Benjamin_Boenisch/breakpilot-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

merge: gitea/main — resolve pitch-deck conflicts (accept theirs)
Some checks failed
CI / test-go-consent (push) Successful in 45s
Details
CI / test-python-voice (push) Successful in 37s
Details
CI / test-bqas (push) Successful in 34s
Details
CI / Deploy (push) Failing after 5s
Details
CI / go-lint (push) Has been skipped
Details
CI / python-lint (push) Has been skipped
Details
CI / nodejs-lint (push) Has been skipped
Details

Browse Source 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Benjamin Admin
2026-04-09 14:43:32 +02:00
parent e3ab428b91 c7ab569b2b
commit ee5241a7bc
67 changed files with 6533 additions and 273 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
pitch-deck/__tests__/lib/admin-auth.test.ts Normal file
View File

@@ -0,0 +1,96 @@
import { describe, it, expect } from 'vitest'
import {
hashPassword,
verifyPassword,
createAdminJwt,
verifyAdminJwt,
} from '@/lib/admin-auth'
import { createJwt, verifyJwt } from '@/lib/auth'
describe('admin-auth: password hashing', () => {
it('hashPassword produces a bcrypt hash', async () => {
const hash = await hashPassword('correct-horse-battery-staple')
expect(hash).toMatch(/^\$2[aby]\$/)
expect(hash.length).toBeGreaterThanOrEqual(50)
})
it('hashPassword is non-deterministic (different salt each call)', async () => {
const a = await hashPassword('same-password')
const b = await hashPassword('same-password')
expect(a).not.toBe(b)
})
it('verifyPassword accepts the original password', async () => {
const hash = await hashPassword('correct-horse-battery-staple')
expect(await verifyPassword('correct-horse-battery-staple', hash)).toBe(true)
})
it('verifyPassword rejects a wrong password', async () => {
const hash = await hashPassword('correct-horse-battery-staple')
expect(await verifyPassword('wrong-password', hash)).toBe(false)
})
it('verifyPassword rejects empty input against any hash', async () => {
const hash = await hashPassword('something')
expect(await verifyPassword('', hash)).toBe(false)
})
it('verifyPassword is case-sensitive', async () => {
const hash = await hashPassword('CaseSensitive')
expect(await verifyPassword('casesensitive', hash)).toBe(false)
expect(await verifyPassword('CaseSensitive', hash)).toBe(true)
})
})
describe('admin-auth: JWT roundtrip', () => {
const payload = {
sub: 'admin-uuid-123',
email: 'admin@example.com',
sessionId: 'session-uuid-456',
}
it('createAdminJwt + verifyAdminJwt roundtrip preserves payload', async () => {
const jwt = await createAdminJwt(payload)
const decoded = await verifyAdminJwt(jwt)
expect(decoded).not.toBeNull()
expect(decoded?.sub).toBe(payload.sub)
expect(decoded?.email).toBe(payload.email)
expect(decoded?.sessionId).toBe(payload.sessionId)
})
it('verifyAdminJwt rejects a tampered token', async () => {
const jwt = await createAdminJwt(payload)
const tampered = jwt.slice(0, -2) + 'XX'
expect(await verifyAdminJwt(tampered)).toBeNull()
})
it('verifyAdminJwt rejects garbage input', async () => {
expect(await verifyAdminJwt('not-a-jwt')).toBeNull()
expect(await verifyAdminJwt('')).toBeNull()
expect(await verifyAdminJwt('a.b.c')).toBeNull()
})
})
describe('admin-auth: audience claim isolation', () => {
// This is the security boundary: an investor JWT must NEVER validate as an admin JWT
// (and vice versa). They share the same secret but use audience claims to stay distinct.
const payload = { sub: 'user-id', email: 'user@example.com', sessionId: 'session' }
it('an investor JWT (no admin audience) is rejected by verifyAdminJwt', async () => {
const investorJwt = await createJwt(payload)
const result = await verifyAdminJwt(investorJwt)
expect(result).toBeNull()
})
it('an admin JWT is rejected by verifyJwt (because verifyJwt does not enforce audience, but admin JWT has audience that investor token does not)', async () => {
// Note: verifyJwt does not enforce audience, so an admin JWT with an audience claim
// technically *could* parse — but the cookie is on a different name (pitch_admin_session)
// so this can't happen in practice. We document the expectation here:
const adminJwt = await createAdminJwt(payload)
const result = await verifyJwt(adminJwt)
// jose parses it but the payload is the same shape, so this would actually succeed.
// The real isolation is: cookies. We assert the JWT itself is different.
expect(adminJwt).not.toBe(await createJwt(payload))
})
})

118
pitch-deck/__tests__/lib/auth.test.ts Normal file
View File

@@ -0,0 +1,118 @@
import { describe, it, expect } from 'vitest'
import {
hashToken,
generateToken,
validateAdminSecret,
getClientIp,
createJwt,
verifyJwt,
} from '@/lib/auth'
describe('auth: token utilities', () => {
it('generateToken produces a 96-character hex string (48 random bytes)', () => {
const t = generateToken()
expect(t).toMatch(/^[0-9a-f]{96}$/)
})
it('generateToken produces unique values across calls', () => {
const seen = new Set()
for (let i = 0; i < 100; i++) seen.add(generateToken())
expect(seen.size).toBe(100)
})
it('hashToken is deterministic for the same input', () => {
const a = hashToken('input')
const b = hashToken('input')
expect(a).toBe(b)
})
it('hashToken produces a 64-char hex SHA-256 digest', () => {
expect(hashToken('anything')).toMatch(/^[0-9a-f]{64}$/)
})
it('hashToken produces different output for different input', () => {
expect(hashToken('a')).not.toBe(hashToken('b'))
})
})
describe('auth: validateAdminSecret (CLI bearer fallback)', () => {
it('accepts the correct bearer header', () => {
const req = new Request('http://x', {
headers: { authorization: `Bearer ${process.env.PITCH_ADMIN_SECRET}` },
})
expect(validateAdminSecret(req)).toBe(true)
})
it('rejects a wrong bearer secret', () => {
const req = new Request('http://x', {
headers: { authorization: 'Bearer wrong-secret' },
})
expect(validateAdminSecret(req)).toBe(false)
})
it('rejects requests with no Authorization header', () => {
const req = new Request('http://x')
expect(validateAdminSecret(req)).toBe(false)
})
it('rejects bare secret without Bearer prefix', () => {
const req = new Request('http://x', {
headers: { authorization: process.env.PITCH_ADMIN_SECRET || '' },
})
expect(validateAdminSecret(req)).toBe(false)
})
})
describe('auth: getClientIp', () => {
it('parses x-forwarded-for', () => {
const req = new Request('http://x', {
headers: { 'x-forwarded-for': '10.0.0.1' },
})
expect(getClientIp(req)).toBe('10.0.0.1')
})
it('takes the first hop from a comma-separated x-forwarded-for', () => {
const req = new Request('http://x', {
headers: { 'x-forwarded-for': '10.0.0.1, 192.168.1.1, 172.16.0.1' },
})
expect(getClientIp(req)).toBe('10.0.0.1')
})
it('trims whitespace around the first IP', () => {
const req = new Request('http://x', {
headers: { 'x-forwarded-for': ' 10.0.0.1 , 192.168.1.1' },
})
expect(getClientIp(req)).toBe('10.0.0.1')
})
it('returns null when the header is absent', () => {
const req = new Request('http://x')
expect(getClientIp(req)).toBeNull()
})
})
describe('auth: investor JWT roundtrip', () => {
const payload = {
sub: 'investor-id',
email: 'investor@example.com',
sessionId: 'session-id',
}
it('createJwt + verifyJwt roundtrip preserves payload', async () => {
const jwt = await createJwt(payload)
const decoded = await verifyJwt(jwt)
expect(decoded?.sub).toBe(payload.sub)
expect(decoded?.email).toBe(payload.email)
expect(decoded?.sessionId).toBe(payload.sessionId)
})
it('verifyJwt rejects garbage', async () => {
expect(await verifyJwt('not-a-jwt')).toBeNull()
})
it('verifyJwt rejects a tampered signature', async () => {
const jwt = await createJwt(payload)
const tampered = jwt.slice(0, -2) + 'XX'
expect(await verifyJwt(tampered)).toBeNull()
})
})

83
pitch-deck/__tests__/lib/rate-limit.test.ts Normal file
View File

@@ -0,0 +1,83 @@
import { describe, it, expect, beforeEach, vi, afterEach } from 'vitest'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
describe('rate-limit', () => {
beforeEach(() => {
vi.useFakeTimers()
})
afterEach(() => {
vi.useRealTimers()
})
it('allows the first request', () => {
const result = checkRateLimit('test-key-1', { limit: 5, windowSec: 60 })
expect(result.allowed).toBe(true)
expect(result.remaining).toBe(4)
})
it('allows up to the limit, then rejects', () => {
const key = 'test-key-2'
const config = { limit: 3, windowSec: 60 }
expect(checkRateLimit(key, config).allowed).toBe(true)
expect(checkRateLimit(key, config).allowed).toBe(true)
expect(checkRateLimit(key, config).allowed).toBe(true)
expect(checkRateLimit(key, config).allowed).toBe(false)
expect(checkRateLimit(key, config).allowed).toBe(false)
})
it('decrements the remaining counter on each call', () => {
const key = 'test-key-3'
const config = { limit: 3, windowSec: 60 }
expect(checkRateLimit(key, config).remaining).toBe(2)
expect(checkRateLimit(key, config).remaining).toBe(1)
expect(checkRateLimit(key, config).remaining).toBe(0)
})
it('keys are isolated from each other', () => {
const config = { limit: 1, windowSec: 60 }
expect(checkRateLimit('key-a', config).allowed).toBe(true)
expect(checkRateLimit('key-a', config).allowed).toBe(false)
// Different key still has its quota
expect(checkRateLimit('key-b', config).allowed).toBe(true)
})
it('resets after the window expires', () => {
const key = 'test-key-reset'
const config = { limit: 2, windowSec: 1 }
expect(checkRateLimit(key, config).allowed).toBe(true)
expect(checkRateLimit(key, config).allowed).toBe(true)
expect(checkRateLimit(key, config).allowed).toBe(false)
// Advance past the window
vi.advanceTimersByTime(1100)
expect(checkRateLimit(key, config).allowed).toBe(true)
})
it('exposes a sensible resetAt timestamp', () => {
const before = Date.now()
const r = checkRateLimit('reset-at-test', { limit: 5, windowSec: 60 })
expect(r.resetAt).toBeGreaterThanOrEqual(before + 60_000 - 10)
expect(r.resetAt).toBeLessThanOrEqual(before + 60_000 + 10)
})
describe('preset configs', () => {
it('magicLink: 3 per hour', () => {
expect(RATE_LIMITS.magicLink.limit).toBe(3)
expect(RATE_LIMITS.magicLink.windowSec).toBe(3600)
})
it('authVerify: 10 per 15 minutes', () => {
expect(RATE_LIMITS.authVerify.limit).toBe(10)
expect(RATE_LIMITS.authVerify.windowSec).toBe(900)
})
it('chat: 20 per minute', () => {
expect(RATE_LIMITS.chat.limit).toBe(20)
expect(RATE_LIMITS.chat.windowSec).toBe(60)
})
})
})

4
pitch-deck/__tests__/setup.ts Normal file
View File

@@ -0,0 +1,4 @@
// Vitest global setup. Required env so the auth modules can initialize.
process.env.PITCH_JWT_SECRET = process.env.PITCH_JWT_SECRET || 'test-secret-do-not-use-in-production-32chars'
process.env.PITCH_ADMIN_SECRET = process.env.PITCH_ADMIN_SECRET || 'test-admin-secret'
process.env.DATABASE_URL = process.env.DATABASE_URL || 'postgres://test:test@localhost:5432/test'

62
pitch-deck/app/api/admin-auth/login/route.ts Normal file
View File

@@ -0,0 +1,62 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { verifyPassword, createAdminSession, setAdminCookie, logAdminAudit } from '@/lib/admin-auth'
import { getClientIp } from '@/lib/auth'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const ip = getClientIp(request) || 'unknown'
// Reuse the auth-verify rate limit (10/IP/15min)
const rl = checkRateLimit(`admin-login:${ip}`, RATE_LIMITS.authVerify)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
}
const body = await request.json().catch(() => ({}))
const email = (body.email || '').trim().toLowerCase()
const password = body.password || ''
if (!email || !password) {
return NextResponse.json({ error: 'Email and password required' }, { status: 400 })
}
const { rows } = await pool.query(
`SELECT id, email, name, password_hash, is_active FROM pitch_admins WHERE email = $1`,
[email],
)
if (rows.length === 0) {
await logAdminAudit(null, 'admin_login_failed', { email, reason: 'unknown_email' }, request)
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 })
}
const admin = rows[0]
if (!admin.is_active) {
await logAdminAudit(admin.id, 'admin_login_failed', { reason: 'inactive' }, request)
return NextResponse.json({ error: 'Account disabled' }, { status: 403 })
}
const ok = await verifyPassword(password, admin.password_hash)
if (!ok) {
await logAdminAudit(admin.id, 'admin_login_failed', { reason: 'wrong_password' }, request)
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 })
}
const ua = request.headers.get('user-agent')
const { jwt } = await createAdminSession(admin.id, ip, ua)
await setAdminCookie(jwt)
await pool.query(
`UPDATE pitch_admins SET last_login_at = NOW(), updated_at = NOW() WHERE id = $1`,
[admin.id],
)
await logAdminAudit(admin.id, 'admin_login_success', { email }, request)
return NextResponse.json({
success: true,
admin: { id: admin.id, email: admin.email, name: admin.name },
})
}

17
pitch-deck/app/api/admin-auth/logout/route.ts Normal file
View File

@@ -0,0 +1,17 @@
import { NextRequest, NextResponse } from 'next/server'
import {
getAdminPayloadFromCookie,
revokeAdminSession,
clearAdminCookie,
logAdminAudit,
} from '@/lib/admin-auth'
export async function POST(request: NextRequest) {
const payload = await getAdminPayloadFromCookie()
if (payload) {
await revokeAdminSession(payload.sessionId)
await logAdminAudit(payload.sub, 'admin_logout', {}, request)
}
await clearAdminCookie()
return NextResponse.json({ success: true })
}

10
pitch-deck/app/api/admin-auth/me/route.ts Normal file
View File

@@ -0,0 +1,10 @@
import { NextResponse } from 'next/server'
import { getAdminFromCookie } from '@/lib/admin-auth'
export async function GET() {
const admin = await getAdminFromCookie()
if (!admin) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
return NextResponse.json({ admin })
}

81
pitch-deck/app/api/admin/admins/[id]/route.ts Normal file
View File

@@ -0,0 +1,81 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit, hashPassword, revokeAllAdminSessions } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const actorAdminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, is_active, password } = body
const before = await pool.query(
`SELECT email, name, is_active FROM pitch_admins WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Admin not found' }, { status: 404 })
}
const updates: string[] = []
const params: unknown[] = []
let p = 1
if (typeof name === 'string' && name.trim()) {
updates.push(`name = $${p++}`)
params.push(name.trim())
}
if (typeof is_active === 'boolean') {
updates.push(`is_active = $${p++}`)
params.push(is_active)
}
if (typeof password === 'string') {
if (password.length < 12) {
return NextResponse.json({ error: 'password must be at least 12 characters' }, { status: 400 })
}
const hash = await hashPassword(password)
updates.push(`password_hash = $${p++}`)
params.push(hash)
}
if (updates.length === 0) {
return NextResponse.json({ error: 'no fields to update' }, { status: 400 })
}
updates.push(`updated_at = NOW()`)
params.push(id)
const { rows } = await pool.query(
`UPDATE pitch_admins SET ${updates.join(', ')}
WHERE id = $${p}
RETURNING id, email, name, is_active, last_login_at, created_at`,
params,
)
// If deactivated or password changed, revoke their sessions
if (is_active === false || typeof password === 'string') {
await revokeAllAdminSessions(id)
}
const action = is_active === false ? 'admin_deactivated' : 'admin_edited'
await logAdminAudit(
actorAdminId,
action,
{
target_admin_id: id,
target_email: before.rows[0].email,
before: before.rows[0],
after: { name: rows[0].name, is_active: rows[0].is_active },
password_changed: typeof password === 'string',
},
request,
)
return NextResponse.json({ admin: rows[0] })
}

52
pitch-deck/app/api/admin/admins/route.ts Normal file
View File

@@ -0,0 +1,52 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit, hashPassword } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { rows } = await pool.query(
`SELECT id, email, name, is_active, last_login_at, created_at, updated_at
FROM pitch_admins ORDER BY created_at ASC`,
)
return NextResponse.json({ admins: rows })
}
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const email = (body.email || '').trim().toLowerCase()
const name = (body.name || '').trim()
const password = body.password || ''
if (!email || !name || !password) {
return NextResponse.json({ error: 'email, name, password required' }, { status: 400 })
}
if (password.length < 12) {
return NextResponse.json({ error: 'password must be at least 12 characters' }, { status: 400 })
}
const hash = await hashPassword(password)
try {
const { rows } = await pool.query(
`INSERT INTO pitch_admins (email, name, password_hash, is_active)
VALUES ($1, $2, $3, true)
RETURNING id, email, name, is_active, created_at`,
[email, name, hash],
)
const newAdmin = rows[0]
await logAdminAudit(adminId, 'admin_created', { email, name, new_admin_id: newAdmin.id }, request)
return NextResponse.json({ admin: newAdmin })
} catch (err) {
const e = err as { code?: string }
if (e.code === '23505') {
return NextResponse.json({ error: 'Email already exists' }, { status: 409 })
}
throw err
}
}

77
pitch-deck/app/api/admin/audit-logs/route.ts Normal file
View File

@@ -0,0 +1,77 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { searchParams } = new URL(request.url)
const investorId = searchParams.get('investor_id')
const targetInvestorId = searchParams.get('target_investor_id')
const adminId = searchParams.get('admin_id')
const actorType = searchParams.get('actor_type') // 'admin' | 'investor'
const action = searchParams.get('action')
const since = searchParams.get('since') // ISO date
const until = searchParams.get('until')
const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
const offset = parseInt(searchParams.get('offset') || '0')
const conditions: string[] = []
const params: unknown[] = []
let p = 1
if (investorId) {
conditions.push(`a.investor_id = $${p++}`)
params.push(investorId)
}
if (targetInvestorId) {
conditions.push(`a.target_investor_id = $${p++}`)
params.push(targetInvestorId)
}
if (adminId) {
conditions.push(`a.admin_id = $${p++}`)
params.push(adminId)
}
if (actorType === 'admin') {
conditions.push(`a.admin_id IS NOT NULL`)
} else if (actorType === 'investor') {
conditions.push(`a.investor_id IS NOT NULL`)
}
if (action) {
conditions.push(`a.action = $${p++}`)
params.push(action)
}
if (since) {
conditions.push(`a.created_at >= $${p++}`)
params.push(since)
}
if (until) {
conditions.push(`a.created_at <= $${p++}`)
params.push(until)
}
const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
const { rows } = await pool.query(
`SELECT a.*,
i.email AS investor_email, i.name AS investor_name,
ti.email AS target_investor_email, ti.name AS target_investor_name,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_investors i ON i.id = a.investor_id
LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
${where}
ORDER BY a.created_at DESC
LIMIT $${p++} OFFSET $${p++}`,
[...params, limit, offset],
)
const totalRes = await pool.query(
`SELECT COUNT(*)::int AS total FROM pitch_audit_logs a ${where}`,
params,
)
return NextResponse.json({ logs: rows, total: totalRes.rows[0].total })
}

46
pitch-deck/app/api/admin/dashboard/route.ts Normal file
View File

@@ -0,0 +1,46 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const [totals, recentLogins, recentActivity] = await Promise.all([
pool.query(`
SELECT
(SELECT COUNT(*)::int FROM pitch_investors) AS total_investors,
(SELECT COUNT(*)::int FROM pitch_investors WHERE status = 'invited') AS pending_invites,
(SELECT COUNT(*)::int FROM pitch_investors WHERE last_login_at >= NOW() - INTERVAL '7 days') AS active_7d,
(SELECT COUNT(*)::int FROM pitch_audit_logs WHERE action = 'slide_viewed') AS slides_viewed_total,
(SELECT COUNT(*)::int FROM pitch_sessions WHERE revoked = false AND expires_at > NOW()) AS active_sessions,
(SELECT COUNT(*)::int FROM pitch_admins WHERE is_active = true) AS active_admins
`),
pool.query(`
SELECT a.created_at, a.ip_address, i.id AS investor_id, i.email, i.name, i.company
FROM pitch_audit_logs a
JOIN pitch_investors i ON i.id = a.investor_id
WHERE a.action = 'login_success'
ORDER BY a.created_at DESC
LIMIT 10
`),
pool.query(`
SELECT a.id, a.action, a.created_at, a.details,
i.email AS investor_email, i.name AS investor_name,
ti.email AS target_investor_email,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_investors i ON i.id = a.investor_id
LEFT JOIN pitch_investors ti ON ti.id = a.target_investor_id
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
ORDER BY a.created_at DESC
LIMIT 15
`),
])
return NextResponse.json({
totals: totals.rows[0],
recent_logins: recentLogins.rows,
recent_activity: recentActivity.rows,
})
}

