feat(pitch-deck): add passwordless investor auth, audit logs, snapshots & PWA

Implement a complete investor access system for the pitch deck: - Passwordless magic link auth (jose JWT + nodemailer SMTP) - Per-investor audit logging (slide views, assumption changes, chat) - Financial model snapshot persistence (auto-save/restore per investor) - PWA support (manifest, service worker, offline caching, icons) - Security safeguards (watermark overlay, rate limiting, anti-scraping headers, content protection, single-session enforcement) - Admin API for invite/revoke/audit-log management - Integrated into docker-compose.coolify.yml for production deployment Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:37:50 +02:00
parent c433bc021e
commit f565dfdb15
35 changed files with 4232 additions and 14 deletions
--- a/pitch-deck/app/api/admin/audit-logs/route.ts
+++ b/pitch-deck/app/api/admin/audit-logs/route.ts
@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { searchParams } = new URL(request.url)
+  const investorId = searchParams.get('investor_id')
+  const action = searchParams.get('action')
+  const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
+  const offset = parseInt(searchParams.get('offset') || '0')
+
+  const conditions: string[] = []
+  const params: unknown[] = []
+  let paramIdx = 1
+
+  if (investorId) {
+    conditions.push(`a.investor_id = $${paramIdx++}`)
+    params.push(investorId)
+  }
+  if (action) {
+    conditions.push(`a.action = $${paramIdx++}`)
+    params.push(action)
+  }
+
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
+
+  const { rows } = await pool.query(
+    `SELECT a.*, i.email as investor_email, i.name as investor_name
+     FROM pitch_audit_logs a
+     LEFT JOIN pitch_investors i ON i.id = a.investor_id
+     ${where}
+     ORDER BY a.created_at DESC
+     LIMIT $${paramIdx++} OFFSET $${paramIdx++}`,
+    [...params, limit, offset]
+  )
+
+  return NextResponse.json({ logs: rows })
+}
--- a/pitch-deck/app/api/admin/investors/route.ts
+++ b/pitch-deck/app/api/admin/investors/route.ts
@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT i.id, i.email, i.name, i.company, i.status, i.last_login_at, i.login_count, i.created_at,
+            (SELECT COUNT(*) FROM pitch_audit_logs a WHERE a.investor_id = i.id AND a.action = 'slide_viewed') as slides_viewed,
+            (SELECT MAX(a.created_at) FROM pitch_audit_logs a WHERE a.investor_id = i.id) as last_activity
+     FROM pitch_investors i
+     ORDER BY i.created_at DESC`
+  )
+
+  return NextResponse.json({ investors: rows })
+}
--- a/pitch-deck/app/api/admin/invite/route.ts
+++ b/pitch-deck/app/api/admin/invite/route.ts
@@ -0,0 +1,68 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret, generateToken, logAudit, getClientIp } from '@/lib/auth'
+import { sendMagicLinkEmail } from '@/lib/email'
+import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
+
+export async function POST(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { email, name, company } = body
+
+  if (!email || typeof email !== 'string') {
+    return NextResponse.json({ error: 'Email required' }, { status: 400 })
+  }
+
+  // Rate limit by email
+  const rl = checkRateLimit(`magic-link:${email.toLowerCase()}`, RATE_LIMITS.magicLink)
+  if (!rl.allowed) {
+    return NextResponse.json({ error: 'Too many invites for this email. Try again later.' }, { status: 429 })
+  }
+
+  const normalizedEmail = email.toLowerCase().trim()
+
+  // Upsert investor
+  const { rows } = await pool.query(
+    `INSERT INTO pitch_investors (email, name, company)
+     VALUES ($1, $2, $3)
+     ON CONFLICT (email) DO UPDATE SET
+       name = COALESCE(EXCLUDED.name, pitch_investors.name),
+       company = COALESCE(EXCLUDED.company, pitch_investors.company),
+       status = CASE WHEN pitch_investors.status = 'revoked' THEN 'invited' ELSE pitch_investors.status END,
+       updated_at = NOW()
+     RETURNING id, status`,
+    [normalizedEmail, name || null, company || null]
+  )
+
+  const investor = rows[0]
+
+  // Generate magic link
+  const token = generateToken()
+  const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
