feat(pitch-deck): add passwordless investor auth, audit logs, snapshots & PWA

Implement a complete investor access system for the pitch deck:

- Passwordless magic link auth (jose JWT + nodemailer SMTP)
- Per-investor audit logging (slide views, assumption changes, chat)
- Financial model snapshot persistence (auto-save/restore per investor)
- PWA support (manifest, service worker, offline caching, icons)
- Security safeguards (watermark overlay, rate limiting, anti-scraping
  headers, content protection, single-session enforcement)
- Admin API for invite/revoke/audit-log management
- Integrated into docker-compose.coolify.yml for production deployment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker-compose.coolify.yml

@@ -171,6 +171,39 @@ services:
     networks:
       - breakpilot-network
 
+  # =========================================================
+  # PITCH DECK
+  # =========================================================
+  pitch-deck:
+    build:
+      context: ./pitch-deck
+      dockerfile: Dockerfile
+    container_name: bp-core-pitch-deck
+    expose:
+      - "3000"
+    environment:
+      DATABASE_URL: postgres://${POSTGRES_USER}:${POSTGRES_PASSWORD}@${POSTGRES_HOST}:${POSTGRES_PORT:-5432}/${POSTGRES_DB}
+      PITCH_JWT_SECRET: ${PITCH_JWT_SECRET}
+      PITCH_ADMIN_SECRET: ${PITCH_ADMIN_SECRET}
+      PITCH_BASE_URL: ${PITCH_BASE_URL:-https://pitch.breakpilot.ai}
+      MAGIC_LINK_TTL_HOURS: ${MAGIC_LINK_TTL_HOURS:-72}
+      SMTP_HOST: ${SMTP_HOST}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USERNAME: ${SMTP_USERNAME}
+      SMTP_PASSWORD: ${SMTP_PASSWORD}
+      SMTP_FROM_NAME: ${SMTP_FROM_NAME:-BreakPilot}
+      SMTP_FROM_ADDR: ${SMTP_FROM_ADDR:-noreply@breakpilot.ai}
+      NODE_ENV: production
+    healthcheck:
+      test: ["CMD", "wget", "-q", "--spider", "http://127.0.0.1:3000/api/health"]
+      interval: 30s
+      timeout: 10s
+      start_period: 15s
+      retries: 3
+    restart: unless-stopped
+    networks:
+      - breakpilot-network
+
   # =========================================================
   # HEALTH AGGREGATOR
   # =========================================================
@@ -183,7 +216,7 @@ services:
       - "8099"
     environment:
       PORT: 8099
-      CHECK_SERVICES: "valkey:6379,consent-service:8081,rag-service:8097,embedding-service:8087,paddleocr-service:8095"
+      CHECK_SERVICES: "valkey:6379,consent-service:8081,rag-service:8097,embedding-service:8087,paddleocr-service:8095,pitch-deck:3000"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://127.0.0.1:8099/health"]
       interval: 30s

pitch-deck/app/api/admin/audit-logs/route.ts

@@ -0,0 +1,42 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { searchParams } = new URL(request.url)
+  const investorId = searchParams.get('investor_id')
+  const action = searchParams.get('action')
+  const limit = Math.min(parseInt(searchParams.get('limit') || '100'), 500)
+  const offset = parseInt(searchParams.get('offset') || '0')
+
+  const conditions: string[] = []
+  const params: unknown[] = []
+  let paramIdx = 1
+
+  if (investorId) {
+    conditions.push(`a.investor_id = $${paramIdx++}`)
+    params.push(investorId)
+  }
+  if (action) {
+    conditions.push(`a.action = $${paramIdx++}`)
+    params.push(action)
+  }
+
+  const where = conditions.length > 0 ? `WHERE ${conditions.join(' AND ')}` : ''
+
+  const { rows } = await pool.query(
+    `SELECT a.*, i.email as investor_email, i.name as investor_name
+     FROM pitch_audit_logs a
+     LEFT JOIN pitch_investors i ON i.id = a.investor_id
+     ${where}
+     ORDER BY a.created_at DESC
+     LIMIT $${paramIdx++} OFFSET $${paramIdx++}`,
+    [...params, limit, offset]
+  )
+
+  return NextResponse.json({ logs: rows })
+}

pitch-deck/app/api/admin/investors/route.ts

@@ -0,0 +1,19 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret } from '@/lib/auth'
+
+export async function GET(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT i.id, i.email, i.name, i.company, i.status, i.last_login_at, i.login_count, i.created_at,
+            (SELECT COUNT(*) FROM pitch_audit_logs a WHERE a.investor_id = i.id AND a.action = 'slide_viewed') as slides_viewed,
+            (SELECT MAX(a.created_at) FROM pitch_audit_logs a WHERE a.investor_id = i.id) as last_activity
+     FROM pitch_investors i
+     ORDER BY i.created_at DESC`
+  )
+
+  return NextResponse.json({ investors: rows })
+}

pitch-deck/app/api/admin/invite/route.ts

@@ -0,0 +1,68 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret, generateToken, logAudit, getClientIp } from '@/lib/auth'
+import { sendMagicLinkEmail } from '@/lib/email'
+import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
+
+export async function POST(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { email, name, company } = body
+
+  if (!email || typeof email !== 'string') {
+    return NextResponse.json({ error: 'Email required' }, { status: 400 })
+  }
+
+  // Rate limit by email
+  const rl = checkRateLimit(`magic-link:${email.toLowerCase()}`, RATE_LIMITS.magicLink)
+  if (!rl.allowed) {
+    return NextResponse.json({ error: 'Too many invites for this email. Try again later.' }, { status: 429 })
+  }
+
+  const normalizedEmail = email.toLowerCase().trim()
+
+  // Upsert investor
+  const { rows } = await pool.query(
+    `INSERT INTO pitch_investors (email, name, company)
+     VALUES ($1, $2, $3)
+     ON CONFLICT (email) DO UPDATE SET
+       name = COALESCE(EXCLUDED.name, pitch_investors.name),
+       company = COALESCE(EXCLUDED.company, pitch_investors.company),
+       status = CASE WHEN pitch_investors.status = 'revoked' THEN 'invited' ELSE pitch_investors.status END,
+       updated_at = NOW()
+     RETURNING id, status`,
+    [normalizedEmail, name || null, company || null]
+  )
+
+  const investor = rows[0]
+
+  // Generate magic link
+  const token = generateToken()
+  const ttlHours = parseInt(process.env.MAGIC_LINK_TTL_HOURS || '72')
+  const expiresAt = new Date(Date.now() + ttlHours * 60 * 60 * 1000)
+
+  await pool.query(
+    `INSERT INTO pitch_magic_links (investor_id, token, expires_at)
+     VALUES ($1, $2, $3)`,
+    [investor.id, token, expiresAt]
+  )
+
+  // Build magic link URL
+  const baseUrl = process.env.PITCH_BASE_URL || 'https://pitch.breakpilot.ai'
+  const magicLinkUrl = `${baseUrl}/auth/verify?token=${token}`
+
+  // Send email
+  await sendMagicLinkEmail(normalizedEmail, name || null, magicLinkUrl)
+
+  await logAudit(investor.id, 'magic_link_sent', { email: normalizedEmail }, request)
+
+  return NextResponse.json({
+    success: true,
+    investor_id: investor.id,
+    email: normalizedEmail,
+    expires_at: expiresAt.toISOString(),
+  })
+}

