vibecarbon 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (495) hide show
  1. package/LICENSE +663 -0
  2. package/README.md +188 -0
  3. package/carbon/.claude/hooks/task-completed-gate.sh +19 -0
  4. package/carbon/.claude/hooks/teammate-idle-gate.sh +29 -0
  5. package/carbon/.claude/settings.json +29 -0
  6. package/carbon/.cursor/rules/vibecarbon.mdc +6 -0
  7. package/carbon/.dockerignore +57 -0
  8. package/carbon/.env.example +219 -0
  9. package/carbon/.github/copilot-instructions.md +3 -0
  10. package/carbon/.github/workflows/deploy.yml +346 -0
  11. package/carbon/.github/workflows/vibecarbon-build.yml +81 -0
  12. package/carbon/.windsurfrules +74 -0
  13. package/carbon/AGENTS.md +422 -0
  14. package/carbon/CLAUDE.md +3 -0
  15. package/carbon/DEVELOPMENT.md +187 -0
  16. package/carbon/Dockerfile +98 -0
  17. package/carbon/LICENSE +21 -0
  18. package/carbon/PRODUCTION.md +364 -0
  19. package/carbon/README.md +193 -0
  20. package/carbon/TESTING.md +138 -0
  21. package/carbon/backup/Dockerfile +75 -0
  22. package/carbon/backup/backup.sh +95 -0
  23. package/carbon/backup/compose-backup.sh +140 -0
  24. package/carbon/biome.json +83 -0
  25. package/carbon/cloud-init/docker-ce-setup.yaml +55 -0
  26. package/carbon/cloud-init/k3s/master-init.sh +215 -0
  27. package/carbon/cloud-init/k3s/supabase-init.sh +167 -0
  28. package/carbon/cloud-init/k3s/worker-init.sh +147 -0
  29. package/carbon/components.json +24 -0
  30. package/carbon/content/blog/authentication-guide.mdx +34 -0
  31. package/carbon/content/blog/getting-started.mdx +41 -0
  32. package/carbon/content/changelog/v0-1-0.mdx +40 -0
  33. package/carbon/content/docs/analytics.mdx +90 -0
  34. package/carbon/content/docs/authentication.mdx +231 -0
  35. package/carbon/content/docs/background-jobs.mdx +116 -0
  36. package/carbon/content/docs/cli.mdx +630 -0
  37. package/carbon/content/docs/database.mdx +236 -0
  38. package/carbon/content/docs/deployment.mdx +227 -0
  39. package/carbon/content/docs/development.mdx +238 -0
  40. package/carbon/content/docs/environments.mdx +84 -0
  41. package/carbon/content/docs/getting-started.mdx +112 -0
  42. package/carbon/content/docs/legal/privacy-policy.mdx +89 -0
  43. package/carbon/content/docs/legal/terms-of-service.mdx +99 -0
  44. package/carbon/content/docs/optional-services.mdx +160 -0
  45. package/carbon/db/Dockerfile +23 -0
  46. package/carbon/docker-compose.dev-init.yml +5 -0
  47. package/carbon/docker-compose.metabase.override.yml +14 -0
  48. package/carbon/docker-compose.metabase.prod.yml +28 -0
  49. package/carbon/docker-compose.metabase.yml +84 -0
  50. package/carbon/docker-compose.n8n.override.yml +14 -0
  51. package/carbon/docker-compose.n8n.prod.yml +31 -0
  52. package/carbon/docker-compose.n8n.yml +97 -0
  53. package/carbon/docker-compose.observability.override.yml +18 -0
  54. package/carbon/docker-compose.observability.prod.yml +28 -0
  55. package/carbon/docker-compose.observability.yml +125 -0
  56. package/carbon/docker-compose.override.yml +28 -0
  57. package/carbon/docker-compose.prod.yml +294 -0
  58. package/carbon/docker-compose.yml +508 -0
  59. package/carbon/docker-entrypoint.sh +12 -0
  60. package/carbon/ha/activate-standby.sh +52 -0
  61. package/carbon/ha/primary-init.sql +36 -0
  62. package/carbon/ha/standby-init.sh +74 -0
  63. package/carbon/k8s/LICENSE +99 -0
  64. package/carbon/k8s/README.md +272 -0
  65. package/carbon/k8s/base/app/deployment.yaml +130 -0
  66. package/carbon/k8s/base/app/hpa.yaml +44 -0
  67. package/carbon/k8s/base/app/kustomization.yaml +10 -0
  68. package/carbon/k8s/base/app/network-policy.yaml +124 -0
  69. package/carbon/k8s/base/app/pdb.yaml +14 -0
  70. package/carbon/k8s/base/app/rbac.yaml +36 -0
  71. package/carbon/k8s/base/app/service.yaml +16 -0
  72. package/carbon/k8s/base/backup/cronjob.yaml +120 -0
  73. package/carbon/k8s/base/backup/kustomization.yaml +7 -0
  74. package/carbon/k8s/base/backup/network-policy.yaml +31 -0
  75. package/carbon/k8s/base/backup/rbac.yaml +7 -0
  76. package/carbon/k8s/base/cluster-autoscaler/deployment.yaml +103 -0
  77. package/carbon/k8s/base/cluster-autoscaler/kustomization.yaml +17 -0
  78. package/carbon/k8s/base/cluster-autoscaler/rbac.yaml +109 -0
  79. package/carbon/k8s/base/config/configmap.yaml +48 -0
  80. package/carbon/k8s/base/config/kustomization.yaml +8 -0
  81. package/carbon/k8s/base/hetzner-ccm/kustomization.yaml +9 -0
  82. package/carbon/k8s/base/hetzner-csi/kustomization.yaml +9 -0
  83. package/carbon/k8s/base/kustomization.yaml +43 -0
  84. package/carbon/k8s/base/namespace.yaml +7 -0
  85. package/carbon/k8s/base/network-policies.yaml +95 -0
  86. package/carbon/k8s/base/registry/kustomization.yaml +5 -0
  87. package/carbon/k8s/base/registry/local-registry.yaml +193 -0
  88. package/carbon/k8s/base/traefik/certificate.yaml +21 -0
  89. package/carbon/k8s/base/traefik/configmap.yaml +13 -0
  90. package/carbon/k8s/base/traefik/deployment.yaml +165 -0
  91. package/carbon/k8s/base/traefik/ingressroute.yaml +141 -0
  92. package/carbon/k8s/base/traefik/kustomization.yaml +11 -0
  93. package/carbon/k8s/base/traefik/middleware.yaml +109 -0
  94. package/carbon/k8s/base/traefik/network-policy.yaml +92 -0
  95. package/carbon/k8s/base/traefik/service.yaml +38 -0
  96. package/carbon/k8s/flux/README.md +49 -0
  97. package/carbon/k8s/flux/clusters/primary/vibecarbon.yaml +128 -0
  98. package/carbon/k8s/flux/clusters/standby/vibecarbon.yaml +83 -0
  99. package/carbon/k8s/gitops/cert-manager-webhook-hetzner/helm-release.yaml +38 -0
  100. package/carbon/k8s/gitops/cert-manager-webhook-hetzner/helm-repository.yaml +16 -0
  101. package/carbon/k8s/gitops/cert-manager-webhook-hetzner/kustomization.yaml +10 -0
  102. package/carbon/k8s/gitops/supabase/helm-release.yaml +66 -0
  103. package/carbon/k8s/gitops/supabase/helm-repository.yaml +18 -0
  104. package/carbon/k8s/gitops/supabase/kustomization.yaml +33 -0
  105. package/carbon/k8s/infra/cert-manager-resources/cluster-issuers-cloudflare.yaml +51 -0
  106. package/carbon/k8s/infra/cert-manager-resources/cluster-issuers-hetzner.yaml +59 -0
  107. package/carbon/k8s/infra/cert-manager-resources/cluster-issuers-manual.yaml +43 -0