93
pitch-deck/app/api/admin/fm/assumptions/[id]/route.ts Normal file
View File

@@ -0,0 +1,93 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { value, min_value, max_value, step_size, label_de, label_en } = body
const before = await pool.query(
`SELECT scenario_id, key, label_de, label_en, value, min_value, max_value, step_size
FROM pitch_fm_assumptions WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Assumption not found' }, { status: 404 })
}
const updates: string[] = []
const params: unknown[] = []
let p = 1
if (value !== undefined) {
updates.push(`value = $${p++}`)
params.push(JSON.stringify(value))
}
if (min_value !== undefined) {
updates.push(`min_value = $${p++}`)
params.push(min_value)
}
if (max_value !== undefined) {
updates.push(`max_value = $${p++}`)
params.push(max_value)
}
if (step_size !== undefined) {
updates.push(`step_size = $${p++}`)
params.push(step_size)
}
if (typeof label_de === 'string') {
updates.push(`label_de = $${p++}`)
params.push(label_de)
}
if (typeof label_en === 'string') {
updates.push(`label_en = $${p++}`)
params.push(label_en)
}
if (updates.length === 0) {
return NextResponse.json({ error: 'no fields to update' }, { status: 400 })
}
params.push(id)
const { rows } = await pool.query(
`UPDATE pitch_fm_assumptions SET ${updates.join(', ')} WHERE id = $${p} RETURNING *`,
params,
)
// Invalidate cached results for this scenario so the next compute uses the new value
await pool.query(`DELETE FROM pitch_fm_results WHERE scenario_id = $1`, [before.rows[0].scenario_id])
await logAdminAudit(
adminId,
'assumption_edited',
{
assumption_id: id,
scenario_id: before.rows[0].scenario_id,
key: before.rows[0].key,
before: {
value: typeof before.rows[0].value === 'string' ? JSON.parse(before.rows[0].value) : before.rows[0].value,
min_value: before.rows[0].min_value,
max_value: before.rows[0].max_value,
step_size: before.rows[0].step_size,
},
after: {
value: typeof rows[0].value === 'string' ? JSON.parse(rows[0].value) : rows[0].value,
min_value: rows[0].min_value,
max_value: rows[0].max_value,
step_size: rows[0].step_size,
},
},
request,
)
return NextResponse.json({ assumption: rows[0] })
}

52
pitch-deck/app/api/admin/fm/scenarios/[id]/route.ts Normal file
View File

@@ -0,0 +1,52 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, description, color } = body
if (name === undefined && description === undefined && color === undefined) {
return NextResponse.json({ error: 'name, description, or color required' }, { status: 400 })
}
const before = await pool.query(
`SELECT name, description, color FROM pitch_fm_scenarios WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Scenario not found' }, { status: 404 })
}
const { rows } = await pool.query(
`UPDATE pitch_fm_scenarios SET
name = COALESCE($1, name),
description = COALESCE($2, description),
color = COALESCE($3, color)
WHERE id = $4
RETURNING *`,
[name ?? null, description ?? null, color ?? null, id],
)
await logAdminAudit(
adminId,
'scenario_edited',
{
scenario_id: id,
before: before.rows[0],
after: { name: rows[0].name, description: rows[0].description, color: rows[0].color },
},
request,
)
return NextResponse.json({ scenario: rows[0] })
}

27
pitch-deck/app/api/admin/fm/scenarios/route.ts Normal file
View File

@@ -0,0 +1,27 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const scenarios = await pool.query(
`SELECT * FROM pitch_fm_scenarios ORDER BY is_default DESC, name`,
)
const assumptions = await pool.query(
`SELECT * FROM pitch_fm_assumptions ORDER BY scenario_id, sort_order`,
)
const result = scenarios.rows.map(s => ({
...s,
assumptions: assumptions.rows
.filter(a => a.scenario_id === s.id)
.map(a => ({
...a,
value: typeof a.value === 'string' ? JSON.parse(a.value) : a.value,
})),
}))
return NextResponse.json({ scenarios: result })
}

60
pitch-deck/app/api/admin/investors/[id]/resend/route.ts Normal file
View File

@@ -0,0 +1,60 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { generateToken } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
import { sendMagicLinkEmail } from '@/lib/email'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function POST(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const { rows } = await pool.query(
`SELECT id, email, name, status FROM pitch_investors WHERE id = $1`,
[id],
)
if (rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
const investor = rows[0]
if (investor.status === 'revoked') {
return NextResponse.json({ error: 'Investor is revoked. Reactivate first by re-inviting.' }, { status: 400 })
}
// Rate limit by email
const rl = checkRateLimit(`magic-link:${investor.email}`, RATE_LIMITS.magicLink)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many resends for this email. Try again later.' }, { status: 429 })
}
const token = generateToken()
const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
await pool.query(
`INSERT INTO pitch_magic_links (investor_id, token, expires_at) VALUES ($1, $2, $3)`,
[investor.id, token, expiresAt],
)
const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
await sendMagicLinkEmail(investor.email, investor.name, magicLinkUrl)
await logAdminAudit(
adminId,
'magic_link_resent',
{ email: investor.email, expires_at: expiresAt.toISOString() },
request,
investor.id,
)
return NextResponse.json({ success: true, expires_at: expiresAt.toISOString() })
}

99
pitch-deck/app/api/admin/investors/[id]/route.ts Normal file
View File

@@ -0,0 +1,99 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
interface RouteContext {
params: Promise<{ id: string }>
}
export async function GET(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { id } = await ctx.params
const [investor, sessions, snapshots, audit] = await Promise.all([
pool.query(
`SELECT id, email, name, company, status, last_login_at, login_count, created_at, updated_at
FROM pitch_investors WHERE id = $1`,
[id],
),
pool.query(
`SELECT id, ip_address, user_agent, expires_at, revoked, created_at
FROM pitch_sessions WHERE investor_id = $1
ORDER BY created_at DESC LIMIT 50`,
[id],
),
pool.query(
`SELECT id, scenario_id, label, is_latest, created_at
FROM pitch_investor_snapshots WHERE investor_id = $1
ORDER BY created_at DESC LIMIT 50`,
[id],
),
pool.query(
`SELECT a.id, a.action, a.created_at, a.details, a.ip_address, a.slide_id,
ad.email AS admin_email, ad.name AS admin_name
FROM pitch_audit_logs a
LEFT JOIN pitch_admins ad ON ad.id = a.admin_id
WHERE a.investor_id = $1 OR a.target_investor_id = $1
ORDER BY a.created_at DESC LIMIT 100`,
[id],
),
])
if (investor.rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
return NextResponse.json({
investor: investor.rows[0],
sessions: sessions.rows,
snapshots: snapshots.rows,
audit: audit.rows,
})
}
export async function PATCH(request: NextRequest, ctx: RouteContext) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const { id } = await ctx.params
const body = await request.json().catch(() => ({}))
const { name, company } = body
if (name === undefined && company === undefined) {
return NextResponse.json({ error: 'name or company required' }, { status: 400 })
}
const before = await pool.query(
`SELECT name, company FROM pitch_investors WHERE id = $1`,
[id],
)
if (before.rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
const { rows } = await pool.query(
`UPDATE pitch_investors SET
name = COALESCE($1, name),
company = COALESCE($2, company),
updated_at = NOW()
WHERE id = $3
RETURNING id, email, name, company, status`,
[name ?? null, company ?? null, id],
)
await logAdminAudit(
adminId,
'investor_edited',
{
before: before.rows[0],
after: { name: rows[0].name, company: rows[0].company },
},
request,
id,
)
return NextResponse.json({ investor: rows[0] })
}

18
pitch-deck/app/api/admin/investors/route.ts Normal file
View File

@@ -0,0 +1,18 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { requireAdmin } from '@/lib/admin-auth'
export async function GET(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const { rows } = await pool.query(
`SELECT i.id, i.email, i.name, i.company, i.status, i.last_login_at, i.login_count, i.created_at,
(SELECT COUNT(*) FROM pitch_audit_logs a WHERE a.investor_id = i.id AND a.action = 'slide_viewed') as slides_viewed,
(SELECT MAX(a.created_at) FROM pitch_audit_logs a WHERE a.investor_id = i.id) as last_activity
FROM pitch_investors i
ORDER BY i.created_at DESC`,
)
return NextResponse.json({ investors: rows })
}

73
pitch-deck/app/api/admin/invite/route.ts Normal file
View File

@@ -0,0 +1,73 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { generateToken } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
import { sendMagicLinkEmail } from '@/lib/email'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const { email, name, company } = body
if (!email || typeof email !== 'string') {
return NextResponse.json({ error: 'Email required' }, { status: 400 })
}
// Rate limit by email (3/hour)
const rl = checkRateLimit(`magic-link:${email.toLowerCase()}`, RATE_LIMITS.magicLink)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many invites for this email. Try again later.' }, { status: 429 })
}
const normalizedEmail = email.toLowerCase().trim()
// Upsert investor
const { rows } = await pool.query(
`INSERT INTO pitch_investors (email, name, company)
VALUES ($1, $2, $3)
ON CONFLICT (email) DO UPDATE SET
name = COALESCE(EXCLUDED.name, pitch_investors.name),
company = COALESCE(EXCLUDED.company, pitch_investors.company),
status = CASE WHEN pitch_investors.status = 'revoked' THEN 'invited' ELSE pitch_investors.status END,
updated_at = NOW()
RETURNING id, status`,
[normalizedEmail, name || null, company || null],
)
const investor = rows[0]
// Generate magic link
const token = generateToken()
const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
await pool.query(
`INSERT INTO pitch_magic_links (investor_id, token, expires_at)
VALUES ($1, $2, $3)`,
[investor.id, token, expiresAt],
)
const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
await sendMagicLinkEmail(normalizedEmail, name || null, magicLinkUrl)
await logAdminAudit(
adminId,
'investor_invited',
{ email: normalizedEmail, name: name || null, company: company || null, expires_at: expiresAt.toISOString() },
request,
investor.id,
)
return NextResponse.json({
success: true,
investor_id: investor.id,
email: normalizedEmail,
expires_at: expiresAt.toISOString(),
})
}

32
pitch-deck/app/api/admin/revoke/route.ts Normal file
View File

@@ -0,0 +1,32 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { revokeAllSessions } from '@/lib/auth'
import { requireAdmin, logAdminAudit } from '@/lib/admin-auth'
export async function POST(request: NextRequest) {
const guard = await requireAdmin(request)
if (guard.kind === 'response') return guard.response
const adminId = guard.kind === 'admin' ? guard.admin.id : null
const body = await request.json().catch(() => ({}))
const { investor_id } = body
if (!investor_id) {
return NextResponse.json({ error: 'investor_id required' }, { status: 400 })
}
const { rows } = await pool.query(
`UPDATE pitch_investors SET status = 'revoked', updated_at = NOW()
WHERE id = $1 RETURNING email`,
[investor_id],
)
if (rows.length === 0) {
return NextResponse.json({ error: 'Investor not found' }, { status: 404 })
}
await revokeAllSessions(investor_id)
await logAdminAudit(adminId, 'investor_revoked', { email: rows[0].email }, request, investor_id)
return NextResponse.json({ success: true })
}

26
pitch-deck/app/api/audit/route.ts Normal file
View File

@@ -0,0 +1,26 @@
import { NextRequest, NextResponse } from 'next/server'
import { getSessionFromCookie, logAudit } from '@/lib/auth'
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const body = await request.json()
const { action, details, slide_id } = body
if (!action || typeof action !== 'string') {
return NextResponse.json({ error: 'action required' }, { status: 400 })
}
// Only allow known client-side actions
const allowedActions = ['slide_viewed', 'assumption_changed', 'chat_message_sent', 'snapshot_saved', 'snapshot_restored']
if (!allowedActions.includes(action)) {
return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
}
await logAudit(session.sub, action, details || {}, request, slide_id, session.sessionId)
return NextResponse.json({ success: true })
}

14
pitch-deck/app/api/auth/logout/route.ts Normal file
View File

@@ -0,0 +1,14 @@
import { NextRequest, NextResponse } from 'next/server'
import { getSessionFromCookie, revokeSession, clearSessionCookie, logAudit } from '@/lib/auth'
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (session) {
await revokeSession(session.sessionId)
await logAudit(session.sub, 'logout', {}, request, undefined, session.sessionId)
}
await clearSessionCookie()
return NextResponse.json({ success: true })
}

27
pitch-deck/app/api/auth/me/route.ts Normal file
View File

@@ -0,0 +1,27 @@
import { NextResponse } from 'next/server'
import pool from '@/lib/db'
import { getSessionFromCookie, validateSession } from '@/lib/auth'
export async function GET() {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const valid = await validateSession(session.sessionId, session.sub)
if (!valid) {
return NextResponse.json({ error: 'Session expired' }, { status: 401 })
}
const { rows } = await pool.query(
`SELECT id, email, name, company, status, last_login_at, login_count, created_at
FROM pitch_investors WHERE id = $1`,
[session.sub]
)
if (rows.length === 0 || rows[0].status === 'revoked') {
return NextResponse.json({ error: 'Access revoked' }, { status: 403 })
}
return NextResponse.json({ investor: rows[0] })
}

85
pitch-deck/app/api/auth/verify/route.ts Normal file
View File

@@ -0,0 +1,85 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { createSession, setSessionCookie, getClientIp, logAudit, hashToken } from '@/lib/auth'
import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
export async function POST(request: NextRequest) {
const ip = getClientIp(request) || 'unknown'
// Rate limit by IP
const rl = checkRateLimit(`auth-verify:${ip}`, RATE_LIMITS.authVerify)
if (!rl.allowed) {
return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
}
const body = await request.json()
const { token } = body
if (!token || typeof token !== 'string') {
return NextResponse.json({ error: 'Token required' }, { status: 400 })
}
// Find the magic link
const { rows } = await pool.query(
`SELECT ml.id, ml.investor_id, ml.expires_at, ml.used_at, i.email, i.status as investor_status
FROM pitch_magic_links ml
JOIN pitch_investors i ON i.id = ml.investor_id
WHERE ml.token = $1`,
[token]
)
if (rows.length === 0) {
await logAudit(null, 'login_failed', { reason: 'invalid_token' }, request)
return NextResponse.json({ error: 'Invalid link' }, { status: 401 })
}
const link = rows[0]
if (link.used_at) {
await logAudit(link.investor_id, 'login_failed', { reason: 'token_already_used' }, request)
return NextResponse.json({ error: 'This link has already been used. Please request a new one.' }, { status: 401 })
}
if (new Date(link.expires_at) < new Date()) {
await logAudit(link.investor_id, 'login_failed', { reason: 'token_expired' }, request)
return NextResponse.json({ error: 'This link has expired. Please request a new one.' }, { status: 401 })
}
if (link.investor_status === 'revoked') {
await logAudit(link.investor_id, 'login_failed', { reason: 'investor_revoked' }, request)
return NextResponse.json({ error: 'Access has been revoked.' }, { status: 403 })
}
const ua = request.headers.get('user-agent')
// Mark token as used
await pool.query(
`UPDATE pitch_magic_links SET used_at = NOW(), ip_address = $1, user_agent = $2 WHERE id = $3`,
[ip, ua, link.id]
)
// Activate investor if first login
await pool.query(
`UPDATE pitch_investors SET status = 'active', last_login_at = NOW(), login_count = login_count + 1, updated_at = NOW()
WHERE id = $1`,
[link.investor_id]
)
// Create session and set cookie
const { sessionId, jwt } = await createSession(link.investor_id, ip, ua)
await setSessionCookie(jwt)
// Check for new IP
const { rows: prevSessions } = await pool.query(
`SELECT DISTINCT ip_address FROM pitch_sessions WHERE investor_id = $1 AND id != $2 AND ip_address IS NOT NULL`,
[link.investor_id, sessionId]
)
const knownIps = prevSessions.map((r: { ip_address: string }) => r.ip_address)
if (knownIps.length > 0 && !knownIps.includes(ip)) {
await logAudit(link.investor_id, 'new_ip_detected', { ip, known_ips: knownIps }, request, undefined, sessionId)
}
await logAudit(link.investor_id, 'login_success', { email: link.email }, request, undefined, sessionId)
return NextResponse.json({ success: true, redirect: '/' })
}

5
pitch-deck/app/api/health/route.ts Normal file
View File

@@ -0,0 +1,5 @@
import { NextResponse } from 'next/server'
export async function GET() {
return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
}

72
pitch-deck/app/api/snapshots/route.ts Normal file
View File

@@ -0,0 +1,72 @@
import { NextRequest, NextResponse } from 'next/server'
import pool from '@/lib/db'
import { getSessionFromCookie } from '@/lib/auth'
export async function GET() {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const { rows } = await pool.query(
`SELECT id, scenario_id, assumptions, label, is_latest, created_at
FROM pitch_investor_snapshots
WHERE investor_id = $1 AND is_latest = true
ORDER BY created_at DESC`,
[session.sub]
)
return NextResponse.json({ snapshots: rows })
}
export async function POST(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const body = await request.json()
const { scenario_id, assumptions, label } = body
if (!scenario_id || !assumptions) {
return NextResponse.json({ error: 'scenario_id and assumptions required' }, { status: 400 })
}
// Mark previous latest as not latest
await pool.query(
`UPDATE pitch_investor_snapshots SET is_latest = false
WHERE investor_id = $1 AND scenario_id = $2 AND is_latest = true`,
[session.sub, scenario_id]
)
// Insert new snapshot
const { rows } = await pool.query(
`INSERT INTO pitch_investor_snapshots (investor_id, scenario_id, assumptions, label, is_latest)
VALUES ($1, $2, $3, $4, true)
RETURNING id, created_at`,
[session.sub, scenario_id, JSON.stringify(assumptions), label || null]
)
return NextResponse.json({ snapshot: rows[0] })
}
export async function DELETE(request: NextRequest) {
const session = await getSessionFromCookie()
if (!session) {
return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
}
const { searchParams } = new URL(request.url)
const id = searchParams.get('id')
if (!id) {
return NextResponse.json({ error: 'Snapshot id required' }, { status: 400 })
}
await pool.query(
`DELETE FROM pitch_investor_snapshots WHERE id = $1 AND investor_id = $2`,
[id, session.sub]
)
return NextResponse.json({ success: true })
}

57
pitch-deck/app/auth/page.tsx Normal file
View File

@@ -0,0 +1,57 @@
'use client'
import { motion } from 'framer-motion'
export default function AuthPage() {
return (
<div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
{/* Background gradient */}
<div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
<motion.div
initial={{ opacity: 0, y: 20 }}
animate={{ opacity: 1, y: 0 }}
transition={{ duration: 0.6 }}
className="relative z-10 text-center max-w-md mx-auto px-6"
>
<div className="mb-8">
<h1 className="text-3xl font-bold bg-gradient-to-r from-indigo-400 to-purple-400 bg-clip-text text-transparent mb-2">
BreakPilot ComplAI
</h1>
<p className="text-white/30 text-sm">Investor Pitch Deck</p>
</div>
<div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
<div className="w-16 h-16 mx-auto mb-6 rounded-full bg-indigo-500/10 flex items-center justify-center">
<svg className="w-8 h-8 text-indigo-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5}
d="M21.75 9v.906a2.25 2.25 0 01-1.183 1.981l-6.478 3.488M2.25 9v.906a2.25 2.25 0 001.183 1.981l6.478 3.488m8.839 2.51l-4.66-2.51m0 0l-1.023-.55a2.25 2.25 0 00-2.134 0l-1.022.55m0 0l-4.661 2.51m16.5-1.5a2.25 2.25 0 01-2.25 2.25h-15a2.25 2.25 0 01-2.25-2.25V6.75A2.25 2.25 0 014.5 4.5h15a2.25 2.25 0 012.25 2.25v11.25z" />
</svg>
</div>
<h2 className="text-xl font-semibold text-white/90 mb-3">
Invitation Required
</h2>
<p className="text-white/50 text-sm leading-relaxed mb-6">
This interactive pitch deck is available by invitation only.
Please check your email for an access link.
</p>
<div className="border-t border-white/[0.06] pt-5">
<p className="text-white/30 text-xs">
Questions? Contact us at{' '}
<a href="mailto:pitch@breakpilot.ai" className="text-indigo-400/80 hover:text-indigo-400 transition-colors">
pitch@breakpilot.ai
</a>
</p>
</div>
</div>
<p className="mt-6 text-white/20 text-xs">
We are an AI-first company. No PDFs. No slide decks. Just code.
</p>
</motion.div>
</div>
)
}

