showpane 0.4.1 → 0.4.3

package/bundle/scaffold/src/components/portal-shell.tsx

@@ -0,0 +1,373 @@
+"use client";
+
+import { type ReactNode, useCallback, useEffect, useRef, useState } from "react";
+import { Check, Copy, type LucideIcon } from "lucide-react";
+import { cn } from "@/lib/utils";
+import {
+  ANALYTICS_METADATA_KEYS,
+  type PortalEventMetadata,
+  type PortalEventType,
+} from "@/lib/portal-contracts";
+
+export type PortalTab = {
+  id: string;
+  label: string;
+  icon: LucideIcon;
+  badge?: "amber" | null;
+  content: ReactNode;
+};
+
+export type PortalContact = {
+  name: string;
+  title: string;
+  avatarSrc: string;
+  email: string;
+  phone?: string;
+  phoneDisplay?: string;
+  message?: string;
+};
+
+export type PortalShellProps = {
+  companyName: string;
+  companyLogo: ReactNode;
+  portalLabel?: string;
+
+  clientName: string;
+  clientLogoSrc: string;
+  clientLogoAlt: string;
+
+  tabs: PortalTab[];
+
+  contact: PortalContact;
+  lastUpdated: string;
+  hideFooterOnTab?: string;
+
+  shareEndpoint?: string;
+  eventsEndpoint?: string;
+};
+
+// ── Visitor ID (sp_visitor cookie, 30-day, first-party UUID) ─────────────────
+
+function getOrCreateVisitorId(): string {
+  if (typeof document === "undefined") return "";
+  const match = document.cookie.match(/(?:^|; )sp_visitor=([^;]+)/);
+  if (match) return match[1];
+  const id = crypto.randomUUID();
+  const expires = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toUTCString();
+  document.cookie = `sp_visitor=${id}; path=/; expires=${expires}; SameSite=Lax`;
+  return id;
+}
+
+// ── Event tracking ───────────────────────────────────────────────────────────
+
+function trackEvent(
+  eventsEndpoint: string,
+  event: PortalEventType,
+  detail?: string,
+  visitorId?: string,
+  metadata?: PortalEventMetadata
+) {
+  fetch(eventsEndpoint, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ event, detail, visitorId, metadata }),
+  }).catch(() => {});
+}
+
+function readHashTab(tabIds: string[]): string {
+  if (typeof window === "undefined") return tabIds[0] ?? "";
+  const hash = window.location.hash.replace("#", "");
+  return tabIds.includes(hash) ? hash : tabIds[0] ?? "";
+}
+
+// ── Section time tracking via Intersection Observer ──────────────────────────
+
+function useSectionTimeTracking(
+  activeTab: string,
+  eventsEndpoint: string,
+  visitorId: string
+) {
+  const sectionTimers = useRef<Map<string, number>>(new Map());
+  const observerRef = useRef<IntersectionObserver | null>(null);
+
+  const flushSectionTime = useCallback(
+    (sectionId: string) => {
+      const startTime = sectionTimers.current.get(sectionId);
+      if (!startTime) return;
+      const duration = Math.round((Date.now() - startTime) / 1000);
+      sectionTimers.current.delete(sectionId);
+      if (duration >= 2) {
+        trackEvent(eventsEndpoint, "section_time", sectionId, visitorId, {
+          [ANALYTICS_METADATA_KEYS.durationSeconds]: duration,
+        });
+      }
+    },
+    [eventsEndpoint, visitorId]
+  );
+
+  useEffect(() => {
+    if (typeof IntersectionObserver === "undefined") return;
+
+    // Flush all timers from previous tab
+    for (const sectionId of sectionTimers.current.keys()) {
+      flushSectionTime(sectionId);
+    }
+
+    observerRef.current?.disconnect();
+
+    const observer = new IntersectionObserver(
+      (entries) => {
+        for (const entry of entries) {
+          const sectionId = entry.target.getAttribute("data-section-id");
+          if (!sectionId) continue;
+
+          if (entry.isIntersecting) {
+            if (!sectionTimers.current.has(sectionId)) {
+              sectionTimers.current.set(sectionId, Date.now());
+              trackEvent(eventsEndpoint, "section_view", sectionId, visitorId);
+            }
+          } else {
+            flushSectionTime(sectionId);
+          }
+        }
+      },
+      { threshold: 0.3 }
+    );
+
+    observerRef.current = observer;
+