  108. package/carbon/k8s/infra/cert-manager-resources/kustomization.yaml +15 -0
  109. package/carbon/k8s/infra/kustomization.yaml +21 -0
  110. package/carbon/k8s/infra/traefik-crds/kustomization.yaml +10 -0
  111. package/carbon/k8s/overlays/local/configmap.yaml +23 -0
  112. package/carbon/k8s/overlays/local/ingressroute-studio.yaml +104 -0
  113. package/carbon/k8s/overlays/local/kustomization.yaml +215 -0
  114. package/carbon/k8s/overlays/local/namespace.yaml +8 -0
  115. package/carbon/k8s/overlays/local/secrets.yaml +32 -0
  116. package/carbon/k8s/overlays/production/kustomization.yaml +34 -0
  117. package/carbon/k8s/test-local.sh +318 -0
  118. package/carbon/k8s/values/supabase.values.yaml +133 -0
  119. package/carbon/package.json +154 -0
  120. package/carbon/runtime.Dockerfile +17 -0
  121. package/carbon/scripts/_dev-jwt.mjs +45 -0
  122. package/carbon/scripts/check-rls.ts +53 -0
  123. package/carbon/scripts/dev-init.js +191 -0
  124. package/carbon/scripts/dev.js +191 -0
  125. package/carbon/scripts/docker-down.js +63 -0
  126. package/carbon/scripts/docker-logs.js +59 -0
  127. package/carbon/scripts/docker-up.js +222 -0
  128. package/carbon/scripts/generate-dev-configs.sh +131 -0
  129. package/carbon/scripts/generate-rss.ts +116 -0
  130. package/carbon/scripts/generate-sitemap.ts +102 -0
  131. package/carbon/scripts/k8s-apply.js +71 -0
  132. package/carbon/scripts/k8s-delete.js +75 -0
  133. package/carbon/scripts/lib/manifest.js +176 -0
  134. package/carbon/scripts/secret-scan.mjs +278 -0
  135. package/carbon/scripts/validate-dev-configs.sh +101 -0
  136. package/carbon/src/client/App.tsx +202 -0
  137. package/carbon/src/client/assets/hyperformant-dark.svg +29 -0
  138. package/carbon/src/client/assets/hyperformant-light.svg +29 -0
  139. package/carbon/src/client/assets/logos/aider.svg +1 -0
  140. package/carbon/src/client/assets/logos/antigravity.svg +1 -0
  141. package/carbon/src/client/assets/logos/bolt.svg +1 -0
  142. package/carbon/src/client/assets/logos/claude-code.svg +1 -0
  143. package/carbon/src/client/assets/logos/copilot.svg +1 -0
  144. package/carbon/src/client/assets/logos/cursor.svg +1 -0
  145. package/carbon/src/client/assets/logos/gemini-cli.svg +1 -0
  146. package/carbon/src/client/assets/logos/lovable.svg +1 -0
  147. package/carbon/src/client/assets/logos/openai-codex.svg +1 -0
  148. package/carbon/src/client/assets/logos/v0.svg +1 -0
  149. package/carbon/src/client/assets/logos/windsurf.svg +1 -0
  150. package/carbon/src/client/assets/vibecarbon-icon.svg +19 -0
  151. package/carbon/src/client/assets/vibecarbon-logo-dark.svg +29 -0
  152. package/carbon/src/client/assets/vibecarbon-logo-light.svg +29 -0
  153. package/carbon/src/client/components/AIIntegrationSection.tsx +120 -0
  154. package/carbon/src/client/components/AppSidebar.tsx +760 -0
  155. package/carbon/src/client/components/ArchitectureSection.tsx +46 -0
  156. package/carbon/src/client/components/CTAFooter.tsx +59 -0
  157. package/carbon/src/client/components/ComparisonSection.tsx +132 -0
  158. package/carbon/src/client/components/ContentPanel.tsx +66 -0
  159. package/carbon/src/client/components/ContentSkeleton.tsx +21 -0
  160. package/carbon/src/client/components/ErrorBoundary.tsx +46 -0
  161. package/carbon/src/client/components/FAQSection.tsx +76 -0
  162. package/carbon/src/client/components/FileUpload.tsx +210 -0
  163. package/carbon/src/client/components/HeaderActions.tsx +17 -0
  164. package/carbon/src/client/components/Hero.tsx +608 -0
  165. package/carbon/src/client/components/ImpersonationBanner.tsx +31 -0
  166. package/carbon/src/client/components/LanguageSwitcher.tsx +67 -0
  167. package/carbon/src/client/components/Logo.tsx +87 -0
  168. package/carbon/src/client/components/LogoStrip.tsx +76 -0
  169. package/carbon/src/client/components/MetricsStrip.tsx +48 -0
  170. package/carbon/src/client/components/Nav.tsx +195 -0
  171. package/carbon/src/client/components/NewsletterSignup.tsx +147 -0
  172. package/carbon/src/client/components/NotificationDrawer.tsx +171 -0
  173. package/carbon/src/client/components/PageHeader.tsx +24 -0
  174. package/carbon/src/client/components/PlanGate.tsx +36 -0
  175. package/carbon/src/client/components/PricingSection.tsx +371 -0
  176. package/carbon/src/client/components/SEO.tsx +34 -0
  177. package/carbon/src/client/components/SmoothScroll.tsx +45 -0
  178. package/carbon/src/client/components/TechStackSection.tsx +165 -0
  179. package/carbon/src/client/components/WorkflowSection.tsx +604 -0
  180. package/carbon/src/client/components/admin/DockerLogs.tsx +276 -0
  181. package/carbon/src/client/components/admin/PerformanceMetrics.tsx +230 -0
  182. package/carbon/src/client/components/admin/ServiceCard.tsx +45 -0
  183. package/carbon/src/client/components/admin/ServicesStatus.tsx +296 -0
  184. package/carbon/src/client/components/architecture/ArchitectureDiagram.tsx +413 -0
  185. package/carbon/src/client/components/auth/AuthProvider.tsx +466 -0
  186. package/carbon/src/client/components/effects/FilmGrainOverlay.tsx +35 -0
  187. package/carbon/src/client/components/effects/FresnelEdge.tsx +49 -0
  188. package/carbon/src/client/components/effects/GlowTracker.tsx +46 -0
  189. package/carbon/src/client/components/effects/SparkBurst.tsx +145 -0
  190. package/carbon/src/client/components/effects/VGlowEffect.tsx +83 -0
  191. package/carbon/src/client/components/effects/index.ts +2 -0
  192. package/carbon/src/client/components/layouts/SidebarLayout.tsx +20 -0
  193. package/carbon/src/client/components/scroll/ScrollSection.tsx +76 -0
  194. package/carbon/src/client/components/scroll/ScrollytellingProvider.tsx +81 -0
  195. package/carbon/src/client/components/scroll/index.ts +2 -0
  196. package/carbon/src/client/components/ui/accordion.tsx +71 -0
  197. package/carbon/src/client/components/ui/alert-dialog.tsx +162 -0
  198. package/carbon/src/client/components/ui/alert.tsx +73 -0
  199. package/carbon/src/client/components/ui/aspect-ratio.tsx +22 -0
  200. package/carbon/src/client/components/ui/avatar.tsx +91 -0
  201. package/carbon/src/client/components/ui/badge.tsx +50 -0
  202. package/carbon/src/client/components/ui/breadcrumb.tsx +100 -0