112
pitch-deck/app/auth/verify/page.tsx Normal file
View File

@@ -0,0 +1,112 @@
'use client'
import { Suspense, useEffect, useState } from 'react'
import { useSearchParams, useRouter } from 'next/navigation'
import { motion } from 'framer-motion'
function VerifyContent() {
const searchParams = useSearchParams()
const router = useRouter()
const token = searchParams.get('token')
const [status, setStatus] = useState<'verifying' | 'success' | 'error'>('verifying')
const [errorMsg, setErrorMsg] = useState('')
useEffect(() => {
if (!token) {
setStatus('error')
setErrorMsg('No access token provided.')
return
}
async function verify() {
try {
const res = await fetch('/api/auth/verify', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ token }),
})
if (res.ok) {
setStatus('success')
setTimeout(() => router.push('/'), 1000)
} else {
const data = await res.json()
setStatus('error')
setErrorMsg(data.error || 'Verification failed.')
}
} catch {
setStatus('error')
setErrorMsg('Network error. Please try again.')
}
}
verify()
}, [token, router])
return (
<motion.div
initial={{ opacity: 0, scale: 0.95 }}
animate={{ opacity: 1, scale: 1 }}
transition={{ duration: 0.4 }}
className="relative z-10 text-center max-w-md mx-auto px-6"
>
<div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
{status === 'verifying' && (
<>
<div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
<p className="text-white/60">Verifying your access link...</p>
</>
)}
{status === 'success' && (
<>
<div className="w-16 h-16 mx-auto mb-4 rounded-full bg-green-500/10 flex items-center justify-center">
<svg className="w-8 h-8 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
</svg>
</div>
<p className="text-white/80 font-medium">Access verified!</p>
<p className="text-white/40 text-sm mt-2">Redirecting to pitch deck...</p>
</>
)}
{status === 'error' && (
<>
<div className="w-16 h-16 mx-auto mb-4 rounded-full bg-red-500/10 flex items-center justify-center">
<svg className="w-8 h-8 text-red-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
</svg>
</div>
<p className="text-white/80 font-medium mb-2">Access Denied</p>
<p className="text-white/50 text-sm">{errorMsg}</p>
<a
href="/auth"
className="inline-block mt-6 text-indigo-400 text-sm hover:text-indigo-300 transition-colors"
>
Back to login
</a>
</>
)}
</div>
</motion.div>
)
}
export default function VerifyPage() {
return (
<div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
<div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
<Suspense
fallback={
<div className="relative z-10 text-center">
<div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
<p className="text-white/60">Loading...</p>
</div>
}
>
<VerifyContent />
</Suspense>
</div>
)
}

30
pitch-deck/app/layout.tsx
View File

@@ -1,9 +1,23 @@
import type { Metadata } from 'next'
import type { Metadata, Viewport } from 'next'
import './globals.css'
export const metadata: Metadata = {
title: 'BreakPilot ComplAI — Investor Pitch Deck',
description: 'Datensouveraenitaet meets KI-Compliance. Pre-Seed Q4 2026.',
manifest: '/manifest.json',
robots: { index: false, follow: false },
appleWebApp: {
capable: true,
statusBarStyle: 'black-translucent',
title: 'BreakPilot Pitch',
},
}
export const viewport: Viewport = {
themeColor: '#6366f1',
width: 'device-width',
initialScale: 1,
maximumScale: 1,
}
export default function RootLayout({
@@ -13,8 +27,22 @@ export default function RootLayout({
}) {
return (
<html lang="de" className="dark">
<head>
<link rel="apple-touch-icon" href="/icons/icon-192.png" />
</head>
<body className="bg-[#0a0a1a] text-white antialiased overflow-hidden h-screen">
{children}
<script
dangerouslySetInnerHTML={{
__html: `
if ('serviceWorker' in navigator) {
window.addEventListener('load', () => {
navigator.serviceWorker.register('/sw.js').catch(() => {});
});
}
`,
}}
/>
</body>
</html>
)

12
pitch-deck/app/page.tsx
View File

@@ -2,14 +2,24 @@
import { useState, useCallback } from 'react'
import { Language } from '@/lib/types'
import { useAuth } from '@/lib/hooks/useAuth'
import PitchDeck from '@/components/PitchDeck'
export default function Home() {
const [lang, setLang] = useState<Language>('de')
const { investor, loading, logout } = useAuth()
const toggleLanguage = useCallback(() => {
setLang(prev => prev === 'de' ? 'en' : 'de')
}, [])
return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} />
if (loading) {
return (
<div className="h-screen flex items-center justify-center">
<div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
</div>
)
}
return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} investor={investor} onLogout={logout} />
}

259
pitch-deck/app/pitch-admin/(authed)/admins/page.tsx Normal file
View File

@@ -0,0 +1,259 @@
'use client'
import { useEffect, useState } from 'react'
import { Plus, Power, Key } from 'lucide-react'
interface Admin {
id: string
email: string
name: string
is_active: boolean
last_login_at: string | null
created_at: string
}
export default function AdminsPage() {
const [admins, setAdmins] = useState<Admin[]>([])
const [loading, setLoading] = useState(true)
const [showAdd, setShowAdd] = useState(false)
const [newEmail, setNewEmail] = useState('')
const [newName, setNewName] = useState('')
const [newPassword, setNewPassword] = useState('')
const [error, setError] = useState('')
const [busy, setBusy] = useState(false)
const [toast, setToast] = useState<string | null>(null)
const [resetId, setResetId] = useState<string | null>(null)
const [resetPassword, setResetPassword] = useState('')
function flashToast(msg: string) {
setToast(msg)
setTimeout(() => setToast(null), 3000)
}
async function load() {
setLoading(true)
const res = await fetch('/api/admin/admins')
if (res.ok) {
const d = await res.json()
setAdmins(d.admins || [])
}
setLoading(false)
}
useEffect(() => { load() }, [])
async function createAdmin(e: React.FormEvent) {
e.preventDefault()
setError('')
setBusy(true)
const res = await fetch('/api/admin/admins', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email: newEmail, name: newName, password: newPassword }),
})
setBusy(false)
if (res.ok) {
setShowAdd(false)
setNewEmail(''); setNewName(''); setNewPassword('')
flashToast('Admin created')
load()
} else {
const d = await res.json().catch(() => ({}))
setError(d.error || 'Create failed')
}
}
async function toggleActive(a: Admin) {
if (!confirm(`${a.is_active ? 'Deactivate' : 'Activate'} ${a.email}?`)) return
setBusy(true)
const res = await fetch(`/api/admin/admins/${a.id}`, {
method: 'PATCH',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ is_active: !a.is_active }),
})
setBusy(false)
if (res.ok) {
flashToast(a.is_active ? 'Deactivated' : 'Activated')
load()
} else {
flashToast('Update failed')
}
}
async function submitResetPassword(e: React.FormEvent) {
e.preventDefault()
if (!resetId) return
setBusy(true)
const res = await fetch(`/api/admin/admins/${resetId}`, {
method: 'PATCH',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ password: resetPassword }),
})
setBusy(false)
if (res.ok) {
flashToast('Password reset')
setResetId(null)
setResetPassword('')
} else {
const d = await res.json().catch(() => ({}))
flashToast(d.error || 'Reset failed')
}
}
return (
<div className="space-y-6">
<div className="flex items-center justify-between">
<div>
<h1 className="text-2xl font-semibold text-white">Admins</h1>
<p className="text-sm text-white/50 mt-1">{admins.length} total</p>
</div>
<button
onClick={() => setShowAdd(s => !s)}
className="bg-gradient-to-r from-indigo-500 to-purple-600 hover:from-indigo-600 hover:to-purple-700 text-white text-sm font-medium px-4 py-2 rounded-lg shadow-lg shadow-indigo-500/20 flex items-center gap-2"
>
<Plus className="w-4 h-4" /> Add admin
</button>
</div>
{showAdd && (
<form onSubmit={createAdmin} className="bg-white/[0.04] border border-white/[0.08] rounded-2xl p-5 space-y-3">
<div className="grid md:grid-cols-3 gap-3">
<input
type="email"
value={newEmail}
onChange={e => setNewEmail(e.target.value)}
required
placeholder="email@breakpilot.ai"
className="bg-black/30 border border-white/10 rounded-lg px-3 py-2 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
<input
type="text"
value={newName}
onChange={e => setNewName(e.target.value)}
required
placeholder="Name"
className="bg-black/30 border border-white/10 rounded-lg px-3 py-2 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
<input
type="password"
value={newPassword}
onChange={e => setNewPassword(e.target.value)}
required
minLength={12}
placeholder="Password (min 12 chars)"
className="bg-black/30 border border-white/10 rounded-lg px-3 py-2 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
</div>
{error && (
<div className="text-sm text-rose-300 bg-rose-500/10 border border-rose-500/20 rounded-lg px-3 py-2">{error}</div>
)}
<div className="flex justify-end gap-2">
<button type="button" onClick={() => { setShowAdd(false); setError('') }} className="text-sm text-white/60 hover:text-white px-4 py-2">Cancel</button>
<button type="submit" disabled={busy} className="bg-indigo-500 hover:bg-indigo-600 text-white text-sm font-medium px-4 py-2 rounded-lg disabled:opacity-50">
{busy ? 'Creating…' : 'Create'}
</button>
</div>
</form>
)}
{loading ? (
<div className="flex items-center justify-center h-32"><div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" /></div>
) : (
<div className="bg-white/[0.04] border border-white/[0.06] rounded-2xl overflow-hidden">
<table className="w-full text-sm">
<thead>
<tr className="text-left text-xs uppercase tracking-wider text-white/40 border-b border-white/[0.06]">
<th className="py-3 px-4 font-medium">Admin</th>
<th className="py-3 px-4 font-medium">Status</th>
<th className="py-3 px-4 font-medium">Last login</th>
<th className="py-3 px-4 font-medium">Created</th>
<th className="py-3 px-4 font-medium text-right">Actions</th>
</tr>
</thead>
<tbody>
{admins.map(a => (
<tr key={a.id} className="border-b border-white/[0.04]">
<td className="py-3 px-4">
<div className="text-white/90 font-medium">{a.name}</div>
<div className="text-xs text-white/40">{a.email}</div>
</td>
<td className="py-3 px-4">
<span className={`text-[10px] px-2 py-0.5 rounded-full border uppercase font-semibold ${
a.is_active
? 'bg-green-500/15 text-green-300 border-green-500/30'
: 'bg-rose-500/15 text-rose-300 border-rose-500/30'
}`}>
{a.is_active ? 'Active' : 'Disabled'}
</span>
</td>
<td className="py-3 px-4 text-white/60 text-xs">
{a.last_login_at ? new Date(a.last_login_at).toLocaleString() : '—'}
</td>
<td className="py-3 px-4 text-white/60 text-xs">
{new Date(a.created_at).toLocaleDateString()}
</td>
<td className="py-3 px-4">
<div className="flex items-center justify-end gap-1">
<button
onClick={() => { setResetId(a.id); setResetPassword('') }}
className="w-8 h-8 rounded-lg flex items-center justify-center text-white/50 hover:bg-amber-500/15 hover:text-amber-300"
title="Reset password"
>
<Key className="w-4 h-4" />
</button>
<button
onClick={() => toggleActive(a)}
className="w-8 h-8 rounded-lg flex items-center justify-center text-white/50 hover:bg-rose-500/15 hover:text-rose-300"
title={a.is_active ? 'Deactivate' : 'Activate'}
>
<Power className="w-4 h-4" />
</button>
</div>
</td>
</tr>
))}
</tbody>
</table>
</div>
)}
{/* Reset password modal */}
{resetId && (
<div className="fixed inset-0 bg-black/70 flex items-center justify-center z-50 p-4" onClick={() => setResetId(null)}>
<form
onSubmit={submitResetPassword}
onClick={e => e.stopPropagation()}
className="bg-[#0a0a1a] border border-white/[0.1] rounded-2xl p-6 w-full max-w-sm space-y-4"
>
<h3 className="text-lg font-semibold text-white">Reset Password</h3>
<p className="text-sm text-white/60">
The admin's active sessions will be revoked.
</p>
<input
type="password"
value={resetPassword}
onChange={e => setResetPassword(e.target.value)}
required
minLength={12}
autoFocus
placeholder="New password (min 12 chars)"
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
<div className="flex justify-end gap-2">
<button type="button" onClick={() => setResetId(null)} className="text-sm text-white/60 hover:text-white px-4 py-2">Cancel</button>
<button type="submit" disabled={busy} className="bg-indigo-500 hover:bg-indigo-600 text-white text-sm font-medium px-4 py-2 rounded-lg disabled:opacity-50">
{busy ? 'Saving' : 'Reset'}
</button>
</div>
</form>
</div>
)}
{toast && (
<div className="fixed bottom-6 right-6 bg-indigo-500/20 border border-indigo-500/40 text-indigo-200 text-sm px-4 py-2 rounded-lg backdrop-blur-sm">
{toast}
</div>
)}
</div>
)
}

130
pitch-deck/app/pitch-admin/(authed)/audit/page.tsx Normal file
View File

@@ -0,0 +1,130 @@
'use client'
import { useEffect, useState, useCallback } from 'react'
import AuditLogTable, { AuditLogRow } from '@/components/pitch-admin/AuditLogTable'
const ACTIONS = [
'', // any
'login_success',
'login_failed',
'logout',
'admin_login_success',
'admin_login_failed',
'admin_logout',
'slide_viewed',
'assumption_changed',
'assumption_edited',
'scenario_edited',
'investor_invited',
'magic_link_resent',
'investor_revoked',
'investor_edited',
'admin_created',
'admin_edited',
'admin_deactivated',
'new_ip_detected',
]
const PAGE_SIZE = 50
export default function AuditPage() {
const [logs, setLogs] = useState<AuditLogRow[]>([])
const [total, setTotal] = useState(0)
const [loading, setLoading] = useState(true)
const [actorType, setActorType] = useState('')
const [action, setAction] = useState('')
const [page, setPage] = useState(0)
const load = useCallback(async () => {
setLoading(true)
const params = new URLSearchParams()
if (actorType) params.set('actor_type', actorType)
if (action) params.set('action', action)
params.set('limit', String(PAGE_SIZE))
params.set('offset', String(page * PAGE_SIZE))
const res = await fetch(`/api/admin/audit-logs?${params.toString()}`)
if (res.ok) {
const data = await res.json()
setLogs(data.logs)
setTotal(data.total)
}
setLoading(false)
}, [actorType, action, page])
useEffect(() => { load() }, [load])
const totalPages = Math.max(1, Math.ceil(total / PAGE_SIZE))
return (
<div className="space-y-6">
<div>
<h1 className="text-2xl font-semibold text-white">Audit Log</h1>
<p className="text-sm text-white/50 mt-1">{total} total events</p>
</div>
<div className="flex items-center gap-3 flex-wrap">
<select
value={actorType}
onChange={(e) => { setActorType(e.target.value); setPage(0) }}
className="bg-white/[0.04] border border-white/[0.08] rounded-lg px-3 py-2 text-sm text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
>
<option value="">All actors</option>
<option value="admin">Admins only</option>
<option value="investor">Investors only</option>
</select>
<select
value={action}
onChange={(e) => { setAction(e.target.value); setPage(0) }}
className="bg-white/[0.04] border border-white/[0.08] rounded-lg px-3 py-2 text-sm text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40 max-w-[260px]"
>
{ACTIONS.map(a => (
<option key={a} value={a}>{a || 'All actions'}</option>
))}
</select>
{(actorType || action) && (
<button
onClick={() => { setActorType(''); setAction(''); setPage(0) }}
className="text-sm text-white/50 hover:text-white px-3 py-2"
>
Clear filters
</button>
)}
</div>
<div className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
{loading ? (
<div className="flex items-center justify-center h-32">
<div className="w-6 h-6 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
</div>
) : (
<AuditLogTable rows={logs} showActor />
)}
</div>
{totalPages > 1 && (
<div className="flex items-center justify-between text-sm">
<div className="text-white/50">
Page {page + 1} of {totalPages}
</div>
<div className="flex items-center gap-2">
<button
onClick={() => setPage(p => Math.max(0, p - 1))}
disabled={page === 0}
className="bg-white/[0.06] hover:bg-white/[0.1] text-white px-3 py-1.5 rounded-lg disabled:opacity-30"
>
Previous
</button>
<button
onClick={() => setPage(p => Math.min(totalPages - 1, p + 1))}
disabled={page >= totalPages - 1}
className="bg-white/[0.06] hover:bg-white/[0.1] text-white px-3 py-1.5 rounded-lg disabled:opacity-30"
>
Next
</button>
</div>
</div>
)}
</div>
)
}

184
pitch-deck/app/pitch-admin/(authed)/financial-model/[scenarioId]/page.tsx Normal file
View File

@@ -0,0 +1,184 @@
'use client'
import { useEffect, useState } from 'react'
import { useParams } from 'next/navigation'
import Link from 'next/link'
import { ArrowLeft, Save } from 'lucide-react'
interface Assumption {
id: string
scenario_id: string
key: string
label_de: string
label_en: string
value: number | number[]
value_type: 'scalar' | 'step' | 'timeseries'
unit: string
min_value: number | null
max_value: number | null
step_size: number | null
category: string
sort_order: number
}
interface Scenario {
id: string
name: string
description: string
is_default: boolean
color: string
assumptions: Assumption[]
}
export default function EditScenarioPage() {
const { scenarioId } = useParams<{ scenarioId: string }>()
const [scenario, setScenario] = useState<Scenario | null>(null)
const [loading, setLoading] = useState(true)
const [edits, setEdits] = useState<Record<string, string>>({})
const [savingId, setSavingId] = useState<string | null>(null)
const [toast, setToast] = useState<string | null>(null)
function flashToast(msg: string) {
setToast(msg)
setTimeout(() => setToast(null), 3000)
}
async function load() {
setLoading(true)
const res = await fetch('/api/admin/fm/scenarios')
if (res.ok) {
const d = await res.json()
const found = (d.scenarios as Scenario[]).find(s => s.id === scenarioId)
setScenario(found || null)
}
setLoading(false)
}
useEffect(() => { if (scenarioId) load() }, [scenarioId])
function setEdit(id: string, val: string) {
setEdits(prev => ({ ...prev, [id]: val }))
}
async function saveAssumption(a: Assumption) {
const raw = edits[a.id]
if (raw === undefined) return
let parsed: number | number[]
try {
parsed = a.value_type === 'timeseries' ? JSON.parse(raw) : Number(raw)
if (a.value_type !== 'timeseries' && !Number.isFinite(parsed)) throw new Error('not a number')
} catch {
flashToast('Invalid value')
return
}
setSavingId(a.id)
const res = await fetch(`/api/admin/fm/assumptions/${a.id}`, {
method: 'PATCH',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ value: parsed }),
})
setSavingId(null)
if (res.ok) {
flashToast('Saved')
setEdits(prev => {
const next = { ...prev }
delete next[a.id]
return next
})
load()
} else {
flashToast('Save failed')
}
}
if (loading) return <div className="flex items-center justify-center h-64"><div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" /></div>
if (!scenario) return <div className="text-rose-400">Scenario not found</div>
// Group by category
const byCategory: Record<string, Assumption[]> = {}
scenario.assumptions.forEach(a => {
if (!byCategory[a.category]) byCategory[a.category] = []
byCategory[a.category].push(a)
})
return (
<div className="space-y-6">
<Link href="/pitch-admin/financial-model" className="inline-flex items-center gap-2 text-sm text-white/50 hover:text-white/80">
<ArrowLeft className="w-4 h-4" /> Back to scenarios
</Link>
<div>
<div className="flex items-center gap-3 mb-1">
<div className="w-4 h-4 rounded-full" style={{ backgroundColor: scenario.color }} />
<h1 className="text-2xl font-semibold text-white">{scenario.name}</h1>
{scenario.is_default && (
<span className="text-[9px] px-1.5 py-0.5 rounded bg-indigo-500/20 text-indigo-300 uppercase font-semibold">
Default
</span>
)}
</div>
{scenario.description && <p className="text-sm text-white/50">{scenario.description}</p>}
</div>
<div className="space-y-6">
{Object.entries(byCategory).map(([cat, items]) => (
<section key={cat} className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
<h2 className="text-xs font-semibold uppercase tracking-wider text-white/50 mb-4">{cat}</h2>
<div className="space-y-3">
{items.map(a => {
const isEdited = edits[a.id] !== undefined
const currentValue = isEdited
? edits[a.id]
: a.value_type === 'timeseries'
? JSON.stringify(a.value)
: String(a.value)
return (
<div key={a.id} className="grid grid-cols-12 gap-3 items-center">
<div className="col-span-5 min-w-0">
<div className="text-sm text-white/90 truncate">{a.label_en || a.label_de}</div>
<div className="text-xs text-white/40 font-mono truncate">{a.key}</div>
</div>
<div className="col-span-4 flex items-center gap-2">
<input
type="text"
value={currentValue}
onChange={e => setEdit(a.id, e.target.value)}
className={`flex-1 bg-black/30 border rounded-lg px-3 py-1.5 text-sm text-white font-mono focus:outline-none focus:ring-2 focus:ring-indigo-500/40 ${
isEdited ? 'border-amber-500/50' : 'border-white/10'
}`}
/>
{a.unit && <span className="text-xs text-white/40">{a.unit}</span>}
</div>
<div className="col-span-2 text-xs text-white/30 font-mono">
{a.min_value !== null && a.max_value !== null ? `${a.min_value}${a.max_value}` : ''}
</div>
<div className="col-span-1 flex justify-end">
{isEdited && (
<button
onClick={() => saveAssumption(a)}
disabled={savingId === a.id}
className="bg-indigo-500 hover:bg-indigo-600 text-white p-1.5 rounded-lg disabled:opacity-50"
title="Save"
>
<Save className="w-3.5 h-3.5" />
</button>
)}
</div>
</div>
)
})}
</div>
</section>
))}
</div>
{toast && (
<div className="fixed bottom-6 right-6 bg-indigo-500/20 border border-indigo-500/40 text-indigo-200 text-sm px-4 py-2 rounded-lg backdrop-blur-sm">
{toast}
</div>
)}
</div>
)
}

