loopwind 0.25.6 → 0.25.8

package/plans/PLATFORM_IMPLEMENTATION.md

@@ -1,5 +1,7 @@
 # Loopwind API Service - Implementation Plan
 
+> **Note**: This implements the architecture described in [PLATFORM.md](./PLATFORM.md).
+
 ## Overview
 
 This document outlines the step-by-step implementation plan for the Loopwind API service using a 100% Cloudflare stack with organization-based user management.
@@ -14,9 +16,9 @@ This document outlines the step-by-step implementation plan for the Loopwind API
 │   loopwind.dev              api.loopwind.dev           app.loopwind.dev     │
 │   ─────────────             ────────────────           ─────────────────    │
 │   Marketing site            REST API                   Dashboard UI         │
-│   Documentation             Authentication             User settings        │
-│   Blog                      Template CRUD              Template management  │
-│                             Rendering API              Render history       │
+│   Documentation             GET /r/{token}             User settings        │
+│   Blog                      POST /r/{token}            Template management  │
+│                             Authentication             Analytics            │
 │                                                                             │
 │   └── website/              └── platform/              └── website/src/app/ │
 │       (Astro)                   (Workers)                  (Astro)          │
@@ -28,12 +30,19 @@ This document outlines the step-by-step implementation plan for the Loopwind API
 │                         Shared Cloudflare Resources                          │
 ├─────────────────────────────────────────────────────────────────────────────┤
 │                                                                             │
-│   D1 Database          KV Namespaces           R2 Buckets                   │
-│   ───────────          ──────────────          ──────────                   │
-│   • users              • SESSIONS              • loopwind-assets            │
-│   • organizations      • RATE_LIMIT            • loopwind-renders           │
-│   • templates          • CACHE                                              │
-│   • render_jobs                                                             │
+│   D1 Database          KV Namespaces           R2 Buckets     Analytics    │
+│   ───────────          ──────────────          ──────────     Engine       │
+│   • users              • SESSIONS              • assets       ─────────    │
+│   • organizations      • RATE_LIMIT            • renders      • renders    │
+│   • render_tokens      • RENDER_TOKENS                        • hits       │
+│   • custom_domains     (cache)                                             │
+│   • allowed_hosts                                                          │
+│                                                                             │
+│   Org DOs (SQLite)                                                        │
+│   ─────────────────                                                        │
+│   • templates                                                              │
+│   • template_files                                                         │
+│   • render_jobs                                                            │
 │                                                                             │
 └─────────────────────────────────────────────────────────────────────────────┘
 ```
@@ -45,10 +54,13 @@ This document outlines the step-by-step implementation plan for the Loopwind API
 | Marketing & Docs | Astro (website/) |
 | Dashboard UI | Astro (website/src/pages/app/) |
 | API | Cloudflare Workers (platform/) |
-| Database | Cloudflare D1 (SQLite) |
-| Auth | Custom (bcrypt + JWT) |
+| Global Database | Cloudflare D1 (users, organizations, tokens) |
+| Org Data | Durable Objects w/ SQLite (templates, files) |
+| Auth | GitHub OAuth + JWT |
 | Sessions | Workers KV |
 | File Storage | Cloudflare R2 |
+| Render Cache | Cloudflare R2 |
+| Analytics | Cloudflare Analytics Engine |
 | Video Rendering | Cloudflare Containers |
 | Image Rendering | Workers (WASM) |
 | CDN | Cloudflare (automatic) |
@@ -59,9 +71,19 @@ This document outlines the step-by-step implementation plan for the Loopwind API
 Organization
   └── Users (members)
        └── API Keys
-       └── Templates (owned by org, created by user)
+       └── Templates (owned by organization, created by user)
+            └── Render Tokens (random IDs for URLs)
 ```
 
+### Key Concepts from PLATFORM.md
+
+- **Render tokens**: Random IDs like `x7k9m2p4` used in URLs (prevents enumeration)
+- **R2 caching**: Rendered images cached by hash of inputs
+- **Analytics Engine**: Track renders vs hits per template
+- **Allowed hosts**: Security for external image URLs
+- **Version pinning**: `?v=1.0.0` to pin to specific template version
+- **Custom domains**: `og.mysite.com` instead of `api.loopwind.dev/r/...`
+
 ---
 
 ## Phase 1: Project Setup & Database Schema
@@ -96,16 +118,15 @@ loopwind/
 │   ├── src/
 │   │   ├── index.ts                # Main worker entry
 │   │   ├── routes/
-│   │   │   ├── auth.ts             # Login, register, logout
-│   │   │   ├── organizations.ts    # Org management
-│   │   │   ├── users.ts            # User management
+│   │   │   ├── auth.ts             # GitHub OAuth login/logout
+│   │   │   ├── organizations.ts            # Organization management
 │   │   │   ├── templates.ts        # Template CRUD & publish
-│   │   │   ├── render.ts           # Image/video rendering
-│   │   │   └── keys.ts             # API key management
+│   │   │   ├── render.ts           # Public render API (GET/POST /r/{token})
+│   │   │   ├── keys.ts             # API key management
+│   │   │   └── analytics.ts        # Render/hit stats
 │   │   ├── middleware/
-│   │   │   ├── auth.ts             # JWT validation
-│   │   │   ├── rateLimit.ts        # Rate limiting
-│   │   │   └── orgAccess.ts        # Organization access control
+│   │   │   ├── auth.ts             # JWT validation + organization access
+│   │   │   └── rateLimit.ts        # Rate limiting per organization
 │   │   ├── services/
 │   │   │   ├── auth.ts             # Auth logic
 │   │   │   ├── render.ts           # Render orchestration
@@ -204,14 +225,19 @@ binding = "VIDEO_RENDERER"
 class_name = "VideoRenderer"
 image = "./container"
 
-# Durable Objects for job orchestration
+# Durable Objects for organization data (templates, versions, files)
 [[durable_objects.bindings]]
-name = "RENDER_JOBS"
-class_name = "RenderJobOrchestrator"
+name = "ORG_DO"
+class_name = "OrgDurableObject"
 
 [[migrations]]
 tag = "v1"
-new_classes = ["RenderJobOrchestrator"]
+new_classes = ["OrgDurableObject"]
+
+# Analytics Engine for render/hit tracking
+[[analytics_engine_datasets]]
+binding = "ANALYTICS"
+dataset = "loopwind_analytics"
 
 # Environment variables
 [vars]
@@ -221,6 +247,8 @@ CORS_ORIGINS = "https://loopwind.dev,https://app.loopwind.dev"
 
 # Secrets (set via `wrangler secret put`)
 # JWT_SECRET
+# GITHUB_CLIENT_ID
+# GITHUB_CLIENT_SECRET
 ```
 
 ### 1.5 CORS Configuration
@@ -298,26 +326,34 @@ CREATE TABLE organizations (
 -- Users
 CREATE TABLE users (
   id TEXT PRIMARY KEY,                    -- usr_xxxxx
-  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
 
-  email TEXT UNIQUE NOT NULL,
-  username TEXT UNIQUE NOT NULL,
-  password_hash TEXT NOT NULL,
+  -- GitHub OAuth
+  github_id TEXT UNIQUE,
+  github_username TEXT,
 
+  email TEXT UNIQUE NOT NULL,
   name TEXT,
   avatar_url TEXT,
-  role TEXT DEFAULT 'member',             -- owner, admin, member
 
-  email_verified_at TEXT,
   last_login_at TEXT,
-
   created_at TEXT DEFAULT (datetime('now')),
   updated_at TEXT DEFAULT (datetime('now'))
 );
 
-CREATE INDEX idx_users_org ON users(org_id);
 CREATE INDEX idx_users_email ON users(email);
-CREATE INDEX idx_users_username ON users(username);
+CREATE INDEX idx_users_github ON users(github_id);
+
+-- Organization Members (join table)
+CREATE TABLE org_members (
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+  user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+  role TEXT DEFAULT 'member',             -- owner, admin, member
+
+  created_at TEXT DEFAULT (datetime('now')),
+  PRIMARY KEY (org_id, user_id)
+);
+
+CREATE INDEX idx_org_members_user ON org_members(user_id);
 
 -- API Keys
 CREATE TABLE api_keys (
@@ -340,7 +376,7 @@ CREATE TABLE api_keys (
 CREATE INDEX idx_api_keys_org ON api_keys(org_id);
 CREATE INDEX idx_api_keys_prefix ON api_keys(key_prefix);
 
--- Templates
+-- Templates (stored in Organization Durable Objects, this is just for global lookups)
 CREATE TABLE templates (
   id TEXT PRIMARY KEY,                    -- tpl_xxxxx
   org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
@@ -351,15 +387,11 @@ CREATE TABLE templates (
   description TEXT,
 
   type TEXT NOT NULL,                     -- image, video
-  meta TEXT NOT NULL,                     -- JSON: { size, props, video? }
+  current_version TEXT,                   -- "1.0.0"
 
   is_private INTEGER DEFAULT 0,
   tags TEXT DEFAULT '[]',                 -- JSON array
 
-  -- Stats
-  downloads INTEGER DEFAULT 0,
-  renders INTEGER DEFAULT 0,
-
   created_at TEXT DEFAULT (datetime('now')),
   updated_at TEXT DEFAULT (datetime('now')),
 
@@ -370,52 +402,50 @@ CREATE INDEX idx_templates_org ON templates(org_id);
 CREATE INDEX idx_templates_slug ON templates(slug);
 CREATE INDEX idx_templates_type ON templates(type);
 
--- Template Versions
-CREATE TABLE template_versions (
-  id TEXT PRIMARY KEY,                    -- ver_xxxxx
+-- Render Tokens (random IDs for URLs - prevents enumeration)
+CREATE TABLE render_tokens (
+  token TEXT PRIMARY KEY,                 -- x7k9m2p4 (8 char random)
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
   template_id TEXT NOT NULL REFERENCES templates(id) ON DELETE CASCADE,
 
-  version TEXT NOT NULL,                  -- Semver: 1.0.0
-  files TEXT NOT NULL,                    -- JSON: [{ path, r2_key, checksum }]
-
-  published_at TEXT DEFAULT (datetime('now')),
+  name TEXT,                              -- Optional friendly name
+  allowed_props TEXT,                     -- JSON: null = all, or ["title", "image"]
 
-  UNIQUE(template_id, version)
+  revoked_at TEXT,                        -- Soft delete
+  created_at TEXT DEFAULT (datetime('now'))
 );
 
-CREATE INDEX idx_versions_template ON template_versions(template_id);
+CREATE INDEX idx_render_tokens_org ON render_tokens(org_id);
+CREATE INDEX idx_render_tokens_template ON render_tokens(template_id);
 
--- Render Jobs (for async video rendering)
-CREATE TABLE render_jobs (
-  id TEXT PRIMARY KEY,                    -- job_xxxxx
-  org_id TEXT NOT NULL REFERENCES organizations(id),
-  user_id TEXT REFERENCES users(id),
-  template_id TEXT NOT NULL REFERENCES templates(id),
+-- Custom Domains (og.mysite.com → api.loopwind.dev/r/...)
+CREATE TABLE custom_domains (
+  id TEXT PRIMARY KEY,                    -- dom_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
 
-  status TEXT DEFAULT 'queued',           -- queued, processing, completed, failed
+  domain TEXT UNIQUE NOT NULL,            -- og.mysite.com
+  verified_at TEXT,                       -- NULL until DNS verified
 
-  props TEXT,                             -- JSON
-  format TEXT NOT NULL,                   -- mp4, gif
+  created_at TEXT DEFAULT (datetime('now'))
+);
 
-  progress REAL DEFAULT 0,                -- 0.0 - 1.0
-  current_frame INTEGER,
-  total_frames INTEGER,
+CREATE INDEX idx_custom_domains_org ON custom_domains(org_id);
+CREATE INDEX idx_custom_domains_domain ON custom_domains(domain);
 
-  output_key TEXT,                        -- R2 key for output
-  error TEXT,
+-- Allowed Hosts (security for external image URLs)
+CREATE TABLE allowed_hosts (
+  id TEXT PRIMARY KEY,                    -- ah_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
 
-  webhook_url TEXT,
-  webhook_sent INTEGER DEFAULT 0,
+  pattern TEXT NOT NULL,                  -- *.example.com or cdn.example.com
 
-  started_at TEXT,
-  completed_at TEXT,
-  created_at TEXT DEFAULT (datetime('now'))
+  created_at TEXT DEFAULT (datetime('now')),
+  UNIQUE(org_id, pattern)
 );
 
-CREATE INDEX idx_jobs_org ON render_jobs(org_id);
-CREATE INDEX idx_jobs_status ON render_jobs(status);
+CREATE INDEX idx_allowed_hosts_org ON allowed_hosts(org_id);
 
--- Invitations (for adding users to orgs)
+-- Invitations (for adding users to organizations)
 CREATE TABLE invitations (
   id TEXT PRIMARY KEY,                    -- inv_xxxxx
   org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
@@ -441,8 +471,8 @@ CREATE TABLE audit_log (
   org_id TEXT NOT NULL,
   user_id TEXT,
 
-  action TEXT NOT NULL,                   -- user.login, template.publish, etc.
-  resource_type TEXT,                     -- user, template, api_key
+  action TEXT NOT NULL,                   -- user.login, template.publish, render.create
+  resource_type TEXT,                     -- user, template, api_key, render_token
   resource_id TEXT,
 
   metadata TEXT,                          -- JSON
@@ -509,10 +539,15 @@ export interface Env {
   VIDEO_RENDERER: Container;
 
   // Durable Objects
-  RENDER_JOBS: DurableObjectNamespace;
+  ORG_DO: DurableObjectNamespace;
+
+  // Analytics Engine
+  ANALYTICS: AnalyticsEngineDataset;
 
   // Secrets
   JWT_SECRET: string;
+  GITHUB_CLIENT_ID: string;
+  GITHUB_CLIENT_SECRET: string;
 
   // Vars
   JWT_ISSUER: string;
@@ -521,11 +556,11 @@ export interface Env {
 
 export interface User {
   id: string;
-  org_id: string;
+  github_id: string;
+  github_username: string;
   email: string;
-  username: string;
   name: string | null;
-  role: 'owner' | 'admin' | 'member';
+  avatar_url: string | null;
 }
 
 export interface Organization {
@@ -535,10 +570,22 @@ export interface Organization {
   plan: 'free' | 'pro' | 'business';
 }
 
+export interface OrgMember {
+  org_id: string;
+  user_id: string;
+  role: 'owner' | 'admin' | 'member';
+}
+
+export interface RenderToken {
+  token: string;
+  org_id: string;
+  template_id: string;
+  name: string | null;
+  allowed_props: string[] | null;
+}
+
 export interface JWTPayload {
   sub: string;        // user_id
-  org: string;        // org_id
-  role: string;       // user role
   iss: string;
   aud: string;
   iat: number;
@@ -649,6 +696,8 @@ export const generateId = {
   version: () => `ver_${nanoid(16)}`,
   job: () => `job_${nanoid(16)}`,
   invitation: () => `inv_${nanoid(16)}`,
+  domain: () => `dom_${nanoid(16)}`,
+  allowedHost: () => `ah_${nanoid(16)}`,
 };
 
 export function generateApiKey(): { key: string; prefix: string } {
@@ -657,173 +706,165 @@ export function generateApiKey(): { key: string; prefix: string } {
   return { key, prefix };
 }
 
+export function generateRenderToken(): string {
+  // Short random token for URLs: x7k9m2p4
+  return nanoid(8);
+}
+
 export function generateInviteToken(): string {
   return nanoid(32);
 }
 ```
 