  203. package/carbon/src/client/components/ui/button-group.tsx +78 -0
  204. package/carbon/src/client/components/ui/button.tsx +120 -0
  205. package/carbon/src/client/components/ui/calendar.tsx +182 -0
  206. package/carbon/src/client/components/ui/card.tsx +85 -0
  207. package/carbon/src/client/components/ui/carousel.tsx +227 -0
  208. package/carbon/src/client/components/ui/chart.tsx +357 -0
  209. package/carbon/src/client/components/ui/checkbox.tsx +27 -0
  210. package/carbon/src/client/components/ui/collapsible.tsx +15 -0
  211. package/carbon/src/client/components/ui/command.tsx +178 -0
  212. package/carbon/src/client/components/ui/context-menu.tsx +233 -0
  213. package/carbon/src/client/components/ui/dialog.tsx +132 -0
  214. package/carbon/src/client/components/ui/drawer.tsx +118 -0
  215. package/carbon/src/client/components/ui/dropdown-menu.tsx +242 -0
  216. package/carbon/src/client/components/ui/empty.tsx +94 -0
  217. package/carbon/src/client/components/ui/field.tsx +226 -0
  218. package/carbon/src/client/components/ui/hover-card.tsx +44 -0
  219. package/carbon/src/client/components/ui/input-group.tsx +146 -0
  220. package/carbon/src/client/components/ui/input-otp.tsx +83 -0
  221. package/carbon/src/client/components/ui/input.tsx +20 -0
  222. package/carbon/src/client/components/ui/item.tsx +188 -0
  223. package/carbon/src/client/components/ui/kbd.tsx +26 -0
  224. package/carbon/src/client/components/ui/label.tsx +21 -0
  225. package/carbon/src/client/components/ui/menubar.tsx +250 -0
  226. package/carbon/src/client/components/ui/navigation-menu.tsx +155 -0
  227. package/carbon/src/client/components/ui/pagination.tsx +102 -0
  228. package/carbon/src/client/components/ui/popover.tsx +75 -0
  229. package/carbon/src/client/components/ui/progress.tsx +66 -0
  230. package/carbon/src/client/components/ui/radio-group.tsx +36 -0
  231. package/carbon/src/client/components/ui/resizable.tsx +46 -0
  232. package/carbon/src/client/components/ui/scroll-area.tsx +48 -0
  233. package/carbon/src/client/components/ui/select.tsx +186 -0
  234. package/carbon/src/client/components/ui/separator.tsx +21 -0
  235. package/carbon/src/client/components/ui/sheet.tsx +124 -0
  236. package/carbon/src/client/components/ui/sidebar.tsx +702 -0
  237. package/carbon/src/client/components/ui/skeleton.tsx +13 -0
  238. package/carbon/src/client/components/ui/slider.tsx +57 -0
  239. package/carbon/src/client/components/ui/sonner.tsx +45 -0
  240. package/carbon/src/client/components/ui/spinner.tsx +15 -0
  241. package/carbon/src/client/components/ui/switch.tsx +30 -0
  242. package/carbon/src/client/components/ui/table.tsx +89 -0
  243. package/carbon/src/client/components/ui/tabs.tsx +73 -0
  244. package/carbon/src/client/components/ui/textarea.tsx +18 -0
  245. package/carbon/src/client/components/ui/toggle-group.tsx +87 -0
  246. package/carbon/src/client/components/ui/toggle.tsx +44 -0
  247. package/carbon/src/client/components/ui/tooltip.tsx +56 -0
  248. package/carbon/src/client/hooks/api/index.ts +14 -0
  249. package/carbon/src/client/hooks/api/useAuthSettings.ts +80 -0
  250. package/carbon/src/client/hooks/api/useSubscription.ts +87 -0
  251. package/carbon/src/client/hooks/use-mobile.ts +21 -0
  252. package/carbon/src/client/hooks/useMousePosition.ts +91 -0
  253. package/carbon/src/client/hooks/useNotifications.tsx +124 -0
  254. package/carbon/src/client/hooks/useOrganizationMembers.ts +127 -0
  255. package/carbon/src/client/hooks/useOrganizations.tsx +230 -0
  256. package/carbon/src/client/hooks/usePackageManager.ts +69 -0
  257. package/carbon/src/client/hooks/useReducedMotion.ts +20 -0
  258. package/carbon/src/client/hooks/useRunningServices.ts +114 -0
  259. package/carbon/src/client/hooks/useScrollProgress.ts +56 -0
  260. package/carbon/src/client/index.css +467 -0
  261. package/carbon/src/client/index.html +56 -0
  262. package/carbon/src/client/lib/admin-services.ts +151 -0
  263. package/carbon/src/client/lib/api.ts +32 -0
  264. package/carbon/src/client/lib/blog.ts +35 -0
  265. package/carbon/src/client/lib/changelog.ts +33 -0
  266. package/carbon/src/client/lib/docs-search.ts +101 -0
  267. package/carbon/src/client/lib/docs.ts +37 -0
  268. package/carbon/src/client/lib/i18n.ts +32 -0
  269. package/carbon/src/client/lib/supabase.ts +72 -0
  270. package/carbon/src/client/lib/tailwind-colors.ts +357 -0
  271. package/carbon/src/client/lib/theme.ts +117 -0
  272. package/carbon/src/client/lib/utils.ts +22 -0
  273. package/carbon/src/client/locales/de.json +529 -0
  274. package/carbon/src/client/locales/en.json +461 -0
  275. package/carbon/src/client/locales/es.json +529 -0
  276. package/carbon/src/client/locales/fr.json +529 -0
  277. package/carbon/src/client/locales/pt.json +529 -0
  278. package/carbon/src/client/main.tsx +56 -0
  279. package/carbon/src/client/mdx.d.ts +13 -0
  280. package/carbon/src/client/pages/ApiDocs.tsx +76 -0
  281. package/carbon/src/client/pages/AuthCallback.tsx +34 -0
  282. package/carbon/src/client/pages/Blog.tsx +167 -0
  283. package/carbon/src/client/pages/Changelog.tsx +171 -0
  284. package/carbon/src/client/pages/Charts.tsx +388 -0
  285. package/carbon/src/client/pages/Checkout.tsx +227 -0
  286. package/carbon/src/client/pages/Contact.tsx +174 -0
  287. package/carbon/src/client/pages/Dashboard.tsx +368 -0
  288. package/carbon/src/client/pages/Docs.tsx +372 -0
  289. package/carbon/src/client/pages/ForgotPassword.tsx +111 -0
  290. package/carbon/src/client/pages/Home.tsx +187 -0
  291. package/carbon/src/client/pages/Legal.tsx +100 -0
  292. package/carbon/src/client/pages/Login.tsx +408 -0
  293. package/carbon/src/client/pages/MFAVerify.tsx +156 -0
  294. package/carbon/src/client/pages/NotFound.tsx +21 -0
  295. package/carbon/src/client/pages/Onboarding.tsx +246 -0
  296. package/carbon/src/client/pages/ResetPassword.tsx +200 -0
  297. package/carbon/src/client/pages/UIComponents.tsx +390 -0
  298. package/carbon/src/client/pages/admin/ContactSubmissions.tsx +220 -0
  299. package/carbon/src/client/pages/admin/Dashboard.tsx +24 -0
  300. package/carbon/src/client/pages/admin/Infrastructure.tsx +257 -0
  301. package/carbon/src/client/pages/admin/Jobs.tsx +225 -0