73
pitch-deck/app/pitch-admin/(authed)/financial-model/page.tsx Normal file
View File

@@ -0,0 +1,73 @@
'use client'
import { useEffect, useState } from 'react'
import Link from 'next/link'
import { ArrowRight } from 'lucide-react'
interface Scenario {
id: string
name: string
description: string
is_default: boolean
color: string
assumptions: Array<{ id: string; key: string }>
}
export default function FinancialModelPage() {
const [scenarios, setScenarios] = useState<Scenario[]>([])
const [loading, setLoading] = useState(true)
useEffect(() => {
fetch('/api/admin/fm/scenarios')
.then(r => r.json())
.then(d => setScenarios(d.scenarios || []))
.finally(() => setLoading(false))
}, [])
if (loading) {
return <div className="flex items-center justify-center h-64"><div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" /></div>
}
return (
<div className="space-y-6">
<div>
<h1 className="text-2xl font-semibold text-white">Financial Model</h1>
<p className="text-sm text-white/50 mt-1">
Edit default scenarios and assumptions. Investor snapshots are not affected.
</p>
</div>
<div className="grid md:grid-cols-2 gap-4">
{scenarios.map(s => (
<Link
key={s.id}
href={`/pitch-admin/financial-model/${s.id}`}
className="bg-white/[0.04] border border-white/[0.06] hover:border-white/[0.15] rounded-2xl p-5 transition-colors block"
>
<div className="flex items-start justify-between gap-3 mb-3">
<div className="min-w-0">
<div className="flex items-center gap-2 mb-1">
<div
className="w-3 h-3 rounded-full"
style={{ backgroundColor: s.color }}
/>
<h3 className="text-base font-semibold text-white">{s.name}</h3>
{s.is_default && (
<span className="text-[9px] px-1.5 py-0.5 rounded bg-indigo-500/20 text-indigo-300 uppercase font-semibold">
Default
</span>
)}
</div>
{s.description && <p className="text-sm text-white/50">{s.description}</p>}
</div>
<ArrowRight className="w-4 h-4 text-white/30 mt-1 shrink-0" />
</div>
<div className="text-xs text-white/40">
{s.assumptions.length} assumption{s.assumptions.length === 1 ? '' : 's'}
</div>
</Link>
))}
</div>
</div>
)
}

252
pitch-deck/app/pitch-admin/(authed)/investors/[id]/page.tsx Normal file
View File

@@ -0,0 +1,252 @@
'use client'
import { useEffect, useState } from 'react'
import { useParams, useRouter } from 'next/navigation'
import Link from 'next/link'
import { ArrowLeft, Mail, Ban, Save } from 'lucide-react'
import AuditLogTable from '@/components/pitch-admin/AuditLogTable'
interface InvestorDetail {
investor: {
id: string
email: string
name: string | null
company: string | null
status: string
last_login_at: string | null
login_count: number
created_at: string
}
sessions: Array<{
id: string
ip_address: string | null
user_agent: string | null
expires_at: string
revoked: boolean
created_at: string
}>
snapshots: Array<{
id: string
scenario_id: string
label: string | null
is_latest: boolean
created_at: string
}>
audit: Array<{
id: number
action: string
created_at: string
details: Record<string, unknown> | null
ip_address: string | null
slide_id: string | null
admin_email: string | null
admin_name: string | null
}>
}
const STATUS_STYLES: Record<string, string> = {
invited: 'bg-amber-500/15 text-amber-300 border-amber-500/30',
active: 'bg-green-500/15 text-green-300 border-green-500/30',
revoked: 'bg-rose-500/15 text-rose-300 border-rose-500/30',
}
export default function InvestorDetailPage() {
const { id } = useParams<{ id: string }>()
const router = useRouter()
const [data, setData] = useState<InvestorDetail | null>(null)
const [loading, setLoading] = useState(true)
const [editing, setEditing] = useState(false)
const [name, setName] = useState('')
const [company, setCompany] = useState('')
const [busy, setBusy] = useState(false)
const [toast, setToast] = useState<string | null>(null)
function flashToast(msg: string) {
setToast(msg)
setTimeout(() => setToast(null), 3000)
}
async function load() {
setLoading(true)
const res = await fetch(`/api/admin/investors/${id}`)
if (res.ok) {
const d = await res.json()
setData(d)
setName(d.investor.name || '')
setCompany(d.investor.company || '')
}
setLoading(false)
}
useEffect(() => { if (id) load() }, [id])
async function save() {
setBusy(true)
const res = await fetch(`/api/admin/investors/${id}`, {
method: 'PATCH',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ name, company }),
})
setBusy(false)
if (res.ok) {
setEditing(false)
flashToast('Saved')
load()
} else {
flashToast('Save failed')
}
}
async function resend() {
setBusy(true)
const res = await fetch(`/api/admin/investors/${id}/resend`, { method: 'POST' })
setBusy(false)
if (res.ok) {
flashToast('Magic link resent')
load()
} else {
const err = await res.json().catch(() => ({}))
flashToast(err.error || 'Resend failed')
}
}
async function revoke() {
if (!confirm('Revoke this investor\'s access? This signs them out and prevents future logins.')) return
setBusy(true)
const res = await fetch('/api/admin/revoke', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ investor_id: id }),
})
setBusy(false)
if (res.ok) {
flashToast('Revoked')
load()
} else {
flashToast('Revoke failed')
}
}
if (loading) return <div className="flex items-center justify-center h-64"><div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" /></div>
if (!data) return <div className="text-rose-400">Investor not found</div>
const inv = data.investor
return (
<div className="space-y-6">
<Link href="/pitch-admin/investors" className="inline-flex items-center gap-2 text-sm text-white/50 hover:text-white/80">
<ArrowLeft className="w-4 h-4" /> Back to investors
</Link>
{/* Header */}
<div className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-6">
<div className="flex items-start justify-between gap-4 flex-wrap">
<div className="min-w-0 flex-1">
{editing ? (
<div className="space-y-3">
<input
value={name}
onChange={(e) => setName(e.target.value)}
placeholder="Name"
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2 text-white text-lg font-semibold focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
<input
value={company}
onChange={(e) => setCompany(e.target.value)}
placeholder="Company"
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
</div>
) : (
<>
<div className="flex items-center gap-3 mb-1 flex-wrap">
<h1 className="text-2xl font-semibold text-white">{inv.name || inv.email}</h1>
<span className={`text-[10px] px-2 py-0.5 rounded-full border uppercase font-semibold ${STATUS_STYLES[inv.status]}`}>
{inv.status}
</span>
</div>
<div className="text-sm text-white/60">{inv.company || '—'}</div>
<div className="text-xs text-white/40 mt-1">{inv.email}</div>
</>
)}
</div>
<div className="flex items-center gap-2">
{editing ? (
<>
<button
onClick={() => { setEditing(false); setName(inv.name || ''); setCompany(inv.company || '') }}
className="text-sm text-white/60 hover:text-white px-3 py-2"
>
Cancel
</button>
<button
onClick={save}
disabled={busy}
className="bg-indigo-500 hover:bg-indigo-600 text-white text-sm font-medium px-4 py-2 rounded-lg flex items-center gap-2 disabled:opacity-50"
>
<Save className="w-4 h-4" /> Save
</button>
</>
) : (
<>
<button
onClick={() => setEditing(true)}
className="bg-white/[0.06] hover:bg-white/[0.1] text-white text-sm px-4 py-2 rounded-lg"
>
Edit
</button>
<button
onClick={resend}
disabled={busy || inv.status === 'revoked'}
className="bg-indigo-500/15 hover:bg-indigo-500/25 text-indigo-300 text-sm px-4 py-2 rounded-lg flex items-center gap-2 disabled:opacity-30"
>
<Mail className="w-4 h-4" /> Resend Link
</button>
<button
onClick={revoke}
disabled={busy || inv.status === 'revoked'}
className="bg-rose-500/15 hover:bg-rose-500/25 text-rose-300 text-sm px-4 py-2 rounded-lg flex items-center gap-2 disabled:opacity-30"
>
<Ban className="w-4 h-4" /> Revoke
</button>
</>
)}
</div>
</div>
<div className="grid grid-cols-2 lg:grid-cols-4 gap-4 mt-6 pt-6 border-t border-white/[0.06]">
<div>
<div className="text-xs text-white/40 uppercase tracking-wider">Logins</div>
<div className="text-xl text-white font-semibold mt-1">{inv.login_count}</div>
</div>
<div>
<div className="text-xs text-white/40 uppercase tracking-wider">Last login</div>
<div className="text-sm text-white/80 mt-1">
{inv.last_login_at ? new Date(inv.last_login_at).toLocaleString() : '—'}
</div>
</div>
<div>
<div className="text-xs text-white/40 uppercase tracking-wider">Sessions</div>
<div className="text-xl text-white font-semibold mt-1">{data.sessions.length}</div>
</div>
<div>
<div className="text-xs text-white/40 uppercase tracking-wider">Snapshots</div>
<div className="text-xl text-white font-semibold mt-1">{data.snapshots.length}</div>
</div>
</div>
</div>
{/* Audit log for this investor */}
<section className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
<h2 className="text-sm font-semibold text-white mb-4">Activity</h2>
<AuditLogTable rows={data.audit} showActor />
</section>
{toast && (
<div className="fixed bottom-6 right-6 bg-indigo-500/20 border border-indigo-500/40 text-indigo-200 text-sm px-4 py-2 rounded-lg backdrop-blur-sm">
{toast}
</div>
)}
</div>
)
}

125
pitch-deck/app/pitch-admin/(authed)/investors/new/page.tsx Normal file
View File

@@ -0,0 +1,125 @@
'use client'
import { useState } from 'react'
import { useRouter } from 'next/navigation'
import Link from 'next/link'
import { ArrowLeft } from 'lucide-react'
export default function NewInvestorPage() {
const router = useRouter()
const [email, setEmail] = useState('')
const [name, setName] = useState('')
const [company, setCompany] = useState('')
const [error, setError] = useState('')
const [submitting, setSubmitting] = useState(false)
async function handleSubmit(e: React.FormEvent) {
e.preventDefault()
setError('')
setSubmitting(true)
try {
const res = await fetch('/api/admin/invite', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email, name, company }),
})
if (res.ok) {
router.push('/pitch-admin/investors')
router.refresh()
} else {
const data = await res.json().catch(() => ({}))
setError(data.error || 'Invite failed')
}
} catch {
setError('Network error')
} finally {
setSubmitting(false)
}
}
return (
<div className="max-w-xl">
<Link
href="/pitch-admin/investors"
className="inline-flex items-center gap-2 text-sm text-white/50 hover:text-white/80 mb-6"
>
<ArrowLeft className="w-4 h-4" /> Back to investors
</Link>
<h1 className="text-2xl font-semibold text-white mb-2">Invite Investor</h1>
<p className="text-sm text-white/50 mb-6">
A magic link will be emailed. Single-use, expires in {process.env.NEXT_PUBLIC_MAGIC_LINK_TTL_HOURS || '72'}h.
</p>
<form
onSubmit={handleSubmit}
className="bg-white/[0.04] border border-white/[0.08] rounded-2xl p-6 space-y-4"
>
<div>
<label htmlFor="email" className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">
Email <span className="text-rose-400">*</span>
</label>
<input
id="email"
type="email"
value={email}
onChange={(e) => setEmail(e.target.value)}
required
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
placeholder="jane@vc.com"
/>
</div>
<div>
<label htmlFor="name" className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">
Name
</label>
<input
id="name"
type="text"
value={name}
onChange={(e) => setName(e.target.value)}
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
placeholder="Jane Doe"
/>
</div>
<div>
<label htmlFor="company" className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">
Company
</label>
<input
id="company"
type="text"
value={company}
onChange={(e) => setCompany(e.target.value)}
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
placeholder="Acme Ventures"
/>
</div>
{error && (
<div className="text-sm text-rose-300 bg-rose-500/10 border border-rose-500/20 rounded-lg px-3 py-2">
{error}
</div>
)}
<div className="flex items-center justify-end gap-3 pt-2">
<Link
href="/pitch-admin/investors"
className="text-sm text-white/60 hover:text-white px-4 py-2"
>
Cancel
</Link>
<button
type="submit"
disabled={submitting}
className="bg-gradient-to-r from-indigo-500 to-purple-600 hover:from-indigo-600 hover:to-purple-700 text-white text-sm font-medium px-5 py-2.5 rounded-lg disabled:opacity-50 shadow-lg shadow-indigo-500/20"
>
{submitting ? 'Sending…' : 'Send invite'}
</button>
</div>
</form>
</div>
)
}

213
pitch-deck/app/pitch-admin/(authed)/investors/page.tsx Normal file
View File

@@ -0,0 +1,213 @@
'use client'
import { useEffect, useState } from 'react'
import Link from 'next/link'
import { Search, Mail, Ban, Eye, RefreshCw } from 'lucide-react'
interface Investor {
id: string
email: string
name: string | null
company: string | null
status: string
last_login_at: string | null
login_count: number
created_at: string
slides_viewed: number
last_activity: string | null
}
const STATUS_STYLES: Record<string, string> = {
invited: 'bg-amber-500/15 text-amber-300 border-amber-500/30',
active: 'bg-green-500/15 text-green-300 border-green-500/30',
revoked: 'bg-rose-500/15 text-rose-300 border-rose-500/30',
}
export default function InvestorsPage() {
const [investors, setInvestors] = useState<Investor[]>([])
const [loading, setLoading] = useState(true)
const [search, setSearch] = useState('')
const [statusFilter, setStatusFilter] = useState<string>('all')
const [busy, setBusy] = useState<string | null>(null)
const [toast, setToast] = useState<string | null>(null)
async function load() {
setLoading(true)
const res = await fetch('/api/admin/investors')
if (res.ok) {
const data = await res.json()
setInvestors(data.investors)
}
setLoading(false)
}
useEffect(() => { load() }, [])
function flashToast(msg: string) {
setToast(msg)
setTimeout(() => setToast(null), 3000)
}
async function resend(id: string) {
setBusy(id)
const res = await fetch(`/api/admin/investors/${id}/resend`, { method: 'POST' })
setBusy(null)
if (res.ok) flashToast('Magic link resent')
else {
const err = await res.json().catch(() => ({}))
flashToast(err.error || 'Resend failed')
}
}
async function revoke(id: string, email: string) {
if (!confirm(`Revoke access for ${email}? This signs them out and prevents future logins.`)) return
setBusy(id)
const res = await fetch('/api/admin/revoke', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ investor_id: id }),
})
setBusy(null)
if (res.ok) {
flashToast('Access revoked')
load()
} else {
flashToast('Revoke failed')
}
}
const filtered = investors.filter((i) => {
if (statusFilter !== 'all' && i.status !== statusFilter) return false
if (search) {
const q = search.toLowerCase()
return (
i.email.toLowerCase().includes(q) ||
(i.name || '').toLowerCase().includes(q) ||
(i.company || '').toLowerCase().includes(q)
)
}
return true
})
return (
<div className="space-y-6">
<div className="flex items-center justify-between flex-wrap gap-4">
<div>
<h1 className="text-2xl font-semibold text-white">Investors</h1>
<p className="text-sm text-white/50 mt-1">{investors.length} total · {filtered.length} shown</p>
</div>
<Link
href="/pitch-admin/investors/new"
className="bg-gradient-to-r from-indigo-500 to-purple-600 hover:from-indigo-600 hover:to-purple-700 text-white text-sm font-medium px-4 py-2 rounded-lg shadow-lg shadow-indigo-500/20"
>
+ Invite Investor
</Link>
</div>
<div className="flex items-center gap-3 flex-wrap">
<div className="relative flex-1 min-w-[240px]">
<Search className="absolute left-3 top-1/2 -translate-y-1/2 w-4 h-4 text-white/40" />
<input
value={search}
onChange={(e) => setSearch(e.target.value)}
placeholder="Search name, email, or company"
className="w-full bg-white/[0.04] border border-white/[0.08] rounded-lg pl-10 pr-3 py-2 text-sm text-white placeholder:text-white/30 focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
/>
</div>
<select
value={statusFilter}
onChange={(e) => setStatusFilter(e.target.value)}
className="bg-white/[0.04] border border-white/[0.08] rounded-lg px-3 py-2 text-sm text-white focus:outline-none focus:ring-2 focus:ring-indigo-500/40"
>
<option value="all">All statuses</option>
<option value="invited">Invited</option>
<option value="active">Active</option>
<option value="revoked">Revoked</option>
</select>
</div>
{loading ? (
<div className="flex items-center justify-center h-64">
<div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
</div>
) : (
<div className="bg-white/[0.04] border border-white/[0.06] rounded-2xl overflow-hidden">
<table className="w-full text-sm">
<thead>
<tr className="text-left text-xs uppercase tracking-wider text-white/40 border-b border-white/[0.06]">
<th className="py-3 px-4 font-medium">Investor</th>
<th className="py-3 px-4 font-medium">Status</th>
<th className="py-3 px-4 font-medium text-right">Logins</th>
<th className="py-3 px-4 font-medium text-right">Slides</th>
<th className="py-3 px-4 font-medium">Last login</th>
<th className="py-3 px-4 font-medium text-right">Actions</th>
</tr>
</thead>
<tbody>
{filtered.length === 0 && (
<tr>
<td colSpan={6} className="py-12 text-center text-white/40">No investors</td>
</tr>
)}
{filtered.map((inv) => (
<tr key={inv.id} className="border-b border-white/[0.04] hover:bg-white/[0.02]">
<td className="py-3 px-4">
<Link href={`/pitch-admin/investors/${inv.id}`} className="block min-w-0 hover:text-indigo-300">
<div className="text-white/90 font-medium truncate">{inv.name || inv.email}</div>
<div className="text-xs text-white/40 truncate">
{inv.company ? `${inv.company} · ` : ''}{inv.email}
</div>
</Link>
</td>
<td className="py-3 px-4">
<span className={`text-[10px] px-2 py-0.5 rounded-full border uppercase font-semibold ${STATUS_STYLES[inv.status] || ''}`}>
{inv.status}
</span>
</td>
<td className="py-3 px-4 text-right text-white/70 font-mono">{inv.login_count}</td>
<td className="py-3 px-4 text-right text-white/70 font-mono">{inv.slides_viewed}</td>
<td className="py-3 px-4 text-white/50 text-xs whitespace-nowrap">
{inv.last_login_at ? new Date(inv.last_login_at).toLocaleDateString() : '—'}
</td>
<td className="py-3 px-4">
<div className="flex items-center justify-end gap-1">
<Link
href={`/pitch-admin/investors/${inv.id}`}
className="w-8 h-8 rounded-lg flex items-center justify-center text-white/50 hover:bg-white/[0.06] hover:text-white"
title="View"
>
<Eye className="w-4 h-4" />
</Link>
<button
onClick={() => resend(inv.id)}
disabled={busy === inv.id || inv.status === 'revoked'}
className="w-8 h-8 rounded-lg flex items-center justify-center text-white/50 hover:bg-indigo-500/15 hover:text-indigo-300 disabled:opacity-30 disabled:cursor-not-allowed"
title="Resend magic link"
>
{busy === inv.id ? <RefreshCw className="w-4 h-4 animate-spin" /> : <Mail className="w-4 h-4" />}
</button>
<button
onClick={() => revoke(inv.id, inv.email)}
disabled={busy === inv.id || inv.status === 'revoked'}
className="w-8 h-8 rounded-lg flex items-center justify-center text-white/50 hover:bg-rose-500/15 hover:text-rose-300 disabled:opacity-30 disabled:cursor-not-allowed"
title="Revoke"
>
<Ban className="w-4 h-4" />
</button>
</div>
</td>
</tr>
))}
</tbody>
</table>
</div>
)}
{toast && (
<div className="fixed bottom-6 right-6 bg-indigo-500/20 border border-indigo-500/40 text-indigo-200 text-sm px-4 py-2 rounded-lg backdrop-blur-sm">
{toast}
</div>
)}
</div>
)
}

18
pitch-deck/app/pitch-admin/(authed)/layout.tsx Normal file
View File

@@ -0,0 +1,18 @@
import { redirect } from 'next/navigation'
import { getAdminFromCookie } from '@/lib/admin-auth'
import AdminShell from '@/components/pitch-admin/AdminShell'
export const dynamic = 'force-dynamic'
export default async function AuthedAdminLayout({ children }: { children: React.ReactNode }) {
const admin = await getAdminFromCookie()
if (!admin) {
redirect('/pitch-admin/login')
}
return (
<AdminShell admin={{ id: admin.id, email: admin.email, name: admin.name }}>
{children}
</AdminShell>
)
}