+    // Observe all elements with data-section-id within #main-content
+    const mainContent = document.getElementById("main-content");
+    if (mainContent) {
+      const sections = mainContent.querySelectorAll("[data-section-id]");
+      sections.forEach((el) => observer.observe(el));
+    }
+
+    return () => {
+      for (const sectionId of sectionTimers.current.keys()) {
+        flushSectionTime(sectionId);
+      }
+      observer.disconnect();
+    };
+  }, [activeTab, eventsEndpoint, visitorId, flushSectionTime]);
+}
+
+// ── PortalShell component ────────────────────────────────────────────────────
+
+export function PortalShell({
+  companyName,
+  companyLogo,
+  portalLabel,
+  clientName,
+  clientLogoSrc,
+  clientLogoAlt,
+  tabs,
+  contact,
+  lastUpdated,
+  hideFooterOnTab,
+  shareEndpoint,
+  eventsEndpoint,
+}: PortalShellProps) {
+  const resolvedShareEndpoint = shareEndpoint ?? "/api/client-auth/share";
+  const resolvedEventsEndpoint = eventsEndpoint ?? "/api/client-events";
+  const resolvedPortalLabel = portalLabel ?? "Client Portal";
+  const resolvedContactMessage = contact.message ?? "Reach out anytime";
+
+  const tabIds = tabs.map((tab) => tab.id);
+  const defaultTab = tabIds[0] ?? "";
+
+  const [activeTab, setActiveTab] = useState(defaultTab);
+  const [copied, setCopied] = useState(false);
+  const [copyError, setCopyError] = useState(false);
+  const [visitorId] = useState(() => getOrCreateVisitorId());
+
+  useEffect(() => {
+    const syncFromHash = () => setActiveTab(readHashTab(tabIds));
+    syncFromHash();
+    window.addEventListener("hashchange", syncFromHash);
+    return () => window.removeEventListener("hashchange", syncFromHash);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  useEffect(() => {
+    trackEvent(resolvedEventsEndpoint, "portal_view", undefined, visitorId);
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, []);
+
+  useEffect(() => {
+    if (!copied && !copyError) return;
+    const timeout = window.setTimeout(() => { setCopied(false); setCopyError(false); }, 2000);
+    return () => window.clearTimeout(timeout);
+  }, [copied, copyError]);
+
+  useSectionTimeTracking(activeTab, resolvedEventsEndpoint, visitorId);
+
+  function switchTab(tab: string) {
+    setActiveTab(tab);
+    window.history.replaceState(null, "", `#${tab}`);
+    window.scrollTo({ top: 0, behavior: "smooth" });
+    trackEvent(resolvedEventsEndpoint, "tab_switch", tab, visitorId);
+  }
+
+  async function handleShare() {
+    try {
+      const response = await fetch(resolvedShareEndpoint);
+      if (!response.ok) { setCopyError(true); return; }
+
+      const { shareUrl } = (await response.json()) as { shareUrl?: string };
+      if (!shareUrl) { setCopyError(true); return; }
+
+      await navigator.clipboard.writeText(
+        activeTab === defaultTab ? shareUrl : `${shareUrl}#${activeTab}`
+      );
+      setCopied(true);
+    } catch {
+      setCopyError(true);
+    }
+  }
+
+  const activeContent = tabs.find((t) => t.id === activeTab)?.content ?? null;
+  const showFooter = hideFooterOnTab ? activeTab !== hideFooterOnTab : true;
+
+  return (
+    <div className="flex min-h-screen flex-col bg-gray-50">
+      <div className="sticky top-0 z-30 border-b border-gray-200 bg-white/95 backdrop-blur">
+        <header className="border-b bg-white/90">
+          <div className="mx-auto flex max-w-4xl items-center justify-between px-4 py-3 sm:px-6">
+            <div className="flex items-center gap-3">
+              <div className="relative flex items-center">
+                <div className="flex h-8 w-8 items-center justify-center rounded-full border-2 border-white bg-gray-900">
+                  {companyLogo}
+                </div>
+                <img
+                  src={clientLogoSrc}
+                  alt={clientLogoAlt}
+                  width={32}
+                  height={32}
+                  className="-ml-2 h-8 w-8 rounded-full border-2 border-white"
