nobalmako 1.0.0

package/drizzle/meta/_journal.json

@@ -0,0 +1,13 @@
+{
+  "version": "7",
+  "dialect": "postgresql",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "7",
+      "when": 1769191495696,
+      "tag": "0000_pink_spiral",
+      "breakpoints": true
+    }
+  ]
+}

package/drizzle.config.ts

@@ -0,0 +1,10 @@
+import { defineConfig } from 'drizzle-kit'
+
+export default defineConfig({
+  schema: './src/lib/schema.ts',
+  out: './drizzle',
+  dialect: 'postgresql',
+  dbCredentials: {
+    url: process.env.DATABASE_URL!,
+  },
+})

package/eslint.config.mjs

@@ -0,0 +1,18 @@
+import { defineConfig, globalIgnores } from "eslint/config";
+import nextVitals from "eslint-config-next/core-web-vitals";
+import nextTs from "eslint-config-next/typescript";
+
+const eslintConfig = defineConfig([
+  ...nextVitals,
+  ...nextTs,
+  // Override default ignores of eslint-config-next.
+  globalIgnores([
+    // Default ignores of eslint-config-next:
+    ".next/**",
+    "out/**",
+    "build/**",
+    "next-env.d.ts",
+  ]),
+]);
+
+export default eslintConfig;

package/next.config.ts

@@ -0,0 +1,7 @@
+import type { NextConfig } from "next";
+
+const nextConfig: NextConfig = {
+  /* config options here */
+};
+
+export default nextConfig;

package/package.json

@@ -0,0 +1,80 @@
+{
+  "name": "nobalmako",
+  "version": "1.0.0",
+  "private": false,
+  "bin": {
+    "nobalmako": "./dist/nobalmako.js"
+  },
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "build:cli": "esbuild src/bin/nobalmako.ts --bundle --platform=node --outfile=dist/nobalmako.js --external:dotenv --external:commander --external:fs --external:path --external:os --external:enquirer",
+    "start": "next start",
+    "lint": "next lint",
+    "db:generate": "drizzle-kit generate",
+    "db:push": "drizzle-kit push",
+    "db:migrate": "drizzle-kit migrate",
+    "db:studio": "drizzle-kit studio",
+    "db:seed": "tsx src/lib/seed.ts",
+    "cli": "tsx src/bin/nobalmako.ts"
+  },
+  "dependencies": {
+    "@hookform/resolvers": "^5.2.2",
+    "@neondatabase/serverless": "^1.0.2",
+    "@radix-ui/react-alert-dialog": "^1.1.15",
+    "@radix-ui/react-avatar": "^1.1.11",
+    "@radix-ui/react-checkbox": "^1.3.3",
+    "@radix-ui/react-dialog": "^1.1.15",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-label": "^2.1.8",
+    "@radix-ui/react-popover": "^1.1.15",
+    "@radix-ui/react-progress": "^1.1.8",
+    "@radix-ui/react-select": "^2.2.6",
+    "@radix-ui/react-separator": "^1.1.8",
+    "@radix-ui/react-slot": "^1.2.4",
+    "@radix-ui/react-switch": "^1.2.6",
+    "@radix-ui/react-tabs": "^1.1.13",
+    "@radix-ui/react-toast": "^1.2.15",
+    "@radix-ui/react-tooltip": "^1.2.8",
+    "@tanstack/react-query": "^5.90.19",
+    "@types/jsonwebtoken": "^9.0.10",
+    "@types/qrcode": "^1.5.6",
+    "@types/speakeasy": "^2.0.10",
+    "bcryptjs": "^3.0.3",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "commander": "^14.0.3",
+    "date-fns": "^4.1.0",
+    "dotenv": "^17.2.3",
+    "drizzle-kit": "^0.31.8",
+    "drizzle-orm": "^0.45.1",
+    "enquirer": "^2.4.1",
+    "jsonwebtoken": "^9.0.3",
+    "lucide-react": "^0.562.0",
+    "next": "16.1.3",
+    "nodemailer": "^7.0.13",
+    "postgres": "^3.4.8",
+    "qrcode": "^1.5.4",
+    "react": "19.2.3",
+    "react-dom": "19.2.3",
+    "react-hook-form": "^7.71.1",
+    "sonner": "^2.0.7",
+    "speakeasy": "^2.0.0",
+    "tailwind-merge": "^3.4.0",
+    "zod": "^4.3.5"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4",
+    "@types/node": "^20",
+    "@types/nodemailer": "^7.0.9",
+    "@types/react": "^19",
+    "@types/react-dom": "^19",
+    "esbuild": "^0.27.2",
+    "eslint": "^9",
+    "eslint-config-next": "16.1.3",
+    "tailwindcss": "^4",
+    "tsx": "^4.21.0",
+    "tw-animate-css": "^1.4.0",
+    "typescript": "^5"
+  }
+}