  302. package/carbon/src/client/pages/admin/Logs.tsx +18 -0
  303. package/carbon/src/client/pages/admin/Newsletter.tsx +300 -0
  304. package/carbon/src/client/pages/admin/Notifications.tsx +603 -0
  305. package/carbon/src/client/pages/admin/Organizations.tsx +306 -0
  306. package/carbon/src/client/pages/admin/Settings.tsx +314 -0
  307. package/carbon/src/client/pages/admin/Theme.tsx +465 -0
  308. package/carbon/src/client/pages/admin/Users.tsx +365 -0
  309. package/carbon/src/client/pages/api-docs.css +156 -0
  310. package/carbon/src/client/pages/organizations/Details.tsx +200 -0
  311. package/carbon/src/client/pages/organizations/Members.tsx +402 -0
  312. package/carbon/src/client/pages/settings/Billing.tsx +473 -0
  313. package/carbon/src/client/pages/settings/Profile.tsx +160 -0
  314. package/carbon/src/client/pages/settings/Security.tsx +341 -0
  315. package/carbon/src/client/public/favicon.svg +19 -0
  316. package/carbon/src/client/public/robots.txt +8 -0
  317. package/carbon/src/server/billing/index.ts +104 -0
  318. package/carbon/src/server/billing/provider.ts +81 -0
  319. package/carbon/src/server/billing/providers/paddle.ts +314 -0
  320. package/carbon/src/server/billing/providers/polar.ts +325 -0
  321. package/carbon/src/server/billing/providers/stripe.ts +233 -0
  322. package/carbon/src/server/emails/templates.ts +116 -0
  323. package/carbon/src/server/index.ts +554 -0
  324. package/carbon/src/server/lib/auth.ts +6 -0
  325. package/carbon/src/server/lib/email.ts +64 -0
  326. package/carbon/src/server/lib/env.ts +112 -0
  327. package/carbon/src/server/lib/errors.ts +21 -0
  328. package/carbon/src/server/lib/logger.ts +17 -0
  329. package/carbon/src/server/lib/rate-limiter.ts +288 -0
  330. package/carbon/src/server/lib/request.ts +34 -0
  331. package/carbon/src/server/lib/stripe.ts +42 -0
  332. package/carbon/src/server/lib/supabase.ts +65 -0
  333. package/carbon/src/server/middleware/requirePlan.ts +80 -0
  334. package/carbon/src/server/routes/_internal/services-status.ts +958 -0
  335. package/carbon/src/server/routes/_internal/verify-role.ts +185 -0
  336. package/carbon/src/server/routes/health.ts +48 -0
  337. package/carbon/src/server/routes/v1/admin/contact.ts +128 -0
  338. package/carbon/src/server/routes/v1/admin/jobs.ts +171 -0
  339. package/carbon/src/server/routes/v1/admin/newsletter.ts +237 -0
  340. package/carbon/src/server/routes/v1/auth.ts +390 -0
  341. package/carbon/src/server/routes/v1/billing.ts +718 -0
  342. package/carbon/src/server/routes/v1/contact.ts +93 -0
  343. package/carbon/src/server/routes/v1/index.ts +1333 -0
  344. package/carbon/src/server/routes/v1/newsletter.ts +181 -0
  345. package/carbon/src/server/routes/v1/performance.ts +157 -0
  346. package/carbon/src/server/routes/v1/stats.ts +170 -0
  347. package/carbon/src/server/routes/v1/theme.ts +106 -0
  348. package/carbon/src/server/routes/webhooks/billing.ts +376 -0
  349. package/carbon/src/server/routes/webhooks/stripe.ts +276 -0
  350. package/carbon/src/server/types.ts +11 -0
  351. package/carbon/src/shared/pricing.ts +155 -0
  352. package/carbon/src/shared/types.ts +338 -0
  353. package/carbon/supabase/migrations/00001_init.sql +717 -0
  354. package/carbon/supabase/migrations/00002_theme_settings.sql +13 -0
  355. package/carbon/supabase/migrations/00003_pg_cron.sql +121 -0
  356. package/carbon/supabase/migrations/00004_contact_newsletter.sql +81 -0
  357. package/carbon/supabase/migrations/00005_localization_languages.sql +22 -0
  358. package/carbon/supabase/seed.sql +16 -0
  359. package/carbon/tests/_helpers/app.ts +45 -0
  360. package/carbon/tests/_helpers/env.ts +37 -0
  361. package/carbon/tests/_helpers/factories.ts +69 -0
  362. package/carbon/tests/_helpers/jwt.ts +23 -0
  363. package/carbon/tests/_helpers/setup-integration.ts +20 -0
  364. package/carbon/tests/_helpers/setup-rtl.ts +12 -0
  365. package/carbon/tests/component/ErrorBoundary.test.tsx +53 -0
  366. package/carbon/tests/component/use-auth-settings.test.tsx +119 -0
  367. package/carbon/tests/integration/server/routes/contact.test.ts +162 -0
  368. package/carbon/tests/integration/server/routes/health.test.ts +61 -0
  369. package/carbon/tests/structural/i18n-parity.test.ts +42 -0
  370. package/carbon/tests/unit/client/utils.test.ts +49 -0
  371. package/carbon/tests/unit/shared/pricing.test.ts +93 -0
  372. package/carbon/tsconfig.json +27 -0
  373. package/carbon/tsconfig.server.json +27 -0
  374. package/carbon/tsconfig.test.json +9 -0
  375. package/carbon/vite.config.ts +110 -0
  376. package/carbon/vitest.config.ts +74 -0
  377. package/carbon/volumes/db/jwt.sql +57 -0
  378. package/carbon/volumes/db/metabase-init.sh +29 -0
  379. package/carbon/volumes/db/n8n-init.sh +25 -0
  380. package/carbon/volumes/db/realtime.sql +33 -0
  381. package/carbon/volumes/db/roles.sql +93 -0
  382. package/carbon/volumes/db/set-passwords.sh +12 -0
  383. package/carbon/volumes/db/super-admin.dev.sql +113 -0
  384. package/carbon/volumes/db/super-admin.generated.sql +113 -0
  385. package/carbon/volumes/db/super-admin.sql +114 -0
  386. package/carbon/volumes/grafana/dashboards/logs.json +179 -0
  387. package/carbon/volumes/grafana/dashboards/overview.json +523 -0
  388. package/carbon/volumes/grafana/dashboards/postgresql.json +337 -0
  389. package/carbon/volumes/grafana/dashboards.dev/logs.json +179 -0
  390. package/carbon/volumes/grafana/dashboards.dev/overview.json +156 -0
  391. package/carbon/volumes/grafana/dashboards.dev/postgresql.json +337 -0
  392. package/carbon/volumes/grafana/provisioning/dashboards/dashboards.dev.yml +16 -0
  393. package/carbon/volumes/grafana/provisioning/dashboards/dashboards.yml +16 -0
  394. package/carbon/volumes/grafana/provisioning/datasources/datasources.yml +43 -0
  395. package/carbon/volumes/kong/docker-entrypoint.sh +9 -0
  396. package/carbon/volumes/kong/kong.yml +208 -0
  397. package/carbon/volumes/loki/loki-config.yml +58 -0
  398. package/carbon/volumes/n8n/hooks.js +131 -0
  399. package/carbon/volumes/n8n/scripts/setup.sh +66 -0
  400. package/carbon/volumes/prometheus/prometheus.yml +43 -0
  401. package/carbon/volumes/promtail/promtail-config.yml +64 -0