-### 2.5 Auth Routes
+### 2.5 Auth Routes (GitHub OAuth)
 
 ```typescript
 // src/routes/auth.ts
 import { Hono } from 'hono';
-import { z } from 'zod';
-import type { Env, User } from '../types/env';
-import { hashPassword, verifyPassword, validatePasswordStrength } from '../lib/password';
+import type { Env } from '../types/env';
 import { signAccessToken, signRefreshToken, verifyToken } from '../lib/jwt';
 import { generateId } from '../lib/id';
 
 const auth = new Hono<{ Bindings: Env }>();
 
-// Validation schemas
-const registerSchema = z.object({
-  email: z.string().email(),
-  username: z.string().min(3).max(30).regex(/^[a-z0-9_-]+$/i),
-  password: z.string().min(8),
-  name: z.string().optional(),
-  orgName: z.string().min(2).max(50),
-});
+// GET /auth/github - Redirect to GitHub OAuth
+auth.get('/github', async (c) => {
+  const state = crypto.randomUUID();
 
-const loginSchema = z.object({
-  email: z.string().email(),
-  password: z.string(),
-});
+  // Store state in KV for CSRF protection
+  await c.env.SESSIONS.put(`oauth_state:${state}`, '1', { expirationTtl: 600 });
 
-// POST /auth/register
-auth.post('/register', async (c) => {
-  const body = await c.req.json();
-  const parsed = registerSchema.safeParse(body);
+  const params = new URLSearchParams({
+    client_id: c.env.GITHUB_CLIENT_ID,
+    redirect_uri: 'https://api.loopwind.dev/auth/github/callback',
+    scope: 'read:user user:email',
+    state,
+  });
 
-  if (!parsed.success) {
-    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
-  }
+  return c.redirect(`https://github.com/login/oauth/authorize?${params}`);
+});
 
-  const { email, username, password, name, orgName } = parsed.data;
+// GET /auth/github/callback - Handle OAuth callback
+auth.get('/github/callback', async (c) => {
+  const code = c.req.query('code');
+  const state = c.req.query('state');
 
-  // Validate password strength
-  const pwCheck = validatePasswordStrength(password);
-  if (!pwCheck.valid) {
-    return c.json({ error: 'Weak password', details: pwCheck.errors }, 400);
+  if (!code || !state) {
+    return c.redirect('https://app.loopwind.dev/login?error=missing_params');
   }
 
-  // Check if email/username exists
-  const existing = await c.env.DB.prepare(
-    'SELECT id FROM users WHERE email = ? OR username = ?'
-  ).bind(email, username).first();
-
-  if (existing) {
-    return c.json({ error: 'Email or username already exists' }, 409);
+  // Verify state
+  const storedState = await c.env.SESSIONS.get(`oauth_state:${state}`);
+  if (!storedState) {
+    return c.redirect('https://app.loopwind.dev/login?error=invalid_state');
   }
+  await c.env.SESSIONS.delete(`oauth_state:${state}`);
 
-  // Create organization
-  const orgId = generateId.org();
-  const orgSlug = orgName.toLowerCase().replace(/[^a-z0-9]+/g, '-');
+  // Exchange code for access token
+  const tokenResponse = await fetch('https://github.com/login/oauth/access_token', {
+    method: 'POST',
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      client_id: c.env.GITHUB_CLIENT_ID,
+      client_secret: c.env.GITHUB_CLIENT_SECRET,
+      code,
+    }),
+  });
 
-  // Check org slug uniqueness
-  const existingOrg = await c.env.DB.prepare(
-    'SELECT id FROM organizations WHERE slug = ?'
-  ).bind(orgSlug).first();
+  const tokenData = await tokenResponse.json<{ access_token?: string; error?: string }>();
 
-  if (existingOrg) {
-    return c.json({ error: 'Organization name already taken' }, 409);
+  if (tokenData.error || !tokenData.access_token) {
+    return c.redirect('https://app.loopwind.dev/login?error=oauth_failed');
   }
 
-  // Hash password
-  const passwordHash = await hashPassword(password);
-
-  // Create org and user in transaction
-  const userId = generateId.user();
-  const now = new Date().toISOString();
-
-  await c.env.DB.batch([
-    c.env.DB.prepare(`
-      INSERT INTO organizations (id, name, slug, usage_reset_at)
-      VALUES (?, ?, ?, ?)
-    `).bind(orgId, orgName, orgSlug, getNextMonthReset()),
-
-    c.env.DB.prepare(`
-      INSERT INTO users (id, org_id, email, username, password_hash, name, role)
-      VALUES (?, ?, ?, ?, ?, ?, 'owner')
-    `).bind(userId, orgId, email, username, passwordHash, name || null),
+  // Fetch user info from GitHub
+  const [userResponse, emailsResponse] = await Promise.all([
+    fetch('https://api.github.com/user', {
+      headers: { Authorization: `Bearer ${tokenData.access_token}` },
+    }),
+    fetch('https://api.github.com/user/emails', {
+      headers: { Authorization: `Bearer ${tokenData.access_token}` },
+    }),
   ]);
 
-  // Generate tokens
-  const accessToken = await signAccessToken({ sub: userId, org: orgId, role: 'owner' }, c.env);
-  const refreshToken = await signRefreshToken(userId, c.env);
+  const githubUser = await userResponse.json<{
+    id: number;
+    login: string;
+    name: string | null;
+    avatar_url: string;
+  }>();
 
-  // Store refresh token in KV
-  await c.env.SESSIONS.put(`refresh:${userId}`, refreshToken, { expirationTtl: 7 * 24 * 60 * 60 });
+  const emails = await emailsResponse.json<Array<{
+    email: string;
+    primary: boolean;
+    verified: boolean;
+  }>>();
 
-  return c.json({
-    user: { id: userId, email, username, name, role: 'owner' },
-    organization: { id: orgId, name: orgName, slug: orgSlug },
-    accessToken,
-    refreshToken,
-  }, 201);
-});
+  const primaryEmail = emails.find(e => e.primary && e.verified)?.email;
+  if (!primaryEmail) {
+    return c.redirect('https://app.loopwind.dev/login?error=no_verified_email');
+  }
 
-// POST /auth/login
-auth.post('/login', async (c) => {
-  const body = await c.req.json();
-  const parsed = loginSchema.safeParse(body);
+  // Find or create user
+  let user = await c.env.DB.prepare(`
+    SELECT id, github_id, email, name, avatar_url FROM users WHERE github_id = ?
+  `).bind(String(githubUser.id)).first<any>();
 
-  if (!parsed.success) {
-    return c.json({ error: 'Validation failed' }, 400);
-  }
+  if (!user) {
+    // Create new user
+    const userId = generateId.user();
 
-  const { email, password } = parsed.data;
+    await c.env.DB.prepare(`
+      INSERT INTO users (id, github_id, github_username, email, name, avatar_url)
+      VALUES (?, ?, ?, ?, ?, ?)
+    `).bind(
+      userId,
+      String(githubUser.id),
+      githubUser.login,
+      primaryEmail,
+      githubUser.name,
+      githubUser.avatar_url
+    ).run();
+
+    // Create default personal organization
+    const orgId = generateId.org();
+    const orgSlug = githubUser.login.toLowerCase();
 
-  // Find user
-  const user = await c.env.DB.prepare(`
-    SELECT u.id, u.org_id, u.email, u.username, u.name, u.role, u.password_hash,
-           o.name as org_name, o.slug as org_slug, o.plan
-    FROM users u
-    JOIN organizations o ON u.org_id = o.id
-    WHERE u.email = ?
-  `).bind(email).first<any>();
+    await c.env.DB.batch([
+      c.env.DB.prepare(`
+        INSERT INTO organizations (id, name, slug, usage_reset_at)
+        VALUES (?, ?, ?, ?)
+      `).bind(orgId, `${githubUser.login}'s Organization`, orgSlug, getNextMonthReset()),
 
-  if (!user) {
-    return c.json({ error: 'Invalid credentials' }, 401);
-  }
+      c.env.DB.prepare(`
+        INSERT INTO org_members (org_id, user_id, role)
+        VALUES (?, ?, 'owner')
+      `).bind(orgId, userId),
+    ]);
 
-  // Verify password
-  const valid = await verifyPassword(password, user.password_hash);
-  if (!valid) {
-    return c.json({ error: 'Invalid credentials' }, 401);
+    user = { id: userId, github_id: String(githubUser.id), email: primaryEmail, name: githubUser.name, avatar_url: githubUser.avatar_url };
+  } else {
+    // Update user info
+    await c.env.DB.prepare(`
+      UPDATE users SET github_username = ?, name = ?, avatar_url = ?, last_login_at = ?
+      WHERE id = ?
+    `).bind(githubUser.login, githubUser.name, githubUser.avatar_url, new Date().toISOString(), user.id).run();
   }
 
-  // Update last login
-  await c.env.DB.prepare(
-    'UPDATE users SET last_login_at = ? WHERE id = ?'
-  ).bind(new Date().toISOString(), user.id).run();
-
   // Generate tokens
-  const accessToken = await signAccessToken(
-    { sub: user.id, org: user.org_id, role: user.role },
-    c.env
-  );
+  const accessToken = await signAccessToken({ sub: user.id }, c.env);
   const refreshToken = await signRefreshToken(user.id, c.env);
 
-  // Store refresh token
+  // Store refresh token in KV
   await c.env.SESSIONS.put(`refresh:${user.id}`, refreshToken, { expirationTtl: 7 * 24 * 60 * 60 });
 
-  return c.json({
-    user: {
-      id: user.id,
-      email: user.email,
-      username: user.username,
-      name: user.name,
-      role: user.role,
-    },
-    organization: {
-      id: user.org_id,
-      name: user.org_name,
-      slug: user.org_slug,
-      plan: user.plan,
-    },
-    accessToken,
-    refreshToken,
-  });
+  // Redirect to app with tokens (using fragment to keep them out of server logs)
+  return c.redirect(
+    `https://app.loopwind.dev/auth/callback#access_token=${accessToken}&refresh_token=${refreshToken}`
+  );
 });
 
 // POST /auth/refresh
@@ -836,7 +877,7 @@ auth.post('/refresh', async (c) => {
 
   // Verify refresh token
   const payload = await verifyToken(refreshToken, c.env);
-  if (!payload || payload.type !== 'refresh') {
+  if (!payload || (payload as any).type !== 'refresh') {
     return c.json({ error: 'Invalid refresh token' }, 401);
   }
 
@@ -848,7 +889,7 @@ auth.post('/refresh', async (c) => {
 
   // Get user
   const user = await c.env.DB.prepare(`
-    SELECT id, org_id, role FROM users WHERE id = ?
+    SELECT id FROM users WHERE id = ?
   `).bind(payload.sub).first<any>();
 
   if (!user) {
@@ -856,10 +897,7 @@ auth.post('/refresh', async (c) => {
   }
 
   // Generate new tokens
-  const newAccessToken = await signAccessToken(
-    { sub: user.id, org: user.org_id, role: user.role },
-    c.env
-  );
+  const newAccessToken = await signAccessToken({ sub: user.id }, c.env);
   const newRefreshToken = await signRefreshToken(user.id, c.env);
 
   // Update refresh token in KV
@@ -871,6 +909,38 @@ auth.post('/refresh', async (c) => {
   });
 });
 
+// GET /auth/me - Get current user with organizations
+auth.get('/me', async (c) => {
+  const authHeader = c.req.header('Authorization');
+  if (!authHeader?.startsWith('Bearer ')) {
+    return c.json({ error: 'Unauthorized' }, 401);
+  }
+
+  const token = authHeader.slice(7);
+  const payload = await verifyToken(token, c.env);