package/postcss.config.mjs

@@ -0,0 +1,7 @@
+const config = {
+  plugins: {
+    "@tailwindcss/postcss": {},
+  },
+};
+
+export default config;

package/public/file.svg

@@ -0,0 +1 @@
+<svg fill="none" viewBox="0 0 16 16" xmlns="http://www.w3.org/2000/svg"><path d="M14.5 13.5V5.41a1 1 0 0 0-.3-.7L9.8.29A1 1 0 0 0 9.08 0H1.5v13.5A2.5 2.5 0 0 0 4 16h8a2.5 2.5 0 0 0 2.5-2.5m-1.5 0v-7H8v-5H3v12a1 1 0 0 0 1 1h8a1 1 0 0 0 1-1M9.5 5V2.12L12.38 5zM5.13 5h-.62v1.25h2.12V5zm-.62 3h7.12v1.25H4.5zm.62 3h-.62v1.25h7.12V11z" clip-rule="evenodd" fill="#666" fill-rule="evenodd"/></svg>

package/public/globe.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><g clip-path="url(#a)"><path fill-rule="evenodd" clip-rule="evenodd" d="M10.27 14.1a6.5 6.5 0 0 0 3.67-3.45q-1.24.21-2.7.34-.31 1.83-.97 3.1M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16m.48-1.52a7 7 0 0 1-.96 0H7.5a4 4 0 0 1-.84-1.32q-.38-.89-.63-2.08a40 40 0 0 0 3.92 0q-.25 1.2-.63 2.08a4 4 0 0 1-.84 1.31zm2.94-4.76q1.66-.15 2.95-.43a7 7 0 0 0 0-2.58q-1.3-.27-2.95-.43a18 18 0 0 1 0 3.44m-1.27-3.54a17 17 0 0 1 0 3.64 39 39 0 0 1-4.3 0 17 17 0 0 1 0-3.64 39 39 0 0 1 4.3 0m1.1-1.17q1.45.13 2.69.34a6.5 6.5 0 0 0-3.67-3.44q.65 1.26.98 3.1M8.48 1.5l.01.02q.41.37.84 1.31.38.89.63 2.08a40 40 0 0 0-3.92 0q.25-1.2.63-2.08a4 4 0 0 1 .85-1.32 7 7 0 0 1 .96 0m-2.75.4a6.5 6.5 0 0 0-3.67 3.44 29 29 0 0 1 2.7-.34q.31-1.83.97-3.1M4.58 6.28q-1.66.16-2.95.43a7 7 0 0 0 0 2.58q1.3.27 2.95.43a18 18 0 0 1 0-3.44m.17 4.71q-1.45-.12-2.69-.34a6.5 6.5 0 0 0 3.67 3.44q-.65-1.27-.98-3.1" fill="#666"/></g><defs><clipPath id="a"><path fill="#fff" d="M0 0h16v16H0z"/></clipPath></defs></svg>