  402. package/carbon/volumes/traefik/middlewares.dev.yml +83 -0
  403. package/carbon/volumes/traefik/middlewares.yml +95 -0
  404. package/carbon/volumes/traefik/vite-dev.yml +20 -0
  405. package/package.json +95 -0
  406. package/src/access.js +354 -0
  407. package/src/activate.js +187 -0
  408. package/src/add.js +718 -0
  409. package/src/backup.js +786 -0
  410. package/src/cli.js +350 -0
  411. package/src/configure.js +967 -0
  412. package/src/console.js +155 -0
  413. package/src/create.js +1499 -0
  414. package/src/deploy.js +311 -0
  415. package/src/destroy.js +2033 -0
  416. package/src/diagnose.js +735 -0
  417. package/src/down.js +80 -0
  418. package/src/failover.js +1032 -0
  419. package/src/lib/backup-s3.js +179 -0
  420. package/src/lib/build.js +33 -0
  421. package/src/lib/checksum.js +28 -0
  422. package/src/lib/ci-setup.js +666 -0
  423. package/src/lib/cli/help.js +129 -0
  424. package/src/lib/cli/parse-flags.js +160 -0
  425. package/src/lib/cli/select-action.js +65 -0
  426. package/src/lib/cli/select-environment.js +108 -0
  427. package/src/lib/cli/tty-guard.js +75 -0
  428. package/src/lib/cloudflare.js +447 -0
  429. package/src/lib/colors.js +52 -0
  430. package/src/lib/command.js +361 -0
  431. package/src/lib/config.js +359 -0
  432. package/src/lib/cost.js +103 -0
  433. package/src/lib/deploy/bundle.js +231 -0
  434. package/src/lib/deploy/compose/acme-verify.js +121 -0
  435. package/src/lib/deploy/compose/build-args.js +78 -0
  436. package/src/lib/deploy/compose/ha.js +1874 -0
  437. package/src/lib/deploy/compose/index.js +1294 -0
  438. package/src/lib/deploy/compose/reconcile.js +74 -0
  439. package/src/lib/deploy/github.js +382 -0
  440. package/src/lib/deploy/image.js +191 -0
  441. package/src/lib/deploy/index.js +119 -0
  442. package/src/lib/deploy/k8s/LICENSE +99 -0
  443. package/src/lib/deploy/k8s/gitops-deploy.js +298 -0
  444. package/src/lib/deploy/k8s/ha/index.js +1000 -0
  445. package/src/lib/deploy/k8s/index.js +62 -0
  446. package/src/lib/deploy/k8s/k3s.js +2515 -0
  447. package/src/lib/deploy/orchestrator.js +1401 -0
  448. package/src/lib/deploy/prompts.js +545 -0
  449. package/src/lib/deploy/remote-build.js +130 -0
  450. package/src/lib/deploy/state.js +120 -0
  451. package/src/lib/deploy/utils.js +328 -0
  452. package/src/lib/deploy-logger.js +93 -0
  453. package/src/lib/dns-propagation.js +48 -0
  454. package/src/lib/environment.js +58 -0
  455. package/src/lib/fetch-retry.js +103 -0
  456. package/src/lib/github-environments.js +335 -0
  457. package/src/lib/hetzner-dns.js +377 -0
  458. package/src/lib/hetzner-guided-setup.js +275 -0
  459. package/src/lib/host-keys.js +37 -0
  460. package/src/lib/iac/cloud-init.js +52 -0
  461. package/src/lib/iac/index.js +325 -0
  462. package/src/lib/iac/programs/hetzner-compose.js +130 -0
  463. package/src/lib/iac/programs/hetzner-k8s.js +320 -0
  464. package/src/lib/kubectl.js +81 -0
  465. package/src/lib/licensing/index.js +259 -0
  466. package/src/lib/licensing/tiers.js +181 -0
  467. package/src/lib/licensing/validator.js +171 -0
  468. package/src/lib/merge-package-json.js +90 -0
  469. package/src/lib/operator-ip.js +381 -0
  470. package/src/lib/package-manager.js +111 -0
  471. package/src/lib/perf.js +71 -0
  472. package/src/lib/project-guard.js +39 -0
  473. package/src/lib/project.js +334 -0
  474. package/src/lib/providers/base.js +276 -0
  475. package/src/lib/providers/hetzner-s3.js +656 -0
  476. package/src/lib/providers/hetzner.js +755 -0
  477. package/src/lib/providers/index.js +164 -0
  478. package/src/lib/s3.js +510 -0
  479. package/src/lib/secret-scan.js +583 -0
  480. package/src/lib/secrets.js +63 -0
  481. package/src/lib/server-types.js +195 -0
  482. package/src/lib/shell.js +91 -0
  483. package/src/lib/ssh.js +241 -0
  484. package/src/lib/tracker.js +242 -0
  485. package/src/lib/upgrade-policy.js +170 -0
  486. package/src/lib/validators.js +105 -0
  487. package/src/lib/version.js +5 -0
  488. package/src/remove.js +292 -0
  489. package/src/reset.js +97 -0
  490. package/src/restore.js +871 -0
  491. package/src/scale.js +1734 -0
  492. package/src/shell.js +222 -0
  493. package/src/status.js +981 -0
  494. package/src/up.js +264 -0
  495. package/src/upgrade.js +721 -0
@@ -0,0 +1,554 @@
1
+ import { serve } from '@hono/node-server';
2
+ import { serveStatic } from '@hono/node-server/serve-static';
3
+ import { Hono } from 'hono';
4
+ import { cors } from 'hono/cors';
5
+ import { logger as honoLogger } from 'hono/logger';
6
+ import { secureHeaders } from 'hono/secure-headers';
7
+ import { timeout } from 'hono/timeout';
8
+ import { env } from './lib/env';
9
+ import { logger } from './lib/logger';
10
+ import { createRateLimiter } from './lib/rate-limiter';
11
+ import { getSupabaseClient } from './lib/supabase';
12
+ import { servicesStatusRoutes } from './routes/_internal/services-status';
13
+ import { verifyRoleRoutes } from './routes/_internal/verify-role';
14
+ import { healthRoutes } from './routes/health';
15
+ import { v1Routes } from './routes/v1';
16
+ import { adminContactRoutes } from './routes/v1/admin/contact';
17
+ import { jobsRoutes } from './routes/v1/admin/jobs';
18
+ import { adminNewsletterRoutes } from './routes/v1/admin/newsletter';
19
+ import { authRoutes } from './routes/v1/auth';
20
+ import { billingRoutes } from './routes/v1/billing';
21
+ import { contactRoutes } from './routes/v1/contact';
22
+ import { newsletterRoutes } from './routes/v1/newsletter';
23
+ import { performanceRoutes } from './routes/v1/performance';
24
+ import { statsRoutes } from './routes/v1/stats';
25
+ import { themeRoutes } from './routes/v1/theme';
26
+ import { billingWebhookRoutes } from './routes/webhooks/billing';
27
+ import { stripeWebhookRoutes } from './routes/webhooks/stripe';
28
+ import type { HonoVariables } from './types';
29
+
30
+ const app = new Hono<{ Variables: HonoVariables }>();
31
+
32
+ // ============================================================================
33
+ // SECURITY MIDDLEWARE
34
+ // ============================================================================
35
+
36
+ // Security headers (X-Content-Type-Options, X-Frame-Options, etc.)