+                  loading="eager"
+                />
+              </div>
+              <div>
+                <h1 className="text-sm font-bold tracking-tight text-gray-900">
+                  {clientName}
+                </h1>
+                <p className="text-[11px] text-gray-500">{companyName} {resolvedPortalLabel}</p>
+              </div>
+            </div>
+            <button
+              type="button"
+              onClick={handleShare}
+              className={cn(
+                "flex items-center gap-1.5 rounded-lg border px-3 py-1.5 text-xs font-medium transition-colors",
+                copyError
+                  ? "border-red-200 text-red-600"
+                  : "border-gray-200 text-gray-600 hover:bg-gray-50"
+              )}
+            >
+              {copied ? (
+                <Check className="h-3.5 w-3.5 text-green-500" />
+              ) : (
+                <Copy className="h-3.5 w-3.5" />
+              )}
+              {copied ? "Copied!" : copyError ? "Failed to copy" : "Copy secure link"}
+            </button>
+          </div>
+        </header>
+
+        <div className="bg-white/90">
+          <div role="tablist" className="mx-auto flex max-w-4xl gap-1 overflow-x-auto px-4 sm:px-6">
+            {tabs.map((tab) => {
+              const Icon = tab.icon;
+              return (
+                <button
+                  key={tab.id}
+                  type="button"
+                  role="tab"
+                  aria-selected={activeTab === tab.id}
+                  aria-controls={`tabpanel-${tab.id}`}
+                  id={`tab-${tab.id}`}
+                  onClick={() => switchTab(tab.id)}
+                  className={cn(
+                    "flex items-center gap-1.5 whitespace-nowrap border-b-2 px-3 py-2.5 text-sm font-medium transition-colors sm:gap-2 sm:px-4",
+                    activeTab === tab.id
+                      ? "border-primary text-primary"
+                      : "border-transparent text-gray-400 hover:text-gray-700"
+                  )}
+                >
+                  <span className="relative">
+                    <Icon className="h-4 w-4" />
+                    {tab.badge && activeTab !== tab.id ? (
+                      <span className="absolute -right-1 -top-1 h-2 w-2 rounded-full bg-amber-400" />
+                    ) : null}
+                  </span>
+                  <span className="hidden sm:inline">{tab.label}</span>
+                  <span className="sm:hidden">{tab.label.split(" ")[0]}</span>
+                </button>
+              );
+            })}
+          </div>
+        </div>
+      </div>
+
+      <main
+        id="main-content"
+        role="tabpanel"
+        aria-labelledby={`tab-${activeTab}`}
+        className="mx-auto w-full max-w-4xl px-4 py-6 sm:px-6 sm:py-8"
+      >
+        {activeContent}
+      </main>
+
+      {showFooter ? (
+        <footer className="mt-auto border-t bg-white">
+          <div className="mx-auto flex max-w-4xl items-center gap-4 px-4 py-4 sm:px-6">
+            <img
+              src={contact.avatarSrc}
+              alt={contact.name}
+              width={32}
+              height={32}
+              className="h-8 w-8 shrink-0 rounded-full"
+              loading="lazy"
+            />
+            <div className="flex-1">
+              <p className="text-xs">
+                <span className="font-semibold text-gray-900">{contact.name}</span>{" "}
+                <span className="text-gray-400">{contact.title}</span>
+              </p>
+              <p className="text-[11px] text-gray-500">{resolvedContactMessage}</p>
+            </div>
+            <div className="flex items-center gap-3">
+              <a
+                href={`mailto:${contact.email}`}
+                className="text-xs text-gray-400 transition-colors hover:text-gray-600"
+              >
+                {contact.email}
+              </a>
+              {contact.phone ? (