142
pitch-deck/app/pitch-admin/(authed)/page.tsx Normal file
View File

@@ -0,0 +1,142 @@
'use client'
import { useEffect, useState } from 'react'
import Link from 'next/link'
import { Users, UserCheck, Mail, Eye, ArrowRight } from 'lucide-react'
import StatCard from '@/components/pitch-admin/StatCard'
import AuditLogTable from '@/components/pitch-admin/AuditLogTable'
interface DashboardData {
totals: {
total_investors: number
pending_invites: number
active_7d: number
slides_viewed_total: number
active_sessions: number
active_admins: number
}
recent_logins: Array<{
investor_id: string
email: string
name: string | null
company: string | null
created_at: string
ip_address: string | null
}>
recent_activity: Array<{
id: number
action: string
created_at: string
details: Record<string, unknown> | null
investor_email: string | null
investor_name: string | null
target_investor_email: string | null
admin_email: string | null
admin_name: string | null
}>
}
export default function DashboardPage() {
const [data, setData] = useState<DashboardData | null>(null)
const [loading, setLoading] = useState(true)
useEffect(() => {
fetch('/api/admin/dashboard')
.then((r) => r.json())
.then(setData)
.finally(() => setLoading(false))
}, [])
if (loading) {
return (
<div className="flex items-center justify-center h-64">
<div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
</div>
)
}
if (!data) return <div className="text-rose-400">Failed to load dashboard</div>
return (
<div className="space-y-6">
<div className="flex items-center justify-between">
<div>
<h1 className="text-2xl font-semibold text-white">Dashboard</h1>
<p className="text-sm text-white/50 mt-1">Investor activity overview</p>
</div>
<Link
href="/pitch-admin/investors/new"
className="bg-gradient-to-r from-indigo-500 to-purple-600 hover:from-indigo-600 hover:to-purple-700 text-white text-sm font-medium px-4 py-2 rounded-lg shadow-lg shadow-indigo-500/20 transition-all"
>
+ Invite Investor
</Link>
</div>
<div className="grid grid-cols-2 lg:grid-cols-4 gap-4">
<StatCard label="Total Investors" value={data.totals.total_investors} icon={Users} accent="indigo" />
<StatCard
label="Active (7d)"
value={data.totals.active_7d}
icon={UserCheck}
accent="green"
hint={`${data.totals.active_sessions} live sessions`}
/>
<StatCard
label="Pending Invites"
value={data.totals.pending_invites}
icon={Mail}
accent="amber"
/>
<StatCard
label="Slides Viewed"
value={data.totals.slides_viewed_total}
icon={Eye}
accent="indigo"
hint="all-time"
/>
</div>
<div className="grid lg:grid-cols-2 gap-6">
<section className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
<div className="flex items-center justify-between mb-4">
<h2 className="text-sm font-semibold text-white">Recent Logins</h2>
<Link href="/pitch-admin/investors" className="text-xs text-indigo-400 hover:text-indigo-300 flex items-center gap-1">
All investors <ArrowRight className="w-3 h-3" />
</Link>
</div>
{data.recent_logins.length === 0 ? (
<div className="text-white/40 text-sm py-8 text-center">No logins yet</div>
) : (
<ul className="space-y-2">
{data.recent_logins.map((row, i) => (
<li key={i} className="flex items-center justify-between text-sm py-2 border-b border-white/[0.04] last:border-0">
<div className="min-w-0">
<Link href={`/pitch-admin/investors/${row.investor_id}`} className="text-white/90 hover:text-indigo-300 truncate block">
{row.name || row.email}
</Link>
<div className="text-xs text-white/40 truncate">{row.company || row.email}</div>
</div>
<div className="text-xs text-white/40 whitespace-nowrap ml-3">
{new Date(row.created_at).toLocaleString()}
</div>
</li>
))}
</ul>
)}
</section>
<section className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
<div className="flex items-center justify-between mb-4">
<h2 className="text-sm font-semibold text-white">Recent Activity</h2>
<Link href="/pitch-admin/audit" className="text-xs text-indigo-400 hover:text-indigo-300 flex items-center gap-1">
Full log <ArrowRight className="w-3 h-3" />
</Link>
</div>
<div className="-mx-5">
<AuditLogTable rows={data.recent_activity.slice(0, 8)} />
</div>
</section>
</div>
</div>
)
}

110
pitch-deck/app/pitch-admin/login/page.tsx Normal file
View File

@@ -0,0 +1,110 @@
'use client'
import { useState } from 'react'
import { useRouter } from 'next/navigation'
export default function AdminLoginPage() {
const router = useRouter()
const [email, setEmail] = useState('')
const [password, setPassword] = useState('')
const [error, setError] = useState('')
const [submitting, setSubmitting] = useState(false)
async function handleSubmit(e: React.FormEvent) {
e.preventDefault()
setError('')
setSubmitting(true)
try {
const res = await fetch('/api/admin-auth/login', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ email, password }),
})
if (res.ok) {
router.push('/pitch-admin')
router.refresh()
} else {
const data = await res.json().catch(() => ({}))
setError(data.error || 'Login failed')
}
} catch {
setError('Network error')
} finally {
setSubmitting(false)
}
}
return (
<div className="min-h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
<div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
<div className="relative z-10 w-full max-w-sm px-6">
<div className="text-center mb-8">
<div className="w-16 h-16 mx-auto mb-4 rounded-2xl bg-gradient-to-br from-indigo-500 to-purple-600 flex items-center justify-center shadow-lg shadow-indigo-500/30">
<svg width="32" height="32" viewBox="0 0 40 40" fill="none">
<path d="M8 12L20 6L32 12V28L20 34L8 28V12Z" stroke="white" strokeWidth="2" fill="none" />
<circle cx="20" cy="20" r="4" fill="white" opacity="0.8" />
</svg>
</div>
<h1 className="text-2xl font-semibold text-white mb-1">Pitch Admin</h1>
<p className="text-sm text-white/40">BreakPilot ComplAI</p>
</div>
<form
onSubmit={handleSubmit}
className="bg-white/[0.04] border border-white/[0.08] rounded-2xl p-6 backdrop-blur-sm space-y-4"
>
<div>
<label htmlFor="email" className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">
Email
</label>
<input
id="email"
type="email"
value={email}
onChange={(e) => setEmail(e.target.value)}
autoComplete="username"
required
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white placeholder:text-white/30 focus:outline-none focus:ring-2 focus:ring-indigo-500/40 focus:border-indigo-500/60"
placeholder="you@breakpilot.ai"
/>
</div>
<div>
<label htmlFor="password" className="block text-xs font-medium text-white/60 uppercase tracking-wider mb-2">
Password
</label>
<input
id="password"
type="password"
value={password}
onChange={(e) => setPassword(e.target.value)}
autoComplete="current-password"
required
className="w-full bg-black/30 border border-white/10 rounded-lg px-3 py-2.5 text-white placeholder:text-white/30 focus:outline-none focus:ring-2 focus:ring-indigo-500/40 focus:border-indigo-500/60"
placeholder="••••••••"
/>
</div>
{error && (
<div className="text-sm text-rose-300 bg-rose-500/10 border border-rose-500/20 rounded-lg px-3 py-2">
{error}
</div>
)}
<button
type="submit"
disabled={submitting}
className="w-full bg-gradient-to-r from-indigo-500 to-purple-600 hover:from-indigo-600 hover:to-purple-700 text-white font-medium py-2.5 rounded-lg transition-all disabled:opacity-50 disabled:cursor-not-allowed shadow-lg shadow-indigo-500/20"
>
{submitting ? 'Signing in…' : 'Sign in'}
</button>
</form>
<p className="text-center text-xs text-white/30 mt-6">
Admin access only. All actions are logged.
</p>
</div>
</div>
)
}

85
pitch-deck/components/PitchDeck.tsx
View File

@@ -6,7 +6,9 @@ import { useSlideNavigation } from '@/lib/hooks/useSlideNavigation'
import { useKeyboard } from '@/lib/hooks/useKeyboard'
import { usePitchData } from '@/lib/hooks/usePitchData'
import { usePresenterMode } from '@/lib/hooks/usePresenterMode'
import { useAuditTracker } from '@/lib/hooks/useAuditTracker'
import { Language, PitchData } from '@/lib/types'
import { Investor } from '@/lib/hooks/useAuth'
import ParticleBackground from './ParticleBackground'
import ProgressBar from './ProgressBar'
@@ -17,13 +19,12 @@ import SlideOverview from './SlideOverview'
import SlideContainer from './SlideContainer'
import PresenterOverlay from './presenter/PresenterOverlay'
import AvatarPlaceholder from './presenter/AvatarPlaceholder'
import Watermark from './Watermark'
import IntroPresenterSlide from './slides/IntroPresenterSlide'
import ExecutiveSummarySlide from './slides/ExecutiveSummarySlide'
import CoverSlide from './slides/CoverSlide'
import ProblemSlide from './slides/ProblemSlide'
import SolutionSlide from './slides/SolutionSlide'
import RegulatoryLandscapeSlide from './slides/RegulatoryLandscapeSlide'
import ProductSlide from './slides/ProductSlide'
import HowItWorksSlide from './slides/HowItWorksSlide'
import MarketSlide from './slides/MarketSlide'
@@ -33,8 +34,6 @@ import CompetitionSlide from './slides/CompetitionSlide'
import TeamSlide from './slides/TeamSlide'
import FinancialsSlide from './slides/FinancialsSlide'
import TheAskSlide from './slides/TheAskSlide'
import CapTableSlide from './slides/CapTableSlide'
import SavingsSlide from './slides/SavingsSlide'
import AIQASlide from './slides/AIQASlide'
import AssumptionsSlide from './slides/AssumptionsSlide'
import ArchitectureSlide from './slides/ArchitectureSlide'
@@ -42,33 +41,18 @@ import GTMSlide from './slides/GTMSlide'
import RegulatorySlide from './slides/RegulatorySlide'
import EngineeringSlide from './slides/EngineeringSlide'
import AIPipelineSlide from './slides/AIPipelineSlide'
import SDKDemoSlide from './slides/SDKDemoSlide'
import StrategySlide from './slides/StrategySlide'
import FinanzplanSlide from './slides/FinanzplanSlide'
import GlossarySlide from './slides/GlossarySlide'
interface PitchDeckProps {
lang: Language
onToggleLanguage: () => void
investor: Investor | null
onLogout: () => void
}
export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
export default function PitchDeck({ lang, onToggleLanguage, investor, onLogout }: PitchDeckProps) {
const { data, loading, error } = usePitchData()
const nav = useSlideNavigation()
const [fabOpen, setFabOpen] = useState(false)
const [theme, setTheme] = useState<'dark' | 'light'>('dark')
const toggleTheme = useCallback(() => {
setTheme(prev => {
const next = prev === 'dark' ? 'light' : 'dark'
if (next === 'light') {
document.documentElement.classList.add('theme-light')
} else {
document.documentElement.classList.remove('theme-light')
}
return next
})
}, [])
const presenter = usePresenterMode({
goToSlide: nav.goToSlide,
@@ -77,6 +61,13 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
language: lang,
})
// Audit tracking
useAuditTracker({
investorId: investor?.id || null,
currentSlide: nav.currentSlide,
enabled: !!investor,
})
const toggleFullscreen = useCallback(() => {
if (!document.fullscreenElement) {
document.documentElement.requestFullscreen()
@@ -137,24 +128,20 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
isPresenting={presenter.state !== 'idle'}
/>
)
case 'executive-summary':
return <ExecutiveSummarySlide lang={lang} data={data} />
case 'cover':
return <CoverSlide lang={lang} onNext={nav.nextSlide} funding={data.funding} />
case 'problem':
return <ProblemSlide lang={lang} />
case 'solution':
return <SolutionSlide lang={lang} />
case 'regulatory-landscape':
return <RegulatoryLandscapeSlide lang={lang} />
case 'product':
return <ProductSlide lang={lang} />
return <ProductSlide lang={lang} products={data.products} />
case 'how-it-works':
return <HowItWorksSlide lang={lang} />
case 'market':
return <MarketSlide lang={lang} market={data.market} />
case 'business-model':
return <BusinessModelSlide lang={lang} />
return <BusinessModelSlide lang={lang} products={data.products} />
case 'traction':
return <TractionSlide lang={lang} milestones={data.milestones} metrics={data.metrics} />
case 'competition':
@@ -162,13 +149,9 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
case 'team':
return <TeamSlide lang={lang} team={data.team} />
case 'financials':
return <FinancialsSlide lang={lang} />
return <FinancialsSlide lang={lang} investorId={investor?.id || null} />
case 'the-ask':
return <TheAskSlide lang={lang} funding={data.funding} />
case 'cap-table':
return <CapTableSlide lang={lang} />
case 'customer-savings':
return <SavingsSlide lang={lang} />
case 'ai-qa':
return <AIQASlide lang={lang} />
case 'annex-assumptions':
@@ -183,40 +166,21 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
return <EngineeringSlide lang={lang} />
case 'annex-aipipeline':
return <AIPipelineSlide lang={lang} />
case 'annex-sdk-demo':
return <SDKDemoSlide lang={lang} />
case 'annex-strategy':
return <StrategySlide lang={lang} />
case 'annex-finanzplan':
return <FinanzplanSlide lang={lang} />
case 'annex-glossary':
return <GlossarySlide lang={lang} />
default:
return null
}
}
return (
<div className={`h-screen relative overflow-hidden bg-gradient-to-br ${theme === 'light' ? 'from-[#eef0f5] via-[#f8f9fc] to-[#eef0f5]' : 'from-slate-950 via-[#0a0a1a] to-slate-950'}`}>
<div
className="h-screen relative overflow-hidden bg-gradient-to-br from-slate-950 via-[#0a0a1a] to-slate-950 select-none"
onContextMenu={(e) => e.preventDefault()}
>
<ParticleBackground />
<ProgressBar current={nav.currentIndex} total={nav.totalSlides} />
{/* Theme Toggle */}
<button
onClick={toggleTheme}
className="fixed top-4 right-4 z-50 p-2 rounded-full bg-white/[0.08] border border-white/10 hover:bg-white/[0.15] transition-colors backdrop-blur-xl"
title={theme === 'dark' ? 'Tag-Modus' : 'Nacht-Modus'}
>
{theme === 'dark' ? (
<svg className="w-4 h-4 text-amber-300" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
<circle cx="12" cy="12" r="5" /><path d="M12 1v2m0 18v2M4.22 4.22l1.42 1.42m12.72 12.72l1.42 1.42M1 12h2m18 0h2M4.22 19.78l1.42-1.42M18.36 5.64l1.42-1.42" />
</svg>
) : (
<svg className="w-4 h-4 text-indigo-400" fill="none" viewBox="0 0 24 24" stroke="currentColor" strokeWidth={2}>
<path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z" />
</svg>
)}
</button>
{/* Investor watermark */}
{investor && <Watermark text={investor.email} />}
<SlideContainer slideKey={nav.currentSlide} direction={nav.direction}>
{renderSlide()}
@@ -263,11 +227,6 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
onResume={presenter.resume}
onStop={presenter.stop}
onSkip={presenter.skipSlide}
onPrev={presenter.prevSlide}
isSpeaking={presenter.isSpeaking}
ttsAvailable={presenter.ttsAvailable}
ttsEnabled={presenter.ttsEnabled}
onToggleTts={() => presenter.setTtsEnabled(!presenter.ttsEnabled)}
/>
<AnimatePresence>

36
pitch-deck/components/Watermark.tsx Normal file
View File

@@ -0,0 +1,36 @@
'use client'
interface WatermarkProps {
text: string
}
export default function Watermark({ text }: WatermarkProps) {
if (!text) return null
return (
<div
className="fixed inset-0 pointer-events-none z-10 overflow-hidden select-none"
aria-hidden="true"
>
<div className="absolute inset-0 flex items-center justify-center">
<div
className="text-white/[0.03] text-2xl font-mono whitespace-nowrap tracking-widest"
style={{
transform: 'rotate(-35deg) scale(1.5)',
userSelect: 'none',
WebkitUserSelect: 'none',
}}
>
{/* Repeat the watermark text in a grid pattern */}
{Array.from({ length: 7 }, (_, row) => (
<div key={row} className="my-16">
{Array.from({ length: 3 }, (_, col) => (
<span key={col} className="mx-12">{text}</span>
))}
</div>
))}
</div>
</div>
</div>
)
}

129
pitch-deck/components/pitch-admin/AdminShell.tsx Normal file
View File

@@ -0,0 +1,129 @@
'use client'
import Link from 'next/link'
import { usePathname, useRouter } from 'next/navigation'
import { useState } from 'react'
import {
LayoutDashboard,
Users,
FileText,
TrendingUp,
ShieldCheck,
LogOut,
Menu,
X,
} from 'lucide-react'
interface AdminShellProps {
admin: { id: string; email: string; name: string }
children: React.ReactNode
}
const NAV = [
{ href: '/pitch-admin', label: 'Dashboard', icon: LayoutDashboard, exact: true },
{ href: '/pitch-admin/investors', label: 'Investors', icon: Users },
{ href: '/pitch-admin/audit', label: 'Audit Log', icon: FileText },
{ href: '/pitch-admin/financial-model', label: 'Financial Model', icon: TrendingUp },
{ href: '/pitch-admin/admins', label: 'Admins', icon: ShieldCheck },
]
export default function AdminShell({ admin, children }: AdminShellProps) {
const pathname = usePathname()
const router = useRouter()
const [open, setOpen] = useState(false)
async function logout() {
await fetch('/api/admin-auth/logout', { method: 'POST' })
router.push('/pitch-admin/login')
}
function isActive(item: typeof NAV[number]) {
if (item.exact) return pathname === item.href
return pathname === item.href || pathname.startsWith(item.href + '/')
}
return (
<div className="min-h-screen bg-[#0a0a1a] text-white flex">
{/* Sidebar */}
<aside
className={`fixed lg:static inset-y-0 left-0 z-40 w-64 bg-black/40 backdrop-blur-xl border-r border-white/[0.06]
transform transition-transform lg:transform-none ${open ? 'translate-x-0' : '-translate-x-full lg:translate-x-0'}`}
>
<div className="h-full flex flex-col">
<div className="px-6 py-5 border-b border-white/[0.06]">
<div className="flex items-center gap-3">
<div className="w-9 h-9 rounded-xl bg-gradient-to-br from-indigo-500 to-purple-600 flex items-center justify-center">
<svg width="20" height="20" viewBox="0 0 40 40" fill="none">
<path d="M8 12L20 6L32 12V28L20 34L8 28V12Z" stroke="white" strokeWidth="2.5" fill="none" />
<circle cx="20" cy="20" r="3" fill="white" />
</svg>
</div>
<div className="min-w-0">
<div className="text-sm font-semibold text-white">BreakPilot</div>
<div className="text-[10px] text-white/40 uppercase tracking-wider">Pitch Admin</div>
</div>
</div>
</div>
<nav className="flex-1 px-3 py-4 space-y-1">
{NAV.map((item) => {
const Icon = item.icon
const active = isActive(item)
return (
<Link
key={item.href}
href={item.href}
onClick={() => setOpen(false)}
className={`flex items-center gap-3 px-3 py-2 rounded-lg text-sm transition-colors
${active
? 'bg-indigo-500/15 text-indigo-300 border border-indigo-500/20'
: 'text-white/60 hover:bg-white/[0.04] hover:text-white/90 border border-transparent'}`}
>
<Icon className="w-4 h-4" />
{item.label}
</Link>
)
})}
</nav>
<div className="px-3 py-4 border-t border-white/[0.06]">
<div className="px-3 py-2 mb-2">
<div className="text-sm font-medium text-white/90 truncate">{admin.name}</div>
<div className="text-xs text-white/40 truncate">{admin.email}</div>
</div>
<button
onClick={logout}
className="w-full flex items-center gap-3 px-3 py-2 rounded-lg text-sm text-white/60 hover:bg-red-500/10 hover:text-red-300 transition-colors"
>
<LogOut className="w-4 h-4" />
Logout
</button>
</div>
</div>
</aside>
{/* Mobile overlay */}
{open && (
<div
onClick={() => setOpen(false)}
className="fixed inset-0 bg-black/60 z-30 lg:hidden"
/>
)}
{/* Main content */}
<div className="flex-1 flex flex-col min-w-0">
<header className="lg:hidden flex items-center justify-between px-4 py-3 border-b border-white/[0.06]">
<button
onClick={() => setOpen(true)}
className="w-9 h-9 rounded-lg bg-white/[0.04] flex items-center justify-center"
>
<Menu className="w-5 h-5" />
</button>
<div className="text-sm font-semibold">Pitch Admin</div>
<div className="w-9" />
</header>
<main className="flex-1 p-6 lg:p-8 overflow-y-auto">{children}</main>
</div>
</div>
)
}