pitch-deck/app/api/admin/revoke/route.ts

@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { validateAdminSecret, revokeAllSessions, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  if (!validateAdminSecret(request)) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { investor_id } = body
+
+  if (!investor_id) {
+    return NextResponse.json({ error: 'investor_id required' }, { status: 400 })
+  }
+
+  await pool.query(
+    `UPDATE pitch_investors SET status = 'revoked', updated_at = NOW() WHERE id = $1`,
+    [investor_id]
+  )
+
+  await revokeAllSessions(investor_id)
+  await logAudit(investor_id, 'investor_revoked', {}, request)
+
+  return NextResponse.json({ success: true })
+}

pitch-deck/app/api/audit/route.ts

@@ -0,0 +1,26 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getSessionFromCookie, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { action, details, slide_id } = body
+
+  if (!action || typeof action !== 'string') {
+    return NextResponse.json({ error: 'action required' }, { status: 400 })
+  }
+
+  // Only allow known client-side actions
+  const allowedActions = ['slide_viewed', 'assumption_changed', 'chat_message_sent', 'snapshot_saved', 'snapshot_restored']
+  if (!allowedActions.includes(action)) {
+    return NextResponse.json({ error: 'Invalid action' }, { status: 400 })
+  }
+
+  await logAudit(session.sub, action, details || {}, request, slide_id, session.sessionId)
+
+  return NextResponse.json({ success: true })
+}

pitch-deck/app/api/auth/logout/route.ts

@@ -0,0 +1,14 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { getSessionFromCookie, revokeSession, clearSessionCookie, logAudit } from '@/lib/auth'
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+
+  if (session) {
+    await revokeSession(session.sessionId)
+    await logAudit(session.sub, 'logout', {}, request, undefined, session.sessionId)
+  }
+
+  await clearSessionCookie()
+  return NextResponse.json({ success: true })
+}

pitch-deck/app/api/auth/me/route.ts

@@ -0,0 +1,27 @@
+import { NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { getSessionFromCookie, validateSession } from '@/lib/auth'
+
+export async function GET() {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const valid = await validateSession(session.sessionId, session.sub)
+  if (!valid) {
+    return NextResponse.json({ error: 'Session expired' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT id, email, name, company, status, last_login_at, login_count, created_at
+     FROM pitch_investors WHERE id = $1`,
+    [session.sub]
+  )
+
+  if (rows.length === 0 || rows[0].status === 'revoked') {
+    return NextResponse.json({ error: 'Access revoked' }, { status: 403 })
+  }
+
+  return NextResponse.json({ investor: rows[0] })
+}

pitch-deck/app/api/auth/verify/route.ts

@@ -0,0 +1,85 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { createSession, setSessionCookie, getClientIp, logAudit, hashToken } from '@/lib/auth'
+import { checkRateLimit, RATE_LIMITS } from '@/lib/rate-limit'
+
+export async function POST(request: NextRequest) {
+  const ip = getClientIp(request) || 'unknown'
+
+  // Rate limit by IP
+  const rl = checkRateLimit(`auth-verify:${ip}`, RATE_LIMITS.authVerify)
+  if (!rl.allowed) {
+    return NextResponse.json({ error: 'Too many attempts. Try again later.' }, { status: 429 })
+  }
+
+  const body = await request.json()
+  const { token } = body
+
+  if (!token || typeof token !== 'string') {
+    return NextResponse.json({ error: 'Token required' }, { status: 400 })
+  }
+
+  // Find the magic link
+  const { rows } = await pool.query(
+    `SELECT ml.id, ml.investor_id, ml.expires_at, ml.used_at, i.email, i.status as investor_status
+     FROM pitch_magic_links ml
+     JOIN pitch_investors i ON i.id = ml.investor_id
+     WHERE ml.token = $1`,
+    [token]
+  )
+
+  if (rows.length === 0) {
+    await logAudit(null, 'login_failed', { reason: 'invalid_token' }, request)
+    return NextResponse.json({ error: 'Invalid link' }, { status: 401 })
+  }
+
+  const link = rows[0]
+
+  if (link.used_at) {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'token_already_used' }, request)
+    return NextResponse.json({ error: 'This link has already been used. Please request a new one.' }, { status: 401 })
+  }
+
+  if (new Date(link.expires_at) < new Date()) {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'token_expired' }, request)
+    return NextResponse.json({ error: 'This link has expired. Please request a new one.' }, { status: 401 })
+  }
+
+  if (link.investor_status === 'revoked') {
+    await logAudit(link.investor_id, 'login_failed', { reason: 'investor_revoked' }, request)
+    return NextResponse.json({ error: 'Access has been revoked.' }, { status: 403 })
+  }
+
+  const ua = request.headers.get('user-agent')
+
+  // Mark token as used
+  await pool.query(
+    `UPDATE pitch_magic_links SET used_at = NOW(), ip_address = $1, user_agent = $2 WHERE id = $3`,
+    [ip, ua, link.id]
+  )
+
+  // Activate investor if first login
+  await pool.query(
+    `UPDATE pitch_investors SET status = 'active', last_login_at = NOW(), login_count = login_count + 1, updated_at = NOW()
+     WHERE id = $1`,
+    [link.investor_id]
+  )
+
+  // Create session and set cookie
+  const { sessionId, jwt } = await createSession(link.investor_id, ip, ua)
+  await setSessionCookie(jwt)
+
+  // Check for new IP
+  const { rows: prevSessions } = await pool.query(
+    `SELECT DISTINCT ip_address FROM pitch_sessions WHERE investor_id = $1 AND id != $2 AND ip_address IS NOT NULL`,
+    [link.investor_id, sessionId]
+  )
+  const knownIps = prevSessions.map((r: { ip_address: string }) => r.ip_address)
+  if (knownIps.length > 0 && !knownIps.includes(ip)) {
+    await logAudit(link.investor_id, 'new_ip_detected', { ip, known_ips: knownIps }, request, undefined, sessionId)
+  }
+
+  await logAudit(link.investor_id, 'login_success', { email: link.email }, request, undefined, sessionId)
+
+  return NextResponse.json({ success: true, redirect: '/' })
+}

pitch-deck/app/api/health/route.ts

@@ -0,0 +1,5 @@
+import { NextResponse } from 'next/server'
+
+export async function GET() {
+  return NextResponse.json({ status: 'ok', timestamp: new Date().toISOString() })
+}

pitch-deck/app/api/snapshots/route.ts

@@ -0,0 +1,72 @@
+import { NextRequest, NextResponse } from 'next/server'
+import pool from '@/lib/db'
+import { getSessionFromCookie } from '@/lib/auth'
+
+export async function GET() {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const { rows } = await pool.query(
+    `SELECT id, scenario_id, assumptions, label, is_latest, created_at
+     FROM pitch_investor_snapshots
+     WHERE investor_id = $1 AND is_latest = true
+     ORDER BY created_at DESC`,
+    [session.sub]
+  )
+
+  return NextResponse.json({ snapshots: rows })
+}
+
+export async function POST(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const body = await request.json()
+  const { scenario_id, assumptions, label } = body
+
+  if (!scenario_id || !assumptions) {
+    return NextResponse.json({ error: 'scenario_id and assumptions required' }, { status: 400 })
+  }
+
+  // Mark previous latest as not latest
+  await pool.query(
+    `UPDATE pitch_investor_snapshots SET is_latest = false
+     WHERE investor_id = $1 AND scenario_id = $2 AND is_latest = true`,
+    [session.sub, scenario_id]
+  )
+
+  // Insert new snapshot
+  const { rows } = await pool.query(
+    `INSERT INTO pitch_investor_snapshots (investor_id, scenario_id, assumptions, label, is_latest)
+     VALUES ($1, $2, $3, $4, true)
+     RETURNING id, created_at`,
+    [session.sub, scenario_id, JSON.stringify(assumptions), label || null]
+  )
+
+  return NextResponse.json({ snapshot: rows[0] })
+}
+
+export async function DELETE(request: NextRequest) {
+  const session = await getSessionFromCookie()
+  if (!session) {
+    return NextResponse.json({ error: 'Not authenticated' }, { status: 401 })
+  }
+
+  const { searchParams } = new URL(request.url)
+  const id = searchParams.get('id')
+
+  if (!id) {
+    return NextResponse.json({ error: 'Snapshot id required' }, { status: 400 })
+  }
+
+  await pool.query(
+    `DELETE FROM pitch_investor_snapshots WHERE id = $1 AND investor_id = $2`,
+    [id, session.sub]
+  )
+
+  return NextResponse.json({ success: true })
+}