37
+ app.use(
38
+ '*',
39
+ secureHeaders({
40
+ contentSecurityPolicy:
41
+ process.env.NODE_ENV === 'production'
42
+ ? {
43
+ defaultSrc: ["'self'"],
44
+ scriptSrc: ["'self'", "'unsafe-inline'", 'https://static.cloudflareinsights.com'],
45
+ styleSrc: ["'self'", "'unsafe-inline'"],
46
+ imgSrc: ["'self'", 'data:', 'https:'],
47
+ connectSrc: [
48
+ "'self'",
49
+ // In k8s, SUPABASE_URL is the internal kong URL (http://kong:8000).
50
+ // The browser connects to the public domain instead, so we use SITE_URL.
51
+ // Fall back to SUPABASE_URL for non-k8s prod environments.
52
+ env.SITE_URL ?? env.SUPABASE_URL,
53
+ env.SITE_URL ? env.SITE_URL.replace('https://', 'https://api.') : '',
54
+ 'https://cloudflareinsights.com',
55
+ 'https://api.github.com',
56
+ ].filter(Boolean) as string[],
57
+ fontSrc: ["'self'", 'data:'],
58
+ objectSrc: ["'none'"],
59
+ frameAncestors: ["'none'"],
60
+ }
61
+ : undefined,
62
+ // HSTS: Force HTTPS for 1 year, include subdomains (production only)
63
+ strictTransportSecurity:
64
+ process.env.NODE_ENV === 'production' ? 'max-age=31536000; includeSubDomains' : false,
65
+ xFrameOptions: 'DENY',
66
+ xContentTypeOptions: 'nosniff',
67
+ referrerPolicy: 'strict-origin-when-cross-origin',
68
+ crossOriginEmbedderPolicy: false,
69
+ crossOriginResourcePolicy: 'same-origin',
70
+ })
71
+ );
72
+
73
+ // Request timeout (30 seconds)
74
+ app.use('*', timeout(30000));
75
+
76
+ // Request logging
77
+ app.use('*', honoLogger());
78
+
79
+ // Rate limiting for API routes (100 requests per minute per IP)
80
+ app.use('/api/v1/*', createRateLimiter({ windowMs: 60 * 1000, max: 100 }));
81
+ app.use('/api/health', createRateLimiter({ windowMs: 60 * 1000, max: 100 }));
82
+
83
+ // Rate limiting for internal endpoints (higher threshold for infrastructure)
84
+ // These are called by Traefik for auth verification on each request
85
+ app.use('/api/_internal/*', createRateLimiter({ windowMs: 60 * 1000, max: 1000 }));
86
+
87
+ // Rate limiting for webhooks (higher threshold for external services)
88
+ // Stripe may send bursts of events (e.g., during subscription changes)
89
+ app.use('/api/webhooks/*', createRateLimiter({ windowMs: 60 * 1000, max: 500 }));
90
+
91
+ // CORS for SPA - restrict to allowed origins
92
+ app.use(
93
+ '/api/*',
94
+ cors({
95
+ origin: (origin) => {
96
+ // Build allowed origins list
97
+ const allowedOrigins: string[] = [];
98
+
99
+ // Always allow the configured site URL
100
+ if (process.env.SITE_URL) {
101
+ allowedOrigins.push(process.env.SITE_URL);
102
+ }
103
+
104
+ // Allow custom CORS origins from environment
105
+ if (process.env.CORS_ORIGINS) {
106
+ allowedOrigins.push(...process.env.CORS_ORIGINS.split(',').map((o) => o.trim()));
107
+ }
108
+
109
+ // Only allow localhost in development (with configurable ports)
110
+ if (process.env.NODE_ENV !== 'production') {
111
+ const portOffset = Number.parseInt(process.env.DEV_PORT_OFFSET || '0', 10);
112
+ const vitePort = process.env.DEV_VITE_PORT || String(5173 + portOffset);
113
+ const apiPort = process.env.DEV_API_PORT || String(3000 + portOffset);
114
+ allowedOrigins.push(`http://localhost:${vitePort}`, `http://localhost:${apiPort}`);
115
+ }
116
+
117
+ return allowedOrigins.includes(origin) ? origin : null;
118
+ },
119
+ allowHeaders: ['Content-Type', 'Authorization', 'apikey'],
120
+ allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
121
+ credentials: true,
122
+ maxAge: 3600, // 1 hour
123
+ })
124
+ );
125
+
126
+ // Request body size limit middleware
127
+ app.use('/api/*', async (c, next) => {
128
+ const contentLength = Number.parseInt(c.req.header('content-length') || '0', 10);
129
+ const maxSize = 10 * 1024 * 1024; // 10MB
130
+ if (contentLength > maxSize) {
131
+ return c.json({ error: 'Request body too large' }, 413);
132
+ }
133
+ await next();
134
+ });
135
+
136
+ // Supabase session middleware - inject user and client into context
137
+ // Skip for health endpoint (no auth needed, avoids unnecessary getUser() call)
138
+ app.use('/api/*', async (c, next) => {
139
+ if (c.req.path === '/api/health' || c.req.path === '/api/health/ready') {
140
+ c.set('user', null);
141
+ await next();
142
+ return;
143
+ }
144
+
145
+ const authHeader = c.req.header('Authorization');
146
+ const supabase = getSupabaseClient(authHeader);
147
+ c.set('supabase', supabase);
148
+
149
+ // Verify the JWT and get user info
150
+ if (authHeader?.startsWith('Bearer ')) {
151
+ const {
152
+ data: { user },
153
+ error,
154
+ } = await supabase.auth.getUser();
155
+ if (!error && user) {
156
+ c.set('user', user);
157
+ } else {
158
+ c.set('user', null);
159
+ }
160
+ } else {
161
+ c.set('user', null);
162
+ }
163
+
164
+ await next();
165
+ });
166
+
167
+ // ============================================================================
168
+ // ROUTES
169
+ // ============================================================================
170
+
171
+ // Note: Auth is handled by Supabase (Kong routes to Auth service)
172
+ // Your Hono app only needs to handle application-specific APIs
173
+
174
+ // Health check (public, used by load balancers)
175
+ app.route('/api/health', healthRoutes);
176
+
177
+ // Internal endpoints (for infrastructure, e.g., Traefik ForwardAuth)
178
+ // Rate-limited at higher threshold (1000/min) to allow infrastructure calls
179
+ app.route('/api/_internal/verify-role', verifyRoleRoutes);
180
+ app.route('/api/_internal/services/status', servicesStatusRoutes);
181
+
182
+ // Versioned API endpoints (authenticated)
183
+ app.route('/api/v1', v1Routes);
184
+ app.route('/api/v1/auth', authRoutes);
185
+ app.route('/api/v1/billing', billingRoutes);
186
+ app.route('/api/v1/admin/theme', themeRoutes);
187
+ app.route('/api/v1/admin/stats', statsRoutes);
188
+ app.route('/api/v1/admin/performance', performanceRoutes);
189
+
190
+ app.route('/api/v1/admin/jobs', jobsRoutes);
191
+ app.route('/api/v1/admin/contact', adminContactRoutes);
192
+ app.route('/api/v1/admin/newsletter', adminNewsletterRoutes);
193
+ app.route('/api/v1/contact', contactRoutes);
194
+ app.route('/api/v1/newsletter', newsletterRoutes);
195
+
196
+ // Webhooks (no auth required, signature verified internally)
197
+ // Note: Must receive raw body for signature verification
198
+ app.route('/api/webhooks/billing', billingWebhookRoutes);
199
+ app.route('/api/webhooks/stripe', stripeWebhookRoutes); // Backward compat for existing Stripe deployments
