feat: Phase 0 walking skeleton — monorepo, API, web, ML stub

Sets up the full Phase 0 foundation: - pnpm workspaces + turbo build graph; native module build approval - packages/shared-types: HTTP contracts (Tip, Auth, Integrations, User) - services/api: Express modular monolith with better-sqlite3/drizzle - auth: Google OAuth2 + PKCE via openid-client v6, cookie sessions - integrations: Todoist OAuth2 connect/disconnect, token vault - recommender: RandomPolicy over Todoist tasks, feedback sink - user: profile, consent capture, full account deletion (GDPR) - apps/web: Next.js 15, three pages (sign-in → connect → tip) - tip page: black canvas, hold-to-act gesture, action sheet - PWA manifest + theme - ml/serving: FastAPI stub implementing the POST /score contract - infra: docker-compose (core/full profiles), Dockerfiles, CI skeleton - .env.example with all required vars documented Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 12:41:24 +00:00
parent 7f173f88d3
commit 65218762be
44 changed files with 4574 additions and 0 deletions
--- a/services/api/src/config.ts
+++ b/services/api/src/config.ts
@@ -0,0 +1,32 @@
+import 'dotenv/config';
+
+function require(name: string): string {
+  const val = process.env[name];
+  if (!val) throw new Error(`Missing required env var: ${name}`);
+  return val;
+}
+
+function optional(name: string, fallback: string): string {
+  return process.env[name] ?? fallback;
+}
+
+export const config = {
+  PORT: parseInt(optional('PORT', '3001'), 10),
+  NODE_ENV: optional('NODE_ENV', 'development'),
+  DATABASE_PATH: optional('DATABASE_PATH', './data/oo.db'),
+
+  SESSION_SECRET: require('SESSION_SECRET'),
+
+  GOOGLE_CLIENT_ID: require('GOOGLE_CLIENT_ID'),
+  GOOGLE_CLIENT_SECRET: require('GOOGLE_CLIENT_SECRET'),
+
+  TODOIST_CLIENT_ID: require('TODOIST_CLIENT_ID'),
+  TODOIST_CLIENT_SECRET: require('TODOIST_CLIENT_SECRET'),
+
+  /** Absolute base URL of this API, e.g. http://localhost:3001 */
+  API_BASE_URL: optional('API_BASE_URL', 'http://localhost:3001'),
+  /** Absolute base URL of the web app, e.g. http://localhost:3000 */
+  WEB_BASE_URL: optional('WEB_BASE_URL', 'http://localhost:3000'),
+
+  ML_SERVING_URL: optional('ML_SERVING_URL', 'http://localhost:8000'),
+};
--- a/services/api/src/db/index.ts
+++ b/services/api/src/db/index.ts
@@ -0,0 +1,53 @@
+import Database from 'better-sqlite3';
+import { drizzle } from 'drizzle-orm/better-sqlite3';
+import * as schema from './schema.js';
+import { config } from '../config.js';
+
+const sqlite = new Database(config.DATABASE_PATH);
+sqlite.pragma('journal_mode = WAL');
+sqlite.pragma('foreign_keys = ON');
+
+export const db = drizzle(sqlite, { schema });
+
+export function runMigrations() {
+  sqlite.exec(`
+    CREATE TABLE IF NOT EXISTS users (
+      id TEXT PRIMARY KEY,
+      email TEXT NOT NULL UNIQUE,
+      name TEXT,
+      image TEXT,
+      google_id TEXT UNIQUE,
+      consent_given INTEGER NOT NULL DEFAULT 0,
+      consent_at TEXT,
+      created_at TEXT NOT NULL,
+      deleted_at TEXT
+    );
+
+    CREATE TABLE IF NOT EXISTS integration_tokens (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL REFERENCES users(id),
+      provider TEXT NOT NULL,
+      access_token TEXT NOT NULL,
+      refresh_token TEXT,
+      expires_at TEXT,
+      connected_at TEXT NOT NULL,
+      UNIQUE(user_id, provider)
+    );
+
+    CREATE TABLE IF NOT EXISTS tip_feedback (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL REFERENCES users(id),
+      tip_id TEXT NOT NULL,
+      action TEXT NOT NULL,
+      source_id TEXT,