pitch-deck/app/auth/page.tsx

@@ -0,0 +1,57 @@
+'use client'
+
+import { motion } from 'framer-motion'
+
+export default function AuthPage() {
+  return (
+    <div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
+      {/* Background gradient */}
+      <div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
+
+      <motion.div
+        initial={{ opacity: 0, y: 20 }}
+        animate={{ opacity: 1, y: 0 }}
+        transition={{ duration: 0.6 }}
+        className="relative z-10 text-center max-w-md mx-auto px-6"
+      >
+        <div className="mb-8">
+          <h1 className="text-3xl font-bold bg-gradient-to-r from-indigo-400 to-purple-400 bg-clip-text text-transparent mb-2">
+            BreakPilot ComplAI
+          </h1>
+          <p className="text-white/30 text-sm">Investor Pitch Deck</p>
+        </div>
+
+        <div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
+          <div className="w-16 h-16 mx-auto mb-6 rounded-full bg-indigo-500/10 flex items-center justify-center">
+            <svg className="w-8 h-8 text-indigo-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={1.5}
+                d="M21.75 9v.906a2.25 2.25 0 01-1.183 1.981l-6.478 3.488M2.25 9v.906a2.25 2.25 0 001.183 1.981l6.478 3.488m8.839 2.51l-4.66-2.51m0 0l-1.023-.55a2.25 2.25 0 00-2.134 0l-1.022.55m0 0l-4.661 2.51m16.5-1.5a2.25 2.25 0 01-2.25 2.25h-15a2.25 2.25 0 01-2.25-2.25V6.75A2.25 2.25 0 014.5 4.5h15a2.25 2.25 0 012.25 2.25v11.25z" />
+            </svg>
+          </div>
+
+          <h2 className="text-xl font-semibold text-white/90 mb-3">
+            Invitation Required
+          </h2>
+
+          <p className="text-white/50 text-sm leading-relaxed mb-6">
+            This interactive pitch deck is available by invitation only.
+            Please check your email for an access link.
+          </p>
+
+          <div className="border-t border-white/[0.06] pt-5">
+            <p className="text-white/30 text-xs">
+              Questions? Contact us at{' '}
+              <a href="mailto:pitch@breakpilot.ai" className="text-indigo-400/80 hover:text-indigo-400 transition-colors">
+                pitch@breakpilot.ai
+              </a>
+            </p>
+          </div>
+        </div>
+
+        <p className="mt-6 text-white/20 text-xs">
+          We are an AI-first company. No PDFs. No slide decks. Just code.
+        </p>
+      </motion.div>
+    </div>
+  )
+}

pitch-deck/app/auth/verify/page.tsx

@@ -0,0 +1,112 @@
+'use client'
+
+import { Suspense, useEffect, useState } from 'react'
+import { useSearchParams, useRouter } from 'next/navigation'
+import { motion } from 'framer-motion'
+
+function VerifyContent() {
+  const searchParams = useSearchParams()
+  const router = useRouter()
+  const token = searchParams.get('token')
+
+  const [status, setStatus] = useState<'verifying' | 'success' | 'error'>('verifying')
+  const [errorMsg, setErrorMsg] = useState('')
+
+  useEffect(() => {
+    if (!token) {
+      setStatus('error')
+      setErrorMsg('No access token provided.')
+      return
+    }
+
+    async function verify() {
+      try {
+        const res = await fetch('/api/auth/verify', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ token }),
+        })
+
+        if (res.ok) {
+          setStatus('success')
+          setTimeout(() => router.push('/'), 1000)
+        } else {
+          const data = await res.json()
+          setStatus('error')
+          setErrorMsg(data.error || 'Verification failed.')
+        }
+      } catch {
+        setStatus('error')
+        setErrorMsg('Network error. Please try again.')
+      }
+    }
+
+    verify()
+  }, [token, router])
+
+  return (
+    <motion.div
+      initial={{ opacity: 0, scale: 0.95 }}
+      animate={{ opacity: 1, scale: 1 }}
+      transition={{ duration: 0.4 }}
+      className="relative z-10 text-center max-w-md mx-auto px-6"
+    >
+      <div className="bg-white/[0.03] border border-white/[0.06] rounded-2xl p-8 backdrop-blur-sm">
+        {status === 'verifying' && (
+          <>
+            <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+            <p className="text-white/60">Verifying your access link...</p>
+          </>
+        )}
+
+        {status === 'success' && (
+          <>
+            <div className="w-16 h-16 mx-auto mb-4 rounded-full bg-green-500/10 flex items-center justify-center">
+              <svg className="w-8 h-8 text-green-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+              </svg>
+            </div>
+            <p className="text-white/80 font-medium">Access verified!</p>
+            <p className="text-white/40 text-sm mt-2">Redirecting to pitch deck...</p>
+          </>
+        )}
+
+        {status === 'error' && (
+          <>
+            <div className="w-16 h-16 mx-auto mb-4 rounded-full bg-red-500/10 flex items-center justify-center">
+              <svg className="w-8 h-8 text-red-400" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+              </svg>
+            </div>
+            <p className="text-white/80 font-medium mb-2">Access Denied</p>
+            <p className="text-white/50 text-sm">{errorMsg}</p>
+            <a
+              href="/auth"
+              className="inline-block mt-6 text-indigo-400 text-sm hover:text-indigo-300 transition-colors"
+            >
+              Back to login
+            </a>
+          </>
+        )}
+      </div>
+    </motion.div>
+  )
+}
+
+export default function VerifyPage() {
+  return (
+    <div className="h-screen flex items-center justify-center bg-[#0a0a1a] relative overflow-hidden">
+      <div className="absolute inset-0 bg-gradient-to-br from-indigo-950/30 via-transparent to-purple-950/20" />
+      <Suspense
+        fallback={
+          <div className="relative z-10 text-center">
+            <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin mx-auto mb-4" />
+            <p className="text-white/60">Loading...</p>
+          </div>
+        }
+      >
+        <VerifyContent />
+      </Suspense>
+    </div>
+  )
+}

pitch-deck/app/layout.tsx

@@ -1,9 +1,23 @@
-import type { Metadata } from 'next'
+import type { Metadata, Viewport } from 'next'
 import './globals.css'
 
 export const metadata: Metadata = {
   title: 'BreakPilot ComplAI — Investor Pitch Deck',
   description: 'Datensouveraenitaet meets KI-Compliance. Pre-Seed Q4 2026.',
+  manifest: '/manifest.json',
+  robots: { index: false, follow: false },
+  appleWebApp: {
+    capable: true,
+    statusBarStyle: 'black-translucent',
+    title: 'BreakPilot Pitch',
+  },
+}
+
+export const viewport: Viewport = {
+  themeColor: '#6366f1',
+  width: 'device-width',
+  initialScale: 1,
+  maximumScale: 1,
 }
 
 export default function RootLayout({
@@ -13,8 +27,22 @@ export default function RootLayout({
 }) {
   return (
     <html lang="de" className="dark">
+      <head>
+        <link rel="apple-touch-icon" href="/icons/icon-192.png" />
+      </head>
       <body className="bg-[#0a0a1a] text-white antialiased overflow-hidden h-screen">
         {children}
+        <script
+          dangerouslySetInnerHTML={{
+            __html: `
+              if ('serviceWorker' in navigator) {
+                window.addEventListener('load', () => {
+                  navigator.serviceWorker.register('/sw.js').catch(() => {});
+                });
+              }
+            `,
+          }}
+        />
       </body>
     </html>
   )

pitch-deck/app/page.tsx

@@ -2,14 +2,24 @@
 
 import { useState, useCallback } from 'react'
 import { Language } from '@/lib/types'
+import { useAuth } from '@/lib/hooks/useAuth'
 import PitchDeck from '@/components/PitchDeck'
 
 export default function Home() {
   const [lang, setLang] = useState<Language>('de')
+  const { investor, loading, logout } = useAuth()
 
   const toggleLanguage = useCallback(() => {
     setLang(prev => prev === 'de' ? 'en' : 'de')
   }, [])
 