+  const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
+
+  await pool.query(
+    `INSERT INTO pitch_magic_links (investor_id, token, expires_at)
+     VALUES ($1, $2, $3)`,
+    [investor.id, token, expiresAt]
+  )
+
+  // Build magic link URL
+  const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
+  const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
+
+  // Send email
+  await sendMagicLinkEmail(normalizedEmail, name || null, magicLinkUrl)
+
+  await logAudit(investor.id, 'magic_link_sent', { email: normalizedEmail }, request)
+
+  return NextResponse.json({
+    success: true,
+    investor_id: investor.id,
+    email: normalizedEmail,
+    expires_at: expiresAt.toISOString(),
+  })
+}
--- a/pitch-deck/app/api/admin/revoke/route.ts
+++ b/pitch-deck/app/api/admin/revoke/route.ts
@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret, revokeAllSessions, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { investor_id } = body
+
+  if (!investor_id) {
+    return NextResponse.json({ error: 'investor_id required' }, { status: 400 })
+  }
+
+  await pool.query(
+    `UPDATE pitch_investors SET status = 'revoked', updated_at = NOW() WHERE id = $1`,
+    [investor_id]
+  )
+
+  await revokeAllSessions(investor_id)
+  await logAudit(investor_id, 'investor_revoked', {}, request)
+
+  return NextResponse.json({ success: true })
+}
--- a/pitch-deck/app/api/audit/route.ts
+++ b/pitch-deck/app/api/audit/route.ts
@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getSessionFromCookie, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { action, details, slide_id } = body
+
+  if (!action || typeof action !== 'string') {
+    return NextResponse.json({ error: 'action required' }, { status: 400 })
+  }
+
+  // Only allow known client-side actions
+  const allowedActions = ['slide_viewed', 'assumption_changed', 'chat_message_sent', 'snapshot_saved', 'snapshot_restored']
+  if (!allowedActions.includes(action)) {
+    return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
+  }
+
+  await logAudit(session.sub, action, details || {}, request, slide_id, session.sessionId)
+
+  return NextResponse.json({ success: true })
+}
--- a/pitch-deck/app/api/auth/logout/route.ts
+++ b/pitch-deck/app/api/auth/logout/route.ts
@@ -0,0 +1,14 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getSessionFromCookie, revokeSession, clearSessionCookie, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+
+  if (session) {
+    await revokeSession(session.sessionId)
+    await logAudit(session.sub, 'logout', {}, request, undefined, session.sessionId)
+  }
+
+  await clearSessionCookie()
+  return NextResponse.json({ success: true })
+}
--- a/pitch-deck/app/api/auth/me/route.ts
+++ b/pitch-deck/app/api/auth/me/route.ts
@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { getSessionFromCookie, validateSession } from '@/lib/auth'
+
+export async function GET() {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const valid = await validateSession(session.sessionId, session.sub)
+  if (!valid) {
+    return NextResponse.json({ error: 'Session expired' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT id, email, name, company, status, last_login_at, login_count, created_at
+     FROM pitch_investors WHERE id = $1`,
+    [session.sub]
+  )
+
+  if (rows.length === 0 || rows[0].status === 'revoked') {
+    return NextResponse.json({ error: 'Access revoked' }, { status: 403 })
+  }
+
+  return NextResponse.json({ investor: rows[0] })
+}
--- a/pitch-deck/app/api/auth/verify/route.ts
+++ b/pitch-deck/app/api/auth/verify/route.ts
@@ -0,0 +1,85 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { createSession, setSessionCookie, getClientIp, logAudit, hashToken } from '@/lib/auth'
+import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
+
+export async function POST(request: NextRequest) {
+  const ip = getClientIp(request) || 'unknown'
+
+  // Rate limit by IP
+  const rl = checkRateLimit(`auth-verify:${ip}`, RATE_LIMITS.authVerify)
+  if (!rl.allowed) {
+    return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
+  }
+
+  const body = await request.json()