200
+
201
+ // Backwards compatibility: redirect old /api/* to /api/v1/*
202
+ app.get('/api/me', (c) => c.redirect('/api/v1/me', 301));
203
+ app.get('/api/organizations', (c) => c.redirect('/api/v1/organizations', 301));
204
+ app.post('/api/organizations', (c) => c.redirect('/api/v1/organizations', 307));
205
+
206
+ // ============================================================================
207
+ // API DOCUMENTATION
208
+ // ============================================================================
209
+
210
+ // Calculate API port for OpenAPI spec
211
+ const portOffset = Number.parseInt(process.env.DEV_PORT_OFFSET || '0', 10);
212
+ const apiPort = process.env.DEV_API_PORT || String(3000 + portOffset);
213
+
214
+ // OpenAPI spec
215
+ const openApiSpec = {
216
+ openapi: '3.0.0',
217
+ info: {
218
+ title: '{{PROJECT_NAME}} API',
219
+ version: '1.0.0',
220
+ description: 'API documentation for {{PROJECT_NAME}}',
221
+ },
222
+ servers: [{ url: `http://localhost:${apiPort}`, description: 'Development server' }],
223
+ paths: {
224
+ '/api/health': {
225
+ get: {
226
+ summary: 'Health check',
227
+ tags: ['Health'],
228
+ responses: {
229
+ '200': {
230
+ description: 'Service is healthy',
231
+ content: {
232
+ 'application/json': {
233
+ schema: {
234
+ type: 'object',
235
+ properties: {
236
+ status: { type: 'string', example: 'healthy' },
237
+ timestamp: { type: 'string', format: 'date-time' },
238
+ services: {
239
+ type: 'object',
240
+ properties: {
241
+ database: { type: 'string' },
242
+ supabase: { type: 'string' },
243
+ },
244
+ },
245
+ },
246
+ },
247
+ },
248
+ },
249
+ },
250
+ },
251
+ },
252
+ },
253
+ '/api/v1/me': {
254
+ get: {
255
+ summary: 'Get current user',
256
+ tags: ['User'],
257
+ security: [{ bearerAuth: [] }],
258
+ responses: {
259
+ '200': { description: 'User info with memberships and role' },
260
+ '401': { description: 'Unauthorized' },
261
+ },
262
+ },
263
+ },
264
+ '/api/v1/organizations': {
265
+ get: {
266
+ summary: 'List organizations',
267
+ tags: ['Organizations'],
268
+ security: [{ bearerAuth: [] }],
269
+ responses: {
270
+ '200': { description: 'List of organizations' },
271
+ '401': { description: 'Unauthorized' },
272
+ },
273
+ },
274
+ post: {
275
+ summary: 'Create organization',
276
+ tags: ['Organizations'],
277
+ security: [{ bearerAuth: [] }],
278
+ requestBody: {
279
+ required: true,
280
+ content: {
281
+ 'application/json': {
282
+ schema: {
283
+ type: 'object',
284
+ required: ['name', 'slug'],
285
+ properties: {
286
+ name: { type: 'string' },
287
+ slug: { type: 'string' },
288
+ },
289
+ },
290
+ },
291
+ },
292
+ },
293
+ responses: {
294
+ '201': { description: 'Organization created' },
295
+ '400': { description: 'Bad request' },
296
+ '401': { description: 'Unauthorized' },
297
+ },
298
+ },
299
+ },
300
+ '/api/v1/billing/checkout': {
301
+ post: {
302
+ summary: 'Create checkout session',
303
+ tags: ['Billing'],
304
+ security: [{ bearerAuth: [] }],
305
+ requestBody: {
306
+ required: true,
307
+ content: {
308
+ 'application/json': {
309
+ schema: {
310
+ type: 'object',
311
+ required: ['priceId', 'type'],
312
+ properties: {
313
+ priceId: { type: 'string' },
314
+ type: { type: 'string', enum: ['user', 'organization'] },
315
+ organizationId: { type: 'string', format: 'uuid' },
316
+ },
317
+ },
318
+ },
319
+ },
320
+ },
321
+ responses: {
322
+ '200': { description: 'Checkout session URL' },
323
+ '401': { description: 'Unauthorized' },
324
+ },
325
+ },
326
+ },
327
+ '/api/v1/contact/submit': {
328
+ post: {
329
+ summary: 'Submit contact form',
330
+ description: 'Public endpoint, rate-limited (5 per 15 minutes). Honeypot spam protection.',
331
+ tags: ['Contact'],
332
+ requestBody: {
333
+ required: true,
334
+ content: {
335
+ 'application/json': {
336
+ schema: {
337
+ type: 'object',
338
+ required: ['name', 'email', 'subject', 'message'],
339
+ properties: {
340
+ name: { type: 'string', maxLength: 200 },
341
+ email: { type: 'string', format: 'email' },
342
+ subject: { type: 'string', maxLength: 300 },
343
+ message: { type: 'string', minLength: 10, maxLength: 5000 },
344
+ },
345
+ },
346
+ },
347
+ },
348
+ },
349
+ responses: {
350
+ '200': { description: 'Submission received' },
351
+ '400': { description: 'Validation error' },
352
+ '429': { description: 'Rate limit exceeded' },
353
+ },
354
+ },
355
+ },
356
+ '/api/v1/newsletter/subscribe': {
357
+ post: {
358
+ summary: 'Subscribe to newsletter',
359
+ description:
360
+ 'Public endpoint, rate-limited. Uses double opt-in (sends confirmation email).',
361
+ tags: ['Newsletter'],
362
+ requestBody: {
363
+ required: true,
364
+ content: {
365
+ 'application/json': {
366
+ schema: {
367
+ type: 'object',
368
+ required: ['email'],
369
+ properties: {
370
+ email: { type: 'string', format: 'email' },
371
+ name: { type: 'string', maxLength: 200 },
372
+ },
373
+ },
374
+ },
375
+ },
376
+ },
377
+ responses: {
378
+ '200': { description: 'Subscription initiated — check email to confirm' },
379
+ '400': { description: 'Validation error' },
380
+ },
381
+ },
382
+ },
383
+ '/api/v1/admin/jobs': {
384
+ get: {
385
+ summary: 'List background jobs',
386
+ tags: ['Admin'],
387
+ security: [{ bearerAuth: [] }],
388
+ responses: {
389
+ '200': { description: 'Job summaries and execution history' },
390
+ '403': { description: 'Forbidden — requires super admin' },
391
+ },
392
+ },
393
+ },
394
+ '/api/v1/admin/contact': {
395
+ get: {
396
+ summary: 'List contact submissions',
397
+ tags: ['Admin'],
398
+ security: [{ bearerAuth: [] }],
399
+ responses: {
400
+ '200': { description: 'Paginated contact submissions' },
401
+ '403': { description: 'Forbidden — requires super admin' },
402
+ },
403
+ },
404
+ },
405
+ '/api/v1/admin/newsletter': {
406
+ get: {
407
+ summary: 'List newsletter subscribers',
408
+ tags: ['Admin'],
409
+ security: [{ bearerAuth: [] }],
410
+ responses: {
411
+ '200': { description: 'Paginated subscriber list' },
412
+ '403': { description: 'Forbidden — requires super admin' },
413
+ },
414
+ },
415
+ },
416
+ '/api/webhooks/billing': {
417
+ post: {
418
+ summary: 'Billing webhook handler',
419
+ description:
420
+ 'Provider-agnostic webhook endpoint. Detects Stripe/Paddle/Polar from active provider. Signature verified internally.',
421
+ tags: ['Webhooks'],
422
+ responses: {
423