+  if (!payload) {
+    return c.json({ error: 'Invalid token' }, 401);
+  }
+
+  const user = await c.env.DB.prepare(`
+    SELECT id, email, name, avatar_url, github_username FROM users WHERE id = ?
+  `).bind(payload.sub).first<any>();
+
+  if (!user) {
+    return c.json({ error: 'User not found' }, 404);
+  }
+
+  // Get user's organizations
+  const { results: organizations } = await c.env.DB.prepare(`
+    SELECT t.id, t.name, t.slug, t.plan, tm.role
+    FROM organizations o
+    JOIN org_members tm ON t.id = tm.org_id
+    WHERE tm.user_id = ?
+  `).bind(user.id).all<any>();
+
+  return c.json({ user, organizations });
+});
+
 // POST /auth/logout
 auth.post('/logout', async (c) => {
   const authHeader = c.req.header('Authorization');
@@ -905,13 +975,14 @@ export default auth;
 // src/middleware/auth.ts
 import { Context, Next } from 'hono';
 import { verifyToken } from '../lib/jwt';
-import type { Env, User, JWTPayload } from '../types/env';
+import type { Env, JWTPayload } from '../types/env';
 
 // Extend Hono context
 declare module 'hono' {
   interface ContextVariableMap {
     user: JWTPayload;
-    apiKey?: { id: string; scopes: string[] };
+    orgId?: string;  // Set when accessing organization-specific routes
+    apiKey?: { id: string; scopes: string[]; org_id: string };
   }
 }
 
@@ -942,9 +1013,8 @@ export async function authMiddleware(c: Context<{ Bindings: Env }>, next: Next)
 
     // Find API key by prefix
     const key = await c.env.DB.prepare(`
-      SELECT ak.id, ak.key_hash, ak.scopes, ak.org_id, u.id as user_id, u.role
+      SELECT ak.id, ak.key_hash, ak.scopes, ak.org_id, ak.user_id
       FROM api_keys ak
-      JOIN users u ON ak.user_id = u.id
       WHERE ak.key_prefix = ?
         AND (ak.expires_at IS NULL OR ak.expires_at > datetime('now'))
     `).bind(keyPrefix).first<any>();
@@ -967,12 +1037,9 @@ export async function authMiddleware(c: Context<{ Bindings: Env }>, next: Next)
     ).bind(new Date().toISOString(), key.id).run();
 
     // Set context
-    c.set('user', {
-      sub: key.user_id,
-      org: key.org_id,
-      role: key.role,
-    } as JWTPayload);
-    c.set('apiKey', { id: key.id, scopes: JSON.parse(key.scopes) });
+    c.set('user', { sub: key.user_id } as JWTPayload);
+    c.set('orgId', key.org_id);
+    c.set('apiKey', { id: key.id, scopes: JSON.parse(key.scopes), org_id: key.org_id });
 
     return next();
   }
@@ -1000,15 +1067,37 @@ export function requireScopes(...scopes: string[]) {
   };
 }
 
-// Role checking middleware
-export function requireRole(...roles: string[]) {
+// Organization access middleware - validates user has access to the organization
+export function requireOrgAccess(roleRequired?: 'owner' | 'admin' | 'member') {
   return async (c: Context<{ Bindings: Env }>, next: Next) => {
     const user = c.get('user');
+    const orgId = c.req.param('orgId') || c.get('orgId');
 
-    if (!roles.includes(user.role)) {
-      return c.json({ error: 'Insufficient role', required: roles }, 403);
+    if (!orgId) {
+      return c.json({ error: 'Organization ID required' }, 400);
     }
 
+    // Check organization membership
+    const member = await c.env.DB.prepare(`
+      SELECT role FROM org_members WHERE org_id = ? AND user_id = ?
+    `).bind(orgId, user.sub).first<{ role: string }>();
+
+    if (!member) {
+      return c.json({ error: 'Not a member of this organization' }, 403);
+    }
+
+    // Check role if required
+    if (roleRequired) {
+      const roleHierarchy = ['member', 'admin', 'owner'];
+      const userLevel = roleHierarchy.indexOf(member.role);
+      const requiredLevel = roleHierarchy.indexOf(roleRequired);
+
+      if (userLevel < requiredLevel) {
+        return c.json({ error: 'Insufficient permissions', required: roleRequired }, 403);
+      }
+    }
+
+    c.set('orgId', orgId);
     return next();
   };
 }
@@ -1033,16 +1122,16 @@ const PLAN_LIMITS: Record<string, RateLimitConfig> = {
 };
 
 export async function rateLimitMiddleware(c: Context<{ Bindings: Env }>, next: Next) {
-  const user = c.get('user');
-  if (!user) return next();
+  const orgId = c.get('orgId');
+  if (!orgId) return next();
 
-  // Get org plan
+  // Get organization plan
   const org = await c.env.DB.prepare(
     'SELECT plan FROM organizations WHERE id = ?'
-  ).bind(user.org).first<{ plan: string }>();
+  ).bind(orgId).first<{ plan: string }>();
 
   const limits = PLAN_LIMITS[org?.plan || 'free'];
-  const key = `rate:${user.org}:${Math.floor(Date.now() / limits.windowMs)}`;
+  const key = `rate:${orgId}:${Math.floor(Date.now() / limits.windowMs)}`;
 
   // Get current count
   const current = await c.env.RATE_LIMIT.get(key);
@@ -1079,8 +1168,8 @@ export async function rateLimitMiddleware(c: Context<{ Bindings: Env }>, next: N
 import { Hono } from 'hono';
 import { z } from 'zod';
 import type { Env } from '../types/env';
-import { authMiddleware, requireScopes } from '../middleware/auth';
-import { generateId } from '../lib/id';
+import { authMiddleware, requireScopes, requireOrgAccess } from '../middleware/auth';
+import { generateId, generateRenderToken } from '../lib/id';
 
 const templates = new Hono<{ Bindings: Env }>();
 
@@ -1105,9 +1194,10 @@ const publishSchema = z.object({
   })),
 });
 
-// POST /templates/publish
-templates.post('/publish', requireScopes('templates:write'), async (c) => {
+// POST /organizations/:orgId/templates/publish
+templates.post('/:orgId/publish', requireOrgAccess('member'), requireScopes('templates:write'), async (c) => {
   const user = c.get('user');
+  const orgId = c.get('orgId')!;
   const body = await c.req.json();
 
   const parsed = publishSchema.safeParse(body);
@@ -1117,15 +1207,15 @@ templates.post('/publish', requireScopes('templates:write'), async (c) => {
 
   const { name, version, description, isPrivate, tags, meta, files } = parsed.data;
 
-  // Get org for slug
+  // Get organization for slug and limits
   const org = await c.env.DB.prepare(
     'SELECT slug, templates_limit FROM organizations WHERE id = ?'
-  ).bind(user.org).first<any>();
+  ).bind(orgId).first<any>();
 
   // Check template limit
   const templateCount = await c.env.DB.prepare(
     'SELECT COUNT(*) as count FROM templates WHERE org_id = ?'
-  ).bind(user.org).first<{ count: number }>();
+  ).bind(orgId).first<{ count: number }>();
 
   if (templateCount!.count >= org.templates_limit) {
     return c.json({ error: 'Template limit reached', limit: org.templates_limit }, 403);
@@ -1136,7 +1226,7 @@ templates.post('/publish', requireScopes('templates:write'), async (c) => {
   // Check if template exists
   let template = await c.env.DB.prepare(
     'SELECT id FROM templates WHERE org_id = ? AND name = ?'
-  ).bind(user.org, name).first<{ id: string }>();
+  ).bind(orgId, name).first<{ id: string }>();
 
   const templateId = template?.id || generateId.template();
 
@@ -1169,51 +1259,52 @@ templates.post('/publish', requireScopes('templates:write'), async (c) => {
     uploadedFiles.push({ path: file.path, r2Key, checksum: checksumHex });
   }
 
-  // Create or update template
+  // Create or update template + create render token
   const versionId = generateId.version();
+  const renderToken = generateRenderToken();
 
   if (!template) {
     await c.env.DB.batch([
       c.env.DB.prepare(`
-        INSERT INTO templates (id, org_id, created_by, name, slug, description, type, meta, is_private, tags)
+        INSERT INTO templates (id, org_id, created_by, name, slug, description, type, current_version, is_private, tags)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
       `).bind(
-        templateId, user.org, user.sub, name, slug,
-        description || null, meta.type, JSON.stringify(meta),
+        templateId, orgId, user.sub, name, slug,
+        description || null, meta.type, version,
         isPrivate ? 1 : 0, JSON.stringify(tags)
       ),
       c.env.DB.prepare(`
-        INSERT INTO template_versions (id, template_id, version, files)
-        VALUES (?, ?, ?, ?)
-      `).bind(versionId, templateId, version, JSON.stringify(uploadedFiles)),
+        INSERT INTO render_tokens (token, org_id, template_id)
+        VALUES (?, ?, ?)
+      `).bind(renderToken, orgId, templateId),
     ]);
   } else {
-    await c.env.DB.batch([
-      c.env.DB.prepare(`
-        UPDATE templates SET description = ?, meta = ?, is_private = ?, tags = ?, updated_at = datetime('now')
-        WHERE id = ?
-      `).bind(description || null, JSON.stringify(meta), isPrivate ? 1 : 0, JSON.stringify(tags), templateId),
-      c.env.DB.prepare(`
-        INSERT INTO template_versions (id, template_id, version, files)
-        VALUES (?, ?, ?, ?)
-      `).bind(versionId, templateId, version, JSON.stringify(uploadedFiles)),
-    ]);
+    await c.env.DB.prepare(`
+      UPDATE templates SET description = ?, current_version = ?, is_private = ?, tags = ?, updated_at = datetime('now')
+      WHERE id = ?
+    `).bind(description || null, version, isPrivate ? 1 : 0, JSON.stringify(tags), templateId).run();
   }
 
+  // Get existing render token if template already existed
+  const existingToken = template
+    ? await c.env.DB.prepare('SELECT token FROM render_tokens WHERE template_id = ? AND revoked_at IS NULL').bind(templateId).first<{token: string}>()
+    : null;
+
   return c.json({
     id: templateId,
     name,
     slug,
     version,
-    url: `https://loopwind.dev/${slug}`,
+    renderToken: existingToken?.token || renderToken,
+    renderUrl: `https://api.loopwind.dev/r/${existingToken?.token || renderToken}`,
     publishedAt: new Date().toISOString(),
   }, 201);
 });
 
-// GET /templates - List public templates or org templates
-templates.get('/', async (c) => {
-  const user = c.get('user');
-  const { q, type, tags, author, sort = 'recent', page = '1', limit = '20' } = c.req.query();
+// GET /organizations/:orgId/templates - List organization templates
+templates.get('/:orgId', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
+  const { q, type, sort = 'recent', page = '1', limit = '20' } = c.req.query();
 
   const offset = (parseInt(page) - 1) * parseInt(limit);
 
@@ -1422,279 +1513,770 @@ export const publishCommand = new Command('publish')
 
 ---
 
-## Phase 4: Image Rendering API
+## Phase 4: Public Render API
 
-### 4.1 Render Routes
+> **Key change from PLATFORM.md**: Uses random render tokens in URLs (`/r/x7k9m2p4`) instead of template slugs. This prevents enumeration and allows fine-grained access control.
+
+### 4.1 Render Routes (GET/POST /r/{token})
 