+  const { token } = body
+
+  if (!token || typeof token !== 'string') {
+    return NextResponse.json({ error: 'Token required' }, { status: 400 })
+  }
+
+  // Find the magic link
+  const { rows } = await pool.query(
+    `SELECT ml.id, ml.investor_id, ml.expires_at, ml.used_at, i.email, i.status as investor_status
+     FROM pitch_magic_links ml
+     JOIN pitch_investors i ON i.id = ml.investor_id
+     WHERE ml.token = $1`,
+    [token]
+  )
+
+  if (rows.length === 0) {
+    await logAudit(null, 'login_failed', { reason: 'invalid_token' }, request)
+    return NextResponse.json({ error: 'Invalid link' }, { status: 401 })
+  }
+
+  const link = rows[0]
+
+  if (link.used_at) {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'token_already_used' }, request)
+    return NextResponse.json({ error: 'This link has already been used. Please request a new one.' }, { status: 401 })
+  }
+
+  if (new Date(link.expires_at) < new Date()) {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'token_expired' }, request)
+    return NextResponse.json({ error: 'This link has expired. Please request a new one.' }, { status: 401 })
+  }
+
+  if (link.investor_status === 'revoked') {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'investor_revoked' }, request)
+    return NextResponse.json({ error: 'Access has been revoked.' }, { status: 403 })
+  }
+
+  const ua = request.headers.get('user-agent')
+
+  // Mark token as used
+  await pool.query(
+    `UPDATE pitch_magic_links SET used_at = NOW(), ip_address = $1, user_agent = $2 WHERE id = $3`,
+    [ip, ua, link.id]
+  )
+
+  // Activate investor if first login
+  await pool.query(
+    `UPDATE pitch_investors SET status = 'active', last_login_at = NOW(), login_count = login_count + 1, updated_at = NOW()
+     WHERE id = $1`,
+    [link.investor_id]
+  )
+
+  // Create session and set cookie
+  const { sessionId, jwt } = await createSession(link.investor_id, ip, ua)
+  await setSessionCookie(jwt)
+
+  // Check for new IP
+  const { rows: prevSessions } = await pool.query(
+    `SELECT DISTINCT ip_address FROM pitch_sessions WHERE investor_id = $1 AND id != $2 AND ip_address IS NOT NULL`,
+    [link.investor_id, sessionId]
+  )
+  const knownIps = prevSessions.map((r: { ip_address: string }) => r.ip_address)
+  if (knownIps.length > 0 && !knownIps.includes(ip)) {
+    await logAudit(link.investor_id, 'new_ip_detected', { ip, known_ips: knownIps }, request, undefined, sessionId)
+  }
+
+  await logAudit(link.investor_id, 'login_success', { email: link.email }, request, undefined, sessionId)
+
+  return NextResponse.json({ success: true, redirect: '/' })
+}
--- a/pitch-deck/app/api/health/route.ts
+++ b/pitch-deck/app/api/health/route.ts
@@ -0,0 +1,5 @@
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
+}
--- a/pitch-deck/app/api/snapshots/route.ts
+++ b/pitch-deck/app/api/snapshots/route.ts
@@ -0,0 +1,72 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { getSessionFromCookie } from '@/lib/auth'
+
+export async function GET() {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT id, scenario_id, assumptions, label, is_latest, created_at
+     FROM pitch_investor_snapshots
+     WHERE investor_id = $1 AND is_latest = true
+     ORDER BY created_at DESC`,
+    [session.sub]
+  )
+
+  return NextResponse.json({ snapshots: rows })
+}
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { scenario_id, assumptions, label } = body
+
+  if (!scenario_id || !assumptions) {
+    return NextResponse.json({ error: 'scenario_id and assumptions required' }, { status: 400 })
+  }
+
+  // Mark previous latest as not latest
+  await pool.query(
+    `UPDATE pitch_investor_snapshots SET is_latest = false
+     WHERE investor_id = $1 AND scenario_id = $2 AND is_latest = true`,
+    [session.sub, scenario_id]
+  )
+
+  // Insert new snapshot
+  const { rows } = await pool.query(
+    `INSERT INTO pitch_investor_snapshots (investor_id, scenario_id, assumptions, label, is_latest)
+     VALUES ($1, $2, $3, $4, true)
+     RETURNING id, created_at`,
+    [session.sub, scenario_id, JSON.stringify(assumptions), label || null]
+  )
+