-  return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} />
+  if (loading) {
+    return (
+      <div className="h-screen flex items-center justify-center">
+        <div className="w-12 h-12 border-2 border-indigo-500 border-t-transparent rounded-full animate-spin" />
+      </div>
+    )
+  }
+
+  return <PitchDeck lang={lang} onToggleLanguage={toggleLanguage} investor={investor} onLogout={logout} />
 }

pitch-deck/components/PitchDeck.tsx

@@ -5,7 +5,9 @@ import { AnimatePresence } from 'framer-motion'
 import { useSlideNavigation } from '@/lib/hooks/useSlideNavigation'
 import { useKeyboard } from '@/lib/hooks/useKeyboard'
 import { usePitchData } from '@/lib/hooks/usePitchData'
+import { useAuditTracker } from '@/lib/hooks/useAuditTracker'
 import { Language, PitchData } from '@/lib/types'
+import { Investor } from '@/lib/hooks/useAuth'
 
 import ParticleBackground from './ParticleBackground'
 import ProgressBar from './ProgressBar'
@@ -14,6 +16,7 @@ import NavigationFAB from './NavigationFAB'
 import ChatFAB from './ChatFAB'
 import SlideOverview from './SlideOverview'
 import SlideContainer from './SlideContainer'
+import Watermark from './Watermark'
 
 import CoverSlide from './slides/CoverSlide'
 import ProblemSlide from './slides/ProblemSlide'
@@ -38,13 +41,22 @@ import AIPipelineSlide from './slides/AIPipelineSlide'
 interface PitchDeckProps {
   lang: Language
   onToggleLanguage: () => void
+  investor: Investor | null
+  onLogout: () => void
 }
 
-export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
+export default function PitchDeck({ lang, onToggleLanguage, investor, onLogout }: PitchDeckProps) {
   const { data, loading, error } = usePitchData()
   const nav = useSlideNavigation()
   const [fabOpen, setFabOpen] = useState(false)
 
+  // Audit tracking
+  useAuditTracker({
+    investorId: investor?.id || null,
+    currentSlide: nav.currentSlide,
+    enabled: !!investor,
+  })
+
   const toggleFullscreen = useCallback(() => {
     if (!document.fullscreenElement) {
       document.documentElement.requestFullscreen()
@@ -117,7 +129,7 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
       case 'team':
         return <TeamSlide lang={lang} team={data.team} />
       case 'financials':
-        return <FinancialsSlide lang={lang} />
+        return <FinancialsSlide lang={lang} investorId={investor?.id || null} />
       case 'the-ask':
         return <TheAskSlide lang={lang} funding={data.funding} />
       case 'ai-qa':
@@ -140,10 +152,16 @@ export default function PitchDeck({ lang, onToggleLanguage }: PitchDeckProps) {
   }
 
   return (
-    <div className="h-screen relative overflow-hidden bg-gradient-to-br from-slate-950 via-[#0a0a1a] to-slate-950">
+    <div
+      className="h-screen relative overflow-hidden bg-gradient-to-br from-slate-950 via-[#0a0a1a] to-slate-950 select-none"
+      onContextMenu={(e) => e.preventDefault()}
+    >
       <ParticleBackground />
       <ProgressBar current={nav.currentIndex} total={nav.totalSlides} />
 
+      {/* Investor watermark */}
+      {investor && <Watermark text={investor.email} />}
+
       <SlideContainer slideKey={nav.currentSlide} direction={nav.direction}>
         {renderSlide()}
       </SlideContainer>

pitch-deck/components/Watermark.tsx

@@ -0,0 +1,36 @@
+'use client'
+
+interface WatermarkProps {
+  text: string
+}
+
+export default function Watermark({ text }: WatermarkProps) {
+  if (!text) return null
+
+  return (
+    <div
+      className="fixed inset-0 pointer-events-none z-50 overflow-hidden select-none"
+      aria-hidden="true"
+    >
+      <div className="absolute inset-0 flex items-center justify-center">
+        <div
+          className="text-white/[0.03] text-2xl font-mono whitespace-nowrap tracking-widest"
+          style={{
+            transform: 'rotate(-35deg) scale(1.5)',
+            userSelect: 'none',
+            WebkitUserSelect: 'none',
+          }}
+        >
+          {/* Repeat the watermark text in a grid pattern */}
+          {Array.from({ length: 7 }, (_, row) => (
+            <div key={row} className="my-16">
+              {Array.from({ length: 3 }, (_, col) => (
+                <span key={col} className="mx-12">{text}</span>
+              ))}
+            </div>
+          ))}
+        </div>
+      </div>
+    </div>
+  )
+}

pitch-deck/components/slides/FinancialsSlide.tsx

@@ -20,11 +20,12 @@ type FinTab = 'overview' | 'guv' | 'cashflow'
 
 interface FinancialsSlideProps {
   lang: Language
+  investorId: string | null
 }
 
-export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
+export default function FinancialsSlide({ lang, investorId }: FinancialsSlideProps) {
   const i = t(lang)
-  const fm = useFinancialModel()
+  const fm = useFinancialModel(investorId)
   const [activeTab, setActiveTab] = useState<FinTab>('overview')
   const de = lang === 'de'
 
@@ -268,6 +269,26 @@ export default function FinancialsSlide({ lang }: FinancialsSlideProps) {
                   {de ? 'Berechne...' : 'Computing...'}
                 </div>
               )}
+
+              {/* Snapshot status + reset */}
+              {investorId && (
+                <div className="flex items-center justify-between mt-2 pt-2 border-t border-white/5">
+                  <span className="text-[9px] text-white/30">
+                    {fm.snapshotStatus === 'saving' && (de ? 'Speichere...' : 'Saving...')}
+                    {fm.snapshotStatus === 'saved' && (de ? 'Ihre Aenderungen gespeichert' : 'Your changes saved')}
+                    {fm.snapshotStatus === 'restored' && (de ? 'Ihre Werte geladen' : 'Your values restored')}
+                    {fm.snapshotStatus === 'default' && (de ? 'Standardwerte' : 'Defaults')}
+                  </span>
+                  {fm.snapshotStatus !== 'default' && (
+                    <button
+                      onClick={() => fm.activeScenarioId && fm.resetToDefaults(fm.activeScenarioId)}
+                      className="text-[9px] text-white/40 hover:text-white/70 transition-colors"
+                    >
+                      {de ? 'Zuruecksetzen' : 'Reset to defaults'}
+                    </button>
+                  )}
+                </div>
+              )}
             </div>
           </FadeInView>
         </div>