package/public/next.svg

@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 394 80"><path fill="#000" d="M262 0h68.5v12.7h-27.2v66.6h-13.6V12.7H262V0ZM149 0v12.7H94v20.4h44.3v12.6H94v21h55v12.6H80.5V0h68.7zm34.3 0h-17.8l63.8 79.4h17.9l-32-39.7 32-39.6h-17.9l-23 28.6-23-28.6zm18.3 56.7-9-11-27.1 33.7h17.8l18.3-22.7z"/><path fill="#000" d="M81 79.3 17 0H0v79.3h13.6V17l50.2 62.3H81Zm252.6-.4c-1 0-1.8-.4-2.5-1s-1.1-1.6-1.1-2.6.3-1.8 1-2.5 1.6-1 2.6-1 1.8.3 2.5 1a3.4 3.4 0 0 1 .6 4.3 3.7 3.7 0 0 1-3 1.8zm23.2-33.5h6v23.3c0 2.1-.4 4-1.3 5.5a9.1 9.1 0 0 1-3.8 3.5c-1.6.8-3.5 1.3-5.7 1.3-2 0-3.7-.4-5.3-1s-2.8-1.8-3.7-3.2c-.9-1.3-1.4-3-1.4-5h6c.1.8.3 1.6.7 2.2s1 1.2 1.6 1.5c.7.4 1.5.5 2.4.5 1 0 1.8-.2 2.4-.6a4 4 0 0 0 1.6-1.8c.3-.8.5-1.8.5-3V45.5zm30.9 9.1a4.4 4.4 0 0 0-2-3.3 7.5 7.5 0 0 0-4.3-1.1c-1.3 0-2.4.2-3.3.5-.9.4-1.6 1-2 1.6a3.5 3.5 0 0 0-.3 4c.3.5.7.9 1.3 1.2l1.8 1 2 .5 3.2.8c1.3.3 2.5.7 3.7 1.2a13 13 0 0 1 3.2 1.8 8.1 8.1 0 0 1 3 6.5c0 2-.5 3.7-1.5 5.1a10 10 0 0 1-4.4 3.5c-1.8.8-4.1 1.2-6.8 1.2-2.6 0-4.9-.4-6.8-1.2-2-.8-3.4-2-4.5-3.5a10 10 0 0 1-1.7-5.6h6a5 5 0 0 0 3.5 4.6c1 .4 2.2.6 3.4.6 1.3 0 2.5-.2 3.5-.6 1-.4 1.8-1 2.4-1.7a4 4 0 0 0 .8-2.4c0-.9-.2-1.6-.7-2.2a11 11 0 0 0-2.1-1.4l-3.2-1-3.8-1c-2.8-.7-5-1.7-6.6-3.2a7.2 7.2 0 0 1-2.4-5.7 8 8 0 0 1 1.7-5 10 10 0 0 1 4.3-3.5c2-.8 4-1.2 6.4-1.2 2.3 0 4.4.4 6.2 1.2 1.8.8 3.2 2 4.3 3.4 1 1.4 1.5 3 1.5 5h-5.8z"/></svg>

package/public/vercel.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1155 1000"><path d="m577.3 0 577.4 1000H0z" fill="#fff"/></svg>

package/public/window.svg

@@ -0,0 +1 @@
+<svg fill="none" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16"><path fill-rule="evenodd" clip-rule="evenodd" d="M1.5 2.5h13v10a1 1 0 0 1-1 1h-11a1 1 0 0 1-1-1zM0 1h16v11.5a2.5 2.5 0 0 1-2.5 2.5h-11A2.5 2.5 0 0 1 0 12.5zm3.75 4.5a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5M7 4.75a.75.75 0 1 1-1.5 0 .75.75 0 0 1 1.5 0m1.75.75a.75.75 0 1 0 0-1.5.75.75 0 0 0 0 1.5" fill="#666"/></svg>

package/server/index.ts

@@ -0,0 +1,118 @@
+import express, { type Request, Response, NextFunction } from "express";
+import { registerRoutes } from "./routes";
+import { serveStatic } from "./static";
+import { createServer } from "http";
+import path from "path";
+import { fileURLToPath } from "url";
+import mime from "mime-types";
+import { createServer as createViteServer } from "vite";
+import { config } from "dotenv";
+
+config(); // Load environment variables from .env file
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+
+const app = express();
+const httpServer = createServer(app);
+
+declare module "http" {
+  interface IncomingMessage {
+    rawBody: unknown;
+  }
+}
+
+app.use(
+  express.json({
+    verify: (req, _res, buf) => {
+      req.rawBody = buf;
+    },
+  }),
+);
+
+app.use(express.urlencoded({ extended: false }));
+
+export function log(message: string, source = "express") {
+  const formattedTime = new Date().toLocaleTimeString("en-US", {
+    hour: "numeric",
+    minute: "2-digit",
+    second: "2-digit",
+    hour12: true,
+  });
+
+  console.log(`${formattedTime} [${source}] ${message}`);
+}
+
+app.use((req, res, next) => {
+  const start = Date.now();
+  const path = req.path;
+  let capturedJsonResponse: Record<string, any> | undefined = undefined;
+
+  const originalResJson = res.json;
+  res.json = function (bodyJson, ...args) {
+    capturedJsonResponse = bodyJson;
+    return originalResJson.apply(res, [bodyJson, ...args]);
+  };
+
+  res.on("finish", () => {
+    const duration = Date.now() - start;
+    if (path.startsWith("/api")) {
+      let logLine = `${req.method} ${path} ${res.statusCode} in ${duration}ms`;
+      if (capturedJsonResponse) {
+        logLine += ` :: ${JSON.stringify(capturedJsonResponse)}`;
+      }
+
+      log(logLine);
+    }
+  });
+
+  next();
+});
+
+(async () => {
+  await registerRoutes(httpServer, app);
+
+  app.use((err: any, _req: Request, res: Response, next: NextFunction) => {
+    const status = err.status || err.statusCode || 500;
+    const message = err.message || "Internal Server Error";
+
+    console.error("Internal Server Error:", err);
+
+    if (res.headersSent) {
+      return next(err);
+    }
+
+    return res.status(status).json({ message });
+  });
+
+  // importantly only setup vite in development and after
+  // setting up all the other routes so the catch-all route
+  // doesn't interfere with the other routes
+  if (process.env.NODE_ENV === "production") {
+    serveStatic(app);
+  } else {
+    // Create Vite server in middleware mode for development
+    const vite = await createViteServer({
+      server: { middlewareMode: true },
+      appType: 'spa'
+    });
+    
+    // Use vite's connect instance as middleware
+    app.use(vite.middlewares);
+  }
+
+  // ALWAYS serve the app on the port specified in the environment variable PORT
+  // Other ports are firewalled. Default to 5000 if not specified.
+  // this serves both the API and the client.
+  // It is the only port that is not firewalled.
+  const port = parseInt(process.env.PORT || "5000", 10);
+  httpServer.listen(
+    {
+      port,
+      host: "0.0.0.0",
+      reusePort: true,
+    },
+    () => {
+      log(`serving on port ${port}`);
+    },
+  );
+})();

