Initial commit: PodcastYes — AI podcast platform

app/api/assets/[...key]/route.ts

@@ -0,0 +1,65 @@
+import { NextRequest } from "next/server";
+import { getServerSession } from "@/lib/auth/guards";
+import { prisma } from "@/lib/db";
+import { storage } from "@/lib/storage";
+
+export const dynamic = "force-dynamic";
+
+const CONTENT_TYPES: Record<string, string> = {
+  mp3: "audio/mpeg",
+  png: "image/png",
+  jpg: "image/jpeg",
+  jpeg: "image/jpeg",
+  webp: "image/webp",
+  zip: "application/zip",
+  txt: "text/plain; charset=utf-8",
+};
+
+/**
+ * Serve a stored asset by key after verifying the requester owns the episode
+ * (or is an admin). Private MP3 downloads flow through here; public cover art is
+ * served directly by nginx from /media.
+ */
+export async function GET(
+  req: NextRequest,
+  { params }: { params: Promise<{ key: string[] }> }
+) {
+  const { key: segments } = await params;
+  const key = segments.join("/");
+
+  const session = await getServerSession();
+  if (!session) return new Response("Unauthorized", { status: 401 });
+
+  // Resolve the owning episode from the asset record so we can authorize.
+  const [audio, art] = await Promise.all([
+    prisma.audioAsset.findFirst({ where: { storageKey: key }, select: { episode: { select: { userId: true } } } }),
+    prisma.coverArt.findFirst({ where: { storageKey: key }, select: { episode: { select: { userId: true } } } }),
+  ]);
+  const ownerId = audio?.episode.userId ?? art?.episode.userId;
+  if (!ownerId) return new Response("Not found", { status: 404 });
+
+  const isOwner = ownerId === session.user.id;
+  const isAdmin = session.user.role === "admin";
+  if (!isOwner && !isAdmin) return new Response("Forbidden", { status: 403 });
+
+  const exists = await storage().exists(key);
+  if (!exists) return new Response("Not found", { status: 404 });
+
+  const data = await storage().get(key);
+  const ext = key.split(".").pop()?.toLowerCase() ?? "";
+  const contentType = CONTENT_TYPES[ext] ?? "application/octet-stream";
+
+  const download = req.nextUrl.searchParams.get("download");
+  const filename = key.split("/").pop() ?? "asset";
+
+  return new Response(data as BodyInit, {
+    headers: {
+      "Content-Type": contentType,
+      "Content-Length": String(data.byteLength),
+      "Cache-Control": "private, max-age=3600",
+      ...(download
+        ? { "Content-Disposition": `attachment; filename="${filename}"` }
+        : {}),
+    },
+  });
+}

app/api/auth/[...all]/route.ts

@@ -0,0 +1,4 @@
+import { toNextJsHandler } from "better-auth/next-js";
+import { auth } from "@/lib/auth/auth";
+
+export const { GET, POST } = toNextJsHandler(auth.handler);