+      created_at TEXT NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS sessions (
+      id TEXT PRIMARY KEY,
+      user_id TEXT NOT NULL REFERENCES users(id),
+      expires_at TEXT NOT NULL,
+      created_at TEXT NOT NULL
+    );
+  `);
+}
--- a/services/api/src/db/schema.ts
+++ b/services/api/src/db/schema.ts
@@ -0,0 +1,39 @@
+import { sqliteTable, text, integer } from 'drizzle-orm/sqlite-core';
+
+export const users = sqliteTable('users', {
+  id: text('id').primaryKey(),
+  email: text('email').notNull().unique(),
+  name: text('name'),
+  image: text('image'),
+  googleId: text('google_id').unique(),
+  consentGiven: integer('consent_given', { mode: 'boolean' }).notNull().default(false),
+  consentAt: text('consent_at'),
+  createdAt: text('created_at').notNull(),
+  deletedAt: text('deleted_at'),
+});
+
+export const integrationTokens = sqliteTable('integration_tokens', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().references(() => users.id),
+  provider: text('provider').notNull(), // 'todoist'
+  accessToken: text('access_token').notNull(),
+  refreshToken: text('refresh_token'),
+  expiresAt: text('expires_at'),
+  connectedAt: text('connected_at').notNull(),
+});
+
+export const tipFeedback = sqliteTable('tip_feedback', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().references(() => users.id),
+  tipId: text('tip_id').notNull(),
+  action: text('action').notNull(), // 'done' | 'dismiss' | 'snooze'
+  sourceId: text('source_id'),
+  createdAt: text('created_at').notNull(),
+});
+
+export const sessions = sqliteTable('sessions', {
+  id: text('id').primaryKey(),
+  userId: text('user_id').notNull().references(() => users.id),
+  expiresAt: text('expires_at').notNull(),
+  createdAt: text('created_at').notNull(),
+});
--- a/services/api/src/index.ts
+++ b/services/api/src/index.ts
@@ -0,0 +1,39 @@
+import 'dotenv/config';
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import cors from 'cors';
+import { config } from './config.js';
+import { runMigrations } from './db/index.js';
+import { sessionMiddleware } from './middleware/session.js';
+import { authRouter } from './routes/auth.js';
+import { integrationsRouter } from './routes/integrations.js';
+import { recommenderRouter } from './routes/recommender.js';
+import { userRouter } from './routes/user.js';
+import { mkdir } from 'fs/promises';
+import { dirname } from 'path';
+
+await mkdir(dirname(config.DATABASE_PATH), { recursive: true });
+runMigrations();
+
+const app = express();
+
+app.use(
+  cors({
+    origin: config.WEB_BASE_URL,
+    credentials: true,
+  }),
+);
+app.use(express.json());
+app.use(cookieParser());
+app.use(sessionMiddleware);
+
+app.get('/health', (_req, res) => res.json({ ok: true }));
+
+app.use('/api/auth', authRouter);
+app.use('/api/integrations', integrationsRouter);
+app.use('/api', recommenderRouter);
+app.use('/api/user', userRouter);
+
+app.listen(config.PORT, () => {
+  console.log(`oO API listening on http://localhost:${config.PORT}`);
+});
--- a/services/api/src/middleware/session.ts
+++ b/services/api/src/middleware/session.ts
@@ -0,0 +1,47 @@
+import { Request, Response, NextFunction } from 'express';
+import { db } from '../db/index.js';
+import { sessions, users } from '../db/schema.js';
+import { eq, gt } from 'drizzle-orm';
+
+export interface AuthenticatedRequest extends Request {
+  userId?: string;
+}
+
+/**
+ * Reads the `sid` cookie, validates it against the sessions table,
+ * and sets req.userId if valid. Does not reject unauthenticated requests —
+ * individual route handlers must guard themselves.