package/src/app/api/api-keys/[id]/route.ts

@@ -0,0 +1,147 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { eq, and } from 'drizzle-orm'
+import { db } from '@/lib/db'
+import { apiKeys, teamMembers } from '@/lib/schema'
+import { createAuditLog } from '@/lib/audit'
+import { z } from 'zod'
+import { getUserFromToken } from '@/lib/auth'
+
+const updateApiKeySchema = z.object({
+  name: z.string().min(1).max(100).optional(),
+  permissions: z.array(z.string()).optional(),
+  expiresAt: z.string().optional(),
+})
+
+// PUT /api/api-keys/[id] - Update an API key
+export async function PUT(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const user = await getUserFromToken()
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = user.id
+    const { id: apiKeyId } = await params
+    const body = await request.json()
+
+    const validation = updateApiKeySchema.safeParse(body)
+    if (!validation.success) {
+      return NextResponse.json({ error: 'Invalid input', details: validation.error.issues }, { status: 400 })
+    }
+
+    const updates = validation.data
+
+    // Find the API key and verify ownership
+    const apiKey = await db
+      .select()
+      .from(apiKeys)
+      .where(eq(apiKeys.id, apiKeyId))
+      .limit(1)
+
+    if (apiKey.length === 0) {
+      return NextResponse.json({ error: 'API key not found' }, { status: 404 })
+    }
+
+    const key = apiKey[0]
+
+    // Check if user owns this key or is a member of the team that owns it
+    let hasAccess = key.userId === userId
+
+    if (!hasAccess && key.teamId) {
+      const teamMember = await db
+        .select()
+        .from(teamMembers)
+        .where(and(eq(teamMembers.teamId, key.teamId), eq(teamMembers.userId, userId)))
+        .limit(1)
+      hasAccess = teamMember.length > 0
+    }
+
+    if (!hasAccess) {
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    // Update the API key
+    const [updatedKey] = await db
+      .update(apiKeys)
+      .set({
+        ...updates,
+        expiresAt: updates.expiresAt ? new Date(updates.expiresAt) : null,
+      })
+      .where(eq(apiKeys.id, apiKeyId))
+      .returning()
+
+    // Log audit event
+    await createAuditLog({
+      userId,
+      action: 'update',
+      resourceType: 'team', // API keys belong to teams
+      resourceId: key.teamId || userId, // Use team ID or user ID as resource ID
+      oldValue: { name: key.name, permissions: key.permissions },
+      newValue: updates,
+    })
+
+    return NextResponse.json({ apiKey: updatedKey })
+  } catch (error) {
+    console.error('Error updating API key:', error)
+    return NextResponse.json({ error: 'Failed to update API key' }, { status: 500 })
+  }
+}
+
+// DELETE /api/api-keys/[id] - Delete an API key
+export async function DELETE(request: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  try {
+    const user = await getUserFromToken()
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = user.id
+    const { id: apiKeyId } = await params
+
+    // Find the API key and verify ownership
+    const apiKey = await db
+      .select()
+      .from(apiKeys)
+      .where(eq(apiKeys.id, apiKeyId))
+      .limit(1)
+
+    if (apiKey.length === 0) {
+      return NextResponse.json({ error: 'API key not found' }, { status: 404 })
+    }
+
+    const key = apiKey[0]
+
+    // Check if user owns this key or is a member of the team that owns it
+    let hasAccess = key.userId === userId
+
+    if (!hasAccess && key.teamId) {
+      const teamMember = await db
+        .select()
+        .from(teamMembers)
+        .where(and(eq(teamMembers.teamId, key.teamId), eq(teamMembers.userId, userId)))
+        .limit(1)
+      hasAccess = teamMember.length > 0
+    }
+
+    if (!hasAccess) {
+      return NextResponse.json({ error: 'Access denied' }, { status: 403 })
+    }
+
+    // Delete the API key
+    await db.delete(apiKeys).where(eq(apiKeys.id, apiKeyId))
+
+    // Log audit event
+    await createAuditLog({
+      userId,
+      action: 'delete',
+      resourceType: 'team', // API keys belong to teams
+      resourceId: key.teamId || userId, // Use team ID or user ID as resource ID
+      oldValue: { name: key.name, permissions: key.permissions },
+    })
+
+    return NextResponse.json({ success: true })
+  } catch (error) {
+    console.error('Error deleting API key:', error)
+    return NextResponse.json({ error: 'Failed to delete API key' }, { status: 500 })
+  }
+}