app/api/episodes/[id]/stream/route.ts

@@ -0,0 +1,87 @@
+import { NextRequest } from "next/server";
+import { getServerSession } from "@/lib/auth/guards";
+import { prisma } from "@/lib/db";
+import { isTerminal } from "@/lib/episodes/status";
+
+export const dynamic = "force-dynamic";
+
+/**
+ * Server-Sent Events stream of an episode's generation status. Polls the row
+ * every 1.5s and emits on change until the episode reaches a terminal state.
+ * (LISTEN/NOTIFY is a future optimization; polling is simpler and robust.)
+ */
+export async function GET(req: NextRequest, { params }: { params: Promise<{ id: string }> }) {
+  const { id } = await params;
+
+  const session = await getServerSession();
+  if (!session) return new Response("Unauthorized", { status: 401 });
+
+  const ep = await prisma.episode.findUnique({ where: { id }, select: { userId: true } });
+  if (!ep) return new Response("Not found", { status: 404 });
+  if (ep.userId !== session.user.id && session.user.role !== "admin") {
+    return new Response("Forbidden", { status: 403 });
+  }
+
+  const encoder = new TextEncoder();
+
+  const stream = new ReadableStream({
+    start(controller) {
+      let lastSig = "";
+      let stopped = false;
+      let pollTimer: ReturnType<typeof setInterval>;
+      let pingTimer: ReturnType<typeof setInterval>;
+
+      const send = (data: unknown) => {
+        if (!stopped) controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
+      };
+
+      const stop = () => {
+        if (stopped) return;
+        stopped = true;
+        clearInterval(pollTimer);
+        clearInterval(pingTimer);
+        try {
+          controller.close();
+        } catch {
+          /* already closed */
+        }
+      };
+
+      const poll = async () => {
+        if (stopped) return;
+        const e = await prisma.episode.findUnique({
+          where: { id },
+          select: { status: true, stage: true, errorMessage: true },
+        });
+        if (!e) {
+          send({ status: "FAILED", error: "Episode not found" });
+          stop();
+          return;
+        }
+        const sig = `${e.status}:${e.stage ?? ""}`;
+        if (sig !== lastSig) {
+          lastSig = sig;
+          send({ status: e.status, stage: e.stage, error: e.errorMessage });
+        }
+        if (isTerminal(e.status)) stop();
+      };
+
+      send({ type: "open" });
+      void poll();
+      pollTimer = setInterval(poll, 1500);
+      pingTimer = setInterval(() => {
+        if (!stopped) controller.enqueue(encoder.encode(": ping\n\n"));
+      }, 15000);
+
+      req.signal.addEventListener("abort", stop);
+    },
+  });
+
+  return new Response(stream, {
+    headers: {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache, no-transform",
+      Connection: "keep-alive",
+    },
+  });
+}

app/api/v1/episodes/route.ts

@@ -0,0 +1,103 @@
+import { NextRequest } from "next/server";
+import { z } from "zod";
+import { verifyApiKey, bearerKey } from "@/lib/apikeys";
+import { prisma } from "@/lib/db";
+import { getEffectivePlan } from "@/lib/billing/subscription";
+import { enforceLimit, LimitExceededError } from "@/lib/usage/limits";
+import { enqueueEpisodeGeneration } from "@/lib/queue/pgboss";
+import { FORMAT_SPEAKERS } from "@/lib/episodes/options";
+import { DEFAULT_VOICE_IDS, VOICE_CATALOG } from "@/lib/ai/voices";
+import { rateLimit, LIMITS } from "@/lib/ratelimit";
+
+export const dynamic = "force-dynamic";
+
+async function authorize(req: NextRequest) {
+  return verifyApiKey(bearerKey(req.headers.get("authorization")));
+}
+
+/** GET /api/v1/episodes — list the caller's episodes. */
+export async function GET(req: NextRequest) {
+  const auth = await authorize(req);
+  if (!auth) return Response.json({ error: "Invalid API key" }, { status: 401 });
+
+  const episodes = await prisma.episode.findMany({
+    where: { userId: auth.userId },
+    orderBy: { createdAt: "desc" },
+    take: 50,
+    select: { id: true, title: true, status: true, format: true, language: true, createdAt: true },
+  });
+  return Response.json({ episodes });
+}
+
+const createSchema = z.object({
+  topic: z.string().min(10).max(2000),
+  title: z.string().max(120).optional(),
+  tone: z.string().default("Conversational"),
+  format: z.enum(["SOLO", "INTERVIEW", "MULTI_HOST"]).default("SOLO"),
+  language: z.string().min(2).max(5).default("en"),
+  targetLengthMin: z.number().int().min(1).max(180).default(5),
+  audience: z.string().max(200).optional(),
+});
+
+/** POST /api/v1/episodes — create + generate an episode. */
+export async function POST(req: NextRequest) {
+  const auth = await authorize(req);
+  if (!auth) return Response.json({ error: "Invalid API key" }, { status: 401 });
+
+  const rl = await rateLimit("api", auth.userId, LIMITS.api);
+  if (!rl.ok) {
+    return Response.json(
+      { error: "Rate limit exceeded" },
+      { status: 429, headers: { "Retry-After": String(rl.retryAfterSec ?? 60) } }
+    );
+  }
+
+  const parsed = createSchema.safeParse(await req.json().catch(() => ({})));
+  if (!parsed.success) {
+    return Response.json({ error: parsed.error.issues[0]?.message ?? "Invalid body" }, { status: 400 });
+  }
+  const data = parsed.data;
+
+  const { plan } = await getEffectivePlan(auth.userId);
+  if (data.targetLengthMin > plan.limits.maxEpisodeMinutes) {
+    return Response.json(
+      { error: `Plan supports episodes up to ${plan.limits.maxEpisodeMinutes} minutes` },
+      { status: 402 }
+    );
+  }
+  try {
+    await enforceLimit(auth.userId, "script");
+    await enforceLimit(auth.userId, "audio");
+  } catch (err) {
+    if (err instanceof LimitExceededError) {
+      return Response.json({ error: `Monthly ${err.check.metric} limit reached` }, { status: 402 });
+    }
+    throw err;
+  }
+
+  const speakers = FORMAT_SPEAKERS[data.format].map((s, i) => ({
+    speakerKey: s.speakerKey,
+    displayName: s.defaultName,
+    elevenVoiceId: DEFAULT_VOICE_IDS[s.speakerKey] ?? VOICE_CATALOG[i % VOICE_CATALOG.length].id,
+  }));
+
+  const episode = await prisma.episode.create({
+    data: {
+      userId: auth.userId,
+      title: data.title?.trim() || data.topic.slice(0, 60),
+      topic: data.topic,
+      tone: data.tone,
+      format: data.format,
+      language: data.language,
+      targetLengthMin: data.targetLengthMin,
+      audience: data.audience,
+      status: "QUEUED",
+      stage: "Queued for generation",
+      speakers: { create: speakers },
+      jobs: { create: { type: "full", status: "queued" } },
+    },
+  });
+  await enqueueEpisodeGeneration({ episodeId: episode.id, type: "full" });
+
+  return Response.json({ id: episode.id, status: episode.status }, { status: 201 });
+}