 ```typescript
 // src/routes/render.ts
 import { Hono } from 'hono';
-import { z } from 'zod';
 import type { Env } from '../types/env';
-import { authMiddleware, requireScopes } from '../middleware/auth';
 import { generateId } from '../lib/id';
 
 const render = new Hono<{ Bindings: Env }>();
 
-render.use('*', authMiddleware);
+// GET /r/:token - URL-based rendering (for OG images, etc.)
+// Usage: <img src="https://api.loopwind.dev/r/x7k9m2p4?title=Hello&image=https://..." />
+render.get('/:token', async (c) => {
+  const token = c.req.param('token');
+  const query = c.req.query();
 
-const imageRenderSchema = z.object({
-  template: z.string(),           // slug or id
-  version: z.string().optional(), // defaults to latest
-  props: z.record(z.any()),
-  format: z.enum(['png', 'jpg', 'webp', 'svg']).default('png'),
-  scale: z.number().min(1).max(3).default(1),
+  // Parse props from query params
+  const props = parseProps(query);
+  const format = (query.format as 'png' | 'jpg' | 'webp' | 'svg') || 'png';
+  const version = query.v || 'latest';
+
+  return handleRender(c, token, props, format, version);
 });
 
-const videoRenderSchema = z.object({
-  template: z.string(),
-  version: z.string().optional(),
-  props: z.record(z.any()),
-  format: z.enum(['mp4', 'gif']).default('mp4'),
-  webhook: z.string().url().optional(),
+// POST /r/:token - API-based rendering
+render.post('/:token', async (c) => {
+  const token = c.req.param('token');
+  const body = await c.req.json<{
+    props?: Record<string, any>;
+    format?: 'png' | 'jpg' | 'webp' | 'svg';
+    version?: string;
+  }>();
+
+  const props = body.props || {};
+  const format = body.format || 'png';
+  const version = body.version || 'latest';
+
+  return handleRender(c, token, props, format, version);
 });
 
-// POST /render - Synchronous image rendering
-render.post('/', requireScopes('render:write'), async (c) => {
-  const user = c.get('user');
-  const body = await c.req.json();
+// Main render handler
+async function handleRender(
+  c: any,
+  token: string,
+  props: Record<string, any>,
+  format: string,
+  version: string
+) {
+  const env: Env = c.env;
+
+  // 1. Look up render token (KV cache first, then D1)
+  const tokenData = await lookupRenderToken(token, env);
+  if (!tokenData) {
+    return c.json({ error: 'Invalid render token' }, 404);
+  }
+
+  // 2. Check if props are allowed
+  if (tokenData.allowed_props) {
+    const allowed = JSON.parse(tokenData.allowed_props);
+    const propsKeys = Object.keys(props);
+    const invalidKeys = propsKeys.filter(k => !allowed.includes(k));
+    if (invalidKeys.length > 0) {
+      return c.json({ error: 'Props not allowed', invalid: invalidKeys }, 400);
+    }
+  }
 
-  const parsed = imageRenderSchema.safeParse(body);
-  if (!parsed.success) {
-    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  // 3. Validate external URLs in props (allowed hosts check)
+  const urlProps = extractUrls(props);
+  if (urlProps.length > 0) {
+    const validationResult = await validateExternalUrls(urlProps, tokenData.org_id, env);
+    if (!validationResult.valid) {
+      return c.json({ error: 'External URL not allowed', blocked: validationResult.blocked }, 403);
+    }
   }
 
-  const { template, version, props, format, scale } = parsed.data;
+  // 4. Resolve version
+  const resolvedVersion = version === 'latest'
+    ? await getLatestVersion(tokenData.template_id, env)
+    : version;
 
-  // Check usage limits
-  const org = await c.env.DB.prepare(`
-    SELECT image_renders_limit, image_renders_used, usage_reset_at
-    FROM organizations WHERE id = ?
-  `).bind(user.org).first<any>();
+  // 5. Check R2 cache
+  const cacheKey = getCacheKey(tokenData.template_id, resolvedVersion, props, format);
+  const cached = await env.RENDERS.get(cacheKey);
 
-  // Reset usage if needed
-  if (new Date(org.usage_reset_at) < new Date()) {
-    await c.env.DB.prepare(`
-      UPDATE organizations
-      SET image_renders_used = 0, video_renders_used = 0, usage_reset_at = ?
-      WHERE id = ?
-    `).bind(getNextMonthReset(), user.org).run();
-    org.image_renders_used = 0;
+  if (cached) {
+    // Track cache hit
+    env.ANALYTICS.writeDataPoint({
+      indexes: [tokenData.template_id],
+      blobs: [tokenData.org_id, 'hit', format],
+      doubles: [1],
+    });
+
+    return new Response(cached.body, {
+      headers: {
+        'Content-Type': getContentType(format),
+        'Cache-Control': 'public, max-age=31536000, immutable',
+        'X-Cache': 'HIT',
+      },
+    });
   }
 
+  // 6. Check usage limits
+  const org = await env.DB.prepare(`
+    SELECT image_renders_limit, image_renders_used, usage_reset_at
+    FROM organizations WHERE id = ?
+  `).bind(tokenData.org_id).first<any>();
+
   if (org.image_renders_used >= org.image_renders_limit) {
-    return c.json({ error: 'Image render limit exceeded', limit: org.image_renders_limit }, 403);
+    return c.json({ error: 'Render limit exceeded' }, 429);
   }
 
-  // Get template
-  const tpl = await getTemplate(c.env, template, version, user.org);
-  if (!tpl) {
-    return c.json({ error: 'Template not found' }, 404);
-  }
+  // 7. Get template from Organization Durable Object
+  const orgDO = env.ORG_DO.get(env.ORG_DO.idFromName(tokenData.org_id));
+  const templateResponse = await orgDO.fetch(`http://internal/template/${tokenData.template_id}/${resolvedVersion}`);
 
-  if (tpl.type !== 'image') {
-    return c.json({ error: 'Use /render/async for video templates' }, 400);
+  if (!templateResponse.ok) {
+    return c.json({ error: 'Template not found' }, 404);
   }
 
-  // Load template files from R2
-  const templateCode = await loadTemplateFromR2(c.env, tpl);
+  const templateData = await templateResponse.json<{
+    code: string;
+    meta: any;
+    assets: Record<string, string>;
+  }>();
 
-  // Render image (using loopwind core renderer)
+  // 8. Render image
   const startTime = Date.now();
-  const imageBuffer = await renderImage(templateCode, props, format, scale);
+  const imageBuffer = await renderImage(templateData.code, props, format, templateData.meta);
   const duration = Date.now() - startTime;
 
-  // Increment usage
-  await c.env.DB.prepare(
-    'UPDATE organizations SET image_renders_used = image_renders_used + 1 WHERE id = ?'
-  ).bind(user.org).run();
+  // 9. Store in R2 cache
+  await env.RENDERS.put(cacheKey, imageBuffer, {
+    customMetadata: {
+      template_id: tokenData.template_id,
+      version: resolvedVersion,
+      format,
+      created_at: new Date().toISOString(),
+    },
+  });
 
