `loopwind login/logout` commands
+- [ ] Test publishing flow
+
+### Phase 5: Image Rendering
+- [ ] Port loopwind renderer to Workers
+- [ ] Implement sync render endpoint
+- [ ] Add usage tracking
+- [ ] Test image rendering
+
+### Phase 6: Video Rendering
+- [ ] Create container Dockerfile
+- [ ] Implement container render server
+- [ ] Create Durable Object for job orchestration
+- [ ] Implement async render endpoint
+- [ ] Implement job status endpoint
+- [ ] Implement webhook notifications
+- [ ] Test video rendering
+
+### Phase 7: Production (Platform)
+- [ ] Set up api.loopwind.dev custom domain
+- [ ] Configure secrets (JWT_SECRET)
+- [ ] Set up monitoring (Sentry, analytics)
+- [ ] Create staging environment
+- [ ] Deploy platform to production
+
+### Phase 8: CLI Commands
+- [ ] Add `loopwind login` command (browser OAuth flow)
+- [ ] Add `loopwind logout` command
+- [ ] Add `loopwind whoami` command
+- [ ] Add `loopwind publish` command
+- [ ] Add `loopwind render --remote` flag
+- [ ] Add `loopwind keys` commands
+- [ ] Store credentials in ~/.loopwind/credentials.json
+
+### Phase 9: Dashboard UI (Website)
+- [ ] Create AppLayout.astro for dashboard
+- [ ] Create login/register pages
+- [ ] Implement API client (website/src/lib/api.ts)
+- [ ] Implement auth state management (nanostores)
+- [ ] Create middleware for protected routes
+- [ ] Build templates list page
+- [ ] Build template detail page
+- [ ] Build renders history page
+- [ ] Build settings pages (account, API keys, team)
+- [ ] Set up app.loopwind.dev domain
+
+---
+
+## Cost Estimates
+
+| Resource | Free Tier | Estimated Monthly (Pro) |
+|----------|-----------|------------------------|
+| Workers | 100k req/day | $5 + usage |
+| D1 | 5M rows read, 100k writes | $5 + usage |
+| KV | 100k reads, 1k writes | Included |
+| R2 | 10GB storage, 10M reads | $15/TB + ops |
+| Containers | - | ~$10-50 (usage based) |
+| **Total** | **$0** | **~$30-100/month** |
+
+---
+
+## Security Checklist
+
+- [ ] All passwords hashed with bcrypt (cost 12)
+- [ ] JWT tokens expire in 15 minutes
+- [ ] Refresh tokens stored in KV with TTL
+- [ ] API keys hashed before storage
+- [ ] Rate limiting per organization
+- [ ] CORS configured for allowed origins
+- [ ] Input validation with Zod on all endpoints
+- [ ] SQL injection prevented via prepared statements
+- [ ] Template code sandboxed (no eval, no network)
+- [ ] R2 signed URLs with expiration
+- [ ] Audit logging for sensitive operations