+ */
+export async function sessionMiddleware(
+  req: AuthenticatedRequest,
+  _res: Response,
+  next: NextFunction,
+) {
+  const sid = req.cookies?.sid as string | undefined;
+  if (!sid) return next();
+
+  const now = new Date().toISOString();
+  const [session] = await db
+    .select()
+    .from(sessions)
+    .where(eq(sessions.id, sid))
+    .limit(1);
+
+  if (session && session.expiresAt > now) {
+    req.userId = session.userId;
+  }
+
+  next();
+}
+
+export function requireAuth(
+  req: AuthenticatedRequest,
+  res: Response,
+  next: NextFunction,
+) {
+  if (!req.userId) {
+    res.status(401).json({ error: 'Unauthorized' });
+    return;
+  }
+  next();
+}
--- a/services/api/src/routes/auth.ts
+++ b/services/api/src/routes/auth.ts
@@ -0,0 +1,152 @@
+import { type Router as ExpressRouter, Router, Request, Response } from 'express';
+import * as client from 'openid-client';
+import { nanoid } from 'nanoid';
+import { db } from '../db/index.js';
+import { users, sessions } from '../db/schema.js';
+import { eq } from 'drizzle-orm';
+import { config } from '../config.js';
+
+const router: ExpressRouter = Router();
+
+// In-memory PKCE state store (dev-only; replace with Redis/DB for prod)
+const pendingStates = new Map<string, { codeVerifier: string; redirectTo: string }>();
+
+let oidcConfig: client.Configuration | null = null;
+
+async function getOidcConfig() {
+  if (oidcConfig) return oidcConfig;
+  oidcConfig = await client.discovery(
+    new URL('https://accounts.google.com'),
+    config.GOOGLE_CLIENT_ID,
+    config.GOOGLE_CLIENT_SECRET,
+  );
+  return oidcConfig;
+}
+
+/** GET /api/auth/login — redirect to Google */
+router.get('/login', async (req: Request, res: Response) => {
+  const cfg = await getOidcConfig();
+  const state = nanoid();
+  const codeVerifier = client.randomPKCECodeVerifier();
+  const codeChallenge = await client.calculatePKCECodeChallenge(codeVerifier);
+  const redirectTo = (req.query.redirectTo as string) ?? '/tip';
+
+  pendingStates.set(state, { codeVerifier, redirectTo });
+  // Expire after 10 minutes
+  setTimeout(() => pendingStates.delete(state), 10 * 60 * 1000);
+
+  const redirectUri = `${config.API_BASE_URL}/api/auth/callback`;
+  const authUrl = client.buildAuthorizationUrl(cfg, {
+    redirect_uri: redirectUri,
+    scope: 'openid email profile',
+    state,
+    code_challenge: codeChallenge,
+    code_challenge_method: 'S256',
+  });
+
+  res.redirect(authUrl.toString());
+});
+
+/** GET /api/auth/callback — Google returns here */
+router.get('/callback', async (req: Request, res: Response) => {
+  const cfg = await getOidcConfig();
+  const state = req.query.state as string;
+  const pending = pendingStates.get(state);
+  if (!pending) {
+    res.status(400).json({ error: 'Invalid or expired state' });
+    return;
+  }
+  pendingStates.delete(state);
+
+  const redirectUri = `${config.API_BASE_URL}/api/auth/callback`;
+  const currentUrl = new URL(req.url, config.API_BASE_URL);
+
+  let tokens: client.TokenEndpointResponse;
+  try {
+    tokens = await client.authorizationCodeGrant(cfg, currentUrl, {
+      pkceCodeVerifier: pending.codeVerifier,
+      expectedState: state,
+    });
+  } catch (err) {
+    console.error('OAuth callback error', err);
+    res.status(400).json({ error: 'OAuth error' });
+    return;
+  }
+
+  // openid-client v6: ID token claims via tokens.id_token decoding
+  const idToken = tokens.id_token;
+  if (!idToken) {
+    res.status(400).json({ error: 'No ID token' });
+    return;
+  }
+  // Decode JWT payload without verification (already verified by the library)
+  const payload = JSON.parse(Buffer.from(idToken.split('.')[1], 'base64url').toString()) as {
+    sub: string; email: string; name?: string; picture?: string;
+  };
+  if (!payload.email) {
+    res.status(400).json({ error: 'No email in token claims' });
+    return;
+  }
+
+  // Upsert user
+  const googleId = payload.sub;