+                <a
+                  href={`tel:${contact.phone}`}
+                  className="text-xs text-gray-400 transition-colors hover:text-gray-600"
+                >
+                  {contact.phoneDisplay ?? contact.phone}
+                </a>
+              ) : null}
+            </div>
+          </div>
+          <div className="flex items-center justify-center gap-2 pb-3">
+            <p className="text-[11px] text-gray-300">Last updated {lastUpdated}</p>
+            <span className="text-gray-200">·</span>
+            <a
+              href="https://showpane.com"
+              target="_blank"
+              rel="noopener noreferrer"
+              className="text-[10px] text-gray-300 transition-colors hover:text-gray-400"
+            >
+              Powered by Showpane
+            </a>
+          </div>
+        </footer>
+      ) : null}
+    </div>
+  );
+}

package/bundle/scaffold/src/lib/abuse-controls.ts

@@ -0,0 +1,43 @@
+type RateLimitEntry = {
+  count: number;
+  resetAt: number;
+};
+
+function checkRateLimit(
+  bucket: Map<string, RateLimitEntry>,
+  key: string,
+  limit: number,
+  windowMs: number
+): boolean {
+  const now = Date.now();
+  const existing = bucket.get(key);
+
+  if (!existing || now > existing.resetAt) {
+    if (bucket.size > 5000) {
+      for (const [bucketKey, entry] of bucket) {
+        if (now > entry.resetAt) bucket.delete(bucketKey);
+      }
+    }
+    bucket.set(key, { count: 1, resetAt: now + windowMs });
+    return false;
+  }
+
+  existing.count += 1;
+  return existing.count > limit;
+}
+
+const uploadAttempts = new Map<string, RateLimitEntry>();
+const eventAttempts = new Map<string, RateLimitEntry>();
+
+export const DEFAULT_PORTAL_STORAGE_QUOTA_BYTES = 500 * 1024 * 1024; // 500MB
+export const UPLOAD_RATE_LIMIT_PER_MINUTE = 10;
+export const EVENT_RATE_LIMIT_PER_MINUTE = 60;
+export const EVENT_METADATA_MAX_BYTES = 4 * 1024;
+
+export function isUploadRateLimited(key: string): boolean {
+  return checkRateLimit(uploadAttempts, key, UPLOAD_RATE_LIMIT_PER_MINUTE, 60_000);
+}
+
+export function isEventRateLimited(key: string): boolean {
+  return checkRateLimit(eventAttempts, key, EVENT_RATE_LIMIT_PER_MINUTE, 60_000);
+}

package/bundle/scaffold/src/lib/branding.ts

@@ -0,0 +1,50 @@
+/**
+ * Auto-branding utility for Showpane.
+ * Fetches logos, avatars, and brand colors from free APIs.
+ * All functions return sensible defaults on failure.
+ */
+
+/**
+ * Fetch a company logo URL from a domain.
+ * Uses Clearbit Logo API (free, no key required).
+ * Falls back to a UI Avatars URL with the company initial.
+ */
+export function getLogoUrl(domain: string, fallbackName?: string): string {
+  if (domain) {
+    // Clearbit Logo API - free, no authentication needed
+    return `https://logo.clearbit.com/${domain}`;
+  }
+  // Fallback: initial-based avatar via ui-avatars.com
+  const initial = (fallbackName || "?")[0].toUpperCase();
+  return `https://ui-avatars.com/api/?name=${initial}&background=111827&color=fff&size=128&bold=true`;
+}
+
+/**
+ * Fetch a Gravatar URL for an email address.
+ * Falls back to UI Avatars if no Gravatar exists.
+ */
+export function getAvatarUrl(email: string, fallbackName?: string): string {
+  if (email) {
+    // Use Gravatar with fallback to UI Avatars
+    const hash = email.trim().toLowerCase();
+    // Note: Real implementation would MD5 hash the email.
+    // For now, use UI Avatars as the Gravatar default (d=)
+    const fallback = encodeURIComponent(
+      `https://ui-avatars.com/api/?name=${encodeURIComponent(fallbackName || email.split("@")[0])}&background=dbeafe&color=2563eb&size=128`
+    );
+    return `https://www.gravatar.com/avatar/?d=${fallback}`;
+  }
+  const name = fallbackName || "User";
+  return `https://ui-avatars.com/api/?name=${encodeURIComponent(name)}&background=dbeafe&color=2563eb&size=128`;
+}
+
+/**
+ * Generate a placeholder logo as a data URI SVG.
+ * Used when no domain is available.