-  // Increment template renders
-  await c.env.DB.prepare(
-    'UPDATE templates SET renders = renders + 1 WHERE id = ?'
-  ).bind(tpl.id).run();
+  // 10. Track render event
+  env.ANALYTICS.writeDataPoint({
+    indexes: [tokenData.template_id],
+    blobs: [tokenData.org_id, 'render', format],
+    doubles: [1, duration],
+  });
 
-  // Return image
-  const contentType = {
-    png: 'image/png',
-    jpg: 'image/jpeg',
-    webp: 'image/webp',
-    svg: 'image/svg+xml',
-  }[format];
+  // 11. Increment usage (non-blocking)
+  c.executionCtx.waitUntil(
+    env.DB.prepare(
+      'UPDATE organizations SET image_renders_used = image_renders_used + 1 WHERE id = ?'
+    ).bind(tokenData.org_id).run()
+  );
 
   return new Response(imageBuffer, {
     headers: {
-      'Content-Type': contentType,
+      'Content-Type': getContentType(format),
+      'Cache-Control': 'public, max-age=31536000, immutable',
+      'X-Cache': 'MISS',
       'X-Render-Duration': `${duration}ms`,
-      'X-Render-Id': generateId.job(),
     },
   });
-});
+}
 
-// POST /render/async - Asynchronous video rendering
-render.post('/async', requireScopes('render:write'), async (c) => {
-  const user = c.get('user');
-  const body = await c.req.json();
+// KV-cached render token lookup
+async function lookupRenderToken(token: string, env: Env) {
+  // Check KV cache first (1ms vs 5-10ms D1)
+  const cached = await env.CACHE.get(`rt:${token}`, 'json');
+  if (cached) return cached;
 
-  const parsed = videoRenderSchema.safeParse(body);
-  if (!parsed.success) {
-    return c.json({ error: 'Validation failed', details: parsed.error.flatten() }, 400);
+  // Fall back to D1
+  const row = await env.DB.prepare(`
+    SELECT org_id, template_id, allowed_props
+    FROM render_tokens
+    WHERE token = ? AND revoked_at IS NULL
+  `).bind(token).first<any>();
+
+  if (!row) return null;
+
+  // Cache in KV for 1 hour
+  await env.CACHE.put(`rt:${token}`, JSON.stringify(row), { expirationTtl: 3600 });
+  return row;
+}
+
+// Generate deterministic cache key
+function getCacheKey(
+  templateId: string,
+  version: string,
+  props: object,
+  format: string
+): string {
+  const input = JSON.stringify({ templateId, version, props, format });
+  const hash = crypto.subtle.digestSync('SHA-256', new TextEncoder().encode(input));
+  return Array.from(new Uint8Array(hash)).map(b => b.toString(16).padStart(2, '0')).join('').slice(0, 32);
+}
+
+// Validate external URLs against allowed hosts
+async function validateExternalUrls(
+  urls: string[],
+  orgId: string,
+  env: Env
+): Promise<{ valid: boolean; blocked: string[] }> {
+  const { results } = await env.DB.prepare(
+    'SELECT pattern FROM allowed_hosts WHERE org_id = ?'
+  ).bind(orgId).all<{ pattern: string }>();
+
+  const patterns = results.map(r => r.pattern);
+  const blocked: string[] = [];
+
+  for (const url of urls) {
+    const urlObj = new URL(url);
+    const host = urlObj.hostname;
+
+    // Check against patterns
+    const allowed = patterns.some(pattern => {
+      if (pattern.startsWith('*.')) {
+        const suffix = pattern.slice(2);
+        return host.endsWith(suffix) || host === suffix;
+      }
+      return host === pattern;
+    });
+
+    if (!allowed) {
+      blocked.push(url);
+    }
   }
 
-  const { template, version, props, format, webhook } = parsed.data;
+  return { valid: blocked.length === 0, blocked };
+}
 
-  // Check usage limits
-  const org = await c.env.DB.prepare(`
-    SELECT video_renders_limit, video_renders_used
-    FROM organizations WHERE id = ?
-  `).bind(user.org).first<any>();
+// Extract URLs from props
+function extractUrls(props: Record<string, any>): string[] {
+  const urls: string[] = [];
+  const urlRegex = /^https?:\/\//;
+
+  function traverse(obj: any) {
+    if (typeof obj === 'string' && urlRegex.test(obj)) {
+      urls.push(obj);
+    } else if (Array.isArray(obj)) {
+      obj.forEach(traverse);
+    } else if (typeof obj === 'object' && obj !== null) {
+      Object.values(obj).forEach(traverse);
+    }
+  }
+
+  traverse(props);
+  return urls;
+}
 
-  if (org.video_renders_used >= org.video_renders_limit) {
-    return c.json({ error: 'Video render limit exceeded', limit: org.video_renders_limit }, 403);
+// Parse props from query string
+function parseProps(query: Record<string, string>): Record<string, any> {
+  const reserved = ['format', 'v', 'width', 'height'];
+  const props: Record<string, any> = {};
+
+  for (const [key, value] of Object.entries(query)) {
+    if (!reserved.includes(key)) {
+      // Try to parse JSON values
+      try {
+        props[key] = JSON.parse(value);
+      } catch {
+        props[key] = value;
+      }
+    }
   }
 
-  // Get template
-  const tpl = await getTemplate(c.env, template, version, user.org);
-  if (!tpl) {
-    return c.json({ error: 'Template not found' }, 404);
+  return props;
+}
+
+// Get latest version for a template
+async function getLatestVersion(templateId: string, env: Env): Promise<string> {
+  const row = await env.DB.prepare(
+    'SELECT current_version FROM templates WHERE id = ?'
+  ).bind(templateId).first<{ current_version: string }>();
+
+  return row?.current_version || '1.0.0';
+}
+
+// Content type mapping
+function getContentType(format: string): string {
+  const types: Record<string, string> = {
+    png: 'image/png',
+    jpg: 'image/jpeg',
+    webp: 'image/webp',
+    svg: 'image/svg+xml',
+  };
+  return types[format] || 'image/png';
+}
+
+// Placeholder for actual render function (uses loopwind SDK)
+async function renderImage(
+  code: string,
+  props: Record<string, any>,
+  format: string,
+  meta: any
+): Promise<ArrayBuffer> {
+  // This would use the loopwind SDK to render the template
+  // Implementation depends on how templates are compiled/executed
+  throw new Error('renderImage implementation required');
+}
+
+export default render;
+```
+
+### 4.2 Image Transformations (Cloudflare Images)
+
+External image URLs passed as props are automatically transformed using [Cloudflare Image Transformations](https://developers.cloudflare.com/images/transform-images/).
+
+```typescript
+// src/lib/image-transform.ts
+
+interface ImageTransform {
+  width?: number;
+  height?: number;
+  fit?: 'cover' | 'contain' | 'scale-down' | 'crop' | 'pad';
+  format?: 'auto' | 'webp' | 'avif' | 'jpeg' | 'png';
+  quality?: number;
+}
+
+/**
+ * Transform an image URL using Cloudflare Images
+ * Uses the /cdn-cgi/image/ endpoint built into all Cloudflare zones
+ */
+export function transformImageUrl(
+  originalUrl: string,
+  transform: ImageTransform,
+  apiDomain: string = 'api.loopwind.dev'
+): string {
+  // Build transform options string
+  const options: string[] = [];
+
+  if (transform.width) options.push(`width=${transform.width}`);
+  if (transform.height) options.push(`height=${transform.height}`);
+  if (transform.fit) options.push(`fit=${transform.fit}`);
+  if (transform.format) options.push(`format=${transform.format}`);
+  if (transform.quality) options.push(`quality=${transform.quality}`);
+
+  // Default to auto format if not specified (serves WebP/AVIF to supporting browsers)
+  if (!transform.format) options.push('format=auto');
+
+  const optionsString = options.join(',');
+
+  // Cloudflare Images URL format: /cdn-cgi/image/{options}/{source-url}
+  return `https://${apiDomain}/cdn-cgi/image/${optionsString}/${originalUrl}`;
+}
+
+/**
+ * Apply transforms to all image props based on template meta
+ */
+export async function transformImageProps(
+  props: Record<string, any>,
+  templateMeta: { props?: Record<string, { type?: string; transform?: ImageTransform }> },
+  env: Env
+): Promise<Record<string, any>> {
+  const transformedProps = { ...props };
+
+  if (!templateMeta.props) return transformedProps;
+
+  for (const [key, propDef] of Object.entries(templateMeta.props)) {
+    if (propDef.type !== 'image' || !propDef.transform) continue;
+
+    const propValue = props[key];
+    if (!propValue || typeof propValue !== 'string') continue;
+
+    // Skip if not a URL
+    if (!propValue.startsWith('http://') && !propValue.startsWith('https://')) continue;
+
+    // Apply transform
+    transformedProps[key] = transformImageUrl(propValue, propDef.transform);
   }
 
-  // Create job
-  const jobId = generateId.job();
-  const meta = JSON.parse(tpl.meta);
-  const totalFrames = meta.video ? meta.video.fps * meta.video.duration : 0;
+  return transformedProps;
+}
+```
 
-  await c.env.DB.prepare(`
-    INSERT INTO render_jobs (id, org_id, user_id, template_id, props, format, total_frames, webhook_url)
-    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-  `).bind(jobId, user.org, user.sub, tpl.id, JSON.stringify(props), format, totalFrames, webhook || null).run();
+**Integration in render handler:**
 
-  // Dispatch to container via Durable Object
-  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
-  await jobDO.fetch('http://internal/start', {
-    method: 'POST',
-    body: JSON.stringify({
-      jobId,
-      templateId: tpl.id,
-      version: tpl.version,
-      props,
-      format,
-      meta,
-    }),
-  });
+```typescript
+// In handleRender function (render.ts)
 
-  // Increment usage
-  await c.env.DB.prepare(
-    'UPDATE organizations SET video_renders_used = video_renders_used + 1 WHERE id = ?'
-  ).bind(user.org).run();
+async function handleRender(c: any, token: string, props: Record<string, any>, ...) {
+  // ... lookup render token, validate hosts ...
 
