feat(pitch-deck): add passwordless investor auth, audit logs, snapshots & PWA

Implement a complete investor access system for the pitch deck: - Passwordless magic link auth (jose JWT + nodemailer SMTP) - Per-investor audit logging (slide views, assumption changes, chat) - Financial model snapshot persistence (auto-save/restore per investor) - PWA support (manifest, service worker, offline caching, icons) - Security safeguards (watermark overlay, rate limiting, anti-scraping headers, content protection, single-session enforcement) - Admin API for invite/revoke/audit-log management - Integrated into docker-compose.coolify.yml for production deployment Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-05 09:37:50 +02:00
parent c433bc021e
commit f565dfdb15
35 changed files with 4232 additions and 14 deletions
--- a/pitch-deck/public/icons/icon-192.png
+++ b/pitch-deck/public/icons/icon-192.png
--- a/pitch-deck/public/icons/icon-512.png
+++ b/pitch-deck/public/icons/icon-512.png
--- a/pitch-deck/public/icons/icon-maskable-512.png
+++ b/pitch-deck/public/icons/icon-maskable-512.png
--- a/pitch-deck/public/manifest.json
+++ b/pitch-deck/public/manifest.json
@@ -0,0 +1,28 @@
+{
+  "name": "BreakPilot ComplAI — Investor Pitch",
+  "short_name": "BreakPilot Pitch",
+  "description": "Interactive investor pitch deck for BreakPilot ComplAI",
+  "start_url": "/",
+  "display": "fullscreen",
+  "orientation": "any",
+  "background_color": "#0a0a1a",
+  "theme_color": "#6366f1",
+  "icons": [
+    {
+      "src": "/icons/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/icons/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    },
+    {
+      "src": "/icons/icon-maskable-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "maskable"
+    }
+  ]
+}
--- a/pitch-deck/public/sw.js
+++ b/pitch-deck/public/sw.js
@@ -0,0 +1,70 @@
+const CACHE_NAME = 'breakpilot-pitch-v1'
+const STATIC_ASSETS = [
+  '/',
+  '/manifest.json',
+]
+
+// Install: cache the app shell
+self.addEventListener('install', (event) => {
+  event.waitUntil(
+    caches.open(CACHE_NAME).then((cache) => cache.addAll(STATIC_ASSETS))
+  )
+  self.skipWaiting()
+})
+
+// Activate: clean old caches
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    caches.keys().then((keys) =>
+      Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))
+    )
+  )
+  self.clients.claim()
+})
+
+// Fetch: network-first for API, cache-first for static assets
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url)
+
+  // Skip non-GET requests
+  if (event.request.method !== 'GET') return
+
+  // Network-first for API routes and auth
+  if (url.pathname.startsWith('/api/') || url.pathname.startsWith('/auth')) {
+    event.respondWith(
+      fetch(event.request).catch(() => caches.match(event.request))
+    )
+    return
+  }
+
+  // Cache-first for static assets (JS, CSS, images, fonts)
+  if (
+    url.pathname.startsWith('/_next/static/') ||
+    url.pathname.startsWith('/icons/') ||
+    url.pathname.endsWith('.js') ||
+    url.pathname.endsWith('.css')
+  ) {
+    event.respondWith(
+      caches.match(event.request).then((cached) => {
+        if (cached) return cached
+        return fetch(event.request).then((response) => {
+          const clone = response.clone()
+          caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
+          return response
+        })
+      })
+    )
+    return
+  }
+
+  // Network-first for everything else (HTML pages)
+  event.respondWith(
+    fetch(event.request)
+      .then((response) => {
+        const clone = response.clone()
+        caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
+        return response
+      })
+      .catch(() => caches.match(event.request))
+  )
+})