+ */
+export function getInitialLogo(name: string, bgColor = "#111827", textColor = "#ffffff"): string {
+  const initial = (name || "?")[0].toUpperCase();
+  return `data:image/svg+xml,${encodeURIComponent(
+    `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 128 128"><rect width="128" height="128" rx="24" fill="${bgColor}"/><text x="64" y="64" dy=".35em" text-anchor="middle" fill="${textColor}" font-family="system-ui,sans-serif" font-size="64" font-weight="600">${initial}</text></svg>`
+  )}`;
+}

package/bundle/scaffold/src/lib/client-auth.ts

@@ -0,0 +1,98 @@
+/**
+ * Client portal auth helpers.
+ *
+ * Wraps token.ts (pure crypto) with DB lookups and Next.js request/response helpers.
+ * For CLI scripts that need token operations without Next.js, import from token.ts directly.
+ */
+
+import { getCredentialVersion } from "@/lib/client-portals";
+import { NextRequest, NextResponse } from "next/server";
+import {
+  buildAndSignToken,
+  verifyTokenSignature,
+  isClientAuthConfigured,
+  SESSION_TOKEN_MAX_AGE_SECONDS,
+  SHARE_COOKIE_MAX_AGE_SECONDS,
+  SHARE_TOKEN_MAX_AGE_SECONDS,
+} from "@/lib/token";
+
+export { isClientAuthConfigured } from "@/lib/token";
+export type { ClientTokenScope, VerifiedTokenPayload } from "@/lib/token";
+
+export const CLIENT_AUTH_COOKIE = "client_auth";
+export const CLIENT_AUTH_COOKIE_MAX_AGE_SECONDS = SESSION_TOKEN_MAX_AGE_SECONDS;
+export const CLIENT_SHARE_TOKEN_MAX_AGE_SECONDS = SHARE_COOKIE_MAX_AGE_SECONDS;
+
+export type VerifiedClientToken = {
+  orgId: string;
+  slug: string;
+  scope: "session" | "share";
+};
+
+async function signClientToken(
+  orgId: string,
+  slug: string,
+  scope: "session" | "share",
+  maxAgeSeconds: number | null
+): Promise<string | null> {
+  const credentialVersion = await getCredentialVersion(orgId, slug);
+  if (!credentialVersion) return null;
+  return buildAndSignToken(orgId, slug, scope, maxAgeSeconds, credentialVersion);
+}
+
+export async function signSessionToken(orgId: string, slug: string): Promise<string | null> {
+  return signClientToken(orgId, slug, "session", SESSION_TOKEN_MAX_AGE_SECONDS);
+}
+
+export async function signShareToken(orgId: string, slug: string): Promise<string | null> {
+  return signClientToken(orgId, slug, "share", SHARE_TOKEN_MAX_AGE_SECONDS);
+}
+
+export async function verifyClientToken(
+  token: string,
+  expectedScope?: "session" | "share"
+): Promise<VerifiedClientToken | null> {
+  const payload = await verifyTokenSignature(token, expectedScope);
+  if (!payload) return null;
+
+  // Check credential version against DB
+  const credentialVersion = await getCredentialVersion(payload.orgId, payload.slug);
+  if (!credentialVersion || credentialVersion !== payload.ver) return null;
+
+  return { orgId: payload.orgId, slug: payload.slug, scope: payload.scope };
+}
+
+/** Extract authenticated identity from request cookie, or null. */
+export async function getAuthenticatedPortal(
+  req: NextRequest,
+  expectedScope?: "session" | "share"
+): Promise<{ orgId: string; slug: string; scope: "session" | "share" } | null> {
+  const token = req.cookies.get(CLIENT_AUTH_COOKIE)?.value;
+  if (!token) return null;
+  const verified = await verifyClientToken(token, expectedScope);
+  if (!verified) return null;
+  return { orgId: verified.orgId, slug: verified.slug, scope: verified.scope };
+}
+
+/**
+ * @deprecated Use getAuthenticatedPortal instead. Returns only slug for backward compat.