pitch-deck/lib/auth.ts

@@ -0,0 +1,160 @@
+import { SignJWT, jwtVerify } from 'jose'
+import { randomBytes, createHash } from 'crypto'
+import { cookies } from 'next/headers'
+import pool from './db'
+
+const COOKIE_NAME = 'pitch_session'
+const JWT_EXPIRY = '1h'
+const SESSION_EXPIRY_HOURS = 24
+
+function getJwtSecret() {
+  const secret = process.env.PITCH_JWT_SECRET
+  if (!secret) throw new Error('PITCH_JWT_SECRET not set')
+  return new TextEncoder().encode(secret)
+}
+
+export function hashToken(token: string): string {
+  return createHash('sha256').update(token).digest('hex')
+}
+
+export function generateToken(): string {
+  return randomBytes(48).toString('hex')
+}
+
+export interface JwtPayload {
+  sub: string
+  email: string
+  sessionId: string
+}
+
+export async function createJwt(payload: JwtPayload): Promise<string> {
+  return new SignJWT({ ...payload })
+    .setProtectedHeader({ alg: 'HS256' })
+    .setIssuedAt()
+    .setExpirationTime(JWT_EXPIRY)
+    .sign(getJwtSecret())
+}
+
+export async function verifyJwt(token: string): Promise<JwtPayload | null> {
+  try {
+    const { payload } = await jwtVerify(token, getJwtSecret())
+    return payload as unknown as JwtPayload
+  } catch {
+    return null
+  }
+}
+
+export async function createSession(
+  investorId: string,
+  ip: string | null,
+  userAgent: string | null
+): Promise<{ sessionId: string; jwt: string }> {
+  // Revoke all existing sessions for this investor (single session enforcement)
+  await pool.query(
+    `UPDATE pitch_sessions SET revoked = true WHERE investor_id = $1 AND revoked = false`,
+    [investorId]
+  )
+
+  const sessionToken = generateToken()
+  const tokenHash = hashToken(sessionToken)
+  const expiresAt = new Date(Date.now() + SESSION_EXPIRY_HOURS * 60 * 60 * 1000)
+
+  const { rows } = await pool.query(
+    `INSERT INTO pitch_sessions (investor_id, token_hash, ip_address, user_agent, expires_at)
+     VALUES ($1, $2, $3, $4, $5) RETURNING id`,
+    [investorId, tokenHash, ip, userAgent, expiresAt]
+  )
+
+  const sessionId = rows[0].id
+
+  // Get investor email for JWT
+  const investor = await pool.query(
+    `SELECT email FROM pitch_investors WHERE id = $1`,
+    [investorId]
+  )
+
+  const jwt = await createJwt({
+    sub: investorId,
+    email: investor.rows[0].email,
+    sessionId,
+  })
+
+  return { sessionId, jwt }
+}
+
+export async function validateSession(sessionId: string, investorId: string): Promise<boolean> {
+  const { rows } = await pool.query(
+    `SELECT id FROM pitch_sessions
+     WHERE id = $1 AND investor_id = $2 AND revoked = false AND expires_at > NOW()`,
+    [sessionId, investorId]
+  )
+  return rows.length > 0
+}
+
+export async function revokeSession(sessionId: string): Promise<void> {
+  await pool.query(
+    `UPDATE pitch_sessions SET revoked = true WHERE id = $1`,
+    [sessionId]
+  )
+}
+
+export async function revokeAllSessions(investorId: string): Promise<void> {
+  await pool.query(
+    `UPDATE pitch_sessions SET revoked = true WHERE investor_id = $1`,
+    [investorId]
+  )
+}
+
+export async function setSessionCookie(jwt: string): Promise<void> {
+  const cookieStore = await cookies()
+  cookieStore.set(COOKIE_NAME, jwt, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: SESSION_EXPIRY_HOURS * 60 * 60,
+  })
+}
+
+export async function clearSessionCookie(): Promise<void> {
+  const cookieStore = await cookies()
+  cookieStore.delete(COOKIE_NAME)
+}
+
+export async function getSessionFromCookie(): Promise<JwtPayload | null> {
+  const cookieStore = await cookies()
+  const token = cookieStore.get(COOKIE_NAME)?.value
+  if (!token) return null
+  return verifyJwt(token)
+}
+
+export function getClientIp(request: Request): string | null {
+  const forwarded = request.headers.get('x-forwarded-for')
+  if (forwarded) return forwarded.split(',')[0].trim()
+  return null
+}
+
+export function validateAdminSecret(request: Request): boolean {
+  const secret = process.env.PITCH_ADMIN_SECRET
+  if (!secret) return false
+  const auth = request.headers.get('authorization')
+  if (!auth) return false
+  return auth === `Bearer ${secret}`
+}
+
+export async function logAudit(
+  investorId: string | null,
+  action: string,
+  details: Record<string, unknown> = {},
+  request?: Request,
+  slideId?: string,
+  sessionId?: string
+): Promise<void> {
+  const ip = request ? getClientIp(request) : null
+  const ua = request ? request.headers.get('user-agent') : null
+  await pool.query(
+    `INSERT INTO pitch_audit_logs (investor_id, action, details, ip_address, user_agent, slide_id, session_id)
+     VALUES ($1, $2, $3, $4, $5, $6, $7)`,
+    [investorId, action, JSON.stringify(details), ip, ua, slideId, sessionId]
+  )
+}

pitch-deck/lib/email.ts

@@ -0,0 +1,91 @@
+import nodemailer from 'nodemailer'
+
+const transporter = nodemailer.createTransport({
+  host: process.env.SMTP_HOST,
+  port: parseInt(process.env.SMTP_PORT || '587'),
+  secure: process.env.SMTP_PORT === '465',
+  auth: {
+    user: process.env.SMTP_USERNAME,
+    pass: process.env.SMTP_PASSWORD,
+  },
+})
+
+const fromName = process.env.SMTP_FROM_NAME || 'BreakPilot'
+const fromAddr = process.env.SMTP_FROM_ADDR || 'noreply@breakpilot.ai'
+
+export async function sendMagicLinkEmail(
+  to: string,
+  investorName: string | null,
+  magicLinkUrl: string
+): Promise<void> {
+  const greeting = investorName ? `Hello ${investorName}` : 'Hello'
+
+  await transporter.sendMail({
+    from: `"${fromName}" <${fromAddr}>`,
+    to,
+    subject: 'Your BreakPilot Pitch Deck Access',
+    html: `
+      <!DOCTYPE html>
+      <html>
+      <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+      </head>
+      <body style="margin:0;padding:0;background:#0a0a1a;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;">
+        <table width="100%" cellpadding="0" cellspacing="0" style="background:#0a0a1a;padding:40px 20px;">
+          <tr>
+            <td align="center">
+              <table width="560" cellpadding="0" cellspacing="0" style="background:#111127;border-radius:12px;border:1px solid rgba(99,102,241,0.2);">
+                <tr>
+                  <td style="padding:40px 40px 20px;">
+                    <h1 style="margin:0;font-size:24px;color:#e0e0ff;font-weight:600;">
+                      BreakPilot ComplAI
+                    </h1>
+                    <p style="margin:8px 0 0;font-size:13px;color:rgba(255,255,255,0.4);">
+                      Investor Pitch Deck
+                    </p>
+                  </td>
+                </tr>
+                <tr>
+                  <td style="padding:20px 40px;">
+                    <p style="margin:0 0 16px;font-size:16px;color:rgba(255,255,255,0.8);line-height:1.6;">
+                      ${greeting},
+                    </p>
+                    <p style="margin:0 0 24px;font-size:16px;color:rgba(255,255,255,0.8);line-height:1.6;">
+                      You have been invited to view the BreakPilot ComplAI investor pitch deck.
+                      Click the button below to access the interactive presentation.
+                    </p>
+                    <table cellpadding="0" cellspacing="0" style="margin:0 0 24px;">
+                      <tr>
+                        <td style="background:linear-gradient(135deg,#6366f1,#8b5cf6);border-radius:8px;padding:14px 32px;">
+                          <a href="${magicLinkUrl}" style="color:#ffffff;font-size:16px;font-weight:600;text-decoration:none;display:inline-block;">
+                            View Pitch Deck
+                          </a>
+                        </td>
+                      </tr>
+                    </table>
+                    <p style="margin:0 0 8px;font-size:13px;color:rgba(255,255,255,0.4);line-height:1.5;">
+                      This link expires in ${process.env.MAGIC_LINK_TTL_HOURS || '72'} hours and can only be used once.
+                    </p>
+                    <p style="margin:0;font-size:13px;color:rgba(255,255,255,0.3);line-height:1.5;word-break:break-all;">
+                      ${magicLinkUrl}
+                    </p>
+                  </td>
+                </tr>
+                <tr>
+                  <td style="padding:20px 40px 40px;border-top:1px solid rgba(255,255,255,0.05);">
+                    <p style="margin:0;font-size:12px;color:rgba(255,255,255,0.25);line-height:1.5;">
+                      If you did not expect this email, you can safely ignore it.
+                      This is an AI-first company — we don't do PDFs.
+                    </p>
+                  </td>
+                </tr>
+              </table>
+            </td>
+          </tr>
+        </table>
+      </body>
+      </html>
+    `,
+  })
+}