+ '200': { description: 'Webhook processed' },
424
+ '400': { description: 'Invalid signature or payload' },
425
+ },
426
+ },
427
+ },
428
+ '/api/_internal/verify-role': {
429
+ get: {
430
+ summary: 'Verify user role (ForwardAuth)',
431
+ description:
432
+ 'Internal endpoint for Traefik ForwardAuth. Verifies JWT and checks user role.',
433
+ tags: ['Internal'],
434
+ parameters: [
435
+ {
436
+ name: 'role',
437
+ in: 'query',
438
+ description: 'Required role (e.g., admin)',
439
+ schema: { type: 'string' },
440
+ },
441
+ {
442
+ name: 'roles',
443
+ in: 'query',
444
+ description: 'Comma-separated list of acceptable roles',
445
+ schema: { type: 'string' },
446
+ },
447
+ ],
448
+ responses: {
449
+ '200': { description: 'User authenticated and has required role' },
450
+ '401': { description: 'Not authenticated' },
451
+ '403': { description: 'Authenticated but lacks required role' },
452
+ },
453
+ },
454
+ },
455
+ },
456
+ components: {
457
+ securitySchemes: {
458
+ bearerAuth: {
459
+ type: 'http',
460
+ scheme: 'bearer',
461
+ bearerFormat: 'JWT',
462
+ },
463
+ },
464
+ },
465
+ };
466
+
467
+ // Serve OpenAPI spec under /api so Vite proxy works
468
+ app.get('/api/openapi.json', (c) => c.json(openApiSpec));
469
+
470
+ // API docs (dev-only dependencies, conditionally loaded)
471
+ if (process.env.NODE_ENV !== 'production') {
472
+ const [{ apiReference }, { swaggerUI }] = await Promise.all([
473
+ import('@scalar/hono-api-reference'),
474
+ import('@hono/swagger-ui'),
475
+ ]);
476
+ app.get(
477
+ '/api/docs',
478
+ apiReference({
479
+ url: '/api/openapi.json',
480
+ pageTitle: '{{PROJECT_NAME}} API',
481
+ theme: 'purple',
482
+ })
483
+ );
484
+ app.get('/api/swagger', swaggerUI({ url: '/api/openapi.json' }));
485
+ }
486
+
487
+ // ============================================================================
488
+ // STATIC FILE SERVING (Production) / API Docs redirect (Development)
489
+ // ============================================================================
490
+
491
+ if (process.env.NODE_ENV === 'production') {
492
+ // Static assets with cache headers
493
+ app.use(
494
+ '/assets/*',
495
+ serveStatic({
496
+ root: './dist/client',
497
+ onFound: (_path, c) => {
498
+ c.header('Cache-Control', 'public, immutable, max-age=31536000');
499
+ },
500
+ })
501
+ );
502
+
503
+ // Serve static files from dist/client
504
+ app.use('/*', serveStatic({ root: './dist/client' }));
505
+
506
+ // SPA fallback - serve index.html for client-side routing
507
+ app.get('/*', serveStatic({ path: './dist/client/index.html' }));
508
+ } else {
509
+ // Development: redirect root to API docs (frontend served by Vite dev server)
510
+ app.get('/', (c) => c.redirect('/api/docs'));
511
+ }
512
+
513
+ // ============================================================================
514
+ // SERVER STARTUP
515
+ // ============================================================================
516
+
517
+ const port = env.DEV_API_PORT ?? env.PORT + env.DEV_PORT_OFFSET;
518
+
519
+ // Login attempt cleanup is now handled by pg_cron (see migration 00003_pg_cron.sql)
520
+
521
+ logger.info({ port }, 'Starting server');
522
+
523
+ const server = serve({
524
+ fetch: app.fetch,
525
+ port,
526
+ });
527
+
528
+ // Graceful shutdown handler - drain in-flight requests before exiting
529
+ let isShuttingDown = false;
530
+ const SHUTDOWN_TIMEOUT_MS = 10000;
531
+
532
+ const shutdown = (signal: string) => {
533
+ if (isShuttingDown) return;
534
+ isShuttingDown = true;
535
+
536
+ logger.info({ signal }, 'Shutting down gracefully...');
537
+
538
+ // Stop accepting new connections and wait for in-flight requests to finish
539
+ server.close(() => {
540
+ logger.info('All connections closed');
541
+ process.exit(0);
542
+ });
543
+
544
+ // Force exit if draining takes too long
545
+ setTimeout(() => {
546
+ logger.warn('Shutdown timeout reached, forcing exit');
547
+ process.exit(1);
548
+ }, SHUTDOWN_TIMEOUT_MS).unref();
549
+ };
550
+
551
+ process.on('SIGINT', () => shutdown('SIGINT'));
552
+ process.on('SIGTERM', () => shutdown('SIGTERM'));
553
+
554
+ export default app;
@@ -0,0 +1,6 @@
1
+ import type { User } from '@supabase/supabase-js';
2
+
3
+ /** Check if a user has the super_admin role (set via app_metadata by Supabase admin API) */
4
+ export function isSuperAdmin(user: User): boolean {
5
+ return user.app_metadata?.role === 'super_admin';
6
+ }
@@ -0,0 +1,64 @@
1
+ import nodemailer from 'nodemailer';
2
+ import { env } from './env';
3
+ import { logger } from './logger';
4
+
5
+ /**
6
+ * Email service using SMTP (shared credentials with Supabase Auth).
7
+ * Gracefully no-ops when not configured (matching isStripeConfigured() pattern).
8
+ */
9
+
10
+ const transporter =
11
+ env.SMTP_HOST && env.SMTP_USER
12
+ ? nodemailer.createTransport({
13
+ host: env.SMTP_HOST,
14
+ port: env.SMTP_PORT ?? 587,
15
+ auth: { user: env.SMTP_USER, pass: env.SMTP_PASS },
16
+ })
17
+ : null;
18
+
19
+ export function isEmailConfigured(): boolean {
20
+ return transporter !== null && !!env.SMTP_ADMIN_EMAIL;
21
+ }
22
+
23
+ interface SendEmailOptions {
24
+ to: string | string[];
25
+ subject: string;
26
+ html: string;
27
+ text?: string;
28
+ replyTo?: string;
29
+ }
30
+
31
+ /**
32
+ * Send an email via SMTP.
33
+ * No-ops if email is not configured (dev mode without SMTP credentials).
34
+ */
35
+ export async function sendEmail(options: SendEmailOptions): Promise<{ id?: string }> {
36
+ if (!isEmailConfigured() || !transporter || !env.SMTP_ADMIN_EMAIL) {
37
+ logger.debug({ to: options.to, subject: options.subject }, 'Email skipped (not configured)');
38
+ return {};
39
+ }
40
+
41
+ const from = env.SMTP_SENDER_NAME
42
+ ? `${env.SMTP_SENDER_NAME} <${env.SMTP_ADMIN_EMAIL}>`
43
+ : env.SMTP_ADMIN_EMAIL;
44
+
45
+ try {
46
+ const info = await transporter.sendMail({
47
+ from,
48
+ to: Array.isArray(options.to) ? options.to.join(', ') : options.to,
49
+ subject: options.subject,
50
+ html: options.html,
51
+ ...(options.text ? { text: options.text } : {}),
52
+ ...(options.replyTo ? { replyTo: options.replyTo } : {}),
53
+ });
54
+
55
+ logger.info(
56
+ { messageId: info.messageId, to: options.to, subject: options.subject },
57
+ 'Email sent'
58
+ );
59
+ return { id: info.messageId };
60
+ } catch (error) {
61
+ logger.error({ error, to: options.to, subject: options.subject }, 'Email send error');
62
+ throw error;
63
+ }
64
+ }