feat(pitch-deck): passwordless investor auth, audit logs, snapshots & PWA #2

Merged
sharang merged 3 commits from feature/pitch-deck-investor-auth into main 2026-04-07 08:48:38 +00:00

Summary

  • Passwordless magic link auth — admin invites investor via API, investor receives email with one-time link, clicks to get JWT session. Single active session per investor, 72h link TTL, rate-limited.
  • Audit logging — tracks all investor activity: logins, slide views, assumption changes, chat messages. Queryable via admin API with filters.
  • Financial model snapshots — per-investor auto-save/restore of assumption changes. Debounced 2s after last change. Reset to defaults button.
  • PWA — manifest.json, service worker (cache-first for static, network-first for APIs), app icons, fullscreen display.
  • Safeguards — email watermark overlay on every slide, security headers (X-Robots-Tag, X-Frame-Options, CSP frame-ancestors none), content protection (no right-click, no text select), rate limiting (magic links, auth, API, chat), IP logging, new IP detection.
  • Docker integration — pitch-deck service added to docker-compose.coolify.yml with health check, env vars, breakpilot-network.

New files (26)

  • migrations/001_investor_auth.sql — 5 tables (investors, magic_links, audit_logs, snapshots, sessions)
  • middleware.ts — auth enforcement on all routes
  • lib/auth.ts, lib/email.ts, lib/rate-limit.ts — core auth utilities
  • lib/hooks/useAuth.ts, lib/hooks/useAuditTracker.ts — client hooks
  • app/api/auth/* — verify, logout, me endpoints
  • app/api/admin/* — invite, investors, revoke, audit-logs endpoints
  • app/api/audit/, app/api/snapshots/, app/api/health/ — audit, snapshot, health endpoints
  • app/auth/, app/auth/verify/ — login and verification pages
  • components/Watermark.tsx — diagonal email watermark
  • public/manifest.json, public/sw.js, public/icons/ — PWA assets

Modified files (9)

  • docker-compose.coolify.yml — add pitch-deck service + update health-aggregator
  • package.json — add jose, nodemailer deps
  • next.config.js — security headers
  • app/layout.tsx — PWA meta tags + service worker registration
  • app/page.tsx — auth wrapper with useAuth hook
  • components/PitchDeck.tsx — investor prop, audit tracker, watermark, content protection
  • components/slides/FinancialsSlide.tsx — snapshot status indicator + reset button
  • lib/hooks/useFinancialModel.ts — snapshot save/restore logic
  • lib/types.ts — Investor, InvestorSnapshot types

Test plan

  • Run migration against PostgreSQL
  • Invite investor via curl -X POST /api/admin/invite -H "Authorization: Bearer $PITCH_ADMIN_SECRET"
  • Verify magic link email received
  • Click magic link, confirm redirect to pitch deck with session cookie
  • Access / without cookie — should redirect to /auth
  • Navigate slides, check pitch_audit_logs table for events
  • Change financial assumptions, logout, login again — confirm values restored
  • Verify watermark overlay shows investor email
  • Check response headers for security headers (curl -I)
  • Test PWA install prompt in Chrome
  • Spam /api/admin/invite — confirm 429 after 3rd request
  • docker compose -f docker-compose.coolify.yml build pitch-deck — confirm build succeeds

Generated with Claude Code

sharang added 1 commit 2026-04-05 18:50:53 +00:00
feat(pitch-deck): add passwordless investor auth, audit logs, snapshots & PWA
Some checks failed
CI / go-lint (pull_request) Failing after 17s
CI / python-lint (pull_request) Failing after 12s
CI / nodejs-lint (pull_request) Failing after 7s
CI / test-go-consent (pull_request) Failing after 11s
CI / test-python-voice (pull_request) Failing after 11s
CI / test-bqas (pull_request) Failing after 11s
CI / Deploy (pull_request) Has been skipped
f565dfdb15
Implement a complete investor access system for the pitch deck:

- Passwordless magic link auth (jose JWT + nodemailer SMTP)
- Per-investor audit logging (slide views, assumption changes, chat)
- Financial model snapshot persistence (auto-save/restore per investor)
- PWA support (manifest, service worker, offline caching, icons)
- Security safeguards (watermark overlay, rate limiting, anti-scraping
  headers, content protection, single-session enforcement)
- Admin API for invite/revoke/audit-log management
- Integrated into docker-compose.coolify.yml for production deployment

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sharang added 1 commit 2026-04-06 09:23:14 +00:00
style(pitch-deck): replace placeholder PWA icons with branded design
Some checks failed
CI / go-lint (pull_request) Failing after 12s
CI / python-lint (pull_request) Failing after 11s
CI / nodejs-lint (pull_request) Failing after 5s
CI / test-go-consent (pull_request) Failing after 9s
CI / test-python-voice (pull_request) Failing after 12s
CI / test-bqas (pull_request) Failing after 9s
CI / Deploy (pull_request) Has been skipped
bd2835dec4
Generate proper BreakPilot ComplAI icons using the pitch deck's
indigo→purple gradient and hexagonal shield logo from CoverSlide.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
sharang force-pushed feature/pitch-deck-investor-auth from bd2835dec4 to bbe7a74715 2026-04-07 08:36:14 +00:00
sharang merged commit 645973141c into main 2026-04-07 08:48:38 +00:00
Reference: Benjamin_Boenisch/breakpilot-core#2