package/src/app/api/api-keys/route.ts

@@ -0,0 +1,151 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { eq, and, desc } from 'drizzle-orm'
+import { db } from '@/lib/db'
+import { apiKeys, teams, teamMembers } from '@/lib/schema'
+import { createAuditLog } from '@/lib/audit'
+import { z } from 'zod'
+import bcrypt from 'bcryptjs'
+import crypto from 'crypto'
+import { getUserFromToken } from '@/lib/auth'
+
+// Validation schemas
+const createApiKeySchema = z.object({
+  name: z.string().min(1).max(100),
+  teamId: z.string().optional(),
+  permissions: z.array(z.string()).default(['read']),
+  expiresAt: z.string().optional(),
+})
+
+// Generate a secure API key
+function generateApiKey(): string {
+  return 'nm_' + crypto.randomBytes(32).toString('hex')
+}
+
+// Hash the API key for storage
+async function hashApiKey(key: string): Promise<string> {
+  return await bcrypt.hash(key, 12)
+}
+
+// GET /api/api-keys - Get all API keys for the user
+export async function GET() {
+  try {
+    const user = await getUserFromToken()
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = user.id
+
+    // Get user's API keys
+    const userApiKeys = await db
+      .select({
+        id: apiKeys.id,
+        name: apiKeys.name,
+        permissions: apiKeys.permissions,
+        lastUsed: apiKeys.lastUsed,
+        createdAt: apiKeys.createdAt,
+        expiresAt: apiKeys.expiresAt,
+        teamId: apiKeys.teamId,
+        teamName: teams.name,
+      })
+      .from(apiKeys)
+      .leftJoin(teams, eq(apiKeys.teamId, teams.id))
+      .where(eq(apiKeys.userId, userId))
+      .orderBy(desc(apiKeys.createdAt))
+
+    // Get API keys for teams where user is a member
+    const teamApiKeys = await db
+      .select({
+        id: apiKeys.id,
+        name: apiKeys.name,
+        permissions: apiKeys.permissions,
+        lastUsed: apiKeys.lastUsed,
+        createdAt: apiKeys.createdAt,
+        expiresAt: apiKeys.expiresAt,
+        teamId: apiKeys.teamId,
+        teamName: teams.name,
+      })
+      .from(apiKeys)
+      .innerJoin(teams, eq(apiKeys.teamId, teams.id))
+      .innerJoin(teamMembers, eq(teams.id, teamMembers.teamId))
+      .where(eq(teamMembers.userId, userId))
+      .orderBy(desc(apiKeys.createdAt))
+
+    const allApiKeys = [...userApiKeys, ...teamApiKeys]
+
+    return NextResponse.json({ apiKeys: allApiKeys })
+  } catch (error) {
+    console.error('Error fetching API keys:', error)
+    return NextResponse.json({ error: 'Failed to fetch API keys' }, { status: 500 })
+  }
+}
+
+// POST /api/api-keys - Create a new API key
+export async function POST(request: NextRequest) {
+  try {
+    const user = await getUserFromToken()
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const userId = user.id
+    const body = await request.json()
+
+    const validation = createApiKeySchema.safeParse(body)
+    if (!validation.success) {
+      return NextResponse.json({ error: 'Invalid input', details: validation.error.issues }, { status: 400 })
+    }
+
+    const { name, teamId, permissions, expiresAt } = validation.data
+
+    // If teamId is provided, verify user is a member of the team
+    if (teamId) {
+      const teamMember = await db
+        .select()
+        .from(teamMembers)
+        .where(and(eq(teamMembers.teamId, teamId), eq(teamMembers.userId, userId)))
+        .limit(1)
+
+      if (teamMember.length === 0) {
+        return NextResponse.json({ error: 'You are not a member of this team' }, { status: 403 })
+      }
+    }
+
+    // Generate and hash the API key
+    const apiKey = generateApiKey()
+    const keyHash = await hashApiKey(apiKey)
+
+    // Create the API key record
+    const [newApiKey] = await db
+      .insert(apiKeys)
+      .values({
+        userId,
+        teamId: teamId || null,
+        name,
+        keyHash,
+        permissions,
+        expiresAt: expiresAt ? new Date(expiresAt) : null,
+      })
+      .returning()
+
+    // Log audit event
+    await createAuditLog({
+      userId,
+      action: 'create',
+      resourceType: 'team', // API keys belong to teams
+      resourceId: teamId || userId, // Use team ID or user ID as resource ID
+      newValue: { name, permissions, teamId },
+    })
+
+    // Return the API key (this is the only time it will be shown)
+    return NextResponse.json({
+      apiKey: {
+        ...newApiKey,
+        key: apiKey, // Include the plain key for the user to copy
+      },
+    })
+  } catch (error) {
+    console.error('Error creating API key:', error)
+    return NextResponse.json({ error: 'Failed to create API key' }, { status: 500 })
+  }
+}