153
pitch-deck/components/pitch-admin/AuditLogTable.tsx Normal file
View File

@@ -0,0 +1,153 @@
'use client'
export interface AuditLogRow {
id: number | string
action: string
created_at: string
details: Record<string, unknown> | null
ip_address?: string | null
slide_id?: string | null
investor_email?: string | null
investor_name?: string | null
target_investor_email?: string | null
target_investor_name?: string | null
admin_email?: string | null
admin_name?: string | null
}
interface AuditLogTableProps {
rows: AuditLogRow[]
showActor?: boolean
}
const ACTION_COLORS: Record<string, string> = {
login_success: 'text-green-400 bg-green-500/10',
login_failed: 'text-rose-400 bg-rose-500/10',
admin_login_success: 'text-green-400 bg-green-500/10',
admin_login_failed: 'text-rose-400 bg-rose-500/10',
admin_logout: 'text-white/40 bg-white/[0.04]',
logout: 'text-white/40 bg-white/[0.04]',
slide_viewed: 'text-indigo-400 bg-indigo-500/10',
assumption_changed: 'text-amber-400 bg-amber-500/10',
assumption_edited: 'text-amber-400 bg-amber-500/10',
scenario_edited: 'text-amber-400 bg-amber-500/10',
investor_invited: 'text-purple-400 bg-purple-500/10',
magic_link_resent: 'text-purple-400 bg-purple-500/10',
investor_revoked: 'text-rose-400 bg-rose-500/10',
investor_edited: 'text-blue-400 bg-blue-500/10',
admin_created: 'text-green-400 bg-green-500/10',
admin_edited: 'text-blue-400 bg-blue-500/10',
admin_deactivated: 'text-rose-400 bg-rose-500/10',
new_ip_detected: 'text-amber-400 bg-amber-500/10',
}
function actorLabel(row: AuditLogRow): { label: string; sub: string; kind: 'admin' | 'investor' | 'system' } {
if (row.admin_email) {
return { label: row.admin_name || row.admin_email, sub: row.admin_email, kind: 'admin' }
}
if (row.investor_email) {
return { label: row.investor_name || row.investor_email, sub: row.investor_email, kind: 'investor' }
}
return { label: 'system', sub: '', kind: 'system' }
}
function targetLabel(row: AuditLogRow): string | null {
if (row.target_investor_email) {
return row.target_investor_name
? `${row.target_investor_name} <${row.target_investor_email}>`
: row.target_investor_email
}
return null
}
function formatDate(iso: string): string {
return new Date(iso).toLocaleString()
}
function summarizeDetails(action: string, details: Record<string, unknown> | null): string {
if (!details) return ''
if (action === 'slide_viewed' && details.slide_id) return String(details.slide_id)
if (action === 'assumption_edited' || action === 'scenario_edited') {
const before = details.before as Record<string, unknown> | undefined
const after = details.after as Record<string, unknown> | undefined
if (before && after) {
const keys = Object.keys(after).filter(k => JSON.stringify(before[k]) !== JSON.stringify(after[k]))
return keys.map(k => `${k}: ${JSON.stringify(before[k])}${JSON.stringify(after[k])}`).join(', ')
}
}
if (action === 'investor_invited' || action === 'magic_link_resent') {
return String(details.email || '')
}
if (action === 'investor_edited') {
const before = details.before as Record<string, unknown> | undefined
const after = details.after as Record<string, unknown> | undefined
if (before && after) {
const keys = Object.keys(after).filter(k => before[k] !== after[k])
return keys.map(k => `${k}: "${before[k] || ''}" → "${after[k] || ''}"`).join(', ')
}
}
return JSON.stringify(details).slice(0, 80)
}
export default function AuditLogTable({ rows, showActor = true }: AuditLogTableProps) {
if (rows.length === 0) {
return <div className="text-white/40 text-sm py-8 text-center">No audit events</div>
}
return (
<div className="overflow-x-auto">
<table className="w-full text-sm">
<thead>
<tr className="text-left text-xs uppercase tracking-wider text-white/40 border-b border-white/[0.06]">
<th className="py-3 px-3 font-medium">When</th>
{showActor && <th className="py-3 px-3 font-medium">Actor</th>}
<th className="py-3 px-3 font-medium">Action</th>
<th className="py-3 px-3 font-medium">Target / Details</th>
<th className="py-3 px-3 font-medium">IP</th>
</tr>
</thead>
<tbody>
{rows.map((row) => {
const actor = actorLabel(row)
const target = targetLabel(row)
const summary = summarizeDetails(row.action, row.details)
const colorClass = ACTION_COLORS[row.action] || 'text-white/60 bg-white/[0.04]'
return (
<tr key={row.id} className="border-b border-white/[0.04] hover:bg-white/[0.02]">
<td className="py-3 px-3 text-white/60 whitespace-nowrap">{formatDate(row.created_at)}</td>
{showActor && (
<td className="py-3 px-3">
<div className="flex items-center gap-2">
<span
className={`text-[9px] px-1.5 py-0.5 rounded uppercase font-semibold ${
actor.kind === 'admin'
? 'bg-purple-500/20 text-purple-300'
: actor.kind === 'investor'
? 'bg-indigo-500/20 text-indigo-300'
: 'bg-white/10 text-white/50'
}`}
>
{actor.kind}
</span>
<div className="min-w-0">
<div className="text-white/80 truncate max-w-[180px]">{actor.label}</div>
</div>
</div>
</td>
)}
<td className="py-3 px-3">
<span className={`text-xs px-2 py-1 rounded font-mono ${colorClass}`}>{row.action}</span>
</td>
<td className="py-3 px-3 text-white/60 max-w-md">
{target && <div className="text-white/80 truncate"> {target}</div>}
{summary && <div className="text-xs text-white/40 truncate">{summary}</div>}
</td>
<td className="py-3 px-3 text-white/40 font-mono text-xs">{row.ip_address || '—'}</td>
</tr>
)
})}
</tbody>
</table>
</div>
)
}

33
pitch-deck/components/pitch-admin/StatCard.tsx Normal file
View File

@@ -0,0 +1,33 @@
import { LucideIcon } from 'lucide-react'
interface StatCardProps {
label: string
value: string | number
icon?: LucideIcon
hint?: string
accent?: 'indigo' | 'green' | 'amber' | 'rose'
}
const ACCENTS = {
indigo: 'text-indigo-400 bg-indigo-500/10 border-indigo-500/20',
green: 'text-green-400 bg-green-500/10 border-green-500/20',
amber: 'text-amber-400 bg-amber-500/10 border-amber-500/20',
rose: 'text-rose-400 bg-rose-500/10 border-rose-500/20',
}
export default function StatCard({ label, value, icon: Icon, hint, accent = 'indigo' }: StatCardProps) {
return (
<div className="bg-white/[0.04] border border-white/[0.06] rounded-2xl p-5">
<div className="flex items-start justify-between mb-3">
<span className="text-xs font-medium text-white/50 uppercase tracking-wider">{label}</span>
{Icon && (
<div className={`w-9 h-9 rounded-lg flex items-center justify-center border ${ACCENTS[accent]}`}>
<Icon className="w-4 h-4" />
</div>
)}
</div>
<div className="text-3xl font-semibold text-white">{value}</div>
{hint && <div className="text-xs text-white/40 mt-1">{hint}</div>}
</div>
)
}

358
pitch-deck/components/slides/FinancialsSlide.tsx
View File

@@ -1,73 +1,57 @@
'use client'
import { useEffect, useState } from 'react'
import { Language, FMComputeResponse } from '@/lib/types'
import { useState } from 'react'
import { Language } from '@/lib/types'
import { t } from '@/lib/i18n'
import { useFinancialModel } from '@/lib/hooks/useFinancialModel'
import GradientText from '../ui/GradientText'
import FadeInView from '../ui/FadeInView'
import FinancialChart from '../ui/FinancialChart'
import FinancialSliders from '../ui/FinancialSliders'
import KPICard from '../ui/KPICard'
import RunwayGauge from '../ui/RunwayGauge'
import WaterfallChart from '../ui/WaterfallChart'
import UnitEconomicsCards from '../ui/UnitEconomicsCards'
import ScenarioSwitcher from '../ui/ScenarioSwitcher'
import AnnualPLTable from '../ui/AnnualPLTable'
import AnnualCashflowChart from '../ui/AnnualCashflowChart'
type FinTab = 'overview' | 'guv' | 'cashflow'
interface FinancialsSlideProps {
lang: Language
investorId: string | null
}
export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
export default function FinancialsSlide({ lang, investorId }: FinancialsSlideProps) {
const i = t(lang)
const fm = useFinancialModel(investorId)
const [activeTab, setActiveTab] = useState<FinTab>('overview')
const [data, setData] = useState<FMComputeResponse | null>(null)
const [loading, setLoading] = useState(true)
const [guv, setGuv] = useState<any[]>([])
const de = lang === 'de'
// Auto-load Finanzplan data
useEffect(() => {
async function load() {
try {
// Compute Finanzplan and get FMResult format
const res = await fetch('/api/financial-model/compute', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ source: 'finanzplan' }),
})
if (res.ok) {
const d = await res.json()
setData(d)
}
// Load GuV separately
const guvRes = await fetch('/api/finanzplan/guv')
if (guvRes.ok) {
const guvData = await guvRes.json()
setGuv(guvData.rows || [])
}
} catch (e) {
console.error('Failed to load Finanzplan:', e)
} finally {
setLoading(false)
}
}
load()
}, [])
const activeResults = fm.activeResults
const summary = activeResults?.summary
const lastResult = activeResults?.results[activeResults.results.length - 1]
const summary = data?.summary
const results = data?.results || []
const lastResult = results.length > 0 ? results[results.length - 1] : null
// Build scenario color map
const scenarioColors: Record<string, string> = {}
fm.scenarios.forEach(s => { scenarioColors[s.id] = s.color })
// Find break-even month (first month where revenue > costs)
const breakEvenMonth = results.findIndex(r => r.revenue_eur > r.total_costs_eur && r.revenue_eur > 0)
const breakEvenYear = breakEvenMonth >= 0 ? results[breakEvenMonth]?.year : null
// Build compare results (exclude active scenario)
const compareResults = new Map(
Array.from(fm.results.entries()).filter(([id]) => id !== fm.activeScenarioId)
)
// Initial funding from assumptions
const initialFunding = (fm.activeScenario?.assumptions.find(a => a.key === 'initial_funding')?.value as number) || 200000
const tabs: { id: FinTab; label: string }[] = [
{ id: 'overview', label: de ? 'Übersicht' : 'Overview' },
{ id: 'overview', label: de ? 'Uebersicht' : 'Overview' },
{ id: 'guv', label: de ? 'GuV (Jahres)' : 'P&L (Annual)' },
{ id: 'cashflow', label: de ? 'Cashflow' : 'Cash Flow' },
{ id: 'cashflow', label: de ? 'Cashflow & Finanzbedarf' : 'Cashflow & Funding' },
]
if (loading) {
if (fm.loading) {
return (
<div className="flex items-center justify-center h-full">
<div className="w-8 h-8 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
@@ -87,8 +71,8 @@ export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
{/* Hero KPI Cards */}
<div className="grid grid-cols-2 md:grid-cols-4 gap-2 mb-3">
<KPICard
label="ARR 2030"
value={lastResult ? Math.round(lastResult.arr_eur / 1_000_000 * 10) / 10 : 0}
label={`ARR 2030`}
value={summary ? Math.round(summary.final_arr / 1_000_000 * 10) / 10 : 0}
suffix=" Mio."
decimals={1}
trend="up"
@@ -97,29 +81,29 @@ export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
subLabel="EUR"
/>
<KPICard
label={de ? 'Mitarbeiter 2030' : 'Employees 2030'}
value={lastResult?.employees_count || 0}
label={de ? 'Kunden 2030' : 'Customers 2030'}
value={summary?.final_customers || 0}
trend="up"
color="#22c55e"
delay={0.15}
/>
<KPICard
label="Break-Even"
value={breakEvenYear || 0}
trend={breakEvenMonth >= 0 ? 'up' : 'neutral'}
value={summary?.break_even_month || 0}
suffix={de ? ' Mo.' : ' mo.'}
trend={summary?.break_even_month && summary.break_even_month <= 24 ? 'up' : 'down'}
color="#eab308"
delay={0.2}
subLabel={breakEvenMonth >= 0 ? `${de ? 'Monat' : 'Month'} ${breakEvenMonth + 1}` : ''}
subLabel={summary?.break_even_month ? `~${Math.ceil((summary.break_even_month) / 12) + 2025}` : ''}
/>
<KPICard
label={de ? 'Cash Ende 2030' : 'Cash End 2030'}
value={lastResult ? Math.round(lastResult.cash_balance_eur / 1_000_000 * 10) / 10 : 0}
suffix=" Mio."
label="LTV/CAC"
value={summary?.final_ltv_cac || 0}
suffix="x"
decimals={1}
trend={(lastResult?.cash_balance_eur || 0) > 0 ? 'up' : 'down'}
trend={(summary?.final_ltv_cac || 0) >= 3 ? 'up' : 'down'}
color="#a855f7"
delay={0.25}
subLabel="EUR"
/>
</div>
@@ -140,119 +124,175 @@ export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
))}
</div>
{/* TAB: Overview — monatlicher Chart */}
{activeTab === 'overview' && (
<div className="space-y-3">
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<div className="flex items-center justify-between mb-2">
<p className="text-xs text-white/40">
{de ? 'Umsatz vs. Kosten (60 Monate)' : 'Revenue vs. Costs (60 months)'}
</p>
<div className="flex items-center gap-3 text-[9px]">
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-indigo-500 inline-block" /> {de ? 'Umsatz' : 'Revenue'}</span>
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-red-400 inline-block" /> {de ? 'Kosten' : 'Costs'}</span>
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-emerald-500 inline-block" /> Cash</span>
{/* Main content: 3-column layout */}
<div className="grid md:grid-cols-12 gap-3">
{/* Left: Charts (8 columns) */}
<div className="md:col-span-8 space-y-3">
{/* TAB: Overview — monatlicher Chart + Waterfall + Unit Economics */}
{activeTab === 'overview' && (
<>
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<div className="flex items-center justify-between mb-2">
<p className="text-xs text-white/40">
{de ? 'Umsatz vs. Kosten (60 Monate)' : 'Revenue vs. Costs (60 months)'}
</p>
<div className="flex items-center gap-3 text-[9px]">
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-indigo-500 inline-block" /> {de ? 'Umsatz' : 'Revenue'}</span>
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-red-400 inline-block" style={{ borderBottom: '1px dashed' }} /> {de ? 'Kosten' : 'Costs'}</span>
<span className="flex items-center gap-1"><span className="w-2 h-0.5 bg-emerald-500 inline-block" /> {de ? 'Kunden' : 'Customers'}</span>
</div>
</div>
<FinancialChart
activeResults={activeResults}
compareResults={compareResults}
compareMode={fm.compareMode}
scenarioColors={scenarioColors}
lang={lang}
/>
</div>
</FadeInView>
<div className="grid md:grid-cols-2 gap-3">
<FadeInView delay={0.2}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<p className="text-xs text-white/40 mb-2">
{de ? 'Cash-Flow (Quartal)' : 'Cash Flow (Quarterly)'}
</p>
{activeResults && <WaterfallChart results={activeResults.results} lang={lang} />}
</div>
</FadeInView>
<FadeInView delay={0.25}>
<div className="space-y-3">
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3 flex justify-center">
<RunwayGauge
months={lastResult?.runway_months || 0}
size={120}
label={de ? 'Runway (Monate)' : 'Runway (months)'}
/>
</div>
{lastResult && (
<UnitEconomicsCards
cac={lastResult.cac_eur}
ltv={lastResult.ltv_eur}
ltvCacRatio={lastResult.ltv_cac_ratio}
grossMargin={lastResult.gross_margin_pct}
churnRate={fm.activeScenario?.assumptions.find(a => a.key === 'churn_rate_monthly')?.value as number || 3}
lang={lang}
/>
)}
</div>
</FadeInView>
</div>
<FinancialChart
activeResults={data}
compareResults={new Map()}
compareMode={false}
scenarioColors={{}}
</>
)}
{/* TAB: GuV — Annual P&L Table */}
{activeTab === 'guv' && activeResults && (
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-4">
<div className="flex items-center justify-between mb-3">
<p className="text-xs text-white/40">
{de ? 'Gewinn- und Verlustrechnung (5 Jahre)' : 'Profit & Loss Statement (5 Years)'}
</p>
<p className="text-[9px] text-white/20">
{de ? 'Alle Werte in EUR' : 'All values in EUR'}
</p>
</div>
<AnnualPLTable results={activeResults.results} lang={lang} />
</div>
</FadeInView>
)}
{/* TAB: Cashflow & Finanzbedarf */}
{activeTab === 'cashflow' && activeResults && (
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-4">
<p className="text-xs text-white/40 mb-3">
{de ? 'Jaehrlicher Cashflow & Finanzbedarf' : 'Annual Cash Flow & Funding Requirements'}
</p>
<AnnualCashflowChart
results={activeResults.results}
initialFunding={initialFunding}
lang={lang}
/>
</div>
</FadeInView>
)}
</div>
{/* Right: Controls (4 columns) */}
<div className="md:col-span-4 space-y-3">
{/* Scenario Switcher */}
<FadeInView delay={0.15}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<ScenarioSwitcher
scenarios={fm.scenarios}
activeId={fm.activeScenarioId}
compareMode={fm.compareMode}
onSelect={(id) => {
fm.setActiveScenarioId(id)
}}
onToggleCompare={() => {
if (!fm.compareMode) {
fm.computeAll()
}
fm.setCompareMode(!fm.compareMode)
}}
lang={lang}
/>
</div>
</FadeInView>
<div className="grid md:grid-cols-2 gap-3">
<FadeInView delay={0.2}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<p className="text-xs text-white/40 mb-2">
{de ? 'Cash-Flow (Quartal)' : 'Cash Flow (Quarterly)'}
</p>
{data && <WaterfallChart results={data.results} lang={lang} />}
</div>
</FadeInView>
<FadeInView delay={0.25}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<p className="text-xs text-white/40 mb-2">
{de ? 'Jährlicher Cashflow' : 'Annual Cash Flow'}
</p>
{data && (
<AnnualCashflowChart
results={data.results}
initialFunding={1000000}
lang={lang}
/>
)}
</div>
</FadeInView>
</div>
</div>
)}
{/* TAB: GuV — aus Finanzplan DB */}
{activeTab === 'guv' && (
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-4">
<div className="flex items-center justify-between mb-3">
<p className="text-xs text-white/40">
{de ? 'Gewinn- und Verlustrechnung (5 Jahre)' : 'Profit & Loss Statement (5 Years)'}
{/* Assumption Sliders */}
<FadeInView delay={0.2}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-3">
<p className="text-[10px] text-white/40 uppercase tracking-wider mb-2">
{i.financials.adjustAssumptions}
</p>
<p className="text-[9px] text-white/20">{de ? 'Alle Werte in EUR' : 'All values in EUR'}</p>
{fm.activeScenario && (
<FinancialSliders
assumptions={fm.activeScenario.assumptions}
onAssumptionChange={(key, value) => {
if (fm.activeScenarioId) {
fm.updateAssumption(fm.activeScenarioId, key, value)
}
}}
lang={lang}
/>
)}
{fm.computing && (
<div className="flex items-center gap-2 mt-2 text-[10px] text-indigo-400">
<div className="w-3 h-3 border border-indigo-400 border-t-transparent rounded-full animate-spin" />
{de ? 'Berechne...' : 'Computing...'}
</div>
)}
{/* Snapshot status + reset */}
{investorId && (
<div className="flex items-center justify-between mt-2 pt-2 border-t border-white/5">
<span className="text-[9px] text-white/30">
{fm.snapshotStatus === 'saving' && (de ? 'Speichere...' : 'Saving...')}
{fm.snapshotStatus === 'saved' && (de ? 'Ihre Aenderungen gespeichert' : 'Your changes saved')}
{fm.snapshotStatus === 'restored' && (de ? 'Ihre Werte geladen' : 'Your values restored')}
{fm.snapshotStatus === 'default' && (de ? 'Standardwerte' : 'Defaults')}
</span>
{fm.snapshotStatus !== 'default' && (
<button
onClick={() => fm.activeScenarioId && fm.resetToDefaults(fm.activeScenarioId)}
className="text-[9px] text-white/40 hover:text-white/70 transition-colors"
>
{de ? 'Zuruecksetzen' : 'Reset to defaults'}
</button>
)}
</div>
)}
</div>
<table className="w-full text-[11px]">
<thead>
<tr className="border-b border-white/10">
<th className="text-left py-2 px-2 text-white/40 font-medium min-w-[200px]">{de ? 'Position' : 'Item'}</th>
{[2026, 2027, 2028, 2029, 2030].map(y => (
<th key={y} className="text-right py-2 px-3 text-white/40 font-medium">{y}</th>
))}
</tr>
</thead>
<tbody>
{guv.map((row: any) => {
const label = row.row_label || ''
const values = row.values || {}
const isBold = row.is_sum_row || label.includes('EBIT') || label.includes('Summe') || label.includes('Rohergebnis') || label.includes('Gesamtleistung') || label.includes('Jahresueberschuss') || label.includes('Ergebnis')
return (
<tr key={row.id} className={`border-b border-white/[0.03] ${isBold ? 'bg-white/[0.03]' : ''}`}>
<td className={`py-1.5 px-2 ${isBold ? 'font-bold text-white/80' : 'text-white/60'}`}>{label}</td>
{[2026, 2027, 2028, 2029, 2030].map(y => {
const v = Math.round(values[`y${y}`] || 0)
return (
<td key={y} className={`text-right py-1.5 px-3 ${v < 0 ? 'text-red-400' : v > 0 ? (isBold ? 'text-white/80' : 'text-white/50') : 'text-white/15'} ${isBold ? 'font-bold' : ''}`}>
{v === 0 ? '—' : v.toLocaleString('de-DE')}
</td>
)
})}
</tr>
)
})}
</tbody>
</table>
</div>
</FadeInView>
)}
{/* TAB: Cashflow */}
{activeTab === 'cashflow' && data && (
<FadeInView delay={0.1}>
<div className="bg-white/[0.05] backdrop-blur-xl border border-white/10 rounded-2xl p-4">
<p className="text-xs text-white/40 mb-3">
{de ? 'Jährlicher Cashflow & Liquiditätsentwicklung' : 'Annual Cash Flow & Liquidity Development'}
</p>
<AnnualCashflowChart
results={data.results}
initialFunding={1000000}
lang={lang}
/>
</div>
</FadeInView>
)}
</FadeInView>
</div>
</div>
</div>
)
}