-  return c.json({
-    jobId,
-    status: 'queued',
-    totalFrames,
-    estimatedDuration: totalFrames * 100, // rough estimate
-    statusUrl: `/render/${jobId}`,
-    createdAt: new Date().toISOString(),
-  }, 202);
+  // Get template metadata from Organization DO
+  const templateMeta = await getTemplateMeta(tokenData.template_id, env);
+
+  // Transform image props using Cloudflare Images
+  const transformedProps = await transformImageProps(props, templateMeta, env);
+
+  // Continue with rendering using transformed props
+  const imageBuffer = await renderImage(templateData.code, transformedProps, format, templateMeta);
+
+  // ...
+}
+```
+
+**Direct image proxy endpoint:**
+
+```typescript
+// src/routes/img.ts
+import { Hono } from 'hono';
+import type { Env } from '../types/env';
+
+const img = new Hono<{ Bindings: Env }>();
+
+// GET /img?src=<url>&w=<width>&h=<height>&fit=<fit>&f=<format>&q=<quality>
+// Proxies to Cloudflare Images for transformation
+img.get('/', async (c) => {
+  const src = c.req.query('src');
+  if (!src) {
+    return c.json({ error: 'Missing src parameter' }, 400);
+  }
+
+  // Validate URL is allowed (use same allowed_hosts logic)
+  // For public endpoint, only allow from default allowed hosts
+  const url = new URL(src);
+  const defaultAllowed = [
+    'images.unsplash.com',
+    'cdn.sanity.io',
+    'res.cloudinary.com',
+  ];
+
+  const isAllowed = defaultAllowed.some(host =>
+    url.hostname === host || url.hostname.endsWith('.' + host)
+  );
+
+  if (!isAllowed) {
+    return c.json({ error: 'Host not allowed for public image proxy' }, 403);
+  }
+
+  // Build Cloudflare Images URL
+  const options: string[] = [];
+  const w = c.req.query('w');
+  const h = c.req.query('h');
+  const fit = c.req.query('fit');
+  const f = c.req.query('f');
+  const q = c.req.query('q');
+
+  if (w) options.push(`width=${w}`);
+  if (h) options.push(`height=${h}`);
+  if (fit) options.push(`fit=${fit}`);
+  options.push(`format=${f || 'auto'}`);
+  if (q) options.push(`quality=${q}`);
+
+  // Redirect to Cloudflare Images endpoint
+  // This leverages CF's built-in image optimization without needing Images subscription
+  const cfImageUrl = `/cdn-cgi/image/${options.join(',')}/${src}`;
+
+  return c.redirect(cfImageUrl, 302);
 });
 
-// GET /render/:jobId - Get job status
-render.get('/:jobId', async (c) => {
-  const user = c.get('user');
-  const jobId = c.req.param('jobId');
+export default img;
+```
+
+**Wrangler configuration for Cloudflare Images:**
+
+```toml
+# platform/wrangler.toml
+
+# Enable Image Resizing (included in Pro plan, or pay-as-you-go)
+# No additional config needed - /cdn-cgi/image/ is automatic on any CF zone
+```
+
+**Cost considerations:**
+
+| Plan | Image Transforms |
+|------|------------------|
+| Free | Not available |
+| Pro ($20/mo) | 100K transforms/mo included |
+| Business | 1M transforms/mo included |
+| Pay-as-you-go | $9 per 100K transforms |
+
+### 4.3 Signed URLs (Private Images)
+
+For private templates, implement HMAC-SHA256 signed URLs with expiration.
+
+**Database schema addition:**
+
+```sql
+-- Add to migrations/0001_initial.sql
+
+-- Signing Keys for private image URLs
+CREATE TABLE signing_keys (
+  id TEXT PRIMARY KEY,                    -- sk_xxxxx
+  org_id TEXT NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+
+  key_hash TEXT NOT NULL,                 -- bcrypt hash of the key
+  key_prefix TEXT NOT NULL,               -- sk_live_**** (for display)
+
+  created_at TEXT DEFAULT (datetime('now')),
+  revoked_at TEXT                         -- Soft delete
+);
+
+CREATE INDEX idx_signing_keys_org ON signing_keys(org_id);
+```
 
-  const job = await c.env.DB.prepare(`
-    SELECT * FROM render_jobs WHERE id = ? AND org_id = ?
-  `).bind(jobId, user.org).first();
+**Signature verification middleware:**
 
-  if (!job) {
-    return c.json({ error: 'Job not found' }, 404);
+```typescript
+// src/middleware/signature.ts
+import { Context, Next } from 'hono';
+import type { Env } from '../types/env';
+
+/**
+ * Verify signed URLs for private templates
+ */
+export async function verifySignature(c: Context<{ Bindings: Env }>, next: Next) {
+  const exp = c.req.query('exp');
+  const sig = c.req.query('sig');
+  const orgId = c.get('orgId');
+
+  // Check if template requires signature
+  const templateMeta = c.get('templateMeta');
+  if (!templateMeta?.requireSignature) {
+    return next();
   }
 
-  const response: any = {
-    jobId: job.id,
-    status: job.status,
-    progress: job.progress,
-    currentFrame: job.current_frame,
-    totalFrames: job.total_frames,
-    createdAt: job.created_at,
-  };
+  // Signature required but not provided
+  if (!exp || !sig) {
+    return c.json({
+      error: 'signature_required',
+      message: 'This template requires a signed URL'
+    }, 403);
+  }
 
-  if (job.status === 'processing') {
-    response.startedAt = job.started_at;
+  // Check expiration
+  const expTime = parseInt(exp, 10);
+  if (isNaN(expTime) || expTime < Math.floor(Date.now() / 1000)) {
+    return c.json({
+      error: 'signature_expired',
+      message: `URL expired at ${new Date(expTime * 1000).toISOString()}`
+    }, 403);
   }
 
-  if (job.status === 'completed') {
-    response.outputUrl = `https://renders.loopwind.dev/${job.output_key}`;
-    response.expiresAt = new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
-    response.completedAt = job.completed_at;
+  // Get signing key for this org
+  const signingKey = await c.env.DB.prepare(`
+    SELECT key_hash FROM signing_keys
+    WHERE org_id = ? AND revoked_at IS NULL
+    ORDER BY created_at DESC LIMIT 1
+  `).bind(orgId).first<{ key_hash: string }>();
+
+  if (!signingKey) {
+    return c.json({
+      error: 'no_signing_key',
+      message: 'No signing key configured for this organization'
+    }, 500);
+  }
+
+  // Reconstruct the data that was signed
+  const url = new URL(c.req.url);
+  url.searchParams.delete('sig');  // Remove sig from verification
+  const dataToSign = url.pathname + url.search;
+
+  // Verify signature
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(signingKey.key_hash),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign', 'verify']
+  );
+
+  const signatureBuffer = hexToArrayBuffer(sig);
+  const isValid = await crypto.subtle.verify(
+    'HMAC',
+    key,
+    signatureBuffer,
+    encoder.encode(dataToSign)
+  );
+
+  if (!isValid) {
+    return c.json({
+      error: 'signature_invalid',
+      message: 'Signature verification failed'
+    }, 403);
   }
 
-  if (job.status === 'failed') {
-    response.error = job.error;
+  return next();
+}
+
+function hexToArrayBuffer(hex: string): ArrayBuffer {
+  const bytes = new Uint8Array(hex.length / 2);
+  for (let i = 0; i < hex.length; i += 2) {
+    bytes[i / 2] = parseInt(hex.substr(i, 2), 16);
   }
+  return bytes.buffer;
+}
+```
+
+**Signing key routes:**
+
+```typescript
+// src/routes/signing-keys.ts
+import { Hono } from 'hono';
+import type { Env } from '../types/env';
+import { authMiddleware, requireOrgAccess } from '../middleware/auth';
+import { generateId } from '../lib/id';
+import { hashPassword } from '../lib/password';
+import { nanoid } from 'nanoid';
+
+const signingKeys = new Hono<{ Bindings: Env }>();
 
-  return c.json(response);
+signingKeys.use('*', authMiddleware);
+
+// GET /organizations/:orgId/signing-keys - List signing keys
+signingKeys.get('/:orgId', requireOrgAccess('admin'), async (c) => {
+  const orgId = c.get('orgId')!;
+
+  const { results } = await c.env.DB.prepare(`
+    SELECT id, key_prefix, created_at FROM signing_keys
+    WHERE org_id = ? AND revoked_at IS NULL
+    ORDER BY created_at DESC
+  `).bind(orgId).all();
+
+  return c.json({ keys: results });
 });
 
-// Helper functions
-async function getTemplate(env: Env, slugOrId: string, version: string | undefined, orgId: string) {
-  let template;
-
-  if (slugOrId.startsWith('tpl_')) {
-    template = await env.DB.prepare(`
-      SELECT t.*, tv.version, tv.files
-      FROM templates t
-      JOIN template_versions tv ON tv.template_id = t.id
-      WHERE t.id = ? AND (t.is_private = 0 OR t.org_id = ?)
-      ORDER BY tv.published_at DESC LIMIT 1
-    `).bind(slugOrId, orgId).first();
-  } else {
-    const versionClause = version
-      ? 'AND tv.version = ?'
-      : '';
-    const params = version
-      ? [slugOrId, orgId, version]
-      : [slugOrId, orgId];
-
-    template = await env.DB.prepare(`
-      SELECT t.*, tv.version, tv.files
-      FROM templates t
-      JOIN template_versions tv ON tv.template_id = t.id
-      WHERE t.slug = ? AND (t.is_private = 0 OR t.org_id = ?)
-      ${versionClause}
-      ORDER BY tv.published_at DESC LIMIT 1
-    `).bind(...params).first();
-  }
-
-  return template;
-}
+// POST /organizations/:orgId/signing-keys - Create signing key
+signingKeys.post('/:orgId', requireOrgAccess('admin'), async (c) => {
+  const orgId = c.get('orgId')!;
 
-async function loadTemplateFromR2(env: Env, template: any): Promise<string> {
-  const files = JSON.parse(template.files);
-  const mainFile = files.find((f: any) => f.path === 'template.tsx');
+  const keyId = `sk_${nanoid(16)}`;
+  const rawKey = `sk_live_${nanoid(32)}`;
+  const keyHash = await hashPassword(rawKey);
+  const keyPrefix = rawKey.substring(0, 12) + '****';
 
-  if (!mainFile) {
-    throw new Error('Template file not found');
-  }
+  await c.env.DB.prepare(`
+    INSERT INTO signing_keys (id, org_id, key_hash, key_prefix)
+    VALUES (?, ?, ?, ?)
+  `).bind(keyId, orgId, keyHash, keyPrefix).run();
+
+  return c.json({
+    id: keyId,
+    key: rawKey,  // Only shown once!
+    prefix: keyPrefix,
+    createdAt: new Date().toISOString(),
+  }, 201);
+});
+
+// DELETE /organizations/:orgId/signing-keys/:id - Revoke signing key
+signingKeys.delete('/:orgId/signing-keys/:id', requireOrgAccess('admin'), async (c) => {
+  const orgId = c.get('orgId')!;
+  const keyId = c.req.param('id');
 
-  const object = await env.STORAGE.get(mainFile.r2Key);
-  if (!object) {
-    throw new Error('Template file not found in storage');
+  const result = await c.env.DB.prepare(`
+    UPDATE signing_keys SET revoked_at = datetime('now')
+    WHERE id = ? AND org_id = ?
+  `).bind(keyId, orgId).run();
+
+  if (result.meta.changes === 0) {
+    return c.json({ error: 'Key not found' }, 404);
   }
 
-  return await object.text();
+  return c.json({ success: true });
+});
+
+export default signingKeys;
+```
+
+**Integration in render handler:**
+
+```typescript
+// In handleRender (render.ts), add signature verification
+import { verifySignature } from '../middleware/signature';
+
+render.get('/:token', async (c) => {
+  // ... lookup render token ...
+
+  // Load template meta and attach to context
+  const templateMeta = await getTemplateMeta(tokenData.template_id, env);
+  c.set('templateMeta', templateMeta);
+  c.set('orgId', tokenData.org_id);
+
+  // Verify signature if required
+  const signatureResult = await verifySignature(c, () => Promise.resolve());
+  if (signatureResult) return signatureResult;  // Returns error response if invalid
+
+  // Continue with normal rendering...
+});
+```
+
+**Client-side SDK for generating signed URLs:**
+
+```typescript
+// Published as @loopwind/sign or included in main SDK
+
+import crypto from 'crypto';
+
+export interface SignOptions {
+  expiresIn?: number;  // seconds (default: 3600)
 }
 