+  const email = payload.email;
+  const name = payload.name;
+  const image = payload.picture;
+  const now = new Date().toISOString();
+
+  let [user] = await db.select().from(users).where(eq(users.googleId, googleId)).limit(1);
+
+  if (!user) {
+    const id = nanoid();
+    await db.insert(users).values({ id, email, name, image, googleId, createdAt: now });
+    [user] = await db.select().from(users).where(eq(users.id, id)).limit(1);
+  }
+
+  // Create session (30-day TTL)
+  const sid = nanoid(32);
+  const expiresAt = new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString();
+  await db.insert(sessions).values({ id: sid, userId: user.id, expiresAt, createdAt: now });
+
+  res
+    .cookie('sid', sid, {
+      httpOnly: true,
+      secure: config.NODE_ENV === 'production',
+      sameSite: 'lax',
+      expires: new Date(expiresAt),
+      path: '/',
+    })
+    .redirect(`${config.WEB_BASE_URL}${pending.redirectTo}`);
+});
+
+/** POST /api/auth/logout */
+router.post('/logout', async (req: Request, res: Response) => {
+  const sid = req.cookies?.sid as string | undefined;
+  if (sid) {
+    await db.delete(sessions).where(eq(sessions.id, sid));
+  }
+  res.clearCookie('sid').json({ ok: true });
+});
+
+/** GET /api/auth/session */
+router.get('/session', async (req: Request, res: Response) => {
+  const sid = req.cookies?.sid as string | undefined;
+  if (!sid) {
+    res.json({ user: null });
+    return;
+  }
+  const now = new Date().toISOString();
+  const [session] = await db.select().from(sessions).where(eq(sessions.id, sid)).limit(1);
+  if (!session || session.expiresAt <= now) {
+    res.json({ user: null });
+    return;
+  }
+  const [user] = await db.select().from(users).where(eq(users.id, session.userId)).limit(1);
+  if (!user || user.deletedAt) {
+    res.json({ user: null });
+    return;
+  }
+  res.json({ user: { id: user.id, email: user.email, name: user.name, image: user.image } });
+});
+
+export { router as authRouter };
--- a/services/api/src/routes/integrations.ts
+++ b/services/api/src/routes/integrations.ts
@@ -0,0 +1,141 @@
+import { type Router as ExpressRouter, Router, Request, Response } from 'express';
+import { nanoid } from 'nanoid';
+import { db } from '../db/index.js';
+import { integrationTokens } from '../db/schema.js';
+import { eq, and } from 'drizzle-orm';
+import { config } from '../config.js';
+import { requireAuth, AuthenticatedRequest } from '../middleware/session.js';
+
+const router: ExpressRouter = Router();
+
+const TODOIST_OAUTH_URL = 'https://todoist.com/oauth/authorize';
+const TODOIST_TOKEN_URL = 'https://todoist.com/oauth/access_token';
+const TODOIST_SCOPES = 'data:read_write';
+
+// In-memory CSRF state store
+const pendingStates = new Map<string, { userId: string; redirectTo: string }>();
+
+/** GET /api/integrations — list connected integrations */
+router.get('/', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const tokens = await db
+    .select()
+    .from(integrationTokens)
+    .where(eq(integrationTokens.userId, req.userId!));
+
+  const integrations = tokens.map((t) => ({
+    provider: t.provider,
+    status: 'connected',
+    connectedAt: t.connectedAt,
+  }));
+
+  res.json({ integrations });
+});
+
+/** GET /api/integrations/todoist/connect — start OAuth */
+router.get('/todoist/connect', requireAuth, (req: AuthenticatedRequest, res: Response) => {
+  const state = nanoid();
+  pendingStates.set(state, {
+    userId: req.userId!,
+    redirectTo: (req.query.redirectTo as string) ?? '/connect',
+  });
+  setTimeout(() => pendingStates.delete(state), 10 * 60 * 1000);
+
+  const url = new URL(TODOIST_OAUTH_URL);
+  url.searchParams.set('client_id', config.TODOIST_CLIENT_ID);
+  url.searchParams.set('scope', TODOIST_SCOPES);
+  url.searchParams.set('state', state);
+  url.searchParams.set('redirect_uri', `${config.API_BASE_URL}/api/integrations/todoist/callback`);
+
+  res.redirect(url.toString());