app/api/webhooks/paypal/route.ts

@@ -0,0 +1,33 @@
+import { NextRequest } from "next/server";
+import { verifyPaypalWebhook } from "@/lib/billing/paypal";
+import { handlePaypalEvent } from "@/lib/billing/webhooks/paypal";
+
+export const dynamic = "force-dynamic";
+
+const SIG_HEADERS = [
+  "paypal-auth-algo",
+  "paypal-cert-url",
+  "paypal-transmission-id",
+  "paypal-transmission-sig",
+  "paypal-transmission-time",
+];
+
+export async function POST(req: NextRequest) {
+  const body = await req.text();
+  const headers: Record<string, string | undefined> = {};
+  for (const h of SIG_HEADERS) headers[h] = req.headers.get(h) ?? undefined;
+
+  const verified = await verifyPaypalWebhook(headers, body).catch(() => false);
+  if (!verified) {
+    console.error("[paypal webhook] verification failed");
+    return new Response("Invalid signature", { status: 400 });
+  }
+
+  try {
+    await handlePaypalEvent(JSON.parse(body));
+  } catch (err) {
+    console.error("[paypal webhook] handler error", err);
+    return new Response("Handler error", { status: 500 });
+  }
+  return new Response("ok");
+}

app/api/webhooks/stripe/route.ts

@@ -0,0 +1,29 @@
+import { NextRequest } from "next/server";
+import type Stripe from "stripe";
+import { stripe } from "@/lib/billing/stripe";
+import { handleStripeEvent } from "@/lib/billing/webhooks/stripe";
+
+export const dynamic = "force-dynamic";
+
+export async function POST(req: NextRequest) {
+  const secret = process.env.STRIPE_WEBHOOK_SECRET;
+  const signature = req.headers.get("stripe-signature");
+  if (!secret || !signature) return new Response("Webhook not configured", { status: 400 });
+
+  const body = await req.text();
+  let event: Stripe.Event;
+  try {
+    event = stripe().webhooks.constructEvent(body, signature, secret);
+  } catch (err) {
+    console.error("[stripe webhook] signature verification failed", err);
+    return new Response("Invalid signature", { status: 400 });
+  }
+
+  try {
+    await handleStripeEvent(event);
+  } catch (err) {
+    console.error("[stripe webhook] handler error", err);
+    return new Response("Handler error", { status: 500 });
+  }
+  return new Response("ok");
+}