rebreak-monorepo

chahine/rebreak-monorepo

Fork 0

Commit Graph

Author	SHA1	Message	Date
chahinebrini	335945fe2c	feat(tier): plan limits Rev.2 + downgrade reconciliation + change-preview (Phase 2 backend) - plan-features.ts: globalBlocklist 'curated'\|'full' (curated = 30-domain stub, TODO real ~1-2k HaGeZi subset); maxAppDevices vs maxProtectedDevices split (legend maxProtectedDevices: 2); mail 1/3/Infinity - limit-enforcement structured errors on mail/connect, custom-domains/add, devices/enroll ({ error:'plan_limit', resource, current, limit }); approved-own-submissions already excluded from custom-domain count (slot frees on approval) - server/utils/downgrade-reconciliation.ts: founding-member exemption; re-upgrade reactivates paused mail + degraded devices; downgrade pauses newest-N mail accounts (isActive=false, pausedAt, pausedReason; pre-pause sets nextScanAt=now for a final sweep — real direct IMAP scan is TODO/stub); degrades excess device profiles (status='degraded', degradedAt); free → globalBlocklistGraceUntil = now+14d; custom domains grandfathered - set-plan.post.ts + stripe/webhook.post.ts: run reconciliation on plan change; set-plan accepts { foundingMember } for testing - GET /api/plan/change-preview?to=<plan>: gains/keeps/changes per resource (8 axes), founding-member → direction 'same' - me.get.ts: + foundingMember, globalBlocklistGraceUntil, planLimits block - blocklist + mail-scan honour globalBlocklistGraceUntil (grace → treat as 'full') - db: countMailConnections/getMailConnections exclude paused; getAllMailConnections; getDeviceBlocklistMode (active\|grace\|passthrough\|revoked) - migration 20260511_tier_system_phase2 (profiles.founding_member + global_blocklist_grace_until; mail_connections.paused_at/paused_reason; protected_devices.degraded_at). prisma generate + build:backend clean. TODOs (separate tickets): founding-member auto-counter on signup; real direct IMAP final-scan (not just nextScanAt nudge); real curated blocklist data + wiring the stub into the blocklist response for free users. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-11 16:23:02 +02:00
chahinebrini	6962e09403	feat(devices): Windows 11 DoH protection — reg-file endpoint + tests - Add server/utils/regfile.ts: generateWindowsDohRegFile() producing UTF-16 LE + BOM .reg content for DohWellKnownServers registry path. label and dohTemplate values are properly escape'd (\, ", \n, \r, \t). - Add GET /api/devices/:id/profile.reg — public, windows-platform-gated, returns octet-stream with Content-Disposition attachment. - Update enroll.post.ts: downloadUrl is now platform-aware (windows → .reg, all others → .mobileconfig). - Add tests/devices/regfile.test.ts: 13 tests covering BOM, CRLF, token embed, subkey naming, AutoUpgradeFlag, label escaping (", \, \n), and labelToSlug edge cases. All 111 tests pass. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-11 04:48:51 +02:00
chahinebrini	677b67902b	feat(devices): protected device enrollment + mobileconfig generator Backend: - ProtectedDevice prisma model + migration add_protected_devices - DB helpers: list/count/get/create/confirm/revoke - mobileconfig.ts utility — XML-escape, unique UUIDs per request - 5 endpoints under /api/devices/* (avoid /api/devices conflict with existing Capacitor UserDevice route by using /api/devices/protected for list) Phase 1: backend ready. DoH-server token-routing comes in phase 2. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-11 04:06:49 +02:00

Author

SHA1

Message

Date

chahinebrini

335945fe2c

feat(tier): plan limits Rev.2 + downgrade reconciliation + change-preview (Phase 2 backend)

- plan-features.ts: globalBlocklist 'curated'|'full' (curated = 30-domain stub,
  TODO real ~1-2k HaGeZi subset); maxAppDevices vs maxProtectedDevices split
  (legend maxProtectedDevices: 2); mail 1/3/Infinity
- limit-enforcement structured errors on mail/connect, custom-domains/add, devices/enroll
  ({ error:'plan_limit', resource, current, limit }); approved-own-submissions already
  excluded from custom-domain count (slot frees on approval)
- server/utils/downgrade-reconciliation.ts: founding-member exemption; re-upgrade
  reactivates paused mail + degraded devices; downgrade pauses newest-N mail accounts
  (isActive=false, pausedAt, pausedReason; pre-pause sets nextScanAt=now for a final
  sweep — real direct IMAP scan is TODO/stub); degrades excess device profiles
  (status='degraded', degradedAt); free → globalBlocklistGraceUntil = now+14d;
  custom domains grandfathered
- set-plan.post.ts + stripe/webhook.post.ts: run reconciliation on plan change;
  set-plan accepts { foundingMember } for testing
- GET /api/plan/change-preview?to=<plan>: gains/keeps/changes per resource (8 axes),
  founding-member → direction 'same'
- me.get.ts: + foundingMember, globalBlocklistGraceUntil, planLimits block
- blocklist + mail-scan honour globalBlocklistGraceUntil (grace → treat as 'full')
- db: countMailConnections/getMailConnections exclude paused; getAllMailConnections;
  getDeviceBlocklistMode (active|grace|passthrough|revoked)
- migration 20260511_tier_system_phase2 (profiles.founding_member +
  global_blocklist_grace_until; mail_connections.paused_at/paused_reason;
  protected_devices.degraded_at). prisma generate + build:backend clean.

TODOs (separate tickets): founding-member auto-counter on signup; real direct IMAP
final-scan (not just nextScanAt nudge); real curated blocklist data + wiring the
stub into the blocklist response for free users.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-11 16:23:02 +02:00

chahinebrini

6962e09403

feat(devices): Windows 11 DoH protection — reg-file endpoint + tests

- Add server/utils/regfile.ts: generateWindowsDohRegFile() producing
  UTF-16 LE + BOM .reg content for DohWellKnownServers registry path.
  label and dohTemplate values are properly escape'd (\, ", \n, \r, \t).
- Add GET /api/devices/:id/profile.reg — public, windows-platform-gated,
  returns octet-stream with Content-Disposition attachment.
- Update enroll.post.ts: downloadUrl is now platform-aware
  (windows → .reg, all others → .mobileconfig).
- Add tests/devices/regfile.test.ts: 13 tests covering BOM, CRLF,
  token embed, subkey naming, AutoUpgradeFlag, label escaping (", \, \n),
  and labelToSlug edge cases. All 111 tests pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-05-11 04:48:51 +02:00

chahinebrini

677b67902b

feat(devices): protected device enrollment + mobileconfig generator

Backend:
- ProtectedDevice prisma model + migration add_protected_devices
- DB helpers: list/count/get/create/confirm/revoke
- mobileconfig.ts utility — XML-escape, unique UUIDs per request
- 5 endpoints under /api/devices/* (avoid /api/devices conflict with existing
  Capacitor UserDevice route by using /api/devices/protected for list)

Phase 1: backend ready. DoH-server token-routing comes in phase 2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-11 04:06:49 +02:00

3 Commits