+  return NextResponse.json({ snapshot: rows[0] })
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const { searchParams } = new URL(request.url)
+  const id = searchParams.get('id')
+
+  if (!id) {
+    return NextResponse.json({ error: 'Snapshot id required' }, { status: 400 })
+  }
+
+  await pool.query(
+    `DELETE FROM pitch_investor_snapshots WHERE id = $1 AND investor_id = $2`,
+    [id, session.sub]
+  )
+
+  return NextResponse.json({ success: true })
+}
--- a/pitch-deck/app/auth/page.tsx
+++ b/pitch-deck/app/auth/page.tsx
@@ -0,0 +1,57 @@
+'use client'
+
+import { motion } from 'framer-motion'
+
+export default function AuthPage() {
+  return (
+    <div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
+      {/* Background gradient */}
+      <div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
+
+      <motion.div
+        initial={{ opacity: 0, y: 20 }}
+        animate={{ opacity: 1, y: 0 }}
+        transition={{ duration: 0.6 }}
+        className="relative z-10 text-center max-w-md mx-auto px-6"
+      >
+        <div className="mb-8">
+          <h1 className="text-3xl font-bold bg-gradient-to-r from-indigo-400 to-purple-400 bg-clip-text text-transparent mb-2">
+            BreakPilot ComplAI
+          </h1>
+          <p className="text-white/30 text-sm">Investor Pitch Deck</p>
+        </div>
+
+        <div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
+          <div className="w-16 h-16 mx-auto mb-6 rounded-full bg-indigo-500/10 flex items-center justify-center">
+            <svg className="w-8 h-8 text-indigo-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5}
+                d="M21.75 9v.906a2.25 2.25 0 01-1.183 1.981l-6.478 3.488M2.25 9v.906a2.25 2.25 0 001.183 1.981l6.478 3.488m8.839 2.51l-4.66-2.51m0 0l-1.023-.55a2.25 2.25 0 00-2.134 0l-1.022.55m0 0l-4.661 2.51m16.5-1.5a2.25 2.25 0 01-2.25 2.25h-15a2.25 2.25 0 01-2.25-2.25V6.75A2.25 2.25 0 014.5 4.5h15a2.25 2.25 0 012.25 2.25v11.25z" />
+            </svg>
+          </div>
+
+          <h2 className="text-xl font-semibold text-white/90 mb-3">
+            Invitation Required
+          </h2>
+
+          <p className="text-white/50 text-sm leading-relaxed mb-6">
+            This interactive pitch deck is available by invitation only.
+            Please check your email for an access link.
+          </p>
+
+          <div className="border-t border-white/[0.06] pt-5">
+            <p className="text-white/30 text-xs">
+              Questions? Contact us at{' '}
+              <a href="mailto:pitch@breakpilot.ai" className="text-indigo-400/80 hover:text-indigo-400 transition-colors">
+                pitch@breakpilot.ai
+              </a>
+            </p>
+          </div>
+        </div>
+
+        <p className="mt-6 text-white/20 text-xs">
+          We are an AI-first company. No PDFs. No slide decks. Just code.
+        </p>
+      </motion.div>
+    </div>
+  )
+}
--- a/pitch-deck/app/auth/verify/page.tsx
+++ b/pitch-deck/app/auth/verify/page.tsx
@@ -0,0 +1,112 @@
+'use client'
+
+import { Suspense, useEffect, useState } from 'react'
+import { useSearchParams, useRouter } from 'next/navigation'
+import { motion } from 'framer-motion'
+
+function VerifyContent() {
+  const searchParams = useSearchParams()
+  const router = useRouter()
+  const token = searchParams.get('token')
+
+  const [status, setStatus] = useState<'verifying' | 'success' | 'error'>('verifying')
+  const [errorMsg, setErrorMsg] = useState('')
+
+  useEffect(() => {
+    if (!token) {
+      setStatus('error')
+      setErrorMsg('No access token provided.')
+      return
+    }
+
+    async function verify() {
+      try {
+        const res = await fetch('/api/auth/verify', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ token }),
+        })
+
+        if (res.ok) {
+          setStatus('success')
+          setTimeout(() => router.push('/'), 1000)
+        } else {
+          const data = await res.json()
+          setStatus('error')
+          setErrorMsg(data.error || 'Verification failed.')
+        }
+      } catch {
+        setStatus('error')
+        setErrorMsg('Network error. Please try again.')