206
pitch-deck/lib/admin-auth.ts Normal file
View File

@@ -0,0 +1,206 @@
import { SignJWT, jwtVerify } from 'jose'
import bcrypt from 'bcryptjs'
import { cookies } from 'next/headers'
import { NextResponse } from 'next/server'
import pool from './db'
import { hashToken, generateToken, getClientIp, logAudit } from './auth'
const ADMIN_COOKIE_NAME = 'pitch_admin_session'
const ADMIN_JWT_AUDIENCE = 'pitch-admin'
const ADMIN_JWT_EXPIRY = '2h'
const ADMIN_SESSION_EXPIRY_HOURS = 12
function getJwtSecret() {
const secret = process.env.PITCH_JWT_SECRET
if (!secret) throw new Error('PITCH_JWT_SECRET not set')
return new TextEncoder().encode(secret)
}
export interface Admin {
id: string
email: string
name: string
is_active: boolean
last_login_at: string | null
created_at: string
}
export interface AdminJwtPayload {
sub: string // admin id
email: string
sessionId: string
}
export async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, 12)
}
export async function verifyPassword(password: string, hash: string): Promise<boolean> {
return bcrypt.compare(password, hash)
}
export async function createAdminJwt(payload: AdminJwtPayload): Promise<string> {
return new SignJWT({ ...payload })
.setProtectedHeader({ alg: 'HS256' })
.setIssuedAt()
.setExpirationTime(ADMIN_JWT_EXPIRY)
.setAudience(ADMIN_JWT_AUDIENCE)
.sign(getJwtSecret())
}
export async function verifyAdminJwt(token: string): Promise<AdminJwtPayload | null> {
try {
const { payload } = await jwtVerify(token, getJwtSecret(), { audience: ADMIN_JWT_AUDIENCE })
return payload as unknown as AdminJwtPayload
} catch {
return null
}
}
export async function createAdminSession(
adminId: string,
ip: string | null,
userAgent: string | null,
): Promise<{ sessionId: string; jwt: string }> {
// Single session per admin
await pool.query(
`UPDATE pitch_admin_sessions SET revoked = true WHERE admin_id = $1 AND revoked = false`,
[adminId],
)
const sessionToken = generateToken()
const tokenHash = hashToken(sessionToken)
const expiresAt = new Date(Date.now() + ADMIN_SESSION_EXPIRY_HOURS * 60 * 60 * 1000)
const { rows } = await pool.query(
`INSERT INTO pitch_admin_sessions (admin_id, token_hash, ip_address, user_agent, expires_at)
VALUES ($1, $2, $3, $4, $5) RETURNING id`,
[adminId, tokenHash, ip, userAgent, expiresAt],
)
const sessionId = rows[0].id
const adminRes = await pool.query(`SELECT email FROM pitch_admins WHERE id = $1`, [adminId])
const jwt = await createAdminJwt({
sub: adminId,
email: adminRes.rows[0].email,
sessionId,
})
return { sessionId, jwt }
}
export async function validateAdminSession(sessionId: string, adminId: string): Promise<boolean> {
const { rows } = await pool.query(
`SELECT s.id FROM pitch_admin_sessions s
JOIN pitch_admins a ON a.id = s.admin_id
WHERE s.id = $1 AND s.admin_id = $2 AND s.revoked = false AND s.expires_at > NOW() AND a.is_active = true`,
[sessionId, adminId],
)
return rows.length > 0
}
export async function revokeAdminSession(sessionId: string): Promise<void> {
await pool.query(`UPDATE pitch_admin_sessions SET revoked = true WHERE id = $1`, [sessionId])
}
export async function revokeAllAdminSessions(adminId: string): Promise<void> {
await pool.query(`UPDATE pitch_admin_sessions SET revoked = true WHERE admin_id = $1`, [adminId])
}
export async function setAdminCookie(jwt: string): Promise<void> {
const cookieStore = await cookies()
cookieStore.set(ADMIN_COOKIE_NAME, jwt, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: ADMIN_SESSION_EXPIRY_HOURS * 60 * 60,
})
}
export async function clearAdminCookie(): Promise<void> {
const cookieStore = await cookies()
cookieStore.delete(ADMIN_COOKIE_NAME)
}
export async function getAdminPayloadFromCookie(): Promise<AdminJwtPayload | null> {
const cookieStore = await cookies()
const token = cookieStore.get(ADMIN_COOKIE_NAME)?.value
if (!token) return null
return verifyAdminJwt(token)
}
/**
* Server-side: read the admin row from the cookie. Returns null if no valid session
* or the admin is inactive. Use in layout.tsx and API routes.
*/
export async function getAdminFromCookie(): Promise<Admin | null> {
const payload = await getAdminPayloadFromCookie()
if (!payload) return null
const valid = await validateAdminSession(payload.sessionId, payload.sub)
if (!valid) return null
const { rows } = await pool.query(
`SELECT id, email, name, is_active, last_login_at, created_at
FROM pitch_admins WHERE id = $1`,
[payload.sub],
)
if (rows.length === 0 || !rows[0].is_active) return null
return rows[0] as Admin
}
/**
* API guard: returns the Admin row, OR a NextResponse 401/403 to return early.
* Also accepts the legacy PITCH_ADMIN_SECRET bearer header for CLI/automation —
* in that case the returned admin id is null but the request is allowed.
*/
export type AdminGuardResult =
| { kind: 'admin'; admin: Admin }
| { kind: 'cli' }
| { kind: 'response'; response: NextResponse }
export async function requireAdmin(request: Request): Promise<AdminGuardResult> {
// CLI fallback via shared secret
const secret = process.env.PITCH_ADMIN_SECRET
if (secret) {
const auth = request.headers.get('authorization')
if (auth === `Bearer ${secret}`) {
return { kind: 'cli' }
}
}
const admin = await getAdminFromCookie()
if (!admin) {
return {
kind: 'response',
response: NextResponse.json({ error: 'Unauthorized' }, { status: 401 }),
}
}
return { kind: 'admin', admin }
}
/**
* Convenience: log an admin-initiated audit event. Falls back to CLI actor when admin is null.
*/
export async function logAdminAudit(
adminId: string | null,
action: string,
details: Record<string, unknown> = {},
request?: Request,
targetInvestorId?: string | null,
): Promise<void> {
await logAudit(
null, // investor_id
action,
details,
request,
undefined, // slide_id
undefined, // session_id
adminId,
targetInvestorId ?? null,
)
}
export { ADMIN_COOKIE_NAME }

163
pitch-deck/lib/auth.ts Normal file
View File

@@ -0,0 +1,163 @@
import { SignJWT, jwtVerify } from 'jose'
import { randomBytes, createHash } from 'crypto'
import { cookies } from 'next/headers'
import pool from './db'
const COOKIE_NAME = 'pitch_session'
const JWT_EXPIRY = '1h'
const SESSION_EXPIRY_HOURS = 24
function getJwtSecret() {
const secret = process.env.PITCH_JWT_SECRET
if (!secret) throw new Error('PITCH_JWT_SECRET not set')
return new TextEncoder().encode(secret)
}
export function hashToken(token: string): string {
return createHash('sha256').update(token).digest('hex')
}
export function generateToken(): string {
return randomBytes(48).toString('hex')
}
export interface JwtPayload {
sub: string
email: string
sessionId: string
}
export async function createJwt(payload: JwtPayload): Promise<string> {
return new SignJWT({ ...payload })
.setProtectedHeader({ alg: 'HS256' })
.setIssuedAt()
.setExpirationTime(JWT_EXPIRY)
.sign(getJwtSecret())
}
export async function verifyJwt(token: string): Promise<JwtPayload | null> {
try {
const { payload } = await jwtVerify(token, getJwtSecret())
return payload as unknown as JwtPayload
} catch {
return null
}
}
export async function createSession(
investorId: string,
ip: string | null,
userAgent: string | null
): Promise<{ sessionId: string; jwt: string }> {
// Revoke all existing sessions for this investor (single session enforcement)
await pool.query(
`UPDATE pitch_sessions SET revoked = true WHERE investor_id = $1 AND revoked = false`,
[investorId]
)
const sessionToken = generateToken()
const tokenHash = hashToken(sessionToken)
const expiresAt = new Date(Date.now() + SESSION_EXPIRY_HOURS * 60 * 60 * 1000)
const { rows } = await pool.query(
`INSERT INTO pitch_sessions (investor_id, token_hash, ip_address, user_agent, expires_at)
VALUES ($1, $2, $3, $4, $5) RETURNING id`,
[investorId, tokenHash, ip, userAgent, expiresAt]
)
const sessionId = rows[0].id
// Get investor email for JWT
const investor = await pool.query(
`SELECT email FROM pitch_investors WHERE id = $1`,
[investorId]
)
const jwt = await createJwt({
sub: investorId,
email: investor.rows[0].email,
sessionId,
})
return { sessionId, jwt }
}
export async function validateSession(sessionId: string, investorId: string): Promise<boolean> {
const { rows } = await pool.query(
`SELECT id FROM pitch_sessions
WHERE id = $1 AND investor_id = $2 AND revoked = false AND expires_at > NOW()`,
[sessionId, investorId]
)
return rows.length > 0
}
export async function revokeSession(sessionId: string): Promise<void> {
await pool.query(
`UPDATE pitch_sessions SET revoked = true WHERE id = $1`,
[sessionId]
)
}
export async function revokeAllSessions(investorId: string): Promise<void> {
await pool.query(
`UPDATE pitch_sessions SET revoked = true WHERE investor_id = $1`,
[investorId]
)
}
export async function setSessionCookie(jwt: string): Promise<void> {
const cookieStore = await cookies()
cookieStore.set(COOKIE_NAME, jwt, {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
maxAge: SESSION_EXPIRY_HOURS * 60 * 60,
})
}
export async function clearSessionCookie(): Promise<void> {
const cookieStore = await cookies()
cookieStore.delete(COOKIE_NAME)
}
export async function getSessionFromCookie(): Promise<JwtPayload | null> {
const cookieStore = await cookies()
const token = cookieStore.get(COOKIE_NAME)?.value
if (!token) return null
return verifyJwt(token)
}
export function getClientIp(request: Request): string | null {
const forwarded = request.headers.get('x-forwarded-for')
if (forwarded) return forwarded.split(',')[0].trim()
return null
}
export function validateAdminSecret(request: Request): boolean {
const secret = process.env.PITCH_ADMIN_SECRET
if (!secret) return false
const auth = request.headers.get('authorization')
if (!auth) return false
return auth === `Bearer ${secret}`
}
export async function logAudit(
investorId: string | null,
action: string,
details: Record<string, unknown> = {},
request?: Request,
slideId?: string,
sessionId?: string,
adminId?: string | null,
targetInvestorId?: string | null,
): Promise<void> {
const ip = request ? getClientIp(request) : null
const ua = request ? request.headers.get('user-agent') : null
await pool.query(
`INSERT INTO pitch_audit_logs
(investor_id, action, details, ip_address, user_agent, slide_id, session_id, admin_id, target_investor_id)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)`,
[investorId, action, JSON.stringify(details), ip, ua, slideId, sessionId, adminId ?? null, targetInvestorId ?? null]
)
}

91
pitch-deck/lib/email.ts Normal file
View File

@@ -0,0 +1,91 @@
import nodemailer from 'nodemailer'
const transporter = nodemailer.createTransport({
host: process.env.SMTP_HOST,
port: parseInt(process.env.SMTP_PORT || '587'),
secure: process.env.SMTP_PORT === '465',
auth: {
user: process.env.SMTP_USERNAME,
pass: process.env.SMTP_PASSWORD,
},
})
const fromName = process.env.SMTP_FROM_NAME || 'BreakPilot'
const fromAddr = process.env.SMTP_FROM_ADDR || 'noreply@breakpilot.ai'
export async function sendMagicLinkEmail(
to: string,
investorName: string | null,
magicLinkUrl: string
): Promise<void> {
const greeting = investorName ? `Hello ${investorName}` : 'Hello'
await transporter.sendMail({
from: `"${fromName}" <${fromAddr}>`,
to,
subject: 'Your BreakPilot Pitch Deck Access',
html: `
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body style="margin:0;padding:0;background:#0a0a1a;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
<table width="100%" cellpadding="0" cellspacing="0" style="background:#0a0a1a;padding:40px 20px;">
<tr>
<td align="center">
<table width="560" cellpadding="0" cellspacing="0" style="background:#111127;border-radius:12px;border:1px solid rgba(99,102,241,0.2);">
<tr>
<td style="padding:40px 40px 20px;">
<h1 style="margin:0;font-size:24px;color:#e0e0ff;font-weight:600;">
BreakPilot ComplAI
</h1>
<p style="margin:8px 0 0;font-size:13px;color:rgba(255,255,255,0.4);">
Investor Pitch Deck
</p>
</td>
</tr>
<tr>
<td style="padding:20px 40px;">
<p style="margin:0 0 16px;font-size:16px;color:rgba(255,255,255,0.8);line-height:1.6;">
${greeting},
</p>
<p style="margin:0 0 24px;font-size:16px;color:rgba(255,255,255,0.8);line-height:1.6;">
You have been invited to view the BreakPilot ComplAI investor pitch deck.
Click the button below to access the interactive presentation.
</p>
<table cellpadding="0" cellspacing="0" style="margin:0 0 24px;">
<tr>
<td style="background:linear-gradient(135deg,#6366f1,#8b5cf6);border-radius:8px;padding:14px 32px;">
<a href="${magicLinkUrl}" style="color:#ffffff;font-size:16px;font-weight:600;text-decoration:none;display:inline-block;">
View Pitch Deck
</a>
</td>
</tr>
</table>
<p style="margin:0 0 8px;font-size:13px;color:rgba(255,255,255,0.4);line-height:1.5;">
This link expires in ${process.env.MAGIC_LINK_TTL_HOURS || '72'} hours and can only be used once.
</p>
<p style="margin:0;font-size:13px;color:rgba(255,255,255,0.3);line-height:1.5;word-break:break-all;">
${magicLinkUrl}
</p>
</td>
</tr>
<tr>
<td style="padding:20px 40px 40px;border-top:1px solid rgba(255,255,255,0.05);">
<p style="margin:0;font-size:12px;color:rgba(255,255,255,0.25);line-height:1.5;">
If you did not expect this email, you can safely ignore it.
This is an AI-first company — we don't do PDFs.
</p>
</td>
</tr>
</table>
</td>
</tr>
</table>
</body>
</html>
`,
})
}

73
pitch-deck/lib/hooks/useAuditTracker.ts Normal file
View File

@@ -0,0 +1,73 @@
'use client'
import { useEffect, useRef, useCallback } from 'react'
interface AuditTrackerOptions {
investorId: string | null
currentSlide: string
enabled: boolean
}
export function useAuditTracker({ investorId, currentSlide, enabled }: AuditTrackerOptions) {
const lastSlide = useRef<string>('')
const slideTimestamps = useRef<Map<string, number>>(new Map())
const pendingEvents = useRef<Array<{ action: string; details: Record<string, unknown>; slide_id?: string }>>([])
const flushTimer = useRef<NodeJS.Timeout | null>(null)
const flush = useCallback(async () => {
if (pendingEvents.current.length === 0) return
const events = [...pendingEvents.current]
pendingEvents.current = []
// Send events one at a time (they're debounced so there shouldn't be many)
for (const event of events) {
try {
await fetch('/api/audit', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(event),
})
} catch {
// Silently fail - audit should not block UX
}
}
}, [])
const track = useCallback((action: string, details: Record<string, unknown> = {}, slideId?: string) => {
if (!enabled || !investorId) return
pendingEvents.current.push({ action, details, slide_id: slideId })
// Debounce flush by 500ms
if (flushTimer.current) clearTimeout(flushTimer.current)
flushTimer.current = setTimeout(flush, 500)
}, [enabled, investorId, flush])
// Track slide views
useEffect(() => {
if (!enabled || !investorId || !currentSlide) return
if (currentSlide === lastSlide.current) return
const now = Date.now()
const prevTimestamp = slideTimestamps.current.get(lastSlide.current)
const dwellTime = prevTimestamp ? now - prevTimestamp : 0
lastSlide.current = currentSlide
slideTimestamps.current.set(currentSlide, now)
track('slide_viewed', {
slide_id: currentSlide,
previous_dwell_ms: dwellTime,
}, currentSlide)
}, [currentSlide, enabled, investorId, track])
// Flush on unmount
useEffect(() => {
return () => {
if (flushTimer.current) clearTimeout(flushTimer.current)
flush()
}
}, [flush])
return { track }
}

43
pitch-deck/lib/hooks/useAuth.ts Normal file
View File

@@ -0,0 +1,43 @@
'use client'
import { useState, useEffect, useCallback } from 'react'
export interface Investor {
id: string
email: string
name: string | null
company: string | null
status: string
last_login_at: string | null
login_count: number
created_at: string
}
export function useAuth() {
const [investor, setInvestor] = useState<Investor | null>(null)
const [loading, setLoading] = useState(true)
useEffect(() => {
async function fetchMe() {
try {
const res = await fetch('/api/auth/me')
if (res.ok) {
const data = await res.json()
setInvestor(data.investor)
}
} catch {
// Not authenticated
} finally {
setLoading(false)
}
}
fetchMe()
}, [])
const logout = useCallback(async () => {
await fetch('/api/auth/logout', { method: 'POST' })
window.location.href = '/auth'
}, [])
return { investor, loading, logout }
}