pitch-deck/lib/hooks/useAuditTracker.ts

@@ -0,0 +1,73 @@
+'use client'
+
+import { useEffect, useRef, useCallback } from 'react'
+
+interface AuditTrackerOptions {
+  investorId: string | null
+  currentSlide: string
+  enabled: boolean
+}
+
+export function useAuditTracker({ investorId, currentSlide, enabled }: AuditTrackerOptions) {
+  const lastSlide = useRef<string>('')
+  const slideTimestamps = useRef<Map<string, number>>(new Map())
+  const pendingEvents = useRef<Array<{ action: string; details: Record<string, unknown>; slide_id?: string }>>([])
+  const flushTimer = useRef<NodeJS.Timeout | null>(null)
+
+  const flush = useCallback(async () => {
+    if (pendingEvents.current.length === 0) return
+    const events = [...pendingEvents.current]
+    pendingEvents.current = []
+
+    // Send events one at a time (they're debounced so there shouldn't be many)
+    for (const event of events) {
+      try {
+        await fetch('/api/audit', {
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(event),
+        })
+      } catch {
+        // Silently fail - audit should not block UX
+      }
+    }
+  }, [])
+
+  const track = useCallback((action: string, details: Record<string, unknown> = {}, slideId?: string) => {
+    if (!enabled || !investorId) return
+
+    pendingEvents.current.push({ action, details, slide_id: slideId })
+
+    // Debounce flush by 500ms
+    if (flushTimer.current) clearTimeout(flushTimer.current)
+    flushTimer.current = setTimeout(flush, 500)
+  }, [enabled, investorId, flush])
+
+  // Track slide views
+  useEffect(() => {
+    if (!enabled || !investorId || !currentSlide) return
+    if (currentSlide === lastSlide.current) return
+
+    const now = Date.now()
+    const prevTimestamp = slideTimestamps.current.get(lastSlide.current)
+    const dwellTime = prevTimestamp ? now - prevTimestamp : 0
+
+    lastSlide.current = currentSlide
+    slideTimestamps.current.set(currentSlide, now)
+
+    track('slide_viewed', {
+      slide_id: currentSlide,
+      previous_dwell_ms: dwellTime,
+    }, currentSlide)
+  }, [currentSlide, enabled, investorId, track])
+
+  // Flush on unmount
+  useEffect(() => {
+    return () => {
+      if (flushTimer.current) clearTimeout(flushTimer.current)
+      flush()
+    }
+  }, [flush])
+
+  return { track }
+}

pitch-deck/lib/hooks/useAuth.ts

@@ -0,0 +1,43 @@
+'use client'
+
+import { useState, useEffect, useCallback } from 'react'
+
+export interface Investor {
+  id: string
+  email: string
+  name: string | null
+  company: string | null
+  status: string
+  last_login_at: string | null
+  login_count: number
+  created_at: string
+}
+
+export function useAuth() {
+  const [investor, setInvestor] = useState<Investor | null>(null)
+  const [loading, setLoading] = useState(true)
+
+  useEffect(() => {
+    async function fetchMe() {
+      try {
+        const res = await fetch('/api/auth/me')
+        if (res.ok) {
+          const data = await res.json()
+          setInvestor(data.investor)
+        }
+      } catch {
+        // Not authenticated
+      } finally {
+        setLoading(false)
+      }
+    }
+    fetchMe()
+  }, [])
+
+  const logout = useCallback(async () => {
+    await fetch('/api/auth/logout', { method: 'POST' })
+    window.location.href = '/auth'
+  }, [])
+
+  return { investor, loading, logout }
+}

pitch-deck/lib/hooks/useFinancialModel.ts

@@ -1,24 +1,55 @@
 'use client'
 
 import { useState, useEffect, useCallback, useRef } from 'react'
-import { FMScenario, FMResult, FMComputeResponse } from '../types'
+import { FMScenario, FMResult, FMComputeResponse, InvestorSnapshot } from '../types'
 
-export function useFinancialModel() {
+export function useFinancialModel(investorId?: string | null) {
   const [scenarios, setScenarios] = useState<FMScenario[]>([])
   const [activeScenarioId, setActiveScenarioId] = useState<string | null>(null)
   const [compareMode, setCompareMode] = useState(false)
   const [results, setResults] = useState<Map<string, FMComputeResponse>>(new Map())
   const [loading, setLoading] = useState(true)
   const [computing, setComputing] = useState(false)
+  const [snapshotStatus, setSnapshotStatus] = useState<'default' | 'saving' | 'saved' | 'restored'>('default')
   const computeTimer = useRef<NodeJS.Timeout | null>(null)
+  const snapshotTimer = useRef<NodeJS.Timeout | null>(null)
+  const snapshotsLoaded = useRef(false)
 
-  // Load scenarios on mount
+  // Load scenarios on mount, then apply snapshots if investor is logged in
   useEffect(() => {
     async function load() {
       try {
         const res = await fetch('/api/financial-model')
         if (res.ok) {
-          const data: FMScenario[] = await res.json()
+          let data: FMScenario[] = await res.json()
+
+          // If investor is logged in, restore their snapshots
+          if (investorId && !snapshotsLoaded.current) {
+            try {
+              const snapRes = await fetch('/api/snapshots')
+              if (snapRes.ok) {
+                const { snapshots } = await snapRes.json() as { snapshots: InvestorSnapshot[] }
+                if (snapshots.length > 0) {
+                  data = data.map(scenario => {
+                    const snapshot = snapshots.find(s => s.scenario_id === scenario.id)
+                    if (!snapshot) return scenario
+                    return {
+                      ...scenario,
+                      assumptions: scenario.assumptions.map(a => {
+                        const savedValue = snapshot.assumptions[a.key]
+                        return savedValue !== undefined ? { ...a, value: savedValue } : a
+                      }),
+                    }
+                  })
+                  setSnapshotStatus('restored')
+                }
+              }
+            } catch {
+              // Snapshot restore failed — use defaults
+            }
+            snapshotsLoaded.current = true
+          }
+
           setScenarios(data)
           const defaultScenario = data.find(s => s.is_default) || data[0]
           if (defaultScenario) {
@@ -32,7 +63,7 @@ export function useFinancialModel() {
       }
     }
     load()
-  }, [])
+  }, [investorId])
 