-function getNextMonthReset(): string {
-  const now = new Date();
-  return new Date(now.getFullYear(), now.getMonth() + 1, 1).toISOString();
+export function signRenderUrl(
+  renderUrl: string,
+  signingKey: string,
+  options: SignOptions = {}
+): string {
+  const { expiresIn = 3600 } = options;
+
+  const url = new URL(renderUrl);
+  const exp = Math.floor(Date.now() / 1000) + expiresIn;
+
+  // Add expiration
+  url.searchParams.set('exp', String(exp));
+
+  // Sort params for consistent signing
+  url.searchParams.sort();
+
+  // Generate signature
+  const dataToSign = url.pathname + url.search;
+  const sig = crypto
+    .createHmac('sha256', signingKey)
+    .update(dataToSign)
+    .digest('hex');
+
+  url.searchParams.set('sig', sig);
+  return url.toString();
 }
 
-export default render;
+// Edge-compatible version (for Cloudflare Workers, Vercel Edge, etc.)
+export async function signRenderUrlEdge(
+  renderUrl: string,
+  signingKey: string,
+  options: SignOptions = {}
+): Promise<string> {
+  const { expiresIn = 3600 } = options;
+
+  const url = new URL(renderUrl);
+  const exp = Math.floor(Date.now() / 1000) + expiresIn;
+
+  url.searchParams.set('exp', String(exp));
+  url.searchParams.sort();
+
+  const dataToSign = url.pathname + url.search;
+
+  const encoder = new TextEncoder();
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(signingKey),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign']
+  );
+
+  const signature = await crypto.subtle.sign(
+    'HMAC',
+    key,
+    encoder.encode(dataToSign)
+  );
+
+  const sig = Array.from(new Uint8Array(signature))
+    .map(b => b.toString(16).padStart(2, '0'))
+    .join('');
+
+  url.searchParams.set('sig', sig);
+  return url.toString();
+}
 ```
 
-### 4.2 Render Job Durable Object
+### 4.4 Render Job Durable Object
 
 ```typescript
 // src/durable-objects/RenderJobOrchestrator.ts
@@ -1948,79 +2530,104 @@ app.listen(PORT, () => {
 import { Hono } from 'hono';
 import { z } from 'zod';
 import type { Env } from '../types/env';
-import { authMiddleware, requireRole } from '../middleware/auth';
+import { authMiddleware, requireOrgAccess } from '../middleware/auth';
 import { generateId, generateInviteToken } from '../lib/id';
 
 const orgs = new Hono<{ Bindings: Env }>();
 
 orgs.use('*', authMiddleware);
 
-// GET /organizations/current - Get current org
-orgs.get('/current', async (c) => {
+// GET /organizations - List user's organizations
+orgs.get('/', async (c) => {
   const user = c.get('user');
 
+  const { results } = await c.env.DB.prepare(`
+    SELECT t.*, tm.role,
+           (SELECT COUNT(*) FROM org_members WHERE org_id = t.id) as member_count,
+           (SELECT COUNT(*) FROM templates WHERE org_id = t.id) as template_count
+    FROM organizations o
+    JOIN org_members tm ON t.id = tm.org_id
+    WHERE tm.user_id = ?
+  `).bind(user.sub).all();
+
+  return c.json({ organizations: results });
+});
+
+// GET /organizations/:orgId - Get organization details
+orgs.get('/:orgId', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
+
   const org = await c.env.DB.prepare(`
-    SELECT o.*,
-           (SELECT COUNT(*) FROM users WHERE org_id = o.id) as member_count,
-           (SELECT COUNT(*) FROM templates WHERE org_id = o.id) as template_count
+    SELECT t.*,
+           (SELECT COUNT(*) FROM org_members WHERE org_id = t.id) as member_count,
+           (SELECT COUNT(*) FROM templates WHERE org_id = t.id) as template_count
     FROM organizations o
-    WHERE o.id = ?
-  `).bind(user.org).first();
+    WHERE t.id = ?
+  `).bind(orgId).first();
 
   return c.json(org);
 });
 
-// PUT /organizations/current - Update org
-orgs.put('/current', requireRole('owner', 'admin'), async (c) => {
-  const user = c.get('user');
+// PUT /organizations/:orgId - Update organization
+orgs.put('/:orgId', requireOrgAccess('admin'), async (c) => {
+  const orgId = c.get('orgId')!;
   const { name } = await c.req.json();
 
   if (name) {
     await c.env.DB.prepare(
       'UPDATE organizations SET name = ?, updated_at = datetime("now") WHERE id = ?'
-    ).bind(name, user.org).run();
+    ).bind(name, orgId).run();
   }
 
   return c.json({ success: true });
 });
 
-// GET /organizations/current/members - List members
-orgs.get('/current/members', async (c) => {
-  const user = c.get('user');
+// GET /organizations/:orgId/members - List members
+orgs.get('/:orgId/members', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
 
-  const members = await c.env.DB.prepare(`
-    SELECT id, email, username, name, role, last_login_at, created_at
-    FROM users WHERE org_id = ?
-  `).bind(user.org).all();
+  const { results } = await c.env.DB.prepare(`
+    SELECT u.id, u.email, u.name, u.avatar_url, u.github_username, tm.role, tm.created_at
+    FROM users u
+    JOIN org_members tm ON u.id = tm.user_id
+    WHERE tm.org_id = ?
+  `).bind(orgId).all();
 
-  return c.json({ members: members.results });
+  return c.json({ members: results });
 });
 
-// POST /organizations/current/invitations - Invite user
-orgs.post('/current/invitations', requireRole('owner', 'admin'), async (c) => {
+// POST /organizations/:orgId/invitations - Invite user
+orgs.post('/:orgId/invitations', requireOrgAccess('admin'), async (c) => {
   const user = c.get('user');
+  const orgId = c.get('orgId')!;
   const { email, role = 'member' } = await c.req.json();
 
   // Check member limit
   const org = await c.env.DB.prepare(
     'SELECT members_limit FROM organizations WHERE id = ?'
-  ).bind(user.org).first<any>();
+  ).bind(orgId).first<any>();
 
   const memberCount = await c.env.DB.prepare(
-    'SELECT COUNT(*) as count FROM users WHERE org_id = ?'
-  ).bind(user.org).first<{ count: number }>();
+    'SELECT COUNT(*) as count FROM org_members WHERE org_id = ?'
+  ).bind(orgId).first<{ count: number }>();
 
   if (memberCount!.count >= org.members_limit) {
     return c.json({ error: 'Member limit reached' }, 403);
   }
 
-  // Check if user already exists in org
-  const existing = await c.env.DB.prepare(
-    'SELECT id FROM users WHERE email = ? AND org_id = ?'
-  ).bind(email, user.org).first();
+  // Check if user already in organization
+  const existingUser = await c.env.DB.prepare(
+    'SELECT id FROM users WHERE email = ?'
+  ).bind(email).first<{ id: string }>();
+
+  if (existingUser) {
+    const existingMember = await c.env.DB.prepare(
+      'SELECT 1 FROM org_members WHERE org_id = ? AND user_id = ?'
+    ).bind(orgId, existingUser.id).first();
 
-  if (existing) {
-    return c.json({ error: 'User already in organization' }, 409);
+    if (existingMember) {
+      return c.json({ error: 'User already in organization' }, 409);
+    }
   }
 
   // Create invitation
@@ -2031,7 +2638,7 @@ orgs.post('/current/invitations', requireRole('owner', 'admin'), async (c) => {
   await c.env.DB.prepare(`
     INSERT INTO invitations (id, org_id, invited_by, email, role, token, expires_at)
     VALUES (?, ?, ?, ?, ?, ?, ?)
-  `).bind(inviteId, user.org, user.sub, email, role, token, expiresAt).run();
+  `).bind(inviteId, orgId, user.sub, email, role, token, expiresAt).run();
 
   // TODO: Send invitation email
 
@@ -2039,14 +2646,15 @@ orgs.post('/current/invitations', requireRole('owner', 'admin'), async (c) => {
     id: inviteId,
     email,
     role,
-    inviteUrl: `https://loopwind.dev/invite/${token}`,
+    inviteUrl: `https://app.loopwind.dev/invite/${token}`,
     expiresAt,
   }, 201);
 });
 
-// DELETE /organizations/current/members/:userId - Remove member
-orgs.delete('/current/members/:userId', requireRole('owner', 'admin'), async (c) => {
+// DELETE /organizations/:orgId/members/:userId - Remove member
+orgs.delete('/:orgId/members/:userId', requireOrgAccess('admin'), async (c) => {
   const user = c.get('user');
+  const orgId = c.get('orgId')!;
   const userId = c.req.param('userId');
 
   // Can't remove yourself
@@ -2055,19 +2663,21 @@ orgs.delete('/current/members/:userId', requireRole('owner', 'admin'), async (c)
   }
 
   // Can't remove owner
-  const targetUser = await c.env.DB.prepare(
-    'SELECT role FROM users WHERE id = ? AND org_id = ?'
-  ).bind(userId, user.org).first<{ role: string }>();
+  const targetMember = await c.env.DB.prepare(
+    'SELECT role FROM org_members WHERE org_id = ? AND user_id = ?'
+  ).bind(orgId, userId).first<{ role: string }>();
 
-  if (!targetUser) {
-    return c.json({ error: 'User not found' }, 404);
+  if (!targetMember) {
+    return c.json({ error: 'User not found in organization' }, 404);
   }
 
-  if (targetUser.role === 'owner') {
+  if (targetMember.role === 'owner') {
     return c.json({ error: 'Cannot remove owner' }, 403);
   }
 
-  await c.env.DB.prepare('DELETE FROM users WHERE id = ?').bind(userId).run();
+  await c.env.DB.prepare(
+    'DELETE FROM org_members WHERE org_id = ? AND user_id = ?'
+  ).bind(orgId, userId).run();
 
   return c.json({ success: true });
 });
@@ -2082,7 +2692,7 @@ export default orgs;
 import { Hono } from 'hono';
 import { z } from 'zod';
 import type { Env } from '../types/env';
-import { authMiddleware } from '../middleware/auth';
+import { authMiddleware, requireOrgAccess } from '../middleware/auth';
 import { generateId, generateApiKey } from '../lib/id';
 import { hashPassword } from '../lib/password';
 
@@ -2096,26 +2706,27 @@ const createKeySchema = z.object({
   expiresIn: z.number().optional(), // Days until expiration
 });
 
-// GET /keys - List API keys
-keys.get('/', async (c) => {
-  const user = c.get('user');
+// GET /organizations/:orgId/keys - List API keys for organization
+keys.get('/:orgId', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
 
-  const apiKeys = await c.env.DB.prepare(`
+  const { results } = await c.env.DB.prepare(`
     SELECT id, name, key_prefix, scopes, last_used_at, expires_at, created_at
     FROM api_keys WHERE org_id = ?
-  `).bind(user.org).all();
+  `).bind(orgId).all();
 
   return c.json({
-    keys: apiKeys.results.map((k: any) => ({
+    keys: results.map((k: any) => ({
       ...k,
       scopes: JSON.parse(k.scopes),
     })),
   });
 });
 
-// POST /keys - Create API key
-keys.post('/', async (c) => {
+// POST /organizations/:orgId/keys - Create API key for organization
+keys.post('/:orgId', requireOrgAccess('admin'), async (c) => {
   const user = c.get('user');
+  const orgId = c.get('orgId')!;
   const body = await c.req.json();
 
   const parsed = createKeySchema.safeParse(body);
@@ -2136,7 +2747,7 @@ keys.post('/', async (c) => {
   await c.env.DB.prepare(`
     INSERT INTO api_keys (id, org_id, user_id, name, key_hash, key_prefix, scopes, expires_at)
     VALUES (?, ?, ?, ?, ?, ?, ?, ?)
-  `).bind(keyId, user.org, user.sub, name, keyHash, prefix, JSON.stringify(scopes), expiresAt).run();
+  `).bind(keyId, orgId, user.sub, name, keyHash, prefix, JSON.stringify(scopes), expiresAt).run();
 
   return c.json({
     id: keyId,
@@ -2149,14 +2760,14 @@ keys.post('/', async (c) => {
   }, 201);
 });
 