+ */
+export async function getAuthenticatedSlug(req: NextRequest): Promise<string | null> {
+  const portal = await getAuthenticatedPortal(req);
+  return portal?.slug ?? null;
+}
+
+/** Set the client auth cookie on a response. */
+export function setClientAuthCookie(
+  res: NextResponse,
+  token: string,
+  maxAge = CLIENT_AUTH_COOKIE_MAX_AGE_SECONDS
+) {
+  res.cookies.set(CLIENT_AUTH_COOKIE, token, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === "production",
+    sameSite: "lax",
+    path: "/",
+    maxAge,
+  });
+}

package/bundle/scaffold/src/lib/client-portals.ts

@@ -0,0 +1,134 @@
+import { prisma } from "@/lib/db";
+import {
+  getRuntimePortalBySlug,
+  getRuntimePortalByUsername,
+  getRuntimeState,
+  isRuntimeSnapshotMode,
+} from "@/lib/runtime-state";
+
+type ClientPortalRow = {
+  organizationId: string;
+  slug: string;
+  companyName: string;
+  username: string;
+  passwordHash: string;
+  credentialVersion: string;
+};
+
+const PORTAL_SELECT = {
+  organizationId: true,
+  slug: true,
+  companyName: true,
+  username: true,
+  passwordHash: true,
+  credentialVersion: true,
+} as const;
+
+export async function getClientPortalBySlug(
+  organizationId: string,
+  slug: string
+): Promise<ClientPortalRow | null> {
+  if (isRuntimeSnapshotMode()) {
+    const portal = await getRuntimePortalBySlug(slug);
+    return portal
+      ? {
+          organizationId,
+          slug: portal.slug,
+          companyName: portal.companyName,
+          username: portal.username,
+          passwordHash: portal.passwordHash,
+          credentialVersion: portal.credentialVersion,
+        }
+      : null;
+  }
+
+  return prisma.clientPortal.findFirst({
+    where: { organizationId, slug, isActive: true },
+    select: PORTAL_SELECT,
+  });
+}
+
+export async function getClientPortalByUsername(
+  organizationId: string,
+  username: string
+): Promise<ClientPortalRow | null> {
+  if (isRuntimeSnapshotMode()) {
+    const portal = await getRuntimePortalByUsername(username);
+    return portal
+      ? {
+          organizationId,
+          slug: portal.slug,
+          companyName: portal.companyName,
+          username: portal.username,
+          passwordHash: portal.passwordHash,
+          credentialVersion: portal.credentialVersion,
+        }
+      : null;
+  }
+
+  return prisma.clientPortal.findFirst({
+    where: { organizationId, username, isActive: true },
+    select: PORTAL_SELECT,
+  });
+}
+
+/** Look up the portal ID by org-scoped slug. */
+export async function getClientPortalId(
+  organizationId: string,
+  slug: string
+): Promise<string | null> {
+  const portal = await prisma.clientPortal.findFirst({
+    where: { organizationId, slug, isActive: true },
+    select: { id: true },
+  });
+  return portal?.id ?? null;
+}
+
+/** Validate login credentials. Returns the matching slug or null. */
+export async function validateClientLogin(
+  organizationId: string,
+  username: string,
+  password: string
+): Promise<string | null> {
+  const portal = await getClientPortalByUsername(organizationId, username);
+  if (!portal) return null;
+  const bcrypt = await import("bcryptjs");
+  const match = await bcrypt.compare(password, portal.passwordHash);
+  return match ? portal.slug : null;
+}
+
+/** Get the credential version string for token signing/verification. */
+export async function getCredentialVersion(
+  organizationId: string,
+  slug: string
+): Promise<string | null> {
+  const portal = await getClientPortalBySlug(organizationId, slug);
+  return portal?.credentialVersion ?? null;
+}
+
+/**
+ * Resolve the organizationId for the current request context.
+ * Cloud: each Vercel project has ORG_ID set during provisioning.
+ * Self-hosted: returns the single org in the DB.
+ */
+export async function resolveDefaultOrganizationId(): Promise<string | null> {
+  if (isRuntimeSnapshotMode()) {
+    const state = await getRuntimeState();
+    return state?.organization.id ?? process.env.ORG_ID ?? null;
+  }
+
+  // Cloud: each Vercel project has ORG_ID set during provisioning
+  if (process.env.ORG_ID) {
+    const org = await prisma.organization.findUnique({
+      where: { id: process.env.ORG_ID },
+      select: { id: true },
+    });
+    return org?.id ?? null;
+  }
+  // Self-hosted: use the single org in the DB
+  const org = await prisma.organization.findFirst({
+    select: { id: true },
+    orderBy: { createdAt: "asc" },
+  });
+  return org?.id ?? null;
+}