   // Compute when active scenario changes
   useEffect(() => {
@@ -60,6 +91,28 @@ export function useFinancialModel() {
     }
   }, [])
 
+  // Auto-save snapshot (debounced)
+  const saveSnapshot = useCallback(async (scenarioId: string) => {
+    if (!investorId) return
+    const scenario = scenarios.find(s => s.id === scenarioId)
+    if (!scenario) return
+
+    const assumptions: Record<string, number | number[]> = {}
+    scenario.assumptions.forEach(a => { assumptions[a.key] = a.value })
+
+    setSnapshotStatus('saving')
+    try {
+      await fetch('/api/snapshots', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ scenario_id: scenarioId, assumptions }),
+      })
+      setSnapshotStatus('saved')
+    } catch {
+      setSnapshotStatus('default')
+    }
+  }, [investorId, scenarios])
+
   const updateAssumption = useCallback(async (scenarioId: string, key: string, value: number | number[]) => {
     // Optimistic update in local state
     setScenarios(prev => prev.map(s => {
@@ -80,7 +133,33 @@ export function useFinancialModel() {
     // Debounced recompute
     if (computeTimer.current) clearTimeout(computeTimer.current)
     computeTimer.current = setTimeout(() => compute(scenarioId), 300)
-  }, [compute])
+
+    // Debounced snapshot save (2s after last change)
+    if (snapshotTimer.current) clearTimeout(snapshotTimer.current)
+    snapshotTimer.current = setTimeout(() => saveSnapshot(scenarioId), 2000)
+  }, [compute, saveSnapshot])
+
+  const resetToDefaults = useCallback(async (scenarioId: string) => {
+    // Reload from server (without snapshots)
+    try {
+      const res = await fetch('/api/financial-model')
+      if (res.ok) {
+        const data: FMScenario[] = await res.json()
+        const defaultScenario = data.find(s => s.id === scenarioId)
+        if (defaultScenario) {
+          setScenarios(prev => prev.map(s => s.id === scenarioId ? defaultScenario : s))
+          // Delete snapshot
+          if (investorId) {
+            await fetch(`/api/snapshots?id=${scenarioId}`, { method: 'DELETE' })
+          }
+          setSnapshotStatus('default')
+          compute(scenarioId)
+        }
+      }
+    } catch {
+      // ignore
+    }
+  }, [compute, investorId])
 
   const computeAll = useCallback(async () => {
     for (const s of scenarios) {
@@ -105,5 +184,7 @@ export function useFinancialModel() {
     compute,
     computeAll,
     updateAssumption,
+    resetToDefaults,
+    snapshotStatus,
   }
 }

pitch-deck/lib/rate-limit.ts

@@ -0,0 +1,52 @@
+interface RateLimitEntry {
+  count: number
+  resetAt: number
+}
+
+const store = new Map<string, RateLimitEntry>()
+
+// Cleanup stale entries every 60 seconds
+setInterval(() => {
+  const now = Date.now()
+  for (const [key, entry] of store) {
+    if (entry.resetAt <= now) store.delete(key)
+  }
+}, 60_000)
+
+export interface RateLimitConfig {
+  /** Max requests in the window */
+  limit: number
+  /** Window size in seconds */
+  windowSec: number
+}
+
+export interface RateLimitResult {
+  allowed: boolean
+  remaining: number
+  resetAt: number
+}
+
+export function checkRateLimit(key: string, config: RateLimitConfig): RateLimitResult {
+  const now = Date.now()
+  const entry = store.get(key)
+
+  if (!entry || entry.resetAt <= now) {
+    store.set(key, { count: 1, resetAt: now + config.windowSec * 1000 })
+    return { allowed: true, remaining: config.limit - 1, resetAt: now + config.windowSec * 1000 }
+  }
+
+  if (entry.count >= config.limit) {
+    return { allowed: false, remaining: 0, resetAt: entry.resetAt }
+  }
+
+  entry.count++
+  return { allowed: true, remaining: config.limit - entry.count, resetAt: entry.resetAt }
+}
+
+// Preset configurations
+export const RATE_LIMITS = {
+  magicLink: { limit: 3, windowSec: 3600 } as RateLimitConfig,        // 3 per email per hour
+  authVerify: { limit: 10, windowSec: 900 } as RateLimitConfig,       // 10 per IP per 15min
+  api: { limit: 60, windowSec: 60 } as RateLimitConfig,               // 60 per session per minute
+  chat: { limit: 20, windowSec: 60 } as RateLimitConfig,              // 20 per session per minute
+} as const

pitch-deck/lib/types.ts

@@ -193,6 +193,27 @@ export interface FMComputeResponse {
   }
 }
 
+// Investor Auth Types
+export interface Investor {
+  id: string
+  email: string
+  name: string | null
+  company: string | null
+  status: 'invited' | 'active' | 'revoked'
+  last_login_at: string | null
+  login_count: number
+  created_at: string
+}
+
+export interface InvestorSnapshot {
+  id: string
+  scenario_id: string
+  assumptions: Record<string, number | number[]>
+  label: string | null
+  is_latest: boolean
+  created_at: string
+}
+
 export type Language = 'de' | 'en'
 
 export interface ChatMessage {

pitch-deck/middleware.ts

@@ -0,0 +1,80 @@
+import { NextRequest, NextResponse } from 'next/server'
+import { jwtVerify } from 'jose'
+
+const PUBLIC_PATHS = [
+  '/auth',
+  '/api/auth',
+  '/api/health',
+  '/api/admin',
+  '/_next',
+  '/manifest.json',
+  '/sw.js',
+  '/icons',
+  '/favicon.ico',
+]
+
+function isPublicPath(pathname: string): boolean {
+  return PUBLIC_PATHS.some(p => pathname === p || pathname.startsWith(p + '/'))
+}
+
+export async function middleware(request: NextRequest) {
+  const { pathname } = request.nextUrl
+
+  // Allow public paths
+  if (isPublicPath(pathname)) {
+    return NextResponse.next()
+  }
+
+  // Check for session cookie
+  const token = request.cookies.get('pitch_session')?.value
+
+  if (!token) {
+    return NextResponse.redirect(new URL('/auth', request.url))
+  }
+
+  // Verify JWT
+  const secret = process.env.PITCH_JWT_SECRET
+  if (!secret) {
+    return NextResponse.redirect(new URL('/auth', request.url))
+  }
+
+  try {
+    const { payload } = await jwtVerify(token, new TextEncoder().encode(secret))
+
+    // Add investor info to headers for downstream use
+    const response = NextResponse.next()
+    response.headers.set('x-investor-id', payload.sub as string)
+    response.headers.set('x-investor-email', payload.email as string)
+    response.headers.set('x-session-id', payload.sessionId as string)
+
+    // Auto-refresh JWT if within last 15 minutes of expiry
+    const exp = payload.exp as number
+    const now = Math.floor(Date.now() / 1000)
+    const timeLeft = exp - now
+
+    if (timeLeft < 900 && timeLeft > 0) {
+      // Import dynamically to avoid Edge runtime issues with pg
+      // The actual refresh happens server-side in the API routes
+      response.headers.set('x-token-refresh-needed', 'true')
+    }
+
+    return response
+  } catch {
+    // Invalid or expired JWT
+    const response = NextResponse.redirect(new URL('/auth', request.url))
+    response.cookies.delete('pitch_session')
+    return response
+  }
+}
+
+export const config = {
+  matcher: [
+    /*
+     * Match all request paths except:
+     * - _next/static (static files)
+     * - _next/image (image optimization files)
+     * - favicon.ico (favicon file)
+     */
+    '/((?!_next/static|_next/image).*)',
+  ],
+}