+});
+
+/** GET /api/integrations/todoist/callback — Todoist returns here */
+router.get('/todoist/callback', async (req: Request, res: Response) => {
+  const state = req.query.state as string;
+  const code = req.query.code as string;
+  const pending = pendingStates.get(state);
+  if (!pending) {
+    res.status(400).json({ error: 'Invalid or expired state' });
+    return;
+  }
+  pendingStates.delete(state);
+
+  // Exchange code for token
+  const body = new URLSearchParams({
+    client_id: config.TODOIST_CLIENT_ID,
+    client_secret: config.TODOIST_CLIENT_SECRET,
+    code,
+    redirect_uri: `${config.API_BASE_URL}/api/integrations/todoist/callback`,
+  });
+
+  const tokenRes = await fetch(TODOIST_TOKEN_URL, {
+    method: 'POST',
+    headers: { 'Content-Type': 'application/x-www-form-urlencoded', Accept: 'application/json' },
+    body: body.toString(),
+  });
+
+  if (!tokenRes.ok) {
+    res.status(502).json({ error: 'Failed to exchange Todoist token' });
+    return;
+  }
+
+  const { access_token } = (await tokenRes.json()) as { access_token: string };
+  const now = new Date().toISOString();
+  const id = nanoid();
+
+  // Delete existing token (if any) then insert fresh
+  await db
+    .delete(integrationTokens)
+    .where(
+      and(
+        eq(integrationTokens.userId, pending.userId),
+        eq(integrationTokens.provider, 'todoist'),
+      ),
+    );
+  await db.insert(integrationTokens).values({
+    id,
+    userId: pending.userId,
+    provider: 'todoist',
+    accessToken: access_token,
+    connectedAt: now,
+  });
+
+  res.redirect(`${config.WEB_BASE_URL}${pending.redirectTo}?connected=todoist`);
+});
+
+/** DELETE /api/integrations/:provider — revoke token */
+router.delete('/:provider', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const provider = String(req.params.provider);
+
+  const [token] = await db
+    .select()
+    .from(integrationTokens)
+    .where(
+      and(
+        eq(integrationTokens.userId, req.userId!),
+        eq(integrationTokens.provider, provider),
+      ),
+    )
+    .limit(1);
+
+  if (token?.provider === 'todoist') {
+    // Best-effort revocation
+    await fetch('https://api.todoist.com/sync/v9/access_tokens/revoke', {
+      method: 'POST',
+      headers: { Authorization: `Bearer ${token.accessToken}` },
+    }).catch(() => {});
+  }
+
+  await db
+    .delete(integrationTokens)
+    .where(
+      and(
+        eq(integrationTokens.userId, req.userId!),
+        eq(integrationTokens.provider, provider),
+      ),
+    );
+
+  res.json({ ok: true });
+});
+
+export { router as integrationsRouter };
--- a/services/api/src/routes/recommender.ts
+++ b/services/api/src/routes/recommender.ts
@@ -0,0 +1,116 @@
+import { type Router as ExpressRouter, Router, Response } from 'express';
+import { nanoid } from 'nanoid';
+import { db } from '../db/index.js';
+import { integrationTokens, tipFeedback } from '../db/schema.js';
+import { eq, and } from 'drizzle-orm';
+import { requireAuth, AuthenticatedRequest } from '../middleware/session.js';
+import type { Tip } from '@oo/shared-types';
+
+const router: ExpressRouter = Router();
+
+/** Fetch active Todoist tasks for a user via their stored token */
+async function fetchTodoistTasks(accessToken: string): Promise<Tip[]> {
+  const res = await fetch('https://api.todoist.com/rest/v2/tasks?filter=today|overdue', {
+    headers: { Authorization: `Bearer ${accessToken}` },
+  });
+
+  if (!res.ok) return [];
+
+  const tasks = (await res.json()) as Array<{
+    id: string;
+    content: string;
+    due?: { string: string };
+  }>;
+
+  return tasks.map((t) => ({
+    id: `todoist:${t.id}`,
+    content: t.content,
+    source: 'todoist' as const,
+    sourceId: t.id,
+    createdAt: new Date().toISOString(),
+  }));
+}
+
+/**
+ * RandomPolicy — picks one task at random from the candidate set.
+ * Contract: same interface the ML scorer will implement.