+      }
+    }
+
+    verify()
+  }, [token, router])
+
+  return (
+    <motion.div
+      initial={{ opacity: 0, scale: 0.95 }}
+      animate={{ opacity: 1, scale: 1 }}
+      transition={{ duration: 0.4 }}
+      className="relative z-10 text-center max-w-md mx-auto px-6"
+    >
+      <div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
+        {status === 'verifying' && (
+          <>
+            <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+            <p className="text-white/60">Verifying your access link...</p>
+          </>
+        )}
+
+        {status === 'success' && (
+          <>
+            <div className="w-16 h-16 mx-auto mb-4 rounded-full bg-green-500/10 flex items-center justify-center">
+              <svg className="w-8 h-8 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+              </svg>
+            </div>
+            <p className="text-white/80 font-medium">Access verified!</p>
+            <p className="text-white/40 text-sm mt-2">Redirecting to pitch deck...</p>
+          </>
+        )}
+
+        {status === 'error' && (
+          <>
+            <div className="w-16 h-16 mx-auto mb-4 rounded-full bg-red-500/10 flex items-center justify-center">
+              <svg className="w-8 h-8 text-red-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+              </svg>
+            </div>
+            <p className="text-white/80 font-medium mb-2">Access Denied</p>
+            <p className="text-white/50 text-sm">{errorMsg}</p>
+            <a
+              href="/auth"
+              className="inline-block mt-6 text-indigo-400 text-sm hover:text-indigo-300 transition-colors"
+            >
+              Back to login
+            </a>
+          </>
+        )}
+      </div>
+    </motion.div>
+  )
+}
+
+export default function VerifyPage() {
+  return (
+    <div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
+      <div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
+      <Suspense
+        fallback={
+          <div className="relative z-10 text-center">
+            <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+            <p className="text-white/60">Loading...</p>
+          </div>
+        }
+      >
+        <VerifyContent />
+      </Suspense>
+    </div>
+  )
+}
--- a/pitch-deck/app/layout.tsx
+++ b/pitch-deck/app/layout.tsx
@@ -1,9 +1,23 @@
-import type { Metadata } from 'next'
+import type { Metadata, Viewport } from 'next'
 import './globals.css'

 export const metadata: Metadata = {
  title: 'BreakPilot ComplAI — Investor Pitch Deck',
  description: 'Datensouveraenitaet meets KI-Compliance. Pre-Seed Q4 2026.',
+  manifest: '/manifest.json',
+  robots: { index: false, follow: false },
+  appleWebApp: {
+    capable: true,
+    statusBarStyle: 'black-translucent',
+    title: 'BreakPilot Pitch',
+  },
+}
+
+export const viewport: Viewport = {
+  themeColor: '#6366f1',
+  width: 'device-width',
+  initialScale: 1,
+  maximumScale: 1,
 }

 export default function RootLayout({
@@ -13,8 +27,22 @@ export default function RootLayout({
 }) {
  return (
    <html lang="de" className="dark">
+      <head>
+        <link rel="apple-touch-icon" href="/icons/icon-192.png" />
+      </head>
      <body className="bg-[#0a0a1a] text-white antialiased overflow-hidden h-screen">
        {children}
+        <script
+          dangerouslySetInnerHTML={{
+            __html: `
+              if ('serviceWorker' in navigator) {
+                window.addEventListener('load', () => {
+                  navigator.serviceWorker.register('/sw.js').catch(() => {});
+                });
+              }
+            `,
+          }}
+        />
      </body>
    </html>
  )
--- a/pitch-deck/app/page.tsx
+++ b/pitch-deck/app/page.tsx
@@ -2,14 +2,24 @@

 import { useState, useCallback } from 'react'
 import { Language } from '@/lib/types'
+import { useAuth } from '@/lib/hooks/useAuth'
 import PitchDeck from '@/components/PitchDeck'

 export default function Home() {
  const [lang, setLang] = useState<Language>('de')
+  const { investor, loading, logout } = useAuth()

  const toggleLanguage = useCallback(() => {
    setLang(prev => prev === 'de' ? 'en' : 'de')
  }, [])

-  return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} />
+  if (loading) {
+    return (
+      <div className="h-screen flex items-center justify-center">
+        <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
+      </div>
+    )
+  }
+
+  return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} investor={investor} onLogout={logout} />
 }