pitch-deck/migrations/001_investor_auth.sql

@@ -0,0 +1,79 @@
+-- =========================================================
+-- Pitch Deck: Investor Auth, Audit Logs, Snapshots
+-- =========================================================
+
+-- Invited investors
+CREATE TABLE IF NOT EXISTS pitch_investors (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  email         VARCHAR(255) NOT NULL UNIQUE,
+  name          VARCHAR(255),
+  company       VARCHAR(255),
+  invited_by    VARCHAR(255) NOT NULL DEFAULT 'admin',
+  status        VARCHAR(20) NOT NULL DEFAULT 'invited'
+                CHECK (status IN ('invited', 'active', 'revoked')),
+  last_login_at TIMESTAMPTZ,
+  login_count   INTEGER NOT NULL DEFAULT 0,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_pitch_investors_email ON pitch_investors(email);
+CREATE INDEX IF NOT EXISTS idx_pitch_investors_status ON pitch_investors(status);
+
+-- Single-use magic link tokens
+CREATE TABLE IF NOT EXISTS pitch_magic_links (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  investor_id   UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
+  token         VARCHAR(128) NOT NULL UNIQUE,
+  expires_at    TIMESTAMPTZ NOT NULL,
+  used_at       TIMESTAMPTZ,
+  ip_address    INET,
+  user_agent    TEXT,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_token ON pitch_magic_links(token);
+CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_investor ON pitch_magic_links(investor_id);
+CREATE INDEX IF NOT EXISTS idx_pitch_magic_links_expires ON pitch_magic_links(expires_at);
+
+-- Audit log for all investor activity
+CREATE TABLE IF NOT EXISTS pitch_audit_logs (
+  id            BIGSERIAL PRIMARY KEY,
+  investor_id   UUID REFERENCES pitch_investors(id) ON DELETE SET NULL,
+  action        VARCHAR(50) NOT NULL,
+  details       JSONB DEFAULT '{}',
+  ip_address    INET,
+  user_agent    TEXT,
+  slide_id      VARCHAR(50),
+  session_id    UUID,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_pitch_audit_created ON pitch_audit_logs(created_at);
+CREATE INDEX IF NOT EXISTS idx_pitch_audit_investor ON pitch_audit_logs(investor_id);
+CREATE INDEX IF NOT EXISTS idx_pitch_audit_action ON pitch_audit_logs(action);
+
+-- Per-investor financial model snapshots (JSONB)
+CREATE TABLE IF NOT EXISTS pitch_investor_snapshots (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  investor_id   UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
+  scenario_id   UUID NOT NULL,
+  assumptions   JSONB NOT NULL,
+  label         VARCHAR(255),
+  is_latest     BOOLEAN NOT NULL DEFAULT true,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_pitch_snapshots_investor ON pitch_investor_snapshots(investor_id);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_pitch_snapshots_latest
+  ON pitch_investor_snapshots(investor_id, scenario_id) WHERE is_latest = true;
+
+-- Active sessions
+CREATE TABLE IF NOT EXISTS pitch_sessions (
+  id            UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  investor_id   UUID NOT NULL REFERENCES pitch_investors(id) ON DELETE CASCADE,
+  token_hash    VARCHAR(128) NOT NULL,
+  ip_address    INET,
+  user_agent    TEXT,
+  expires_at    TIMESTAMPTZ NOT NULL,
+  revoked       BOOLEAN NOT NULL DEFAULT false,
+  created_at    TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_pitch_sessions_investor ON pitch_sessions(investor_id);
+CREATE INDEX IF NOT EXISTS idx_pitch_sessions_token ON pitch_sessions(token_hash);

pitch-deck/next.config.js

@@ -5,6 +5,21 @@ const nextConfig = {
   typescript: {
     ignoreBuildErrors: true,
   },
+  async headers() {
+    return [
+      {
+        source: '/:path*',
+        headers: [
+          { key: 'X-Robots-Tag', value: 'noindex, nofollow, noarchive, nosnippet' },
+          { key: 'X-Frame-Options', value: 'DENY' },
+          { key: 'X-Content-Type-Options', value: 'nosniff' },
+          { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
+          { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
+          { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
+        ],
+      },
+    ]
+  },
 }
 
 module.exports = nextConfig

pitch-deck/package.json

@@ -9,8 +9,10 @@
   },
   "dependencies": {
     "framer-motion": "^11.15.0",
+    "jose": "^6.2.2",
     "lucide-react": "^0.468.0",
     "next": "^15.1.0",
+    "nodemailer": "^8.0.4",
     "pg": "^8.13.1",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
@@ -18,6 +20,7 @@
   },
   "devDependencies": {
     "@types/node": "^22.10.2",
+    "@types/nodemailer": "^8.0.0",
     "@types/pg": "^8.11.10",
     "@types/react": "^18.3.16",
     "@types/react-dom": "^18.3.5",

pitch-deck/public/manifest.json

@@ -0,0 +1,28 @@
+{
+  "name": "BreakPilot ComplAI — Investor Pitch",
+  "short_name": "BreakPilot Pitch",
+  "description": "Interactive investor pitch deck for BreakPilot ComplAI",
+  "start_url": "/",
+  "display": "fullscreen",
+  "orientation": "any",
+  "background_color": "#0a0a1a",
+  "theme_color": "#6366f1",
+  "icons": [
+    {
+      "src": "/icons/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png"
+    },
+    {
+      "src": "/icons/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png"
+    },
+    {
+      "src": "/icons/icon-maskable-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "maskable"
+    }
+  ]
+}

pitch-deck/public/sw.js

@@ -0,0 +1,70 @@
+const CACHE_NAME = 'breakpilot-pitch-v1'
+const STATIC_ASSETS = [
+  '/',
+  '/manifest.json',
+]
+
+// Install: cache the app shell
+self.addEventListener('install', (event) => {
+  event.waitUntil(
+    caches.open(CACHE_NAME).then((cache) => cache.addAll(STATIC_ASSETS))
+  )
+  self.skipWaiting()
+})
+
+// Activate: clean old caches
+self.addEventListener('activate', (event) => {
+  event.waitUntil(
+    caches.keys().then((keys) =>
+      Promise.all(keys.filter((k) => k !== CACHE_NAME).map((k) => caches.delete(k)))
+    )
+  )
+  self.clients.claim()
+})
+
+// Fetch: network-first for API, cache-first for static assets
+self.addEventListener('fetch', (event) => {
+  const url = new URL(event.request.url)
+
+  // Skip non-GET requests
+  if (event.request.method !== 'GET') return
+
+  // Network-first for API routes and auth
+  if (url.pathname.startsWith('/api/') || url.pathname.startsWith('/auth')) {
+    event.respondWith(
+      fetch(event.request).catch(() => caches.match(event.request))
+    )
+    return
+  }
+
+  // Cache-first for static assets (JS, CSS, images, fonts)
+  if (
+    url.pathname.startsWith('/_next/static/') ||
+    url.pathname.startsWith('/icons/') ||
+    url.pathname.endsWith('.js') ||
+    url.pathname.endsWith('.css')
+  ) {
+    event.respondWith(
+      caches.match(event.request).then((cached) => {
+        if (cached) return cached
+        return fetch(event.request).then((response) => {
+          const clone = response.clone()
+          caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
+          return response
+        })
+      })
+    )
+    return
+  }
+
+  // Network-first for everything else (HTML pages)
+  event.respondWith(
+    fetch(event.request)
+      .then((response) => {
+        const clone = response.clone()
+        caches.open(CACHE_NAME).then((cache) => cache.put(event.request, clone))
+        return response
+      })
+      .catch(() => caches.match(event.request))
+  )
+})