-// DELETE /keys/:id - Revoke API key
-keys.delete('/:id', async (c) => {
-  const user = c.get('user');
+// DELETE /organizations/:orgId/keys/:id - Revoke API key
+keys.delete('/:orgId/keys/:id', requireOrgAccess('admin'), async (c) => {
+  const orgId = c.get('orgId')!;
   const keyId = c.req.param('id');
 
   const result = await c.env.DB.prepare(
     'DELETE FROM api_keys WHERE id = ? AND org_id = ?'
-  ).bind(keyId, user.org).run();
+  ).bind(keyId, orgId).run();
 
   if (result.meta.changes === 0) {
     return c.json({ error: 'API key not found' }, 404);
@@ -2188,14 +2799,14 @@ import render from './routes/render';
 import keys from './routes/keys';
 
 import { rateLimitMiddleware } from './middleware/rateLimit';
-import { RenderJobOrchestrator } from './durable-objects/RenderJobOrchestrator';
+import { OrgDurableObject } from './durable-objects/OrgDurableObject';
 
 const app = new Hono<{ Bindings: Env }>();
 
 // Global middleware
 app.use('*', logger());
 app.use('*', cors({
-  origin: ['https://loopwind.dev', 'http://localhost:3000'],
+  origin: ['https://loopwind.dev', 'https://app.loopwind.dev', 'http://localhost:3000', 'http://localhost:4321'],
   credentials: true,
 }));
 
@@ -2205,36 +2816,242 @@ app.get('/health', (c) => c.json({ status: 'ok' }));
 // Public routes
 app.route('/auth', auth);
 
+// Public render API (no auth required - uses render tokens)
+app.route('/r', render);
+
 // Protected routes with rate limiting
 app.use('/organizations/*', rateLimitMiddleware);
-app.use('/templates/*', rateLimitMiddleware);
-app.use('/render/*', rateLimitMiddleware);
-app.use('/keys/*', rateLimitMiddleware);
 
 app.route('/organizations', organizations);
-app.route('/templates', templates);
-app.route('/render', render);
-app.route('/keys', keys);
+app.route('/organizations', templates);  // /organizations/:orgId/templates/...
+app.route('/organizations', keys);       // /organizations/:orgId/keys/...
+
+// Custom domain support - proxy requests from og.mysite.com
+app.get('*', async (c) => {
+  const host = c.req.header('host');
+
+  // Check if this is a custom domain request
+  if (host && !host.includes('loopwind.dev') && !host.includes('localhost')) {
+    const customDomain = await c.env.DB.prepare(
+      'SELECT org_id FROM custom_domains WHERE domain = ? AND verified_at IS NOT NULL'
+    ).bind(host).first<{ org_id: string }>();
+
+    if (customDomain) {
+      // Get default render token for this organization
+      const token = await c.env.DB.prepare(
+        'SELECT token FROM render_tokens WHERE org_id = ? AND revoked_at IS NULL LIMIT 1'
+      ).bind(customDomain.org_id).first<{ token: string }>();
+
+      if (token) {
+        // Forward to render handler
+        const url = new URL(c.req.url);
+        url.pathname = `/r/${token.token}`;
+        return c.redirect(url.toString(), 307);
+      }
+    }
+  }
 
-// Internal routes (for container callbacks)
-app.post('/internal/jobs/:jobId/progress', async (c) => {
-  const jobId = c.req.param('jobId');
-  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
-  return jobDO.fetch('http://internal/progress', {
-    method: 'POST',
-    body: JSON.stringify(await c.req.json()),
-  });
+  return c.json({ error: 'Not found' }, 404);
 });
 
-app.post('/internal/jobs/:jobId/complete', async (c) => {
-  const jobId = c.req.param('jobId');
-  const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
-  return jobDO.fetch('http://internal/complete', {
-    method: 'POST',
-    body: JSON.stringify(await c.req.json()),
-  });
+// Export Durable Object class
+export { OrgDurableObject };
+
+export default app;
+```
+
+### 7.2 Analytics Routes (Render/Hit Stats)
+
+```typescript
+// src/routes/analytics.ts
+import { Hono } from 'hono';
+import type { Env } from '../types/env';
+import { authMiddleware, requireOrgAccess } from '../middleware/auth';
+
+const analytics = new Hono<{ Bindings: Env }>();
+
+analytics.use('*', authMiddleware);
+
+// GET /organizations/:orgId/analytics - Get organization analytics overview
+analytics.get('/:orgId', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
+  const { period = '7d' } = c.req.query();
+
+  // Query Analytics Engine
+  const stats = await queryAnalytics(c.env, orgId, period);
+
+  return c.json(stats);
 });
 
+// GET /organizations/:orgId/analytics/templates/:templateId - Get template-specific analytics
+analytics.get('/:orgId/templates/:templateId', requireOrgAccess(), async (c) => {
+  const orgId = c.get('orgId')!;
+  const templateId = c.req.param('templateId');
+  const { period = '7d' } = c.req.query();
+
+  const stats = await queryTemplateAnalytics(c.env, orgId, templateId, period);
+
+  return c.json(stats);
+});
+
+async function queryAnalytics(env: Env, orgId: string, period: string) {
+  // Analytics Engine SQL API
+  const days = period === '30d' ? 30 : period === '7d' ? 7 : 1;
+  const since = new Date(Date.now() - days * 24 * 60 * 60 * 1000).toISOString();
+
+  // This would use the Analytics Engine SQL API
+  // For now, return mock structure
+  return {
+    period,
+    totalRenders: 0,
+    totalHits: 0,
+    uniqueTemplates: 0,
+    byTemplate: [],
+    byDay: [],
+    hitRatio: 0, // hits / (renders + hits)
+  };
+}
+
+async function queryTemplateAnalytics(env: Env, orgId: string, templateId: string, period: string) {
+  return {
+    templateId,
+    period,
+    renders: 0,
+    hits: 0,
+    byFormat: {},
+    byDay: [],
+  };
+}
+
+export default analytics;
+```
+
+### 7.3 Organization Durable Object (Template Storage)
+
+```typescript
+// src/durable-objects/OrgDurableObject.ts
+import { DurableObject } from 'cloudflare:workers';
+import type { Env } from '../types/env';
+
+export class OrgDurableObject extends DurableObject {
+  private sql: SqlStorage;
+
+  constructor(ctx: DurableObjectState, env: Env) {
+    super(ctx, env);
+    this.sql = ctx.storage.sql;
+
+    // Initialize SQLite schema
+    this.sql.exec(`
+      CREATE TABLE IF NOT EXISTS templates (
+        id TEXT PRIMARY KEY,
+        name TEXT NOT NULL,
+        type TEXT NOT NULL,
+        current_version TEXT
+      );
+
+      CREATE TABLE IF NOT EXISTS template_versions (
+        id TEXT PRIMARY KEY,
+        template_id TEXT NOT NULL,
+        version TEXT NOT NULL,
+        meta TEXT NOT NULL,
+        UNIQUE(template_id, version)
+      );
+
+      CREATE TABLE IF NOT EXISTS template_files (
+        id TEXT PRIMARY KEY,
+        version_id TEXT NOT NULL,
+        path TEXT NOT NULL,
+        content TEXT NOT NULL,
+        checksum TEXT NOT NULL
+      );
+    `);
+  }
+
+  async fetch(request: Request): Promise<Response> {
+    const url = new URL(request.url);
+    const path = url.pathname;
+
+    // GET /template/:id/:version - Get template code and meta
+    const templateMatch = path.match(/^\/template\/([^/]+)\/([^/]+)$/);
+    if (templateMatch && request.method === 'GET') {
+      const [, templateId, version] = templateMatch;
+      return this.getTemplate(templateId, version);
+    }
+
+    // POST /template - Store template version
+    if (path === '/template' && request.method === 'POST') {
+      const data = await request.json();
+      return this.storeTemplate(data);
+    }
+
+    return new Response('Not found', { status: 404 });
+  }
+
+  private async getTemplate(templateId: string, version: string): Promise<Response> {
+    // Get version
+    const versionRow = this.sql.exec(`
+      SELECT * FROM template_versions
+      WHERE template_id = ? AND version = ?
+    `, templateId, version).one();
+
+    if (!versionRow) {
+      return new Response('Not found', { status: 404 });
+    }
+
+    // Get files
+    const files = this.sql.exec(`
+      SELECT path, content FROM template_files
+      WHERE version_id = ?
+    `, versionRow.id).toArray();
+
+    const code = files.find(f => f.path === 'template.tsx')?.content || '';
+    const assets: Record<string, string> = {};
+    for (const file of files) {
+      if (file.path !== 'template.tsx') {
+        assets[file.path] = file.content;
+      }
+    }
+
+    return Response.json({
+      code,
+      meta: JSON.parse(versionRow.meta as string),
+      assets,
+    });
+  }
+
+  private async storeTemplate(data: any): Promise<Response> {
+    const { templateId, name, type, version, meta, files } = data;
+
+    // Upsert template
+    this.sql.exec(`
+      INSERT INTO templates (id, name, type, current_version)
+      VALUES (?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET current_version = excluded.current_version
+    `, templateId, name, type, version);
+
+    // Insert version
+    const versionId = `ver_${crypto.randomUUID().slice(0, 16)}`;
+    this.sql.exec(`
+      INSERT INTO template_versions (id, template_id, version, meta)
+      VALUES (?, ?, ?, ?)
+    `, versionId, templateId, version, JSON.stringify(meta));
+
+    // Insert files
+    for (const file of files) {
+      const fileId = `file_${crypto.randomUUID().slice(0, 16)}`;
+      this.sql.exec(`
+        INSERT INTO template_files (id, version_id, path, content, checksum)
+        VALUES (?, ?, ?, ?, ?)
+      `, fileId, versionId, file.path, file.content, file.checksum);
+    }
+
+    return Response.json({ success: true, versionId });
+  }
+}
+```
+
+```typescript
+// Old job callback routes removed - video rendering uses containers directly
 app.post('/internal/jobs/:jobId/fail', async (c) => {
   const jobId = c.req.param('jobId');
   const jobDO = c.env.RENDER_JOBS.get(c.env.RENDER_JOBS.idFromName(jobId));
@@ -2383,7 +3200,7 @@ website/
 │   │       ├── settings/
 │   │       │   ├── index.astro      # Account settings
 │   │       │   ├── api-keys.astro   # API key management
-│   │       │   └── team.astro       # Team/org management
+│   │       │   └── organization.astro  # Organization management
 │   │       └── billing.astro        # Billing/plan
 │   ├── components/
 │   │   └── app/                     # Dashboard components
@@ -2739,7 +3556,7 @@ PUBLIC_API_URL = "https://api.loopwind.dev"
 - [ ] Build templates list page
 - [ ] Build template detail page
 - [ ] Build renders history page
-- [ ] Build settings pages (account, API keys, team)
+- [ ] Build settings pages (account, API keys, organization)
 - [ ] Set up app.loopwind.dev domain
 
 ---