feat: Phase 0 walking skeleton — monorepo, API, web, ML stub

Sets up the full Phase 0 foundation: - pnpm workspaces + turbo build graph; native module build approval - packages/shared-types: HTTP contracts (Tip, Auth, Integrations, User) - services/api: Express modular monolith with better-sqlite3/drizzle - auth: Google OAuth2 + PKCE via openid-client v6, cookie sessions - integrations: Todoist OAuth2 connect/disconnect, token vault - recommender: RandomPolicy over Todoist tasks, feedback sink - user: profile, consent capture, full account deletion (GDPR) - apps/web: Next.js 15, three pages (sign-in → connect → tip) - tip page: black canvas, hold-to-act gesture, action sheet - PWA manifest + theme - ml/serving: FastAPI stub implementing the POST /score contract - infra: docker-compose (core/full profiles), Dockerfiles, CI skeleton - .env.example with all required vars documented Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-14 12:41:24 +00:00
parent 7f173f88d3
commit 65218762be
44 changed files with 4574 additions and 0 deletions
--- a/services/api/src/routes/user.ts
+++ b/services/api/src/routes/user.ts
@@ -0,0 +1,68 @@
+import { type Router as ExpressRouter, Router, Response } from 'express';
+import { db } from '../db/index.js';
+import { users, integrationTokens, tipFeedback, sessions } from '../db/schema.js';
+import { eq } from 'drizzle-orm';
+import { requireAuth, AuthenticatedRequest } from '../middleware/session.js';
+
+const router: ExpressRouter = Router();
+
+/** GET /api/user/me */
+router.get('/me', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const [user] = await db.select().from(users).where(eq(users.id, req.userId!)).limit(1);
+  if (!user || user.deletedAt) {
+    res.status(404).json({ error: 'User not found' });
+    return;
+  }
+  res.json({
+    id: user.id,
+    email: user.email,
+    name: user.name,
+    image: user.image,
+    createdAt: user.createdAt,
+    consentGiven: user.consentGiven,
+  });
+});
+
+/** POST /api/user/consent — record consent */
+router.post('/consent', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  await db
+    .update(users)
+    .set({ consentGiven: true, consentAt: new Date().toISOString() })
+    .where(eq(users.id, req.userId!));
+  res.json({ ok: true });
+});
+
+/** DELETE /api/user/me — account deletion */
+router.delete('/me', requireAuth, async (req: AuthenticatedRequest, res: Response) => {
+  const userId = req.userId!;
+
+  // Revoke all integration tokens
+  const tokens = await db
+    .select()
+    .from(integrationTokens)
+    .where(eq(integrationTokens.userId, userId));
+
+  for (const token of tokens) {
+    if (token.provider === 'todoist') {
+      await fetch('https://api.todoist.com/sync/v9/access_tokens/revoke', {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${token.accessToken}` },
+      }).catch(() => {});
+    }
+  }
+
+  // Delete cascade
+  await db.delete(integrationTokens).where(eq(integrationTokens.userId, userId));
+  await db.delete(tipFeedback).where(eq(tipFeedback.userId, userId));
+  await db.delete(sessions).where(eq(sessions.userId, userId));
+
+  // Soft-delete user (GDPR: keep audit trail row without PII)
+  await db
+    .update(users)
+    .set({ deletedAt: new Date().toISOString(), email: `deleted:${userId}`, name: null, image: null, googleId: null })
+    .where(eq(users.id, userId));
+
+  res.clearCookie('sid').json({ ok: true });
+});
+
+export { router as userRouter };