104
pitch-deck/lib/hooks/useFinancialModel.ts
View File

@@ -1,24 +1,55 @@
'use client'
import { useState, useEffect, useCallback, useRef } from 'react'
import { FMScenario, FMResult, FMComputeResponse } from '../types'
import { FMScenario, FMResult, FMComputeResponse, InvestorSnapshot } from '../types'
export function useFinancialModel() {
export function useFinancialModel(investorId?: string | null) {
const [scenarios, setScenarios] = useState<FMScenario[]>([])
const [activeScenarioId, setActiveScenarioId] = useState<string | null>(null)
const [compareMode, setCompareMode] = useState(false)
const [results, setResults] = useState<Map<string, FMComputeResponse>>(new Map())
const [loading, setLoading] = useState(true)
const [computing, setComputing] = useState(false)
const [snapshotStatus, setSnapshotStatus] = useState<'default' | 'saving' | 'saved' | 'restored'>('default')
const computeTimer = useRef<NodeJS.Timeout | null>(null)
const snapshotTimer = useRef<NodeJS.Timeout | null>(null)
const snapshotsLoaded = useRef(false)
// Load scenarios on mount
// Load scenarios on mount, then apply snapshots if investor is logged in
useEffect(() => {
async function load() {
try {
const res = await fetch('/api/financial-model')
if (res.ok) {
const data: FMScenario[] = await res.json()
let data: FMScenario[] = await res.json()
// If investor is logged in, restore their snapshots
if (investorId && !snapshotsLoaded.current) {
try {
const snapRes = await fetch('/api/snapshots')
if (snapRes.ok) {
const { snapshots } = await snapRes.json() as { snapshots: InvestorSnapshot[] }
if (snapshots.length > 0) {
data = data.map(scenario => {
const snapshot = snapshots.find(s => s.scenario_id === scenario.id)
if (!snapshot) return scenario
return {
...scenario,
assumptions: scenario.assumptions.map(a => {
const savedValue = snapshot.assumptions[a.key]
return savedValue !== undefined ? { ...a, value: savedValue } : a
}),
}
})
setSnapshotStatus('restored')
}
}
} catch {
// Snapshot restore failed — use defaults
}
snapshotsLoaded.current = true
}
setScenarios(data)
const defaultScenario = data.find(s => s.is_default) || data[0]
if (defaultScenario) {
@@ -32,7 +63,7 @@ export function useFinancialModel() {
}
}
load()
}, [])
}, [investorId])
// Compute when active scenario changes
useEffect(() => {
@@ -41,17 +72,17 @@ export function useFinancialModel() {
}
}, [activeScenarioId]) // eslint-disable-line react-hooks/exhaustive-deps
const compute = useCallback(async (scenarioId: string, source?: string) => {
const compute = useCallback(async (scenarioId: string) => {
setComputing(true)
try {
const res = await fetch('/api/financial-model/compute', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ scenarioId, source }),
body: JSON.stringify({ scenarioId }),
})
if (res.ok) {
const data: FMComputeResponse = await res.json()
setResults(prev => new Map(prev).set(source === 'finanzplan' ? 'finanzplan' : scenarioId, data))
setResults(prev => new Map(prev).set(scenarioId, data))
}
} catch (err) {
console.error('Compute failed:', err)
@@ -60,9 +91,27 @@ export function useFinancialModel() {
}
}, [])
const computeFromFinanzplan = useCallback(async () => {
await compute('', 'finanzplan')
}, [compute])
// Auto-save snapshot (debounced)
const saveSnapshot = useCallback(async (scenarioId: string) => {
if (!investorId) return
const scenario = scenarios.find(s => s.id === scenarioId)
if (!scenario) return
const assumptions: Record<string, number | number[]> = {}
scenario.assumptions.forEach(a => { assumptions[a.key] = a.value })
setSnapshotStatus('saving')
try {
await fetch('/api/snapshots', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ scenario_id: scenarioId, assumptions }),
})
setSnapshotStatus('saved')
} catch {
setSnapshotStatus('default')
}
}, [investorId, scenarios])
const updateAssumption = useCallback(async (scenarioId: string, key: string, value: number | number[]) => {
// Optimistic update in local state
@@ -84,7 +133,33 @@ export function useFinancialModel() {
// Debounced recompute
if (computeTimer.current) clearTimeout(computeTimer.current)
computeTimer.current = setTimeout(() => compute(scenarioId), 300)
}, [compute])
// Debounced snapshot save (2s after last change)
if (snapshotTimer.current) clearTimeout(snapshotTimer.current)
snapshotTimer.current = setTimeout(() => saveSnapshot(scenarioId), 2000)
}, [compute, saveSnapshot])
const resetToDefaults = useCallback(async (scenarioId: string) => {
// Reload from server (without snapshots)
try {
const res = await fetch('/api/financial-model')
if (res.ok) {
const data: FMScenario[] = await res.json()
const defaultScenario = data.find(s => s.id === scenarioId)
if (defaultScenario) {
setScenarios(prev => prev.map(s => s.id === scenarioId ? defaultScenario : s))
// Delete snapshot
if (investorId) {
await fetch(`/api/snapshots?id=${scenarioId}`, { method: 'DELETE' })
}
setSnapshotStatus('default')
compute(scenarioId)
}
}
} catch {
// ignore
}
}, [compute, investorId])
const computeAll = useCallback(async () => {
for (const s of scenarios) {
@@ -94,7 +169,6 @@ export function useFinancialModel() {
const activeScenario = scenarios.find(s => s.id === activeScenarioId) || null
const activeResults = activeScenarioId ? results.get(activeScenarioId) || null : null
const finanzplanResults = results.get('finanzplan') || null
return {
scenarios,
@@ -102,7 +176,6 @@ export function useFinancialModel() {
activeScenarioId,
setActiveScenarioId,
activeResults,
finanzplanResults,
results,
loading,
computing,
@@ -110,7 +183,8 @@ export function useFinancialModel() {
setCompareMode,
compute,
computeAll,
computeFromFinanzplan,
updateAssumption,
resetToDefaults,
snapshotStatus,
}
}

52
pitch-deck/lib/rate-limit.ts Normal file
View File

@@ -0,0 +1,52 @@
interface RateLimitEntry {
count: number
resetAt: number
}
const store = new Map<string, RateLimitEntry>()
// Cleanup stale entries every 60 seconds
setInterval(() => {
const now = Date.now()
for (const [key, entry] of store) {
if (entry.resetAt <= now) store.delete(key)
}
}, 60_000)
export interface RateLimitConfig {
/** Max requests in the window */
limit: number
/** Window size in seconds */
windowSec: number
}
export interface RateLimitResult {
allowed: boolean
remaining: number
resetAt: number
}
export function checkRateLimit(key: string, config: RateLimitConfig): RateLimitResult {
const now = Date.now()
const entry = store.get(key)
if (!entry || entry.resetAt <= now) {
store.set(key, { count: 1, resetAt: now + config.windowSec * 1000 })
return { allowed: true, remaining: config.limit - 1, resetAt: now + config.windowSec * 1000 }
}
if (entry.count >= config.limit) {
return { allowed: false, remaining: 0, resetAt: entry.resetAt }
}
entry.count++
return { allowed: true, remaining: config.limit - entry.count, resetAt: entry.resetAt }
}
// Preset configurations
export const RATE_LIMITS = {
magicLink: { limit: 3, windowSec: 3600 } as RateLimitConfig, // 3 per email per hour
authVerify: { limit: 10, windowSec: 900 } as RateLimitConfig, // 10 per IP per 15min
api: { limit: 60, windowSec: 60 } as RateLimitConfig, // 60 per session per minute
chat: { limit: 20, windowSec: 60 } as RateLimitConfig, // 20 per session per minute
} as const

21
pitch-deck/lib/types.ts
View File

@@ -193,6 +193,27 @@ export interface FMComputeResponse {
}
}
// Investor Auth Types
export interface Investor {
id: string
email: string
name: string | null
company: string | null
status: 'invited' | 'active' | 'revoked'
last_login_at: string | null
login_count: number
created_at: string
}
export interface InvestorSnapshot {
id: string
scenario_id: string
assumptions: Record<string, number | number[]>
label: string | null
is_latest: boolean
created_at: string
}
export type Language = 'de' | 'en'
export interface ChatMessage {

102
pitch-deck/middleware.ts Normal file
View File

@@ -0,0 +1,102 @@
import { NextRequest, NextResponse } from 'next/server'
import { jwtVerify } from 'jose'
// Paths that bypass auth entirely
const PUBLIC_PATHS = [
'/auth', // investor login pages
'/api/auth', // investor auth API
'/api/health',
'/api/admin-auth', // admin login API
'/pitch-admin/login', // admin login page
'/_next',
'/manifest.json',
'/sw.js',
'/icons',
'/favicon.ico',
]
// Paths gated on the admin session cookie
const ADMIN_GATED_PREFIXES = ['/pitch-admin', '/api/admin']
function isPublicPath(pathname: string): boolean {
return PUBLIC_PATHS.some(p => pathname === p || pathname.startsWith(p + '/'))
}
function isAdminGatedPath(pathname: string): boolean {
return ADMIN_GATED_PREFIXES.some(p => pathname === p || pathname.startsWith(p + '/'))
}
const ADMIN_AUDIENCE = 'pitch-admin'
export async function middleware(request: NextRequest) {
const { pathname } = request.nextUrl
const secret = process.env.PITCH_JWT_SECRET
// Allow public paths
if (isPublicPath(pathname)) {
return NextResponse.next()
}
// ----- Admin-gated routes -----
if (isAdminGatedPath(pathname)) {
// Allow legacy bearer-secret CLI access on /api/admin/* (the API routes themselves
// also check this and log as actor='cli'). The bearer header is opaque to the JWT
// path, so we just let it through here and let the route handler enforce.
if (pathname.startsWith('/api/admin') && request.headers.get('authorization')?.startsWith('Bearer ')) {
return NextResponse.next()
}
const adminToken = request.cookies.get('pitch_admin_session')?.value
if (!adminToken || !secret) {
if (pathname.startsWith('/api/')) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
return NextResponse.redirect(new URL('/pitch-admin/login', request.url))
}
try {
await jwtVerify(adminToken, new TextEncoder().encode(secret), { audience: ADMIN_AUDIENCE })
return NextResponse.next()
} catch {
if (pathname.startsWith('/api/')) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const response = NextResponse.redirect(new URL('/pitch-admin/login', request.url))
response.cookies.delete('pitch_admin_session')
return response
}
}
// ----- Investor-gated routes (everything else) -----
const token = request.cookies.get('pitch_session')?.value
if (!token || !secret) {
return NextResponse.redirect(new URL('/auth', request.url))
}
try {
const { payload } = await jwtVerify(token, new TextEncoder().encode(secret))
const response = NextResponse.next()
response.headers.set('x-investor-id', payload.sub as string)
response.headers.set('x-investor-email', payload.email as string)
response.headers.set('x-session-id', payload.sessionId as string)
const exp = payload.exp as number
const now = Math.floor(Date.now() / 1000)
const timeLeft = exp - now
if (timeLeft < 900 && timeLeft > 0) {
response.headers.set('x-token-refresh-needed', 'true')
}
return response
} catch {
const response = NextResponse.redirect(new URL('/auth', request.url))
response.cookies.delete('pitch_session')
return response
}
}
export const config = {
matcher: ['/((?!_next/static|_next/image).*)'],
}

79
pitch-deck/migrations/001_investor_auth.sql Normal file
View File

@@ -0,0 +1,79 @@
-- =========================================================
-- Pitch Deck: Investor Auth, Audit Logs, Snapshots
-- =========================================================
-- Invited investors
CREATE TABLE IF NOT EXISTS pitch_investors (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
name VARCHAR(255),
company VARCHAR(255),
invited_by VARCHAR(255) NOT NULL DEFAULT 'admin',
status VARCHAR(20) NOT NULL DEFAULT 'invited'
CHECK (status IN ('invited', 'active', 'revoked')),
last_login_at TIMESTAMPTZ,
login_count INTEGER NOT NULL DEFAULT 0,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_investors_email ON pitch_investors(email);
CREATE INDEX IF NOT EXISTS idx_pitch_investors_status ON pitch_investors(status);
-- Single-use magic link tokens
CREATE TABLE IF NOT EXISTS pitch_magic_links (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
investor_id UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
token VARCHAR(128) NOT NULL UNIQUE,
expires_at TIMESTAMPTZ NOT NULL,
used_at TIMESTAMPTZ,
ip_address INET,
user_agent TEXT,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_token ON pitch_magic_links(token);
CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_investor ON pitch_magic_links(investor_id);
CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_expires ON pitch_magic_links(expires_at);
-- Audit log for all investor activity
CREATE TABLE IF NOT EXISTS pitch_audit_logs (
id BIGSERIAL PRIMARY KEY,
investor_id UUID REFERENCES pitch_investors(id) ON DELETE SET NULL,
action VARCHAR(50) NOT NULL,
details JSONB DEFAULT '{}',
ip_address INET,
user_agent TEXT,
slide_id VARCHAR(50),
session_id UUID,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_audit_created ON pitch_audit_logs(created_at);
CREATE INDEX IF NOT EXISTS idx_pitch_audit_investor ON pitch_audit_logs(investor_id);
CREATE INDEX IF NOT EXISTS idx_pitch_audit_action ON pitch_audit_logs(action);
-- Per-investor financial model snapshots (JSONB)
CREATE TABLE IF NOT EXISTS pitch_investor_snapshots (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
investor_id UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
scenario_id UUID NOT NULL,
assumptions JSONB NOT NULL,
label VARCHAR(255),
is_latest BOOLEAN NOT NULL DEFAULT true,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_snapshots_investor ON pitch_investor_snapshots(investor_id);
CREATE UNIQUE INDEX IF NOT EXISTS idx_pitch_snapshots_latest
ON pitch_investor_snapshots(investor_id, scenario_id) WHERE is_latest = true;
-- Active sessions
CREATE TABLE IF NOT EXISTS pitch_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
investor_id UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
token_hash VARCHAR(128) NOT NULL,
ip_address INET,
user_agent TEXT,
expires_at TIMESTAMPTZ NOT NULL,
revoked BOOLEAN NOT NULL DEFAULT false,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_sessions_investor ON pitch_sessions(investor_id);
CREATE INDEX IF NOT EXISTS idx_pitch_sessions_token ON pitch_sessions(token_hash);

40
pitch-deck/migrations/002_admin_users.sql Normal file
View File

@@ -0,0 +1,40 @@
-- =========================================================
-- Pitch Deck: Admin Users + Audit Log Extensions
-- =========================================================
-- Admin users (real accounts with bcrypt passwords)
CREATE TABLE IF NOT EXISTS pitch_admins (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
email VARCHAR(255) NOT NULL UNIQUE,
name VARCHAR(255) NOT NULL,
password_hash VARCHAR(255) NOT NULL,
is_active BOOLEAN NOT NULL DEFAULT true,
last_login_at TIMESTAMPTZ,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_admins_email ON pitch_admins(email);
CREATE INDEX IF NOT EXISTS idx_pitch_admins_active ON pitch_admins(is_active);
-- Admin sessions (mirrors pitch_sessions structure)
CREATE TABLE IF NOT EXISTS pitch_admin_sessions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
admin_id UUID NOT NULL REFERENCES pitch_admins(id) ON DELETE CASCADE,
token_hash VARCHAR(128) NOT NULL,
ip_address INET,
user_agent TEXT,
expires_at TIMESTAMPTZ NOT NULL,
revoked BOOLEAN NOT NULL DEFAULT false,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX IF NOT EXISTS idx_pitch_admin_sessions_admin ON pitch_admin_sessions(admin_id);
CREATE INDEX IF NOT EXISTS idx_pitch_admin_sessions_token ON pitch_admin_sessions(token_hash);
-- Extend audit log: track admin actor + target investor for admin actions
ALTER TABLE pitch_audit_logs
ADD COLUMN IF NOT EXISTS admin_id UUID REFERENCES pitch_admins(id) ON DELETE SET NULL;
ALTER TABLE pitch_audit_logs
ADD COLUMN IF NOT EXISTS target_investor_id UUID REFERENCES pitch_investors(id) ON DELETE SET NULL;
CREATE INDEX IF NOT EXISTS idx_pitch_audit_admin ON pitch_audit_logs(admin_id);
CREATE INDEX IF NOT EXISTS idx_pitch_audit_target_investor ON pitch_audit_logs(target_investor_id);

15
pitch-deck/next.config.js
View File

@@ -5,6 +5,21 @@ const nextConfig = {
typescript: {
ignoreBuildErrors: true,
},
async headers() {
return [
{
source: '/:path*',
headers: [
{ key: 'X-Robots-Tag', value: 'noindex, nofollow, noarchive, nosnippet' },
{ key: 'X-Frame-Options', value: 'DENY' },
{ key: 'X-Content-Type-Options', value: 'nosniff' },
{ key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
{ key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
{ key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
],
},
]
},
}
module.exports = nextConfig

1741
pitch-deck/package-lock.json generated
View File

File diff suppressed because it is too large Load Diff

15
pitch-deck/package.json
View File

@@ -5,25 +5,36 @@
"scripts": {
"dev": "next dev -p 3012",
"build": "next build",
"start": "next start -p 3012"
"start": "next start -p 3012",
"admin:create": "tsx scripts/create-admin.ts",
"test": "vitest run",
"test:watch": "vitest"
},
"dependencies": {
"bcryptjs": "^3.0.3",
"framer-motion": "^11.15.0",
"jose": "^6.2.2",
"lucide-react": "^0.468.0",
"next": "^15.1.0",
"nodemailer": "^8.0.4",
"pg": "^8.13.1",
"react": "^18.3.1",
"react-dom": "^18.3.1",
"recharts": "^2.15.0"
},
"devDependencies": {
"@types/bcryptjs": "^2.4.6",
"@types/node": "^22.10.2",
"@types/nodemailer": "^8.0.0",
"@types/pg": "^8.11.10",
"@types/react": "^18.3.16",
"@types/react-dom": "^18.3.5",
"@vitest/expect": "^4.1.2",
"autoprefixer": "^10.4.20",
"postcss": "^8.4.49",
"tailwindcss": "^3.4.16",
"typescript": "^5.7.2"
"tsx": "^4.21.0",
"typescript": "^5.7.2",
"vitest": "^4.1.2"
}
}

BIN
pitch-deck/public/icons/icon-192.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.5 KiB

BIN
pitch-deck/public/icons/icon-512.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
pitch-deck/public/icons/icon-maskable-512.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

28
pitch-deck/public/manifest.json Normal file
View File

@@ -0,0 +1,28 @@
{
"name": "BreakPilot ComplAI — Investor Pitch",
"short_name": "BreakPilot Pitch",
"description": "Interactive investor pitch deck for BreakPilot ComplAI",
"start_url": "/",
"display": "fullscreen",
"orientation": "any",
"background_color": "#0a0a1a",
"theme_color": "#6366f1",
"icons": [
{
"src": "/icons/icon-192.png",
"sizes": "192x192",
"type": "image/png"
},
{
"src": "/icons/icon-512.png",
"sizes": "512x512",
"type": "image/png"
},
{
"src": "/icons/icon-maskable-512.png",
"sizes": "512x512",
"type": "image/png",
"purpose": "maskable"
}
]
}

70
pitch-deck/public/sw.js Normal file
View File

@@ -0,0 +1,70 @@
const CACHE_NAME = 'breakpilot-pitch-v1'
const STATIC_ASSETS = [
'/',
'/manifest.json',
]
// Install: cache the app shell
self.addEventListener('install', (event) => {
event.waitUntil(
caches.open(CACHE_NAME).then((cache) => cache.addAll(STATIC_ASSETS))
)
self.skipWaiting()
})
// Activate: clean old caches
self.addEventListener('activate', (event) => {
event.waitUntil(
caches.keys().then((keys) =>
Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))
)
)
self.clients.claim()
})
// Fetch: network-first for API, cache-first for static assets
self.addEventListener('fetch', (event) => {
const url = new URL(event.request.url)
// Skip non-GET requests
if (event.request.method !== 'GET') return
// Network-first for API routes and auth
if (url.pathname.startsWith('/api/') || url.pathname.startsWith('/auth')) {
event.respondWith(
fetch(event.request).catch(() => caches.match(event.request))
)
return
}
// Cache-first for static assets (JS, CSS, images, fonts)
if (
url.pathname.startsWith('/_next/static/') ||
url.pathname.startsWith('/icons/') ||
url.pathname.endsWith('.js') ||
url.pathname.endsWith('.css')
) {
event.respondWith(
caches.match(event.request).then((cached) => {
if (cached) return cached
return fetch(event.request).then((response) => {
const clone = response.clone()
caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
return response
})
})
)
return
}
// Network-first for everything else (HTML pages)
event.respondWith(
fetch(event.request)
.then((response) => {
const clone = response.clone()
caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
return response
})
.catch(() => caches.match(event.request))
)
})

68
pitch-deck/scripts/create-admin.ts Normal file
View File

@@ -0,0 +1,68 @@
#!/usr/bin/env tsx
/**
* Bootstrap a new pitch admin user.
*
* Usage:
* tsx scripts/create-admin.ts --email=ben@breakpilot.ai --name="Benjamin" --password='...'
*
* Or via env vars (useful in CI):
* PITCH_ADMIN_BOOTSTRAP_EMAIL=... PITCH_ADMIN_BOOTSTRAP_NAME=... PITCH_ADMIN_BOOTSTRAP_PASSWORD=... \
* tsx scripts/create-admin.ts
*
* Idempotent: if an admin with the email already exists, the password is updated
* (so you can use it to reset). The script always re-activates the account.
*/
import { Pool } from 'pg'
import bcrypt from 'bcryptjs'
function arg(name: string): string | undefined {
const prefix = `--${name}=`
const m = process.argv.find(a => a.startsWith(prefix))
return m ? m.slice(prefix.length) : undefined
}
const email = (arg('email') || process.env.PITCH_ADMIN_BOOTSTRAP_EMAIL || '').trim().toLowerCase()
const name = arg('name') || process.env.PITCH_ADMIN_BOOTSTRAP_NAME || 'Admin'
const password = arg('password') || process.env.PITCH_ADMIN_BOOTSTRAP_PASSWORD || ''
if (!email || !password) {
console.error('ERROR: --email and --password are required (or set env vars).')
console.error(' tsx scripts/create-admin.ts --email=user@example.com --name="Name" --password=secret')
process.exit(1)
}
if (password.length < 12) {
console.error('ERROR: password must be at least 12 characters.')
process.exit(1)
}
const pool = new Pool({
connectionString: process.env.DATABASE_URL || 'postgres://breakpilot:breakpilot123@localhost:5432/breakpilot_db',
})
async function main() {
const hash = await bcrypt.hash(password, 12)
const { rows } = await pool.query(
`INSERT INTO pitch_admins (email, name, password_hash, is_active)
VALUES ($1, $2, $3, true)
ON CONFLICT (email) DO UPDATE SET
name = EXCLUDED.name,
password_hash = EXCLUDED.password_hash,
is_active = true,
updated_at = NOW()
RETURNING id, email, name, created_at`,
[email, name, hash],
)
const row = rows[0]
console.log(`✓ Admin ready: ${row.email} (${row.name})`)
console.log(` id: ${row.id}`)
console.log(` created_at: ${row.created_at.toISOString()}`)
await pool.end()
}
main().catch(err => {
console.error('ERROR:', err.message)
pool.end().catch(() => {})
process.exit(1)
})

16
pitch-deck/vitest.config.ts Normal file
View File

@@ -0,0 +1,16 @@
import { defineConfig } from 'vitest/config'
import path from 'path'
export default defineConfig({
test: {
environment: 'node',
include: ['__tests__/**/*.test.ts'],
setupFiles: ['./__tests__/setup.ts'],
globals: false,
},
resolve: {
alias: {
'@': path.resolve(__dirname, '.'),
},
},
})