+ */
+function randomPolicy(candidates: Tip[]): Tip | null {
+  if (!candidates.length) return null;
+  return candidates[Math.floor(Math.random() * candidates.length)];
+}
+
+/** POST /api/recommend */
+router.post('/', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const [token] = await db
+    .select()
+    .from(integrationTokens)
+    .where(
+      and(
+        eq(integrationTokens.userId, req.userId!),
+        eq(integrationTokens.provider, 'todoist'),
+      ),
+    )
+    .limit(1);
+
+  if (!token) {
+    res.status(422).json({ error: 'No integrations connected' });
+    return;
+  }
+
+  const candidates = await fetchTodoistTasks(token.accessToken);
+  const tip = randomPolicy(candidates);
+
+  if (!tip) {
+    res.status(204).end();
+    return;
+  }
+
+  res.json({ tip });
+});
+
+/** POST /api/tip/:id/feedback */
+router.post('/tip/:id/feedback', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const { action } = req.body as { action: string };
+  const tipId = String(req.params.id);
+
+  if (!['done', 'dismiss', 'snooze'].includes(action)) {
+    res.status(400).json({ error: 'Invalid action' });
+    return;
+  }
+
+  await db.insert(tipFeedback).values({
+    id: nanoid(),
+    userId: req.userId!,
+    tipId,
+    action,
+    sourceId: tipId.startsWith('todoist:') ? tipId.slice(8) : null,
+    createdAt: new Date().toISOString(),
+  });
+
+  // If done, mark complete in Todoist
+  if (action === 'done' && tipId.startsWith('todoist:')) {
+    const todoistId = tipId.slice(8);
+    const [token] = await db
+      .select()
+      .from(integrationTokens)
+      .where(
+        and(
+          eq(integrationTokens.userId, req.userId!),
+          eq(integrationTokens.provider, 'todoist'),
+        ),
+      )
+      .limit(1);
+
+    if (token) {
+      await fetch(`https://api.todoist.com/rest/v2/tasks/${todoistId}/close`, {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${token.accessToken}` },
+      }).catch(() => {});
+    }
+  }
+
+  res.json({ ok: true });
+});
+
+export { router as recommenderRouter };
--- a/services/api/src/routes/user.ts
+++ b/services/api/src/routes/user.ts
@@ -0,0 +1,68 @@
+import { type Router as ExpressRouter, Router, Response } from 'express';
+import { db } from '../db/index.js';
+import { users, integrationTokens, tipFeedback, sessions } from '../db/schema.js';
+import { eq } from 'drizzle-orm';
+import { requireAuth, AuthenticatedRequest } from '../middleware/session.js';
+
+const router: ExpressRouter = Router();
+
+/** GET /api/user/me */
+router.get('/me', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const [user] = await db.select().from(users).where(eq(users.id, req.userId!)).limit(1);
+  if (!user || user.deletedAt) {
+    res.status(404).json({ error: 'User not found' });
+    return;
+  }
+  res.json({
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    image: user.image,
+    createdAt: user.createdAt,
+    consentGiven: user.consentGiven,
+  });
+});
+
+/** POST /api/user/consent — record consent */
+router.post('/consent', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  await db
+    .update(users)
+    .set({ consentGiven: true, consentAt: new Date().toISOString() })
+    .where(eq(users.id, req.userId!));
+  res.json({ ok: true });
+});
+
+/** DELETE /api/user/me — account deletion */
+router.delete('/me', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const userId = req.userId!;
+
+  // Revoke all integration tokens
+  const tokens = await db
+    .select()
+    .from(integrationTokens)
+    .where(eq(integrationTokens.userId, userId));
+
+  for (const token of tokens) {
+    if (token.provider === 'todoist') {
+      await fetch('https://api.todoist.com/sync/v9/access_tokens/revoke', {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${token.accessToken}` },
+      }).catch(() => {});
+    }
+  }
+
+  // Delete cascade
+  await db.delete(integrationTokens).where(eq(integrationTokens.userId, userId));
+  await db.delete(tipFeedback).where(eq(tipFeedback.userId, userId));
+  await db.delete(sessions).where(eq(sessions.userId, userId));
+
+  // Soft-delete user (GDPR: keep audit trail row without PII)
+  await db
+    .update(users)
+    .set({ deletedAt: new Date().toISOString(), email: `deleted:${userId}`, name: null, image: null, googleId: null })
+    .where(eq(users.id, userId));
+
+  res.clearCookie('sid').json({ ok: true });
+});
+
+export { router as userRouter };