package/src/app/api/audit-logs/route.ts

@@ -0,0 +1,84 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { eq, and, desc, or, inArray } from 'drizzle-orm'
+import { db } from '@/lib/db'
+import { auditLogs, users, teams, teamMembers } from '@/lib/schema'
+import { getUserFromToken } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  try {
+    const user = await getUserFromToken()
+    if (!user) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+    }
+
+    const { searchParams } = new URL(request.url)
+    const teamId = searchParams.get('teamId')
+
+    let query = db
+      .select({
+        id: auditLogs.id,
+        action: auditLogs.action,
+        resourceType: auditLogs.resourceType,
+        resourceId: auditLogs.resourceId,
+        oldValue: auditLogs.oldValue,
+        newValue: auditLogs.newValue,
+        ipAddress: auditLogs.ipAddress,
+        userAgent: auditLogs.userAgent,
+        createdAt: auditLogs.createdAt,
+        userId: auditLogs.userId,
+        userName: users.name,
+        userEmail: users.email,
+        teamId: auditLogs.teamId,
+        teamName: teams.name,
+      })
+      .from(auditLogs)
+      .leftJoin(users, eq(auditLogs.userId, users.id))
+      .leftJoin(teams, eq(auditLogs.teamId, teams.id))
+
+    if (teamId) {
+      // Check if user is member of the team
+      const membership = await db
+        .select()
+        .from(teamMembers)
+        .where(
+          and(
+            eq(teamMembers.teamId, teamId),
+            eq(teamMembers.userId, user.id)
+          )
+        )
+        .limit(1)
+
+      if (membership.length === 0) {
+        return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+      }
+
+      query = query.where(eq(auditLogs.teamId, teamId)) as any
+    } else {
+      // Get teams where user is member
+      const userTeams = await db
+        .select({ id: teamMembers.teamId })
+        .from(teamMembers)
+        .where(eq(teamMembers.userId, user.id))
+      
+      const teamIds = userTeams.map(t => t.id)
+
+      if (teamIds.length > 0) {
+        query = query.where(
+          or(
+            eq(auditLogs.userId, user.id),
+            inArray(auditLogs.teamId, teamIds)
+          )
+        ) as any
+      } else {
+        query = query.where(eq(auditLogs.userId, user.id)) as any
+      }
+    }
+
+    const logs = await (query as any).orderBy(desc(auditLogs.createdAt)).limit(100)
+
+    return NextResponse.json({ logs })
+  } catch (error) {
+    console.error('Error fetching audit logs:', error)
+    return NextResponse.json({ error: 'Failed to fetch audit logs' }, { status: 500 })
+  }
+}